tulip/server/login.go

196 lines
5.3 KiB
Go
Raw Normal View History

package server
import (
"database/sql"
"errors"
2023-09-24 18:24:16 +01:00
"fmt"
"github.com/1f349/mjwt/auth"
"github.com/1f349/mjwt/claims"
"github.com/1f349/tulip/database"
2024-05-13 20:06:17 +01:00
"github.com/1f349/tulip/logger"
"github.com/1f349/tulip/pages"
2023-09-24 18:24:16 +01:00
"github.com/emersion/go-message/mail"
"github.com/golang-jwt/jwt/v4"
"github.com/google/uuid"
"github.com/julienschmidt/httprouter"
"golang.org/x/crypto/bcrypt"
"net/http"
"net/url"
2023-09-24 18:24:16 +01:00
"time"
)
// getUserLoginName finds the `login_name` query parameter within the `/authorize` redirect url
func getUserLoginName(req *http.Request) string {
q := req.URL.Query()
if !q.Has("redirect") {
return ""
}
originUrl, err := url.ParseRequestURI(q.Get("redirect"))
if err != nil {
return ""
}
if originUrl.Path != "/authorize" {
return ""
}
return originUrl.Query().Get("login_name")
}
func (h *HttpServer) LoginGet(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
if !auth.IsGuest() {
h.SafeRedirect(rw, req)
return
}
loginName := getUserLoginName(req)
rw.Header().Set("Content-Type", "text/html")
rw.WriteHeader(http.StatusOK)
pages.RenderPageTemplate(rw, "login", map[string]any{
2023-10-10 18:06:43 +01:00
"ServiceName": h.conf.ServiceName,
"Redirect": req.URL.Query().Get("redirect"),
2023-09-24 18:24:16 +01:00
"Mismatch": req.URL.Query().Get("mismatch"),
"LoginName": loginName,
})
}
func (h *HttpServer) LoginPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
un := req.FormValue("username")
pw := req.FormValue("password")
2023-09-24 18:24:16 +01:00
// flags returned from database call
2024-03-12 21:04:25 +00:00
var userInfo database.CheckLoginResult
2023-09-24 18:24:16 +01:00
var loginMismatch byte
var hasOtp bool
2023-09-24 18:24:16 +01:00
2024-03-11 12:39:52 +00:00
if h.DbTx(rw, func(tx *database.Queries) error {
2024-03-12 03:29:10 +00:00
loginUser, err := tx.CheckLogin(req.Context(), un, pw)
if err != nil {
if errors.Is(err, sql.ErrNoRows) || errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {
2023-09-24 18:24:16 +01:00
loginMismatch = 1
return nil
}
http.Error(rw, "Internal server error", http.StatusInternalServerError)
return err
}
2023-09-24 18:24:16 +01:00
userInfo = loginUser
2024-03-12 21:04:25 +00:00
hasOtp = loginUser.HasOtp
if !loginUser.EmailVerified {
2023-09-24 18:24:16 +01:00
loginMismatch = 2
}
return nil
}) {
return
}
2023-09-24 18:24:16 +01:00
if loginMismatch != 0 {
originUrl, err := url.Parse(req.FormValue("redirect"))
if err != nil {
http.Error(rw, "400 Bad Request: Invalid redirect URL", http.StatusBadRequest)
return
}
// send verify email
if loginMismatch == 2 {
// parse email for headers
address, err := mail.ParseAddress(userInfo.Email)
if err != nil {
http.Error(rw, "500 Internal Server Error: Failed to parse user email address", http.StatusInternalServerError)
return
}
u := uuid.NewString()
2024-03-12 21:04:25 +00:00
h.mailLinkCache.Set(mailLinkKey{mailLinkVerifyEmail, u}, userInfo.Subject, time.Now().Add(10*time.Minute))
2023-09-24 18:24:16 +01:00
// try to send email
2023-10-10 18:06:43 +01:00
err = h.conf.Mail.SendEmailTemplate("mail-verify", "Verify Email", userInfo.Name, address, map[string]any{
"VerifyUrl": h.conf.BaseUrl + "/mail/verify/" + u,
2023-09-24 18:24:16 +01:00
})
if err != nil {
2024-05-13 20:06:17 +01:00
logger.Logger.Warn("Login: Failed to send verification email", "err", err)
2023-09-24 18:24:16 +01:00
http.Error(rw, "500 Internal Server Error: Failed to send verification email", http.StatusInternalServerError)
return
}
// send email successfully, hope the user actually receives it
}
redirectUrl := PrepareRedirectUrl(fmt.Sprintf("/login?mismatch=%d", loginMismatch), originUrl)
http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
return
}
// only continues if the above tx succeeds
auth = UserAuth{
2024-03-12 21:04:25 +00:00
ID: userInfo.Subject,
NeedOtp: hasOtp,
}
if h.setLoginDataCookie(rw, auth) {
return
}
if hasOtp {
originUrl, err := url.Parse(req.FormValue("redirect"))
if err != nil {
http.Error(rw, "400 Bad Request: Invalid redirect URL", http.StatusBadRequest)
return
}
redirectUrl := PrepareRedirectUrl("/login/otp", originUrl)
http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
return
}
h.SafeRedirect(rw, req)
}
2023-09-29 16:37:23 +01:00
2024-02-15 15:23:27 +00:00
const oneYear = 365 * 24 * time.Hour
func (h *HttpServer) setLoginDataCookie(rw http.ResponseWriter, authData UserAuth) bool {
ps := claims.NewPermStorage()
if authData.NeedOtp {
ps.Set("needs-otp")
}
gen, err := h.signingKey.GenerateJwt(authData.ID, uuid.NewString(), jwt.ClaimStrings{h.conf.BaseUrl}, oneYear, auth.AccessTokenClaims{Perms: ps})
if err != nil {
http.Error(rw, "Failed to generate cookie token", http.StatusInternalServerError)
return true
}
http.SetCookie(rw, &http.Cookie{
Name: "tulip-login-data",
Value: gen,
Path: "/",
Expires: time.Now().AddDate(1, 0, 0),
Secure: true,
2024-02-15 14:44:25 +00:00
SameSite: http.SameSiteLaxMode,
})
return false
}
func (h *HttpServer) LoginResetPasswordPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params) {
2023-09-29 16:37:23 +01:00
email := req.PostFormValue("email")
address, err := mail.ParseAddress(email)
if err != nil || address.Name != "" {
http.Error(rw, "Invalid email address format", http.StatusBadRequest)
return
}
var emailExists bool
2024-03-11 12:39:52 +00:00
if h.DbTx(rw, func(tx *database.Queries) (err error) {
2024-03-12 21:04:25 +00:00
emailExists, err = tx.UserEmailExists(req.Context(), email)
2023-09-29 16:37:23 +01:00
return err
}) {
return
}
go h.possiblySendPasswordResetEmail(email, emailExists)
http.Error(rw, "An email will be send to your inbox if an account with that email address is found", http.StatusOK)
}
func (h *HttpServer) possiblySendPasswordResetEmail(email string, exists bool) {
// TODO(Melon): Send reset password email template
2024-03-12 21:04:25 +00:00
_ = email
_ = exists
2023-09-29 16:37:23 +01:00
}