Completed user and account packages, extracted user_account code to independent package
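--- a/example-project/internal/user/auth.go
+++ b/example-project/internal/user/auth.go
@@ -0,0 +1,226 @@
+package user
+
+import (
+	"context"
+	"time"
+
+	"geeks-accelerator/oss/saas-starter-kit/example-project/internal/platform/auth"
+	"github.com/huandu/go-sqlbuilder"
+	"github.com/jmoiron/sqlx"
+	"github.com/lib/pq"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/bcrypt"
+	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
+	"gopkg.in/go-playground/validator.v9"
+)
+
+// TokenGenerator is the behavior we need in our Authenticate to generate tokens for
+// authenticated users.
+type TokenGenerator interface {
+	GenerateToken(auth.Claims) (string, error)
+	ParseClaims(string) (auth.Claims, error)
+}
+
+// Authenticate finds a user by their email and verifies their password. On success
+// it returns a Token that can be used to authenticate access to the application in
+// the future.
+func Authenticate(ctx context.Context, dbConn *sqlx.DB, tknGen TokenGenerator, email, password string, expires time.Duration, now time.Time) (Token, error) {
+	span, ctx := tracer.StartSpanFromContext(ctx, "internal.user.Authenticate")
+	defer span.Finish()
+
+	// Generate sql query to select user by email address.
+	query := sqlbuilder.NewSelectBuilder()
+	query.Where(query.Equal("email", email))
+
+	// Run the find, use empty claims to bypass ACLs since this in an internal request
+	// and the current user is not authenticated at this point. If the email is
+	// invalid, return the same error as when an invalid password is supplied.
+	res, err := find(ctx, auth.Claims{}, dbConn, query, []interface{}{}, false)
+	if err != nil {
+		return Token{}, err
+	} else if res == nil || len(res) == 0 {
+		err = errors.WithStack(ErrAuthenticationFailure)
+		return Token{}, err
+	}
+	u := res[0]
+
+	// Append the salt from the user record to the supplied password.
+	saltedPassword := password + u.PasswordSalt
+
+	// Compare the provided password with the saved hash. Use the bcrypt comparison
+	// function so it is cryptographically secure. Return authentication error for
+	// invalid password.
+	if err := bcrypt.CompareHashAndPassword(u.PasswordHash, []byte(saltedPassword)); err != nil {
+		err = errors.WithStack(ErrAuthenticationFailure)
+		return Token{}, err
+	}
+
+	// The user is successfully authenticated with the supplied email and password.
+	return generateToken(ctx, dbConn, tknGen, auth.Claims{}, u.ID, "", expires, now)
+}
+
+// Authenticate finds a user by their email and verifies their password. On success
+// it returns a Token that can be used to authenticate access to the application in
+// the future.
+func SwitchAccount(ctx context.Context, dbConn *sqlx.DB, tknGen TokenGenerator, claims auth.Claims, accountID string, expires time.Duration, now time.Time) (Token, error) {
+	span, ctx := tracer.StartSpanFromContext(ctx, "internal.user.SwitchAccount")
+	defer span.Finish()
+
+	// Defines struct to apply validation for the supplied claims and account ID.
+	req := struct {
+		UserID string `validate:"required,uuid"`
+		AccountID string `validate:"required,uuid"`
+	}{
+		UserID: claims.Subject,
+		AccountID: accountID,
+	}
+
+	// Validate the request.
+	err := validator.New().Struct(req)
+	if err != nil {
+		return Token{}, err
+	}
+
+	// Generate a token for the user ID in supplied in claims as the Subject. Pass
+	// in the supplied claims as well to enforce ACLs when finding the current
+	// list of accounts for the user.
+	return generateToken(ctx, dbConn, tknGen, claims, req.UserID, req.AccountID, expires, now)
+}
+
+// generateToken generates claims for the supplied user ID and account ID and then
+// returns the token for the generated claims used for authentication.
+func generateToken(ctx context.Context, dbConn *sqlx.DB, tknGen TokenGenerator, claims auth.Claims, userID, accountID string, expires time.Duration, now time.Time) (Token, error) {
+
+	type userAccount struct {
+		AccountID string
+		Roles pq.StringArray
+		UserStatus string
+		UserArchived pq.NullTime
+		AccountStatus string
+		AccountArchived pq.NullTime
+	}
+
+	// Build select statement for users_accounts table to find all the user accounts for the user
+	f := func() ([]userAccount, error) {
+		query := sqlbuilder.NewSelectBuilder().Select("ua.account_id, ua.roles, ua.status as userStatus, ua.archived_at userArchived, a.status as accountStatus, a.archived_at as accountArchived").
+			From(userAccountTableName+" ua").
+			Join(accountTableName+" a", "a.id = ua.account_id")
+		query.Where(query.And(
+			query.Equal("ua.user_id", userID),
+		))
+		query.OrderBy("ua.status, a.status, ua.created_at")
+
+		// fetch all places from the db
+		queryStr, queryArgs := query.Build()
+		queryStr = dbConn.Rebind(queryStr)
+		rows, err := dbConn.QueryContext(ctx, queryStr, queryArgs...)
+		if err != nil {
+			err = errors.Wrapf(err, "query - %s", query.String())
+			return nil, err
+		}
+
+		// iterate over each row
+		var resp []userAccount
+		for rows.Next() {
+			var ua userAccount
+			err = rows.Scan(&ua.AccountID, &ua.Roles, &ua.UserStatus, &ua.UserArchived, &ua.AccountStatus, &ua.AccountArchived)
+			if err != nil {
+				return nil, errors.WithStack(err)
+			}
+			if err != nil {
+				err = errors.Wrapf(err, "query - %s", query.String())
+				return nil, err
+			}
+
+			resp = append(resp, ua)
+		}
+
+		return resp, nil
+	}
+
+	accounts, err := f()
+	if err != nil {
+		err = errors.WithStack(ErrAuthenticationFailure)
+		return Token{}, err
+	}
+
+	// Load the user account entry for the specified account ID. If none provided,
+	// choose the first.
+	var account userAccount
+	if accountID == "" {
+		// Try to choose the first active user account that has not been archived.
+		for _, a := range accounts {
+			if a.AccountArchived.Valid && !a.AccountArchived.Time.IsZero() {
+				continue
+			} else if a.UserArchived.Valid && !a.UserArchived.Time.IsZero() {
+				continue
+			} else if a.AccountStatus != "active" {
+				continue
+			} else if a.UserStatus != "active" {
+				continue
+			}
+
+			account = accounts[0]
+			accountID = account.AccountID
+			break
+		}
+
+		// Select the first account associated with the user. For the login flow,
+		// users could be forced to select a specific account to override this.
+		if accountID == "" && len(accounts) > 0 {
+			account = accounts[0]
+			accountID = account.AccountID
+		}
+	} else {
+		// Loop through all the accounts found for the user and select the specified
+		// account.
+		for _, a := range accounts {
+			if a.AccountID == accountID {
+				account = a
+				break
+			}
+		}
+
+		// If no matching entry was found for the specified account ID throw an error.
+		if account.AccountID == "" {
+			err = errors.WithStack(ErrAuthenticationFailure)
+			return Token{}, err
+		}
+	}
+
+	// Validate the user account is completely active.
+	if account.AccountArchived.Valid && !account.AccountArchived.Time.IsZero() {
+		err = errors.WithMessage(ErrAuthenticationFailure, "account is archived")
+		return Token{}, err
+	} else if account.UserArchived.Valid && !account.UserArchived.Time.IsZero() {
+		err = errors.WithMessage(ErrAuthenticationFailure, "user account is archived")
+		return Token{}, err
+	} else if account.AccountStatus != "active" {
+		err = errors.WithMessagef(ErrAuthenticationFailure, "account is not active with status of %s", account.AccountStatus)
+		return Token{}, err
+	} else if account.UserStatus != "active" {
+		err = errors.WithMessagef(ErrAuthenticationFailure, "user account is not active with status of %s", account.UserStatus)
+		return Token{}, err
+	}
+
+	// Generate a list of all the account IDs associated with the user so the use
+	// has the ability to switch between accounts.
+	var accountIds []string
+	for _, a := range accounts {
+		accountIds = append(accountIds, a.AccountID)
+	}
+
+	// JWT claims requires both an audience and a subject. For this application:
+	// Subject: The ID of the user authenticated.
+	// Audience: The ID of the account the user is accessing. A list of account IDs
+	// will also be included to support the user switching between them.
+	claims = auth.NewClaims(userID, accountID, accountIds, account.Roles, now, expires)
+
+	// Generate a token for the user with the defined claims.
+	tkn, err := tknGen.GenerateToken(claims)
+	if err != nil {
+		return Token{}, errors.Wrap(err, "generating token")
+	}
+
+	return Token{Token: tkn, claims: claims}, nil
+}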
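Review bot: The default-account search in generateToken assigns the wrong element: once the loop has skipped archived or inactive rows and reached a usable `a`, the line `account = accounts[0]` picks the first row regardless, so whenever accounts[0] is itself archived or inactive the status validation further down rejects a user who does have an active account; it should read `account = a`. The closure `f` in the same function never closes `rows` and never checks `rows.Err()` after the loop, so a pooled connection is held until garbage collection and a failure mid-iteration is reported as a successful, truncated result, while the second `if err != nil` inside the loop is unreachable because the same err was just returned on (rewrite below). In Authenticate the comment above `find` says an unknown email yields the same error as a wrong password, but that path returns before `bcrypt.CompareHashAndPassword` runs whereas the wrong-password path pays the full bcrypt cost, so the two outcomes still differ in response time; running the comparison against a fixed dummy hash on the not-found path keeps them close. Note also that bcrypt only uses the first 72 bytes of its input, so with `password + u.PasswordSalt` the appended salt is silently ignored for long passwords and the effective password is truncated — worth a length check or at least a comment on the limit. The doc comment on SwitchAccount is a copy of Authenticate's and should describe switching the active account in the issued token instead.
```go
	// … unchanged: query construction and Build/Rebind …
	rows, err := dbConn.QueryContext(ctx, queryStr, queryArgs...)
	if err != nil {
		err = errors.Wrapf(err, "query - %s", query.String())
		return nil, err
	}
	defer rows.Close()

	// iterate over each row
	var resp []userAccount
	for rows.Next() {
		var ua userAccount
		err = rows.Scan(&ua.AccountID, &ua.Roles, &ua.UserStatus, &ua.UserArchived, &ua.AccountStatus, &ua.AccountArchived)
		if err != nil {
			return nil, errors.WithStack(err)
		}
		resp = append(resp, ua)
	}
	// An error raised while iterating is only visible here, not from Next().
	if err := rows.Err(); err != nil {
		return nil, errors.Wrapf(err, "query - %s", query.String())
	}

	return resp, nil
```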