stufflog
/
server
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
stufflog graphql server
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11 Commits
1 Branch
0 Tags
280 KiB
Tree: bd024a01a4
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'bd024a01a4'
${ noResults }
server/services/auth.go

329 lines
8.4 KiB
Raw Normal View History

> be fist commit
4 years ago
add logging and a lot of loaders.
4 years ago
> be fist commit
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
add logging.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
add logging and a lot of loaders.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
> be fist commit
4 years ago
add logging and a lot of loaders.
4 years ago
> be fist commit
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
add logging and a lot of loaders.
4 years ago
> be fist commit
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
Basic API works.
4 years ago
rename internal package xlerrors -> slerrors.
4 years ago
Basic API works.
4 years ago
> be fist commit
4 years ago
add logging.
4 years ago
add logging and a lot of loaders.
4 years ago
add logging.
4 years ago
add logging and a lot of loaders.
4 years ago
add logging.
4 years ago
add logging and a lot of loaders.
4 years ago
add logging.
4 years ago
  1. package services
  3. import (
  4. "context"
  5. "errors"
  6. "git.aiterp.net/stufflog/server/database/repositories"
  7. "git.aiterp.net/stufflog/server/graph/loaders"
  8. "git.aiterp.net/stufflog/server/internal/generate"
  9. "git.aiterp.net/stufflog/server/internal/slerrors"
  10. "git.aiterp.net/stufflog/server/models"
  11. "github.com/gin-gonic/gin"
  12. "math/rand"
  13. "time"
  14. )
  16. var ErrLoginFailed = errors.New("login failed")
  17. var ErrInternalLoginFailure = errors.New("login failed due to internal error")
  18. var ErrInternalPermissionFailure = errors.New("permission check failed due to internal error")
  19. var ErrWrongCurrentPassword = errors.New("current password is missing")
  20. var ErrMissingCurrentPassword = errors.New("current password is missing")
  22. var authCookieName = "stufflog_cookie"
  23. var authCtxKey = "stufflog.auth"
  24. var ginCtxKey = "stufflog.gin"
  26. type Auth struct {
  27. users repositories.UserRepository
  28. session repositories.SessionRepository
  29. projects repositories.ProjectRepository
  30. issues repositories.IssueRepository
  31. }
  33. func (auth *Auth) Login(ctx context.Context, username, password string) (*models.User, error) {
  34. user, err := auth.users.Find(ctx, username)
  35. if err != nil {
  36. select {
  37. case <-time.After(time.Millisecond * time.Duration(rand.Int63n(100)+100)):
  38. case <-ctx.Done():
  39. }
  40. return nil, ErrLoginFailed
  41. }
  43. if !user.CheckPassword(password) {
  44. select {
  45. case <-time.After(time.Millisecond * time.Duration(rand.Int63n(50))):
  46. case <-ctx.Done():
  47. }
  48. return nil, ErrLoginFailed
  49. }
  51. session := models.Session{
  52. ID: generate.SessionID(),
  53. UserID: user.ID,
  54. ExpiryTime: time.Now().Add(time.Hour * 168),
  55. }
  56. err = auth.session.Save(ctx, session)
  57. if err != nil {
  58. return nil, ErrInternalLoginFailure
  59. }
  61. if c := ctx.Value(ginCtxKey).(*gin.Context); c != nil {
  62. c.SetCookie(authCookieName, session.ID, 3600*168, "/", "", false, true)
  63. } else {
  64. return nil, ErrInternalLoginFailure
  65. }
  67. return user, nil
  68. }
  70. func (auth *Auth) Logout(ctx context.Context) (*models.User, error) {
  71. user := auth.UserFromContext(ctx)
  72. if user == nil {
  73. return nil, slerrors.PermissionDenied
  74. }
  76. c, ok := ctx.Value(ginCtxKey).(*gin.Context)
  77. if !ok {
  78. return nil, ErrInternalLoginFailure
  79. }
  81. c.SetCookie(authCookieName, "", 0, "/", "", false, true)
  83. return user, nil
  84. }
  86. func (auth *Auth) CreateUser(ctx context.Context, username, password, name string, active, admin bool) (*models.User, error) {
  87. loggedInUser := auth.UserFromContext(ctx)
  88. if loggedInUser == nil || !loggedInUser.Admin {
  89. return nil, slerrors.PermissionDenied
  90. }
  92. user := &models.User{
  93. ID: username,
  94. Name: name,
  95. Active: active,
  96. Admin: admin,
  97. }
  98. err := user.SetPassword(password)
  99. if err != nil {
  100. return nil, err
  101. }
  103. user, err = auth.users.Insert(ctx, *user)
  104. if err != nil {
  105. return nil, err
  106. }
  108. return user, nil
  109. }
  111. func (auth *Auth) UserFromContext(ctx context.Context) *models.User {
  112. user, _ := ctx.Value(authCtxKey).(*models.User)
  113. return user
  114. }
  116. func (auth *Auth) ProjectPermission(ctx context.Context, projectID string) (*models.ProjectPermission, error) {
  117. user := auth.UserFromContext(ctx)
  118. if user == nil || !user.Active {
  119. return nil, slerrors.PermissionDenied
  120. }
  122. permission, err := loaders.ProjectPermissionLoaderFromContext(ctx).Load(projectID)
  123. if err != nil {
  124. return nil, ErrInternalPermissionFailure
  125. }
  126. if permission.Level == models.ProjectPermissionLevelNoAccess {
  127. return nil, slerrors.PermissionDenied
  128. }
  130. return permission, nil
  131. }
  133. func (auth *Auth) IssuePermission(ctx context.Context, issue models.Issue) (*models.ProjectPermission, error) {
  134. user := auth.UserFromContext(ctx)
  135. if user == nil || !user.Active {
  136. return nil, slerrors.PermissionDenied
  137. }
  139. isOwnedOrAssigned := issue.AssigneeID == user.ID || issue.OwnerID == user.ID
  141. permission, err := loaders.ProjectPermissionLoaderFromContext(ctx).Load(issue.ProjectID)
  142. if err != nil {
  143. return nil, ErrInternalPermissionFailure
  144. }
  145. if permission.Level == models.ProjectPermissionLevelNoAccess {
  146. return nil, slerrors.PermissionDenied
  147. }
  148. if !(permission.CanViewAnyIssue() || (permission.CanViewOwnIssue() && isOwnedOrAssigned)) {
  149. return nil, slerrors.PermissionDenied
  150. }
  152. return permission, nil
  153. }
  155. func (auth *Auth) CheckGinSession(c *gin.Context) {
  156. ctx := context.WithValue(c.Request.Context(), ginCtxKey, c)
  158. cookie, err := c.Cookie(authCookieName)
  159. if err != nil {
  160. c.Request = c.Request.WithContext(ctx)
  161. return
  162. }
  164. session, err := auth.session.Find(c.Request.Context(), cookie)
  165. if err != nil {
  166. c.Request = c.Request.WithContext(ctx)
  167. return
  168. }
  170. if time.Until(session.ExpiryTime) < time.Hour*167 {
  171. session.ExpiryTime = time.Now().Add(time.Hour * 168)
  172. _ = auth.session.Save(c.Request.Context(), *session)
  173. c.SetCookie(authCookieName, session.ID, 3600*168, "/", "", false, true)
  174. }
  176. user, err := auth.users.Find(c.Request.Context(), session.UserID)
  177. if err != nil {
  178. c.Request = c.Request.WithContext(ctx)
  179. return
  180. }
  182. ctx = context.WithValue(ctx, authCtxKey, user)
  183. c.Request = c.Request.WithContext(ctx)
  184. }
  186. func (auth *Auth) EditUser(ctx context.Context, username string, setName *string, currentPassword *string, newPassword *string) (*models.User, error) {
  187. loggedInUser := auth.UserFromContext(ctx)
  188. if loggedInUser == nil {
  189. return nil, slerrors.PermissionDenied
  190. }
  192. user, err := auth.users.Find(ctx, username)
  193. if err != nil {
  194. return nil, err
  195. }
  197. if user.ID != loggedInUser.ID && !loggedInUser.Admin {
  198. return nil, slerrors.PermissionDenied
  199. }
  201. if newPassword != nil {
  202. // Only require current password if it's given, or if the user is NOT an admin changing
  203. // another user's password
  204. if currentPassword != nil || !(loggedInUser.Admin && loggedInUser.ID != user.ID) {
  205. if currentPassword == nil {
  206. return nil, ErrMissingCurrentPassword
  207. }
  208. if !user.CheckPassword(*currentPassword) {
  209. return nil, ErrWrongCurrentPassword
  210. }
  211. }
  213. err = user.SetPassword(*newPassword)
  214. if err != nil {
  215. return nil, err
  216. }
  217. }
  219. if setName != nil && *setName != "" {
  220. user.Name = *setName
  221. }
  223. err = auth.users.Save(ctx, *user)
  224. if err != nil {
  225. return nil, err
  226. }
  228. return user, nil
  229. }
  231. func (auth *Auth) FilterLogListCopy(ctx context.Context, logs []*models.Log) []*models.Log {
  232. logs2 := make([]*models.Log, 0, len(logs))
  233. for _, log := range logs {
  234. logs2 = append(logs2, log.Copy())
  235. }
  237. auth.FilterLogList(ctx, &logs2)
  239. return logs2
  240. }
  242. func (auth *Auth) FilterLogList(ctx context.Context, logs *[]*models.Log) {
  243. user := auth.UserFromContext(ctx)
  244. if user == nil {
  245. panic("Auth.FilterLogList called without user")
  246. }
  248. auth.FilterLog(ctx, *logs...)
  249. deleteList := make([]int, 0, len(*logs)/2)
  250. for i, log := range *logs {
  251. if log.Empty() && log.UserID != user.ID {
  252. deleteList = append(deleteList, i-len(deleteList))
  253. }
  254. }
  256. list := *logs
  257. for _, index := range deleteList {
  258. list = append(list[:index], list[index+1:]...)
  259. }
  260. *logs = list
  261. }
  263. func (auth *Auth) FilterLog(ctx context.Context, logs ...*models.Log) {
  264. userID := ""
  265. if user := auth.UserFromContext(ctx); user != nil {
  266. userID = user.ID
  267. }
  269. accessMap := make(map[string]bool)
  270. deleteList := make([]int, 0, 16)
  271. for _, log := range logs {
  272. if userID == log.UserID {
  273. continue
  274. }
  276. deleteList = deleteList[:0]
  277. for i, item := range log.Items {
  278. if access, ok := accessMap[item.IssueID]; ok && access {
  279. continue
  280. } else if ok && !access {
  281. deleteList = append(deleteList, i-len(deleteList))
  282. continue
  283. }
  285. issue, err := loaders.IssueLoaderFromContext(ctx).Load(item.IssueID)
  286. if err != nil {
  287. deleteList = append(deleteList, i-len(deleteList))
  288. accessMap[item.IssueID] = true
  289. continue
  290. }
  292. _, err = auth.IssuePermission(ctx, *issue)
  293. if err != nil {
  294. deleteList = append(deleteList, i-len(deleteList))
  295. }
  297. accessMap[issue.ID] = err != nil
  298. }
  299. for _, index := range deleteList {
  300. log.Items = append(log.Items[:index], log.Items[index+1:]...)
  301. }
  302. deleteList = deleteList[:0]
  303. for i, task := range log.Tasks {
  304. if access, ok := accessMap[task.IssueID]; ok && access {
  305. continue
  306. } else if ok && !access {
  307. deleteList = append(deleteList, i-len(deleteList))
  308. continue
  309. }
  311. issue, err := loaders.IssueLoaderFromContext(ctx).Load(task.IssueID)
  312. if err != nil {
  313. deleteList = append(deleteList, i-len(deleteList))
  314. accessMap[task.IssueID] = true
  315. continue
  316. }
  318. _, err = auth.IssuePermission(ctx, *issue)
  319. if err != nil {
  320. deleteList = append(deleteList, i-len(deleteList))
  321. }
  323. accessMap[issue.ID] = err != nil
  324. }
  325. for _, index := range deleteList {
  326. log.Tasks = append(log.Tasks[:index], log.Tasks[index+1:]...)
  327. }
  328. }
  329. }