trev/trevstack
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Releases 9 Activity

feat: next

Browse Source
This commit is contained in:
trev
2025-05-12 11:30:33 -04:00
parent cdeaa13d92
commit 07cec78aa5
36 changed files with 1553 additions and 327 deletions
Download Patch File Download Diff File Expand all files Collapse all files

283
server/internal/handlers/user/v1/auth.go
View File

@ -3,15 +3,20 @@ package user
import (
"context"
"database/sql"
"encoding/json"
"errors"
"net/http"
"strconv"
"sync"
"time"
_ "crypto/sha256" // Crypto
"connectrpc.com/connect"
"connectrpc.com/validate"
"github.com/go-webauthn/webauthn/protocol"
"github.com/go-webauthn/webauthn/webauthn"
"github.com/golang-jwt/jwt/v5"
"github.com/google/uuid"
"github.com/spotdemo4/trevstack/server/internal/auth"
userv1 "github.com/spotdemo4/trevstack/server/internal/connect/user/v1"
"github.com/spotdemo4/trevstack/server/internal/connect/user/v1/userv1connect"
"github.com/spotdemo4/trevstack/server/internal/interceptors"
@ -20,8 +25,13 @@ import (
)
type AuthHandler struct {
db *sqlc.Queries
key []byte
db *sqlc.Queries
webAuthn *webauthn.WebAuthn
key []byte
name string
sessions *map[string]*webauthn.SessionData
mu sync.Mutex
}
func (h *AuthHandler) Login(ctx context.Context, req *connect.Request[userv1.LoginRequest]) (*connect.Response[userv1.LoginResponse], error) {
@ -40,37 +50,18 @@ func (h *AuthHandler) Login(ctx context.Context, req *connect.Request[userv1.Log
return nil, connect.NewError(connect.CodePermissionDenied, errors.New("invalid username or password"))
}
// Generate JWT
t := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.RegisteredClaims{
Issuer: "trevstack",
Subject: strconv.FormatInt(user.ID, 10),
IssuedAt: &jwt.NumericDate{
Time: time.Now(),
},
ExpiresAt: &jwt.NumericDate{
Time: time.Now().Add(time.Hour * 24),
},
})
ss, err := t.SignedString(h.key)
// Create JWT
token, cookie, err := h.createJWT(user.ID)
if err != nil {
return nil, connect.NewError(connect.CodeInternal, err)
}
// Create cookie
cookie := http.Cookie{
Name: "token",
Value: ss,
Path: "/",
MaxAge: 86400,
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteStrictMode,
}
// Create response
res := connect.NewResponse(&userv1.LoginResponse{
Token: ss,
Token: token,
})
res.Header().Set("Set-Cookie", cookie.String())
return res, nil
}
@ -82,7 +73,7 @@ func (h *AuthHandler) SignUp(ctx context.Context, req *connect.Request[userv1.Si
return nil, connect.NewError(connect.CodeInternal, err)
}
} else {
return nil, connect.NewError(connect.CodeAlreadyExists, err)
return nil, connect.NewError(connect.CodeAlreadyExists, errors.New("user already exists"))
}
// Check if confirmation passwords match
@ -98,8 +89,9 @@ func (h *AuthHandler) SignUp(ctx context.Context, req *connect.Request[userv1.Si
// Create user
_, err = h.db.InsertUser(ctx, sqlc.InsertUserParams{
Username: req.Msg.Username,
Password: string(hash),
Username: req.Msg.Username,
Password: string(hash),
WebauthnID: uuid.New().String(),
})
if err != nil {
return nil, connect.NewError(connect.CodeInternal, err)
@ -123,104 +115,173 @@ func (h *AuthHandler) Logout(_ context.Context, _ *connect.Request[userv1.Logout
res := connect.NewResponse(&userv1.LogoutResponse{})
res.Header().Set("Set-Cookie", cookie.String())
return res, nil
}
// func (h *AuthHandler) GetPasskeyIDs(_ context.Context, req *connect.Request[userv1.GetPasskeyIDsRequest]) (*connect.Response[userv1.GetPasskeyIDsResponse], error) {
// // Get user
// user := models.User{}
// if err := h.db.Preload("Passkeys").First(&user, "username = ?", req.Msg.Username).Error; err != nil {
// return nil, connect.NewError(connect.CodeNotFound, err)
// }
func (h *AuthHandler) BeginPasskeyLogin(ctx context.Context, req *connect.Request[userv1.BeginPasskeyLoginRequest]) (*connect.Response[userv1.BeginPasskeyLoginResponse], error) {
// Get user
pUser, _, err := h.getPasskeyUser(ctx, req.Msg.Username)
if err != nil {
return nil, connect.NewError(connect.CodeUnauthenticated, err)
}
// // Get IDs
// ids := []string{}
// for _, passkey := range user.Passkeys {
// ids = append(ids, passkey.ID)
// }
// Get options for user
options, session, err := h.webAuthn.BeginLogin(pUser)
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, err)
}
// return connect.NewResponse(&userv1.GetPasskeyIDsResponse{
// PasskeyIds: ids,
// }), nil
// }
// Turn the options into json
optionsJSON, err := json.Marshal(options)
if err != nil {
return nil, connect.NewError(connect.CodeInternal, err)
}
// func (h *AuthHandler) PasskeyLogin(_ context.Context, req *connect.Request[userv1.PasskeyLoginRequest]) (*connect.Response[userv1.PasskeyLoginResponse], error) {
// // Get passkey
// passkey := models.Passkey{}
// if err := h.db.First(&passkey, "id = ?", req.Msg.Id).Error; err != nil {
// return nil, connect.NewError(connect.CodeNotFound, err)
// }
// Set session for validation later
h.setSession(req.Msg.Username, session)
// // create a verifier from a trusted private key
// var verifier cose.Verifier
// var err error
// switch req.Msg.Algorithm {
// case -7:
// verifier, err = cose.NewVerifier(cose.AlgorithmES256, passkey.PublicKey)
return connect.NewResponse(&userv1.BeginPasskeyLoginResponse{
OptionsJson: string(optionsJSON),
}), nil
}
// case -257:
// verifier, err = cose.NewVerifier(cose.AlgorithmRS256, passkey.PublicKey)
func (h *AuthHandler) FinishPasskeyLogin(ctx context.Context, req *connect.Request[userv1.FinishPasskeyLoginRequest]) (*connect.Response[userv1.FinishPasskeyLoginResponse], error) {
// Get user
pUser, userID, err := h.getPasskeyUser(ctx, req.Msg.Username)
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, err)
}
// default:
// return nil, connect.NewError(connect.CodeInternal, errors.New("decode algorithm not implemented"))
// }
// if err != nil {
// return nil, connect.NewError(connect.CodeInternal, err)
// }
// Get the session data previously set
session, err := h.getSession(req.Msg.Username)
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, err)
}
// // create a sign message from a raw signature payload
// var msg cose.Sign1Message
// if err = msg.UnmarshalCBOR(req.Msg.Signature); err != nil {
// return nil, connect.NewError(connect.CodeInternal, err)
// }
// Parse the attestation response
parsedResponse, err := protocol.ParseCredentialRequestResponseBytes([]byte(req.Msg.Attestation))
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, err)
}
// // Validate passkey
// err = msg.Verify(nil, verifier)
// if err != nil {
// return nil, connect.NewError(connect.CodeUnauthenticated, err)
// }
// Validate the login
credential, err := h.webAuthn.ValidateLogin(pUser, *session, parsedResponse)
if err != nil {
return nil, connect.NewError(connect.CodeUnauthenticated, err)
}
// // Generate JWT
// t := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.RegisteredClaims{
// Issuer: "trevstack",
// Subject: strconv.FormatUint(uint64(passkey.UserID), 10),
// IssuedAt: &jwt.NumericDate{
// Time: time.Now(),
// },
// ExpiresAt: &jwt.NumericDate{
// Time: time.Now().Add(time.Hour * 24),
// },
// })
// ss, err := t.SignedString(h.key)
// if err != nil {
// return nil, connect.NewError(connect.CodeInternal, err)
// }
// Update the credential in the database
lastUsed := time.Now()
signCount := int64(credential.Authenticator.SignCount)
err = h.db.UpdateCredential(ctx, sqlc.UpdateCredentialParams{
// set
LastUsed: &lastUsed,
SignCount: &signCount,
// // Create cookie
// cookie := http.Cookie{
// Name: "token",
// Value: ss,
// Path: "/",
// MaxAge: 86400,
// HttpOnly: true,
// Secure: true,
// SameSite: http.SameSiteStrictMode,
// }
// where
ID: string(credential.ID),
UserID: userID,
})
if err != nil {
return nil, connect.NewError(connect.CodeInternal, err)
}
// res := connect.NewResponse(&userv1.PasskeyLoginResponse{
// Token: ss,
// })
// res.Header().Set("Set-Cookie", cookie.String())
// return res, nil
// }
// Create JWT
token, cookie, err := h.createJWT(userID)
if err != nil {
return nil, connect.NewError(connect.CodeInternal, err)
}
func NewAuthHandler(db *sqlc.Queries, key string) (string, http.Handler) {
interceptors := connect.WithInterceptors(interceptors.NewRateLimitInterceptor(key))
// Create response
resp := connect.NewResponse(&userv1.FinishPasskeyLoginResponse{
Token: token,
})
resp.Header().Set("Set-Cookie", cookie.String())
return resp, nil
}
func (h *AuthHandler) getPasskeyUser(ctx context.Context, username string) (*auth.User, int64, error) {
user, err := h.db.GetUserbyUsername(ctx, username)
if err != nil {
return nil, 0, err
}
creds, err := h.db.GetCredentials(ctx, user.ID)
if err != nil {
return nil, 0, err
}
webCreds := auth.NewCreds(creds)
webUser := auth.NewUser(user.WebauthnID, user.Username, webCreds)
return &webUser, user.ID, nil
}
func (h *AuthHandler) getSession(username string) (*webauthn.SessionData, error) {
h.mu.Lock()
defer h.mu.Unlock()
session, ok := (*h.sessions)[username]
if !ok {
return nil, errors.New("session does not exist")
}
delete(*h.sessions, username)
return session, nil
}
func (h *AuthHandler) setSession(username string, data *webauthn.SessionData) {
h.mu.Lock()
defer h.mu.Unlock()
(*h.sessions)[username] = data
}
func (h *AuthHandler) createJWT(userid int64) (string, *http.Cookie, error) {
token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.RegisteredClaims{
Issuer: h.name,
Subject: strconv.Itoa(int(userid)),
IssuedAt: &jwt.NumericDate{
Time: time.Now(),
},
ExpiresAt: &jwt.NumericDate{
Time: time.Now().Add(time.Hour * 24),
},
})
tokenString, err := token.SignedString(h.key)
if err != nil {
return "", nil, err
}
cookie := http.Cookie{
Name: "token",
Value: tokenString,
Path: "/",
MaxAge: 86400,
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteStrictMode,
}
return tokenString, &cookie, nil
}
func NewAuthHandler(vi *validate.Interceptor, db *sqlc.Queries, webauth *webauthn.WebAuthn, name string, key string) (string, http.Handler) {
interceptors := connect.WithInterceptors(vi, interceptors.NewRateLimitInterceptor(key))
sd := map[string]*webauthn.SessionData{}
return userv1connect.NewAuthServiceHandler(
&AuthHandler{
db: db,
key: []byte(key),
db: db,
webAuthn: webauth,
name: name,
key: []byte(key),
sessions: &sd,
mu: sync.Mutex{},
},
interceptors,
)

194
server/internal/handlers/user/v1/user.go
View File

@ -3,13 +3,19 @@ package user
import (
"context"
"database/sql"
"encoding/json"
"errors"
"net/http"
"strconv"
"sync"
"time"
"connectrpc.com/connect"
"connectrpc.com/validate"
"github.com/go-webauthn/webauthn/protocol"
"github.com/go-webauthn/webauthn/webauthn"
"github.com/golang-jwt/jwt/v5"
"github.com/spotdemo4/trevstack/server/internal/auth"
userv1 "github.com/spotdemo4/trevstack/server/internal/connect/user/v1"
"github.com/spotdemo4/trevstack/server/internal/connect/user/v1/userv1connect"
"github.com/spotdemo4/trevstack/server/internal/interceptors"
@ -27,8 +33,12 @@ func userToConnect(item sqlc.User) *userv1.User {
}
type Handler struct {
db *sqlc.Queries
key []byte
db *sqlc.Queries
webAuthn *webauthn.WebAuthn
key []byte
sessions *map[int64]*webauthn.SessionData
mu sync.Mutex
}
func (h *Handler) GetUser(ctx context.Context, _ *connect.Request[userv1.GetUserRequest]) (*connect.Response[userv1.GetUserResponse], error) {
@ -200,75 +210,149 @@ func (h *Handler) UpdateProfilePicture(ctx context.Context, req *connect.Request
return res, nil
}
// func (h *Handler) BeginPasskeyRegistration(ctx context.Context, req *connect.Request[userv1.BeginPasskeyRegistrationRequest]) (*connect.Response[userv1.BeginPasskeyRegistrationResponse], error) {
// // Get user ID from context
// userid, ok := interceptors.GetUserContext(ctx)
// if !ok {
// return nil, connect.NewError(connect.CodeUnauthenticated, errors.New("user not authenticated"))
// }
func (h *Handler) BeginPasskeyRegistration(ctx context.Context, _ *connect.Request[userv1.BeginPasskeyRegistrationRequest]) (*connect.Response[userv1.BeginPasskeyRegistrationResponse], error) {
userid, ok := interceptors.GetUserContext(ctx)
if !ok {
return nil, connect.NewError(connect.CodeUnauthenticated, errors.New("unauthenticated"))
}
// // Get user
// user := models.User{}
// if err := h.db.First(&user, "id = ?", userid).Error; err != nil {
// return nil, connect.NewError(connect.CodeInternal, err)
// }
// Get user
pUser, err := h.getPasskeyUser(ctx, userid)
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, err)
}
// return connect.NewResponse(&userv1.BeginPasskeyRegistrationResponse{}), nil
// }
// Get options for user
options, session, err := h.webAuthn.BeginRegistration(pUser)
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, err)
}
// func (h *Handler) FinishPasskeyRegistration(ctx context.Context, req *connect.Request[userv1.FinishPasskeyRegistrationRequest]) (*connect.Response[userv1.FinishPasskeyRegistrationResponse], error) {
// // Get user ID from context
// userid, ok := interceptors.GetUserContext(ctx)
// if !ok {
// return nil, connect.NewError(connect.CodeUnauthenticated, errors.New("user not authenticated"))
// }
// Turn options into json
optionsJSON, err := json.Marshal(options)
if err != nil {
return nil, connect.NewError(connect.CodeInternal, err)
}
// // Get user
// user := models.User{}
// if err := h.db.First(&user, "id = ?", userid).Error; err != nil {
// return nil, connect.NewError(connect.CodeInternal, err)
// }
// Set session for validation later
h.setSession(userid, session)
// return connect.NewResponse(&userv1.FinishPasskeyRegistrationResponse{}), nil
// }
return connect.NewResponse(&userv1.BeginPasskeyRegistrationResponse{
OptionsJson: string(optionsJSON),
}), nil
}
// func BeginRegistration(ctx context.Context) error {
// userid, ok := interceptors.GetUserContext(ctx)
// if !ok {
// return nil
// }
func (h *Handler) FinishPasskeyRegistration(ctx context.Context, req *connect.Request[userv1.FinishPasskeyRegistrationRequest]) (*connect.Response[userv1.FinishPasskeyRegistrationResponse], error) {
userid, ok := interceptors.GetUserContext(ctx)
if !ok {
return nil, connect.NewError(connect.CodeUnauthenticated, errors.New("unauthenticated"))
}
// wconfig := &webauthn.Config{
// RPDisplayName: "Go Webauthn", // Display Name for your site
// RPID: "go-webauthn.local", // Generally the FQDN for your site
// RPOrigins: []string{"https://login.go-webauthn.local"}, // The origin URLs allowed for WebAuthn requests
// }
// webAuthn, err := webauthn.New(wconfig)
// if err != nil {
// return nil
// }
// Get user
pUser, err := h.getPasskeyUser(ctx, userid)
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, err)
}
// var user webauthn.User
// user.WebAuthnCredentials()
// Get the session data previously set
session, err := h.getSession(userid)
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, err)
}
// var cred webauthn.Credential
// cred.Verify()
// Parse the attestation response
parsedResponse, err := protocol.ParseCredentialCreationResponseBytes([]byte(req.Msg.Attestation))
if err != nil {
return nil, connect.NewError(connect.CodeInvalidArgument, err)
}
// var test metadata.Provider
// test.
// Create the credential
credential, err := h.webAuthn.CreateCredential(pUser, *session, parsedResponse)
if err != nil {
return nil, connect.NewError(connect.CodeInternal, err)
}
// options, session, err := webAuthn.BeginRegistration(user)
transports := transportsToString(credential.Transport)
// return nil
// }
// Save the credential
err = h.db.InsertCredential(ctx, sqlc.InsertCredentialParams{
CredID: string(credential.ID),
CredPublicKey: credential.PublicKey,
SignCount: int64(credential.Authenticator.SignCount),
Transports: &transports,
UserVerified: &credential.Flags.UserVerified,
BackupEligible: &credential.Flags.BackupEligible,
BackupState: &credential.Flags.BackupState,
AttestationObject: credential.Attestation.Object,
AttestationClientData: credential.Attestation.ClientDataJSON,
CreatedAt: time.Now(),
LastUsed: time.Now(),
UserID: userid,
})
if err != nil {
return nil, connect.NewError(connect.CodeInternal, err)
}
func NewHandler(db *sqlc.Queries, key string) (string, http.Handler) {
interceptors := connect.WithInterceptors(interceptors.NewAuthInterceptor(key))
return connect.NewResponse(&userv1.FinishPasskeyRegistrationResponse{}), nil
}
func (h *Handler) getPasskeyUser(ctx context.Context, userid int64) (*auth.User, error) {
user, err := h.db.GetUser(ctx, userid)
if err != nil {
return nil, err
}
creds, err := h.db.GetCredentials(ctx, user.ID)
if err != nil {
return nil, err
}
webCreds := auth.NewCreds(creds)
webUser := auth.NewUser(user.WebauthnID, user.Username, webCreds)
return &webUser, nil
}
func (h *Handler) getSession(userid int64) (*webauthn.SessionData, error) {
h.mu.Lock()
defer h.mu.Unlock()
session, ok := (*h.sessions)[userid]
if !ok {
return nil, errors.New("session does not exist")
}
delete(*h.sessions, userid)
return session, nil
}
func (h *Handler) setSession(userid int64, data *webauthn.SessionData) {
h.mu.Lock()
defer h.mu.Unlock()
(*h.sessions)[userid] = data
}
func transportsToString(transports []protocol.AuthenticatorTransport) string {
s := ""
for _, transport := range transports {
s += string(transport) + ", "
}
return s
}
func NewHandler(vi *validate.Interceptor, db *sqlc.Queries, webauth *webauthn.WebAuthn, key string) (string, http.Handler) {
interceptors := connect.WithInterceptors(interceptors.NewAuthInterceptor(key), vi)
sd := map[int64]*webauthn.SessionData{}
return userv1connect.NewUserServiceHandler(
&Handler{
db: db,
key: []byte(key),
db: db,
webAuthn: webauth,
key: []byte(key),
sessions: &sd,
mu: sync.Mutex{},
},
interceptors,
)