tulip/server/login.go

package server

import (
	"database/sql"
	"errors"
	"fmt"
	"github.com/1f349/mjwt/auth"
	"github.com/1f349/mjwt/claims"
	"github.com/1f349/tulip/database"
	"github.com/1f349/tulip/pages"
	"github.com/emersion/go-message/mail"
	"github.com/golang-jwt/jwt/v4"
	"github.com/google/uuid"
	"github.com/julienschmidt/httprouter"
	"golang.org/x/crypto/bcrypt"
	"log"
	"net/http"
	"net/url"
	"time"
)

// getUserLoginName finds the `login_name` query parameter within the `/authorize` redirect url
func getUserLoginName(req *http.Request) string {
	q := req.URL.Query()
	if !q.Has("redirect") {
		return ""
	}
	originUrl, err := url.ParseRequestURI(q.Get("redirect"))
	if err != nil {
		return ""
	}
	if originUrl.Path != "/authorize" {
		return ""
	}
	return originUrl.Query().Get("login_name")
}

func (h *HttpServer) LoginGet(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
	if !auth.IsGuest() {
		h.SafeRedirect(rw, req)
		return
	}

	loginName := getUserLoginName(req)

	rw.Header().Set("Content-Type", "text/html")
	rw.WriteHeader(http.StatusOK)
	pages.RenderPageTemplate(rw, "login", map[string]any{
		"ServiceName": h.conf.ServiceName,
		"Redirect":    req.URL.Query().Get("redirect"),
		"Mismatch":    req.URL.Query().Get("mismatch"),
		"LoginName":   loginName,
	})
}

func (h *HttpServer) LoginPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
	un := req.FormValue("username")
	pw := req.FormValue("password")

	// flags returned from database call
	var userInfo *database.User
	var loginMismatch byte
	var hasOtp bool

	if h.DbTx(rw, func(tx *database.Tx) error {
		loginUser, hasOtpRaw, hasVerifiedEmail, err := tx.CheckLogin(un, pw)
		if err != nil {
			if errors.Is(err, sql.ErrNoRows) || errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {
				loginMismatch = 1
				return nil
			}
			http.Error(rw, "Internal server error", http.StatusInternalServerError)
			return err
		}

		userInfo = loginUser
		hasOtp = hasOtpRaw
		if !hasVerifiedEmail {
			loginMismatch = 2
		}
		return nil
	}) {
		return
	}

	if loginMismatch != 0 {
		originUrl, err := url.Parse(req.FormValue("redirect"))
		if err != nil {
			http.Error(rw, "400 Bad Request: Invalid redirect URL", http.StatusBadRequest)
			return
		}

		// send verify email
		if loginMismatch == 2 {
			// parse email for headers
			address, err := mail.ParseAddress(userInfo.Email)
			if err != nil {
				http.Error(rw, "500 Internal Server Error: Failed to parse user email address", http.StatusInternalServerError)
				return
			}

			u := uuid.NewString()
			h.mailLinkCache.Set(mailLinkKey{mailLinkVerifyEmail, u}, userInfo.Sub, time.Now().Add(10*time.Minute))

			// try to send email
			err = h.conf.Mail.SendEmailTemplate("mail-verify", "Verify Email", userInfo.Name, address, map[string]any{
				"VerifyUrl": h.conf.BaseUrl + "/mail/verify/" + u,
			})
			if err != nil {
				log.Println("[Tulip] Login: Failed to send verification email:", err)
				http.Error(rw, "500 Internal Server Error: Failed to send verification email", http.StatusInternalServerError)
				return
			}

			// send email successfully, hope the user actually receives it
		}

		redirectUrl := PrepareRedirectUrl(fmt.Sprintf("/login?mismatch=%d", loginMismatch), originUrl)
		http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
		return
	}

	// only continues if the above tx succeeds
	auth = UserAuth{
		ID:      userInfo.Sub,
		NeedOtp: hasOtp,
	}

	if hasOtp {
		originUrl, err := url.Parse(req.FormValue("redirect"))
		if err != nil {
			http.Error(rw, "400 Bad Request: Invalid redirect URL", http.StatusBadRequest)
			return
		}
		redirectUrl := PrepareRedirectUrl("/login/otp", originUrl)
		http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
		return
	}

	if h.setLoginDataCookie(rw, auth) {
		return
	}
	h.SafeRedirect(rw, req)
}

var oneYear = 365 * 24 * time.Hour

func (h *HttpServer) setLoginDataCookie(rw http.ResponseWriter, authData UserAuth) bool {
	ps := claims.NewPermStorage()
	if authData.NeedOtp {
		ps.Set("needs-otp")
	}
	gen, err := h.signingKey.GenerateJwt(authData.ID, uuid.NewString(), jwt.ClaimStrings{h.conf.BaseUrl}, oneYear, auth.AccessTokenClaims{Perms: ps})
	if err != nil {
		http.Error(rw, "Failed to generate cookie token", http.StatusInternalServerError)
		return true
	}
	http.SetCookie(rw, &http.Cookie{
		Name:     "tulip-login-data",
		Value:    gen,
		Path:     "/",
		Expires:  time.Now().AddDate(1, 0, 0),
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	})
	return false
}

func (h *HttpServer) LoginResetPasswordPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params) {
	email := req.PostFormValue("email")
	address, err := mail.ParseAddress(email)
	if err != nil || address.Name != "" {
		http.Error(rw, "Invalid email address format", http.StatusBadRequest)
		return
	}

	var emailExists bool
	if h.DbTx(rw, func(tx *database.Tx) (err error) {
		emailExists, err = tx.UserEmailExists(email)
		return err
	}) {
		return
	}

	go h.possiblySendPasswordResetEmail(email, emailExists)

	http.Error(rw, "An email will be send to your inbox if an account with that email address is found", http.StatusOK)
}

func (h *HttpServer) possiblySendPasswordResetEmail(email string, exists bool) {
	// TODO(Melon): Send reset password email template
}
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`package server`

			`import (`
			`"database/sql"`
			`"errors"`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`"fmt"`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`"github.com/1f349/mjwt/auth"`
			`"github.com/1f349/mjwt/claims"`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`"github.com/1f349/tulip/database"`
			`"github.com/1f349/tulip/pages"`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`"github.com/emersion/go-message/mail"`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`"github.com/golang-jwt/jwt/v4"`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`"github.com/google/uuid"`
			`"github.com/julienschmidt/httprouter"`
			`"golang.org/x/crypto/bcrypt"`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`"log"`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`"net/http"`
			`"net/url"`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`"time"`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`)`

Autofill login name sent from external service 2023-10-04 21:51:11 +01:00			// getUserLoginName finds the `login_name` query parameter within the `/authorize` redirect url
			`func getUserLoginName(req *http.Request) string {`
			`q := req.URL.Query()`
			`if !q.Has("redirect") {`
			`return ""`
			`}`
			`originUrl, err := url.ParseRequestURI(q.Get("redirect"))`
			`if err != nil {`
			`return ""`
			`}`
			`if originUrl.Path != "/authorize" {`
			`return ""`
			`}`
			`return originUrl.Query().Get("login_name")`
			`}`

Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`func (h HttpServer) LoginGet(rw http.ResponseWriter, req http.Request, _ httprouter.Params, auth UserAuth) {`
			`if !auth.IsGuest() {`
			`h.SafeRedirect(rw, req)`
			`return`
			`}`

Autofill login name sent from external service 2023-10-04 21:51:11 +01:00			`loginName := getUserLoginName(req)`

Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`rw.Header().Set("Content-Type", "text/html")`
			`rw.WriteHeader(http.StatusOK)`
			`pages.RenderPageTemplate(rw, "login", map[string]any{`
Pass config directly to server 2023-10-10 18:06:43 +01:00			`"ServiceName": h.conf.ServiceName,`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`"Redirect": req.URL.Query().Get("redirect"),`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`"Mismatch": req.URL.Query().Get("mismatch"),`
Autofill login name sent from external service 2023-10-04 21:51:11 +01:00			`"LoginName": loginName,`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`})`
			`}`

			`func (h HttpServer) LoginPost(rw http.ResponseWriter, req http.Request, _ httprouter.Params, auth UserAuth) {`
			`un := req.FormValue("username")`
			`pw := req.FormValue("password")`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00
			`// flags returned from database call`
			`var userInfo *database.User`
			`var loginMismatch byte`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`var hasOtp bool`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`if h.DbTx(rw, func(tx *database.Tx) error {`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`loginUser, hasOtpRaw, hasVerifiedEmail, err := tx.CheckLogin(un, pw)`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`if err != nil {`
			`if errors.Is(err, sql.ErrNoRows) \|\| errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`loginMismatch = 1`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`return nil`
			`}`
			`http.Error(rw, "Internal server error", http.StatusInternalServerError)`
			`return err`
			`}`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00
			`userInfo = loginUser`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`hasOtp = hasOtpRaw`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`if !hasVerifiedEmail {`
			`loginMismatch = 2`
			`}`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`return nil`
			`}) {`
			`return`
			`}`

Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`if loginMismatch != 0 {`
			`originUrl, err := url.Parse(req.FormValue("redirect"))`
			`if err != nil {`
			`http.Error(rw, "400 Bad Request: Invalid redirect URL", http.StatusBadRequest)`
			`return`
			`}`

			`// send verify email`
			`if loginMismatch == 2 {`
			`// parse email for headers`
			`address, err := mail.ParseAddress(userInfo.Email)`
			`if err != nil {`
			`http.Error(rw, "500 Internal Server Error: Failed to parse user email address", http.StatusInternalServerError)`
			`return`
			`}`

Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`u := uuid.NewString()`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`h.mailLinkCache.Set(mailLinkKey{mailLinkVerifyEmail, u}, userInfo.Sub, time.Now().Add(10*time.Minute))`

			`// try to send email`
Pass config directly to server 2023-10-10 18:06:43 +01:00			`err = h.conf.Mail.SendEmailTemplate("mail-verify", "Verify Email", userInfo.Name, address, map[string]any{`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`"VerifyUrl": h.conf.BaseUrl + "/mail/verify/" + u,`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`})`
			`if err != nil {`
			`log.Println("[Tulip] Login: Failed to send verification email:", err)`
			`http.Error(rw, "500 Internal Server Error: Failed to send verification email", http.StatusInternalServerError)`
			`return`
			`}`

			`// send email successfully, hope the user actually receives it`
			`}`

			`redirectUrl := PrepareRedirectUrl(fmt.Sprintf("/login?mismatch=%d", loginMismatch), originUrl)`
			`http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)`
			`return`
			`}`

Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`// only continues if the above tx succeeds`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`auth = UserAuth{`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`ID: userInfo.Sub,`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`NeedOtp: hasOtp,`
			`}`

			`if hasOtp {`
			`originUrl, err := url.Parse(req.FormValue("redirect"))`
			`if err != nil {`
			`http.Error(rw, "400 Bad Request: Invalid redirect URL", http.StatusBadRequest)`
			`return`
			`}`
			`redirectUrl := PrepareRedirectUrl("/login/otp", originUrl)`
			`http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)`
			`return`
			`}`

Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`if h.setLoginDataCookie(rw, auth) {`
Save current user in encrypted cookie to prevent repetative logging in 2023-12-19 00:01:08 +00:00			`return`
			`}`
Add OTP and fix up oauth with the new page rendering system 2023-09-09 01:38:10 +01:00			`h.SafeRedirect(rw, req)`
			`}`
Start adding a reset password system 2023-09-29 16:37:23 +01:00
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`var oneYear = 365 * 24 * time.Hour`

			`func (h *HttpServer) setLoginDataCookie(rw http.ResponseWriter, authData UserAuth) bool {`
			`ps := claims.NewPermStorage()`
			`if authData.NeedOtp {`
			`ps.Set("needs-otp")`
			`}`
			`gen, err := h.signingKey.GenerateJwt(authData.ID, uuid.NewString(), jwt.ClaimStrings{h.conf.BaseUrl}, oneYear, auth.AccessTokenClaims{Perms: ps})`
Save current user in encrypted cookie to prevent repetative logging in 2023-12-19 00:01:08 +00:00			`if err != nil {`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`http.Error(rw, "Failed to generate cookie token", http.StatusInternalServerError)`
Save current user in encrypted cookie to prevent repetative logging in 2023-12-19 00:01:08 +00:00			`return true`
			`}`
			`http.SetCookie(rw, &http.Cookie{`
Add support for public oauth client apps 2024-02-08 01:16:46 +00:00			`Name: "tulip-login-data",`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`Value: gen,`
Save current user in encrypted cookie to prevent repetative logging in 2023-12-19 00:01:08 +00:00			`Path: "/",`
Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`Expires: time.Now().AddDate(1, 0, 0),`
Save current user in encrypted cookie to prevent repetative logging in 2023-12-19 00:01:08 +00:00			`Secure: true,`
			`SameSite: http.SameSiteStrictMode,`
			`})`
			`return false`
			`}`

Replace session with single login cookie, just use strings for user ids 2024-02-09 15:24:40 +00:00			`func (h HttpServer) LoginResetPasswordPost(rw http.ResponseWriter, req http.Request, _ httprouter.Params) {`
Start adding a reset password system 2023-09-29 16:37:23 +01:00			`email := req.PostFormValue("email")`
			`address, err := mail.ParseAddress(email)`
			`if err != nil \|\| address.Name != "" {`
			`http.Error(rw, "Invalid email address format", http.StatusBadRequest)`
			`return`
			`}`

			`var emailExists bool`
			`if h.DbTx(rw, func(tx *database.Tx) (err error) {`
			`emailExists, err = tx.UserEmailExists(email)`
			`return err`
			`}) {`
			`return`
			`}`

			`go h.possiblySendPasswordResetEmail(email, emailExists)`

			`http.Error(rw, "An email will be send to your inbox if an account with that email address is found", http.StatusOK)`
			`}`

			`func (h *HttpServer) possiblySendPasswordResetEmail(email string, exists bool) {`
			`// TODO(Melon): Send reset password email template`
			`}`