authboss/auth/auth.go

// Package auth implements password based user logins.
package auth

import (
	"errors"
	"fmt"
	"net/http"

	"golang.org/x/crypto/bcrypt"
	"gopkg.in/authboss.v1"
	"gopkg.in/authboss.v1/internal/response"
)

const (
	methodGET  = "GET"
	methodPOST = "POST"

	tplLogin = "login.html.tpl"
)

func init() {
	authboss.RegisterModule("auth", &Auth{})
}

// Auth module
type Auth struct {
	*authboss.Authboss
	templates response.Templates
}

// Initialize module
func (a *Auth) Initialize(ab *authboss.Authboss) (err error) {
	a.Authboss = ab

	if a.Storer == nil && a.StoreMaker == nil {
		return errors.New("auth: Need a Storer")
	}

	if len(a.XSRFName) == 0 {
		return errors.New("auth: XSRFName must be set")
	}

	if a.XSRFMaker == nil {
		return errors.New("auth: XSRFMaker must be defined")
	}

	a.templates, err = response.LoadTemplates(a.Authboss, a.Layout, a.ViewsPath, tplLogin)
	if err != nil {
		return err
	}

	return nil
}

// Routes for the module
func (a *Auth) Routes() authboss.RouteTable {
	return authboss.RouteTable{
		"/login":  a.loginHandlerFunc,
		"/logout": a.logoutHandlerFunc,
	}
}

// Storage requirements
func (a *Auth) Storage() authboss.StorageOptions {
	return authboss.StorageOptions{
		a.PrimaryID:            authboss.String,
		authboss.StorePassword: authboss.String,
	}
}

func (a *Auth) loginHandlerFunc(ctx *authboss.Context, w http.ResponseWriter, r *http.Request) error {
	switch r.Method {
	case methodGET:
		data := authboss.NewHTMLData(
			"showRemember", a.IsLoaded("remember"),
			"showRecover", a.IsLoaded("recover"),
			"showRegister", a.IsLoaded("register"),
			"primaryID", a.PrimaryID,
			"primaryIDValue", "",
		)
		return a.templates.Render(ctx, w, r, tplLogin, data)
	case methodPOST:
		key := r.FormValue(a.PrimaryID)
		password := r.FormValue("password")

		errData := authboss.NewHTMLData(
			"error", fmt.Sprintf("invalid %s and/or password", a.PrimaryID),
			"primaryID", a.PrimaryID,
			"primaryIDValue", key,
			"showRemember", a.IsLoaded("remember"),
			"showRecover", a.IsLoaded("recover"),
			"showRegister", a.IsLoaded("register"),
		)

		if valid, err := validateCredentials(ctx, key, password); err != nil {
			errData["error"] = "Internal server error"
			fmt.Fprintf(ctx.LogWriter, "auth: validate credentials failed: %v\n", err)
			return a.templates.Render(ctx, w, r, tplLogin, errData)
		} else if !valid {
			if err := a.Callbacks.FireAfter(authboss.EventAuthFail, ctx); err != nil {
				fmt.Fprintf(ctx.LogWriter, "EventAuthFail callback error'd out: %v\n", err)
			}
			return a.templates.Render(ctx, w, r, tplLogin, errData)
		}

		interrupted, err := a.Callbacks.FireBefore(authboss.EventAuth, ctx)
		if err != nil {
			return err
		} else if interrupted != authboss.InterruptNone {
			var reason string
			switch interrupted {
			case authboss.InterruptAccountLocked:
				reason = "Your account has been locked."
			case authboss.InterruptAccountNotConfirmed:
				reason = "Your account has not been confirmed."
			}
			response.Redirect(ctx, w, r, a.AuthLoginFailPath, "", reason, false)
			return nil
		}

		ctx.SessionStorer.Put(authboss.SessionKey, key)
		ctx.SessionStorer.Del(authboss.SessionHalfAuthKey)
		ctx.Values = map[string]string{authboss.CookieRemember: r.FormValue(authboss.CookieRemember)}

		if err := a.Callbacks.FireAfter(authboss.EventAuth, ctx); err != nil {
			return err
		}
		response.Redirect(ctx, w, r, a.AuthLoginOKPath, "", "", true)
	default:
		w.WriteHeader(http.StatusMethodNotAllowed)
	}

	return nil
}

func validateCredentials(ctx *authboss.Context, key, password string) (bool, error) {
	if err := ctx.LoadUser(key); err == authboss.ErrUserNotFound {
		return false, nil
	} else if err != nil {
		return false, err
	}

	actualPassword, err := ctx.User.StringErr(authboss.StorePassword)
	if err != nil {
		return false, err
	}

	if err := bcrypt.CompareHashAndPassword([]byte(actualPassword), []byte(password)); err != nil {
		return false, nil
	}

	return true, nil
}

func (a *Auth) logoutHandlerFunc(ctx *authboss.Context, w http.ResponseWriter, r *http.Request) error {
	switch r.Method {
	case methodGET:
		ctx.SessionStorer.Del(authboss.SessionKey)
		ctx.CookieStorer.Del(authboss.CookieRemember)
		ctx.SessionStorer.Del(authboss.SessionLastAction)

		response.Redirect(ctx, w, r, a.AuthLogoutOKPath, "You have logged out", "", true)
	default:
		w.WriteHeader(http.StatusMethodNotAllowed)
	}

	return nil
}
Change documentation a little bit, and fix one bug. 2015-03-15 08:06:08 -07:00			`// Package auth implements password based user logins.`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`package auth`

			`import (`
Rework recover 2015-02-23 15:51:42 -08:00			`"errors"`
Fixed auth and auth tests. - Added more error checking to remember module. 2015-01-15 13:24:12 -08:00			`"fmt"`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`"net/http"`

Fix bad hg dependencies :D 2015-01-12 23:51:25 -08:00			`"golang.org/x/crypto/bcrypt"`
Fix imports 2016-12-19 22:45:52 -08:00			`"gopkg.in/authboss.v1"`
			`"gopkg.in/authboss.v1/internal/response"`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`)`

			`const (`
			`methodGET = "GET"`
			`methodPOST = "POST"`

Proper naming of all templates. Rebuild bindata. 2015-02-26 12:52:45 -08:00			`tplLogin = "login.html.tpl"`
Cleaned up auth module and tests 2015-01-12 21:08:52 -08:00			`)`
Added auth endpoint POST 2015-01-10 22:49:06 -08:00
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`func init() {`
no DisableGoroutines (just check for -Maker); no ModuleNames; test fix 2016-05-09 13:20:10 -04:00			`authboss.RegisterModule("auth", &Auth{})`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`}`

Destroy a list of go lint errors. 2015-03-16 14:42:45 -07:00			`// Auth module`
Rework recover 2015-02-23 15:51:42 -08:00			`type Auth struct {`
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`*authboss.Authboss`
Rename internal/render to internal/response 2015-03-28 09:08:05 -07:00			`templates response.Templates`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`}`

Destroy a list of go lint errors. 2015-03-16 14:42:45 -07:00			`// Initialize module`
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`func (a Auth) Initialize(ab authboss.Authboss) (err error) {`
			`a.Authboss = ab`

final App-Engine-related fixes 2016-05-07 02:12:20 -04:00			`if a.Storer == nil && a.StoreMaker == nil {`
Destroy a list of go lint errors. 2015-03-16 14:42:45 -07:00			`return errors.New("auth: Need a Storer")`
Rework recover 2015-02-23 15:51:42 -08:00			`}`

Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`if len(a.XSRFName) == 0 {`
Add new auth testing and tempaltes 2015-02-24 15:01:56 -08:00			`return errors.New("auth: XSRFName must be set")`
			`}`

Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`if a.XSRFMaker == nil {`
Add new auth testing and tempaltes 2015-02-24 15:01:56 -08:00			`return errors.New("auth: XSRFMaker must be defined")`
			`}`

Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`a.templates, err = response.LoadTemplates(a.Authboss, a.Layout, a.ViewsPath, tplLogin)`
Reworking auth 2015-02-20 23:33:35 -08:00			`if err != nil {`
Move all html to internal packge views 2015-01-18 14:24:20 -08:00			`return err`
Added styles to modules. Stylized login module. Added tester 2015-01-04 20:41:20 -08:00			`}`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00
			`return nil`
			`}`

Destroy a list of go lint errors. 2015-03-16 14:42:45 -07:00			`// Routes for the module`
Rework recover 2015-02-23 15:51:42 -08:00			`func (a *Auth) Routes() authboss.RouteTable {`
Reworking auth 2015-02-20 23:33:35 -08:00			`return authboss.RouteTable{`
Recover now builds. Start adding tests. 2015-02-25 10:22:55 -08:00			`"/login": a.loginHandlerFunc,`
			`"/logout": a.logoutHandlerFunc,`
Reworking auth 2015-02-20 23:33:35 -08:00			`}`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`}`

Destroy a list of go lint errors. 2015-03-16 14:42:45 -07:00			`// Storage requirements`
Rework recover 2015-02-23 15:51:42 -08:00			`func (a *Auth) Storage() authboss.StorageOptions {`
Reworking auth 2015-02-20 23:33:35 -08:00			`return authboss.StorageOptions{`
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`a.PrimaryID: authboss.String,`
Add PrimaryID to the system. - Fix #17 2015-02-22 13:16:11 -08:00			`authboss.StorePassword: authboss.String,`
Reworking auth 2015-02-20 23:33:35 -08:00			`}`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`}`

Rework recover 2015-02-23 15:51:42 -08:00			`func (a Auth) loginHandlerFunc(ctx authboss.Context, w http.ResponseWriter, r *http.Request) error {`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`switch r.Method {`
			`case methodGET:`
Rework recover 2015-02-23 15:51:42 -08:00			`data := authboss.NewHTMLData(`
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`"showRemember", a.IsLoaded("remember"),`
			`"showRecover", a.IsLoaded("recover"),`
Add 'showRegister' flag to auth module. 2015-04-10 12:04:26 -07:00			`"showRegister", a.IsLoaded("register"),`
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`"primaryID", a.PrimaryID,`
Rework recover 2015-02-23 15:51:42 -08:00			`"primaryIDValue", "",`
			`)`
Reworking auth 2015-02-20 23:33:35 -08:00			`return a.templates.Render(ctx, w, r, tplLogin, data)`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`case methodPOST:`
auth: Context-Request separation ripple 2015-08-02 11:52:23 -07:00			`key := r.FormValue(a.PrimaryID)`
			`password := r.FormValue("password")`
Add response writer to client storer 2015-01-15 14:01:01 -08:00
Reworking auth 2015-02-20 23:33:35 -08:00			`errData := authboss.NewHTMLData(`
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`"error", fmt.Sprintf("invalid %s and/or password", a.PrimaryID),`
			`"primaryID", a.PrimaryID,`
Rework recover 2015-02-23 15:51:42 -08:00			`"primaryIDValue", key,`
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`"showRemember", a.IsLoaded("remember"),`
			`"showRecover", a.IsLoaded("recover"),`
Add 'showRegister' flag to auth module. 2015-04-10 12:04:26 -07:00			`"showRegister", a.IsLoaded("register"),`
Reworking auth 2015-02-20 23:33:35 -08:00			`)`

Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 11:49:28 -07:00			`if valid, err := validateCredentials(ctx, key, password); err != nil {`
			`errData["error"] = "Internal server error"`
final App-Engine-related fixes 2016-05-07 02:12:20 -04:00			`fmt.Fprintf(ctx.LogWriter, "auth: validate credentials failed: %v\n", err)`
Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 11:49:28 -07:00			`return a.templates.Render(ctx, w, r, tplLogin, errData)`
			`} else if !valid {`
Ensure we call EventAuthFail. - Remove validation of fields that we never store in the database anyways. 2015-08-02 09:52:30 -07:00			`if err := a.Callbacks.FireAfter(authboss.EventAuthFail, ctx); err != nil {`
final App-Engine-related fixes 2016-05-07 02:12:20 -04:00			`fmt.Fprintf(ctx.LogWriter, "EventAuthFail callback error'd out: %v\n", err)`
Ensure we call EventAuthFail. - Remove validation of fields that we never store in the database anyways. 2015-08-02 09:52:30 -07:00			`}`
Reworking auth 2015-02-20 23:33:35 -08:00			`return a.templates.Render(ctx, w, r, tplLogin, errData)`
Made things work with other things. 2015-01-10 23:12:40 -08:00			`}`
Changed remember and auth to work together. 2015-01-15 15:10:47 -08:00
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`interrupted, err := a.Callbacks.FireBefore(authboss.EventAuth, ctx)`
Add mountedpath so forms work on mounted paths. - Refactor naming for config "redirect" variables. - Removed flash messages from config, Fix #19 2015-02-25 23:05:14 -08:00			`if err != nil {`
			`return err`
			`} else if interrupted != authboss.InterruptNone {`
			`var reason string`
			`switch interrupted {`
			`case authboss.InterruptAccountLocked:`
			`reason = "Your account has been locked."`
			`case authboss.InterruptAccountNotConfirmed:`
			`reason = "Your account has not been confirmed."`
			`}`
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`response.Redirect(ctx, w, r, a.AuthLoginFailPath, "", reason, false)`
Add mountedpath so forms work on mounted paths. - Refactor naming for config "redirect" variables. - Removed flash messages from config, Fix #19 2015-02-25 23:05:14 -08:00			`return nil`
			`}`

			`ctx.SessionStorer.Put(authboss.SessionKey, key)`
			`ctx.SessionStorer.Del(authboss.SessionHalfAuthKey)`
remember: Context+Request separation ripple - Re-add the age-old "Values" from the Context. This was originally there for exactly the documented purpose. However the Context holding the request form values negated it's use. It's back because of this new separation. - Make the auth success path set the authboss.CookieRemember value in the context before calling it's callback. 2015-08-02 14:02:14 -07:00			`ctx.Values = map[string]string{authboss.CookieRemember: r.FormValue(authboss.CookieRemember)}`
Add mountedpath so forms work on mounted paths. - Refactor naming for config "redirect" variables. - Removed flash messages from config, Fix #19 2015-02-25 23:05:14 -08:00
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`if err := a.Callbacks.FireAfter(authboss.EventAuth, ctx); err != nil {`
Fix confirm fields. 2015-02-25 23:20:02 -08:00			`return err`
			`}`
Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`response.Redirect(ctx, w, r, a.AuthLoginOKPath, "", "", true)`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`default:`
			`w.WriteHeader(http.StatusMethodNotAllowed)`
			`}`
Reworking auth 2015-02-20 23:33:35 -08:00
			`return nil`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`}`

Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 11:49:28 -07:00			`func validateCredentials(ctx *authboss.Context, key, password string) (bool, error) {`
Fix internal server error when wrong usr/pwd - Correct tests to stop actually checking for internal server errors on wrong username/password. Sometimes tests aren't everything. - Fix #64 2015-07-01 18:07:26 -07:00			`if err := ctx.LoadUser(key); err == authboss.ErrUserNotFound {`
			`return false, nil`
			`} else if err != nil {`
Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 11:49:28 -07:00			`return false, err`
Fixed auth and auth tests. - Added more error checking to remember module. 2015-01-15 13:24:12 -08:00			`}`

Add PrimaryID to the system. - Fix #17 2015-02-22 13:16:11 -08:00			`actualPassword, err := ctx.User.StringErr(authboss.StorePassword)`
Reworking auth 2015-02-20 23:33:35 -08:00			`if err != nil {`
Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 11:49:28 -07:00			`return false, err`
Fixed auth and auth tests. - Added more error checking to remember module. 2015-01-15 13:24:12 -08:00			`}`

Reworking auth 2015-02-20 23:33:35 -08:00			`if err := bcrypt.CompareHashAndPassword([]byte(actualPassword), []byte(password)); err != nil {`
Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 11:49:28 -07:00			`return false, nil`
Added auth endpoint POST 2015-01-10 22:49:06 -08:00			`}`

Remove cloaking of errors on auth credentail validation. Errors properly log to LogWriter. 2015-04-03 11:49:28 -07:00			`return true, nil`
Added auth endpoint POST 2015-01-10 22:49:06 -08:00			`}`

Rework recover 2015-02-23 15:51:42 -08:00			`func (a Auth) logoutHandlerFunc(ctx authboss.Context, w http.ResponseWriter, r *http.Request) error {`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`switch r.Method {`
			`case methodGET:`
Implement auth logout - Add del to client storer interface 2015-01-15 16:04:33 -08:00			`ctx.SessionStorer.Del(authboss.SessionKey)`
Fix expire token shenanigans - Add session and cookie cleanup on logout 2015-03-02 22:09:32 -08:00			`ctx.CookieStorer.Del(authboss.CookieRemember)`
			`ctx.SessionStorer.Del(authboss.SessionLastAction)`

Fix modules after refactor. 2015-03-31 15:27:47 -07:00			`response.Redirect(ctx, w, r, a.AuthLogoutOKPath, "You have logged out", "", true)`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`default:`
			`w.WriteHeader(http.StatusMethodNotAllowed)`
			`}`
Reworking auth 2015-02-20 23:33:35 -08:00
			`return nil`
started work on auth module. redefined how configuration is going to work and where core is going to reside 2015-01-04 10:33:53 -08:00			`}`