2019-05-01 14:42:17 +00:00
|
|
|
package auth
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/sha512"
|
2019-05-02 05:54:06 +00:00
|
|
|
"database/sql"
|
2019-05-01 14:42:17 +00:00
|
|
|
"encoding/hex"
|
|
|
|
"log"
|
|
|
|
"strconv"
|
|
|
|
"strings"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"git.xdrm.io/example/aicra/storage"
|
|
|
|
"git.xdrm.io/go/aicra"
|
|
|
|
"git.xdrm.io/go/aicra/api"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Service manages the url shortener
|
|
|
|
type Service struct {
|
2019-05-02 05:54:06 +00:00
|
|
|
storage *sql.DB
|
2019-05-01 14:42:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// New returns a bare service
|
2019-05-02 05:54:06 +00:00
|
|
|
func New(storage *sql.DB) *Service {
|
2019-05-01 14:42:17 +00:00
|
|
|
log.Printf("[service.auth] created")
|
|
|
|
return &Service{
|
|
|
|
storage: storage,
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Wire to the aicra server
|
|
|
|
func (svc *Service) Wire(server *aicra.Server) {
|
|
|
|
log.Printf("[service.auth] wired")
|
|
|
|
server.HandleFunc("POST", "/token", svc.generateToken)
|
|
|
|
}
|
|
|
|
|
|
|
|
// generateToken generates a token valid for 5 mintes
|
|
|
|
func (svc *Service) generateToken(req api.Request, res *api.Response) {
|
|
|
|
|
|
|
|
// 1. extract input
|
|
|
|
role, err := req.Param.GetString("role")
|
|
|
|
if err != nil {
|
2019-05-01 16:54:36 +00:00
|
|
|
res.SetError(api.ErrorInvalidParam(), "role", err.Error())
|
2019-05-01 14:42:17 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// 2. generate token
|
|
|
|
hasher := sha512.New()
|
|
|
|
defer hasher.Reset()
|
|
|
|
hasher.Write([]byte(strconv.FormatInt(time.Now().Unix(), 5)))
|
|
|
|
token := hex.EncodeToString(hasher.Sum(nil))
|
|
|
|
|
|
|
|
// 3. store token
|
|
|
|
if !svc.storage.Set(storage.TOKEN, token, role, 5*time.Minute) {
|
2019-05-01 16:54:36 +00:00
|
|
|
res.SetError(api.ErrorFailure())
|
2019-05-01 14:42:17 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// 4. return data
|
|
|
|
res.Data["token"] = token
|
2019-05-01 16:54:36 +00:00
|
|
|
res.SetError(api.ErrorSuccess())
|
2019-05-01 14:42:17 +00:00
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
// CheckToken returns whether a token is valid
|
|
|
|
func (svc *Service) CheckToken(handler api.HandlerFunc) api.HandlerFunc {
|
|
|
|
return func(req api.Request, res *api.Response) {
|
|
|
|
|
|
|
|
// success if no scope [['admin']]
|
|
|
|
if req.Scope == nil || len(req.Scope) < 1 {
|
|
|
|
handler(req, res)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
headerToken := req.Request.Header.Get("Authorization")
|
|
|
|
|
|
|
|
// fail if invalid header
|
|
|
|
if len(headerToken) != 128 || strings.ContainsAny(headerToken, "$-_") {
|
2019-05-01 16:54:36 +00:00
|
|
|
res.SetError(api.ErrorPermission())
|
2019-05-01 14:42:17 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
tokenRole := svc.storage.Get(storage.TOKEN, headerToken)
|
|
|
|
|
|
|
|
// fail if the role of the token does not match any scope
|
|
|
|
for _, scope := range req.Scope {
|
|
|
|
if scope == nil || len(scope) != 1 {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// success
|
|
|
|
if scope[0] == string(tokenRole) {
|
|
|
|
handler(req, res)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// failure
|
2019-05-01 16:54:36 +00:00
|
|
|
res.SetError(api.ErrorPermission())
|
2019-05-01 14:42:17 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|