// Copyright (C) 2023 The Takeout Authors.
//
// This file is part of Takeout.
//
// Takeout is free software: you can redistribute it and/or modify it under the
// terms of the GNU Affero General Public License as published by the Free
// Software Foundation, either version 3 of the License, or (at your option)
// any later version.
//
// Takeout is distributed in the hope that it will be useful, but WITHOUT ANY
// WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
// FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for
// more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with Takeout. If not, see <https://www.gnu.org/licenses/>.
package server
import (
"net/http"
"strings"
"github.com/defsub/takeout/auth"
)
// bits is a set of flags naming the authentication methods a handler accepts.
// Values are combined with |.
type bits uint8

// Authentication methods that authorizeRequest may try on a request.
const (
	AllowCookie      bits = 1 << iota // browser session cookie
	AllowAccessToken                  // JWT access token in the Authorization header
	AllowMediaToken                   // JWT media token in the Authorization header
)

// Header and scheme used to carry tokens on API requests.
const (
	AuthorizationHeader = "Authorization"
	BearerAuthorization = "Bearer"
)
// doCodeAuth logs the user in and binds the resulting session token to the
// given code value. A login failure is returned as-is; a failure to authorize
// the code is reported as ErrInvalidCode without exposing the underlying
// cause.
func doCodeAuth(ctx Context, user, pass, value string) error {
	session, err := doLogin(ctx, user, pass)
	if err != nil {
		return err
	}
	if err := ctx.Auth().AuthorizeCode(value, session.Token); err != nil {
		// The original error is not surfaced to the caller.
		return ErrInvalidCode
	}
	return nil
}
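// getAuthToken returns the credential carried in the request's Authorization
// header, or "" when the header is absent or not in a recognised form.
//
// Two shapes are accepted:
//
//	Authorization: Bearer <token>   (scheme compared case-insensitively)
//	Authorization: <token>          (bare token, no scheme)
//
// Fields are split on any run of whitespace, so "Bearer  <token>" or a value
// with a trailing space is still recognised; RFC 7235 permits one or more
// spaces between the scheme and the credentials. Any other shape (another
// scheme, or more than two fields) yields "".
func getAuthToken(r *http.Request) string {
	value := r.Header.Get(AuthorizationHeader)
	if value == "" {
		return ""
	}
	fields := strings.Fields(value)
	switch len(fields) {
	case 1:
		// Authorization: <token>
		return fields[0]
	case 2:
		// Authorization: Bearer <token>
		if strings.EqualFold(fields[0], BearerAuthorization) {
			return fields[1]
		}
	}
	return ""
}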
// authorizeAccessToken checks the request's bearer token as a JWT access
// token. It returns (nil, nil) when no token is present so the caller can try
// another method; when the token is rejected it writes the auth error
// response and returns the error; otherwise it returns the token's user.
func authorizeAccessToken(ctx Context, w http.ResponseWriter, r *http.Request) (*auth.User, error) {
	tok := getAuthToken(r)
	if len(tok) == 0 {
		return nil, nil
	}
	// The token is expected to be a JWT.
	u, err := ctx.Auth().CheckAccessTokenUser(tok)
	if err == nil {
		return &u, nil
	}
	authErr(w, err)
	return nil, err
}
// authorizeMediaToken checks the request's bearer token as a JWT media token.
// It returns (nil, nil) when no token is present so the caller can try
// another method; when the token is rejected it writes the auth error
// response and returns the error; otherwise it returns the token's user.
func authorizeMediaToken(ctx Context, w http.ResponseWriter, r *http.Request) (*auth.User, error) {
	tok := getAuthToken(r)
	if len(tok) == 0 {
		return nil, nil
	}
	// The token is expected to be a JWT.
	u, err := ctx.Auth().CheckMediaTokenUser(tok)
	if err == nil {
		return &u, nil
	}
	authErr(w, err)
	return nil, err
}
// authorizeCodeToken checks the request's bearer token as a JWT code token.
// Unlike the access and media token checks a missing token is an error here:
// ErrMissingToken is written to the client and returned. A rejected token is
// likewise reported and returned; nil means the token was accepted.
func authorizeCodeToken(ctx Context, w http.ResponseWriter, r *http.Request) error {
	tok := getAuthToken(r)
	if tok == "" {
		authErr(w, ErrMissingToken)
		return ErrMissingToken
	}
	// The token is expected to be a JWT whose subject holds a valid code.
	if err := ctx.Auth().CheckCodeToken(tok); err != nil {
		authErr(w, err)
		return err
	}
	return nil
}
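// authorizeCookie authenticates the request from its session cookie for API
// or web view access.
//
// On success the cookie is refreshed with auth.UpdateCookie, sent back, and
// the session's user is returned. On any failure — no cookie, no session for
// the cookie, an expired session, or a session without a user — the cookie
// is expired, the client is redirected to LoginRedirect with a 307, and a
// non-nil error is returned: ErrAccessDenied for an unknown or expired
// session, otherwise the underlying error. Expired and userless sessions are
// also removed from the auth store.
func authorizeCookie(ctx Context, w http.ResponseWriter, r *http.Request) (*auth.User, error) {
	a := ctx.Auth()
	cookie, err := r.Cookie(auth.CookieName)
	if err != nil {
		// net/http's Request.Cookie reports only http.ErrNoCookie, and then
		// with a nil cookie, so this branch is not expected to run; the nil
		// guard keeps auth.ExpireCookie from being handed a nil cookie if
		// that ever changes.
		if err != http.ErrNoCookie && cookie != nil {
			http.SetCookie(w, auth.ExpireCookie(cookie))
		}
		http.Redirect(w, r, LoginRedirect, http.StatusTemporaryRedirect)
		return nil, err
	}
	session := a.CookieSession(cookie)
	if session == nil {
		expireCookieAndRedirect(w, r, cookie)
		return nil, ErrAccessDenied
	}
	if session.Expired() {
		a.DeleteSession(*session)
		expireCookieAndRedirect(w, r, cookie)
		return nil, ErrAccessDenied
	}
	user, err := a.SessionUser(session)
	if err != nil {
		// A session with no user is treated as stale and removed.
		a.DeleteSession(*session)
		expireCookieAndRedirect(w, r, cookie)
		return nil, err
	}
	// send back an updated cookie
	auth.UpdateCookie(session, cookie)
	http.SetCookie(w, cookie)
	return user, nil
}

// expireCookieAndRedirect clears the client's session cookie and sends the
// login redirect; the caller still returns its own error.
func expireCookieAndRedirect(w http.ResponseWriter, r *http.Request, cookie *http.Cookie) {
	http.SetCookie(w, auth.ExpireCookie(cookie))
	http.Redirect(w, r, LoginRedirect, http.StatusTemporaryRedirect)
}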
// authorizeRefreshToken checks the request's bearer token as a refresh token
// and returns its session. The session must exist, must not have expired,
// and must outlast the configured access token age (so an access token issued
// from it cannot outlive the session). On any failure ErrUnauthorized is
// written to the client and nil returned; an expired session is also deleted.
func authorizeRefreshToken(ctx Context, w http.ResponseWriter, r *http.Request) *auth.Session {
	tok := getAuthToken(r)
	if tok == "" {
		authErr(w, ErrUnauthorized)
		return nil
	}
	// Refresh tokens are looked up as opaque session tokens, not parsed as JWTs.
	a := ctx.Auth()
	session := a.TokenSession(tok)
	switch {
	case session == nil:
		// no session for this token
	case session.Expired():
		a.DeleteSession(*session)
	case session.Duration() < ctx.Config().Auth.AccessToken.Age:
		// the session would end before a freshly issued access token
	default:
		return session
	}
	authErr(w, ErrUnauthorized)
	return nil
}
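// authorizeRequest authenticates the request with the methods enabled in
// allowed, trying the access token, then the media token, then the session
// cookie, and returns the first user found.
//
// A method that finds no credential on the request is skipped so the next
// one can run. A method that finds a credential and rejects it has already
// written its error response, so the function stops and returns nil rather
// than trying further methods. Note that authorizeCookie treats a missing
// cookie as a rejection (it redirects to the login page), which is why it is
// always tried last. nil is also returned when no enabled method produced a
// user.
func authorizeRequest(ctx Context, w http.ResponseWriter, r *http.Request, allowed bits) *auth.User {
	// The flag parameter is named allowed rather than auth so the auth
	// package is not shadowed inside the body.
	methods := []struct {
		flag bits
		fn   func(Context, http.ResponseWriter, *http.Request) (*auth.User, error)
	}{
		{AllowAccessToken, authorizeAccessToken},
		{AllowMediaToken, authorizeMediaToken},
		{AllowCookie, authorizeCookie},
	}
	for _, m := range methods {
		if allowed&m.flag == 0 {
			continue
		}
		user, err := m.fn(ctx, w, r)
		if user != nil {
			return user
		}
		if err != nil {
			// The method has already reported the failure to the client.
			return nil
		}
	}
	return nil
}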
// refreshTokenAuthHandler wraps handler so it runs only for requests that
// present a valid refresh token. The session found is attached to the request
// context before handler is called; rejected requests have already received
// an auth error from authorizeRefreshToken and handler is not invoked.
func refreshTokenAuthHandler(ctx RequestContext, handler http.HandlerFunc) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		session := authorizeRefreshToken(ctx, w, r)
		if session == nil {
			// error response already written
			return
		}
		sctx := sessionContext(ctx, session)
		handler.ServeHTTP(w, withContext(r, sctx))
	})
}
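// authHandler wraps handler so it runs only for requests that authenticate
// with one of the methods enabled in allowed (see authorizeRequest). The
// authenticated user is attached to the request context via upgradeContext;
// if that fails a server error is written instead of calling handler.
//
// When authorizeRequest returns nil it has normally already answered the
// client (an auth error or the login redirect); the flag sets used in this
// file always include AllowCookie, so an unauthenticated request ends in the
// login redirect rather than an empty response.
func authHandler(ctx RequestContext, handler http.HandlerFunc, allowed bits) http.Handler {
	// The flag parameter is named allowed rather than auth so the auth
	// package is not shadowed inside the closure.
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user := authorizeRequest(ctx, w, r, allowed)
		if user == nil {
			return
		}
		uctx, err := upgradeContext(ctx, user)
		if err != nil {
			serverErr(w, err)
			return
		}
		handler.ServeHTTP(w, withContext(r, uctx))
	})
}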
// mediaTokenAuthHandler guards media requests: a JWT media token or, failing
// that, a session cookie is required before handler runs.
func mediaTokenAuthHandler(ctx RequestContext, handler http.HandlerFunc) http.Handler {
	const allowed = AllowMediaToken | AllowCookie
	return authHandler(ctx, handler, allowed)
}
// accessTokenAuthHandler guards non-media requests: a JWT access token or,
// failing that, a session cookie is required before handler runs.
func accessTokenAuthHandler(ctx RequestContext, handler http.HandlerFunc) http.Handler {
	const allowed = AllowAccessToken | AllowCookie
	return authHandler(ctx, handler, allowed)
}
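// codeTokenAuthHandler wraps handler so it runs only for requests that
// present a valid JWT code token (see authorizeCodeToken). A missing or
// rejected token has already been answered with an auth error, and handler
// is not invoked. The request context is passed through unchanged; no user
// is attached.
func codeTokenAuthHandler(ctx RequestContext, handler http.HandlerFunc) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := authorizeCodeToken(ctx, w, r); err != nil {
			// error response already written
			return
		}
		handler.ServeHTTP(w, withContext(r, ctx))
	})
}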