authboss/storage.go

package authboss

import (
	"context"
	"time"

	"github.com/pkg/errors"
)

// Data store constants for attribute names.
const (
	StoreEmail    = "email"
	StoreUsername = "username"
	StorePassword = "password"
)

// Data store constants for OAuth2 attribute names.
const (
	StoreOAuth2UID      = "oauth2_uid"
	StoreOAuth2Provider = "oauth2_provider"
	StoreOAuth2Token    = "oauth2_token"
	StoreOAuth2Refresh  = "oauth2_refresh"
	StoreOAuth2Expiry   = "oauth2_expiry"
)

var (
	// ErrUserNotFound should be returned from Get when the record is not found.
	ErrUserNotFound = errors.New("user not found")
	// ErrTokenNotFound should be returned from UseToken when the record is not found.
	ErrTokenNotFound = errors.New("token not found")
	// ErrUserFound should be returned from Create (see ConfirmUser) when the primaryID
	// of the record is found.
	ErrUserFound = errors.New("user found")
)

// ServerStorer represents the data store that's capable of loading users
// and giving them a context with which to store themselves.
type ServerStorer interface {
	// Load will look up the user based on the passed the PrimaryID
	Load(ctx context.Context, key string) (User, error)

	// Save persists the user in the database
	Save(ctx context.Context, user User) error
}

// User has functions for each piece of data it requires.
// Data should not be persisted on each function call.
// User has a PID (primary ID) that is used on the site as
// a single unique identifier to any given user (very typically e-mail
// or username).
type User interface {
	GetPID(ctx context.Context) (pid string, err error)
	PutPID(ctx context.Context, pid string) error
}

// AuthableUser is identified by a password
type AuthableUser interface {
	User

	GetPassword(ctx context.Context) (password string, err error)
	PutPassword(ctx context.Context, password string) error
}

// ConfirmableUser can be in a state of confirmed or not
type ConfirmableUser interface {
	User

	GetConfirmed(ctx context.Context) (confirmed bool, err error)
	GetConfirmToken(ctx context.Context) (token string, err error)

	PutConfirmed(ctx context.Context, confirmed bool) error
	PutConfirmToken(ctx context.Context, token string) error
}

// ArbitraryUser allows arbitrary data from the web form through. You should
// definitely only pull the keys you want from the map, since this is unfiltered
// input from a web request and is an attack vector.
type ArbitraryUser interface {
	User

	// GetArbitrary is used only to display the arbitrary data back to the user
	// when the form is reset.
	GetArbitrary(ctx context.Context) (arbitrary map[string]string, err error)
	// PutArbitrary allows arbitrary fields defined by the authboss library
	// consumer to add fields to the user registration piece.
	PutArbitrary(ctx context.Context, arbitrary map[string]string) error
}

// OAuth2User allows reading and writing values relating to OAuth2
type OAuth2User interface {
	User

	// IsOAuth2User checks to see if a user was registered in the site as an
	// oauth2 user.
	IsOAuth2User(ctx context.Context) (bool, error)

	GetUID(ctx context.Context) (uid string, err error)
	GetProvider(ctx context.Context) (provider string, err error)
	GetToken(ctx context.Context) (token string, err error)
	GetRefreshToken(ctx context.Context) (refreshToken string, err error)
	GetExpiry(ctx context.Context) (expiry time.Duration, err error)

	PutUID(ctx context.Context, uid string) error
	PutProvider(ctx context.Context, provider string) error
	PutToken(ctx context.Context, token string) error
	PutRefreshToken(ctx context.Context, refreshToken string) error
	PutExpiry(ctx context.Context, expiry time.Duration) error
}

// MustBeAuthable forces an upgrade conversion to Authable
// or will panic.
func MustBeAuthable(u User) AuthableUser {
	if au, ok := u.(AuthableUser); ok {
		return au
	}
	panic("could not upgrade user to an authable user, check your user struct")
}
Add some more infrastructure. - Add module system. - Add storer interface. 2015-01-03 22:03:57 +02:00			`package authboss`

			`import (`
Prototyping 2017-02-21 00:28:38 +02:00			`"context"`
Add some more infrastructure. - Add module system. - Add storer interface. 2015-01-03 22:03:57 +02:00			`"time"`
Fix errors package - Fix many compilation errors 2017-02-22 01:04:30 +02:00
			`"github.com/pkg/errors"`
Add some more infrastructure. - Add module system. - Add storer interface. 2015-01-03 22:03:57 +02:00			`)`

Finish confirm module (except tests). 2015-02-10 10:43:45 +02:00			`// Data store constants for attribute names.`
			`const (`
Finish tests for confirm. - Rename UserXXX to StoreXXX in confirm/authboss. 2015-02-16 23:27:29 +02:00			`StoreEmail = "email"`
			`StoreUsername = "username"`
			`StorePassword = "password"`
Finish confirm module (except tests). 2015-02-10 10:43:45 +02:00			`)`

Add initial oauth2 support. - Needs more providers and more tests. 2015-03-13 04:20:36 +02:00			`// Data store constants for OAuth2 attribute names.`
			`const (`
Make OAuth2 implementation less shoddy. - Add a new storer specifically for OAuth2 to enable clients to choose regular database storing OR Oauth2 but not have to have both. - Stop storing OAuth2 credentials in a combined form inside username. - Add new events to capture OAuth events just like auth. - Have pass-through parameters for OAuth init urls, this allows us to pass additional behavior options (redirects and remember me) as well as other things that should be present on the page that is redirected to. - Context.LoadUser is now OAuth aware. - Remember's callbacks now include an OAuth check to see if a horribly packed state variable contains a flag to say that we want to be remembered. - Change the OAuth2 Callback to use Attributes instead of that custom struct to allow people to append whatever attributes they want into the user that will be saved. 2015-03-14 01:23:43 +02:00			`StoreOAuth2UID = "oauth2_uid"`
			`StoreOAuth2Provider = "oauth2_provider"`
			`StoreOAuth2Token = "oauth2_token"`
			`StoreOAuth2Refresh = "oauth2_refresh"`
			`StoreOAuth2Expiry = "oauth2_expiry"`
Add initial oauth2 support. - Needs more providers and more tests. 2015-03-13 04:20:36 +02:00			`)`

Cleanup various sad things. - Export ModuleAttrMeta so the modules can access it. - Add a couple new events for later use. - Fix a few compile errors. - Prefix err constants with Err. 2015-01-24 01:56:24 +02:00			`var (`
More work on cleaning up recover - Add email layouts 2015-02-02 00:17:18 +02:00			`// ErrUserNotFound should be returned from Get when the record is not found.`
Fix errors package - Fix many compilation errors 2017-02-22 01:04:30 +02:00			`ErrUserNotFound = errors.New("user not found")`
More work on cleaning up recover - Add email layouts 2015-02-02 00:17:18 +02:00			`// ErrTokenNotFound should be returned from UseToken when the record is not found.`
Fix errors package - Fix many compilation errors 2017-02-22 01:04:30 +02:00			`ErrTokenNotFound = errors.New("token not found")`
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`// ErrUserFound should be returned from Create (see ConfirmUser) when the primaryID`
			`// of the record is found.`
Fix errors package - Fix many compilation errors 2017-02-22 01:04:30 +02:00			`ErrUserFound = errors.New("user found")`
Cleanup various sad things. - Export ModuleAttrMeta so the modules can access it. - Add a couple new events for later use. - Fix a few compile errors. - Prefix err constants with Err. 2015-01-24 01:56:24 +02:00			`)`
Add many new files and types. - Add context. - Add handler type. - Add new storers for client storage and sessions. - Add start of remember module. 2015-01-11 08:52:39 +02:00
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`// ServerStorer represents the data store that's capable of loading users`
Prototyping 2017-02-21 00:28:38 +02:00			`// and giving them a context with which to store themselves.`
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`type ServerStorer interface {`
			`// Load will look up the user based on the passed the PrimaryID`
			`Load(ctx context.Context, key string) (User, error)`

			`// Save persists the user in the database`
			`Save(ctx context.Context, user User) error`
Prototyping 2017-02-21 00:28:38 +02:00			`}`
Add many new files and types. - Add context. - Add handler type. - Add new storers for client storage and sessions. - Add start of remember module. 2015-01-11 08:52:39 +02:00
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`// User has functions for each piece of data it requires.`
			`// Data should not be persisted on each function call.`
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core 2018-02-02 01:42:48 +02:00			`// User has a PID (primary ID) that is used on the site as`
			`// a single unique identifier to any given user (very typically e-mail`
			`// or username).`
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`type User interface {`
Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`GetPID(ctx context.Context) (pid string, err error)`
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core 2018-02-02 01:42:48 +02:00			`PutPID(ctx context.Context, pid string) error`
Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`}`

			`// AuthableUser is identified by a password`
			`type AuthableUser interface {`
			`User`
Prototyping 2017-02-21 00:28:38 +02:00
			`GetPassword(ctx context.Context) (password string, err error)`
Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`PutPassword(ctx context.Context, password string) error`
			`}`

			`// ConfirmableUser can be in a state of confirmed or not`
			`type ConfirmableUser interface {`
			`User`

			`GetConfirmed(ctx context.Context) (confirmed bool, err error)`
			`GetConfirmToken(ctx context.Context) (token string, err error)`

			`PutConfirmed(ctx context.Context, confirmed bool) error`
			`PutConfirmToken(ctx context.Context, token string) error`
Prototyping 2017-02-21 00:28:38 +02:00			`}`

Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`// ArbitraryUser allows arbitrary data from the web form through. You should`
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers. 2017-02-25 02:45:47 +02:00			`// definitely only pull the keys you want from the map, since this is unfiltered`
			`// input from a web request and is an attack vector.`
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`type ArbitraryUser interface {`
			`User`
Prototyping 2017-02-21 00:28:38 +02:00
			`// GetArbitrary is used only to display the arbitrary data back to the user`
			`// when the form is reset.`
			`GetArbitrary(ctx context.Context) (arbitrary map[string]string, err error)`
Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`// PutArbitrary allows arbitrary fields defined by the authboss library`
			`// consumer to add fields to the user registration piece.`
			`PutArbitrary(ctx context.Context, arbitrary map[string]string) error`
Add many new files and types. - Add context. - Add handler type. - Add new storers for client storage and sessions. - Add start of remember module. 2015-01-11 08:52:39 +02:00			`}`

Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`// OAuth2User allows reading and writing values relating to OAuth2`
			`type OAuth2User interface {`
			`User`
Prototyping 2017-02-21 00:28:38 +02:00
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`// IsOAuth2User checks to see if a user was registered in the site as an`
			`// oauth2 user.`
More gigantic edits. - Change response to be more central to Authboss. Make sure it has useful methods and works with the new rendering idioms. - Change the load user methods to all work with context keys, and even be able to set context keys on the current request to avoid setting contexts everywhere in the code base. 2017-02-24 02:13:25 +02:00			`IsOAuth2User(ctx context.Context) (bool, error)`

Prototyping 2017-02-21 00:28:38 +02:00			`GetUID(ctx context.Context) (uid string, err error)`
			`GetProvider(ctx context.Context) (provider string, err error)`
			`GetToken(ctx context.Context) (token string, err error)`
			`GetRefreshToken(ctx context.Context) (refreshToken string, err error)`
			`GetExpiry(ctx context.Context) (expiry time.Duration, err error)`
Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00
			`PutUID(ctx context.Context, uid string) error`
			`PutProvider(ctx context.Context, provider string) error`
			`PutToken(ctx context.Context, token string) error`
			`PutRefreshToken(ctx context.Context, refreshToken string) error`
			`PutExpiry(ctx context.Context, expiry time.Duration) error`
Make OAuth2 implementation less shoddy. - Add a new storer specifically for OAuth2 to enable clients to choose regular database storing OR Oauth2 but not have to have both. - Stop storing OAuth2 credentials in a combined form inside username. - Add new events to capture OAuth events just like auth. - Have pass-through parameters for OAuth init urls, this allows us to pass additional behavior options (redirects and remember me) as well as other things that should be present on the page that is redirected to. - Context.LoadUser is now OAuth aware. - Remember's callbacks now include an OAuth check to see if a horribly packed state variable contains a flag to say that we want to be remembered. - Change the OAuth2 Callback to use Attributes instead of that custom struct to allow people to append whatever attributes they want into the user that will be saved. 2015-03-14 01:23:43 +02:00			`}`
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-05 07:24:55 +02:00
			`// MustBeAuthable forces an upgrade conversion to Authable`
			`// or will panic.`
			`func MustBeAuthable(u User) AuthableUser {`
			`if au, ok := u.(AuthableUser); ok {`
			`return au`
			`}`
			`panic("could not upgrade user to an authable user, check your user struct")`
			`}`