go/golang-saas-starter-kit
1
0
Fork 0
mirror of https://github.com/raseels-repos/golang-saas-starter-kit.git synced 2025-06-06 23:46:29 +02:00
Code Issues Releases Activity
golang-saas-starter-kit/example-project/internal/user/auth.go

227 lines
8.0 KiB
Go
Raw Blame History

package user
import (
"context"
"time"
"geeks-accelerator/oss/saas-starter-kit/example-project/internal/platform/auth"
"github.com/huandu/go-sqlbuilder"
"github.com/jmoiron/sqlx"
"github.com/lib/pq"
"github.com/pkg/errors"
"golang.org/x/crypto/bcrypt"
"gopkg.in/DataDog/dd-trace-go.v1/ddtrace/tracer"
"gopkg.in/go-playground/validator.v9"
)
// TokenGenerator is the behavior we need in our Authenticate to generate tokens for
// authenticated users.
type TokenGenerator interface {
GenerateToken(auth.Claims) (string, error)
ParseClaims(string) (auth.Claims, error)
}
// Authenticate finds a user by their email and verifies their password. On success
// it returns a Token that can be used to authenticate access to the application in
// the future.
func Authenticate(ctx context.Context, dbConn *sqlx.DB, tknGen TokenGenerator, email, password string, expires time.Duration, now time.Time) (Token, error) {
span, ctx := tracer.StartSpanFromContext(ctx, "internal.user.Authenticate")
defer span.Finish()
// Generate sql query to select user by email address.
query := sqlbuilder.NewSelectBuilder()
query.Where(query.Equal("email", email))
// Run the find, use empty claims to bypass ACLs since this in an internal request
// and the current user is not authenticated at this point. If the email is
// invalid, return the same error as when an invalid password is supplied.
res, err := find(ctx, auth.Claims{}, dbConn, query, []interface{}{}, false)
if err != nil {
return Token{}, err
} else if res == nil || len(res) == 0 {
err = errors.WithStack(ErrAuthenticationFailure)
return Token{}, err
}
u := res[0]
// Append the salt from the user record to the supplied password.
saltedPassword := password + u.PasswordSalt
// Compare the provided password with the saved hash. Use the bcrypt comparison
// function so it is cryptographically secure. Return authentication error for
// invalid password.
if err := bcrypt.CompareHashAndPassword(u.PasswordHash, []byte(saltedPassword)); err != nil {
err = errors.WithStack(ErrAuthenticationFailure)
return Token{}, err
}
// The user is successfully authenticated with the supplied email and password.
return generateToken(ctx, dbConn, tknGen, auth.Claims{}, u.ID, "", expires, now)
}
// Authenticate finds a user by their email and verifies their password. On success
// it returns a Token that can be used to authenticate access to the application in
// the future.
func SwitchAccount(ctx context.Context, dbConn *sqlx.DB, tknGen TokenGenerator, claims auth.Claims, accountID string, expires time.Duration, now time.Time) (Token, error) {
span, ctx := tracer.StartSpanFromContext(ctx, "internal.user.SwitchAccount")
defer span.Finish()
// Defines struct to apply validation for the supplied claims and account ID.
req := struct {
UserID string `validate:"required,uuid"`
AccountID string `validate:"required,uuid"`
}{
UserID: claims.Subject,
AccountID: accountID,
}
// Validate the request.
err := validator.New().Struct(req)
if err != nil {
return Token{}, err
}
// Generate a token for the user ID in supplied in claims as the Subject. Pass
// in the supplied claims as well to enforce ACLs when finding the current
// list of accounts for the user.
return generateToken(ctx, dbConn, tknGen, claims, req.UserID, req.AccountID, expires, now)
}
// generateToken generates claims for the supplied user ID and account ID and then
// returns the token for the generated claims used for authentication.
func generateToken(ctx context.Context, dbConn *sqlx.DB, tknGen TokenGenerator, claims auth.Claims, userID, accountID string, expires time.Duration, now time.Time) (Token, error) {
type userAccount struct {
AccountID string
Roles pq.StringArray
UserStatus string
UserArchived pq.NullTime
AccountStatus string
AccountArchived pq.NullTime
}
// Build select statement for users_accounts table to find all the user accounts for the user
f := func() ([]userAccount, error) {
query := sqlbuilder.NewSelectBuilder().Select("ua.account_id, ua.roles, ua.status as userStatus, ua.archived_at userArchived, a.status as accountStatus, a.archived_at as accountArchived").
From(userAccountTableName+" ua").
Join(accountTableName+" a", "a.id = ua.account_id")
query.Where(query.And(
query.Equal("ua.user_id", userID),
))
query.OrderBy("ua.status, a.status, ua.created_at")
// fetch all places from the db
queryStr, queryArgs := query.Build()
queryStr = dbConn.Rebind(queryStr)
rows, err := dbConn.QueryContext(ctx, queryStr, queryArgs...)
if err != nil {
err = errors.Wrapf(err, "query - %s", query.String())
return nil, err
}
// iterate over each row
var resp []userAccount
for rows.Next() {
var ua userAccount
err = rows.Scan(&ua.AccountID, &ua.Roles, &ua.UserStatus, &ua.UserArchived, &ua.AccountStatus, &ua.AccountArchived)
if err != nil {
return nil, errors.WithStack(err)
}
if err != nil {
err = errors.Wrapf(err, "query - %s", query.String())
return nil, err
}
resp = append(resp, ua)
}
return resp, nil
}
accounts, err := f()
if err != nil {
err = errors.WithStack(ErrAuthenticationFailure)
return Token{}, err
}
// Load the user account entry for the specified account ID. If none provided,
// choose the first.
var account userAccount
if accountID == "" {
// Try to choose the first active user account that has not been archived.
for _, a := range accounts {
if a.AccountArchived.Valid && !a.AccountArchived.Time.IsZero() {
continue
} else if a.UserArchived.Valid && !a.UserArchived.Time.IsZero() {
continue
} else if a.AccountStatus != "active" {
continue
} else if a.UserStatus != "active" {
continue
}
account = accounts[0]
accountID = account.AccountID
break
}
// Select the first account associated with the user. For the login flow,
// users could be forced to select a specific account to override this.
if accountID == "" && len(accounts) > 0 {
account = accounts[0]
accountID = account.AccountID
}
} else {
// Loop through all the accounts found for the user and select the specified
// account.
for _, a := range accounts {
if a.AccountID == accountID {
account = a
break
}
}
// If no matching entry was found for the specified account ID throw an error.
if account.AccountID == "" {
err = errors.WithStack(ErrAuthenticationFailure)
return Token{}, err
}
}
// Validate the user account is completely active.
if account.AccountArchived.Valid && !account.AccountArchived.Time.IsZero() {
err = errors.WithMessage(ErrAuthenticationFailure, "account is archived")
return Token{}, err
} else if account.UserArchived.Valid && !account.UserArchived.Time.IsZero() {
err = errors.WithMessage(ErrAuthenticationFailure, "user account is archived")
return Token{}, err
} else if account.AccountStatus != "active" {
err = errors.WithMessagef(ErrAuthenticationFailure, "account is not active with status of %s", account.AccountStatus)
return Token{}, err
} else if account.UserStatus != "active" {
err = errors.WithMessagef(ErrAuthenticationFailure, "user account is not active with status of %s", account.UserStatus)
return Token{}, err
}
// Generate a list of all the account IDs associated with the user so the use
// has the ability to switch between accounts.
var accountIds []string
for _, a := range accounts {
accountIds = append(accountIds, a.AccountID)
}
// JWT claims requires both an audience and a subject. For this application:
// Subject: The ID of the user authenticated.
// Audience: The ID of the account the user is accessing. A list of account IDs
// will also be included to support the user switching between them.
claims = auth.NewClaims(userID, accountID, accountIds, account.Roles, now, expires)
// Generate a token for the user with the defined claims.
tkn, err := tknGen.GenerateToken(claims)
if err != nil {
return Token{}, errors.Wrap(err, "generating token")
}
return Token{Token: tkn, claims: claims}, nil
}
Reference in New Issue View Git Blame Copy Permalink