2015-01-03 12:03:57 -08:00
|
|
|
/*
|
|
|
|
Package authboss is a modular authentication system for the web. It tries to
|
|
|
|
remove as much boilerplate and "hard things" as possible so that each time you
|
|
|
|
start a new web project in Go, you can plug it in, configure and be off to the
|
2015-03-16 21:38:00 -07:00
|
|
|
races without having to think about how to store passwords or remember tokens.
|
2015-01-03 12:03:57 -08:00
|
|
|
*/
|
2016-12-19 22:43:51 -08:00
|
|
|
package authboss
|
2015-01-05 00:18:41 -08:00
|
|
|
|
2018-03-09 13:11:08 -08:00
|
|
|
import (
|
|
|
|
"context"
|
2018-04-30 18:17:07 -07:00
|
|
|
"net/http"
|
2018-03-09 13:11:08 -08:00
|
|
|
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
"golang.org/x/crypto/bcrypt"
|
|
|
|
)
|
2015-01-05 00:18:41 -08:00
|
|
|
|
2015-03-31 12:34:03 -07:00
|
|
|
// Authboss contains a configuration and other details for running.
|
|
|
|
type Authboss struct {
|
|
|
|
Config
|
2018-02-01 16:31:08 -08:00
|
|
|
Events *Events
|
|
|
|
|
2018-02-01 15:42:48 -08:00
|
|
|
loadedModules map[string]Moduler
|
2015-03-31 12:34:03 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
// New makes a new instance of authboss with a default
|
|
|
|
// configuration.
|
|
|
|
func New() *Authboss {
|
2018-01-31 17:07:11 -08:00
|
|
|
ab := &Authboss{}
|
2018-02-01 16:31:08 -08:00
|
|
|
|
2018-02-01 15:42:48 -08:00
|
|
|
ab.loadedModules = make(map[string]Moduler)
|
2018-02-01 16:31:08 -08:00
|
|
|
ab.Events = NewEvents()
|
2018-02-01 15:42:48 -08:00
|
|
|
|
2015-03-31 15:08:43 -07:00
|
|
|
ab.Config.Defaults()
|
2015-03-31 12:34:03 -07:00
|
|
|
return ab
|
|
|
|
}
|
|
|
|
|
2018-01-31 17:07:11 -08:00
|
|
|
// Init authboss, modules, renderers
|
2018-02-01 15:42:48 -08:00
|
|
|
func (a *Authboss) Init(modulesToLoad ...string) error {
|
|
|
|
if len(modulesToLoad) == 0 {
|
|
|
|
modulesToLoad = RegisteredModules()
|
2015-01-05 00:18:41 -08:00
|
|
|
}
|
|
|
|
|
2018-02-01 15:42:48 -08:00
|
|
|
for _, name := range modulesToLoad {
|
2018-02-01 17:10:26 -08:00
|
|
|
if err := a.loadModule(name); err != nil {
|
2018-04-30 18:17:07 -07:00
|
|
|
return errors.Errorf("module %s failed to load: %+v", name, err)
|
2018-02-01 15:42:48 -08:00
|
|
|
}
|
2017-02-23 16:13:25 -08:00
|
|
|
}
|
2015-01-17 02:42:42 -08:00
|
|
|
|
2017-02-23 16:13:25 -08:00
|
|
|
return nil
|
2015-01-17 02:42:42 -08:00
|
|
|
}
|
2015-03-16 22:58:32 -07:00
|
|
|
|
2018-03-09 13:11:08 -08:00
|
|
|
// UpdatePassword updates the password field of a user using the same semantics
|
|
|
|
// that register/auth do to create and verify passwords. It saves this using the storer.
|
|
|
|
//
|
|
|
|
// In addition to that, it also invalidates any remember me tokens, if the storer supports
|
|
|
|
// that kind of operation.
|
|
|
|
//
|
|
|
|
// If it's also desirable to log the user out, use: authboss.DelKnown(Session|Cookie)
|
|
|
|
func (a *Authboss) UpdatePassword(ctx context.Context, user AuthableUser, newPassword string) error {
|
|
|
|
pass, err := bcrypt.GenerateFromPassword([]byte(newPassword), a.Config.Modules.BCryptCost)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
2017-02-23 16:13:25 -08:00
|
|
|
}
|
|
|
|
|
2018-03-09 13:11:08 -08:00
|
|
|
user.PutPassword(string(pass))
|
|
|
|
|
|
|
|
storer := a.Config.Storage.Server
|
|
|
|
if err := storer.Save(ctx, user); err != nil {
|
2017-02-23 16:13:25 -08:00
|
|
|
return err
|
|
|
|
}
|
2015-03-16 22:58:32 -07:00
|
|
|
|
2018-03-09 13:11:08 -08:00
|
|
|
rmStorer, ok := storer.(RememberingServerStorer)
|
|
|
|
if !ok {
|
2017-02-23 16:13:25 -08:00
|
|
|
return nil
|
|
|
|
}
|
2015-03-16 22:58:32 -07:00
|
|
|
|
2018-03-09 13:11:08 -08:00
|
|
|
return rmStorer.DelRememberTokens(user.GetPID())
|
2015-03-16 22:58:32 -07:00
|
|
|
}
|
2018-04-30 18:17:07 -07:00
|
|
|
|
|
|
|
// Middleware prevents someone from accessing a route by returning a 404 if they are not logged in.
|
|
|
|
// This middleware also loads the current user.
|
|
|
|
func Middleware(ab *Authboss) func(http.Handler) http.Handler {
|
|
|
|
return func(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
log := ab.RequestLogger(r)
|
|
|
|
if u, err := ab.LoadCurrentUser(&r); err != nil {
|
|
|
|
log.Errorf("error fetching current user: %+v", err)
|
|
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
} else if u == nil {
|
|
|
|
log.Infof("providing not found for unauthorized user at: %s", r.URL.Path)
|
|
|
|
w.WriteHeader(http.StatusNotFound)
|
|
|
|
return
|
|
|
|
} else {
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|