authboss/auth/auth.go

// Package auth implements password based user logins.
package auth

import (
	"context"
	"net/http"

	"golang.org/x/crypto/bcrypt"

	"github.com/volatiletech/authboss"
)

const (
	// PageLogin is for identifying the login page for parsing & validation
	PageLogin = "login"
)

func init() {
	authboss.RegisterModule("auth", &Auth{})
}

// Auth module
type Auth struct {
	*authboss.Authboss
}

// Init module
func (a *Auth) Init(ab *authboss.Authboss) (err error) {
	a.Authboss = ab

	if err = a.Authboss.Config.Core.ViewRenderer.Load(PageLogin); err != nil {
		return err
	}

	a.Authboss.Config.Core.Router.Get("/login", a.Authboss.Core.ErrorHandler.Wrap(a.LoginGet))
	a.Authboss.Config.Core.Router.Post("/login", a.Authboss.Core.ErrorHandler.Wrap(a.LoginPost))

	return nil
}

// LoginGet simply displays the login form
func (a *Auth) LoginGet(w http.ResponseWriter, r *http.Request) error {
	data := authboss.HTMLData{}
	if redir := r.URL.Query().Get(authboss.FormValueRedirect); len(redir) != 0 {
		data[authboss.FormValueRedirect] = redir
	}
	return a.Core.Responder.Respond(w, r, http.StatusOK, PageLogin, data)
}

// LoginPost attempts to validate the credentials passed in
// to log in a user.
func (a *Auth) LoginPost(w http.ResponseWriter, r *http.Request) error {
	logger := a.RequestLogger(r)

	validatable, err := a.Authboss.Core.BodyReader.Read(PageLogin, r)
	if err != nil {
		return err
	}

	// Skip validation since all the validation happens during the database lookup and
	// password check.
	creds := authboss.MustHaveUserValues(validatable)

	pid := creds.GetPID()
	pidUser, err := a.Authboss.Storage.Server.Load(r.Context(), pid)
	if err == authboss.ErrUserNotFound {
		logger.Infof("failed to load user requested by pid: %s", pid)
		data := authboss.HTMLData{authboss.DataErr: "Invalid Credentials"}
		return a.Authboss.Core.Responder.Respond(w, r, http.StatusOK, PageLogin, data)
	} else if err != nil {
		return err
	}

	authUser := authboss.MustBeAuthable(pidUser)
	password := authUser.GetPassword()

	r = r.WithContext(context.WithValue(r.Context(), authboss.CTXKeyUser, pidUser))

	var handled bool
	err = bcrypt.CompareHashAndPassword([]byte(password), []byte(creds.GetPassword()))
	if err != nil {
		handled, err = a.Authboss.Events.FireAfter(authboss.EventAuthFail, w, r)
		if err != nil {
			return err
		} else if handled {
			return nil
		}

		logger.Infof("user %s failed to log in", pid)
		data := authboss.HTMLData{authboss.DataErr: "Invalid Credentials"}
		return a.Authboss.Core.Responder.Respond(w, r, http.StatusOK, PageLogin, data)
	}

	r = r.WithContext(context.WithValue(r.Context(), authboss.CTXKeyValues, validatable))

	handled, err = a.Events.FireBefore(authboss.EventAuth, w, r)
	if err != nil {
		return err
	} else if handled {
		return nil
	}

	logger.Infof("user %s logged in", pid)
	authboss.PutSession(w, authboss.SessionKey, pid)
	authboss.DelSession(w, authboss.SessionHalfAuthKey)

	handled, err = a.Authboss.Events.FireAfter(authboss.EventAuth, w, r)
	if err != nil {
		return err
	} else if handled {
		return nil
	}

	ro := authboss.RedirectOptions{
		Code:             http.StatusTemporaryRedirect,
		RedirectPath:     a.Authboss.Paths.AuthLoginOK,
		FollowRedirParam: true,
	}
	return a.Authboss.Core.Redirector.Redirect(w, r, ro)
}
Change documentation a little bit, and fix one bug. 2015-03-15 08:06:08 -07:00			`// Package auth implements password based user logins.`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`package auth`

			`import (`
Make auth tests more solid 2018-02-21 12:10:18 -08:00			`"context"`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`"net/http"`

Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`"golang.org/x/crypto/bcrypt"`

Import path fixes 2017-07-30 19:39:33 -07:00			`"github.com/volatiletech/authboss"`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`)`

			`const (`
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`// PageLogin is for identifying the login page for parsing & validation`
			`PageLogin = "login"`
Cleaned up auth module and tests 2015-01-12 21:08:52 -08:00			`)`
Added auth endpoint POST 2015-01-10 22:49:06 -08:00
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`func init() {`
no DisableGoroutines (just check for -Maker); no ModuleNames; test fix 2016-05-09 13:20:10 -04:00			`authboss.RegisterModule("auth", &Auth{})`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`}`

Destroy a list of go lint errors. 2015-03-16 14:42:45 -07:00			`// Auth module`
Rework recover 2015-02-23 15:51:42 -08:00			`type Auth struct {`
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`*authboss.Authboss`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`}`

Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-01 17:23:31 -08:00			`// Init module`
			`func (a Auth) Init(ab authboss.Authboss) (err error) {`
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`a.Authboss = ab`

Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`if err = a.Authboss.Config.Core.ViewRenderer.Load(PageLogin); err != nil {`
Work on the auth module - Move more *User interfaces into storage.go, no need for them to be in each individual module. 2018-02-01 17:23:31 -08:00			`return err`
Rework recover 2015-02-23 15:51:42 -08:00			`}`

Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`a.Authboss.Config.Core.Router.Get("/login", a.Authboss.Core.ErrorHandler.Wrap(a.LoginGet))`
			`a.Authboss.Config.Core.Router.Post("/login", a.Authboss.Core.ErrorHandler.Wrap(a.LoginPost))`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00
			`return nil`
			`}`

Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`// LoginGet simply displays the login form`
			`func (a Auth) LoginGet(w http.ResponseWriter, r http.Request) error {`
Fix login get endpoint when no FormValueRedirect is given 2018-11-01 14:44:54 +09:00			`data := authboss.HTMLData{}`
Fix redirects using Middleware 2018-08-31 14:57:22 -07:00			`if redir := r.URL.Query().Get(authboss.FormValueRedirect); len(redir) != 0 {`
Fix login get endpoint when no FormValueRedirect is given 2018-11-01 14:44:54 +09:00			`data[authboss.FormValueRedirect] = redir`
Fix redirects using Middleware 2018-08-31 14:57:22 -07:00			`}`
			`return a.Core.Responder.Respond(w, r, http.StatusOK, PageLogin, data)`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`}`

Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`// LoginPost attempts to validate the credentials passed in`
			`// to log in a user.`
			`func (a Auth) LoginPost(w http.ResponseWriter, r http.Request) error {`
Finish auth module 2018-02-20 08:58:59 -08:00			`logger := a.RequestLogger(r)`

Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`validatable, err := a.Authboss.Core.BodyReader.Read(PageLogin, r)`
			`if err != nil {`
			`return err`
			`}`
Changed remember and auth to work together. 2015-01-15 15:10:47 -08:00
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`// Skip validation since all the validation happens during the database lookup and`
			`// password check.`
			`creds := authboss.MustHaveUserValues(validatable)`
Add mountedpath so forms work on mounted paths. - Refactor naming for config "redirect" variables. - Removed flash messages from config, Fix #19 2015-02-25 23:05:14 -08:00
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`pid := creds.GetPID()`
			`pidUser, err := a.Authboss.Storage.Server.Load(r.Context(), pid)`
			`if err == authboss.ErrUserNotFound {`
Finish auth module 2018-02-20 08:58:59 -08:00			`logger.Infof("failed to load user requested by pid: %s", pid)`
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`data := authboss.HTMLData{authboss.DataErr: "Invalid Credentials"}`
			`return a.Authboss.Core.Responder.Respond(w, r, http.StatusOK, PageLogin, data)`
			`} else if err != nil {`
			`return err`
			`}`
Add mountedpath so forms work on mounted paths. - Refactor naming for config "redirect" variables. - Removed flash messages from config, Fix #19 2015-02-25 23:05:14 -08:00
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`authUser := authboss.MustBeAuthable(pidUser)`
Finish auth module 2018-02-20 08:58:59 -08:00			`password := authUser.GetPassword()`
Reworking auth 2015-02-20 23:33:35 -08:00
Make auth tests more solid 2018-02-21 12:10:18 -08:00			`r = r.WithContext(context.WithValue(r.Context(), authboss.CTXKeyUser, pidUser))`

Finish auth module 2018-02-20 08:58:59 -08:00			`var handled bool`
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`err = bcrypt.CompareHashAndPassword([]byte(password), []byte(creds.GetPassword()))`
			`if err != nil {`
Finish auth module 2018-02-20 08:58:59 -08:00			`handled, err = a.Authboss.Events.FireAfter(authboss.EventAuthFail, w, r)`
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`if err != nil {`
			`return err`
Finish auth module 2018-02-20 08:58:59 -08:00			`} else if handled {`
			`return nil`
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`}`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00
Finish auth module 2018-02-20 08:58:59 -08:00			`logger.Infof("user %s failed to log in", pid)`
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`data := authboss.HTMLData{authboss.DataErr: "Invalid Credentials"}`
			`return a.Authboss.Core.Responder.Respond(w, r, http.StatusOK, PageLogin, data)`
Fixed auth and auth tests. - Added more error checking to remember module. 2015-01-15 13:24:12 -08:00			`}`

Make "remember" value passing unobtrusive - Remove RM context key for Values. - Add values types and code to be able to pull the remember me bool checkbox from the user. 2018-03-07 15:17:22 -08:00			`r = r.WithContext(context.WithValue(r.Context(), authboss.CTXKeyValues, validatable))`

Finish auth module 2018-02-20 08:58:59 -08:00			`handled, err = a.Events.FireBefore(authboss.EventAuth, w, r)`
Reworking auth 2015-02-20 23:33:35 -08:00			`if err != nil {`
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`return err`
Finish auth module 2018-02-20 08:58:59 -08:00			`} else if handled {`
			`return nil`
Fixed auth and auth tests. - Added more error checking to remember module. 2015-01-15 13:24:12 -08:00			`}`

Finish auth module 2018-02-20 08:58:59 -08:00			`logger.Infof("user %s logged in", pid)`
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`authboss.PutSession(w, authboss.SessionKey, pid)`
			`authboss.DelSession(w, authboss.SessionHalfAuthKey)`

Finish auth module 2018-02-20 08:58:59 -08:00			`handled, err = a.Authboss.Events.FireAfter(authboss.EventAuth, w, r)`
			`if err != nil {`
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`return err`
Finish auth module 2018-02-20 08:58:59 -08:00			`} else if handled {`
			`return nil`
Added auth endpoint POST 2015-01-10 22:49:06 -08:00			`}`

Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`ro := authboss.RedirectOptions{`
WIP 2018-07-17 07:09:38 -07:00			`Code: http.StatusTemporaryRedirect,`
			`RedirectPath: a.Authboss.Paths.AuthLoginOK,`
			`FollowRedirParam: true,`
Rewrite auth module Discovered many problems with the abstractions along the way and did small fixes to get to the end of the auth module. - Use more constants for random strings - Create forcing functions to deal with the upgrades to different interfaces 2018-02-04 21:24:55 -08:00			`}`
			`return a.Authboss.Core.Redirector.Redirect(w, r, ro)`
Added auth endpoint POST 2015-01-10 22:49:06 -08:00			`}`