Passport/pkg/internal/services/ticket.go

package services

import (
	"fmt"
	"gorm.io/datatypes"
	"time"

	"github.com/rs/zerolog/log"

	"github.com/google/uuid"

	"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
	"github.com/samber/lo"
)

const InternalTokenAudience = "solar-network"

// DetectRisk is used for detect user environment is suitable for no multifactorial authenticating or not.
// Return the remaining steps, value is from 1 to 2, may appear 3 if user enabled the third-authentication-factor.
func DetectRisk(user models.Account, ip, ua string) int {
	var clue int64
	if err := database.C.
		Where(models.AuthTicket{AccountID: user.ID, IpAddress: ip}).
		Where("available_at IS NOT NULL").
		Model(models.AuthTicket{}).
		Count(&clue).Error; err == nil {
		if clue >= 1 {
			return 1
		}
	}

	return 3
}

// PickTicketAttempt is trying to pick up the ticket that hasn't completed but created by a same client (identify by ip address).
// Then the client can continue their journey to get ticket activated.
func PickTicketAttempt(user models.Account, ip string) (models.AuthTicket, error) {
	var ticket models.AuthTicket
	if err := database.C.
		Where("account_id = ? AND ip_address = ? AND expired_at < ? AND available_at IS NULL", user.ID, ip, time.Now()).
		First(&ticket).Error; err != nil {
		return ticket, err
	}
	return ticket, nil
}

func NewTicket(user models.Account, ip, ua string) (models.AuthTicket, error) {
	var ticket models.AuthTicket
	if ticket, err := PickTicketAttempt(user, ip); err == nil {
		return ticket, nil
	}

	steps := DetectRisk(user, ip, ua)
	if count := CountUserFactor(user.ID); count <= 0 {
		return ticket, fmt.Errorf("specified user didn't enable sign in")
	} else {
		steps = min(steps, int(count))

		cfg, err := GetAuthPreference(user)
		if err == nil && cfg.Config.Data().MaximumAuthSteps >= 1 {
			steps = min(steps, cfg.Config.Data().MaximumAuthSteps)
		}
	}

	ticket = models.AuthTicket{
		Claims:      []string{"*"},
		Audiences:   []string{InternalTokenAudience},
		IpAddress:   ip,
		UserAgent:   ua,
		StepRemain:  steps,
		ExpiredAt:   nil,
		AvailableAt: nil,
		AccountID:   user.ID,
	}

	err := database.C.Save(&ticket).Error

	return ticket, err
}

func NewOauthTicket(
	user models.Account,
	client models.ThirdClient,
	claims, audiences []string,
	ip, ua string, nonce *string,
) (models.AuthTicket, error) {
	if nonce != nil && len(*nonce) == 0 {
		nonce = nil
	}

	ticket := models.AuthTicket{
		Claims:       claims,
		Audiences:    audiences,
		IpAddress:    ip,
		UserAgent:    ua,
		GrantToken:   lo.ToPtr(uuid.NewString()),
		AccessToken:  lo.ToPtr(uuid.NewString()),
		RefreshToken: lo.ToPtr(uuid.NewString()),
		AvailableAt:  lo.ToPtr(time.Now()),
		ExpiredAt:    lo.ToPtr(time.Now().Add(7 * 24 * time.Hour)),
		Nonce:        nonce,
		ClientID:     &client.ID,
		AccountID:    user.ID,
	}

	if err := database.C.Save(&ticket).Error; err != nil {
		return ticket, err
	}

	return ticket, nil
}

func ActiveTicket(ticket models.AuthTicket) (models.AuthTicket, error) {
	if ticket.AvailableAt != nil {
		return ticket, nil
	} else if err := ticket.IsCanBeAvailble(); err != nil {
		return ticket, err
	}

	ticket.AvailableAt = lo.ToPtr(time.Now())
	ticket.GrantToken = lo.ToPtr(uuid.NewString())
	ticket.AccessToken = lo.ToPtr(uuid.NewString())
	ticket.RefreshToken = lo.ToPtr(uuid.NewString())

	if err := database.C.Save(&ticket).Error; err != nil {
		return ticket, err
	} else {
		_ = NewNotification(models.Notification{
			Topic:    "passport.security.alert",
			Title:    "New sign in alert",
			Subtitle: lo.ToPtr(fmt.Sprintf("New sign in from %s", ticket.IpAddress)),
			Body:     fmt.Sprintf("Your account just got a new sign in from %s. Make sure you recongize this device, or sign out it immediately and reset password.", ticket.IpAddress),
			Metadata: datatypes.JSONMap{
				"ip_address":   ticket.IpAddress,
				"created_at":   ticket.CreatedAt,
				"available_at": ticket.AvailableAt,
			},
			AccountID:   ticket.AccountID,
			IsForcePush: true,
		})
	}

	return ticket, nil
}

func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models.AuthTicket, error) {
	if ticket.AvailableAt != nil {
		return ticket, nil
	} else if ticket.StepRemain == 1 {
		return ticket, fmt.Errorf("multi-factor authentication required")
	}

	factor, err := GetPasswordTypeFactor(ticket.AccountID)
	if err != nil {
		return ticket, fmt.Errorf("unable to authenticate, password factor was not found: %v", err)
	} else if err := CheckFactor(factor, password); err != nil {
		return ticket, fmt.Errorf("invalid password: %v", err)
	}

	ticket.StepRemain--
	ticket.FactorTrail = append(ticket.FactorTrail, int(factor.ID))

	ticket.AvailableAt = lo.ToPtr(time.Now())
	ticket.GrantToken = lo.ToPtr(uuid.NewString())
	ticket.AccessToken = lo.ToPtr(uuid.NewString())
	ticket.RefreshToken = lo.ToPtr(uuid.NewString())

	if err := database.C.Save(&ticket).Error; err != nil {
		return ticket, err
	}

	return ticket, nil
}

func PerformTicketCheck(ticket models.AuthTicket, factor models.AuthFactor, code string) (models.AuthTicket, error) {
	if ticket.AvailableAt != nil {
		return ticket, nil
	} else if ticket.StepRemain <= 0 {
		return ticket, nil
	}

	if lo.Contains(ticket.FactorTrail, int(factor.ID)) {
		return ticket, fmt.Errorf("already checked this ticket with factor %d", factor.ID)
	}

	if err := CheckFactor(factor, code); err != nil {
		return ticket, fmt.Errorf("invalid code: %v", err)
	}

	ticket.StepRemain--
	ticket.FactorTrail = append(ticket.FactorTrail, int(factor.ID))

	if ticket.IsCanBeAvailble() == nil {
		return ActiveTicket(ticket)
	} else {
		if err := database.C.Save(&ticket).Error; err != nil {
			return ticket, err
		}
	}

	return ticket, nil
}

func RotateTicket(ticket models.AuthTicket, fullyRestart ...bool) (models.AuthTicket, error) {
	ticket.GrantToken = lo.ToPtr(uuid.NewString())
	ticket.AccessToken = lo.ToPtr(uuid.NewString())
	ticket.RefreshToken = lo.ToPtr(uuid.NewString())
	if len(fullyRestart) > 0 && fullyRestart[0] {
		ticket.LastGrantAt = nil
	}
	err := database.C.Save(&ticket).Error
	return ticket, err
}

func DoAutoSignoff() {
	duration := 7 * 24 * time.Hour
	deadline := time.Now().Add(-duration)

	log.Debug().Time("before", deadline).Msg("Now signing off tickets...")

	if tx := database.C.
		Where("last_grant_at < ?", deadline).
		Delete(&models.AuthTicket{}); tx.Error != nil {
		log.Error().Err(tx.Error).Msg("An error occurred when running auto sign off...")
	} else {
		log.Debug().Int64("affected", tx.RowsAffected).Msg("Auto sign off accomplished.")
	}
}
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`package services`

			`import (`
			`"fmt"`
:sparkles: New login alert 2024-10-14 14:28:30 +00:00			`"gorm.io/datatypes"`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`"time"`

:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`"github.com/rs/zerolog/log"`

:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`"github.com/google/uuid"`

:bug: Bug fixes on connection and package naming 2024-06-17 14:21:34 +00:00			`"git.solsynth.dev/hydrogen/passport/pkg/internal/database"`
			`"git.solsynth.dev/hydrogen/passport/pkg/internal/models"`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`"github.com/samber/lo"`
			`)`

:recycle: Separate application domain and token issuer 2024-08-12 12:58:20 +00:00			`const InternalTokenAudience = "solar-network"`
:sparkles: Present azp in token 2024-07-28 11:50:49 +00:00
:bug: Bug fixes on multi-factors based authentication 2024-10-13 06:02:48 +00:00			`// DetectRisk is used for detect user environment is suitable for no multifactorial authenticating or not.`
:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`// Return the remaining steps, value is from 1 to 2, may appear 3 if user enabled the third-authentication-factor.`
			`func DetectRisk(user models.Account, ip, ua string) int {`
:bug: Bug fixes 2024-06-26 07:17:10 +00:00			`var clue int64`
:bug: Bug fixes of risk detection :lipstick: Optimized UI 2024-04-30 17:33:11 +00:00			`if err := database.C.`
			`Where(models.AuthTicket{AccountID: user.ID, IpAddress: ip}).`
			`Where("available_at IS NOT NULL").`
			`Model(models.AuthTicket{}).`
:bug: Bug fixes 2024-06-26 07:17:10 +00:00			`Count(&clue).Error; err == nil {`
			`if clue >= 1 {`
:bug: Bug fixes in non-cached notification preferences 2024-10-14 15:45:28 +00:00			`return 1`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`}`
			`}`

:bug: Bug fixes on multi-factors based authentication 2024-10-13 06:02:48 +00:00			`return 3`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`}`

:recycle: Single table to store auth preferences 2024-10-13 04:36:51 +00:00			`// PickTicketAttempt is trying to pick up the ticket that hasn't completed but created by a same client (identify by ip address).`
			`// Then the client can continue their journey to get ticket activated.`
:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`func PickTicketAttempt(user models.Account, ip string) (models.AuthTicket, error) {`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`var ticket models.AuthTicket`
:sparkles: An entire complete sign in user flow 2024-04-20 17:33:42 +00:00			`if err := database.C.`
:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`Where("account_id = ? AND ip_address = ? AND expired_at < ? AND available_at IS NULL", user.ID, ip, time.Now()).`
			`First(&ticket).Error; err != nil {`
			`return ticket, err`
			`}`
			`return ticket, nil`
			`}`

			`func NewTicket(user models.Account, ip, ua string) (models.AuthTicket, error) {`
			`var ticket models.AuthTicket`
			`if ticket, err := PickTicketAttempt(user, ip); err == nil {`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`return ticket, nil`
			`}`

:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`steps := DetectRisk(user, ip, ua)`
			`if count := CountUserFactor(user.ID); count <= 0 {`
			`return ticket, fmt.Errorf("specified user didn't enable sign in")`
			`} else {`
			`steps = min(steps, int(count))`
:recycle: Single table to store auth preferences 2024-10-13 04:36:51 +00:00
			`cfg, err := GetAuthPreference(user)`
			`if err == nil && cfg.Config.Data().MaximumAuthSteps >= 1 {`
			`steps = min(steps, cfg.Config.Data().MaximumAuthSteps)`
:sparkles: Auth config to limit auth steps 2024-10-12 17:45:08 +00:00			`}`
:sparkles: An entire complete sign in user flow 2024-04-20 17:33:42 +00:00			`}`

:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`ticket = models.AuthTicket{`
:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`Claims: []string{"*"},`
			`Audiences: []string{InternalTokenAudience},`
			`IpAddress: ip,`
			`UserAgent: ua,`
			`StepRemain: steps,`
			`ExpiredAt: nil,`
			`AvailableAt: nil,`
			`AccountID: user.ID,`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`}`

			`err := database.C.Save(&ticket).Error`

			`return ticket, err`
			`}`

			`func NewOauthTicket(`
			`user models.Account,`
			`client models.ThirdClient,`
			`claims, audiences []string,`
:sparkles: Present nonce in id token 2024-07-28 14:30:51 +00:00			`ip, ua string, nonce *string,`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`) (models.AuthTicket, error) {`
:sparkles: Present nonce in id token 2024-07-28 14:30:51 +00:00			`if nonce != nil && len(*nonce) == 0 {`
			`nonce = nil`
			`}`

:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`ticket := models.AuthTicket{`
			`Claims: claims,`
			`Audiences: audiences,`
			`IpAddress: ip,`
			`UserAgent: ua,`
			`GrantToken: lo.ToPtr(uuid.NewString()),`
			`AccessToken: lo.ToPtr(uuid.NewString()),`
			`RefreshToken: lo.ToPtr(uuid.NewString()),`
			`AvailableAt: lo.ToPtr(time.Now()),`
:recycle: OAuth authenticate 2024-06-26 06:47:34 +00:00			`ExpiredAt: lo.ToPtr(time.Now().Add(7 * 24 * time.Hour)),`
:sparkles: Present nonce in id token 2024-07-28 14:30:51 +00:00			`Nonce: nonce,`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`ClientID: &client.ID,`
			`AccountID: user.ID,`
			`}`

			`if err := database.C.Save(&ticket).Error; err != nil {`
			`return ticket, err`
			`}`

			`return ticket, nil`
			`}`

:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`func ActiveTicket(ticket models.AuthTicket) (models.AuthTicket, error) {`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`if ticket.AvailableAt != nil {`
			`return ticket, nil`
:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`} else if err := ticket.IsCanBeAvailble(); err != nil {`
			`return ticket, err`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`}`

:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`ticket.AvailableAt = lo.ToPtr(time.Now())`
			`ticket.GrantToken = lo.ToPtr(uuid.NewString())`
			`ticket.AccessToken = lo.ToPtr(uuid.NewString())`
			`ticket.RefreshToken = lo.ToPtr(uuid.NewString())`

			`if err := database.C.Save(&ticket).Error; err != nil {`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`return ticket, err`
:sparkles: New login alert 2024-10-14 14:28:30 +00:00			`} else {`
			`_ = NewNotification(models.Notification{`
			`Topic: "passport.security.alert",`
			`Title: "New sign in alert",`
			`Subtitle: lo.ToPtr(fmt.Sprintf("New sign in from %s", ticket.IpAddress)),`
			`Body: fmt.Sprintf("Your account just got a new sign in from %s. Make sure you recongize this device, or sign out it immediately and reset password.", ticket.IpAddress),`
			`Metadata: datatypes.JSONMap{`
			`"ip_address": ticket.IpAddress,`
			`"created_at": ticket.CreatedAt,`
			`"available_at": ticket.AvailableAt,`
			`},`
			`AccountID: ticket.AccountID,`
			`IsForcePush: true,`
			`})`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`}`

:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`return ticket, nil`
			`}`

			`func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models.AuthTicket, error) {`
			`if ticket.AvailableAt != nil {`
			`return ticket, nil`
			`} else if ticket.StepRemain == 1 {`
			`return ticket, fmt.Errorf("multi-factor authentication required")`
			`}`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00
:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`factor, err := GetPasswordTypeFactor(ticket.AccountID)`
			`if err != nil {`
			`return ticket, fmt.Errorf("unable to authenticate, password factor was not found: %v", err)`
			`} else if err := CheckFactor(factor, password); err != nil {`
			`return ticket, fmt.Errorf("invalid password: %v", err)`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`}`

:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`ticket.StepRemain--`
			`ticket.FactorTrail = append(ticket.FactorTrail, int(factor.ID))`

			`ticket.AvailableAt = lo.ToPtr(time.Now())`
			`ticket.GrantToken = lo.ToPtr(uuid.NewString())`
			`ticket.AccessToken = lo.ToPtr(uuid.NewString())`
			`ticket.RefreshToken = lo.ToPtr(uuid.NewString())`

:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`if err := database.C.Save(&ticket).Error; err != nil {`
			`return ticket, err`
			`}`

			`return ticket, nil`
			`}`

:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`func PerformTicketCheck(ticket models.AuthTicket, factor models.AuthFactor, code string) (models.AuthTicket, error) {`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`if ticket.AvailableAt != nil {`
			`return ticket, nil`
:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`} else if ticket.StepRemain <= 0 {`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`return ticket, nil`
			`}`

:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`if lo.Contains(ticket.FactorTrail, int(factor.ID)) {`
			`return ticket, fmt.Errorf("already checked this ticket with factor %d", factor.ID)`
			`}`

:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`if err := CheckFactor(factor, code); err != nil {`
			`return ticket, fmt.Errorf("invalid code: %v", err)`
			`}`

:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`ticket.StepRemain--`
			`ticket.FactorTrail = append(ticket.FactorTrail, int(factor.ID))`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00
:recycle: Better sign in flow 2024-09-15 18:37:02 +00:00			`if ticket.IsCanBeAvailble() == nil {`
			`return ActiveTicket(ticket)`
			`} else {`
			`if err := database.C.Save(&ticket).Error; err != nil {`
			`return ticket, err`
			`}`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`}`

			`return ticket, nil`
			`}`

:sparkles: Bots aka. automated accounts 2024-08-24 15:49:19 +00:00			`func RotateTicket(ticket models.AuthTicket, fullyRestart ...bool) (models.AuthTicket, error) {`
:sparkles: An entire complete sign in user flow 2024-04-20 17:33:42 +00:00			`ticket.GrantToken = lo.ToPtr(uuid.NewString())`
			`ticket.AccessToken = lo.ToPtr(uuid.NewString())`
			`ticket.RefreshToken = lo.ToPtr(uuid.NewString())`
:sparkles: Bots aka. automated accounts 2024-08-24 15:49:19 +00:00			`if len(fullyRestart) > 0 && fullyRestart[0] {`
			`ticket.LastGrantAt = nil`
			`}`
:sparkles: An entire complete sign in user flow 2024-04-20 17:33:42 +00:00			`err := database.C.Save(&ticket).Error`
			`return ticket, err`
:sparkles: New ticket ways 2024-04-20 11:04:33 +00:00			`}`
:sparkles: Bot token aka. API token 2024-08-24 12:28:10 +00:00
			`func DoAutoSignoff() {`
			`duration := 7 * 24 * time.Hour`
			`deadline := time.Now().Add(-duration)`

			`log.Debug().Time("before", deadline).Msg("Now signing off tickets...")`

			`if tx := database.C.`
			`Where("last_grant_at < ?", deadline).`
			`Delete(&models.AuthTicket{}); tx.Error != nil {`
			`log.Error().Err(tx.Error).Msg("An error occurred when running auto sign off...")`
			`} else {`
			`log.Debug().Int64("affected", tx.RowsAffected).Msg("Auto sign off accomplished.")`
			`}`
			`}`