✨ Bot token aka. API token
This commit is contained in:
parent
516f5593de
commit
8f61253bd3
@ -4,14 +4,19 @@
|
|||||||
<option name="autoReloadType" value="ALL" />
|
<option name="autoReloadType" value="ALL" />
|
||||||
</component>
|
</component>
|
||||||
<component name="ChangeListManager">
|
<component name="ChangeListManager">
|
||||||
<list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":alien: Change avatar and banner id to string">
|
<list default="true" id="3fefb2c4-b6f9-466b-a523-53352e8d6f95" name="更改" comment=":card_file_box: Update modeling">
|
||||||
|
<change afterPath="$PROJECT_DIR$/pkg/internal/models/bot.go" afterDir="false" />
|
||||||
|
<change afterPath="$PROJECT_DIR$/pkg/internal/server/api/bot_token_api.go" afterDir="false" />
|
||||||
|
<change afterPath="$PROJECT_DIR$/pkg/internal/services/bot_token.go" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/.idea/workspace.xml" beforeDir="false" afterPath="$PROJECT_DIR$/.idea/workspace.xml" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/pkg/internal/models/accounts.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/models/accounts.go" afterDir="false" />
|
|
||||||
<change beforePath="$PROJECT_DIR$/pkg/internal/models/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/models/auth.go" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/pkg/internal/models/auth.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/models/auth.go" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/pkg/internal/models/events.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/models/events.go" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/pkg/internal/server/api/index.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/server/api/index.go" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/pkg/internal/models/notifications.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/models/notifications.go" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/pkg/internal/server/api/oauth_api.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/server/api/oauth_api.go" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/pkg/internal/server/api/userinfo_api.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/server/api/userinfo_api.go" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/pkg/internal/services/encryptor.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/encrypt.go" afterDir="false" />
|
||||||
<change beforePath="$PROJECT_DIR$/pkg/internal/services/cleaner.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/cleaner.go" afterDir="false" />
|
<change beforePath="$PROJECT_DIR$/pkg/internal/services/mfa.go" beforeDir="false" />
|
||||||
|
<change beforePath="$PROJECT_DIR$/pkg/internal/services/ticker_maintainer.go" beforeDir="false" />
|
||||||
|
<change beforePath="$PROJECT_DIR$/pkg/internal/services/ticket.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/ticket.go" afterDir="false" />
|
||||||
|
<change beforePath="$PROJECT_DIR$/pkg/internal/services/ticket_token.go" beforeDir="false" afterPath="$PROJECT_DIR$/pkg/internal/services/ticket_token.go" afterDir="false" />
|
||||||
</list>
|
</list>
|
||||||
<option name="SHOW_DIALOG" value="false" />
|
<option name="SHOW_DIALOG" value="false" />
|
||||||
<option name="HIGHLIGHT_CONFLICTS" value="true" />
|
<option name="HIGHLIGHT_CONFLICTS" value="true" />
|
||||||
@ -158,7 +163,6 @@
|
|||||||
</option>
|
</option>
|
||||||
</component>
|
</component>
|
||||||
<component name="VcsManagerConfiguration">
|
<component name="VcsManagerConfiguration">
|
||||||
<MESSAGE value=":sparkles: Admin notify one user" />
|
|
||||||
<MESSAGE value=":sparkles: Admin check users' auth factor" />
|
<MESSAGE value=":sparkles: Admin check users' auth factor" />
|
||||||
<MESSAGE value=":sparkles: Admin panel & users, users' permissions management" />
|
<MESSAGE value=":sparkles: Admin panel & users, users' permissions management" />
|
||||||
<MESSAGE value=":bug: Fix clear function doesn't real clear items in slice" />
|
<MESSAGE value=":bug: Fix clear function doesn't real clear items in slice" />
|
||||||
@ -183,7 +187,8 @@
|
|||||||
<MESSAGE value=":bug: Fix internal token audience update isn't fully applied" />
|
<MESSAGE value=":bug: Fix internal token audience update isn't fully applied" />
|
||||||
<MESSAGE value=":arrow_up: Implement list user relative grpc function" />
|
<MESSAGE value=":arrow_up: Implement list user relative grpc function" />
|
||||||
<MESSAGE value=":alien: Change avatar and banner id to string" />
|
<MESSAGE value=":alien: Change avatar and banner id to string" />
|
||||||
<option name="LAST_COMMIT_MESSAGE" value=":alien: Change avatar and banner id to string" />
|
<MESSAGE value=":card_file_box: Update modeling" />
|
||||||
|
<option name="LAST_COMMIT_MESSAGE" value=":card_file_box: Update modeling" />
|
||||||
</component>
|
</component>
|
||||||
<component name="VgoProject">
|
<component name="VgoProject">
|
||||||
<settings-migrated>true</settings-migrated>
|
<settings-migrated>true</settings-migrated>
|
||||||
|
@ -46,8 +46,6 @@ type AuthTicket struct {
|
|||||||
|
|
||||||
Account Account `json:"account"`
|
Account Account `json:"account"`
|
||||||
AccountID uint `json:"account_id"`
|
AccountID uint `json:"account_id"`
|
||||||
|
|
||||||
IsApiKey bool `json:"is_api_key"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (v AuthTicket) IsAvailable() error {
|
func (v AuthTicket) IsAvailable() error {
|
||||||
|
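--- /dev/null
+++ b/pkg/internal/models/bot.go
@@ -0,0 +1,11 @@
+package models
+
+type ApiKey struct {
+	BaseModel
+
+	Name string `json:"name"`
+	Description string `json:"description"`
+	Lifecycle *int64 `json:"lifecycle"`
+	Ticket AuthTicket `json:"ticket" gorm:"TicketID"`
+	TicketID uint `json:"ticket_id"`
+}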
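Review bot: `ApiKey` declares no owner field, yet every handler in bot_token_api.go scopes its lookup with `account_id = ?`; unless `BaseModel` happens to carry that column, those queries hit a non-existent column and the per-user ownership check only "works" because the query errors out, not by design. Add the owner explicitly, `Account Account `json:"account"`` and `AccountID uint `json:"account_id"``, so the filter resolves to a real column and the key stays attributable to an account even after its ticket is deleted. Separately, `gorm:"TicketID"` is not a `key:value` pair GORM recognises, so the association resolves only because the field follows the default naming; write it as `gorm:"foreignKey:TicketID"` to make the intent explicit.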
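--- /dev/null
+++ b/pkg/internal/server/api/bot_token_api.go
@@ -0,0 +1,142 @@
+package api
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/server/exts"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/services"
+	"github.com/gofiber/fiber/v2"
+)
+
+func listBotKeys(c *fiber.Ctx) error {
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	var keys []models.ApiKey
+	if err := database.C.Where("account_id = ?", user.ID).Find(&keys).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	return c.JSON(keys)
+}
+
+func getBotKey(c *fiber.Ctx) error {
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	id, _ := c.ParamsInt("id", 0)
+
+	var key models.ApiKey
+	if err := database.C.Where("id = ? AND account_id = ?", id, user.ID).First(&key).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	return c.JSON(key)
+}
+
+func createBotKey(c *fiber.Ctx) error {
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	var data struct {
+		Name string `json:"name" validate:"required"`
+		Description string `json:"description"`
+		Lifecycle *int64 `json:"lifecycle"`
+		Claims []string `json:"claims"`
+	}
+
+	if err := exts.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	key, err := services.NewApiKey(user, models.ApiKey{
+		Name: data.Name,
+		Description: data.Description,
+		Lifecycle: data.Lifecycle,
+	}, c.IP(), c.Get(fiber.HeaderUserAgent), data.Claims)
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return c.JSON(key)
+}
+
+func editBotKey(c *fiber.Ctx) error {
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	var data struct {
+		Name string `json:"name" validate:"required"`
+		Description string `json:"description"`
+		Lifecycle *int64 `json:"lifecycle"`
+	}
+
+	if err := exts.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	id, _ := c.ParamsInt("id", 0)
+
+	var key models.ApiKey
+	if err := database.C.Where("id = ? AND account_id = ?", id, user.ID).First(&key).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	key.Name = data.Name
+	key.Description = data.Description
+	key.Lifecycle = data.Lifecycle
+
+	if err := database.C.Save(&key).Error; err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return c.JSON(key)
+}
+
+func rollBotKey(c *fiber.Ctx) error {
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	id, _ := c.ParamsInt("id", 0)
+
+	var key models.ApiKey
+	if err := database.C.Where("id = ? AND account_id = ?", id, user.ID).First(&key).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	if key, err := services.RollApiKey(key); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.JSON(key)
+	}
+}
+
+func revokeBotKey(c *fiber.Ctx) error {
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	id, _ := c.ParamsInt("id", 0)
+
+	var key models.ApiKey
+	if err := database.C.Where("id = ? AND account_id = ?", id, user.ID).First(&key).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	if err := database.C.Delete(&key).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	return c.JSON(key)
+}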
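Review bot: `revokeBotKey` deletes only the `ApiKey` row; the `AuthTicket` it points to, which holds the live access and refresh tokens, stays in the table, so a "revoked" key keeps authenticating until that ticket expires or is swept. Delete the ticket in the same step, e.g. `database.C.Delete(&models.AuthTicket{}, key.TicketID)` alongside the key delete — GORM's `Delete` on a belongs-to association does not cascade, and a `DB`-level cascade would run the other way. The same gap affects `editBotKey`: it rewrites `key.Lifecycle` but never recomputes the ticket's `ExpiredAt`, so shortening a lifecycle after creation has no effect on when the token actually stops working; either recompute and save the ticket there, or make `Lifecycle` immutable after creation. A minor point in all five handlers: the error from `c.ParamsInt("id", 0)` is discarded, which silently turns a malformed id into a lookup for id 0, where `id, err := c.ParamsInt("id")` followed by `if err != nil { return fiber.NewError(fiber.StatusBadRequest, err.Error()) }` is clearer.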
@ -100,6 +100,16 @@ func MapAPIs(app *fiber.App, baseURL string) {
|
|||||||
developers := api.Group("/dev").Name("Developers API")
|
developers := api.Group("/dev").Name("Developers API")
|
||||||
{
|
{
|
||||||
developers.Post("/notify", notifyUser)
|
developers.Post("/notify", notifyUser)
|
||||||
|
|
||||||
|
keys := developers.Group("/keys").Name("Keys")
|
||||||
|
{
|
||||||
|
keys.Get("/", listBotKeys)
|
||||||
|
keys.Get("/:id", getBotKey)
|
||||||
|
keys.Post("/", createBotKey)
|
||||||
|
keys.Post("/:id/roll", rollBotKey)
|
||||||
|
keys.Put("/:id", editBotKey)
|
||||||
|
keys.Delete("/:id", revokeBotKey)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
api.All("/*", func(c *fiber.Ctx) error {
|
api.All("/*", func(c *fiber.Ctx) error {
|
||||||
|
@ -44,7 +44,7 @@ func tryAuthorizeThirdClient(c *fiber.Ctx) error {
|
|||||||
"ticket": nil,
|
"ticket": nil,
|
||||||
})
|
})
|
||||||
} else {
|
} else {
|
||||||
ticket, err = services.RegenSession(ticket)
|
ticket, err = services.RotateTicket(ticket)
|
||||||
}
|
}
|
||||||
|
|
||||||
return c.JSON(fiber.Map{
|
return c.JSON(fiber.Map{
|
||||||
|
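--- /dev/null
+++ b/pkg/internal/services/bot_token.go
@@ -0,0 +1,53 @@
+package services
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
+	"github.com/google/uuid"
+	"github.com/samber/lo"
+	"time"
+)
+
+func NewApiKey(user models.Account, key models.ApiKey, ip, ua string, claims []string) (models.ApiKey, error) {
+	var expiredAt *time.Time
+	if key.Lifecycle != nil {
+		expiredAt = lo.ToPtr(time.Now().Add(time.Duration(*key.Lifecycle) * time.Second))
+	}
+
+	key.Ticket = models.AuthTicket{
+		IpAddress: ip,
+		UserAgent: ua,
+		RequireMFA: false,
+		RequireAuthenticate: false,
+		Claims: claims,
+		Audiences: []string{InternalTokenAudience},
+		GrantToken: lo.ToPtr(uuid.NewString()),
+		AccessToken: lo.ToPtr(uuid.NewString()),
+		RefreshToken: lo.ToPtr(uuid.NewString()),
+		AvailableAt: lo.ToPtr(time.Now()),
+		ExpiredAt: expiredAt,
+		Account: user,
+		AccountID: user.ID,
+	}
+
+	if err := database.C.Save(&key).Error; err != nil {
+		return key, err
+	}
+	return key, nil
+}
+
+func RollApiKey(key models.ApiKey) (models.ApiKey, error) {
+	var ticket models.AuthTicket
+	if err := database.C.Where("ticket_id = ?", key.TicketID).First(&ticket).Error; err != nil {
+		return key, err
+	}
+
+	ticket, err := RotateTicket(ticket)
+	if err != nil {
+		return key, err
+	} else {
+		key.Ticket = ticket
+	}
+
+	return key, nil
+}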
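Review bot: `RollApiKey` looks the ticket up with `Where("ticket_id = ?", key.TicketID)` against the `AuthTicket` table, but `ticket_id` is the foreign-key column on `api_keys`; an `AuthTicket` is addressed by its own primary key, so this should read `database.C.Where("id = ?", key.TicketID).First(&ticket)` (or `First(&ticket, key.TicketID)`) — as written the query either fails on an unknown column or never matches, and rolling a key can never succeed. In `NewApiKey`, `key.Lifecycle` and `claims` are persisted exactly as the caller supplied them: a nil lifecycle produces a ticket with `ExpiredAt: nil` that never expires, a negative or very large value wraps through the `time.Duration` multiplication, and the claim strings are not checked against anything the owning account itself holds. Reject non-positive lifecycles (or cap them) before computing `expiredAt`, and, if claims gate authorization elsewhere in the service, intersect them with the account's own claims before storing the ticket. A short doc comment on `NewApiKey` stating that the returned key carries a freshly issued ticket, including its tokens, would also make the intended one-time exposure on the create response explicit.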
@ -1,18 +0,0 @@
|
|||||||
package services
|
|
||||||
|
|
||||||
import (
|
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
|
|
||||||
"github.com/nicksnyder/go-i18n/v2/i18n"
|
|
||||||
)
|
|
||||||
|
|
||||||
func GetFactorName(w models.AuthFactorType, localizer *i18n.Localizer) string {
|
|
||||||
unknown, _ := localizer.LocalizeMessage(&i18n.Message{ID: "unknown"})
|
|
||||||
mfaEmail, _ := localizer.LocalizeMessage(&i18n.Message{ID: "mfaFactorEmail"})
|
|
||||||
|
|
||||||
switch w {
|
|
||||||
case models.EmailPasswordFactor:
|
|
||||||
return mfaEmail
|
|
||||||
default:
|
|
||||||
return unknown
|
|
||||||
}
|
|
||||||
}
|
|
@ -1,24 +0,0 @@
|
|||||||
package services
|
|
||||||
|
|
||||||
import (
|
|
||||||
"time"
|
|
||||||
|
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
|
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
|
|
||||||
"github.com/rs/zerolog/log"
|
|
||||||
)
|
|
||||||
|
|
||||||
func DoAutoSignoff() {
|
|
||||||
duration := 7 * 24 * time.Hour
|
|
||||||
deadline := time.Now().Add(-duration)
|
|
||||||
|
|
||||||
log.Debug().Time("before", deadline).Msg("Now signing off tickets...")
|
|
||||||
|
|
||||||
if tx := database.C.
|
|
||||||
Where("last_grant_at < ?", deadline).
|
|
||||||
Delete(&models.AuthTicket{}); tx.Error != nil {
|
|
||||||
log.Error().Err(tx.Error).Msg("An error occurred when running auto sign off...")
|
|
||||||
} else {
|
|
||||||
log.Debug().Int64("affected", tx.RowsAffected).Msg("Auto sign off accomplished.")
|
|
||||||
}
|
|
||||||
}
|
|
@ -2,6 +2,7 @@ package services
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"github.com/rs/zerolog/log"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
@ -146,10 +147,25 @@ func ActiveTicketWithMFA(ticket models.AuthTicket, factor models.AuthFactor, cod
|
|||||||
return ticket, nil
|
return ticket, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func RegenSession(ticket models.AuthTicket) (models.AuthTicket, error) {
|
func RotateTicket(ticket models.AuthTicket) (models.AuthTicket, error) {
|
||||||
ticket.GrantToken = lo.ToPtr(uuid.NewString())
|
ticket.GrantToken = lo.ToPtr(uuid.NewString())
|
||||||
ticket.AccessToken = lo.ToPtr(uuid.NewString())
|
ticket.AccessToken = lo.ToPtr(uuid.NewString())
|
||||||
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
|
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
|
||||||
err := database.C.Save(&ticket).Error
|
err := database.C.Save(&ticket).Error
|
||||||
return ticket, err
|
return ticket, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func DoAutoSignoff() {
|
||||||
|
duration := 7 * 24 * time.Hour
|
||||||
|
deadline := time.Now().Add(-duration)
|
||||||
|
|
||||||
|
log.Debug().Time("before", deadline).Msg("Now signing off tickets...")
|
||||||
|
|
||||||
|
if tx := database.C.
|
||||||
|
Where("last_grant_at < ?", deadline).
|
||||||
|
Delete(&models.AuthTicket{}); tx.Error != nil {
|
||||||
|
log.Error().Err(tx.Error).Msg("An error occurred when running auto sign off...")
|
||||||
|
} else {
|
||||||
|
log.Debug().Int64("affected", tx.RowsAffected).Msg("Auto sign off accomplished.")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
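Review bot: `DoAutoSignoff`, now living in this file, deletes every `AuthTicket` whose `last_grant_at` is older than seven days, and with this commit API-key tickets are ordinary `AuthTicket` rows created by `NewApiKey` with no last-grant value set and, since `IsApiKey` was dropped from the model, no flag on the ticket to tell them apart. Depending on whether that column is nullable, a key unused for a week is either swept (leaving `api_keys.ticket_id` dangling and the key silently dead) or exempt only by accident. Make the intent explicit: exclude key-backed tickets from the sweep, e.g. `Where("last_grant_at < ?", deadline).Where("id NOT IN (?)", database.C.Model(&models.ApiKey{}).Select("ticket_id"))`, or have `NewApiKey` set the last-grant field and document that API keys are subject to the inactivity window. The rename to `RotateTicket` is fine; a doc comment noting that it replaces all three previously issued tokens at once would help the callers in `RefreshToken` and `tryAuthorizeThirdClient` that now depend on that behaviour.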
@ -113,7 +113,7 @@ func RefreshToken(token string) (atk, rtk string, err error) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if ticket, err = RegenSession(ticket); err != nil {
|
if ticket, err = RotateTicket(ticket); err != nil {
|
||||||
return
|
return
|
||||||
} else {
|
} else {
|
||||||
return GetToken(ticket)
|
return GetToken(ticket)
|
||||||
|