// Package remember implements persistent logins through the cookie storer.
package remember
import (
"bytes"
"crypto/md5"
"crypto/rand"
"encoding/base64"
"encoding/json"
"github.com/pkg/errors"
"github.com/volatiletech/authboss"
)
const (
	// nRandBytes is the number of random bytes appended after the storage key
	// and ';' separator to form a remember token (see new).
	nRandBytes = 32
)
var (
	// errUserMissing is returned by the after-auth callbacks when the event
	// fires with ctx.User still nil.
	errUserMissing = errors.New("user not loaded in callback")
)
// RememberStorer must be implemented in order to satisfy the remember module's
// storage requirements. If the implementer is a typical database then
// the tokens should be stored in a separate table since they require a 1-n
// with the user for each device the user wishes to remain logged in on.
//
// Remember storer will look at both authboss's configured Storer and OAuth2Storer
// for compatibility.
//
// Only a digest of each token (base64 of its md5 sum) is ever handed to the
// storer; the raw token lives solely in the user's cookie.
type RememberStorer interface {
	// AddToken saves a new token for the key.
	AddToken(key, token string) error

	// DelTokens removes all tokens for a given key.
	DelTokens(key string) error

	// UseToken finds the key-token pair, removes the entry in the store
	// and returns nil. If the token could not be found return ErrTokenNotFound.
	// givenKey is parsed out of the client's cookie and is untrusted, so
	// implementations must match on the (key, token) pair, never on key alone.
	UseToken(givenKey, token string) (err error)
}
// init registers the remember module with authboss under the name "remember".
func init() {
	module := new(Remember)
	authboss.RegisterModule("remember", module)
}
// Remember is the module that issues, redeems and revokes persistent-login
// tokens. It embeds the authboss instance it was initialized with so the
// configured storers, Events and PrimaryID are reachable directly.
type Remember struct {
	*authboss.Authboss
}
// Initialize wires the module into ab: it checks that a RememberStorer is
// available (or that a store maker exists to produce one later) and registers
// the event callbacks that issue, redeem and revoke remember tokens.
func (r *Remember) Initialize(ab *authboss.Authboss) error {
	r.Authboss = ab

	// Type assertions on a nil interface simply yield false.
	_, storerOK := r.Storer.(RememberStorer)
	_, oauthStorerOK := r.OAuth2Storer.(RememberStorer)

	switch {
	case r.Storer != nil || r.OAuth2Storer != nil:
		// A concrete storer is configured; at least one must implement RememberStorer.
		if !storerOK && !oauthStorerOK {
			return errors.New("rememberStorer required for remember functionality")
		}
	case r.StoreMaker == nil && r.OAuth2StoreMaker == nil:
		// Neither a storer nor a way to build one per request.
		return errors.New("need a rememberStorer")
	}

	r.Events.Before(authboss.EventGetUserSession, r.auth)
	r.Events.After(authboss.EventAuth, r.afterAuth)
	r.Events.After(authboss.EventOAuth, r.afterOAuth)
	r.Events.After(authboss.EventPasswordReset, r.afterPassword)

	return nil
}
// Routes reports the HTTP routes served by this module; remember has none.
func (r *Remember) Routes() authboss.RouteTable {
	var none authboss.RouteTable
	return none
}
// Storage declares the user attributes this module reads: only the configured
// primary identifier, as a string.
func (r *Remember) Storage() authboss.StorageOptions {
	opts := make(authboss.StorageOptions, 1)
	opts[r.PrimaryID] = authboss.String
	return opts
}
// afterAuth runs after a successful password login. When the request asked to
// be remembered (ctx.Values[CookieRemember] == "true") it issues a new remember
// token keyed by the user's primary identifier and writes it to the cookie.
//
// Returns errUserMissing if the event fired without a loaded user, and
// propagates attribute-lookup and token-creation failures.
func (r *Remember) afterAuth(ctx *authboss.Context) error {
	wantsRemember := ctx.Values[authboss.CookieRemember] == "true"
	if !wantsRemember {
		return nil
	}
	if ctx.User == nil {
		return errUserMissing
	}

	key, err := ctx.User.StringErr(r.PrimaryID)
	if err != nil {
		return err
	}

	_, err = r.new(ctx.CookieStorer, key)
	if err != nil {
		return errors.Wrapf(err, "failed to create remember token")
	}
	return nil
}
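// afterOAuth is called after oauth authentication is successful.
// Has to pander to horrible state variable packing to figure out if we want
// to be remembered: the remember flag travels inside the JSON-encoded
// SessionOAuth2Params session value rather than in ctx.Values.
//
// The remember token is keyed by "<oauth2 uid>;<oauth2 provider>".
//
// Returns errUserMissing if the event fired without a loaded user, and
// propagates JSON, attribute-lookup and token-creation failures.
func (r *Remember) afterOAuth(ctx *authboss.Context) error {
	sessValues, ok := ctx.SessionStorer.Get(authboss.SessionOAuth2Params)
	if !ok {
		return nil
	}

	var values map[string]string
	if err := json.Unmarshal([]byte(sessValues), &values); err != nil {
		return err
	}

	// Indexing a nil map is safe, so a JSON "null" payload simply means "no".
	if values[authboss.CookieRemember] != "true" {
		return nil
	}

	if ctx.User == nil {
		return errUserMissing
	}

	// Bug fix: uid was previously read from StoreOAuth2Provider as well, so the
	// token key became "provider;provider" and never contained the user's uid.
	uid, err := ctx.User.StringErr(authboss.StoreOAuth2UID)
	if err != nil {
		return err
	}
	provider, err := ctx.User.StringErr(authboss.StoreOAuth2Provider)
	if err != nil {
		return err
	}

	if _, err := r.new(ctx.CookieStorer, uid+";"+provider); err != nil {
		return errors.Wrap(err, "failed to create remember token")
	}

	return nil
}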
// afterPassword revokes persistent logins once a password has been reset: the
// remember cookie is cleared and every stored token for the user is deleted.
// It is best-effort and returns nil when there is no user, no primary id, or
// no RememberStorer to delete from.
func (r *Remember) afterPassword(ctx *authboss.Context) error {
	if ctx.User == nil {
		return nil
	}
	id, hasID := ctx.User.String(r.PrimaryID)
	if !hasID {
		return nil
	}

	// Drop the client-side token regardless of whether server-side revocation
	// is possible.
	ctx.CookieStorer.Del(authboss.CookieRemember)

	storer, found := ctx.Storer.(RememberStorer)
	if !found {
		storer, found = ctx.OAuth2Storer.(RememberStorer)
	}
	if !found {
		return nil
	}
	return storer.DelTokens(id)
}
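// new generates a new remember token and stores it in the configured RememberStorer.
// The return value is a token that should only be given to a user if the delivery
// method is secure which means at least signed if not encrypted.
//
// The raw token is "<storageKey>;<nRandBytes random bytes>", so the cookie
// value reveals the storage key in (base64) plaintext. Only the base64 of the
// token's md5 digest is handed to the storer. The token is also written to
// cstorer under CookieRemember before being returned.
//
// Note that the storer is resolved from the module-level r.Storer/r.OAuth2Storer,
// not from a request context as auth and afterPassword do.
//
// Returns an error when neither configured storer implements RememberStorer,
// when random bytes could not be read, or when the storer rejects the token.
func (r *Remember) new(cstorer authboss.ClientStorer, storageKey string) (string, error) {
	// Resolve the storer first so a misconfiguration fails before any
	// randomness is spent or a cookie is written. Previously a missing
	// RememberStorer (possible when Initialize's check was skipped because
	// only store makers were configured) led to a nil-interface method call.
	storer, ok := r.Storer.(RememberStorer)
	if !ok {
		storer, ok = r.OAuth2Storer.(RememberStorer)
	}
	if !ok {
		return "", errors.New("no RememberStorer available to save remember token")
	}

	token := make([]byte, len(storageKey)+1+nRandBytes)
	copy(token, storageKey)
	token[len(storageKey)] = ';'
	if _, err := rand.Read(token[len(storageKey)+1:]); err != nil {
		return "", err
	}

	sum := md5.Sum(token)
	finalToken := base64.URLEncoding.EncodeToString(token)
	storageToken := base64.StdEncoding.EncodeToString(sum[:])

	// Save the digest in the DB.
	if err := storer.AddToken(storageKey, storageToken); err != nil {
		return "", err
	}

	// Write the finalToken to the cookie.
	cstorer.Put(authboss.CookieRemember, finalToken)

	return finalToken, nil
}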
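// auth takes a token that was given to a user and checks to see if something
// is matching in the database. If something is found the old token is deleted
// and a new one should be generated.
//
// It runs before EventGetUserSession. If a session already exists nothing is
// done. Otherwise the CookieRemember cookie is base64-decoded, split at the
// first ';' into the storage key and the random part, and the storer is asked
// to consume the (key, base64(md5(token))) pair. On success the token is
// rotated via new, the session is marked half-authed and SessionKey is set to
// the key taken from the cookie.
//
// A missing or unknown token is not an error (InterruptNone, nil); malformed
// tokens, storer failures and a missing RememberStorer are returned as errors.
func (r *Remember) auth(ctx *authboss.Context) (authboss.Interrupt, error) {
	if val, ok := ctx.SessionStorer.Get(authboss.SessionKey); ok || len(val) > 0 {
		return authboss.InterruptNone, nil
	}

	finalToken, ok := ctx.CookieStorer.Get(authboss.CookieRemember)
	if !ok {
		return authboss.InterruptNone, nil
	}

	token, err := base64.URLEncoding.DecodeString(finalToken)
	if err != nil {
		return authboss.InterruptNone, err
	}

	index := bytes.IndexByte(token, ';')
	if index < 0 {
		return authboss.InterruptNone, errors.New("invalid remember token")
	}

	// Get the key. It comes straight from the cookie and is untrusted until the
	// storer confirms the (key, digest) pair exists.
	givenKey := string(token[:index])

	// Verify the tokens match; the storer only ever sees the digest.
	sum := md5.Sum(token)

	storer, ok := ctx.Storer.(RememberStorer)
	if !ok {
		storer, ok = ctx.OAuth2Storer.(RememberStorer)
	}
	if !ok {
		// Previously fell through to a nil-interface method call on UseToken.
		return authboss.InterruptNone, errors.New("no RememberStorer available to verify remember token")
	}

	err = storer.UseToken(givenKey, base64.StdEncoding.EncodeToString(sum[:]))
	// Cause unwraps pkg/errors wrapping, so a storer that annotates the
	// sentinel is still treated as "not found"; an unwrapped error is unchanged.
	if errors.Cause(err) == authboss.ErrTokenNotFound {
		return authboss.InterruptNone, nil
	} else if err != nil {
		return authboss.InterruptNone, err
	}

	// Rotate: the consumed token is replaced by a fresh one in both the store
	// and the cookie.
	if _, err = r.new(ctx.CookieStorer, givenKey); err != nil {
		return authboss.InterruptNone, err
	}

	// Ensure a half-auth.
	ctx.SessionStorer.Put(authboss.SessionHalfAuthKey, "true")
	// Log the user in.
	ctx.SessionStorer.Put(authboss.SessionKey, givenKey)

	return authboss.InterruptNone, nil
}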