Start adding token auth

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>

api/v1/tokens.go

@@ -3,6 +3,7 @@ package v1
 import (
 	"context"
 	"errors"
+	"fmt"
 
 	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/controllers"
 	tokens "gitea.badhouseplants.net/softplayer/softplayer-go-proto/pkg/tokens/v1"
@@ -78,6 +79,13 @@ func (srv *TokensServer) ForceTokenExpiration(ctx context.Context, in *tokens.Fo
 		return nil, status.Error(codes.Aborted, "Context is invalid")
 	}
 
+	if err := srv.tokenCtrl.VerifyTokenOwner(ctx, claims.UserID, in.TokenUuid.Uuid); err != nil {
+		if errors.Is(err, controllers.ErrServerError) {
+			return nil, status.Error(codes.Internal, "Something is broken on our side")
+		}
+		return nil, status.Error(codes.Aborted, "User is now allowed to manipulate this token")
+	}
+
 	if err := srv.tokenCtrl.ForceExpiration(ctx, in.TokenUuid.GetUuid()); err != nil {
 		if errors.Is(err, controllers.ErrServerError) {
 			return nil, status.Error(codes.Internal, "Something is broken on our side")
@@ -96,6 +104,12 @@ func (srv *TokensServer) GetToken(ctx context.Context, in *tokens.GetTokenReques
 	if claims.UserID == "" {
 		return nil, status.Error(codes.Aborted, "Context is invalid")
 	}
+	if err := srv.tokenCtrl.VerifyTokenOwner(ctx, claims.UserID, in.TokenUuid.Uuid); err != nil {
+		if errors.Is(err, controllers.ErrServerError) {
+			return nil, status.Error(codes.Internal, "Something is broken on our side")
+		}
+		return nil, status.Error(codes.Aborted, "User is now allowed to manipulate this token")
+	}
 
 	token, err := srv.tokenCtrl.Get(ctx, in.TokenUuid.Uuid, claims.UserID)
 	if err != nil {
@@ -168,6 +182,12 @@ func (srv *TokensServer) RegenerateToken(ctx context.Context, in *tokens.Regener
 	if claims.UserID == "" {
 		return nil, status.Error(codes.Aborted, "Context is invalid")
 	}
+	if err := srv.tokenCtrl.VerifyTokenOwner(ctx, claims.UserID, in.TokenUuid.Uuid); err != nil {
+		if errors.Is(err, controllers.ErrServerError) {
+			return nil, status.Error(codes.Internal, "Something is broken on our side")
+		}
+		return nil, status.Error(codes.Aborted, "User is now allowed to manipulate this token")
+	}
 
 	tokenVal, err := srv.tokenCtrl.Regenerate(ctx, in.TokenUuid.GetUuid())
 	if err != nil {
@@ -193,6 +213,12 @@ func (srv *TokensServer) UpdateToken(ctx context.Context, in *tokens.UpdateToken
 		return nil, status.Error(codes.Aborted, "Context is invalid")
 	}
 
+	if err := srv.tokenCtrl.VerifyTokenOwner(ctx, claims.UserID, in.TokenUuid.Uuid); err != nil {
+		if errors.Is(err, controllers.ErrServerError) {
+			return nil, status.Error(codes.Internal, "Something is broken on our side")
+		}
+		return nil, status.Error(codes.Aborted, "User is now allowed to manipulate this token")
+	}
 	if in.TokenPermissions == nil {
 		return nil, status.Error(codes.InvalidArgument, "Permissions must be set")
 	}
@@ -235,3 +261,18 @@ func (srv *TokensServer) ListPermissions(in *emptypb.Empty, stream grpc.ServerSt
 	}
 	return nil
 }
+
+func (srv *TokensServer) AuthenticateWithToken(ctx context.Context, in *tokens.AuthenticateWithTokenRequest) (*emptypb.Empty, error) {
+	scopes, err := srv.tokenCtrl.AuthenticateWithToken(ctx, in.TokenValue.Token)
+	if err != nil {
+		if errors.Is(err, controllers.ErrBadToken) {
+			return nil, status.Error(codes.Unauthenticated, "Token is not valid")
+		}
+		if errors.Is(err, controllers.ErrServerError) {
+			return nil, status.Error(codes.Internal, "Something is broken on our side")
+		}
+		return nil, status.Error(codes.Aborted, "Couldn't list tokens")
+	}
+	fmt.Println(scopes)
+	return nil, nil
+}

cmd/server.go

@@ -99,6 +99,7 @@ func (cmd *Server) Run(ctx context.Context) error {
 	tokenCtrl := &controllers.TokenController{
 		DB:       db,
 		HashCost: cmd.HashCost,
+		Redis:    rdb,
 	}
 
 	accountCtrl := &controllers.AccountController{
@@ -136,6 +137,7 @@ func selectorRequireAuth(ctx context.Context, callMeta interceptors.CallMeta) bo
 		return false
 	}
 	serviceName := serviceParts[len(serviceParts)-1]
+	fmt.Println(serviceName)
 
 	if strings.HasPrefix(serviceName, "Public") {
 		return false
@@ -145,5 +147,9 @@ func selectorRequireAuth(ctx context.Context, callMeta interceptors.CallMeta) bo
 		return false
 	}
 
+	if strings.Contains(callMeta.Method, "AuthenticateWithToken") {
+		return false
+	}
+
 	return true
 }

go.mod

@@ -3,7 +3,6 @@ module gitea.badhouseplants.net/softplayer/softplayer-backend
 go 1.25.9
 
 require (
-	github.com/alecthomas/assert/v2 v2.11.0
 	github.com/alecthomas/kong v1.15.0
 	github.com/db-operator/can-haz-password v0.1.1
 	github.com/go-logr/logr v1.4.3
@@ -21,12 +20,10 @@ require (
 )
 
 require (
-	github.com/alecthomas/repr v0.5.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/geozelot/intree v1.0.0 // indirect
-	github.com/hexops/gotextdiff v1.0.3 // indirect
 	github.com/kr/pretty v0.3.1 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
@@ -42,7 +39,7 @@ require (
 )
 
 require (
-	gitea.badhouseplants.net/softplayer/softplayer-go-proto v0.0.0-20260514152254-9c02001a83fd
+	gitea.badhouseplants.net/softplayer/softplayer-go-proto v0.0.0-20260514173933-48bddcf5c686
 	github.com/golang/protobuf v1.5.4
 	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/sys v0.40.0 // indirect

go.sum

@@ -2,8 +2,8 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMT
 cloud.google.com/go v0.121.6 h1:waZiuajrI28iAf40cWgycWNgaXPO06dupuS+sgibK6c=
 cloud.google.com/go/compute/metadata v0.9.0 h1:pDUj4QMoPejqq20dK0Pg2N4yG9zIkYGdBtwLoEkH9Zs=
 cloud.google.com/go/compute/metadata v0.9.0/go.mod h1:E0bWwX5wTnLPedCKqk3pJmVgCBSM6qQI1yTBdEb3C10=
-gitea.badhouseplants.net/softplayer/softplayer-go-proto v0.0.0-20260514152254-9c02001a83fd h1:Qzvr5tAI909J38KNlx3KknzBAgXy5ZJS+0qzvRh/FGI=
-gitea.badhouseplants.net/softplayer/softplayer-go-proto v0.0.0-20260514152254-9c02001a83fd/go.mod h1:AgOh1lkPHyRgBf3/s1btKcAqke/33LbKYarTD13qeAg=
+gitea.badhouseplants.net/softplayer/softplayer-go-proto v0.0.0-20260514173933-48bddcf5c686 h1:tOSfg7VeD0Xq2NhVQblSiWGICvSH8RWfaaPH7mCvw0Y=
+gitea.badhouseplants.net/softplayer/softplayer-go-proto v0.0.0-20260514173933-48bddcf5c686/go.mod h1:AgOh1lkPHyRgBf3/s1btKcAqke/33LbKYarTD13qeAg=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=

internal/controllers/tokens.go

@@ -2,16 +2,21 @@ package controllers
 
 import (
 	"context"
+	"crypto/sha256"
 	"database/sql"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"regexp"
+	"testing"
 	"time"
 
-	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/hash"
 	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/logger"
 	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/token"
 	"github.com/google/uuid"
+	"github.com/redis/go-redis/v9"
+	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc"
 )
 
@@ -20,6 +25,7 @@ type TokenController struct {
 	HashCost    int16
 	ServiceInfo map[string]grpc.ServiceInfo
 	rules       []rule
+	Redis       *redis.Client
 }
 
 // Services that are not available for tokens
@@ -27,7 +33,9 @@ var DisabledServicesRegex = []string{".*Accounts.*", ".*Tokens.*"}
 
 // Errors
 var (
-	ErrServerError = errors.New("internal server error")
+	ErrServerError       = errors.New("internal server error")
+	ErrUserTokenMismatch = errors.New("user doesn't match the token")
+	ErrBadToken          = errors.New("bad token")
 )
 
 type TokenData struct {
@@ -58,6 +66,36 @@ func (ctrl *TokenController) SetRules() {
 	ctrl.rules = rules
 }
 
+// Each token operation must first verify that the current user
+// is allowed to manipulate the token.
+func (ctrl *TokenController) VerifyTokenOwner(ctx context.Context, userID, tokenID string) error {
+	log := logger.FromContext(ctx).WithValues("uuid", tokenID, "user_id", userID)
+	log.V(2).Info("Verifying the token owner")
+
+	// First try to get from the redis
+	redisKey := fmt.Sprintf("token:%s", tokenID)
+	realUserID := ctrl.Redis.Get(ctx, redisKey).Val()
+	// If not found in cache, get from postgres
+	if realUserID == "" {
+		query := "SELECT user_id FROM tokens WHERE uuid = $1;"
+		if err := ctrl.DB.QueryRowContext(ctx, query, tokenID).Scan(
+			&realUserID,
+		); err != nil {
+			log.Error(err, "Couldn't get user_id for a token")
+			return ErrServerError
+		}
+	}
+
+	if realUserID != userID {
+		return ErrUserTokenMismatch
+	}
+	err := ctrl.Redis.Set(ctx, redisKey, realUserID, time.Hour)
+	if err != nil {
+		log.Info("Couldn't write to cache", "error", err)
+	}
+	return nil
+}
+
 // Create a new token, store its hash in the database and return the token value
 func (ctrl *TokenController) Create(ctx context.Context, data *TokenData) (string, error) {
 	id := uuid.NewString()
@@ -70,11 +108,7 @@ func (ctrl *TokenController) Create(ctx context.Context, data *TokenData) (strin
 		return "", ErrServerError
 	}
 
-	tokenHash, err := hash.HashPassword(tokenValue, int(ctrl.HashCost))
-	if err != nil {
-		log.Error(err, "Couldn't calculate token hash")
-		return "", ErrServerError
-	}
+	tokenHash := hashSHA256(tokenValue)
 
 	scopesJson, err := json.Marshal(data.Scopes)
 	if err != nil {
@@ -121,8 +155,6 @@ func (ctrl *TokenController) Update(ctx context.Context, data *TokenData) error
 		return ErrServerError
 	}
 
-	data, err := ctrl.Get(ctx, , id string, userID string)
-
 	return nil
 }
 
@@ -151,11 +183,7 @@ func (ctrl *TokenController) Regenerate(ctx context.Context, id string) (string,
 		return "", ErrServerError
 	}
 
-	tokenHash, err := hash.HashPassword(tokenValue, int(ctrl.HashCost))
-	if err != nil {
-		log.Error(err, "Couldn't calculate token hash")
-		return "", ErrServerError
-	}
+	tokenHash := hashSHA256(tokenValue)
 
 	query := `
 	UPDATE tokens 
@@ -301,3 +329,57 @@ func shouldSkip(s string, rules []rule) bool {
 	}
 	return false
 }
+
+func (ctrl *TokenController) AuthenticateWithToken(ctx context.Context, token string) (map[string][]string, error) {
+	log := logger.FromContext(ctx)
+	log.V(2).Info("Authenticating with a token")
+
+	query := `
+	SELECT scopes, expires_at, revoked_at
+	FROM tokens
+	WHERE token_hash = $1`
+
+	var expiresAt sql.NullTime
+	var revokedAt sql.NullTime
+	var scopes string
+	fmt.Println(hashSHA256(token))
+	fmt.Println(hashSHA256(token))
+	if err := ctrl.DB.QueryRowContext(ctx, query, hashSHA256(token)).Scan(
+		&scopes,
+		&expiresAt,
+		&revokedAt,
+	); err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, err
+		}
+		log.Error(err, "Couldn't find a token")
+		return nil, ErrServerError
+	}
+
+	if !revokedAt.Valid {
+		return nil, ErrBadToken
+	}
+
+	if expiresAt.Time.After(time.Now()) {
+		return nil, ErrBadToken
+	}
+
+	scopesMap := map[string][]string{}
+
+	if err := json.Unmarshal([]byte(scopes), scopesMap); err != nil {
+		return nil, ErrServerError
+	}
+	return scopesMap, nil
+}
+
+func hashSHA256(s string) string {
+	hash := sha256.Sum256([]byte(s))
+	return hex.EncodeToString(hash[:])
+}
+
+func TestUnitHashPersistence(t *testing.T) {
+	password := "qwertyu9"
+	hash1 := hashSHA256(password)
+	hash2 := hashSHA256(password)
+	assert.Equal(t, hash1, hash2)
+}

internal/helpers/hash/hash_test.go

@@ -4,17 +4,17 @@ import (
 	"testing"
 
 	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/hash"
-	"github.com/alecthomas/assert/v2"
+	"github.com/stretchr/testify/assert"
 )
 
-func TestHashValid(t *testing.T) {
+func TestUnitHashValid(t *testing.T) {
 	password := "qwertyu9"
 	hpass, err := hash.HashPassword(password, 10)
 	assert.NoError(t, err)
 	assert.NoError(t, hash.CheckPasswordHash(password, hpass))
 }
 
-func TestHashInvalid(t *testing.T) {
+func TestUnitHashInvalid(t *testing.T) {
 	password := "qwertyu9"
 	invhash := "qwertyu9"
 	assert.Error(t, hash.CheckPasswordHash(password, invhash))