✨ Bot token aka. API token

2024-08-24 20:28:10 +08:00 · 2024-08-24 20:28:10 +08:00 · 8f61253bd3
commit 8f61253bd3
parent 516f5593de
12 changed files with 248 additions and 55 deletions
--- a/.idea/workspace.xml
+++ b/.idea/workspace.xml
@ -4,14 +4,19 @@
    <option name="autoReloadType" value="ALL" />
  </component>
  <component name="ChangeListManager">
-    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":alien: Change avatar and banner id to string">
+    <list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":card_file_box: Update modeling">
+      <change afterPath="$PROJECT_DIR$/pkg/internal/models/bot.go" afterDir="false" />
+      <change afterPath="$PROJECT_DIR$/pkg/internal/server/api/bot_token_api.go" afterDir="false" />
+      <change afterPath="$PROJECT_DIR$/pkg/internal/services/bot_token.go" afterDir="false" />
      <change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/internal/models/accounts.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/models/accounts.go" afterDir="false" />
      <change beforePath="$PROJECT_DIR$/pkg/internal/models/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/models/auth.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/internal/models/events.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/models/events.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/internal/models/notifications.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/models/notifications.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/internal/server/api/userinfo_api.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/server/api/userinfo_api.go" afterDir="false" />
-      <change beforePath="$PROJECT_DIR$/pkg/internal/services/cleaner.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/cleaner.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/internal/server/api/index.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/server/api/index.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/internal/server/api/oauth_api.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/server/api/oauth_api.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/internal/services/encryptor.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/encrypt.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/internal/services/mfa.go" beforeDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/internal/services/ticker_maintainer.go" beforeDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/internal/services/ticket.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/ticket.go" afterDir="false" />
+      <change beforePath="$PROJECT_DIR$/pkg/internal/services/ticket_token.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/ticket_token.go" afterDir="false" />
    </list>
    <option name="SHOW_DIALOG" value="false" />
    <option name="HIGHLIGHT_CONFLICTS" value="true" />
@ -158,7 +163,6 @@
    </option>
  </component>
  <component name="VcsManagerConfiguration">
-    <MESSAGE value=":sparkles: Admin notify one user" />
    <MESSAGE value=":sparkles: Admin check users' auth factor" />
    <MESSAGE value=":sparkles: Admin panel &amp; users, users' permissions management" />
    <MESSAGE value=":bug: Fix clear function doesn't real clear items in slice" />
@ -183,7 +187,8 @@
    <MESSAGE value=":bug: Fix internal token audience update isn't fully applied" />
    <MESSAGE value=":arrow_up: Implement list user relative grpc function" />
    <MESSAGE value=":alien: Change avatar and banner id to string" />
-    <option name="LAST_COMMIT_MESSAGE" value=":alien: Change avatar and banner id to string" />
+    <MESSAGE value=":card_file_box: Update modeling" />
+    <option name="LAST_COMMIT_MESSAGE" value=":card_file_box: Update modeling" />
  </component>
  <component name="VgoProject">
    <settings-migrated>true</settings-migrated>
--- a/pkg/internal/models/auth.go
+++ b/pkg/internal/models/auth.go
@ -46,8 +46,6 @@ type AuthTicket struct {

 	Account   Account `json:"account"`
 	AccountID uint    `json:"account_id"`
-
-	IsApiKey bool `json:"is_api_key"`
 }

 func (v AuthTicket) IsAvailable() error {
--- a/pkg/internal/models/bot.go
+++ b/pkg/internal/models/bot.go
@ -0,0 +1,11 @@
+package models
+
+type ApiKey struct {
+	BaseModel
+
+	Name        string     `json:"name"`
+	Description string     `json:"description"`
+	Lifecycle   *int64     `json:"lifecycle"`
+	Ticket      AuthTicket `json:"ticket" gorm:"TicketID"`
+	TicketID    uint       `json:"ticket_id"`
+}
--- a/pkg/internal/server/api/bot_token_api.go
+++ b/pkg/internal/server/api/bot_token_api.go
@ -0,0 +1,142 @@
+package api
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/server/exts"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/services"
+	"github.com/gofiber/fiber/v2"
+)
+
+func listBotKeys(c *fiber.Ctx) error {
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	var keys []models.ApiKey
+	if err := database.C.Where("account_id = ?", user.ID).Find(&keys).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	return c.JSON(keys)
+}
+
+func getBotKey(c *fiber.Ctx) error {
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	id, _ := c.ParamsInt("id", 0)
+
+	var key models.ApiKey
+	if err := database.C.Where("id = ? AND account_id = ?", id, user.ID).First(&key).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	return c.JSON(key)
+}
+
+func createBotKey(c *fiber.Ctx) error {
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	var data struct {
+		Name        string   `json:"name" validate:"required"`
+		Description string   `json:"description"`
+		Lifecycle   *int64   `json:"lifecycle"`
+		Claims      []string `json:"claims"`
+	}
+
+	if err := exts.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	key, err := services.NewApiKey(user, models.ApiKey{
+		Name:        data.Name,
+		Description: data.Description,
+		Lifecycle:   data.Lifecycle,
+	}, c.IP(), c.Get(fiber.HeaderUserAgent), data.Claims)
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return c.JSON(key)
+}
+
+func editBotKey(c *fiber.Ctx) error {
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	var data struct {
+		Name        string `json:"name" validate:"required"`
+		Description string `json:"description"`
+		Lifecycle   *int64 `json:"lifecycle"`
+	}
+
+	if err := exts.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	id, _ := c.ParamsInt("id", 0)
+
+	var key models.ApiKey
+	if err := database.C.Where("id = ? AND account_id = ?", id, user.ID).First(&key).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	key.Name = data.Name
+	key.Description = data.Description
+	key.Lifecycle = data.Lifecycle
+
+	if err := database.C.Save(&key).Error; err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return c.JSON(key)
+}
+
+func rollBotKey(c *fiber.Ctx) error {
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	id, _ := c.ParamsInt("id", 0)
+
+	var key models.ApiKey
+	if err := database.C.Where("id = ? AND account_id = ?", id, user.ID).First(&key).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	if key, err := services.RollApiKey(key); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.JSON(key)
+	}
+}
+
+func revokeBotKey(c *fiber.Ctx) error {
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	id, _ := c.ParamsInt("id", 0)
+
+	var key models.ApiKey
+	if err := database.C.Where("id = ? AND account_id = ?", id, user.ID).First(&key).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	if err := database.C.Delete(&key).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	return c.JSON(key)
+}
--- a/pkg/internal/server/api/index.go
+++ b/pkg/internal/server/api/index.go
@ -100,6 +100,16 @@ func MapAPIs(app *fiber.App, baseURL string) {
 		developers := api.Group("/dev").Name("Developers API")
 		{
 			developers.Post("/notify", notifyUser)
+
+			keys := developers.Group("/keys").Name("Keys")
+			{
+				keys.Get("/", listBotKeys)
+				keys.Get("/:id", getBotKey)
+				keys.Post("/", createBotKey)
+				keys.Post("/:id/roll", rollBotKey)
+				keys.Put("/:id", editBotKey)
+				keys.Delete("/:id", revokeBotKey)
+			}
 		}

 		api.All("/*", func(c *fiber.Ctx) error {
--- a/pkg/internal/server/api/oauth_api.go
+++ b/pkg/internal/server/api/oauth_api.go
@ -44,7 +44,7 @@ func tryAuthorizeThirdClient(c *fiber.Ctx) error {
 				"ticket": nil,
 			})
 		} else {
-			ticket, err = services.RegenSession(ticket)
+			ticket, err = services.RotateTicket(ticket)
 		}

 		return c.JSON(fiber.Map{
--- a/pkg/internal/services/bot_token.go
+++ b/pkg/internal/services/bot_token.go
@ -0,0 +1,53 @@
+package services
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
+	"github.com/google/uuid"
+	"github.com/samber/lo"
+	"time"
+)
+
+func NewApiKey(user models.Account, key models.ApiKey, ip, ua string, claims []string) (models.ApiKey, error) {
+	var expiredAt *time.Time
+	if key.Lifecycle != nil {
+		expiredAt = lo.ToPtr(time.Now().Add(time.Duration(*key.Lifecycle) * time.Second))
+	}
+
+	key.Ticket = models.AuthTicket{
+		IpAddress:           ip,
+		UserAgent:           ua,
+		RequireMFA:          false,
+		RequireAuthenticate: false,
+		Claims:              claims,
+		Audiences:           []string{InternalTokenAudience},
+		GrantToken:          lo.ToPtr(uuid.NewString()),
+		AccessToken:         lo.ToPtr(uuid.NewString()),
+		RefreshToken:        lo.ToPtr(uuid.NewString()),
+		AvailableAt:         lo.ToPtr(time.Now()),
+		ExpiredAt:           expiredAt,
+		Account:             user,
+		AccountID:           user.ID,
+	}
+
+	if err := database.C.Save(&key).Error; err != nil {
+		return key, err
+	}
+	return key, nil
+}
+
+func RollApiKey(key models.ApiKey) (models.ApiKey, error) {
+	var ticket models.AuthTicket
+	if err := database.C.Where("ticket_id = ?", key.TicketID).First(&ticket).Error; err != nil {
+		return key, err
+	}
+
+	ticket, err := RotateTicket(ticket)
+	if err != nil {
+		return key, err
+	} else {
+		key.Ticket = ticket
+	}
+
+	return key, nil
+}
--- a/pkg/internal/services/encryptor.go
+++ b/pkg/internal/services/encryptor.go
--- a/pkg/internal/services/mfa.go
+++ b/pkg/internal/services/mfa.go
@ -1,18 +0,0 @@
-package services
-
-import (
-	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
-	"github.com/nicksnyder/go-i18n/v2/i18n"
-)
-
-func GetFactorName(w models.AuthFactorType, localizer *i18n.Localizer) string {
-	unknown, _ := localizer.LocalizeMessage(&i18n.Message{ID: "unknown"})
-	mfaEmail, _ := localizer.LocalizeMessage(&i18n.Message{ID: "mfaFactorEmail"})
-
-	switch w {
-	case models.EmailPasswordFactor:
-		return mfaEmail
-	default:
-		return unknown
-	}
-}
--- a/pkg/internal/services/ticker_maintainer.go
+++ b/pkg/internal/services/ticker_maintainer.go
@ -1,24 +0,0 @@
-package services
-
-import (
-	"time"
-
-	"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
-	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
-	"github.com/rs/zerolog/log"
-)
-
-func DoAutoSignoff() {
-	duration := 7 * 24 * time.Hour
-	deadline := time.Now().Add(-duration)
-
-	log.Debug().Time("before", deadline).Msg("Now signing off tickets...")
-
-	if tx := database.C.
-		Where("last_grant_at < ?", deadline).
-		Delete(&models.AuthTicket{}); tx.Error != nil {
-		log.Error().Err(tx.Error).Msg("An error occurred when running auto sign off...")
-	} else {
-		log.Debug().Int64("affected", tx.RowsAffected).Msg("Auto sign off accomplished.")
-	}
-}
--- a/pkg/internal/services/ticket.go
+++ b/pkg/internal/services/ticket.go
@ -2,6 +2,7 @@ package services

 import (
 	"fmt"
+	"github.com/rs/zerolog/log"
 	"time"

 	"github.com/google/uuid"
@ -146,10 +147,25 @@ func ActiveTicketWithMFA(ticket models.AuthTicket, factor models.AuthFactor, cod
 	return ticket, nil
 }

-func RegenSession(ticket models.AuthTicket) (models.AuthTicket, error) {
+func RotateTicket(ticket models.AuthTicket) (models.AuthTicket, error) {
 	ticket.GrantToken = lo.ToPtr(uuid.NewString())
 	ticket.AccessToken = lo.ToPtr(uuid.NewString())
 	ticket.RefreshToken = lo.ToPtr(uuid.NewString())
 	err := database.C.Save(&ticket).Error
 	return ticket, err
 }
+
+func DoAutoSignoff() {
+	duration := 7 * 24 * time.Hour
+	deadline := time.Now().Add(-duration)
+
+	log.Debug().Time("before", deadline).Msg("Now signing off tickets...")
+
+	if tx := database.C.
+		Where("last_grant_at < ?", deadline).
+		Delete(&models.AuthTicket{}); tx.Error != nil {
+		log.Error().Err(tx.Error).Msg("An error occurred when running auto sign off...")
+	} else {
+		log.Debug().Int64("affected", tx.RowsAffected).Msg("Auto sign off accomplished.")
+	}
+}
--- a/pkg/internal/services/ticket_token.go
+++ b/pkg/internal/services/ticket_token.go
@ -113,7 +113,7 @@ func RefreshToken(token string) (atk, rtk string, err error) {
 		return
 	}

-	if ticket, err = RegenSession(ticket); err != nil {
+	if ticket, err = RotateTicket(ticket); err != nil {
 		return
 	} else {
 		return GetToken(ticket)