Auth stuff

This commit is contained in:
LittleSheep 2024-10-22 00:12:28 +08:00
parent 85783aa331
commit ed05782319
12 changed files with 236 additions and 18 deletions

3
.gitignore vendored
View File

@ -1,3 +1,4 @@
/dist /dist
/uploads /uploads
/default.etcd /default.etcd
/keys

1
go.mod
View File

@ -39,6 +39,7 @@ require (
github.com/go-playground/universal-translator v0.18.1 // indirect github.com/go-playground/universal-translator v0.18.1 // indirect
github.com/go-sql-driver/mysql v1.8.1 // indirect github.com/go-sql-driver/mysql v1.8.1 // indirect
github.com/gogo/protobuf v1.3.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
github.com/golang/protobuf v1.5.4 // indirect github.com/golang/protobuf v1.5.4 // indirect
github.com/google/uuid v1.6.0 // indirect github.com/google/uuid v1.6.0 // indirect
github.com/hashicorp/consul/api v1.30.0 // indirect github.com/hashicorp/consul/api v1.30.0 // indirect

2
go.sum
View File

@ -69,6 +69,8 @@ github.com/gofiber/fiber/v2 v2.52.5/go.mod h1:KEOE+cXMhXG0zHc9d8+E38hoX+ZN7bhOtg
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA= github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A= github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=

View File

@ -1 +0,0 @@
package auth

View File

@ -0,0 +1,55 @@
package auth
import (
"git.solsynth.dev/hypernet/nexus/pkg/nex/sec"
"github.com/gofiber/fiber/v2"
"strings"
)
var JReader *sec.JwtReader
func SoftAuthMiddleware(c *fiber.Ctx) error {
atk := tokenExtract(c)
c.Locals("nex_token", atk)
if claims, err := tokenRead(atk); err == nil && claims != nil {
c.Locals("nex_principal", claims)
} else if err != nil {
c.Locals("nex_auth_error", err)
}
return c.Next()
}
func HardAuthMiddleware(c *fiber.Ctx) error {
if c.Locals("nex_principal") == nil {
err := c.Locals("nex_auth_error").(error)
return fiber.NewError(fiber.StatusUnauthorized, err.Error())
}
return c.Next()
}
func tokenExtract(c *fiber.Ctx) string {
var atk string
if cookie := c.Cookies(sec.CookieAccessToken); len(cookie) > 0 {
atk = cookie
}
if header := c.Get(fiber.HeaderAuthorization); len(header) > 0 {
tk := strings.Replace(header, "Bearer", "", 1)
atk = strings.TrimSpace(tk)
}
if tk := c.Query("tk"); len(tk) > 0 {
atk = strings.TrimSpace(tk)
}
return atk
}
func tokenRead(in string) (*sec.JwtClaims, error) {
if JReader == nil {
return nil, nil
}
claims, err := sec.ReadJwt[sec.JwtClaims](JReader, in)
return &claims, err
}

View File

@ -2,9 +2,11 @@ package main
import ( import (
"fmt" "fmt"
"git.solsynth.dev/hypernet/nexus/pkg/internal/auth"
"git.solsynth.dev/hypernet/nexus/pkg/internal/database" "git.solsynth.dev/hypernet/nexus/pkg/internal/database"
"git.solsynth.dev/hypernet/nexus/pkg/internal/http" "git.solsynth.dev/hypernet/nexus/pkg/internal/http"
"git.solsynth.dev/hypernet/nexus/pkg/internal/kv" "git.solsynth.dev/hypernet/nexus/pkg/internal/kv"
"git.solsynth.dev/hypernet/nexus/pkg/nex/sec"
"github.com/fatih/color" "github.com/fatih/color"
"os" "os"
"os/signal" "os/signal"
@ -70,6 +72,14 @@ func main() {
} }
} }
// Read the public key for jwt
if reader, err := sec.NewJwtReader(viper.GetString("security.public_key")); err != nil {
log.Error().Err(err).Msg("An error occurred when reading public key for jwt. Authentication related features will be disabled.")
} else {
auth.JReader = reader
log.Info().Msg("Jwt public key loaded.")
}
// Server // Server
go server.NewServer().Listen() go server.NewServer().Listen()

15
pkg/nex/README.md Normal file
View File

@ -0,0 +1,15 @@
# Nex
The Hypernet.Nexus development SDK.
Defined the useful functions and ways to handle data for both server side and client.
## Parts
### Nex.Cruda
Create Read Update Delete Accelerator, aka. Cruda.
Cruda will help you to build a simplified database access layer based on the command system in nexus.
### Nex.Sec
The security part of nexus, including signing and validating the tokens and much more.

12
pkg/nex/sec/const.go Normal file
View File

@ -0,0 +1,12 @@
package sec
const (
CookieAccessToken = "nex_atk"
CookieRefreshToken = "nex_rtk"
)
const (
TokenTypeAccess = "access_token"
RefreshTokenType = "refresh_token"
IdTokenType = "id_token"
)

27
pkg/nex/sec/jwt_claims.go Normal file
View File

@ -0,0 +1,27 @@
package sec
import (
"github.com/golang-jwt/jwt/v5"
"time"
)
type JwtClaims struct {
jwt.RegisteredClaims
// Nexus Standard
Session int `json:"sed"`
CacheTTL time.Duration `json:"ttl,omitempty"`
// OIDC Standard
Name string `json:"name,omitempty"`
Nick string `json:"preferred_username,omitempty"`
Email string `json:"email,omitempty"`
// OAuth2 Standard
AuthorizedParties string `json:"azp,omitempty"`
Nonce string `json:"nonce,omitempty"`
// The usage of this token
// Can be access_token, refresh_token or id_token
Type string `json:"typ"`
}

61
pkg/nex/sec/jwt_reader.go Normal file
View File

@ -0,0 +1,61 @@
package sec
import (
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
"github.com/golang-jwt/jwt/v5"
"os"
)
type JwtReader struct {
key *rsa.PublicKey
}
func NewJwtReader(fp string) (*JwtReader, error) {
privateKeyBytes, err := os.ReadFile(fp)
if err != nil {
return nil, err
}
block, _ := pem.Decode(privateKeyBytes)
if block == nil || block.Type != "PUBLIC KEY" {
return nil, fmt.Errorf("failed to decode PEM block containing private key")
}
anyPk, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
return nil, err
}
pk, ok := anyPk.(*rsa.PublicKey)
if !ok {
return nil, fmt.Errorf("not an RSA public key")
}
return &JwtReader{
key: pk,
}, nil
}
func ReadJwt[T jwt.Claims](v *JwtReader, in string) (T, error) {
var out T
token, err := jwt.Parse(in, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return v.key, nil
})
if err != nil {
return out, err
} else if !token.Valid {
return out, fmt.Errorf("token is not valid")
}
if claims, ok := token.Claims.(T); ok {
return claims, nil
} else {
return out, err
}
}

49
pkg/nex/sec/jwt_writer.go Normal file
View File

@ -0,0 +1,49 @@
package sec
import (
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
"github.com/golang-jwt/jwt/v5"
"os"
)
type JwtWriter struct {
key *rsa.PrivateKey
}
func NewJwtWriter(fp string) (*JwtWriter, error) {
rawPk, err := os.ReadFile(fp)
if err != nil {
return nil, err
}
block, _ := pem.Decode(rawPk)
if block == nil || block.Type != "PRIVATE KEY" {
return nil, fmt.Errorf("failed to decode PEM block containing private key")
}
anyPk, err := x509.ParsePKCS8PrivateKey(block.Bytes)
if err != nil {
return nil, err
}
pk, ok := anyPk.(*rsa.PrivateKey)
if !ok {
return nil, fmt.Errorf("not an RSA private key")
}
return &JwtWriter{
key: pk,
}, nil
}
func WriteJwt[T jwt.Claims](v *JwtWriter, in T) (string, error) {
token := jwt.NewWithClaims(jwt.SigningMethodRS256, in)
ss, err := token.SignedString(v.key)
if err != nil {
return "", err
}
return ss, nil
}

View File

@ -1,25 +1,11 @@
bind = "0.0.0.0:8001" bind = "0.0.0.0:8001"
grpc_bind = "0.0.0.0:7001" grpc_bind = "0.0.0.0:7001"
domain = "localhost" domain = "localhost"
secret = "LtTjzAGFLshwXhN4ZD4nG5KlMv1MWcsvfv03TSZYnT1VhiAnLIZFTnHUwR0XhGgi"
[debug] [debug]
database = false database = false
print_routes = false print_routes = false
[mailer]
name = "Alphabot <alphabot@smartsheep.studio>"
smtp_host = "smtp.exmail.qq.com"
smtp_port = 465
username = "alphabot@smartsheep.studio"
password = "gz937Zxxzfcd9SeH"
[security]
cookie_domain = "localhost"
cookie_samesite = "Lax"
access_token_duration = 300
refresh_token_duration = 2592000
[services] [services]
aliases = { id = "auth", uc = "files", co = "interactive", im = "messaging" } aliases = { id = "auth", uc = "files", co = "interactive", im = "messaging" }
@ -30,5 +16,5 @@ prefix = "sn_"
[kv] [kv]
endpoints = ["localhost:2379"] endpoints = ["localhost:2379"]
[scraper] [security]
user-agent = "SolarBot/1.0" public_key = "keys/public_key.pem"