softplayer/softplayer-backend
5
0
Fork 0
Code Pull Requests 2 Packages Releases Activity

Token authorization is ready for MVP
All checks were successful
ci/woodpecker/push/build Pipeline was successful
Details

Browse Source 
Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>
This commit is contained in:
Nikolai Rodionov
2026-05-15 14:51:21 +02:00
parent efe9042bdc
commit d954491893
10 changed files with 188 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
api/v1/accounts.go
View File

@@ -48,16 +48,23 @@ func (a *AccountsServer) RefreshToken(ctx context.Context, in *empty.Empty) (*em
return nil, status.Error(codes.Unauthenticated, "Invalid session")
}
accessToken, _, err := a.authorizationCtrl.GenerateToken(session.UserID, controllers.TokenTypeAccess)
accessToken, _, err := a.authorizationCtrl.GenerateToken(&controllers.JWTData{
UserID: claims.UserID,
TokenType: controllers.TokenTypeAccess,
TokenAud: controllers.TokenAudWeb,
})
if err != nil {
return nil, status.Error(codes.Aborted, "Couldn't generate an access token")
}
refreshToken, tokenID, err := a.authorizationCtrl.GenerateToken(session.UserID, controllers.TokenTypeRefresh)
refreshToken, tokenID, err := a.authorizationCtrl.GenerateToken(&controllers.JWTData{
UserID: claims.UserID,
TokenType: controllers.TokenTypeRefresh,
TokenAud: controllers.TokenAudWeb,
})
if err != nil {
return nil, status.Error(codes.Aborted, "Couldn't generate an access token")
}
newSession := &controllers.Session{UserID: session.UserID}
if err := a.authorizationCtrl.SaveSession(ctx, tokenID, newSession); err != nil {

24
api/v1/public_accounts.go
View File

@@ -34,12 +34,20 @@ func (a *PublicAccountService) SignIn(ctx context.Context, in *accounts.SignInRe
if err != nil {
return nil, status.Error(codes.Aborted, "Couldn't create a user")
}
accessToken, _, err := a.authorizationCtrl.GenerateToken(id, controllers.TokenTypeAccess)
accessToken, _, err := a.authorizationCtrl.GenerateToken(&controllers.JWTData{
UserID: id,
TokenType: controllers.TokenTypeAccess,
TokenAud: controllers.TokenAudWeb,
})
if err != nil {
return nil, status.Error(codes.Aborted, "Couldn't generate an access token")
}
refreshToken, tokenID, err := a.authorizationCtrl.GenerateToken(id, controllers.TokenTypeRefresh)
refreshToken, tokenID, err := a.authorizationCtrl.GenerateToken(&controllers.JWTData{
UserID: id,
TokenType: controllers.TokenTypeRefresh,
TokenAud: controllers.TokenAudWeb,
})
if err != nil {
return nil, status.Error(codes.Aborted, "Couldn't generate an access token")
}
@@ -70,12 +78,20 @@ func (a *PublicAccountService) SignUp(ctx context.Context, in *accounts.SignUpRe
return nil, status.Error(codes.Aborted, "Couldn't create a user")
}
accessToken, _, err := a.authorizationCtrl.GenerateToken(id, controllers.TokenTypeAccess)
accessToken, _, err := a.authorizationCtrl.GenerateToken(&controllers.JWTData{
UserID: id,
TokenType: controllers.TokenTypeAccess,
TokenAud: controllers.TokenAudWeb,
})
if err != nil {
return nil, status.Error(codes.Aborted, "Couldn't generate an access token")
}
refreshToken, tokenID, err := a.authorizationCtrl.GenerateToken(id, controllers.TokenTypeRefresh)
refreshToken, tokenID, err := a.authorizationCtrl.GenerateToken(&controllers.JWTData{
UserID: id,
TokenType: controllers.TokenTypeRefresh,
TokenAud: controllers.TokenAudWeb,
})
if err != nil {
return nil, status.Error(codes.Aborted, "Couldn't generate an access token")
}

64
api/v1/public_tokens.go Normal file
View File

@@ -0,0 +1,64 @@
package v1
import (
"context"
"errors"
"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/controllers"
tokens "gitea.badhouseplants.net/softplayer/softplayer-go-proto/pkg/tokens/v1"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/types/known/emptypb"
)
// var _ tokens.PublicTokensServiceServer = (*PublicTokensServer)(nil)
type PublicTokensServer struct {
tokens.UnimplementedPublicTokensServiceServer
tokenCtrl *controllers.TokenController
authorizationCtrl *controllers.AuthController
}
func NewPublicTokensServer(
tokenCtrl *controllers.TokenController,
authorizationCtrl *controllers.AuthController,
) *PublicTokensServer {
return &PublicTokensServer{
tokenCtrl: tokenCtrl,
authorizationCtrl: authorizationCtrl,
}
}
func (srv *PublicTokensServer) AuthenticateWithToken(ctx context.Context, in *tokens.AuthenticateWithTokenRequest) (*emptypb.Empty, error) {
tokenAuthRes, err := srv.tokenCtrl.AuthenticateWithToken(ctx, in.TokenValue.Token)
if err != nil {
if errors.Is(err, controllers.ErrBadToken) {
return nil, status.Error(codes.Unauthenticated, "Token is not valid")
}
if errors.Is(err, controllers.ErrServerError) {
return nil, status.Error(codes.Internal, "Something is broken on our side")
}
return nil, status.Error(codes.Aborted, "Couldn't list tokens")
}
jwtData := &controllers.JWTData{
UserID: tokenAuthRes.UserID,
TokenType: controllers.TokenTypeAccess,
TokenAud: controllers.TokenAudToken,
Scope: tokenAuthRes.Scope,
}
accessToken, _, err := srv.authorizationCtrl.GenerateToken(jwtData)
if err != nil {
return nil, status.Error(codes.Aborted, "Couldn't generate an access token")
}
header := metadata.New(map[string]string{
"X-Access-Token": accessToken,
})
if err := grpc.SetHeader(ctx, header); err != nil {
return nil, status.Error(codes.Aborted, "Couldn't set metadata")
}
return &emptypb.Empty{}, nil
}

16
api/v1/tokens.go
View File

@@ -3,7 +3,6 @@ package v1
import (
"context"
"errors"
"fmt"
"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/controllers"
tokens "gitea.badhouseplants.net/softplayer/softplayer-go-proto/pkg/tokens/v1"
@@ -261,18 +260,3 @@ func (srv *TokensServer) ListPermissions(in *emptypb.Empty, stream grpc.ServerSt
}
return nil
}
func (srv *TokensServer) AuthenticateWithToken(ctx context.Context, in *tokens.AuthenticateWithTokenRequest) (*emptypb.Empty, error) {
scopes, err := srv.tokenCtrl.AuthenticateWithToken(ctx, in.TokenValue.Token)
if err != nil {
if errors.Is(err, controllers.ErrBadToken) {
return nil, status.Error(codes.Unauthenticated, "Token is not valid")
}
if errors.Is(err, controllers.ErrServerError) {
return nil, status.Error(codes.Internal, "Something is broken on our side")
}
return nil, status.Error(codes.Aborted, "Couldn't list tokens")
}
fmt.Println(scopes)
return nil, nil
}

13
cmd/server.go
View File

@@ -67,7 +67,7 @@ func (cmd *Server) Run(ctx context.Context) error {
Addr: cmd.RedisHost,
})
authInterceptor := controllers.NewAuthController(
authController := controllers.NewAuthController(
[]byte(cmd.JWTSecret),
cmd.AccessTokenTTL,
cmd.RefrestTokenTTL,
@@ -79,14 +79,14 @@ func (cmd *Server) Run(ctx context.Context) error {
grpc_zap.UnaryServerInterceptor(logger.SetupLogger("info")),
// jwtVerifier.JWTAuthInterceptor,
selector.UnaryServerInterceptor(
auth.UnaryServerInterceptor(authInterceptor.AuthInterceptorFN),
auth.UnaryServerInterceptor(authController.AuthInterceptorFN),
selector.MatchFunc(selectorRequireAuth),
),
),
grpc.ChainStreamInterceptor(
grpc_zap.StreamServerInterceptor(logger.SetupLogger("info")),
selector.StreamServerInterceptor(
auth.StreamServerInterceptor(authInterceptor.AuthInterceptorFN),
auth.StreamServerInterceptor(authController.AuthInterceptorFN),
selector.MatchFunc(selectorRequireAuth),
),
),
@@ -113,11 +113,12 @@ func (cmd *Server) Run(ctx context.Context) error {
}
// Services that should be accessible for tokens should go here
accounts.RegisterAccountsServiceServer(grpcServer, v1.NewAccountServer(accountCtrl, authInterceptor))
accounts.RegisterAccountsServiceServer(grpcServer, v1.NewAccountServer(accountCtrl, authController))
test.RegisterTestServiceServer(grpcServer, v1.NewTestServer())
test.RegisterPublicTestServiceServer(grpcServer, v1.NewPublicTestServer())
tokens.RegisterTokensServiceServer(grpcServer, v1.NewTokensServer(tokenCtrl, authInterceptor))
accounts.RegisterPublicAccountsServiceServer(grpcServer, v1.NewPublicAccountServer(accountCtrl, authInterceptor))
tokens.RegisterTokensServiceServer(grpcServer, v1.NewTokensServer(tokenCtrl, authController))
tokens.RegisterPublicTokensServiceServer(grpcServer, v1.NewPublicTokensServer(tokenCtrl, authController))
accounts.RegisterPublicAccountsServiceServer(grpcServer, v1.NewPublicAccountServer(accountCtrl, authController))
info := grpcServer.GetServiceInfo()
tokenCtrl.SetGRPCInfo(info)

2
go.mod
View File

@@ -39,7 +39,7 @@ require (
)
require (
gitea.badhouseplants.net/softplayer/softplayer-go-proto v0.0.0-20260514173933-48bddcf5c686
gitea.badhouseplants.net/softplayer/softplayer-go-proto v0.0.0-20260515083721-50411957979f
github.com/golang/protobuf v1.5.4
golang.org/x/net v0.49.0 // indirect
golang.org/x/sys v0.40.0 // indirect

4
go.sum
View File

@@ -2,8 +2,8 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
cloud.google.com/go v0.121.6 h1:waZiuajrI28iAf40cWgycWNgaXPO06dupuS+sgibK6c=
cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
gitea.badhouseplants.net/softplayer/softplayer-go-proto v0.0.0-20260514173933-48bddcf5c686 h1:tOSfg7VeD0Xq2NhVQblSiWGICvSH8RWfaaPH7mCvw0Y=
gitea.badhouseplants.net/softplayer/softplayer-go-proto v0.0.0-20260514173933-48bddcf5c686/go.mod h1:AgOh1lkPHyRgBf3/s1btKcAqke/33LbKYarTD13qeAg=
gitea.badhouseplants.net/softplayer/softplayer-go-proto v0.0.0-20260515083721-50411957979f h1:o+GpCFtuw59LrWw9ZkWQOXhQxJjLaJYM+uZm0gdtrRI=
gitea.badhouseplants.net/softplayer/softplayer-go-proto v0.0.0-20260515083721-50411957979f/go.mod h1:AgOh1lkPHyRgBf3/s1btKcAqke/33LbKYarTD13qeAg=
github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=

59
internal/controllers/authorization.go
View File

@@ -5,6 +5,7 @@ import (
"encoding/json"
"errors"
"fmt"
"slices"
"strings"
"time"
@@ -22,6 +23,8 @@ type TokenType string
const (
TokenTypeAccess TokenType = "access"
TokenTypeRefresh TokenType = "refresh"
TokenAudToken string = "token"
TokenAudWeb string = "web"
)
var (
@@ -33,6 +36,7 @@ type Claims struct {
UserID string `json:"user_id"`
TokenID string `json:"token_id"`
TokenType TokenType `json:"token_type"`
Scope string `json:"scope,omitempty"`
jwt.RegisteredClaims
}
@@ -56,6 +60,13 @@ func NewAuthController(jwtSecret []byte, accessTTL, refreshTTL time.Duration, re
}
}
type JWTData struct {
UserID string
TokenType TokenType
TokenAud string
Scope string
}
// Write claims into context
func (a *AuthController) WithClaims(ctx context.Context, claims *Claims) context.Context {
return context.WithValue(ctx, claimsContextKey, claims)
@@ -87,15 +98,43 @@ func (a *AuthController) AuthInterceptorFN(ctx context.Context) (context.Context
}
}
// If it's a cli token, we need to check the scope
if slices.Contains(claims.Audience, TokenAudToken) {
currentMethod, ok := grpc.Method(ctx)
if !ok {
return nil, errors.New("unknown method")
}
scopeMap := map[string][]string{}
if err := json.Unmarshal([]byte(claims.Scope), &scopeMap); err != nil {
return nil, ErrServerError
}
allowed := isAllowed(scopeMap, currentMethod)
if !allowed {
return nil, errors.New("not authorized")
}
}
ctx = a.WithClaims(ctx, claims)
return ctx, nil
}
func isAllowed(scope map[string][]string, currentMethod string) bool {
for service, methods := range scope {
for _, method := range methods {
if fmt.Sprintf("/%s/%s", service, method) == currentMethod {
return true
}
}
}
return false
}
// Generate JWT token
func (a *AuthController) GenerateToken(userID string, tokenType TokenType) (token, tokenID string, err error) {
func (a *AuthController) GenerateToken(data *JWTData) (token, tokenID string, err error) {
var expiresAt time.Time
notBefore := time.Now()
switch tokenType {
switch data.TokenType {
case TokenTypeAccess:
expiresAt = time.Now().Add(a.accessTTL)
case TokenTypeRefresh:
@@ -103,25 +142,25 @@ func (a *AuthController) GenerateToken(userID string, tokenType TokenType) (toke
default:
return "", "", ErrUnknownTokenType
}
if tokenType != TokenTypeAccess && tokenType != TokenTypeRefresh {
return "", "", ErrUnknownTokenType
}
tokenID = uuid.New().String()
claims := Claims{
UserID: userID,
UserID: data.UserID,
TokenID: tokenID,
TokenType: tokenType,
TokenType: data.TokenType,
Scope: data.Scope,
RegisteredClaims: jwt.RegisteredClaims{
Issuer: "",
Subject: "",
Audience: jwt.ClaimStrings{},
Subject: data.UserID,
Audience: jwt.ClaimStrings{data.TokenAud},
ExpiresAt: jwt.NewNumericDate(expiresAt),
NotBefore: jwt.NewNumericDate(notBefore),
IssuedAt: jwt.NewNumericDate(time.Now()),
ID: userID,
ID: tokenID,
},
}
tokenJwt := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
token, err = tokenJwt.SignedString(a.jwtSecret)
if err != nil {

20
internal/controllers/authorization_test.go
View File

@@ -16,16 +16,26 @@ var (
)
func TestGenerateInvalidTokenType(t *testing.T) {
data := &controllers.JWTData{
UserID: testUserID,
TokenType: "invalid_type",
}
authCtrl := controllers.NewAuthController([]byte("test"), testAccessTTL, testRefreshTTL, nil)
token, _, err := authCtrl.GenerateToken(testUserID, "invalid_type")
token, _, err := authCtrl.GenerateToken(data)
assert.Equal(t, "", token)
assert.ErrorIs(t, controllers.ErrUnknownTokenType, err)
}
func TestGenerateValidateAccessToken(t *testing.T) {
data := &controllers.JWTData{
UserID: testUserID,
TokenType: controllers.TokenTypeAccess,
}
authCtrl := controllers.NewAuthController([]byte("test"), testAccessTTL, testRefreshTTL, nil)
now := time.Now()
token, _, err := authCtrl.GenerateToken(testUserID, controllers.TokenTypeAccess)
token, _, err := authCtrl.GenerateToken(data)
assert.NoError(t, err)
assert.NotEmpty(t, token)
@@ -40,9 +50,13 @@ func TestGenerateValidateAccessToken(t *testing.T) {
}
func TestGenerateValidateRefreshToken(t *testing.T) {
data := &controllers.JWTData{
UserID: testUserID,
TokenType: controllers.TokenTypeRefresh,
}
authCtrl := controllers.NewAuthController([]byte("test"), testAccessTTL, testRefreshTTL, nil)
now := time.Now()
token, _, err := authCtrl.GenerateToken(testUserID, controllers.TokenTypeRefresh)
token, _, err := authCtrl.GenerateToken(data)
assert.NoError(t, err)
assert.NotEmpty(t, token)

31
internal/controllers/tokens.go
View File

@@ -330,22 +330,27 @@ func shouldSkip(s string, rules []rule) bool {
return false
}
func (ctrl *TokenController) AuthenticateWithToken(ctx context.Context, token string) (map[string][]string, error) {
type TokenAuthResult struct {
UserID string
Scope string
}
func (ctrl *TokenController) AuthenticateWithToken(ctx context.Context, token string) (*TokenAuthResult, error) {
log := logger.FromContext(ctx)
log.V(2).Info("Authenticating with a token")
query := `
SELECT scopes, expires_at, revoked_at
SELECT user_id, scopes, expires_at, revoked_at
FROM tokens
WHERE token_hash = $1`
var userID string
var expiresAt sql.NullTime
var revokedAt sql.NullTime
var scopes string
fmt.Println(hashSHA256(token))
fmt.Println(hashSHA256(token))
var scope string
if err := ctrl.DB.QueryRowContext(ctx, query, hashSHA256(token)).Scan(
&scopes,
&userID,
&scope,
&expiresAt,
&revokedAt,
); err != nil {
@@ -356,20 +361,20 @@ func (ctrl *TokenController) AuthenticateWithToken(ctx context.Context, token st
return nil, ErrServerError
}
if !revokedAt.Valid {
if revokedAt.Valid {
return nil, ErrBadToken
}
if expiresAt.Time.After(time.Now()) {
if expiresAt.Time.Before(time.Now()) {
return nil, ErrBadToken
}
scopesMap := map[string][]string{}
if err := json.Unmarshal([]byte(scopes), scopesMap); err != nil {
return nil, ErrServerError
result := &TokenAuthResult{
UserID: userID,
Scope: scope,
}
return scopesMap, nil
return result, nil
}
func hashSHA256(s string) string {