package user_auth
import (
	"context"
	"database/sql"
	"strings"
	"time"

	"geeks-accelerator/oss/saas-starter-kit/internal/account/account_preference"
	"geeks-accelerator/oss/saas-starter-kit/internal/platform/auth"
	"geeks-accelerator/oss/saas-starter-kit/internal/platform/web/webcontext"
	"geeks-accelerator/oss/saas-starter-kit/internal/user"
	"geeks-accelerator/oss/saas-starter-kit/internal/user_account"

	"github.com/huandu/go-sqlbuilder"
	"github.com/lib/pq"
	"github.com/pkg/errors"
	"golang.org/x/crypto/bcrypt"
	"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
)
// Sentinel errors returned by the authentication flows in this package. Callers
// that need to distinguish a rejected login from an infrastructure failure
// compare against these with errors.Cause, since the flows wrap them with
// WithStack / WithMessage before returning.
var (
	// ErrAuthenticationFailure is returned whenever a login, account switch or
	// virtual login cannot be completed (unknown email, wrong password,
	// inaccessible or inactive account).
	ErrAuthenticationFailure = errors.New("Authentication failed")

	// ErrForbidden is returned when the caller's roles do not permit the
	// requested action, such as an unauthorised scope or a virtual login
	// without the admin role on the target account.
	ErrForbidden = errors.New("Attempted action is not allowed")
)
// Table names used when generateToken joins a user's memberships with the
// corresponding user and account rows.
const (
	userTableName        = "users"          // one row per user
	accountTableName     = "accounts"       // one row per account
	userAccountTableName = "users_accounts" // user <-> account membership, carries the roles
)
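// Authenticate finds a user by their email and verifies their password. On success
// it returns a Token that can be used to authenticate access to the application in
// the future.
//
// An unknown email and a wrong password both surface as ErrAuthenticationFailure,
// and both paths perform one bcrypt operation so the response time does not tell
// the two apart. Any other error from the user lookup, request validation or
// token generation is returned unchanged. The token's account is req.AccountID,
// or the user's first active account when that is empty (see generateToken).
func (repo *Repository) Authenticate(ctx context.Context, req AuthenticateRequest, expires time.Duration, now time.Time, scopes ...string) (Token, error) {
	span, ctx := tracer.StartSpanFromContext(ctx, "internal.user_auth.Authenticate")
	defer span.Finish()

	// Validate the request.
	if err := webcontext.Validator().Struct(req); err != nil {
		return Token{}, err
	}

	u, err := repo.User.ReadByEmail(ctx, auth.Claims{}, req.Email, false)
	if err != nil {
		if errors.Cause(err) != user.ErrNotFound {
			return Token{}, err
		}

		// Unknown email: spend roughly one bcrypt work unit before failing so the
		// response time does not reveal whether the address is registered. The
		// result is irrelevant; only the elapsed work matters. The cost should
		// match the one used when the stored hashes were created — TODO confirm
		// against the user package's hashing code.
		_, _ = bcrypt.GenerateFromPassword([]byte(req.Password), bcrypt.DefaultCost)
		return Token{}, errors.WithStack(ErrAuthenticationFailure)
	}

	// Append the salt from the user record to the supplied password.
	saltedPassword := req.Password + u.PasswordSalt

	// Compare the provided password with the saved hash. Use the bcrypt comparison
	// function so it is cryptographically secure. Return authentication error for
	// invalid password.
	if err := bcrypt.CompareHashAndPassword(u.PasswordHash, []byte(saltedPassword)); err != nil {
		return Token{}, errors.WithStack(ErrAuthenticationFailure)
	}

	// The user is successfully authenticated with the supplied email and password.
	return repo.generateToken(ctx, auth.Claims{}, u.ID, req.AccountID, expires, now, scopes...)
}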
// SwitchAccount allows users to switch between multiple accounts, this changes the claim audience.
//
// The requested account becomes the root account on the claims, and the root
// user is filled in from the subject when it is not already set. Whether the
// subject may actually access req.AccountID is decided by generateToken, which
// rejects an account the user is not a member of.
func (repo *Repository) SwitchAccount(ctx context.Context, claims auth.Claims, req SwitchAccountRequest, expires time.Duration, now time.Time, scopes ...string) (Token, error) {
	span, ctx := tracer.StartSpanFromContext(ctx, "internal.user_auth.SwitchAccount")
	defer span.Finish()

	// Validate the request.
	if err := webcontext.Validator().Struct(req); err != nil {
		return Token{}, err
	}

	claims.RootAccountID = req.AccountID
	if claims.RootUserID == "" {
		claims.RootUserID = claims.Subject
	}

	// Issue the token for the current subject. The claims are passed through so
	// generateToken can apply ACLs when listing the user's accounts.
	return repo.generateToken(ctx, claims, claims.Subject, req.AccountID, expires, now, scopes...)
}
// VirtualLogin allows users to mock being logged in as other users.
//
// The caller must hold the admin role on req.AccountID in one of their own
// memberships; otherwise ErrForbidden is returned. The caller's current
// audience/subject are recorded as the root account/user on the claims (when
// not already set) so VirtualLogout can restore them later. Whether req.UserID
// is itself a member of req.AccountID is checked by generateToken.
func (repo *Repository) VirtualLogin(ctx context.Context, claims auth.Claims, req VirtualLoginRequest,
	expires time.Duration, now time.Time, scopes ...string) (Token, error) {
	span, ctx := tracer.StartSpanFromContext(ctx, "internal.user_auth.VirtualLogin")
	defer span.Finish()

	// Validate the request.
	if err := webcontext.Validator().Struct(req); err != nil {
		return Token{}, err
	}

	// Find all the accounts that the current user has access to.
	memberships, err := repo.UserAccount.FindByUserID(ctx, claims, claims.Subject, false)
	if err != nil {
		return Token{}, err
	}

	// The caller must be an admin of the target account to log in as another user.
	isAccountAdmin := false
	for _, m := range memberships {
		if m.HasRole(user_account.UserAccountRole_Admin) && m.AccountID == req.AccountID {
			isAccountAdmin = true
			break
		}
	}
	if !isAccountAdmin {
		return Token{}, errors.WithMessagef(ErrForbidden, "User %s does not have correct access to account %s ", claims.Subject, req.AccountID)
	}

	// Remember where the caller came from so VirtualLogout can return there.
	if claims.RootAccountID == "" {
		claims.RootAccountID = claims.Audience
	}
	if claims.RootUserID == "" {
		claims.RootUserID = claims.Subject
	}

	// Generate a token for the target user. The caller's claims are passed
	// through so generateToken can apply ACLs when listing accounts.
	return repo.generateToken(ctx, claims, req.UserID, req.AccountID, expires, now, scopes...)
}
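// VirtualLogout allows switch back to their root user/account.
//
// It issues a new token for the RootUserID/RootAccountID recorded on the claims
// by VirtualLogin (or SwitchAccount). Claims that carry no root user — for
// example a token issued directly by Authenticate with empty claims, where
// generateToken leaves the root fields blank — have nothing to return to and
// are rejected with ErrAuthenticationFailure up front.
func (repo *Repository) VirtualLogout(ctx context.Context, claims auth.Claims, expires time.Duration, now time.Time, scopes ...string) (Token, error) {
	span, ctx := tracer.StartSpanFromContext(ctx, "internal.user_auth.VirtualLogout")
	defer span.Finish()

	// Without a root user there is nothing to return to. generateToken would
	// otherwise look up memberships for user_id = "" and fail with a misleading
	// "account is not active" message after a wasted query.
	if claims.RootUserID == "" {
		return Token{}, errors.WithMessage(ErrAuthenticationFailure, "claims carry no root user to return to")
	}

	// Generate a token for the root user ID. Pass in the supplied claims as well
	// to enforce ACLs when finding the current list of accounts for the user.
	return repo.generateToken(ctx, claims, claims.RootUserID, claims.RootAccountID, expires, now, scopes...)
}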
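// generateToken generates claims for the supplied user ID and account ID and then
// returns the token for the generated claims used for authentication.
//
// Steps, in order:
//  1. Load every users_accounts row for userID, joined with the user's and the
//     account's status, archive timestamp and timezone columns.
//  2. Pick the account: the one matching accountID when given (a user that is not
//     a member of it is rejected with ErrAuthenticationFailure); otherwise the
//     first membership that is fully active, falling back to the first membership.
//  3. Reject the selection unless both the account and the membership are
//     "active" and neither has been archived.
//  4. Resolve the requested scopes against the membership's roles (RoleAdmin may
//     narrow itself to RoleUser); an unknown scope or an empty role set is
//     ErrForbidden.
//  5. Build claim preferences from the user's or account's timezone and the
//     account's date/time format preferences, then sign the claims with
//     repo.TknGen.
//
// The root user/account on the incoming claims are carried over to the new
// claims so a virtual login can be undone. The returned Token has Expiry and
// TTL set only when expires is positive.
func (repo *Repository) generateToken(ctx context.Context, claims auth.Claims, userID, accountID string, expires time.Duration, now time.Time, scopes ...string) (Token, error) {

	// One users_accounts membership joined with its account and user columns.
	type userAccount struct {
		AccountID       string
		Roles           pq.StringArray
		UserStatus      string
		UserArchived    pq.NullTime
		AccountStatus   string
		AccountArchived pq.NullTime
		AccountTimezone sql.NullString
		UserTimezone    sql.NullString
	}

	// isActive reports whether a membership and its account are both "active"
	// and neither has been archived.
	isActive := func(a userAccount) bool {
		if a.AccountArchived.Valid && !a.AccountArchived.Time.IsZero() {
			return false
		}
		if a.UserArchived.Valid && !a.UserArchived.Time.IsZero() {
			return false
		}
		return a.AccountStatus == "active" && a.UserStatus == "active"
	}

	// Build select statement for users_accounts table to find all the user accounts for the user.
	findUserAccounts := func() ([]userAccount, error) {
		query := sqlbuilder.NewSelectBuilder().Select("ua.account_id, ua.roles, ua.status as userStatus, ua.archived_at userArchived, a.status as accountStatus, a.archived_at, a.timezone, u.timezone as userTimezone").
			From(userAccountTableName + " ua").
			Join(accountTableName+" a", "a.id = ua.account_id").
			Join(userTableName+" u", "u.id = ua.user_id")
		// userID is bound as a query parameter, never interpolated into the SQL.
		query.Where(query.And(
			query.Equal("ua.user_id", userID),
		))
		query.OrderBy("ua.status, a.status, ua.created_at")

		queryStr, queryArgs := query.Build()
		queryStr = repo.DbConn.Rebind(queryStr)
		rows, err := repo.DbConn.QueryContext(ctx, queryStr, queryArgs...)
		if err != nil {
			return nil, errors.Wrapf(err, "query - %s", query.String())
		}
		// Release the connection even when Scan fails part-way through the result.
		defer rows.Close()

		var resp []userAccount
		for rows.Next() {
			var ua userAccount
			if err := rows.Scan(&ua.AccountID, &ua.Roles, &ua.UserStatus, &ua.UserArchived, &ua.AccountStatus, &ua.AccountArchived, &ua.AccountTimezone, &ua.UserTimezone); err != nil {
				return nil, errors.WithStack(err)
			}
			resp = append(resp, ua)
		}
		// rows.Next returning false can mean an iteration error rather than the
		// end of the result set; treating that as "no memberships" would be wrong.
		if err := rows.Err(); err != nil {
			return nil, errors.Wrapf(err, "query - %s", query.String())
		}

		return resp, nil
	}

	accounts, err := findUserAccounts()
	if err != nil {
		// The database error is deliberately not exposed to the caller; the
		// result is reported as a plain authentication failure.
		return Token{}, errors.WithStack(ErrAuthenticationFailure)
	}

	// Load the user account entry for the specified account ID. If none provided,
	// choose the first.
	var account userAccount
	if accountID == "" {
		// Prefer the first membership that is fully active and not archived. Note
		// it is that membership, not accounts[0], that must be selected.
		for _, a := range accounts {
			if isActive(a) {
				account = a
				accountID = a.AccountID
				break
			}
		}

		// Select the first account associated with the user. For the login flow,
		// users could be forced to select a specific account to override this.
		if accountID == "" && len(accounts) > 0 {
			account = accounts[0]
			accountID = account.AccountID
		}
	} else {
		// Loop through all the accounts found for the user and select the specified
		// account.
		for _, a := range accounts {
			if a.AccountID == accountID {
				account = a
				break
			}
		}

		// If no matching entry was found for the specified account ID throw an error.
		if account.AccountID == "" {
			return Token{}, errors.WithStack(ErrAuthenticationFailure)
		}
	}

	// Validate the user account is completely active. An empty selection (user
	// with no memberships) fails here too, since its status is not "active".
	switch {
	case account.AccountArchived.Valid && !account.AccountArchived.Time.IsZero():
		return Token{}, errors.WithMessage(ErrAuthenticationFailure, "account is archived")
	case account.UserArchived.Valid && !account.UserArchived.Time.IsZero():
		return Token{}, errors.WithMessage(ErrAuthenticationFailure, "user account is archived")
	case account.AccountStatus != "active":
		return Token{}, errors.WithMessagef(ErrAuthenticationFailure, "account is not active with status of %s", account.AccountStatus)
	case account.UserStatus != "active":
		return Token{}, errors.WithMessagef(ErrAuthenticationFailure, "user account is not active with status of %s", account.UserStatus)
	}

	// Generate a list of all the account IDs associated with the user so the user
	// has the ability to switch between accounts.
	accountIds := make([]string, 0, len(accounts))
	for _, a := range accounts {
		accountIds = append(accountIds, a.AccountID)
	}

	// Allow the scope to be defined for the claims. This enables testing via the API when a user has the role of admin
	// and would like to limit their role to user.
	var roles []string
	if len(scopes) > 0 && scopes[0] != "" {
		// Parse scopes, handle when one value has a list of scopes
		// separated by a space.
		var scopeList []string
		for _, vs := range scopes {
			for _, s := range strings.Split(vs, " ") {
				s = strings.TrimSpace(s)
				if s == "" {
					continue
				}
				scopeList = append(scopeList, s)
			}
		}

		// Every requested scope must be one of the membership's roles; an admin may
		// additionally narrow itself to the user role. Anything else is forbidden,
		// so a caller can never obtain a role it does not already hold.
		for _, s := range scopeList {
			scopeValid := false
			for _, r := range account.Roles {
				if r == s || (s == auth.RoleUser && r == auth.RoleAdmin) {
					scopeValid = true
					break
				}
			}
			if !scopeValid {
				return Token{}, errors.Wrapf(ErrForbidden, "invalid scope '%s'", s)
			}
			roles = append(roles, s)
		}
	} else {
		roles = account.Roles
	}

	if len(roles) == 0 {
		return Token{}, errors.Wrap(ErrForbidden, "no roles defined for user")
	}

	var claimPref auth.ClaimPreferences
	{
		// Set the timezone if one is specifically set on the user. A name that does
		// not resolve is ignored on purpose so a bad preference cannot block login;
		// the account's timezone is the fallback, and nil is passed on otherwise.
		var tz *time.Location
		if account.UserTimezone.Valid && account.UserTimezone.String != "" {
			tz, _ = time.LoadLocation(account.UserTimezone.String)
		}

		// If user timezone failed to parse or none is set, check the timezone set on the account.
		if tz == nil && account.AccountTimezone.Valid && account.AccountTimezone.String != "" {
			tz, _ = time.LoadLocation(account.AccountTimezone.String)
		}

		prefs, err := repo.AccountPreference.FindByAccountID(ctx, auth.Claims{}, account_preference.AccountPreferenceFindByAccountIDRequest{
			AccountID: accountID,
		})
		if err != nil {
			return Token{}, err
		}

		var (
			preferenceDatetimeFormat string
			preferenceDateFormat     string
			preferenceTimeFormat     string
		)
		for _, pref := range prefs {
			switch pref.Name {
			case account_preference.AccountPreference_Datetime_Format:
				preferenceDatetimeFormat = pref.Value
			case account_preference.AccountPreference_Date_Format:
				preferenceDateFormat = pref.Value
			case account_preference.AccountPreference_Time_Format:
				preferenceTimeFormat = pref.Value
			}
		}

		// Fall back to the package defaults for any format the account left unset
		// (or set to an empty value).
		if preferenceDatetimeFormat == "" {
			preferenceDatetimeFormat = account_preference.AccountPreference_Datetime_Format_Default
		}
		if preferenceDateFormat == "" {
			preferenceDateFormat = account_preference.AccountPreference_Date_Format_Default
		}
		if preferenceTimeFormat == "" {
			preferenceTimeFormat = account_preference.AccountPreference_Time_Format_Default
		}

		claimPref = auth.NewClaimPreferences(tz, preferenceDatetimeFormat, preferenceDateFormat, preferenceTimeFormat)
	}

	// Ensure the current claims has the root values set. With empty incoming
	// claims (the Authenticate path) both conditions are false and the root
	// fields stay blank.
	if (claims.RootAccountID == "" && claims.Audience != "") || (claims.RootUserID == "" && claims.Subject != "") {
		claims.RootAccountID = claims.Audience
		claims.RootUserID = claims.Subject
	}

	// JWT claims requires both an audience and a subject. For this application:
	// Subject: The ID of the user authenticated.
	// Audience: The ID of the account the user is accessing. A list of account IDs
	// will also be included to support the user switching between them.
	newClaims := auth.NewClaims(userID, accountID, accountIds, roles, claimPref, now, expires)

	// Copy the original root account/user ID.
	newClaims.RootAccountID = claims.RootAccountID
	newClaims.RootUserID = claims.RootUserID

	// Generate a token for the user with the defined claims.
	tknStr, err := repo.TknGen.GenerateToken(newClaims)
	if err != nil {
		return Token{}, errors.Wrap(err, "generating token")
	}

	tkn := Token{
		AccessToken: tknStr,
		TokenType:   "Bearer",
		claims:      newClaims,
		UserID:      newClaims.Subject,
		AccountID:   newClaims.Audience,
	}

	// A non-positive expiry leaves Expiry/TTL at their zero values.
	if expires.Seconds() > 0 {
		tkn.Expiry = now.Add(expires)
		tkn.TTL = expires
	}

	return tkn, nil
}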