golang-saas-starter-kit/internal/user_auth/auth.go

package user_auth

import (
	"context"
	"database/sql"
	"strings"
	"time"

	"geeks-accelerator/oss/saas-starter-kit/internal/account/account_preference"
	"geeks-accelerator/oss/saas-starter-kit/internal/platform/auth"
	"geeks-accelerator/oss/saas-starter-kit/internal/platform/web/webcontext"
	"geeks-accelerator/oss/saas-starter-kit/internal/user"
	"geeks-accelerator/oss/saas-starter-kit/internal/user_account"

	"github.com/huandu/go-sqlbuilder"
	"github.com/lib/pq"
	"github.com/pkg/errors"
	"golang.org/x/crypto/bcrypt"
	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
)

var (
	// ErrAuthenticationFailure occurs when a user attempts to authenticate but
	// anything goes wrong.
	ErrAuthenticationFailure = errors.New("Authentication failed")

	// ErrForbidden occurs when a user tries to do something that is forbidden to them according to our access control policies.
	ErrForbidden = errors.New("Attempted action is not allowed")
)

const (
	// The database table for User
	userTableName = "users"
	// The database table for Account
	accountTableName = "accounts"
	// The database table for User Account
	userAccountTableName = "users_accounts"
)

// Authenticate finds a user by their email and verifies their password. On success
// it returns a Token that can be used to authenticate access to the application in
// the future.
func (repo *Repository) Authenticate(ctx context.Context, req AuthenticateRequest, expires time.Duration, now time.Time, scopes ...string) (Token, error) {
	span, ctx := tracer.StartSpanFromContext(ctx, "internal.user_auth.Authenticate")
	defer span.Finish()

	// Validate the request.
	v := webcontext.Validator()
	err := v.Struct(req)
	if err != nil {
		return Token{}, err
	}

	u, err := repo.User.ReadByEmail(ctx, auth.Claims{}, req.Email, false)
	if err != nil {
		if errors.Cause(err) == user.ErrNotFound {
			err = errors.WithStack(ErrAuthenticationFailure)
			return Token{}, err
		} else {
			return Token{}, err
		}
	}

	// Append the salt from the user record to the supplied password.
	saltedPassword := req.Password + u.PasswordSalt

	// Compare the provided password with the saved hash. Use the bcrypt comparison
	// function so it is cryptographically secure. Return authentication error for
	// invalid password.
	if err := bcrypt.CompareHashAndPassword(u.PasswordHash, []byte(saltedPassword)); err != nil {
		err = errors.WithStack(ErrAuthenticationFailure)
		return Token{}, err
	}

	// The user is successfully authenticated with the supplied email and password.
	return repo.generateToken(ctx, auth.Claims{}, u.ID, req.AccountID, expires, now, scopes...)
}

// SwitchAccount allows users to switch between multiple accounts, this changes the claim audience.
func (repo *Repository) SwitchAccount(ctx context.Context, claims auth.Claims, req SwitchAccountRequest, expires time.Duration, now time.Time, scopes ...string) (Token, error) {
	span, ctx := tracer.StartSpanFromContext(ctx, "internal.user_auth.SwitchAccount")
	defer span.Finish()

	// Validate the request.
	v := webcontext.Validator()
	err := v.Struct(req)
	if err != nil {
		return Token{}, err
	}

	claims.RootAccountID = req.AccountID

	if claims.RootUserID == "" {
		claims.RootUserID = claims.Subject
	}

	// Generate a token for the user ID in supplied in claims as the Subject. Pass
	// in the supplied claims as well to enforce ACLs when finding the current
	// list of accounts for the user.
	return repo.generateToken(ctx, claims, claims.Subject, req.AccountID, expires, now, scopes...)
}

// VirtualLogin allows users to mock being logged in as other users.
func (repo *Repository) VirtualLogin(ctx context.Context, claims auth.Claims, req VirtualLoginRequest,
	expires time.Duration, now time.Time, scopes ...string) (Token, error) {
	span, ctx := tracer.StartSpanFromContext(ctx, "internal.user_auth.VirtualLogin")
	defer span.Finish()

	// Validate the request.
	v := webcontext.Validator()
	err := v.Struct(req)
	if err != nil {
		return Token{}, err
	}

	// Find all the accounts that the current user has access to.
	usrAccs, err := repo.UserAccount.FindByUserID(ctx, claims, claims.Subject, false)
	if err != nil {
		return Token{}, err
	}

	// The user must have the role of admin to login any other user.
	var hasAccountAdminRole bool
	for _, usrAcc := range usrAccs {
		if usrAcc.HasRole(user_account.UserAccountRole_Admin) {
			if usrAcc.AccountID == req.AccountID {
				hasAccountAdminRole = true
				break
			}
		}
	}
	if !hasAccountAdminRole {
		return Token{}, errors.WithMessagef(ErrForbidden, "User %s does not have correct access to account %s ", claims.Subject, req.AccountID)
	}

	if claims.RootAccountID == "" {
		claims.RootAccountID = claims.Audience
	}
	if claims.RootUserID == "" {
		claims.RootUserID = claims.Subject
	}

	// Generate a token for the user ID in supplied in claims as the Subject. Pass
	// in the supplied claims as well to enforce ACLs when finding the current
	// list of accounts for the user.
	return repo.generateToken(ctx, claims, req.UserID, req.AccountID, expires, now, scopes...)
}

// VirtualLogout allows switch back to their root user/account.
func (repo *Repository) VirtualLogout(ctx context.Context, claims auth.Claims, expires time.Duration, now time.Time, scopes ...string) (Token, error) {
	span, ctx := tracer.StartSpanFromContext(ctx, "internal.user_auth.VirtualLogout")
	defer span.Finish()

	// Generate a token for the user ID in supplied in claims as the Subject. Pass
	// in the supplied claims as well to enforce ACLs when finding the current
	// list of accounts for the user.
	return repo.generateToken(ctx, claims, claims.RootUserID, claims.RootAccountID, expires, now, scopes...)
}

// generateToken generates claims for the supplied user ID and account ID and then
// returns the token for the generated claims used for authentication.
func (repo *Repository) generateToken(ctx context.Context, claims auth.Claims, userID, accountID string, expires time.Duration, now time.Time, scopes ...string) (Token, error) {

	type userAccount struct {
		AccountID       string
		Roles           pq.StringArray
		UserStatus      string
		UserArchived    pq.NullTime
		AccountStatus   string
		AccountArchived pq.NullTime
		AccountTimezone sql.NullString
		UserTimezone    sql.NullString
	}

	// Build select statement for users_accounts table to find all the user accounts for the user
	f := func() ([]userAccount, error) {
		query := sqlbuilder.NewSelectBuilder().Select("ua.account_id, ua.roles, ua.status as userStatus, ua.archived_at userArchived, a.status as accountStatus, a.archived_at, a.timezone, u.timezone as userTimezone").
			From(userAccountTableName+" ua").
			Join(accountTableName+" a", "a.id = ua.account_id").
			Join(userTableName+" u", "u.id = ua.user_id")
		query.Where(query.And(
			query.Equal("ua.user_id", userID),
		))
		query.OrderBy("ua.status, a.status, ua.created_at")

		// fetch all places from the db
		queryStr, queryArgs := query.Build()
		queryStr = repo.DbConn.Rebind(queryStr)
		rows, err := repo.DbConn.QueryContext(ctx, queryStr, queryArgs...)
		if err != nil {
			err = errors.Wrapf(err, "query - %s", query.String())
			return nil, err
		}

		// iterate over each row
		var resp []userAccount
		for rows.Next() {
			var ua userAccount
			err = rows.Scan(&ua.AccountID, &ua.Roles, &ua.UserStatus, &ua.UserArchived, &ua.AccountStatus, &ua.AccountArchived, &ua.AccountTimezone, &ua.UserTimezone)
			if err != nil {
				return nil, errors.WithStack(err)
			}
			if err != nil {
				err = errors.Wrapf(err, "query - %s", query.String())
				return nil, err
			}

			resp = append(resp, ua)
		}

		return resp, nil
	}

	accounts, err := f()
	if err != nil {
		err = errors.WithStack(ErrAuthenticationFailure)
		return Token{}, err
	}

	// Load the user account entry for the specified account ID. If none provided,
	// choose the first.
	var account userAccount
	if accountID == "" {
		// Try to choose the first active user account that has not been archived.
		for _, a := range accounts {
			if a.AccountArchived.Valid && !a.AccountArchived.Time.IsZero() {
				continue
			} else if a.UserArchived.Valid && !a.UserArchived.Time.IsZero() {
				continue
			} else if a.AccountStatus != "active" {
				continue
			} else if a.UserStatus != "active" {
				continue
			}

			account = accounts[0]
			accountID = account.AccountID
			break
		}

		// Select the first account associated with the user. For the login flow,
		// users could be forced to select a specific account to override this.
		if accountID == "" && len(accounts) > 0 {
			account = accounts[0]
			accountID = account.AccountID
		}
	} else {
		// Loop through all the accounts found for the user and select the specified
		// account.
		for _, a := range accounts {
			if a.AccountID == accountID {
				account = a
				break
			}
		}

		// If no matching entry was found for the specified account ID throw an error.
		if account.AccountID == "" {
			err = errors.WithStack(ErrAuthenticationFailure)
			return Token{}, err
		}
	}

	// Validate the user account is completely active.
	if account.AccountArchived.Valid && !account.AccountArchived.Time.IsZero() {
		err = errors.WithMessage(ErrAuthenticationFailure, "account is archived")
		return Token{}, err
	} else if account.UserArchived.Valid && !account.UserArchived.Time.IsZero() {
		err = errors.WithMessage(ErrAuthenticationFailure, "user account is archived")
		return Token{}, err
	} else if account.AccountStatus != "active" {
		err = errors.WithMessagef(ErrAuthenticationFailure, "account is not active with status of %s", account.AccountStatus)
		return Token{}, err
	} else if account.UserStatus != "active" {
		err = errors.WithMessagef(ErrAuthenticationFailure, "user account is not active with status of %s", account.UserStatus)
		return Token{}, err
	}

	// Generate a list of all the account IDs associated with the user so the use
	// has the ability to switch between accounts.
	var accountIds []string
	for _, a := range accounts {
		accountIds = append(accountIds, a.AccountID)
	}

	// Allow the scope to be defined for the claims. This enables testing via the API when a user has the role of admin
	// and would like to limit their role to user.
	var roles []string
	{
		if len(scopes) > 0 && scopes[0] != "" {
			// Parse scopes, handle when one value has a list of scopes
			// separated by a space.
			var scopeList []string
			for _, vs := range scopes {
				for _, v := range strings.Split(vs, " ") {
					v = strings.TrimSpace(v)
					if v == "" {
						continue
					}
					scopeList = append(scopeList, v)
				}
			}

			for _, s := range scopeList {
				var scopeValid bool
				for _, r := range account.Roles {
					if r == s || (s == auth.RoleUser && r == auth.RoleAdmin) {
						scopeValid = true
						break
					}
				}

				if scopeValid {
					roles = append(roles, s)
				} else {
					err := errors.Wrapf(ErrForbidden, "invalid scope '%s'", s)
					return Token{}, err
				}
			}
		} else {
			roles = account.Roles
		}

		if len(roles) == 0 {
			err := errors.Wrapf(ErrForbidden, "no roles defined for user")
			return Token{}, err
		}
	}

	var claimPref auth.ClaimPreferences
	{
		// Set the timezone if one is specifically set on the user.
		var tz *time.Location
		if account.UserTimezone.Valid && account.UserTimezone.String != "" {
			tz, _ = time.LoadLocation(account.UserTimezone.String)
		}

		// If user timezone failed to parse or none is set, check the timezone set on the account.
		if tz == nil && account.AccountTimezone.Valid && account.AccountTimezone.String != "" {
			tz, _ = time.LoadLocation(account.AccountTimezone.String)
		}

		prefs, err := repo.AccountPreference.FindByAccountID(ctx, auth.Claims{}, account_preference.AccountPreferenceFindByAccountIDRequest{
			AccountID: accountID,
		})
		if err != nil {
			return Token{}, err
		}

		var (
			preferenceDatetimeFormat string
			preferenceDateFormat     string
			preferenceTimeFormat     string
		)

		for _, pref := range prefs {
			switch pref.Name {
			case account_preference.AccountPreference_Datetime_Format:
				preferenceDatetimeFormat = pref.Value
			case account_preference.AccountPreference_Date_Format:
				preferenceDateFormat = pref.Value
			case account_preference.AccountPreference_Time_Format:
				preferenceTimeFormat = pref.Value
			}
		}

		if preferenceDatetimeFormat == "" {
			preferenceDatetimeFormat = account_preference.AccountPreference_Datetime_Format_Default
		}
		if preferenceDateFormat == "" {
			preferenceDateFormat = account_preference.AccountPreference_Date_Format_Default
		}
		if preferenceTimeFormat == "" {
			preferenceTimeFormat = account_preference.AccountPreference_Time_Format_Default
		}

		claimPref = auth.NewClaimPreferences(tz, preferenceDatetimeFormat, preferenceDateFormat, preferenceTimeFormat)
	}

	// Ensure the current claims has the root values set.
	if (claims.RootAccountID == "" && claims.Audience != "") || (claims.RootUserID == "" && claims.Subject != "") {
		claims.RootAccountID = claims.Audience
		claims.RootUserID = claims.Subject
	}

	// JWT claims requires both an audience and a subject. For this application:
	// 	Subject: The ID of the user authenticated.
	// 	Audience: The ID of the account the user is accessing. A list of account IDs
	// 			  will also be included to support the user switching between them.
	newClaims := auth.NewClaims(userID, accountID, accountIds, roles, claimPref, now, expires)

	// Copy the original root account/user ID.
	newClaims.RootAccountID = claims.RootAccountID
	newClaims.RootUserID = claims.RootUserID

	// Generate a token for the user with the defined claims.
	tknStr, err := repo.TknGen.GenerateToken(newClaims)
	if err != nil {
		return Token{}, errors.Wrap(err, "generating token")
	}

	tkn := Token{
		AccessToken: tknStr,
		TokenType:   "Bearer",
		claims:      newClaims,
		UserID:      newClaims.Subject,
		AccountID:   newClaims.Audience,
	}

	if expires.Seconds() > 0 {
		tkn.Expiry = now.Add(expires)
		tkn.TTL = expires
	}

	return tkn, nil
}