260 lines
6.6 KiB
Go
260 lines
6.6 KiB
Go
package auth
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/atlasos/calypso/internal/common/config"
|
|
"github.com/atlasos/calypso/internal/common/database"
|
|
"github.com/atlasos/calypso/internal/common/logger"
|
|
"github.com/atlasos/calypso/internal/common/password"
|
|
"github.com/atlasos/calypso/internal/iam"
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
)
|
|
|
|
// Handler handles authentication requests
|
|
type Handler struct {
|
|
db *database.DB
|
|
config *config.Config
|
|
logger *logger.Logger
|
|
}
|
|
|
|
// NewHandler creates a new auth handler
|
|
func NewHandler(db *database.DB, cfg *config.Config, log *logger.Logger) *Handler {
|
|
return &Handler{
|
|
db: db,
|
|
config: cfg,
|
|
logger: log,
|
|
}
|
|
}
|
|
|
|
// LoginRequest represents a login request
|
|
type LoginRequest struct {
|
|
Username string `json:"username" binding:"required"`
|
|
Password string `json:"password" binding:"required"`
|
|
}
|
|
|
|
// LoginResponse represents a login response
|
|
type LoginResponse struct {
|
|
Token string `json:"token"`
|
|
ExpiresAt time.Time `json:"expires_at"`
|
|
User UserInfo `json:"user"`
|
|
}
|
|
|
|
// UserInfo represents user information in auth responses
|
|
type UserInfo struct {
|
|
ID string `json:"id"`
|
|
Username string `json:"username"`
|
|
Email string `json:"email"`
|
|
FullName string `json:"full_name"`
|
|
Roles []string `json:"roles"`
|
|
}
|
|
|
|
// Login handles user login
|
|
func (h *Handler) Login(c *gin.Context) {
|
|
var req LoginRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid request"})
|
|
return
|
|
}
|
|
|
|
// Get user from database
|
|
user, err := iam.GetUserByUsername(h.db, req.Username)
|
|
if err != nil {
|
|
h.logger.Warn("Login attempt failed", "username", req.Username, "error", "user not found")
|
|
c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid credentials"})
|
|
return
|
|
}
|
|
|
|
// Check if user is active
|
|
if !user.IsActive {
|
|
c.JSON(http.StatusForbidden, gin.H{"error": "account is disabled"})
|
|
return
|
|
}
|
|
|
|
// Verify password
|
|
if !h.verifyPassword(req.Password, user.PasswordHash) {
|
|
h.logger.Warn("Login attempt failed", "username", req.Username, "error", "invalid password")
|
|
c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid credentials"})
|
|
return
|
|
}
|
|
|
|
// Generate JWT token
|
|
token, expiresAt, err := h.generateToken(user)
|
|
if err != nil {
|
|
h.logger.Error("Failed to generate token", "error", err)
|
|
c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to generate token"})
|
|
return
|
|
}
|
|
|
|
// Create session
|
|
if err := h.createSession(user.ID, token, c.ClientIP(), c.GetHeader("User-Agent"), expiresAt); err != nil {
|
|
h.logger.Error("Failed to create session", "error", err)
|
|
// Continue anyway, token is still valid
|
|
}
|
|
|
|
// Update last login
|
|
if err := h.updateLastLogin(user.ID); err != nil {
|
|
h.logger.Warn("Failed to update last login", "error", err)
|
|
}
|
|
|
|
// Get user roles
|
|
roles, err := iam.GetUserRoles(h.db, user.ID)
|
|
if err != nil {
|
|
h.logger.Warn("Failed to get user roles", "error", err)
|
|
roles = []string{}
|
|
}
|
|
|
|
h.logger.Info("User logged in successfully", "username", req.Username, "user_id", user.ID)
|
|
|
|
c.JSON(http.StatusOK, LoginResponse{
|
|
Token: token,
|
|
ExpiresAt: expiresAt,
|
|
User: UserInfo{
|
|
ID: user.ID,
|
|
Username: user.Username,
|
|
Email: user.Email,
|
|
FullName: user.FullName,
|
|
Roles: roles,
|
|
},
|
|
})
|
|
}
|
|
|
|
// Logout handles user logout
|
|
func (h *Handler) Logout(c *gin.Context) {
|
|
// Extract token
|
|
authHeader := c.GetHeader("Authorization")
|
|
if authHeader != "" {
|
|
parts := strings.SplitN(authHeader, " ", 2)
|
|
if len(parts) == 2 && parts[0] == "Bearer" {
|
|
// Invalidate session (token hash would be stored)
|
|
// For now, just return success
|
|
}
|
|
}
|
|
|
|
c.JSON(http.StatusOK, gin.H{"message": "logged out successfully"})
|
|
}
|
|
|
|
// Me returns current user information
|
|
func (h *Handler) Me(c *gin.Context) {
|
|
user, exists := c.Get("user")
|
|
if !exists {
|
|
c.JSON(http.StatusUnauthorized, gin.H{"error": "authentication required"})
|
|
return
|
|
}
|
|
|
|
authUser, ok := user.(*iam.User)
|
|
if !ok {
|
|
c.JSON(http.StatusInternalServerError, gin.H{"error": "invalid user context"})
|
|
return
|
|
}
|
|
|
|
roles, err := iam.GetUserRoles(h.db, authUser.ID)
|
|
if err != nil {
|
|
h.logger.Warn("Failed to get user roles", "error", err)
|
|
roles = []string{}
|
|
}
|
|
|
|
c.JSON(http.StatusOK, UserInfo{
|
|
ID: authUser.ID,
|
|
Username: authUser.Username,
|
|
Email: authUser.Email,
|
|
FullName: authUser.FullName,
|
|
Roles: roles,
|
|
})
|
|
}
|
|
|
|
// ValidateToken validates a JWT token and returns the user
|
|
func (h *Handler) ValidateToken(tokenString string) (*iam.User, error) {
|
|
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
|
|
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
return nil, jwt.ErrSignatureInvalid
|
|
}
|
|
return []byte(h.config.Auth.JWTSecret), nil
|
|
})
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if !token.Valid {
|
|
return nil, jwt.ErrSignatureInvalid
|
|
}
|
|
|
|
claims, ok := token.Claims.(jwt.MapClaims)
|
|
if !ok {
|
|
return nil, jwt.ErrInvalidKey
|
|
}
|
|
|
|
userID, ok := claims["user_id"].(string)
|
|
if !ok {
|
|
return nil, jwt.ErrInvalidKey
|
|
}
|
|
|
|
// Get user from database
|
|
user, err := iam.GetUserByID(h.db, userID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if !user.IsActive {
|
|
return nil, jwt.ErrInvalidKey
|
|
}
|
|
|
|
return user, nil
|
|
}
|
|
|
|
// verifyPassword verifies a password against an Argon2id hash
|
|
func (h *Handler) verifyPassword(pwd, hash string) bool {
|
|
valid, err := password.VerifyPassword(pwd, hash)
|
|
if err != nil {
|
|
h.logger.Warn("Password verification error", "error", err)
|
|
return false
|
|
}
|
|
return valid
|
|
}
|
|
|
|
// generateToken generates a JWT token for a user
|
|
func (h *Handler) generateToken(user *iam.User) (string, time.Time, error) {
|
|
expiresAt := time.Now().Add(h.config.Auth.TokenLifetime)
|
|
|
|
claims := jwt.MapClaims{
|
|
"user_id": user.ID,
|
|
"username": user.Username,
|
|
"exp": expiresAt.Unix(),
|
|
"iat": time.Now().Unix(),
|
|
}
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
|
tokenString, err := token.SignedString([]byte(h.config.Auth.JWTSecret))
|
|
if err != nil {
|
|
return "", time.Time{}, err
|
|
}
|
|
|
|
return tokenString, expiresAt, nil
|
|
}
|
|
|
|
// createSession creates a session record in the database
|
|
func (h *Handler) createSession(userID, token, ipAddress, userAgent string, expiresAt time.Time) error {
|
|
// Hash the token for storage using SHA-256
|
|
tokenHash := HashToken(token)
|
|
|
|
query := `
|
|
INSERT INTO sessions (user_id, token_hash, ip_address, user_agent, expires_at)
|
|
VALUES ($1, $2, $3, $4, $5)
|
|
`
|
|
_, err := h.db.Exec(query, userID, tokenHash, ipAddress, userAgent, expiresAt)
|
|
return err
|
|
}
|
|
|
|
// updateLastLogin updates the user's last login timestamp
|
|
func (h *Handler) updateLastLogin(userID string) error {
|
|
query := `UPDATE users SET last_login_at = NOW() WHERE id = $1`
|
|
_, err := h.db.Exec(query, userID)
|
|
return err
|
|
}
|
|
|
|
|