softplayer-backend/internal/controllers/tokens.go

package controllers

import (
	"context"
	"database/sql"
	"encoding/json"
	"errors"
	"regexp"
	"time"

	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/hash"
	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/logger"
	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/token"
	"github.com/google/uuid"
	"google.golang.org/grpc"
)

type TokenController struct {
	DB          *sql.DB
	HashCost    int16
	ServiceInfo map[string]grpc.ServiceInfo
	rules       []rule
}

// Services that are not available for tokens
var DisabledServicesRegex = []string{".*Accounts.*", ".*Tokens.*"}

// Errors
var (
	ErrServerError = errors.New("internal server error")
)

type TokenData struct {
	UUID        string
	Name        string
	UserID      string
	CreatedAt   time.Time
	LastUserAt  time.Time
	RevokedAt   time.Time
	ExpiresAt   time.Time
	GeneratedAt time.Time
	Scopes      map[string][]string
}

type Scopes struct{}

// Set the grpc info, must happen after all the service are initialized
func (ctrl *TokenController) SetGRPCInfo(info map[string]grpc.ServiceInfo) {
	ctrl.ServiceInfo = info
}

func (ctrl *TokenController) SetRules() {
	rules := []rule{
		{re: regexp.MustCompile(`.*Tokens.*`)},
		{re: regexp.MustCompile(`.*Accounts.*`)},
		{re: regexp.MustCompile(`.*Reflection.*`)},
	}
	ctrl.rules = rules
}

// Create a new token, store its hash in the database and return the token value
func (ctrl *TokenController) Create(ctx context.Context, data *TokenData) (string, error) {
	id := uuid.NewString()
	log := logger.FromContext(ctx).WithValues("uuid", id)
	log.V(2).Info("Creating a new token")

	tokenValue, err := token.GenerateToken()
	if err != nil {
		log.Error(err, "Couldn't create a token")
		return "", ErrServerError
	}

	tokenHash, err := hash.HashPassword(tokenValue, int(ctrl.HashCost))
	if err != nil {
		log.Error(err, "Couldn't calculate token hash")
		return "", ErrServerError
	}

	scopesJson, err := json.Marshal(data.Scopes)
	if err != nil {
		log.Error(err, "Couldn't marshal permissions into json")
		return "", ErrServerError
	}

	query := `
	INSERT INTO tokens (uuid, token_hash, user_id, scopes, created_at, generated_at, expires_at) 
	VALUES ($1, $2, $3, $4, $5, $6, $7)`

	if _, err := ctrl.DB.Query(
		query,
		id,
		tokenHash,
		data.UserID,
		scopesJson,
		time.Now(),
		time.Now(),
		data.ExpiresAt,
	); err != nil {
		log.Error(err, "Couldn't insert a token in the database")
		return "", ErrServerError
	}

	return tokenValue, nil
}

// Update token name or permissions, other changes are ignored by this method
func (ctrl *TokenController) Update(ctx context.Context, data *TokenData) error {
	log := logger.FromContext(ctx).WithValues("uuid", data.UUID)
	log.V(2).Info("Updating a token")

	scopesJson, err := json.Marshal(data.Scopes)
	if err != nil {
		log.Error(err, "Couldn't marshal permissions into json")
		return ErrServerError
	}

	query := "UPDATE tokens SET name = $1, scopes = $2 WHERE uuid = $3;"
	if _, err := ctrl.DB.Query(query, data.Name, scopesJson, data.UUID); err != nil {
		log.Error(err, "Couldn't update a token in the database")
		return ErrServerError
	}

	return nil
}

// ForceExpiration of a token, so it can no longer be used
func (ctrl *TokenController) ForceExpiration(ctx context.Context, id string) error {
	log := logger.FromContext(ctx).WithValues("uuid", id)
	log.V(2).Info("Forcing a token expiration")

	query := "UPDATE tokens SET revoked_at = $1 WHERE uuid = $2;"
	if _, err := ctrl.DB.Query(query, time.Now(), id); err != nil {
		log.Error(err, "Couldn't update a token in the database")
		return ErrServerError
	}

	return nil
}

// Regenerate a token and get a new value
func (ctrl *TokenController) Regenerate(ctx context.Context, id string) (string, error) {
	log := logger.FromContext(ctx).WithValues("uuid", id)
	log.V(2).Info("Regenerating a token")

	tokenValue, err := token.GenerateToken()
	if err != nil {
		log.Error(err, "Couldn't create a token")
		return "", ErrServerError
	}

	tokenHash, err := hash.HashPassword(tokenValue, int(ctrl.HashCost))
	if err != nil {
		log.Error(err, "Couldn't calculate token hash")
		return "", ErrServerError
	}

	query := `
	UPDATE tokens 
	SET 
		token_hash = $1,
		generated_at = $2,
		expires_at = NOW() + (expires_at - generated_at),
	WHERE uuid = $3;`

	if _, err := ctrl.DB.Query(query, tokenHash, time.Now(), id); err != nil {
		log.Error(err, "Couldn't insert a token in the database")
		return "", ErrServerError
	}

	return "", nil
}

// Get an existing token data
func (ctrl *TokenController) Get(ctx context.Context, uuid string) error {
	return nil
}

// List all available token
func (ctrl *TokenController) List(ctx context.Context, userID string) ([]TokenData, error) {
	log := logger.FromContext(ctx).WithValues("user_id", userID)
	log.V(2).Info("Regenerating a token")

	result := []TokenData{}

	query := `
		SELECT uuid, name, generated_at, expires_at
		FROM tokens
		WHERE user_id = $1`

	rows, err := ctrl.DB.QueryContext(ctx, query, userID)
	if err != nil {
		log.Error(err, "Couldn't list tokens")
		return nil, ErrServerError
	}

	defer rows.Close()

	if err := rows.Err(); err != nil {
		log.Error(err, "Couldn't list tokens")
		return nil, ErrServerError
	}

	for rows.Next() {
		var t TokenData

		err := rows.Scan(
			&t.UUID,
			&t.Name,
			&t.GeneratedAt,
			&t.ExpiresAt,
		)
		if err != nil {
			return nil, err
		}

		result = append(result, t)
	}

	return result, nil
}

// Lis all available permissions
func (ctrl *TokenController) ListPermissions(ctx context.Context) (result map[string][]string) {
	result = map[string][]string{}
	for key, val := range ctrl.ServiceInfo {
		if shouldSkip(key, ctrl.rules) {
			continue
		}
		var services []string
		for _, svc := range val.Methods {
			services = append(services, svc.Name)
		}
		result[key] = services
	}
	return
}

type rule struct {
	re *regexp.Regexp
}

func shouldSkip(s string, rules []rule) bool {
	for _, r := range rules {
		if r.re.MatchString(s) {
			return true
		}
	}
	return false
}