✨ Admin check users' auth factor

.idea/workspace.xml

@@ -4,14 +4,12 @@
     <option name="autoReloadType" value="ALL" />
   </component>
   <component name="ChangeListManager">
-    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":recycle: Optimized the initial permission system">
+    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":sparkles: Admin notify one user">
-      <change afterPath="$PROJECT_DIR$/pkg/internal/models/audit.go" afterDir="false" />
+      <change afterPath="$PROJECT_DIR$/pkg/internal/server/admin/factors_api.go" afterDir="false" />
-      <change afterPath="$PROJECT_DIR$/pkg/internal/server/admin/permissions_api.go" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/internal/database/migrator.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/database/migrator.go" afterDir="false" />
       <change beforePath="$PROJECT_DIR$/pkg/internal/server/admin/index.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/server/admin/index.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/internal/services/events.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/events.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/internal/server/admin/user_api.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/server/admin/users_api.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/main.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/main.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/settings.toml" beforeDir="false" afterPath="$PROJECT_DIR$/settings.toml" afterDir="false" />
     </list>
     <option name="SHOW_DIALOG" value="false" />
     <option name="HIGHLIGHT_CONFLICTS" value="true" />
@@ -157,9 +155,6 @@
     </option>
   </component>
   <component name="VcsManagerConfiguration">
-    <MESSAGE value=":sparkles: Status system" />
-    <MESSAGE value=":bug: Fix status expired in cache" />
-    <MESSAGE value=":bug: Fix online condition" />
     <MESSAGE value=":sparkles: Last seen at" />
     <MESSAGE value=":sparkles: Edit, delete current status" />
     <MESSAGE value=":bug: Fix clear status affected the statutes cleared before" />
@@ -182,7 +177,10 @@
     <MESSAGE value=":sparkles: Reset password APIs" />
     <MESSAGE value=":sparkles: Password reset &amp; user lookup API" />
     <MESSAGE value=":recycle: Optimized the initial permission system" />
-    <option name="LAST_COMMIT_MESSAGE" value=":recycle: Optimized the initial permission system" />
+    <MESSAGE value=":zap: Optimized audit, event logging system&#10;:sparkles: Audit logs&#10;:sparkles: Admin edit user permissions" />
+    <MESSAGE value=":sparkles: Admin force confirm account" />
+    <MESSAGE value=":sparkles: Admin notify one user" />
+    <option name="LAST_COMMIT_MESSAGE" value=":sparkles: Admin notify one user" />
   </component>
   <component name="VgoProject">
     <settings-migrated>true</settings-migrated>

pkg/internal/server/admin/factors_api.go

@@ -0,0 +1,40 @@
+package admin
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/server/exts"
+	"github.com/gofiber/fiber/v2"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/samber/lo"
+)
+
+func getUserAuthFactors(c *fiber.Ctx) error {
+	userId, _ := c.ParamsInt("user")
+
+	if err := exts.EnsureGrantedPerm(c, "AdminAuthFactors", true); err != nil {
+		return err
+	}
+
+	var factors []models.AuthFactor
+	if err := database.C.Where("account_id = ?", userId).Find(&factors).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	encodedResp := lo.Map(factors, func(item models.AuthFactor, idx int) map[string]any {
+		var encoded map[string]any
+		raw, _ := jsoniter.Marshal(item)
+		_ = jsoniter.Unmarshal(raw, &encoded)
+
+		// Blur out the secret if it isn't current rolling email one-time-password
+		if item.Type != models.EmailPasswordFactor && len(item.Secret) != 6 {
+			encoded["secret"] = "**CENSORED**"
+		} else {
+			encoded["secret"] = item.Secret
+		}
+
+		return encoded
+	})
+
+	return c.JSON(encodedResp)
+}

pkg/internal/server/admin/index.go

@@ -11,7 +11,12 @@ func MapAdminAPIs(app *fiber.App) {
 		admin.Delete("/badges/:badgeId", revokeBadge)
 
 		admin.Post("/notify/all", notifyAllUser)
+		admin.Post("/notify/:user", notifyOneUser)
 
+		admin.Get("/users", listUser)
+		admin.Get("/users/:user", getUser)
+		admin.Get("/users/:user/factors", getUserAuthFactors)
 		admin.Put("/users/:user/permissions", editUserPermission)
+		admin.Post("/users/:user/confirm", forceConfirmAccount)
 	}
 }

pkg/internal/server/admin/notify_api.go

@@ -27,10 +27,15 @@ func notifyAllUser(c *fiber.Ctx) error {
 	if err := exts.EnsureGrantedPerm(c, "AdminNotifyAll", true); err != nil {
 		return err
 	}
+	operator := c.Locals("user").(models.Account)
 
 	var users []models.Account
 	if err := database.C.Find(&users).Error; err != nil {
 		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	} else {
+		services.AddAuditRecord(operator, "notify.all", c.IP(), c.Get(fiber.HeaderUserAgent), map[string]any{
+			"payload": data,
+		})
 	}
 
 	go func() {
@@ -59,3 +64,57 @@ func notifyAllUser(c *fiber.Ctx) error {
 
 	return c.SendStatus(fiber.StatusOK)
 }
+
+func notifyOneUser(c *fiber.Ctx) error {
+	var data struct {
+		Type        string                    `json:"type" validate:"required"`
+		Subject     string                    `json:"subject" validate:"required,max=1024"`
+		Content     string                    `json:"content" validate:"required,max=4096"`
+		Metadata    map[string]any            `json:"metadata"`
+		Links       []models.NotificationLink `json:"links"`
+		IsForcePush bool                      `json:"is_force_push"`
+		IsRealtime  bool                      `json:"is_realtime"`
+		UserID      uint                      `json:"user_id"`
+	}
+
+	if err := exts.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	if err := exts.EnsureGrantedPerm(c, "AdminNotifyAll", true); err != nil {
+		return err
+	}
+	operator := c.Locals("user").(models.Account)
+
+	var user models.Account
+	if err := database.C.Where("id = ?", data.UserID).First(&user).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	} else {
+		services.AddAuditRecord(operator, "notify.one", c.IP(), c.Get(fiber.HeaderUserAgent), map[string]any{
+			"user_id": user.ID,
+			"payload": data,
+		})
+	}
+
+	notification := models.Notification{
+		Type:        data.Type,
+		Subject:     data.Subject,
+		Content:     data.Content,
+		Links:       data.Links,
+		IsRealtime:  data.IsRealtime,
+		IsForcePush: data.IsForcePush,
+		RecipientID: user.ID,
+	}
+
+	if data.IsRealtime {
+		if err := services.PushNotification(notification); err != nil {
+			log.Error().Err(err).Uint("user", user.ID).Msg("Failed to push notification...")
+		}
+	} else {
+		if err := services.NewNotification(notification); err != nil {
+			log.Error().Err(err).Uint("user", user.ID).Msg("Failed to create notification...")
+		}
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}

pkg/internal/server/admin/permissions_api.go

@@ -37,6 +37,7 @@ func editUserPermission(c *fiber.Ctx) error {
 		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
 	} else {
 		services.AddAuditRecord(operator, "user.permissions.edit", c.IP(), c.Get(fiber.HeaderUserAgent), map[string]any{
+			"user_id":              user.ID,
 			"previous_permissions": prev,
 			"new_permissions":      data.PermNodes,
 		})

pkg/internal/server/admin/users_api.go

@@ -0,0 +1,73 @@
+package admin
+
+import "C"
+import (
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/server/exts"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/services"
+	"github.com/gofiber/fiber/v2"
+)
+
+func listUser(c *fiber.Ctx) error {
+	take := c.QueryInt("take", 0)
+	offset := c.QueryInt("offset", 0)
+
+	if err := exts.EnsureGrantedPerm(c, "AdminUser", true); err != nil {
+		return err
+	}
+
+	var count int64
+	if err := database.C.Model(&models.Account{}).Count(&count).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+	var items []models.Account
+	if err := database.C.Offset(offset).Limit(take).Find(&items).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	return c.JSON(fiber.Map{
+		"count": count,
+		"data":  items,
+	})
+}
+
+func getUser(c *fiber.Ctx) error {
+	userId, _ := c.ParamsInt("user")
+
+	if err := exts.EnsureGrantedPerm(c, "AdminUser", true); err != nil {
+		return err
+	}
+
+	var user models.Account
+	if err := database.C.Where("id = ?", userId).First(&user).Error; err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("account was not found: %v", err))
+	}
+
+	return c.JSON(user)
+}
+
+func forceConfirmAccount(c *fiber.Ctx) error {
+	userId, _ := c.ParamsInt("user")
+
+	if err := exts.EnsureGrantedPerm(c, "AdminUserConfirmation", true); err != nil {
+		return err
+	}
+	operator := c.Locals("user").(models.Account)
+
+	var user models.Account
+	if err := database.C.Where("id = ?", userId).First(&user).Error; err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("account was not found: %v", err))
+	}
+
+	if err := services.ForceConfirmAccount(user); err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	} else {
+		services.AddAuditRecord(operator, "user.confirm", c.IP(), c.Get(fiber.HeaderUserAgent), map[string]any{
+			"user_id": user.ID,
+		})
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}

pkg/internal/services/accounts.go

@@ -11,7 +11,6 @@ import (
 	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
 	"github.com/google/uuid"
 	"github.com/samber/lo"
-	"gorm.io/gorm"
 )
 
 func GetAccount(id uint) (models.Account, error) {
@@ -112,28 +111,33 @@ func ConfirmAccount(code string) error {
 		return err
 	}
 
-	return database.C.Transaction(func(tx *gorm.DB) error {
+	if err = ForceConfirmAccount(user); err != nil {
-		user.ConfirmedAt = lo.ToPtr(time.Now())
+		return err
+	} else {
+		database.C.Delete(&token)
+	}
 
-		for k, v := range viper.GetStringMap("permissions.verified") {
+	return nil
-			if val, ok := user.PermNodes[k]; !ok {
+}
-				user.PermNodes[k] = v
+
-			} else {
+func ForceConfirmAccount(user models.Account) error {
-				user.PermNodes[k] = val
+	user.ConfirmedAt = lo.ToPtr(time.Now())
-			}
+
+	for k, v := range viper.GetStringMap("permissions.verified") {
+		if val, ok := user.PermNodes[k]; !ok {
+			user.PermNodes[k] = v
+		} else {
+			user.PermNodes[k] = val
 		}
+	}
 
-		if err := database.C.Delete(&token).Error; err != nil {
+	if err := database.C.Save(&user).Error; err != nil {
-			return err
+		return err
-		}
+	}
-		if err := database.C.Save(&user).Error; err != nil {
-			return err
-		}
 
-		InvalidAuthCacheWithUser(user.ID)
+	InvalidAuthCacheWithUser(user.ID)
 
-		return nil
+	return nil
-	})
 }
 
 func CheckAbleToResetPassword(user models.Account) error {

pkg/internal/services/events.go

@@ -31,7 +31,7 @@ func AddAuditRecord(operator models.Account, act, ip, ua string, metadata map[st
 	})
 }
 
-// SaveEventChanges runs every 60 seconds to save events / audits changes into database
+// SaveEventChanges runs every 60 seconds to save events / audits changes into the database
 func SaveEventChanges() {
 	if len(writeEventQueue) > 0 {
 		count := len(writeEventQueue)

pkg/internal/services/notifications.go

@@ -42,6 +42,7 @@ func AddNotifySubscriber(user models.Account, provider, id, tk, ua string) (mode
 	return subscriber, err
 }
 
+// NewNotification will create a notification and push via the push method it
 func NewNotification(notification models.Notification) error {
 	if err := database.C.Save(&notification).Error; err != nil {
 		return err
@@ -54,6 +55,9 @@ func NewNotification(notification models.Notification) error {
 	return nil
 }
 
+// PushNotification will push the notification what ever it is exists record in the database
+// Recommend push another goroutine when you need to push a lot of notification
+// And just use block statement when you just push one notification, the time of create a new sub-process is much more than push notification
 func PushNotification(notification models.Notification) error {
 	for conn := range wsConn[notification.RecipientID] {
 		_ = conn.WriteMessage(1, models.UnifiedCommand{
@@ -62,7 +66,7 @@ func PushNotification(notification models.Notification) error {
 		}.Marshal())
 	}
 
-	// Skip push notify
+	// Skip push notification
 	if GetStatusDisturbable(notification.RecipientID) != nil {
 		return nil
 	}

settings.toml

@@ -44,10 +44,10 @@ dsn = "host=localhost user=postgres password=password dbname=hy_passport port=54
 prefix = "passport_"
 
 [permissions.default]
-CreatePost = true
+CreatePosts = true
 CreateAttachments = 1048576
 
 [permissions.verified]
-CreateRealm = true
+CreateRealms = true
-CreateArticle = true
+CreateArticles = true
 CreateAttachments = 26214400