authboss/storage.go

package authboss

import (
	"context"
	"time"

	"github.com/pkg/errors"
)

// Data store constants for attribute names.
const (
	StoreEmail    = "email"
	StoreUsername = "username"
	StorePassword = "password"
)

// Data store constants for OAuth2 attribute names.
const (
	StoreOAuth2UID      = "oauth2_uid"
	StoreOAuth2Provider = "oauth2_provider"
	StoreOAuth2Token    = "oauth2_token"
	StoreOAuth2Refresh  = "oauth2_refresh"
	StoreOAuth2Expiry   = "oauth2_expiry"
)

var (
	// ErrUserNotFound should be returned from Get when the record is not found.
	ErrUserNotFound = errors.New("user not found")
	// ErrTokenNotFound should be returned from UseToken when the record is not found.
	ErrTokenNotFound = errors.New("token not found")
	// ErrUserFound should be returned from Create (see ConfirmUser) when the primaryID
	// of the record is found.
	ErrUserFound = errors.New("user found")
)

// ServerStorer represents the data store that's capable of loading users
// and giving them a context with which to store themselves.
type ServerStorer interface {
	// Load will look up the user based on the passed the PrimaryID
	Load(ctx context.Context, key string) (User, error)

	// Save persists the user in the database
	Save(ctx context.Context, user User) error
}

// User has functions for each piece of data it requires.
// Data should not be persisted on each function call.
// User has a PID (primary ID) that is used on the site as
// a single unique identifier to any given user (very typically e-mail
// or username).
//
// User interfaces return no errors or bools to signal that a value was
// not present. Instead 0-value = null = not present, this puts the onus
// on Authboss code to check for this.
type User interface {
	GetPID() (pid string)
	PutPID(pid string)
}

// AuthableUser is identified by a password
type AuthableUser interface {
	User

	GetPassword() (password string)
	PutPassword(password string)
}

// ConfirmableUser can be in a state of confirmed or not
type ConfirmableUser interface {
	User

	GetConfirmed() (confirmed bool)
	GetConfirmToken() (token string)

	PutConfirmed(confirmed bool)
	PutConfirmToken(token string)
}

// ArbitraryUser allows arbitrary data from the web form through. You should
// definitely only pull the keys you want from the map, since this is unfiltered
// input from a web request and is an attack vector.
type ArbitraryUser interface {
	User

	// GetArbitrary is used only to display the arbitrary data back to the user
	// when the form is reset.
	GetArbitrary() (arbitrary map[string]string)
	// PutArbitrary allows arbitrary fields defined by the authboss library
	// consumer to add fields to the user registration piece.
	PutArbitrary(arbitrary map[string]string)
}

// OAuth2User allows reading and writing values relating to OAuth2
type OAuth2User interface {
	User

	// IsOAuth2User checks to see if a user was registered in the site as an
	// oauth2 user.
	IsOAuth2User() bool

	GetUID() (uid string)
	GetProvider() (provider string)
	GetToken() (token string)
	GetRefreshToken() (refreshToken string)
	GetExpiry() (expiry time.Duration)

	PutUID(uid string)
	PutProvider(provider string)
	PutToken(token string)
	PutRefreshToken(refreshToken string)
	PutExpiry(expiry time.Duration)
}

// MustBeAuthable forces an upgrade conversion to Authable
// or will panic.
func MustBeAuthable(u User) AuthableUser {
	if au, ok := u.(AuthableUser); ok {
		return au
	}
	panic("could not upgrade user to an authable user, check your user struct")
}
Add some more infrastructure. - Add module system. - Add storer interface. 2015-01-03 22:03:57 +02:00			`package authboss`

			`import (`
Prototyping 2017-02-21 00:28:38 +02:00			`"context"`
Add some more infrastructure. - Add module system. - Add storer interface. 2015-01-03 22:03:57 +02:00			`"time"`
Fix errors package - Fix many compilation errors 2017-02-22 01:04:30 +02:00
			`"github.com/pkg/errors"`
Add some more infrastructure. - Add module system. - Add storer interface. 2015-01-03 22:03:57 +02:00			`)`

Finish confirm module (except tests). 2015-02-10 10:43:45 +02:00			`// Data store constants for attribute names.`
			`const (`
Finish tests for confirm. - Rename UserXXX to StoreXXX in confirm/authboss. 2015-02-16 23:27:29 +02:00			`StoreEmail = "email"`
			`StoreUsername = "username"`
			`StorePassword = "password"`
Finish confirm module (except tests). 2015-02-10 10:43:45 +02:00			`)`

Add initial oauth2 support. - Needs more providers and more tests. 2015-03-13 04:20:36 +02:00			`// Data store constants for OAuth2 attribute names.`
			`const (`
Make OAuth2 implementation less shoddy. - Add a new storer specifically for OAuth2 to enable clients to choose regular database storing OR Oauth2 but not have to have both. - Stop storing OAuth2 credentials in a combined form inside username. - Add new events to capture OAuth events just like auth. - Have pass-through parameters for OAuth init urls, this allows us to pass additional behavior options (redirects and remember me) as well as other things that should be present on the page that is redirected to. - Context.LoadUser is now OAuth aware. - Remember's callbacks now include an OAuth check to see if a horribly packed state variable contains a flag to say that we want to be remembered. - Change the OAuth2 Callback to use Attributes instead of that custom struct to allow people to append whatever attributes they want into the user that will be saved. 2015-03-14 01:23:43 +02:00			`StoreOAuth2UID = "oauth2_uid"`
			`StoreOAuth2Provider = "oauth2_provider"`
			`StoreOAuth2Token = "oauth2_token"`
			`StoreOAuth2Refresh = "oauth2_refresh"`
			`StoreOAuth2Expiry = "oauth2_expiry"`
Add initial oauth2 support. - Needs more providers and more tests. 2015-03-13 04:20:36 +02:00			`)`

Cleanup various sad things. - Export ModuleAttrMeta so the modules can access it. - Add a couple new events for later use. - Fix a few compile errors. - Prefix err constants with Err. 2015-01-24 01:56:24 +02:00			`var (`
More work on cleaning up recover - Add email layouts 2015-02-02 00:17:18 +02:00			`// ErrUserNotFound should be returned from Get when the record is not found.`
Fix errors package - Fix many compilation errors 2017-02-22 01:04:30 +02:00			`ErrUserNotFound = errors.New("user not found")`
More work on cleaning up recover - Add email layouts 2015-02-02 00:17:18 +02:00			`// ErrTokenNotFound should be returned from UseToken when the record is not found.`
Fix errors package - Fix many compilation errors 2017-02-22 01:04:30 +02:00			`ErrTokenNotFound = errors.New("token not found")`
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`// ErrUserFound should be returned from Create (see ConfirmUser) when the primaryID`
			`// of the record is found.`
Fix errors package - Fix many compilation errors 2017-02-22 01:04:30 +02:00			`ErrUserFound = errors.New("user found")`
Cleanup various sad things. - Export ModuleAttrMeta so the modules can access it. - Add a couple new events for later use. - Fix a few compile errors. - Prefix err constants with Err. 2015-01-24 01:56:24 +02:00			`)`
Add many new files and types. - Add context. - Add handler type. - Add new storers for client storage and sessions. - Add start of remember module. 2015-01-11 08:52:39 +02:00
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`// ServerStorer represents the data store that's capable of loading users`
Prototyping 2017-02-21 00:28:38 +02:00			`// and giving them a context with which to store themselves.`
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`type ServerStorer interface {`
			`// Load will look up the user based on the passed the PrimaryID`
			`Load(ctx context.Context, key string) (User, error)`

			`// Save persists the user in the database`
			`Save(ctx context.Context, user User) error`
Prototyping 2017-02-21 00:28:38 +02:00			`}`
Add many new files and types. - Add context. - Add handler type. - Add new storers for client storage and sessions. - Add start of remember module. 2015-01-11 08:52:39 +02:00
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`// User has functions for each piece of data it requires.`
			`// Data should not be persisted on each function call.`
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core 2018-02-02 01:42:48 +02:00			`// User has a PID (primary ID) that is used on the site as`
			`// a single unique identifier to any given user (very typically e-mail`
			`// or username).`
Move expiry module - Remove the errors from User interfaces 2018-02-15 00:18:03 +02:00			`//`
			`// User interfaces return no errors or bools to signal that a value was`
			`// not present. Instead 0-value = null = not present, this puts the onus`
			`// on Authboss code to check for this.`
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`type User interface {`
Remove context and errors from get/set I have a feeling that I wrote all this fanciness in when the user was still able to fetch himself from the database. But since that's been dropped I don't think any of this stuff is necessary. In terms of setting without an error, we should do validation before an attempt to save, not every time we set a field. This will just end up being much nicer error handling, and the database is going to do it's own validation and we can handle that error in the same way. 2018-02-16 20:31:55 +02:00			`GetPID() (pid string)`
			`PutPID(pid string)`
Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`}`

			`// AuthableUser is identified by a password`
			`type AuthableUser interface {`
			`User`
Prototyping 2017-02-21 00:28:38 +02:00
Remove context and errors from get/set I have a feeling that I wrote all this fanciness in when the user was still able to fetch himself from the database. But since that's been dropped I don't think any of this stuff is necessary. In terms of setting without an error, we should do validation before an attempt to save, not every time we set a field. This will just end up being much nicer error handling, and the database is going to do it's own validation and we can handle that error in the same way. 2018-02-16 20:31:55 +02:00			`GetPassword() (password string)`
			`PutPassword(password string)`
Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`}`

			`// ConfirmableUser can be in a state of confirmed or not`
			`type ConfirmableUser interface {`
			`User`

Remove context and errors from get/set I have a feeling that I wrote all this fanciness in when the user was still able to fetch himself from the database. But since that's been dropped I don't think any of this stuff is necessary. In terms of setting without an error, we should do validation before an attempt to save, not every time we set a field. This will just end up being much nicer error handling, and the database is going to do it's own validation and we can handle that error in the same way. 2018-02-16 20:31:55 +02:00			`GetConfirmed() (confirmed bool)`
			`GetConfirmToken() (token string)`
Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00
Remove context and errors from get/set I have a feeling that I wrote all this fanciness in when the user was still able to fetch himself from the database. But since that's been dropped I don't think any of this stuff is necessary. In terms of setting without an error, we should do validation before an attempt to save, not every time we set a field. This will just end up being much nicer error handling, and the database is going to do it's own validation and we can handle that error in the same way. 2018-02-16 20:31:55 +02:00			`PutConfirmed(confirmed bool)`
			`PutConfirmToken(token string)`
Prototyping 2017-02-21 00:28:38 +02:00			`}`

Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`// ArbitraryUser allows arbitrary data from the web form through. You should`
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers. 2017-02-25 02:45:47 +02:00			`// definitely only pull the keys you want from the map, since this is unfiltered`
			`// input from a web request and is an attack vector.`
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`type ArbitraryUser interface {`
			`User`
Prototyping 2017-02-21 00:28:38 +02:00
			`// GetArbitrary is used only to display the arbitrary data back to the user`
			`// when the form is reset.`
Remove context and errors from get/set I have a feeling that I wrote all this fanciness in when the user was still able to fetch himself from the database. But since that's been dropped I don't think any of this stuff is necessary. In terms of setting without an error, we should do validation before an attempt to save, not every time we set a field. This will just end up being much nicer error handling, and the database is going to do it's own validation and we can handle that error in the same way. 2018-02-16 20:31:55 +02:00			`GetArbitrary() (arbitrary map[string]string)`
Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-02 03:23:31 +02:00			`// PutArbitrary allows arbitrary fields defined by the authboss library`
			`// consumer to add fields to the user registration piece.`
Remove context and errors from get/set I have a feeling that I wrote all this fanciness in when the user was still able to fetch himself from the database. But since that's been dropped I don't think any of this stuff is necessary. In terms of setting without an error, we should do validation before an attempt to save, not every time we set a field. This will just end up being much nicer error handling, and the database is going to do it's own validation and we can handle that error in the same way. 2018-02-16 20:31:55 +02:00			`PutArbitrary(arbitrary map[string]string)`
Add many new files and types. - Add context. - Add handler type. - Add new storers for client storage and sessions. - Add start of remember module. 2015-01-11 08:52:39 +02:00			`}`

Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`// OAuth2User allows reading and writing values relating to OAuth2`
			`type OAuth2User interface {`
			`User`
Prototyping 2017-02-21 00:28:38 +02:00
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked 2018-02-01 03:07:11 +02:00			`// IsOAuth2User checks to see if a user was registered in the site as an`
			`// oauth2 user.`
Remove context and errors from get/set I have a feeling that I wrote all this fanciness in when the user was still able to fetch himself from the database. But since that's been dropped I don't think any of this stuff is necessary. In terms of setting without an error, we should do validation before an attempt to save, not every time we set a field. This will just end up being much nicer error handling, and the database is going to do it's own validation and we can handle that error in the same way. 2018-02-16 20:31:55 +02:00			`IsOAuth2User() bool`

			`GetUID() (uid string)`
			`GetProvider() (provider string)`
			`GetToken() (token string)`
			`GetRefreshToken() (refreshToken string)`
			`GetExpiry() (expiry time.Duration)`

			`PutUID(uid string)`
			`PutProvider(provider string)`
			`PutToken(token string)`
			`PutRefreshToken(refreshToken string)`
			`PutExpiry(expiry time.Duration)`
Make OAuth2 implementation less shoddy. - Add a new storer specifically for OAuth2 to enable clients to choose regular database storing OR Oauth2 but not have to have both. - Stop storing OAuth2 credentials in a combined form inside username. - Add new events to capture OAuth events just like auth. - Have pass-through parameters for OAuth init urls, this allows us to pass additional behavior options (redirects and remember me) as well as other things that should be present on the page that is redirected to. - Context.LoadUser is now OAuth aware. - Remember's callbacks now include an OAuth check to see if a horribly packed state variable contains a flag to say that we want to be remembered. - Change the OAuth2 Callback to use Attributes instead of that custom struct to allow people to append whatever attributes they want into the user that will be saved. 2015-03-14 01:23:43 +02:00			`}`
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-05 07:24:55 +02:00
			`// MustBeAuthable forces an upgrade conversion to Authable`
			`// or will panic.`
			`func MustBeAuthable(u User) AuthableUser {`
			`if au, ok := u.(AuthableUser); ok {`
			`return au`
			`}`
			`panic("could not upgrade user to an authable user, check your user struct")`
			`}`