♻️ Better sign in flow
This commit is contained in:
parent
ea3d6c20d3
commit
df9fb0a92a
1
go.mod
1
go.mod
@ -11,7 +11,6 @@ require (
|
|||||||
github.com/golang-jwt/jwt/v5 v5.2.0
|
github.com/golang-jwt/jwt/v5 v5.2.0
|
||||||
github.com/google/uuid v1.6.0
|
github.com/google/uuid v1.6.0
|
||||||
github.com/json-iterator/go v1.1.12
|
github.com/json-iterator/go v1.1.12
|
||||||
github.com/nicksnyder/go-i18n/v2 v2.4.0
|
|
||||||
github.com/robfig/cron/v3 v3.0.1
|
github.com/robfig/cron/v3 v3.0.1
|
||||||
github.com/rs/zerolog v1.31.0
|
github.com/rs/zerolog v1.31.0
|
||||||
github.com/samber/lo v1.39.0
|
github.com/samber/lo v1.39.0
|
||||||
|
10
go.sum
10
go.sum
@ -1,11 +1,5 @@
|
|||||||
git.solsynth.dev/hydrogen/dealer v0.0.0-20240823113302-208da7e90fdb h1:dv4uVDMe53eBprW2Q8ocAhZuO+DKWlWyxGiJMiwE62E=
|
|
||||||
git.solsynth.dev/hydrogen/dealer v0.0.0-20240823113302-208da7e90fdb/go.mod h1:Q51JPkKnV0UoOT/IRmdBh5CyfSlp7s8BRGzgooYHqkI=
|
|
||||||
git.solsynth.dev/hydrogen/dealer v0.0.0-20240824155914-68c6a5565468 h1:DZ1b5WA1FoUE71zyl6OzQ+QbCo4tPJv077ekM1VQ524=
|
|
||||||
git.solsynth.dev/hydrogen/dealer v0.0.0-20240824155914-68c6a5565468/go.mod h1:Q51JPkKnV0UoOT/IRmdBh5CyfSlp7s8BRGzgooYHqkI=
|
|
||||||
git.solsynth.dev/hydrogen/dealer v0.0.0-20240911145828-d734d617bfc8 h1:kWheneSdSySG5tz9TAXrtr546JdMpQZTyWDFk4jeGwg=
|
git.solsynth.dev/hydrogen/dealer v0.0.0-20240911145828-d734d617bfc8 h1:kWheneSdSySG5tz9TAXrtr546JdMpQZTyWDFk4jeGwg=
|
||||||
git.solsynth.dev/hydrogen/dealer v0.0.0-20240911145828-d734d617bfc8/go.mod h1:Q51JPkKnV0UoOT/IRmdBh5CyfSlp7s8BRGzgooYHqkI=
|
git.solsynth.dev/hydrogen/dealer v0.0.0-20240911145828-d734d617bfc8/go.mod h1:Q51JPkKnV0UoOT/IRmdBh5CyfSlp7s8BRGzgooYHqkI=
|
||||||
github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
|
|
||||||
github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
|
|
||||||
github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
|
github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
|
||||||
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
||||||
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
||||||
@ -211,8 +205,6 @@ github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3Rllmb
|
|||||||
github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
|
github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
|
||||||
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
|
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
|
||||||
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
|
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
|
||||||
github.com/nicksnyder/go-i18n/v2 v2.4.0 h1:3IcvPOAvnCKwNm0TB0dLDTuawWEj+ax/RERNC+diLMM=
|
|
||||||
github.com/nicksnyder/go-i18n/v2 v2.4.0/go.mod h1:nxYSZE9M0bf3Y70gPQjN9ha7XNHX7gMc814+6wVyEI4=
|
|
||||||
github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
|
github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
|
||||||
github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY=
|
github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY=
|
||||||
github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
|
github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
|
||||||
@ -405,8 +397,6 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
|||||||
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||||
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
|
|
||||||
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
|
|
||||||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||||
|
@ -28,28 +28,28 @@ type AuthFactor struct {
|
|||||||
type AuthTicket struct {
|
type AuthTicket struct {
|
||||||
BaseModel
|
BaseModel
|
||||||
|
|
||||||
Location string `json:"location"`
|
Location string `json:"location"`
|
||||||
IpAddress string `json:"ip_address"`
|
IpAddress string `json:"ip_address"`
|
||||||
UserAgent string `json:"user_agent"`
|
UserAgent string `json:"user_agent"`
|
||||||
RequireMFA bool `json:"require_mfa"`
|
StepRemain int `json:"step_remain"`
|
||||||
RequireAuthenticate bool `json:"require_authenticate"`
|
Claims datatypes.JSONSlice[string] `json:"claims"`
|
||||||
Claims datatypes.JSONSlice[string] `json:"claims"`
|
Audiences datatypes.JSONSlice[string] `json:"audiences"`
|
||||||
Audiences datatypes.JSONSlice[string] `json:"audiences"`
|
FactorTrail datatypes.JSONSlice[int] `json:"factor_trail"`
|
||||||
GrantToken *string `json:"grant_token"`
|
GrantToken *string `json:"grant_token"`
|
||||||
AccessToken *string `json:"access_token"`
|
AccessToken *string `json:"access_token"`
|
||||||
RefreshToken *string `json:"refresh_token"`
|
RefreshToken *string `json:"refresh_token"`
|
||||||
ExpiredAt *time.Time `json:"expired_at"`
|
ExpiredAt *time.Time `json:"expired_at"`
|
||||||
AvailableAt *time.Time `json:"available_at"`
|
AvailableAt *time.Time `json:"available_at"`
|
||||||
LastGrantAt *time.Time `json:"last_grant_at"`
|
LastGrantAt *time.Time `json:"last_grant_at"`
|
||||||
Nonce *string `json:"nonce"`
|
Nonce *string `json:"nonce"`
|
||||||
ClientID *uint `json:"client_id"`
|
ClientID *uint `json:"client_id"`
|
||||||
|
|
||||||
Account Account `json:"account"`
|
Account Account `json:"account"`
|
||||||
AccountID uint `json:"account_id"`
|
AccountID uint `json:"account_id"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func (v AuthTicket) IsAvailable() error {
|
func (v AuthTicket) IsAvailable() error {
|
||||||
if v.RequireMFA || v.RequireAuthenticate {
|
if v.StepRemain > 0 {
|
||||||
return fmt.Errorf("ticket isn't authenticated yet")
|
return fmt.Errorf("ticket isn't authenticated yet")
|
||||||
}
|
}
|
||||||
if v.AvailableAt != nil && time.Now().Unix() < v.AvailableAt.Unix() {
|
if v.AvailableAt != nil && time.Now().Unix() < v.AvailableAt.Unix() {
|
||||||
@ -62,6 +62,14 @@ func (v AuthTicket) IsAvailable() error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (v AuthTicket) IsCanBeAvailble() error {
|
||||||
|
if v.StepRemain > 0 {
|
||||||
|
return fmt.Errorf("ticket isn't authenticated yet")
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
type AuthContext struct {
|
type AuthContext struct {
|
||||||
Ticket AuthTicket `json:"ticket"`
|
Ticket AuthTicket `json:"ticket"`
|
||||||
Account Account `json:"account"`
|
Account Account `json:"account"`
|
||||||
|
@ -28,7 +28,6 @@ func getTicket(c *fiber.Ctx) error {
|
|||||||
func doAuthenticate(c *fiber.Ctx) error {
|
func doAuthenticate(c *fiber.Ctx) error {
|
||||||
var data struct {
|
var data struct {
|
||||||
Username string `json:"username" validate:"required"`
|
Username string `json:"username" validate:"required"`
|
||||||
Password string `json:"password" validate:"required"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := exts.BindAndValidate(c, &data); err != nil {
|
if err := exts.BindAndValidate(c, &data); err != nil {
|
||||||
@ -39,7 +38,7 @@ func doAuthenticate(c *fiber.Ctx) error {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("account was not found: %v", err.Error()))
|
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("account was not found: %v", err.Error()))
|
||||||
} else if user.ConfirmedAt == nil {
|
} else if user.ConfirmedAt == nil {
|
||||||
return fiber.NewError(fiber.StatusForbidden, "account was not confirmed")
|
return fiber.NewError(fiber.StatusForbidden, "account was not confirmed; check your inbox, there will be an email lead you confirm your registration")
|
||||||
} else if user.SuspendedAt != nil {
|
} else if user.SuspendedAt != nil {
|
||||||
return fiber.NewError(fiber.StatusForbidden, "account was suspended")
|
return fiber.NewError(fiber.StatusForbidden, "account was suspended")
|
||||||
}
|
}
|
||||||
@ -49,18 +48,13 @@ func doAuthenticate(c *fiber.Ctx) error {
|
|||||||
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("unable setup ticket: %v", err.Error()))
|
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("unable setup ticket: %v", err.Error()))
|
||||||
}
|
}
|
||||||
|
|
||||||
ticket, err = services.ActiveTicketWithPassword(ticket, data.Password)
|
|
||||||
if err != nil {
|
|
||||||
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("failed to authenticate: %v", err.Error()))
|
|
||||||
}
|
|
||||||
|
|
||||||
return c.JSON(fiber.Map{
|
return c.JSON(fiber.Map{
|
||||||
"is_finished": ticket.IsAvailable() == nil,
|
"is_finished": ticket.IsAvailable() == nil,
|
||||||
"ticket": ticket,
|
"ticket": ticket,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
func doMultiFactorAuthenticate(c *fiber.Ctx) error {
|
func doAuthTicketCheck(c *fiber.Ctx) error {
|
||||||
var data struct {
|
var data struct {
|
||||||
TicketID uint `json:"ticket_id" validate:"required"`
|
TicketID uint `json:"ticket_id" validate:"required"`
|
||||||
FactorID uint `json:"factor_id" validate:"required"`
|
FactorID uint `json:"factor_id" validate:"required"`
|
||||||
@ -81,7 +75,7 @@ func doMultiFactorAuthenticate(c *fiber.Ctx) error {
|
|||||||
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("factor was not found: %v", err.Error()))
|
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("factor was not found: %v", err.Error()))
|
||||||
}
|
}
|
||||||
|
|
||||||
ticket, err = services.ActiveTicketWithMFA(ticket, factor, data.Code)
|
ticket, err = services.PerformTicketCheck(ticket, factor, data.Code)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("failed to authenticate: %v", err.Error()))
|
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("failed to authenticate: %v", err.Error()))
|
||||||
}
|
}
|
||||||
|
@ -76,7 +76,7 @@ func MapAPIs(app *fiber.App, baseURL string) {
|
|||||||
auth := api.Group("/auth").Name("Auth")
|
auth := api.Group("/auth").Name("Auth")
|
||||||
{
|
{
|
||||||
auth.Post("/", doAuthenticate)
|
auth.Post("/", doAuthenticate)
|
||||||
auth.Post("/mfa", doMultiFactorAuthenticate)
|
auth.Patch("/", doAuthTicketCheck)
|
||||||
auth.Post("/token", getToken)
|
auth.Post("/token", getToken)
|
||||||
|
|
||||||
auth.Get("/tickets/:ticketId", getTicket)
|
auth.Get("/tickets/:ticketId", getTicket)
|
||||||
|
@ -1,11 +1,12 @@
|
|||||||
package services
|
package services
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"time"
|
||||||
|
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
"github.com/samber/lo"
|
"github.com/samber/lo"
|
||||||
"time"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func NewApiKey(user models.Account, key models.ApiKey, ip, ua string, claims []string) (models.ApiKey, error) {
|
func NewApiKey(user models.Account, key models.ApiKey, ip, ua string, claims []string) (models.ApiKey, error) {
|
||||||
@ -18,19 +19,18 @@ func NewApiKey(user models.Account, key models.ApiKey, ip, ua string, claims []s
|
|||||||
}
|
}
|
||||||
|
|
||||||
key.Ticket = models.AuthTicket{
|
key.Ticket = models.AuthTicket{
|
||||||
IpAddress: ip,
|
IpAddress: ip,
|
||||||
UserAgent: ua,
|
UserAgent: ua,
|
||||||
RequireMFA: false,
|
StepRemain: 0,
|
||||||
RequireAuthenticate: false,
|
Claims: claims,
|
||||||
Claims: claims,
|
Audiences: []string{InternalTokenAudience},
|
||||||
Audiences: []string{InternalTokenAudience},
|
GrantToken: lo.ToPtr(uuid.NewString()),
|
||||||
GrantToken: lo.ToPtr(uuid.NewString()),
|
AccessToken: lo.ToPtr(uuid.NewString()),
|
||||||
AccessToken: lo.ToPtr(uuid.NewString()),
|
RefreshToken: lo.ToPtr(uuid.NewString()),
|
||||||
RefreshToken: lo.ToPtr(uuid.NewString()),
|
AvailableAt: lo.ToPtr(time.Now()),
|
||||||
AvailableAt: lo.ToPtr(time.Now()),
|
ExpiredAt: expiredAt,
|
||||||
ExpiredAt: expiredAt,
|
Account: user,
|
||||||
Account: user,
|
AccountID: user.ID,
|
||||||
AccountID: user.ID,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := database.C.Save(&key).Error; err != nil {
|
if err := database.C.Save(&key).Error; err != nil {
|
||||||
|
@ -2,9 +2,10 @@ package services
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"github.com/rs/zerolog/log"
|
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
"github.com/rs/zerolog/log"
|
||||||
|
|
||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
|
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
|
||||||
@ -14,7 +15,9 @@ import (
|
|||||||
|
|
||||||
const InternalTokenAudience = "solar-network"
|
const InternalTokenAudience = "solar-network"
|
||||||
|
|
||||||
func DetectRisk(user models.Account, ip, ua string) bool {
|
// DetectRisk is used for detect user environment is suitable for no multi-factor authenticate or not.
|
||||||
|
// Return the remaining steps, value is from 1 to 2, may appear 3 if user enabled the third-authentication-factor.
|
||||||
|
func DetectRisk(user models.Account, ip, ua string) int {
|
||||||
var clue int64
|
var clue int64
|
||||||
if err := database.C.
|
if err := database.C.
|
||||||
Where(models.AuthTicket{AccountID: user.ID, IpAddress: ip}).
|
Where(models.AuthTicket{AccountID: user.ID, IpAddress: ip}).
|
||||||
@ -22,36 +25,47 @@ func DetectRisk(user models.Account, ip, ua string) bool {
|
|||||||
Model(models.AuthTicket{}).
|
Model(models.AuthTicket{}).
|
||||||
Count(&clue).Error; err == nil {
|
Count(&clue).Error; err == nil {
|
||||||
if clue >= 1 {
|
if clue >= 1 {
|
||||||
return false
|
return 1
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return true
|
return 2
|
||||||
|
}
|
||||||
|
|
||||||
|
// PickTicketAttempt is trying to pick up the ticket that haven't completed but created by a same client (identify by ip address).
|
||||||
|
// Then the client can continue their journey to get ticket actived.
|
||||||
|
func PickTicketAttempt(user models.Account, ip string) (models.AuthTicket, error) {
|
||||||
|
var ticket models.AuthTicket
|
||||||
|
if err := database.C.
|
||||||
|
Where("account_id = ? AND ip_address = ? AND expired_at < ? AND available_at IS NULL", user.ID, ip, time.Now()).
|
||||||
|
First(&ticket).Error; err != nil {
|
||||||
|
return ticket, err
|
||||||
|
}
|
||||||
|
return ticket, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewTicket(user models.Account, ip, ua string) (models.AuthTicket, error) {
|
func NewTicket(user models.Account, ip, ua string) (models.AuthTicket, error) {
|
||||||
var ticket models.AuthTicket
|
var ticket models.AuthTicket
|
||||||
if err := database.C.
|
if ticket, err := PickTicketAttempt(user, ip); err == nil {
|
||||||
Where("account_id = ? AND expired_at < ? AND available_at IS NULL", time.Now(), user.ID).
|
|
||||||
First(&ticket).Error; err == nil {
|
|
||||||
return ticket, nil
|
return ticket, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
requireMFA := DetectRisk(user, ip, ua)
|
steps := DetectRisk(user, ip, ua)
|
||||||
if count := CountUserFactor(user.ID); count <= 1 {
|
if count := CountUserFactor(user.ID); count <= 0 {
|
||||||
requireMFA = false
|
return ticket, fmt.Errorf("specified user didn't enable sign in")
|
||||||
|
} else {
|
||||||
|
steps = min(steps, int(count))
|
||||||
}
|
}
|
||||||
|
|
||||||
ticket = models.AuthTicket{
|
ticket = models.AuthTicket{
|
||||||
Claims: []string{"*"},
|
Claims: []string{"*"},
|
||||||
Audiences: []string{InternalTokenAudience},
|
Audiences: []string{InternalTokenAudience},
|
||||||
IpAddress: ip,
|
IpAddress: ip,
|
||||||
UserAgent: ua,
|
UserAgent: ua,
|
||||||
RequireMFA: requireMFA,
|
StepRemain: steps,
|
||||||
RequireAuthenticate: true,
|
ExpiredAt: nil,
|
||||||
ExpiredAt: nil,
|
AvailableAt: nil,
|
||||||
AvailableAt: nil,
|
AccountID: user.ID,
|
||||||
AccountID: user.ID,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
err := database.C.Save(&ticket).Error
|
err := database.C.Save(&ticket).Error
|
||||||
@ -91,27 +105,17 @@ func NewOauthTicket(
|
|||||||
return ticket, nil
|
return ticket, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models.AuthTicket, error) {
|
func ActiveTicket(ticket models.AuthTicket) (models.AuthTicket, error) {
|
||||||
if ticket.AvailableAt != nil {
|
if ticket.AvailableAt != nil {
|
||||||
return ticket, nil
|
return ticket, nil
|
||||||
} else if !ticket.RequireAuthenticate {
|
} else if err := ticket.IsCanBeAvailble(); err != nil {
|
||||||
return ticket, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
if factor, err := GetPasswordTypeFactor(ticket.AccountID); err != nil {
|
|
||||||
return ticket, fmt.Errorf("unable to active ticket: %v", err)
|
|
||||||
} else if err = CheckFactor(factor, password); err != nil {
|
|
||||||
return ticket, err
|
return ticket, err
|
||||||
}
|
}
|
||||||
|
|
||||||
ticket.RequireAuthenticate = false
|
ticket.AvailableAt = lo.ToPtr(time.Now())
|
||||||
|
ticket.GrantToken = lo.ToPtr(uuid.NewString())
|
||||||
if !ticket.RequireAuthenticate && !ticket.RequireMFA {
|
ticket.AccessToken = lo.ToPtr(uuid.NewString())
|
||||||
ticket.AvailableAt = lo.ToPtr(time.Now())
|
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
|
||||||
ticket.GrantToken = lo.ToPtr(uuid.NewString())
|
|
||||||
ticket.AccessToken = lo.ToPtr(uuid.NewString())
|
|
||||||
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := database.C.Save(&ticket).Error; err != nil {
|
if err := database.C.Save(&ticket).Error; err != nil {
|
||||||
return ticket, err
|
return ticket, err
|
||||||
@ -120,28 +124,59 @@ func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models
|
|||||||
return ticket, nil
|
return ticket, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func ActiveTicketWithMFA(ticket models.AuthTicket, factor models.AuthFactor, code string) (models.AuthTicket, error) {
|
func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models.AuthTicket, error) {
|
||||||
if ticket.AvailableAt != nil {
|
if ticket.AvailableAt != nil {
|
||||||
return ticket, nil
|
return ticket, nil
|
||||||
} else if !ticket.RequireMFA {
|
} else if ticket.StepRemain == 1 {
|
||||||
|
return ticket, fmt.Errorf("multi-factor authentication required")
|
||||||
|
}
|
||||||
|
|
||||||
|
factor, err := GetPasswordTypeFactor(ticket.AccountID)
|
||||||
|
if err != nil {
|
||||||
|
return ticket, fmt.Errorf("unable to authenticate, password factor was not found: %v", err)
|
||||||
|
} else if err := CheckFactor(factor, password); err != nil {
|
||||||
|
return ticket, fmt.Errorf("invalid password: %v", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
ticket.StepRemain--
|
||||||
|
ticket.FactorTrail = append(ticket.FactorTrail, int(factor.ID))
|
||||||
|
|
||||||
|
ticket.AvailableAt = lo.ToPtr(time.Now())
|
||||||
|
ticket.GrantToken = lo.ToPtr(uuid.NewString())
|
||||||
|
ticket.AccessToken = lo.ToPtr(uuid.NewString())
|
||||||
|
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
|
||||||
|
|
||||||
|
if err := database.C.Save(&ticket).Error; err != nil {
|
||||||
|
return ticket, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return ticket, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func PerformTicketCheck(ticket models.AuthTicket, factor models.AuthFactor, code string) (models.AuthTicket, error) {
|
||||||
|
if ticket.AvailableAt != nil {
|
||||||
return ticket, nil
|
return ticket, nil
|
||||||
|
} else if ticket.StepRemain <= 0 {
|
||||||
|
return ticket, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if lo.Contains(ticket.FactorTrail, int(factor.ID)) {
|
||||||
|
return ticket, fmt.Errorf("already checked this ticket with factor %d", factor.ID)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := CheckFactor(factor, code); err != nil {
|
if err := CheckFactor(factor, code); err != nil {
|
||||||
return ticket, fmt.Errorf("invalid code: %v", err)
|
return ticket, fmt.Errorf("invalid code: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
ticket.RequireMFA = false
|
ticket.StepRemain--
|
||||||
|
ticket.FactorTrail = append(ticket.FactorTrail, int(factor.ID))
|
||||||
|
|
||||||
if !ticket.RequireAuthenticate && !ticket.RequireMFA {
|
if ticket.IsCanBeAvailble() == nil {
|
||||||
ticket.AvailableAt = lo.ToPtr(time.Now())
|
return ActiveTicket(ticket)
|
||||||
ticket.GrantToken = lo.ToPtr(uuid.NewString())
|
} else {
|
||||||
ticket.AccessToken = lo.ToPtr(uuid.NewString())
|
if err := database.C.Save(&ticket).Error; err != nil {
|
||||||
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
|
return ticket, err
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := database.C.Save(&ticket).Error; err != nil {
|
|
||||||
return ticket, err
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return ticket, nil
|
return ticket, nil
|
||||||
|
@ -1,12 +1,13 @@
|
|||||||
package main
|
package main
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal"
|
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/gap"
|
|
||||||
"os"
|
"os"
|
||||||
"os/signal"
|
"os/signal"
|
||||||
"syscall"
|
"syscall"
|
||||||
|
|
||||||
|
pkg "git.solsynth.dev/hydrogen/passport/pkg/internal"
|
||||||
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/gap"
|
||||||
|
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/grpc"
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/grpc"
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/server"
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/server"
|
||||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/services"
|
"git.solsynth.dev/hydrogen/passport/pkg/internal/services"
|
||||||
@ -58,7 +59,7 @@ func main() {
|
|||||||
quartz.AddFunc("@every 60m", services.DoAutoSignoff)
|
quartz.AddFunc("@every 60m", services.DoAutoSignoff)
|
||||||
quartz.AddFunc("@every 60m", services.DoAutoDatabaseCleanup)
|
quartz.AddFunc("@every 60m", services.DoAutoDatabaseCleanup)
|
||||||
quartz.AddFunc("@every 60s", services.RecycleAuthContext)
|
quartz.AddFunc("@every 60s", services.RecycleAuthContext)
|
||||||
quartz.AddFunc("@every 60m", services.RecycleUnConfirmAccount)
|
quartz.AddFunc("@midnight", services.RecycleUnConfirmAccount)
|
||||||
quartz.AddFunc("@every 60s", services.SaveEventChanges)
|
quartz.AddFunc("@every 60s", services.SaveEventChanges)
|
||||||
quartz.Start()
|
quartz.Start()
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user