package auth import ( "crypto/rand" "encoding/binary" "errors" "strconv" "git.aiterp.net/rpdata/api/internal/store" "github.com/globalsign/mgo" ) var keyCollection *mgo.Collection // A Key contains a JWT secret and the limitations of it. There are two types of // keys, single-user keys and wildcard keys. The former is used to authenticate // a single user (e.g. the logbot) through an API while the latter is only for // services that can be trusted to perform its own authentication (a frontend). type Key struct { ID string `bson:"_id"` Name string `bson:"name"` User string `bson:"user"` Secret string `bson:"secret"` } // ValidForUser returns true if the key's user is the same as // the user, or it's a wildcard key. func (key *Key) ValidForUser(user string) bool { return key.User == user || key.User == "*" } // FindKey finds a key by kid (key ID) func FindKey(kid string) (Key, error) { key := Key{} err := keyCollection.FindId(kid).One(&key) return key, err } // NewKey generates a new key for the user and name. This // does not allow generating wildcard keys, they have to be // manually inserted into the DB. func NewKey(name, user string) (*Key, error) { if user == "*" { return nil, errors.New("auth: wildcard keys not allowed") } secret, err := makeKeySecret() if err != nil { return nil, err } key := &Key{ ID: makeKeyID(), Name: name, User: user, Secret: secret, } if err := keyCollection.Insert(key); err != nil { return nil, err } return key, nil } func init() { store.HandleInit(func(db *mgo.Database) { keyCollection = db.C("auth.keys") keyCollection.EnsureIndexKey("user") }) } // makeKeyID makes a random story ID that's 16 characters long func makeKeyID() string { result := "K" offset := 0 data := make([]byte, 32) rand.Read(data) for len(result) < 16 { result += strconv.FormatUint(binary.LittleEndian.Uint64(data[offset:]), 36) offset += 8 if offset >= 32 { rand.Read(data) offset = 0 } } return result[:16] } func makeKeySecret() (string, error) { data := make([]byte, 64) alphabet := "0123456789abcdefghjiklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSUTVWXYZ-_" _, err := rand.Read(data) if err != nil { return "", err } for i := range data { data[i] = alphabet[data[i]%64] } return string(data), nil }