Passport/pkg/internal/services/ticket.go

175 lines
4.5 KiB
Go
Raw Normal View History

2024-04-20 11:04:33 +00:00
package services
import (
"fmt"
2024-08-24 12:28:10 +00:00
"github.com/rs/zerolog/log"
2024-04-20 11:04:33 +00:00
"time"
"github.com/google/uuid"
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
2024-04-20 11:04:33 +00:00
"github.com/samber/lo"
)
const InternalTokenAudience = "solar-network"
2024-07-28 11:50:49 +00:00
2024-04-20 11:04:33 +00:00
func DetectRisk(user models.Account, ip, ua string) bool {
2024-06-26 07:17:10 +00:00
var clue int64
if err := database.C.
Where(models.AuthTicket{AccountID: user.ID, IpAddress: ip}).
Where("available_at IS NOT NULL").
Model(models.AuthTicket{}).
2024-06-26 07:17:10 +00:00
Count(&clue).Error; err == nil {
if clue >= 1 {
2024-04-20 11:04:33 +00:00
return false
}
}
return true
}
func NewTicket(user models.Account, ip, ua string) (models.AuthTicket, error) {
var ticket models.AuthTicket
if err := database.C.
Where("account_id = ? AND expired_at < ? AND available_at IS NULL", time.Now(), user.ID).
First(&ticket).Error; err == nil {
2024-04-20 11:04:33 +00:00
return ticket, nil
}
requireMFA := DetectRisk(user, ip, ua)
if count := CountUserFactor(user.ID); count <= 1 {
requireMFA = false
}
2024-04-20 11:04:33 +00:00
ticket = models.AuthTicket{
2024-04-20 14:50:09 +00:00
Claims: []string{"*"},
2024-07-28 11:50:49 +00:00
Audiences: []string{InternalTokenAudience},
2024-04-20 14:50:09 +00:00
IpAddress: ip,
UserAgent: ua,
RequireMFA: requireMFA,
2024-04-20 14:50:09 +00:00
RequireAuthenticate: true,
2024-04-21 04:20:06 +00:00
ExpiredAt: nil,
2024-04-20 14:50:09 +00:00
AvailableAt: nil,
AccountID: user.ID,
2024-04-20 11:04:33 +00:00
}
err := database.C.Save(&ticket).Error
return ticket, err
}
func NewOauthTicket(
user models.Account,
client models.ThirdClient,
claims, audiences []string,
2024-07-28 14:30:51 +00:00
ip, ua string, nonce *string,
2024-04-20 11:04:33 +00:00
) (models.AuthTicket, error) {
2024-07-28 14:30:51 +00:00
if nonce != nil && len(*nonce) == 0 {
nonce = nil
}
2024-04-20 11:04:33 +00:00
ticket := models.AuthTicket{
Claims: claims,
Audiences: audiences,
IpAddress: ip,
UserAgent: ua,
GrantToken: lo.ToPtr(uuid.NewString()),
AccessToken: lo.ToPtr(uuid.NewString()),
RefreshToken: lo.ToPtr(uuid.NewString()),
AvailableAt: lo.ToPtr(time.Now()),
2024-06-26 06:47:34 +00:00
ExpiredAt: lo.ToPtr(time.Now().Add(7 * 24 * time.Hour)),
2024-07-28 14:30:51 +00:00
Nonce: nonce,
2024-04-20 11:04:33 +00:00
ClientID: &client.ID,
AccountID: user.ID,
}
if err := database.C.Save(&ticket).Error; err != nil {
return ticket, err
}
return ticket, nil
}
func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models.AuthTicket, error) {
if ticket.AvailableAt != nil {
return ticket, nil
} else if !ticket.RequireAuthenticate {
2024-04-20 14:50:09 +00:00
return ticket, nil
2024-04-20 11:04:33 +00:00
}
if factor, err := GetPasswordTypeFactor(ticket.AccountID); err != nil {
2024-04-20 11:04:33 +00:00
return ticket, fmt.Errorf("unable to active ticket: %v", err)
} else if err = CheckFactor(factor, password); err != nil {
return ticket, err
}
ticket.RequireAuthenticate = false
2024-04-20 11:04:33 +00:00
if !ticket.RequireAuthenticate && !ticket.RequireMFA {
ticket.AvailableAt = lo.ToPtr(time.Now())
ticket.GrantToken = lo.ToPtr(uuid.NewString())
ticket.AccessToken = lo.ToPtr(uuid.NewString())
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
2024-04-20 11:04:33 +00:00
}
if err := database.C.Save(&ticket).Error; err != nil {
return ticket, err
}
return ticket, nil
}
func ActiveTicketWithMFA(ticket models.AuthTicket, factor models.AuthFactor, code string) (models.AuthTicket, error) {
if ticket.AvailableAt != nil {
return ticket, nil
} else if !ticket.RequireMFA {
return ticket, nil
}
if err := CheckFactor(factor, code); err != nil {
return ticket, fmt.Errorf("invalid code: %v", err)
}
ticket.RequireMFA = false
if !ticket.RequireAuthenticate && !ticket.RequireMFA {
ticket.AvailableAt = lo.ToPtr(time.Now())
ticket.GrantToken = lo.ToPtr(uuid.NewString())
ticket.AccessToken = lo.ToPtr(uuid.NewString())
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
2024-04-20 11:04:33 +00:00
}
if err := database.C.Save(&ticket).Error; err != nil {
return ticket, err
}
return ticket, nil
}
func RotateTicket(ticket models.AuthTicket, fullyRestart ...bool) (models.AuthTicket, error) {
ticket.GrantToken = lo.ToPtr(uuid.NewString())
ticket.AccessToken = lo.ToPtr(uuid.NewString())
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
if len(fullyRestart) > 0 && fullyRestart[0] {
ticket.LastGrantAt = nil
}
err := database.C.Save(&ticket).Error
return ticket, err
2024-04-20 11:04:33 +00:00
}
2024-08-24 12:28:10 +00:00
func DoAutoSignoff() {
duration := 7 * 24 * time.Hour
deadline := time.Now().Add(-duration)
log.Debug().Time("before", deadline).Msg("Now signing off tickets...")
if tx := database.C.
Where("last_grant_at < ?", deadline).
Delete(&models.AuthTicket{}); tx.Error != nil {
log.Error().Err(tx.Error).Msg("An error occurred when running auto sign off...")
} else {
log.Debug().Int64("affected", tx.RowsAffected).Msg("Auto sign off accomplished.")
}
}