Protected POST /account and fixed with JWT stuff in general

2021-01-03 18:21:42 +01:00
parent bb7e525adc
commit a36ec47324
13 changed files with 352 additions and 40 deletions
--- a/src/db/accounts.go
+++ b/src/db/accounts.go
@@ -6,16 +6,17 @@ import (

 	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
+	"gitlab.larvit.se/power-plan/auth/src/utils"
 )

 // AccountCreate writes a user to database
 func (d Db) AccountCreate(input AccountCreateInput) (CreatedAccount, error) {
-	accountSQL := "INSERT INTO accounts (id, \"accountName\", \"apiKey\", password) VALUES($1,$2,$3,$4);"
+	accountSQL := "INSERT INTO accounts (id, name, \"apiKey\", password) VALUES($1,$2,$3,$4);"

-	_, err := d.DbPool.Exec(context.Background(), accountSQL, input.ID, input.AccountName, input.APIKey, input.Password)
+	_, err := d.DbPool.Exec(context.Background(), accountSQL, input.ID, input.Name, input.APIKey, input.Password)
 	if err != nil {
 		if strings.HasPrefix(err.Error(), "ERROR: duplicate key") {
-			log.WithFields(log.Fields{"accountName": input.AccountName}).Debug("Duplicate accountName in accounts database")
+			log.WithFields(log.Fields{"name": input.Name}).Debug("Duplicate name in accounts database")
 		} else {
 			log.Error("Database error when trying to add account: " + err.Error())
 		}
@@ -24,8 +25,8 @@ func (d Db) AccountCreate(input AccountCreateInput) (CreatedAccount, error) {
 	}

 	log.WithFields(log.Fields{
-		"id":          input.ID,
-		"accountName": input.AccountName,
+		"id":   input.ID,
+		"name": input.Name,
 	}).Info("Added account to database")

 	accountFieldsSQL := "INSERT INTO \"accountsFields\" (id, \"accountId\", name, value) VALUES($1,$2,$3,$4);"
@@ -50,8 +51,79 @@ func (d Db) AccountCreate(input AccountCreateInput) (CreatedAccount, error) {
 	}

 	return CreatedAccount{
-		ID:          input.ID,
-		AccountName: input.AccountName,
-		APIKey:      input.APIKey,
+		ID:     input.ID,
+		Name:   input.Name,
+		APIKey: input.APIKey,
 	}, nil
 }
+
+// AccountGet fetches an account from the database
+func (d Db) AccountGet(accountID string, APIKey string) (Account, error) {
+	logContext := log.WithFields(log.Fields{
+		"accountID": accountID,
+		"APIKey":    len(APIKey),
+	})
+
+	logContext.Debug("Trying to get account")
+
+	var account Account
+	var searchParam string
+	accountSQL := "SELECT id, created, name, \"password\" FROM accounts WHERE "
+	if accountID != "" {
+		accountSQL = accountSQL + "id = $1"
+		searchParam = accountID
+	} else if APIKey != "" {
+		accountSQL = accountSQL + "\"apiKey\" = $1"
+		searchParam = APIKey
+	}
+
+	accountErr := d.DbPool.QueryRow(context.Background(), accountSQL, searchParam).Scan(&account.ID, &account.Created, &account.Name, &account.Password)
+	if accountErr != nil {
+		if accountErr.Error() == "no rows in result set" {
+			logContext.Debug("No account found")
+			return Account{}, accountErr
+		}
+
+		logContext.Error("Database error when fetching account, err: " + accountErr.Error())
+		return Account{}, accountErr
+	}
+
+	fieldsSQL := "SELECT name, value FROM \"accountsFields\" WHERE \"accountId\" = $1"
+	rows, fieldsErr := d.DbPool.Query(context.Background(), fieldsSQL, account.ID)
+	if fieldsErr != nil {
+		logContext.Error("Database error when fetching account fields, err: " + accountErr.Error())
+		return Account{}, fieldsErr
+	}
+
+	account.Fields = make(map[string][]string)
+	for rows.Next() {
+		var name string
+		var value []string
+		err := rows.Scan(&name, &value)
+		if err != nil {
+			logContext.Error("Could not get name or value from database row, err: " + err.Error())
+			return Account{}, err
+		}
+		account.Fields[name] = value
+	}
+
+	return account, nil
+}
+
+// RenewalTokenGet obtain a new renewal token
+func (d Db) RenewalTokenGet(accountID string) (string, error) {
+	logContext := log.WithFields(log.Fields{"accountID": accountID})
+
+	logContext.Debug("Createing new renewal token")
+
+	newToken := utils.RandString(60)
+
+	insertSQL := "INSERT INTO \"renewalTokens\" (\"accountId\",token) VALUES($1,$2);"
+	_, insertErr := d.DbPool.Exec(context.Background(), insertSQL, accountID, newToken)
+	if insertErr != nil {
+		logContext.Error("Could not insert into database table \"renewalTokens\", err: " + insertErr.Error())
+		return "", insertErr
+	}
+
+	return newToken, nil
+}
--- a/src/db/types.go
+++ b/src/db/types.go
@@ -1,15 +1,26 @@
 package db

 import (
+	"time"
+
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v4/pgxpool"
 )

+// Account is an account as represented in the database
+type Account struct {
+	ID       uuid.UUID           `json:"id"`
+	Created  time.Time           `json:"created"`
+	Fields   map[string][]string `json:"fields"`
+	Name     string              `json:"name"`
+	Password string              `json:"-"`
+}
+
 // CreatedAccount is a newly created account in the system
 type CreatedAccount struct {
-	ID          uuid.UUID `json:"id"`
-	AccountName string    `json:"accountName"`
-	APIKey      string    `json:"apiKey"`
+	ID     uuid.UUID `json:"id"`
+	Name   string    `json:"name"`
+	APIKey string    `json:"apiKey"`
 }

 // AccountCreateInputFields yes
@@ -20,11 +31,11 @@ type AccountCreateInputFields struct {

 // AccountCreateInput is used as input struct for database creation of account
 type AccountCreateInput struct {
-	ID          uuid.UUID
-	AccountName string
-	APIKey      string
-	Fields      []AccountCreateInputFields
-	Password    string
+	ID       uuid.UUID
+	Name     string
+	APIKey   string
+	Fields   []AccountCreateInputFields
+	Password string
 }

 // Db struct
--- a/src/handlers/helpers.go
+++ b/src/handlers/helpers.go
@@ -0,0 +1,115 @@
+package handlers
+
+import (
+	"errors"
+	"strings"
+	"time"
+
+	jwt "github.com/dgrijalva/jwt-go"
+	"github.com/gofiber/fiber/v2"
+	log "github.com/sirupsen/logrus"
+	"gitlab.larvit.se/power-plan/auth/src/db"
+)
+
+func (h Handlers) returnTokens(account db.Account, c *fiber.Ctx) error {
+	expirationTime := time.Now().Add(15 * time.Minute)
+
+	claims := &Claims{
+		AccountID:     account.ID.String(),
+		AccountName:   account.Name,
+		AccountFields: account.Fields,
+		StandardClaims: jwt.StandardClaims{
+			ExpiresAt: expirationTime.Unix(),
+		},
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	tokenString, err := token.SignedString(h.JwtKey)
+	if err != nil {
+		log.Error("Could not create token string, err: " + err.Error())
+		return c.Status(500).JSON([]ResJSONError{{Error: "Could not create JWT token string"}})
+	}
+
+	renewalToken, renewalTokenErr := h.Db.RenewalTokenGet(account.ID.String())
+	if renewalTokenErr != nil {
+		log.Error("Could not create renewal token, err: " + renewalTokenErr.Error())
+		return c.Status(500).JSON([]ResJSONError{{Error: "Could not create renewal token"}})
+	}
+
+	return c.Status(200).JSON(ResToken{
+		JWT:          tokenString,
+		RenewalToken: renewalToken,
+	})
+}
+
+func (h Handlers) parseJWT(JWT string) (Claims, error) {
+	logContext := log.WithFields(log.Fields{"JWT": JWT})
+	logContext.Trace("Parsing JWT")
+
+	JWT = strings.TrimPrefix(JWT, "bearer ") // Since the Authorization header should always start with "bearer "
+	logContext.WithFields(log.Fields{"TrimmedJWT": JWT}).Trace("JWT trimmed")
+
+	claims := &Claims{}
+
+	token, err := jwt.ParseWithClaims(JWT, claims, func(token *jwt.Token) (interface{}, error) {
+		return h.JwtKey, nil
+	})
+	if err != nil {
+		return Claims{}, err
+	}
+	if !token.Valid {
+		err := errors.New("Invalid token")
+		return Claims{}, err
+	}
+
+	return *claims, nil
+}
+
+func (h Handlers) parseHeaders(c *fiber.Ctx) map[string]string {
+	headersMap := make(map[string]string)
+
+	headersString := c.Request().Header.String()
+	headersLines := strings.Split(headersString, "\r\n")
+
+	for _, line := range headersLines {
+		lineParts := strings.Split(line, ": ")
+
+		if len(lineParts) == 1 {
+			log.WithFields(log.Fields{"line": line}).Trace("Ignoring header line")
+		} else {
+			headersMap[lineParts[0]] = lineParts[1]
+		}
+	}
+
+	return headersMap
+}
+
+// RequireAdminRole returns nil if no error is found
+func (h Handlers) RequireAdminRole(c *fiber.Ctx) error {
+	headers := h.parseHeaders(c)
+
+	if headers["Authorization"] == "" {
+		return errors.New("Authorization header is missing")
+	}
+
+	claims, claimsErr := h.parseJWT(headers["Authorization"])
+	if claimsErr != nil {
+		return claimsErr
+	}
+
+	if claims.AccountFields == nil {
+		return errors.New("Account have no fields at all")
+	}
+
+	if claims.AccountFields["role"] == nil {
+		return errors.New("Account have no field named \"role\"")
+	}
+
+	for _, role := range claims.AccountFields["role"] {
+		if role == "admin" {
+			return nil
+		}
+	}
+
+	return errors.New("No \"admin\" role found on account")
+}
--- a/src/handlers/middlewares.go
+++ b/src/handlers/middlewares.go
@@ -5,6 +5,17 @@ import (
 	log "github.com/sirupsen/logrus"
 )

+// Log all requests
+func (h Handlers) Log(c *fiber.Ctx) error {
+	log.WithFields(log.Fields{
+		"method": c.Method(),
+		"url":    c.OriginalURL(),
+	}).Debug("http request")
+
+	c.Next()
+	return nil
+}
+
 // RequireJSON is a middleware that makes sure the request content-type always is application/json (or nothing, defaulting to application/json)
 func (h Handlers) RequireJSON(c *fiber.Ctx) error {
 	c.Accepts("application/json")
--- a/src/handlers/post.go
+++ b/src/handlers/post.go
@@ -13,10 +13,15 @@ import (

 // AccountCreate creates a new account
 func (h Handlers) AccountCreate(c *fiber.Ctx) error {
+	authErr := h.RequireAdminRole(c)
+	if authErr != nil {
+		return c.Status(403).JSON([]ResJSONError{{Error: authErr.Error()}})
+	}
+
 	type AccountInput struct {
-		AccountName string                        `json:"accountName"`
-		Password    string                        `json:"password"`
-		Fields      []db.AccountCreateInputFields `json:"fields"`
+		Name     string                        `json:"name"`
+		Password string                        `json:"password"`
+		Fields   []db.AccountCreateInputFields `json:"fields"`
 	}

 	accountInput := new(AccountInput)
@@ -29,8 +34,8 @@ func (h Handlers) AccountCreate(c *fiber.Ctx) error {

 	var errors []ResJSONError

-	if accountInput.AccountName == "" {
-		errors = append(errors, ResJSONError{Error: "Can not be empty", Field: "accountName"})
+	if accountInput.Name == "" {
+		errors = append(errors, ResJSONError{Error: "Can not be empty", Field: "name"})
 	}

 	if len(errors) != 0 {
@@ -47,14 +52,12 @@ func (h Handlers) AccountCreate(c *fiber.Ctx) error {
 		log.Fatal("Could not hash password, err: " + pwdErr.Error())
 	}

-	apiKey := utils.RandString(60)
-
 	createdAccount, err := h.Db.AccountCreate(db.AccountCreateInput{
-		ID:          newAccountID,
-		AccountName: accountInput.AccountName,
-		APIKey:      apiKey,
-		Fields:      accountInput.Fields,
-		Password:    hashedPwd,
+		ID:       newAccountID,
+		Name:     accountInput.Name,
+		APIKey:   utils.RandString(60),
+		Fields:   accountInput.Fields,
+		Password: hashedPwd,
 	})

 	if err != nil {
@@ -69,5 +72,17 @@ func (h Handlers) AccountCreate(c *fiber.Ctx) error {

 // AccountAuthAPIKey auths an APIKey
 func (h Handlers) AccountAuthAPIKey(c *fiber.Ctx) error {
-	return c.Status(200).JSON("key höhö")
+	inputAPIKey := string(c.Request().Body())
+	inputAPIKey = inputAPIKey[1 : len(inputAPIKey)-1]
+
+	resolvedAccount, accountErr := h.Db.AccountGet("", inputAPIKey)
+	if accountErr != nil {
+		if accountErr.Error() == "no rows in result set" {
+			return c.Status(403).JSON([]ResJSONError{{Error: "Invalid credentials"}})
+		}
+		log.Error("Something went wrong when trying to fetch account")
+		return c.Status(500).JSON([]ResJSONError{{Error: "Something went wrong when trying to fetch account"}})
+	}
+
+	return h.returnTokens(resolvedAccount, c)
 }
--- a/src/handlers/types.go
+++ b/src/handlers/types.go
@@ -1,12 +1,22 @@
 package handlers

 import (
+	jwt "github.com/dgrijalva/jwt-go"
 	"gitlab.larvit.se/power-plan/auth/src/db"
 )

+// Claims is the JWT struct
+type Claims struct {
+	AccountID     string              `json:"accountId"`
+	AccountFields map[string][]string `json:"accountFields"`
+	AccountName   string              `json:"accountName"`
+	jwt.StandardClaims
+}
+
 // Handlers is the overall struct for all http request handlers
 type Handlers struct {
-	Db db.Db
+	Db     db.Db
+	JwtKey []byte
 }

 // ResJSONError is an error field that is used in JSON error responses
@@ -14,3 +24,9 @@ type ResJSONError struct {
 	Error string `json:"error"`
 	Field string `json:"field,omitempty"`
 }
+
+// ResToken is a response used to return a valid token and valid renewalToken
+type ResToken struct {
+	JWT          string `json:"jwt"`
+	RenewalToken string `json:"renewalToken"`
+}
--- a/src/main.go
+++ b/src/main.go
@@ -20,10 +20,11 @@ func createAdminAccount(Db db.Db) {
 		log.Fatal("Could not create new Uuid, err: " + uuidErr.Error())
 	}
 	_, adminAccountErr := Db.AccountCreate(db.AccountCreateInput{
-		ID:          adminAccountID,
-		AccountName: "admin",
-		APIKey:      os.Getenv("ADMIN_API_KEY"),
-		Password:    "",
+		ID:       adminAccountID,
+		Name:     "admin",
+		APIKey:   os.Getenv("ADMIN_API_KEY"),
+		Password: "",
+		Fields:   []db.AccountCreateInputFields{{Name: "role", Values: []string{"admin"}}},
 	})
 	if adminAccountErr != nil && strings.HasPrefix(adminAccountErr.Error(), "ERROR: duplicate key") {
 		log.Info("Admin account already created, nothing written to database")
@@ -42,6 +43,14 @@ func main() {
 	// log.SetReportCaller(true)
 	log.SetLevel(log.DebugLevel)

+	if os.Getenv("JWT_SHARED_SECRET") == "changeMe" {
+		log.Fatal("You must change JWT_SHARED_SECRET in .env")
+	}
+	if os.Getenv("ADMIN_API_KEY") == "changeMe" {
+		log.Fatal("You must change ADMIN_API_KEY in .env")
+	}
+	jwtKey := []byte(os.Getenv("JWT_SHARED_SECRET"))
+
 	dbPool, err := pgxpool.Connect(context.Background(), os.Getenv("DATABASE_URL"))
 	if err != nil {
 		log.Fatal("Failed to open DB connection: ", err)
@@ -53,10 +62,13 @@ func main() {
 	app := fiber.New()

 	Db := db.Db{DbPool: dbPool}
-	handlers := h.Handlers{Db: Db}
+	handlers := h.Handlers{Db: Db, JwtKey: jwtKey}

 	createAdminAccount(Db)

+	// Log all requests
+	app.Use(handlers.Log)
+
 	// Always require application/json
 	app.Use(handlers.RequireJSON)