authboss/auth/auth.go

// Package auth implements password based user logins.
package auth

import (
	"fmt"
	"net/http"

	"github.com/pkg/errors"
	"github.com/volatiletech/authboss"
	"github.com/volatiletech/authboss/internal/response"
	"golang.org/x/crypto/bcrypt"
)

const (
	tplLogin = "login.html.tpl"
)

func init() {
	authboss.RegisterModule("auth", &Auth{})
}

// Auth module
type Auth struct {
	*authboss.Authboss
}

// Init module
func (a *Auth) Init(ab *authboss.Authboss) (err error) {
	a.Authboss = ab

	if err := a.Authboss.Config.Core.ViewRenderer.Load(tplLogin); err != nil {
		return err
	}

	var logoutRouteMethod func(string, http.Handler)
	switch a.Authboss.Config.Modules.LogoutMethod {
	case "GET":
		logoutRouteMethod = a.Authboss.Config.Core.Router.Get
	case "POST":
		logoutRouteMethod = a.Authboss.Config.Core.Router.Post
	case "DELETE":
		logoutRouteMethod = a.Authboss.Config.Core.Router.Delete
	default:
		return errors.Errorf("auth wants to register a logout route but is given an invalid method: %s", a.Authboss.Config.Modules.LogoutMethod)
	}

	a.Authboss.Config.Core.Router.Get("/login", http.HandlerFunc(loginGet))
	a.Authboss.Config.Core.Router.Post("/login", http.HandlerFunc(loginPost))
	logoutRouteMethod("/logout", http.HandlerFunc(logout))

	return nil
}

func (a *Auth) loginGet(w http.ResponseWriter, r *http.Request) error {
	data := authboss.NewHTMLData(
		"showRemember", a.IsLoaded("remember"),
		"showRecover", a.IsLoaded("recover"),
		"showRegister", a.IsLoaded("register"),
		"primaryID", a.PrimaryID,
		"primaryIDValue", "",
	)
	return a.templates.Render(ctx, w, r, tplLogin, data)
}

func (a *Auth) loginPost(w http.ResponseWriter, r *http.Request) error {
	switch r.Method {
	case methodGET:
	case methodPOST:
		key := r.FormValue(a.PrimaryID)
		password := r.FormValue("password")

		errData := authboss.NewHTMLData(
			"error", fmt.Sprintf("invalid %s and/or password", a.PrimaryID),
			"primaryID", a.PrimaryID,
			"primaryIDValue", key,
			"showRemember", a.IsLoaded("remember"),
			"showRecover", a.IsLoaded("recover"),
			"showRegister", a.IsLoaded("register"),
		)

		if valid, err := validateCredentials(ctx, key, password); err != nil {
			errData["error"] = "Internal server error"
			fmt.Fprintf(ctx.LogWriter, "auth: validate credentials failed: %v\n", err)
			return a.templates.Render(ctx, w, r, tplLogin, errData)
		} else if !valid {
			if err := a.Events.FireAfter(authboss.EventAuthFail, ctx); err != nil {
				fmt.Fprintf(ctx.LogWriter, "EventAuthFail callback error'd out: %v\n", err)
			}
			return a.templates.Render(ctx, w, r, tplLogin, errData)
		}

		interrupted, err := a.Events.FireBefore(authboss.EventAuth, ctx)
		if err != nil {
			return err
		} else if interrupted != authboss.InterruptNone {
			var reason string
			switch interrupted {
			case authboss.InterruptAccountLocked:
				reason = "Your account has been locked."
			case authboss.InterruptAccountNotConfirmed:
				reason = "Your account has not been confirmed."
			}
			response.Redirect(ctx, w, r, a.AuthLoginFailPath, "", reason, false)
			return nil
		}

		ctx.SessionStorer.Put(authboss.SessionKey, key)
		ctx.SessionStorer.Del(authboss.SessionHalfAuthKey)
		ctx.Values = map[string]string{authboss.CookieRemember: r.FormValue(authboss.CookieRemember)}

		if err := a.Events.FireAfter(authboss.EventAuth, ctx); err != nil {
			return err
		}
		response.Redirect(ctx, w, r, a.AuthLoginOKPath, "", "", true)
	default:
		w.WriteHeader(http.StatusMethodNotAllowed)
	}

	return nil
}

func validateCredentials(key, password string) (bool, error) {
	if err := ctx.LoadUser(key); err == authboss.ErrUserNotFound {
		return false, nil
	} else if err != nil {
		return false, err
	}

	actualPassword, err := ctx.User.StringErr(authboss.StorePassword)
	if err != nil {
		return false, err
	}

	if err := bcrypt.CompareHashAndPassword([]byte(actualPassword), []byte(password)); err != nil {
		return false, nil
	}

	return true, nil
}

func (a *Auth) logout(w http.ResponseWriter, r *http.Request) error {
	ctx.SessionStorer.Del(authboss.SessionKey)
	ctx.CookieStorer.Del(authboss.CookieRemember)
	ctx.SessionStorer.Del(authboss.SessionLastAction)

	response.Redirect(ctx, w, r, a.AuthLogoutOKPath, "You have logged out", "", true)

	return nil
}
Change documentation a little bit, and fix one bug. 2015-03-15 17:06:08 +02:00			`// Package auth implements password based user logins.`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 20:33:53 +02:00			`package auth`

			`import (`
Fixed auth and auth tests. - Added more error checking to remember module. 2015-01-15 23:24:12 +02:00			`"fmt"`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 20:33:53 +02:00			`"net/http"`

Fix errors package - Fix many compilation errors 2017-02-22 01:04:30 +02:00			`"github.com/pkg/errors"`
Import path fixes 2017-07-31 04:39:33 +02:00			`"github.com/volatiletech/authboss"`
			`"github.com/volatiletech/authboss/internal/response"`
Fix errors package - Fix many compilation errors 2017-02-22 01:04:30 +02:00			`"golang.org/x/crypto/bcrypt"`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 20:33:53 +02:00			`)`

			`const (`
Proper naming of all templates. Rebuild bindata. 2015-02-26 22:52:45 +02:00			`tplLogin = "login.html.tpl"`
Cleaned up auth module and tests 2015-01-13 07:08:52 +02:00			`)`
Added auth endpoint POST 2015-01-11 08:49:06 +02:00
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 20:33:53 +02:00			`func init() {`
no DisableGoroutines (just check for -Maker); no ModuleNames; test fix 2016-05-09 19:20:10 +02:00			`authboss.RegisterModule("auth", &Auth{})`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 20:33:53 +02:00			`}`

Destroy a list of go lint errors. 2015-03-16 23:42:45 +02:00			`// Auth module`
Rework recover 2015-02-24 01:51:42 +02:00			`type Auth struct {`
Fix modules after refactor. 2015-04-01 00:27:47 +02:00			`*authboss.Authboss`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 20:33:53 +02:00			`}`

Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`// Init module`
			`func (a Auth) Init(ab authboss.Authboss) (err error) {`
Fix modules after refactor. 2015-04-01 00:27:47 +02:00			`a.Authboss = ab`

Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`if err := a.Authboss.Config.Core.ViewRenderer.Load(tplLogin); err != nil {`
			`return err`
Rework recover 2015-02-24 01:51:42 +02:00			`}`

Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`var logoutRouteMethod func(string, http.Handler)`
			`switch a.Authboss.Config.Modules.LogoutMethod {`
			`case "GET":`
			`logoutRouteMethod = a.Authboss.Config.Core.Router.Get`
			`case "POST":`
			`logoutRouteMethod = a.Authboss.Config.Core.Router.Post`
			`case "DELETE":`
			`logoutRouteMethod = a.Authboss.Config.Core.Router.Delete`
			`default:`
			`return errors.Errorf("auth wants to register a logout route but is given an invalid method: %s", a.Authboss.Config.Modules.LogoutMethod)`
Add new auth testing and tempaltes 2015-02-25 01:01:56 +02:00			`}`

Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`a.Authboss.Config.Core.Router.Get("/login", http.HandlerFunc(loginGet))`
			`a.Authboss.Config.Core.Router.Post("/login", http.HandlerFunc(loginPost))`
			`logoutRouteMethod("/logout", http.HandlerFunc(logout))`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 20:33:53 +02:00
			`return nil`
			`}`

Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`func (a Auth) loginGet(w http.ResponseWriter, r http.Request) error {`
			`data := authboss.NewHTMLData(`
			`"showRemember", a.IsLoaded("remember"),`
			`"showRecover", a.IsLoaded("recover"),`
			`"showRegister", a.IsLoaded("register"),`
			`"primaryID", a.PrimaryID,`
			`"primaryIDValue", "",`
			`)`
			`return a.templates.Render(ctx, w, r, tplLogin, data)`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 20:33:53 +02:00			`}`

Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`func (a Auth) loginPost(w http.ResponseWriter, r http.Request) error {`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 20:33:53 +02:00			`switch r.Method {`
			`case methodGET:`
			`case methodPOST:`
auth: Context-Request separation ripple 2015-08-02 20:52:23 +02:00			`key := r.FormValue(a.PrimaryID)`
			`password := r.FormValue("password")`
Add response writer to client storer 2015-01-16 00:01:01 +02:00
Reworking auth 2015-02-21 09:33:35 +02:00			`errData := authboss.NewHTMLData(`
Fix modules after refactor. 2015-04-01 00:27:47 +02:00			`"error", fmt.Sprintf("invalid %s and/or password", a.PrimaryID),`
			`"primaryID", a.PrimaryID,`
Rework recover 2015-02-24 01:51:42 +02:00			`"primaryIDValue", key,`
Fix modules after refactor. 2015-04-01 00:27:47 +02:00			`"showRemember", a.IsLoaded("remember"),`
			`"showRecover", a.IsLoaded("recover"),`
Add 'showRegister' flag to auth module. 2015-04-10 21:04:26 +02:00			`"showRegister", a.IsLoaded("register"),`
Reworking auth 2015-02-21 09:33:35 +02:00			`)`

Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 20:49:28 +02:00			`if valid, err := validateCredentials(ctx, key, password); err != nil {`
			`errData["error"] = "Internal server error"`
final App-Engine-related fixes 2016-05-07 08:12:20 +02:00			`fmt.Fprintf(ctx.LogWriter, "auth: validate credentials failed: %v\n", err)`
Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 20:49:28 +02:00			`return a.templates.Render(ctx, w, r, tplLogin, errData)`
			`} else if !valid {`
Bring back events - Rename callbacks -> events - Regenerate stringers.go with later version of stringer 2018-02-02 02:31:08 +02:00			`if err := a.Events.FireAfter(authboss.EventAuthFail, ctx); err != nil {`
final App-Engine-related fixes 2016-05-07 08:12:20 +02:00			`fmt.Fprintf(ctx.LogWriter, "EventAuthFail callback error'd out: %v\n", err)`
Ensure we call EventAuthFail. - Remove validation of fields that we never store in the database anyways. 2015-08-02 18:52:30 +02:00			`}`
Reworking auth 2015-02-21 09:33:35 +02:00			`return a.templates.Render(ctx, w, r, tplLogin, errData)`
Made things work with other things. 2015-01-11 09:12:40 +02:00			`}`
Changed remember and auth to work together. 2015-01-16 01:10:47 +02:00
Bring back events - Rename callbacks -> events - Regenerate stringers.go with later version of stringer 2018-02-02 02:31:08 +02:00			`interrupted, err := a.Events.FireBefore(authboss.EventAuth, ctx)`
Add mountedpath so forms work on mounted paths. - Refactor naming for config "redirect" variables. - Removed flash messages from config, Fix #19 2015-02-26 09:05:14 +02:00			`if err != nil {`
			`return err`
			`} else if interrupted != authboss.InterruptNone {`
			`var reason string`
			`switch interrupted {`
			`case authboss.InterruptAccountLocked:`
			`reason = "Your account has been locked."`
			`case authboss.InterruptAccountNotConfirmed:`
			`reason = "Your account has not been confirmed."`
			`}`
Fix modules after refactor. 2015-04-01 00:27:47 +02:00			`response.Redirect(ctx, w, r, a.AuthLoginFailPath, "", reason, false)`
Add mountedpath so forms work on mounted paths. - Refactor naming for config "redirect" variables. - Removed flash messages from config, Fix #19 2015-02-26 09:05:14 +02:00			`return nil`
			`}`

			`ctx.SessionStorer.Put(authboss.SessionKey, key)`
			`ctx.SessionStorer.Del(authboss.SessionHalfAuthKey)`
remember: Context+Request separation ripple - Re-add the age-old "Values" from the Context. This was originally there for exactly the documented purpose. However the Context holding the request form values negated it's use. It's back because of this new separation. - Make the auth success path set the authboss.CookieRemember value in the context before calling it's callback. 2015-08-02 23:02:14 +02:00			`ctx.Values = map[string]string{authboss.CookieRemember: r.FormValue(authboss.CookieRemember)}`
Add mountedpath so forms work on mounted paths. - Refactor naming for config "redirect" variables. - Removed flash messages from config, Fix #19 2015-02-26 09:05:14 +02:00
Bring back events - Rename callbacks -> events - Regenerate stringers.go with later version of stringer 2018-02-02 02:31:08 +02:00			`if err := a.Events.FireAfter(authboss.EventAuth, ctx); err != nil {`
Fix confirm fields. 2015-02-26 09:20:02 +02:00			`return err`
			`}`
Fix modules after refactor. 2015-04-01 00:27:47 +02:00			`response.Redirect(ctx, w, r, a.AuthLoginOKPath, "", "", true)`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 20:33:53 +02:00			`default:`
			`w.WriteHeader(http.StatusMethodNotAllowed)`
			`}`
Reworking auth 2015-02-21 09:33:35 +02:00
			`return nil`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 20:33:53 +02:00			`}`

Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`func validateCredentials(key, password string) (bool, error) {`
Fix internal server error when wrong usr/pwd - Correct tests to stop actually checking for internal server errors on wrong username/password. Sometimes tests aren't everything. - Fix #64 2015-07-02 03:07:26 +02:00			`if err := ctx.LoadUser(key); err == authboss.ErrUserNotFound {`
			`return false, nil`
			`} else if err != nil {`
Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 20:49:28 +02:00			`return false, err`
Fixed auth and auth tests. - Added more error checking to remember module. 2015-01-15 23:24:12 +02:00			`}`

Add PrimaryID to the system. - Fix #17 2015-02-22 23:16:11 +02:00			`actualPassword, err := ctx.User.StringErr(authboss.StorePassword)`
Reworking auth 2015-02-21 09:33:35 +02:00			`if err != nil {`
Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 20:49:28 +02:00			`return false, err`
Fixed auth and auth tests. - Added more error checking to remember module. 2015-01-15 23:24:12 +02:00			`}`

Reworking auth 2015-02-21 09:33:35 +02:00			`if err := bcrypt.CompareHashAndPassword([]byte(actualPassword), []byte(password)); err != nil {`
Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 20:49:28 +02:00			`return false, nil`
Added auth endpoint POST 2015-01-11 08:49:06 +02:00			`}`

Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 20:49:28 +02:00			`return true, nil`
Added auth endpoint POST 2015-01-11 08:49:06 +02:00			`}`

Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`func (a Auth) logout(w http.ResponseWriter, r http.Request) error {`
			`ctx.SessionStorer.Del(authboss.SessionKey)`
			`ctx.CookieStorer.Del(authboss.CookieRemember)`
			`ctx.SessionStorer.Del(authboss.SessionLastAction)`
Fix expire token shenanigans - Add session and cookie cleanup on logout 2015-03-03 08:09:32 +02:00
Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`response.Redirect(ctx, w, r, a.AuthLogoutOKPath, "You have logged out", "", true)`
Reworking auth 2015-02-21 09:33:35 +02:00
			`return nil`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 20:33:53 +02:00			`}`