2018-03-07 15:13:06 -08:00
|
|
|
// Package remember implements persistent logins using cookies
|
2015-01-10 22:52:39 -08:00
|
|
|
package remember
|
|
|
|
|
|
|
|
import (
|
2015-01-12 14:02:07 -08:00
|
|
|
"bytes"
|
2018-05-08 18:11:13 -07:00
|
|
|
"context"
|
2015-01-10 22:52:39 -08:00
|
|
|
"crypto/rand"
|
2018-03-07 15:13:06 -08:00
|
|
|
"crypto/sha512"
|
2015-01-10 22:52:39 -08:00
|
|
|
"encoding/base64"
|
2018-07-17 10:10:07 -07:00
|
|
|
"io"
|
2018-03-07 15:13:06 -08:00
|
|
|
"net/http"
|
2017-02-21 15:04:30 -08:00
|
|
|
|
|
|
|
"github.com/pkg/errors"
|
2015-01-10 22:52:39 -08:00
|
|
|
|
2017-07-30 19:39:33 -07:00
|
|
|
"github.com/volatiletech/authboss"
|
2015-01-10 22:52:39 -08:00
|
|
|
)
|
|
|
|
|
2015-01-12 14:02:07 -08:00
|
|
|
const (
|
2018-03-07 15:13:06 -08:00
|
|
|
nNonceSize = 32
|
2015-02-22 12:55:09 -08:00
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
2017-02-21 15:04:30 -08:00
|
|
|
errUserMissing = errors.New("user not loaded in callback")
|
2015-01-12 14:02:07 -08:00
|
|
|
)
|
|
|
|
|
2015-01-10 22:52:39 -08:00
|
|
|
func init() {
|
2016-05-09 13:20:10 -04:00
|
|
|
authboss.RegisterModule("remember", &Remember{})
|
2015-01-10 22:52:39 -08:00
|
|
|
}
|
|
|
|
|
2015-03-16 14:42:45 -07:00
|
|
|
// Remember module
|
2015-03-31 15:27:47 -07:00
|
|
|
type Remember struct {
|
|
|
|
*authboss.Authboss
|
|
|
|
}
|
2015-01-10 22:52:39 -08:00
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
// Init module
|
|
|
|
func (r *Remember) Init(ab *authboss.Authboss) error {
|
2015-03-31 15:27:47 -07:00
|
|
|
r.Authboss = ab
|
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
r.Events.After(authboss.EventAuth, r.RememberAfterAuth)
|
2018-03-09 13:11:08 -08:00
|
|
|
r.Events.After(authboss.EventOAuth2, r.RememberAfterAuth)
|
2018-03-07 15:13:06 -08:00
|
|
|
r.Events.After(authboss.EventPasswordReset, r.AfterPasswordReset)
|
2015-01-10 22:52:39 -08:00
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
// RememberAfterAuth creates a remember token and saves it in the user's cookies.
|
|
|
|
func (r *Remember) RememberAfterAuth(w http.ResponseWriter, req *http.Request, handled bool) (bool, error) {
|
2018-03-07 15:17:22 -08:00
|
|
|
rmIntf := req.Context().Value(authboss.CTXKeyValues)
|
2018-03-07 15:13:06 -08:00
|
|
|
if rmIntf == nil {
|
|
|
|
return false, nil
|
2018-03-07 15:17:22 -08:00
|
|
|
} else if rm, ok := rmIntf.(authboss.RememberValuer); ok && !rm.GetShouldRemember() {
|
2018-03-07 15:13:06 -08:00
|
|
|
return false, nil
|
2015-01-15 13:24:12 -08:00
|
|
|
}
|
2015-01-15 15:10:47 -08:00
|
|
|
|
2018-03-07 16:41:58 -08:00
|
|
|
user := r.Authboss.CurrentUserP(req)
|
2018-03-07 15:13:06 -08:00
|
|
|
hash, token, err := GenerateToken(user.GetPID())
|
2015-02-22 12:55:09 -08:00
|
|
|
if err != nil {
|
2018-03-07 15:13:06 -08:00
|
|
|
return false, err
|
2015-01-14 19:18:45 -08:00
|
|
|
}
|
2015-01-12 14:02:07 -08:00
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
storer := authboss.EnsureCanRemember(r.Authboss.Config.Storage.Server)
|
2018-06-27 10:58:53 -07:00
|
|
|
if err = storer.AddRememberToken(req.Context(), user.GetPID(), hash); err != nil {
|
2018-03-07 15:13:06 -08:00
|
|
|
return false, err
|
2015-01-12 14:02:07 -08:00
|
|
|
}
|
2015-02-22 12:55:09 -08:00
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
authboss.PutCookie(w, authboss.CookieRemember, token)
|
|
|
|
|
|
|
|
return false, nil
|
2015-01-12 14:02:07 -08:00
|
|
|
}
|
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
// Middleware automatically authenticates users if they have remember me tokens
|
|
|
|
// If the user has been loaded already, it returns early
|
|
|
|
func Middleware(ab *authboss.Authboss) func(http.Handler) http.Handler {
|
|
|
|
return func(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if r.Context().Value(authboss.CTXKeyPID) == nil && r.Context().Value(authboss.CTXKeyUser) == nil {
|
2018-05-08 18:11:13 -07:00
|
|
|
if err := Authenticate(ab, w, &r); err != nil {
|
2018-03-07 15:13:06 -08:00
|
|
|
logger := ab.RequestLogger(r)
|
|
|
|
logger.Errorf("failed to authenticate user via remember me: %+v", err)
|
|
|
|
}
|
|
|
|
}
|
2015-03-13 16:23:43 -07:00
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
2015-03-05 20:05:47 -08:00
|
|
|
}
|
2018-03-07 15:13:06 -08:00
|
|
|
}
|
2015-03-05 20:05:47 -08:00
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
// Authenticate the user using their remember cookie.
|
|
|
|
// If the cookie proves unusable it will be deleted. A cookie
|
|
|
|
// may be unusable for the following reasons:
|
|
|
|
// - Can't decode the base64
|
|
|
|
// - Invalid token format
|
|
|
|
// - Can't find token in DB
|
2018-05-08 18:11:13 -07:00
|
|
|
//
|
|
|
|
// In order to authenticate it adds to the request context as well as to the
|
|
|
|
// cookie and session states.
|
|
|
|
func Authenticate(ab *authboss.Authboss, w http.ResponseWriter, req **http.Request) error {
|
|
|
|
logger := ab.RequestLogger(*req)
|
|
|
|
cookie, ok := authboss.GetCookie(*req, authboss.CookieRemember)
|
2015-03-05 20:05:47 -08:00
|
|
|
if !ok {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
rawToken, err := base64.URLEncoding.DecodeString(cookie)
|
|
|
|
if err != nil {
|
|
|
|
authboss.DelCookie(w, authboss.CookieRemember)
|
|
|
|
logger.Infof("failed to decode remember me cookie, deleting cookie")
|
|
|
|
return nil
|
2015-03-05 20:05:47 -08:00
|
|
|
}
|
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
index := bytes.IndexByte(rawToken, ';')
|
|
|
|
if index < 0 {
|
|
|
|
authboss.DelCookie(w, authboss.CookieRemember)
|
|
|
|
logger.Infof("failed to decode remember me token, deleting cookie")
|
|
|
|
return nil
|
|
|
|
}
|
2015-03-05 20:05:47 -08:00
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
pid := string(rawToken[:index])
|
|
|
|
sum := sha512.Sum512(rawToken)
|
|
|
|
hash := base64.StdEncoding.EncodeToString(sum[:])
|
2015-01-10 22:52:39 -08:00
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
storer := authboss.EnsureCanRemember(ab.Config.Storage.Server)
|
2018-06-27 10:58:53 -07:00
|
|
|
err = storer.UseRememberToken((*req).Context(), pid, hash)
|
2018-03-07 15:13:06 -08:00
|
|
|
switch {
|
|
|
|
case err == authboss.ErrTokenNotFound:
|
|
|
|
logger.Infof("remember me cookie had a token that was not in storage, deleting cookie")
|
|
|
|
authboss.DelCookie(w, authboss.CookieRemember)
|
|
|
|
return nil
|
|
|
|
case err != nil:
|
|
|
|
return err
|
2015-01-10 22:52:39 -08:00
|
|
|
}
|
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
hash, token, err := GenerateToken(pid)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2015-03-27 09:34:36 -07:00
|
|
|
}
|
|
|
|
|
2018-06-27 10:58:53 -07:00
|
|
|
if err = storer.AddRememberToken((*req).Context(), pid, hash); err != nil {
|
2018-05-08 18:11:13 -07:00
|
|
|
return errors.Wrap(err, "failed to save remember me token")
|
2015-01-10 22:52:39 -08:00
|
|
|
}
|
|
|
|
|
2018-05-08 18:11:13 -07:00
|
|
|
*req = (*req).WithContext(context.WithValue((*req).Context(), authboss.CTXKeyPID, pid))
|
2018-03-07 15:13:06 -08:00
|
|
|
authboss.PutSession(w, authboss.SessionKey, pid)
|
|
|
|
authboss.PutSession(w, authboss.SessionHalfAuthKey, "true")
|
|
|
|
authboss.DelCookie(w, authboss.CookieRemember)
|
|
|
|
authboss.PutCookie(w, authboss.CookieRemember, token)
|
2015-01-12 14:02:07 -08:00
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
return nil
|
2015-01-10 22:52:39 -08:00
|
|
|
}
|
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
// AfterPasswordReset is called after the password has been reset, since
|
|
|
|
// it should invalidate all tokens associated to that user.
|
|
|
|
func (r *Remember) AfterPasswordReset(w http.ResponseWriter, req *http.Request, handled bool) (bool, error) {
|
2018-03-07 16:41:58 -08:00
|
|
|
user, err := r.Authboss.CurrentUser(req)
|
2015-01-10 22:52:39 -08:00
|
|
|
if err != nil {
|
2018-03-07 15:13:06 -08:00
|
|
|
return false, err
|
2015-01-10 22:52:39 -08:00
|
|
|
}
|
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
logger := r.Authboss.RequestLogger(req)
|
|
|
|
storer := authboss.EnsureCanRemember(r.Authboss.Config.Storage.Server)
|
2015-01-12 14:02:07 -08:00
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
pid := user.GetPID()
|
|
|
|
authboss.DelCookie(w, authboss.CookieRemember)
|
2015-01-12 14:02:07 -08:00
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
logger.Infof("deleting tokens and rm cookies for user %s due to password reset", pid)
|
2015-01-12 14:02:07 -08:00
|
|
|
|
2018-06-27 10:58:53 -07:00
|
|
|
return false, storer.DelRememberTokens(req.Context(), pid)
|
2018-03-07 15:13:06 -08:00
|
|
|
}
|
2015-03-27 09:34:36 -07:00
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
// GenerateToken creates a remember me token
|
|
|
|
func GenerateToken(pid string) (hash string, token string, err error) {
|
|
|
|
rawToken := make([]byte, nNonceSize+len(pid)+1)
|
|
|
|
copy(rawToken, []byte(pid))
|
|
|
|
rawToken[len(pid)] = ';'
|
2015-01-10 22:52:39 -08:00
|
|
|
|
2018-07-17 10:10:07 -07:00
|
|
|
if _, err := io.ReadFull(rand.Reader, rawToken[len(pid)+1:]); err != nil {
|
2018-03-07 15:13:06 -08:00
|
|
|
return "", "", errors.Wrap(err, "failed to create remember me nonce")
|
2015-03-01 20:40:09 -08:00
|
|
|
}
|
|
|
|
|
2018-03-07 15:13:06 -08:00
|
|
|
sum := sha512.Sum512(rawToken)
|
|
|
|
return base64.StdEncoding.EncodeToString(sum[:]), base64.URLEncoding.EncodeToString(rawToken), nil
|
2015-01-10 22:52:39 -08:00
|
|
|
}
|