2024-04-20 11:04:33 +00:00
|
|
|
package services
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
"github.com/google/uuid"
|
|
|
|
|
2024-06-17 14:21:34 +00:00
|
|
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
|
|
|
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
|
2024-04-20 11:04:33 +00:00
|
|
|
"github.com/samber/lo"
|
|
|
|
)
|
|
|
|
|
2024-07-28 11:50:49 +00:00
|
|
|
const InternalTokenAudience = "passport"
|
|
|
|
|
2024-04-20 11:04:33 +00:00
|
|
|
func DetectRisk(user models.Account, ip, ua string) bool {
|
2024-06-26 07:17:10 +00:00
|
|
|
var clue int64
|
2024-04-30 17:33:11 +00:00
|
|
|
if err := database.C.
|
|
|
|
Where(models.AuthTicket{AccountID: user.ID, IpAddress: ip}).
|
|
|
|
Where("available_at IS NOT NULL").
|
|
|
|
Model(models.AuthTicket{}).
|
2024-06-26 07:17:10 +00:00
|
|
|
Count(&clue).Error; err == nil {
|
|
|
|
if clue >= 1 {
|
2024-04-20 11:04:33 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewTicket(user models.Account, ip, ua string) (models.AuthTicket, error) {
|
|
|
|
var ticket models.AuthTicket
|
2024-04-20 17:33:42 +00:00
|
|
|
if err := database.C.
|
|
|
|
Where("account_id = ? AND expired_at < ? AND available_at IS NULL", time.Now(), user.ID).
|
|
|
|
First(&ticket).Error; err == nil {
|
2024-04-20 11:04:33 +00:00
|
|
|
return ticket, nil
|
|
|
|
}
|
|
|
|
|
2024-04-20 17:33:42 +00:00
|
|
|
requireMFA := DetectRisk(user, ip, ua)
|
|
|
|
if count := CountUserFactor(user.ID); count <= 1 {
|
|
|
|
requireMFA = false
|
|
|
|
}
|
|
|
|
|
2024-04-20 11:04:33 +00:00
|
|
|
ticket = models.AuthTicket{
|
2024-04-20 14:50:09 +00:00
|
|
|
Claims: []string{"*"},
|
2024-07-28 11:50:49 +00:00
|
|
|
Audiences: []string{InternalTokenAudience},
|
2024-04-20 14:50:09 +00:00
|
|
|
IpAddress: ip,
|
|
|
|
UserAgent: ua,
|
2024-04-20 17:33:42 +00:00
|
|
|
RequireMFA: requireMFA,
|
2024-04-20 14:50:09 +00:00
|
|
|
RequireAuthenticate: true,
|
2024-04-21 04:20:06 +00:00
|
|
|
ExpiredAt: nil,
|
2024-04-20 14:50:09 +00:00
|
|
|
AvailableAt: nil,
|
|
|
|
AccountID: user.ID,
|
2024-04-20 11:04:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
err := database.C.Save(&ticket).Error
|
|
|
|
|
|
|
|
return ticket, err
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewOauthTicket(
|
|
|
|
user models.Account,
|
|
|
|
client models.ThirdClient,
|
|
|
|
claims, audiences []string,
|
|
|
|
ip, ua string,
|
|
|
|
) (models.AuthTicket, error) {
|
|
|
|
ticket := models.AuthTicket{
|
|
|
|
Claims: claims,
|
|
|
|
Audiences: audiences,
|
|
|
|
IpAddress: ip,
|
|
|
|
UserAgent: ua,
|
|
|
|
GrantToken: lo.ToPtr(uuid.NewString()),
|
|
|
|
AccessToken: lo.ToPtr(uuid.NewString()),
|
|
|
|
RefreshToken: lo.ToPtr(uuid.NewString()),
|
|
|
|
AvailableAt: lo.ToPtr(time.Now()),
|
2024-06-26 06:47:34 +00:00
|
|
|
ExpiredAt: lo.ToPtr(time.Now().Add(7 * 24 * time.Hour)),
|
2024-04-20 11:04:33 +00:00
|
|
|
ClientID: &client.ID,
|
|
|
|
AccountID: user.ID,
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := database.C.Save(&ticket).Error; err != nil {
|
|
|
|
return ticket, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return ticket, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models.AuthTicket, error) {
|
|
|
|
if ticket.AvailableAt != nil {
|
|
|
|
return ticket, nil
|
|
|
|
} else if !ticket.RequireAuthenticate {
|
2024-04-20 14:50:09 +00:00
|
|
|
return ticket, nil
|
2024-04-20 11:04:33 +00:00
|
|
|
}
|
|
|
|
|
2024-04-20 17:33:42 +00:00
|
|
|
if factor, err := GetPasswordTypeFactor(ticket.AccountID); err != nil {
|
2024-04-20 11:04:33 +00:00
|
|
|
return ticket, fmt.Errorf("unable to active ticket: %v", err)
|
|
|
|
} else if err = CheckFactor(factor, password); err != nil {
|
|
|
|
return ticket, err
|
|
|
|
}
|
|
|
|
|
2024-04-20 17:33:42 +00:00
|
|
|
ticket.RequireAuthenticate = false
|
2024-04-20 11:04:33 +00:00
|
|
|
|
|
|
|
if !ticket.RequireAuthenticate && !ticket.RequireMFA {
|
|
|
|
ticket.AvailableAt = lo.ToPtr(time.Now())
|
2024-04-20 17:33:42 +00:00
|
|
|
ticket.GrantToken = lo.ToPtr(uuid.NewString())
|
|
|
|
ticket.AccessToken = lo.ToPtr(uuid.NewString())
|
|
|
|
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
|
2024-04-20 11:04:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if err := database.C.Save(&ticket).Error; err != nil {
|
|
|
|
return ticket, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return ticket, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func ActiveTicketWithMFA(ticket models.AuthTicket, factor models.AuthFactor, code string) (models.AuthTicket, error) {
|
|
|
|
if ticket.AvailableAt != nil {
|
|
|
|
return ticket, nil
|
|
|
|
} else if !ticket.RequireMFA {
|
|
|
|
return ticket, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
if err := CheckFactor(factor, code); err != nil {
|
|
|
|
return ticket, fmt.Errorf("invalid code: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
ticket.RequireMFA = false
|
|
|
|
|
|
|
|
if !ticket.RequireAuthenticate && !ticket.RequireMFA {
|
|
|
|
ticket.AvailableAt = lo.ToPtr(time.Now())
|
2024-04-20 17:33:42 +00:00
|
|
|
ticket.GrantToken = lo.ToPtr(uuid.NewString())
|
|
|
|
ticket.AccessToken = lo.ToPtr(uuid.NewString())
|
|
|
|
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
|
2024-04-20 11:04:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if err := database.C.Save(&ticket).Error; err != nil {
|
|
|
|
return ticket, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return ticket, nil
|
|
|
|
}
|
|
|
|
|
2024-04-20 17:33:42 +00:00
|
|
|
func RegenSession(ticket models.AuthTicket) (models.AuthTicket, error) {
|
|
|
|
ticket.GrantToken = lo.ToPtr(uuid.NewString())
|
|
|
|
ticket.AccessToken = lo.ToPtr(uuid.NewString())
|
|
|
|
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
|
|
|
|
err := database.C.Save(&ticket).Error
|
|
|
|
return ticket, err
|
2024-04-20 11:04:33 +00:00
|
|
|
}
|