stufflog
/
server
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
stufflog graphql server
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10 Commits
1 Branch
0 Tags
280 KiB
Tree: a4c019e67b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'a4c019e67b'
${ noResults }
server/services/auth.go

317 lines
8.0 KiB
Raw Normal View History

> be fist commit
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
add logging.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
> be fist commit
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
add logging.
4 years ago
  1. package services
  3. import (
  4. "context"
  5. "errors"
  6. "git.aiterp.net/stufflog/server/database/repositories"
  7. "git.aiterp.net/stufflog/server/internal/generate"
  8. "git.aiterp.net/stufflog/server/internal/slerrors"
  9. "git.aiterp.net/stufflog/server/models"
  10. "github.com/gin-gonic/gin"
  11. "math/rand"
  12. "time"
  13. )
  15. var ErrLoginFailed = errors.New("login failed")
  16. var ErrInternalLoginFailure = errors.New("login failed due to internal error")
  17. var ErrInternalPermissionFailure = errors.New("permission check failed due to internal error")
  18. var ErrWrongCurrentPassword = errors.New("current password is missing")
  19. var ErrMissingCurrentPassword = errors.New("current password is missing")
  21. var authCookieName = "stufflog_cookie"
  22. var authCtxKey = "stufflog.auth"
  23. var ginCtxKey = "stufflog.gin"
  25. type Auth struct {
  26. users repositories.UserRepository
  27. session repositories.SessionRepository
  28. projects repositories.ProjectRepository
  29. issues repositories.IssueRepository
  30. }
  32. func (auth *Auth) Login(ctx context.Context, username, password string) (*models.User, error) {
  33. user, err := auth.users.Find(ctx, username)
  34. if err != nil {
  35. select {
  36. case <-time.After(time.Millisecond * time.Duration(rand.Int63n(100)+100)):
  37. case <-ctx.Done():
  38. }
  39. return nil, ErrLoginFailed
  40. }
  42. if !user.CheckPassword(password) {
  43. select {
  44. case <-time.After(time.Millisecond * time.Duration(rand.Int63n(50))):
  45. case <-ctx.Done():
  46. }
  47. return nil, ErrLoginFailed
  48. }
  50. session := models.Session{
  51. ID: generate.SessionID(),
  52. UserID: user.ID,
  53. ExpiryTime: time.Now().Add(time.Hour * 168),
  54. }
  55. err = auth.session.Save(ctx, session)
  56. if err != nil {
  57. return nil, ErrInternalLoginFailure
  58. }
  60. if c := ctx.Value(ginCtxKey).(*gin.Context); c != nil {
  61. c.SetCookie(authCookieName, session.ID, 3600*168, "/", "", false, true)
  62. } else {
  63. return nil, ErrInternalLoginFailure
  64. }
  66. return user, nil
  67. }
  69. func (auth *Auth) Logout(ctx context.Context) (*models.User, error) {
  70. user := auth.UserFromContext(ctx)
  71. if user == nil {
  72. return nil, slerrors.PermissionDenied
  73. }
  75. c, ok := ctx.Value(ginCtxKey).(*gin.Context)
  76. if !ok {
  77. return nil, ErrInternalLoginFailure
  78. }
  80. c.SetCookie(authCookieName, "", 0, "/", "", false, true)
  82. return user, nil
  83. }
  85. func (auth *Auth) CreateUser(ctx context.Context, username, password, name string, active, admin bool) (*models.User, error) {
  86. loggedInUser := auth.UserFromContext(ctx)
  87. if loggedInUser == nil || !loggedInUser.Admin {
  88. return nil, slerrors.PermissionDenied
  89. }
  91. user := &models.User{
  92. ID: username,
  93. Name: name,
  94. Active: active,
  95. Admin: admin,
  96. }
  97. err := user.SetPassword(password)
  98. if err != nil {
  99. return nil, err
  100. }
  102. user, err = auth.users.Insert(ctx, *user)
  103. if err != nil {
  104. return nil, err
  105. }
  107. return user, nil
  108. }
  110. func (auth *Auth) UserFromContext(ctx context.Context) *models.User {
  111. user, _ := ctx.Value(authCtxKey).(*models.User)
  112. return user
  113. }
  115. func (auth *Auth) ProjectPermission(ctx context.Context, project models.Project) (*models.ProjectPermission, error) {
  116. user := auth.UserFromContext(ctx)
  117. if user == nil || !user.Active {
  118. return nil, slerrors.PermissionDenied
  119. }
  121. permission, err := auth.projects.GetPermission(ctx, project, *user)
  122. if err != nil {
  123. return nil, ErrInternalPermissionFailure
  124. }
  125. if permission.Level == models.ProjectPermissionLevelNoAccess {
  126. return nil, slerrors.PermissionDenied
  127. }
  129. return permission, nil
  130. }
  132. func (auth *Auth) IssuePermission(ctx context.Context, issue models.Issue) (*models.ProjectPermission, error) {
  133. user := auth.UserFromContext(ctx)
  134. if user == nil || !user.Active {
  135. return nil, slerrors.PermissionDenied
  136. }
  138. isOwnedOrAssigned := issue.AssigneeID == user.ID || issue.OwnerID == user.ID
  140. permission, err := auth.projects.GetIssuePermission(ctx, issue, *user)
  141. if err != nil {
  142. return nil, ErrInternalPermissionFailure
  143. }
  144. if permission.Level == models.ProjectPermissionLevelNoAccess {
  145. return nil, slerrors.PermissionDenied
  146. }
  147. if !(permission.CanViewAnyIssue() || (permission.CanViewOwnIssue() && isOwnedOrAssigned)) {
  148. return nil, slerrors.PermissionDenied
  149. }
  151. return permission, nil
  152. }
  154. func (auth *Auth) CheckGinSession(c *gin.Context) {
  155. ctx := context.WithValue(c.Request.Context(), ginCtxKey, c)
  157. cookie, err := c.Cookie(authCookieName)
  158. if err != nil {
  159. c.Request = c.Request.WithContext(ctx)
  160. return
  161. }
  163. session, err := auth.session.Find(c.Request.Context(), cookie)
  164. if err != nil {
  165. c.Request = c.Request.WithContext(ctx)
  166. return
  167. }
  169. if time.Until(session.ExpiryTime) < time.Hour*167 {
  170. session.ExpiryTime = time.Now().Add(time.Hour * 168)
  171. _ = auth.session.Save(c.Request.Context(), *session)
  172. c.SetCookie(authCookieName, session.ID, 3600*168, "/", "", false, true)
  173. }
  175. user, err := auth.users.Find(c.Request.Context(), session.UserID)
  176. if err != nil {
  177. c.Request = c.Request.WithContext(ctx)
  178. return
  179. }
  181. ctx = context.WithValue(ctx, authCtxKey, user)
  182. c.Request = c.Request.WithContext(ctx)
  183. }
  185. func (auth *Auth) EditUser(ctx context.Context, username string, setName *string, currentPassword *string, newPassword *string) (*models.User, error) {
  186. loggedInUser := auth.UserFromContext(ctx)
  187. if loggedInUser == nil {
  188. return nil, slerrors.PermissionDenied
  189. }
  191. user, err := auth.users.Find(ctx, username)
  192. if err != nil {
  193. return nil, err
  194. }
  196. if user.ID != loggedInUser.ID && !loggedInUser.Admin {
  197. return nil, slerrors.PermissionDenied
  198. }
  200. if newPassword != nil {
  201. // Only require current password if it's given, or if the user is NOT an admin changing
  202. // another user's password
  203. if currentPassword != nil || !(loggedInUser.Admin && loggedInUser.ID != user.ID) {
  204. if currentPassword == nil {
  205. return nil, ErrMissingCurrentPassword
  206. }
  207. if !user.CheckPassword(*currentPassword) {
  208. return nil, ErrWrongCurrentPassword
  209. }
  210. }
  212. err = user.SetPassword(*newPassword)
  213. if err != nil {
  214. return nil, err
  215. }
  216. }
  218. if setName != nil && *setName != "" {
  219. user.Name = *setName
  220. }
  222. err = auth.users.Save(ctx, *user)
  223. if err != nil {
  224. return nil, err
  225. }
  227. return user, nil
  228. }
  230. func (auth *Auth) FilterLogList(ctx context.Context, logs *[]*models.Log) {
  231. user := auth.UserFromContext(ctx)
  232. if user == nil {
  233. panic("Auth.FilterLogList called without user")
  234. }
  236. auth.FilterLog(ctx, *logs...)
  237. deleteList := make([]int, 0, len(*logs)/2)
  238. for i, log := range *logs {
  239. if log.Empty() && log.UserID != user.ID {
  240. deleteList = append(deleteList, i-len(deleteList))
  241. }
  242. }
  244. list := *logs
  245. for _, index := range deleteList {
  246. list = append(list[:index], list[index+1:]...)
  247. }
  248. *logs = list
  249. }
  251. func (auth *Auth) FilterLog(ctx context.Context, logs ...*models.Log) {
  252. userID := ""
  253. if user := auth.UserFromContext(ctx); user != nil {
  254. userID = user.ID
  255. }
  257. accessMap := make(map[string]bool)
  258. deleteList := make([]int, 0, 16)
  259. for _, log := range logs {
  260. if userID == log.UserID {
  261. continue
  262. }
  264. deleteList = deleteList[:0]
  265. for i, item := range log.Items {
  266. if access, ok := accessMap[item.IssueID]; ok && access {
  267. continue
  268. } else if ok && !access {
  269. deleteList = append(deleteList, i-len(deleteList))
  270. continue
  271. }
  273. issue, err := auth.issues.Find(ctx, item.IssueID)
  274. if err != nil {
  275. deleteList = append(deleteList, i-len(deleteList))
  276. accessMap[item.IssueID] = true
  277. continue
  278. }
  280. _, err = auth.IssuePermission(ctx, *issue)
  281. if err != nil {
  282. deleteList = append(deleteList, i-len(deleteList))
  283. }
  285. accessMap[issue.ID] = err != nil
  286. }
  287. for _, index := range deleteList {
  288. log.Items = append(log.Items[:index], log.Items[index+1:]...)
  289. }
  290. deleteList = deleteList[:0]
  291. for i, task := range log.Tasks {
  292. if access, ok := accessMap[task.IssueID]; ok && access {
  293. continue
  294. } else if ok && !access {
  295. deleteList = append(deleteList, i-len(deleteList))
  296. continue
  297. }
  299. issue, err := auth.issues.Find(ctx, task.IssueID)
  300. if err != nil {
  301. deleteList = append(deleteList, i-len(deleteList))
  302. accessMap[task.IssueID] = true
  303. continue
  304. }
  306. _, err = auth.IssuePermission(ctx, *issue)
  307. if err != nil {
  308. deleteList = append(deleteList, i-len(deleteList))
  309. }
  311. accessMap[issue.ID] = err != nil
  312. }
  313. for _, index := range deleteList {
  314. log.Tasks = append(log.Tasks[:index], log.Tasks[index+1:]...)
  315. }
  316. }
  317. }