HyperNet/Passport
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

♻️ Better sign in flow

Browse Source
This commit is contained in:
LittleSheep
2024-09-16 02:37:02 +08:00
parent ea3d6c20d3
commit df9fb0a92a
8 changed files with 128 additions and 101 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
pkg/internal/models/auth.go
View File

@ -28,28 +28,28 @@ type AuthFactor struct {
type AuthTicket struct {
BaseModel
Location string `json:"location"`
IpAddress string `json:"ip_address"`
UserAgent string `json:"user_agent"`
RequireMFA bool `json:"require_mfa"`
RequireAuthenticate bool `json:"require_authenticate"`
Claims datatypes.JSONSlice[string] `json:"claims"`
Audiences datatypes.JSONSlice[string] `json:"audiences"`
GrantToken *string `json:"grant_token"`
AccessToken *string `json:"access_token"`
RefreshToken *string `json:"refresh_token"`
ExpiredAt *time.Time `json:"expired_at"`
AvailableAt *time.Time `json:"available_at"`
LastGrantAt *time.Time `json:"last_grant_at"`
Nonce *string `json:"nonce"`
ClientID *uint `json:"client_id"`
Location string `json:"location"`
IpAddress string `json:"ip_address"`
UserAgent string `json:"user_agent"`
StepRemain int `json:"step_remain"`
Claims datatypes.JSONSlice[string] `json:"claims"`
Audiences datatypes.JSONSlice[string] `json:"audiences"`
FactorTrail datatypes.JSONSlice[int] `json:"factor_trail"`
GrantToken *string `json:"grant_token"`
AccessToken *string `json:"access_token"`
RefreshToken *string `json:"refresh_token"`
ExpiredAt *time.Time `json:"expired_at"`
AvailableAt *time.Time `json:"available_at"`
LastGrantAt *time.Time `json:"last_grant_at"`
Nonce *string `json:"nonce"`
ClientID *uint `json:"client_id"`
Account Account `json:"account"`
AccountID uint `json:"account_id"`
}
func (v AuthTicket) IsAvailable() error {
if v.RequireMFA || v.RequireAuthenticate {
if v.StepRemain > 0 {
return fmt.Errorf("ticket isn't authenticated yet")
}
if v.AvailableAt != nil && time.Now().Unix() < v.AvailableAt.Unix() {
@ -62,6 +62,14 @@ func (v AuthTicket) IsAvailable() error {
return nil
}
func (v AuthTicket) IsCanBeAvailble() error {
if v.StepRemain > 0 {
return fmt.Errorf("ticket isn't authenticated yet")
}
return nil
}
type AuthContext struct {
Ticket AuthTicket `json:"ticket"`
Account Account `json:"account"`

12
pkg/internal/server/api/auth_api.go
View File

@ -28,7 +28,6 @@ func getTicket(c *fiber.Ctx) error {
func doAuthenticate(c *fiber.Ctx) error {
var data struct {
Username string `json:"username" validate:"required"`
Password string `json:"password" validate:"required"`
}
if err := exts.BindAndValidate(c, &data); err != nil {
@ -39,7 +38,7 @@ func doAuthenticate(c *fiber.Ctx) error {
if err != nil {
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("account was not found: %v", err.Error()))
} else if user.ConfirmedAt == nil {
return fiber.NewError(fiber.StatusForbidden, "account was not confirmed")
return fiber.NewError(fiber.StatusForbidden, "account was not confirmed; check your inbox, there will be an email lead you confirm your registration")
} else if user.SuspendedAt != nil {
return fiber.NewError(fiber.StatusForbidden, "account was suspended")
}
@ -49,18 +48,13 @@ func doAuthenticate(c *fiber.Ctx) error {
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("unable setup ticket: %v", err.Error()))
}
ticket, err = services.ActiveTicketWithPassword(ticket, data.Password)
if err != nil {
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("failed to authenticate: %v", err.Error()))
}
return c.JSON(fiber.Map{
"is_finished": ticket.IsAvailable() == nil,
"ticket": ticket,
})
}
func doMultiFactorAuthenticate(c *fiber.Ctx) error {
func doAuthTicketCheck(c *fiber.Ctx) error {
var data struct {
TicketID uint `json:"ticket_id" validate:"required"`
FactorID uint `json:"factor_id" validate:"required"`
@ -81,7 +75,7 @@ func doMultiFactorAuthenticate(c *fiber.Ctx) error {
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("factor was not found: %v", err.Error()))
}
ticket, err = services.ActiveTicketWithMFA(ticket, factor, data.Code)
ticket, err = services.PerformTicketCheck(ticket, factor, data.Code)
if err != nil {
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("failed to authenticate: %v", err.Error()))
}

2
pkg/internal/server/api/index.go
View File

@ -76,7 +76,7 @@ func MapAPIs(app *fiber.App, baseURL string) {
auth := api.Group("/auth").Name("Auth")
{
auth.Post("/", doAuthenticate)
auth.Post("/mfa", doMultiFactorAuthenticate)
auth.Patch("/", doAuthTicketCheck)
auth.Post("/token", getToken)
auth.Get("/tickets/:ticketId", getTicket)

28
pkg/internal/services/bot_token.go
View File

@ -1,11 +1,12 @@
package services
import (
"time"
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
"github.com/google/uuid"
"github.com/samber/lo"
"time"
)
func NewApiKey(user models.Account, key models.ApiKey, ip, ua string, claims []string) (models.ApiKey, error) {
@ -18,19 +19,18 @@ func NewApiKey(user models.Account, key models.ApiKey, ip, ua string, claims []s
}
key.Ticket = models.AuthTicket{
IpAddress: ip,
UserAgent: ua,
RequireMFA: false,
RequireAuthenticate: false,
Claims: claims,
Audiences: []string{InternalTokenAudience},
GrantToken: lo.ToPtr(uuid.NewString()),
AccessToken: lo.ToPtr(uuid.NewString()),
RefreshToken: lo.ToPtr(uuid.NewString()),
AvailableAt: lo.ToPtr(time.Now()),
ExpiredAt: expiredAt,
Account: user,
AccountID: user.ID,
IpAddress: ip,
UserAgent: ua,
StepRemain: 0,
Claims: claims,
Audiences: []string{InternalTokenAudience},
GrantToken: lo.ToPtr(uuid.NewString()),
AccessToken: lo.ToPtr(uuid.NewString()),
RefreshToken: lo.ToPtr(uuid.NewString()),
AvailableAt: lo.ToPtr(time.Now()),
ExpiredAt: expiredAt,
Account: user,
AccountID: user.ID,
}
if err := database.C.Save(&key).Error; err != nil {

129
pkg/internal/services/ticket.go
View File

@ -2,9 +2,10 @@ package services
import (
"fmt"
"github.com/rs/zerolog/log"
"time"
"github.com/rs/zerolog/log"
"github.com/google/uuid"
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
@ -14,7 +15,9 @@ import (
const InternalTokenAudience = "solar-network"
func DetectRisk(user models.Account, ip, ua string) bool {
// DetectRisk is used for detect user environment is suitable for no multi-factor authenticate or not.
// Return the remaining steps, value is from 1 to 2, may appear 3 if user enabled the third-authentication-factor.
func DetectRisk(user models.Account, ip, ua string) int {
var clue int64
if err := database.C.
Where(models.AuthTicket{AccountID: user.ID, IpAddress: ip}).
@ -22,36 +25,47 @@ func DetectRisk(user models.Account, ip, ua string) bool {
Model(models.AuthTicket{}).
Count(&clue).Error; err == nil {
if clue >= 1 {
return false
return 1
}
}
return true
return 2
}
// PickTicketAttempt is trying to pick up the ticket that haven't completed but created by a same client (identify by ip address).
// Then the client can continue their journey to get ticket actived.
func PickTicketAttempt(user models.Account, ip string) (models.AuthTicket, error) {
var ticket models.AuthTicket
if err := database.C.
Where("account_id = ? AND ip_address = ? AND expired_at < ? AND available_at IS NULL", user.ID, ip, time.Now()).
First(&ticket).Error; err != nil {
return ticket, err
}
return ticket, nil
}
func NewTicket(user models.Account, ip, ua string) (models.AuthTicket, error) {
var ticket models.AuthTicket
if err := database.C.
Where("account_id = ? AND expired_at < ? AND available_at IS NULL", time.Now(), user.ID).
First(&ticket).Error; err == nil {
if ticket, err := PickTicketAttempt(user, ip); err == nil {
return ticket, nil
}
requireMFA := DetectRisk(user, ip, ua)
if count := CountUserFactor(user.ID); count <= 1 {
requireMFA = false
steps := DetectRisk(user, ip, ua)
if count := CountUserFactor(user.ID); count <= 0 {
return ticket, fmt.Errorf("specified user didn't enable sign in")
} else {
steps = min(steps, int(count))
}
ticket = models.AuthTicket{
Claims: []string{"*"},
Audiences: []string{InternalTokenAudience},
IpAddress: ip,
UserAgent: ua,
RequireMFA: requireMFA,
RequireAuthenticate: true,
ExpiredAt: nil,
AvailableAt: nil,
AccountID: user.ID,
Claims: []string{"*"},
Audiences: []string{InternalTokenAudience},
IpAddress: ip,
UserAgent: ua,
StepRemain: steps,
ExpiredAt: nil,
AvailableAt: nil,
AccountID: user.ID,
}
err := database.C.Save(&ticket).Error
@ -91,27 +105,17 @@ func NewOauthTicket(
return ticket, nil
}
func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models.AuthTicket, error) {
func ActiveTicket(ticket models.AuthTicket) (models.AuthTicket, error) {
if ticket.AvailableAt != nil {
return ticket, nil
} else if !ticket.RequireAuthenticate {
return ticket, nil
}
if factor, err := GetPasswordTypeFactor(ticket.AccountID); err != nil {
return ticket, fmt.Errorf("unable to active ticket: %v", err)
} else if err = CheckFactor(factor, password); err != nil {
} else if err := ticket.IsCanBeAvailble(); err != nil {
return ticket, err
}
ticket.RequireAuthenticate = false
if !ticket.RequireAuthenticate && !ticket.RequireMFA {
ticket.AvailableAt = lo.ToPtr(time.Now())
ticket.GrantToken = lo.ToPtr(uuid.NewString())
ticket.AccessToken = lo.ToPtr(uuid.NewString())
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
}
ticket.AvailableAt = lo.ToPtr(time.Now())
ticket.GrantToken = lo.ToPtr(uuid.NewString())
ticket.AccessToken = lo.ToPtr(uuid.NewString())
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
if err := database.C.Save(&ticket).Error; err != nil {
return ticket, err
@ -120,28 +124,59 @@ func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models
return ticket, nil
}
func ActiveTicketWithMFA(ticket models.AuthTicket, factor models.AuthFactor, code string) (models.AuthTicket, error) {
func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models.AuthTicket, error) {
if ticket.AvailableAt != nil {
return ticket, nil
} else if !ticket.RequireMFA {
} else if ticket.StepRemain == 1 {
return ticket, fmt.Errorf("multi-factor authentication required")
}
factor, err := GetPasswordTypeFactor(ticket.AccountID)
if err != nil {
return ticket, fmt.Errorf("unable to authenticate, password factor was not found: %v", err)
} else if err := CheckFactor(factor, password); err != nil {
return ticket, fmt.Errorf("invalid password: %v", err)
}
ticket.StepRemain--
ticket.FactorTrail = append(ticket.FactorTrail, int(factor.ID))
ticket.AvailableAt = lo.ToPtr(time.Now())
ticket.GrantToken = lo.ToPtr(uuid.NewString())
ticket.AccessToken = lo.ToPtr(uuid.NewString())
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
if err := database.C.Save(&ticket).Error; err != nil {
return ticket, err
}
return ticket, nil
}
func PerformTicketCheck(ticket models.AuthTicket, factor models.AuthFactor, code string) (models.AuthTicket, error) {
if ticket.AvailableAt != nil {
return ticket, nil
} else if ticket.StepRemain <= 0 {
return ticket, nil
}
if lo.Contains(ticket.FactorTrail, int(factor.ID)) {
return ticket, fmt.Errorf("already checked this ticket with factor %d", factor.ID)
}
if err := CheckFactor(factor, code); err != nil {
return ticket, fmt.Errorf("invalid code: %v", err)
}
ticket.RequireMFA = false
ticket.StepRemain--
ticket.FactorTrail = append(ticket.FactorTrail, int(factor.ID))
if !ticket.RequireAuthenticate && !ticket.RequireMFA {
ticket.AvailableAt = lo.ToPtr(time.Now())
ticket.GrantToken = lo.ToPtr(uuid.NewString())
ticket.AccessToken = lo.ToPtr(uuid.NewString())
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
}
if err := database.C.Save(&ticket).Error; err != nil {
return ticket, err
if ticket.IsCanBeAvailble() == nil {
return ActiveTicket(ticket)
} else {
if err := database.C.Save(&ticket).Error; err != nil {
return ticket, err
}
}
return ticket, nil