Start adding token auth

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>

internal/controllers/tokens.go

@@ -2,16 +2,21 @@ package controllers
 
 import (
 	"context"
+	"crypto/sha256"
 	"database/sql"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"regexp"
+	"testing"
 	"time"
 
-	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/hash"
 	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/logger"
 	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/token"
 	"github.com/google/uuid"
+	"github.com/redis/go-redis/v9"
+	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc"
 )
 
@@ -20,6 +25,7 @@ type TokenController struct {
 	HashCost    int16
 	ServiceInfo map[string]grpc.ServiceInfo
 	rules       []rule
+	Redis       *redis.Client
 }
 
 // Services that are not available for tokens
@@ -27,7 +33,9 @@ var DisabledServicesRegex = []string{".*Accounts.*", ".*Tokens.*"}
 
 // Errors
 var (
-	ErrServerError = errors.New("internal server error")
+	ErrServerError       = errors.New("internal server error")
+	ErrUserTokenMismatch = errors.New("user doesn't match the token")
+	ErrBadToken          = errors.New("bad token")
 )
 
 type TokenData struct {
@@ -58,6 +66,36 @@ func (ctrl *TokenController) SetRules() {
 	ctrl.rules = rules
 }
 
+// Each token operation must first verify that the current user
+// is allowed to manipulate the token.
+func (ctrl *TokenController) VerifyTokenOwner(ctx context.Context, userID, tokenID string) error {
+	log := logger.FromContext(ctx).WithValues("uuid", tokenID, "user_id", userID)
+	log.V(2).Info("Verifying the token owner")
+
+	// First try to get from the redis
+	redisKey := fmt.Sprintf("token:%s", tokenID)
+	realUserID := ctrl.Redis.Get(ctx, redisKey).Val()
+	// If not found in cache, get from postgres
+	if realUserID == "" {
+		query := "SELECT user_id FROM tokens WHERE uuid = $1;"
+		if err := ctrl.DB.QueryRowContext(ctx, query, tokenID).Scan(
+			&realUserID,
+		); err != nil {
+			log.Error(err, "Couldn't get user_id for a token")
+			return ErrServerError
+		}
+	}
+
+	if realUserID != userID {
+		return ErrUserTokenMismatch
+	}
+	err := ctrl.Redis.Set(ctx, redisKey, realUserID, time.Hour)
+	if err != nil {
+		log.Info("Couldn't write to cache", "error", err)
+	}
+	return nil
+}
+
 // Create a new token, store its hash in the database and return the token value
 func (ctrl *TokenController) Create(ctx context.Context, data *TokenData) (string, error) {
 	id := uuid.NewString()
@@ -70,11 +108,7 @@ func (ctrl *TokenController) Create(ctx context.Context, data *TokenData) (strin
 		return "", ErrServerError
 	}
 
-	tokenHash, err := hash.HashPassword(tokenValue, int(ctrl.HashCost))
-	if err != nil {
-		log.Error(err, "Couldn't calculate token hash")
-		return "", ErrServerError
-	}
+	tokenHash := hashSHA256(tokenValue)
 
 	scopesJson, err := json.Marshal(data.Scopes)
 	if err != nil {
@@ -121,8 +155,6 @@ func (ctrl *TokenController) Update(ctx context.Context, data *TokenData) error
 		return ErrServerError
 	}
 
-	data, err := ctrl.Get(ctx, , id string, userID string)
-
 	return nil
 }
 
@@ -151,11 +183,7 @@ func (ctrl *TokenController) Regenerate(ctx context.Context, id string) (string,
 		return "", ErrServerError
 	}
 
-	tokenHash, err := hash.HashPassword(tokenValue, int(ctrl.HashCost))
-	if err != nil {
-		log.Error(err, "Couldn't calculate token hash")
-		return "", ErrServerError
-	}
+	tokenHash := hashSHA256(tokenValue)
 
 	query := `
 	UPDATE tokens 
@@ -301,3 +329,57 @@ func shouldSkip(s string, rules []rule) bool {
 	}
 	return false
 }
+
+func (ctrl *TokenController) AuthenticateWithToken(ctx context.Context, token string) (map[string][]string, error) {
+	log := logger.FromContext(ctx)
+	log.V(2).Info("Authenticating with a token")
+
+	query := `
+	SELECT scopes, expires_at, revoked_at
+	FROM tokens
+	WHERE token_hash = $1`
+
+	var expiresAt sql.NullTime
+	var revokedAt sql.NullTime
+	var scopes string
+	fmt.Println(hashSHA256(token))
+	fmt.Println(hashSHA256(token))
+	if err := ctrl.DB.QueryRowContext(ctx, query, hashSHA256(token)).Scan(
+		&scopes,
+		&expiresAt,
+		&revokedAt,
+	); err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, err
+		}
+		log.Error(err, "Couldn't find a token")
+		return nil, ErrServerError
+	}
+
+	if !revokedAt.Valid {
+		return nil, ErrBadToken
+	}
+
+	if expiresAt.Time.After(time.Now()) {
+		return nil, ErrBadToken
+	}
+
+	scopesMap := map[string][]string{}
+
+	if err := json.Unmarshal([]byte(scopes), scopesMap); err != nil {
+		return nil, ErrServerError
+	}
+	return scopesMap, nil
+}
+
+func hashSHA256(s string) string {
+	hash := sha256.Sum256([]byte(s))
+	return hex.EncodeToString(hash[:])
+}
+
+func TestUnitHashPersistence(t *testing.T) {
+	password := "qwertyu9"
+	hash1 := hashSHA256(password)
+	hash2 := hashSHA256(password)
+	assert.Equal(t, hash1, hash2)
+}

internal/helpers/hash/hash_test.go

@@ -4,17 +4,17 @@ import (
 	"testing"
 
 	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/hash"
-	"github.com/alecthomas/assert/v2"
+	"github.com/stretchr/testify/assert"
 )
 
-func TestHashValid(t *testing.T) {
+func TestUnitHashValid(t *testing.T) {
 	password := "qwertyu9"
 	hpass, err := hash.HashPassword(password, 10)
 	assert.NoError(t, err)
 	assert.NoError(t, hash.CheckPasswordHash(password, hpass))
 }
 
-func TestHashInvalid(t *testing.T) {
+func TestUnitHashInvalid(t *testing.T) {
 	password := "qwertyu9"
 	invhash := "qwertyu9"
 	assert.Error(t, hash.CheckPasswordHash(password, invhash))