♻️ Better sign in flow
This commit is contained in:
parent
ea3d6c20d3
commit
df9fb0a92a
1
go.mod
1
go.mod
@ -11,7 +11,6 @@ require (
|
||||
github.com/golang-jwt/jwt/v5 v5.2.0
|
||||
github.com/google/uuid v1.6.0
|
||||
github.com/json-iterator/go v1.1.12
|
||||
github.com/nicksnyder/go-i18n/v2 v2.4.0
|
||||
github.com/robfig/cron/v3 v3.0.1
|
||||
github.com/rs/zerolog v1.31.0
|
||||
github.com/samber/lo v1.39.0
|
||||
|
10
go.sum
10
go.sum
@ -1,11 +1,5 @@
|
||||
git.solsynth.dev/hydrogen/dealer v0.0.0-20240823113302-208da7e90fdb h1:dv4uVDMe53eBprW2Q8ocAhZuO+DKWlWyxGiJMiwE62E=
|
||||
git.solsynth.dev/hydrogen/dealer v0.0.0-20240823113302-208da7e90fdb/go.mod h1:Q51JPkKnV0UoOT/IRmdBh5CyfSlp7s8BRGzgooYHqkI=
|
||||
git.solsynth.dev/hydrogen/dealer v0.0.0-20240824155914-68c6a5565468 h1:DZ1b5WA1FoUE71zyl6OzQ+QbCo4tPJv077ekM1VQ524=
|
||||
git.solsynth.dev/hydrogen/dealer v0.0.0-20240824155914-68c6a5565468/go.mod h1:Q51JPkKnV0UoOT/IRmdBh5CyfSlp7s8BRGzgooYHqkI=
|
||||
git.solsynth.dev/hydrogen/dealer v0.0.0-20240911145828-d734d617bfc8 h1:kWheneSdSySG5tz9TAXrtr546JdMpQZTyWDFk4jeGwg=
|
||||
git.solsynth.dev/hydrogen/dealer v0.0.0-20240911145828-d734d617bfc8/go.mod h1:Q51JPkKnV0UoOT/IRmdBh5CyfSlp7s8BRGzgooYHqkI=
|
||||
github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
|
||||
github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
|
||||
github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
|
||||
github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
||||
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
|
||||
@ -211,8 +205,6 @@ github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3Rllmb
|
||||
github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
|
||||
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
|
||||
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
|
||||
github.com/nicksnyder/go-i18n/v2 v2.4.0 h1:3IcvPOAvnCKwNm0TB0dLDTuawWEj+ax/RERNC+diLMM=
|
||||
github.com/nicksnyder/go-i18n/v2 v2.4.0/go.mod h1:nxYSZE9M0bf3Y70gPQjN9ha7XNHX7gMc814+6wVyEI4=
|
||||
github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
|
||||
github.com/pascaldekloe/goe v0.1.0 h1:cBOtyMzM9HTpWjXfbbunk26uA6nG3a8n06Wieeh0MwY=
|
||||
github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
|
||||
@ -405,8 +397,6 @@ gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
|
||||
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
|
||||
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
|
||||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
|
||||
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
|
||||
|
@ -31,10 +31,10 @@ type AuthTicket struct {
|
||||
Location string `json:"location"`
|
||||
IpAddress string `json:"ip_address"`
|
||||
UserAgent string `json:"user_agent"`
|
||||
RequireMFA bool `json:"require_mfa"`
|
||||
RequireAuthenticate bool `json:"require_authenticate"`
|
||||
StepRemain int `json:"step_remain"`
|
||||
Claims datatypes.JSONSlice[string] `json:"claims"`
|
||||
Audiences datatypes.JSONSlice[string] `json:"audiences"`
|
||||
FactorTrail datatypes.JSONSlice[int] `json:"factor_trail"`
|
||||
GrantToken *string `json:"grant_token"`
|
||||
AccessToken *string `json:"access_token"`
|
||||
RefreshToken *string `json:"refresh_token"`
|
||||
@ -49,7 +49,7 @@ type AuthTicket struct {
|
||||
}
|
||||
|
||||
func (v AuthTicket) IsAvailable() error {
|
||||
if v.RequireMFA || v.RequireAuthenticate {
|
||||
if v.StepRemain > 0 {
|
||||
return fmt.Errorf("ticket isn't authenticated yet")
|
||||
}
|
||||
if v.AvailableAt != nil && time.Now().Unix() < v.AvailableAt.Unix() {
|
||||
@ -62,6 +62,14 @@ func (v AuthTicket) IsAvailable() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (v AuthTicket) IsCanBeAvailble() error {
|
||||
if v.StepRemain > 0 {
|
||||
return fmt.Errorf("ticket isn't authenticated yet")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
type AuthContext struct {
|
||||
Ticket AuthTicket `json:"ticket"`
|
||||
Account Account `json:"account"`
|
||||
|
@ -28,7 +28,6 @@ func getTicket(c *fiber.Ctx) error {
|
||||
func doAuthenticate(c *fiber.Ctx) error {
|
||||
var data struct {
|
||||
Username string `json:"username" validate:"required"`
|
||||
Password string `json:"password" validate:"required"`
|
||||
}
|
||||
|
||||
if err := exts.BindAndValidate(c, &data); err != nil {
|
||||
@ -39,7 +38,7 @@ func doAuthenticate(c *fiber.Ctx) error {
|
||||
if err != nil {
|
||||
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("account was not found: %v", err.Error()))
|
||||
} else if user.ConfirmedAt == nil {
|
||||
return fiber.NewError(fiber.StatusForbidden, "account was not confirmed")
|
||||
return fiber.NewError(fiber.StatusForbidden, "account was not confirmed; check your inbox, there will be an email lead you confirm your registration")
|
||||
} else if user.SuspendedAt != nil {
|
||||
return fiber.NewError(fiber.StatusForbidden, "account was suspended")
|
||||
}
|
||||
@ -49,18 +48,13 @@ func doAuthenticate(c *fiber.Ctx) error {
|
||||
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("unable setup ticket: %v", err.Error()))
|
||||
}
|
||||
|
||||
ticket, err = services.ActiveTicketWithPassword(ticket, data.Password)
|
||||
if err != nil {
|
||||
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("failed to authenticate: %v", err.Error()))
|
||||
}
|
||||
|
||||
return c.JSON(fiber.Map{
|
||||
"is_finished": ticket.IsAvailable() == nil,
|
||||
"ticket": ticket,
|
||||
})
|
||||
}
|
||||
|
||||
func doMultiFactorAuthenticate(c *fiber.Ctx) error {
|
||||
func doAuthTicketCheck(c *fiber.Ctx) error {
|
||||
var data struct {
|
||||
TicketID uint `json:"ticket_id" validate:"required"`
|
||||
FactorID uint `json:"factor_id" validate:"required"`
|
||||
@ -81,7 +75,7 @@ func doMultiFactorAuthenticate(c *fiber.Ctx) error {
|
||||
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("factor was not found: %v", err.Error()))
|
||||
}
|
||||
|
||||
ticket, err = services.ActiveTicketWithMFA(ticket, factor, data.Code)
|
||||
ticket, err = services.PerformTicketCheck(ticket, factor, data.Code)
|
||||
if err != nil {
|
||||
return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("failed to authenticate: %v", err.Error()))
|
||||
}
|
||||
|
@ -76,7 +76,7 @@ func MapAPIs(app *fiber.App, baseURL string) {
|
||||
auth := api.Group("/auth").Name("Auth")
|
||||
{
|
||||
auth.Post("/", doAuthenticate)
|
||||
auth.Post("/mfa", doMultiFactorAuthenticate)
|
||||
auth.Patch("/", doAuthTicketCheck)
|
||||
auth.Post("/token", getToken)
|
||||
|
||||
auth.Get("/tickets/:ticketId", getTicket)
|
||||
|
@ -1,11 +1,12 @@
|
||||
package services
|
||||
|
||||
import (
|
||||
"time"
|
||||
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
|
||||
"github.com/google/uuid"
|
||||
"github.com/samber/lo"
|
||||
"time"
|
||||
)
|
||||
|
||||
func NewApiKey(user models.Account, key models.ApiKey, ip, ua string, claims []string) (models.ApiKey, error) {
|
||||
@ -20,8 +21,7 @@ func NewApiKey(user models.Account, key models.ApiKey, ip, ua string, claims []s
|
||||
key.Ticket = models.AuthTicket{
|
||||
IpAddress: ip,
|
||||
UserAgent: ua,
|
||||
RequireMFA: false,
|
||||
RequireAuthenticate: false,
|
||||
StepRemain: 0,
|
||||
Claims: claims,
|
||||
Audiences: []string{InternalTokenAudience},
|
||||
GrantToken: lo.ToPtr(uuid.NewString()),
|
||||
|
@ -2,9 +2,10 @@ package services
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/rs/zerolog/log"
|
||||
"time"
|
||||
|
||||
"github.com/rs/zerolog/log"
|
||||
|
||||
"github.com/google/uuid"
|
||||
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
|
||||
@ -14,7 +15,9 @@ import (
|
||||
|
||||
const InternalTokenAudience = "solar-network"
|
||||
|
||||
func DetectRisk(user models.Account, ip, ua string) bool {
|
||||
// DetectRisk is used for detect user environment is suitable for no multi-factor authenticate or not.
|
||||
// Return the remaining steps, value is from 1 to 2, may appear 3 if user enabled the third-authentication-factor.
|
||||
func DetectRisk(user models.Account, ip, ua string) int {
|
||||
var clue int64
|
||||
if err := database.C.
|
||||
Where(models.AuthTicket{AccountID: user.ID, IpAddress: ip}).
|
||||
@ -22,24 +25,36 @@ func DetectRisk(user models.Account, ip, ua string) bool {
|
||||
Model(models.AuthTicket{}).
|
||||
Count(&clue).Error; err == nil {
|
||||
if clue >= 1 {
|
||||
return false
|
||||
return 1
|
||||
}
|
||||
}
|
||||
|
||||
return true
|
||||
return 2
|
||||
}
|
||||
|
||||
// PickTicketAttempt is trying to pick up the ticket that haven't completed but created by a same client (identify by ip address).
|
||||
// Then the client can continue their journey to get ticket actived.
|
||||
func PickTicketAttempt(user models.Account, ip string) (models.AuthTicket, error) {
|
||||
var ticket models.AuthTicket
|
||||
if err := database.C.
|
||||
Where("account_id = ? AND ip_address = ? AND expired_at < ? AND available_at IS NULL", user.ID, ip, time.Now()).
|
||||
First(&ticket).Error; err != nil {
|
||||
return ticket, err
|
||||
}
|
||||
return ticket, nil
|
||||
}
|
||||
|
||||
func NewTicket(user models.Account, ip, ua string) (models.AuthTicket, error) {
|
||||
var ticket models.AuthTicket
|
||||
if err := database.C.
|
||||
Where("account_id = ? AND expired_at < ? AND available_at IS NULL", time.Now(), user.ID).
|
||||
First(&ticket).Error; err == nil {
|
||||
if ticket, err := PickTicketAttempt(user, ip); err == nil {
|
||||
return ticket, nil
|
||||
}
|
||||
|
||||
requireMFA := DetectRisk(user, ip, ua)
|
||||
if count := CountUserFactor(user.ID); count <= 1 {
|
||||
requireMFA = false
|
||||
steps := DetectRisk(user, ip, ua)
|
||||
if count := CountUserFactor(user.ID); count <= 0 {
|
||||
return ticket, fmt.Errorf("specified user didn't enable sign in")
|
||||
} else {
|
||||
steps = min(steps, int(count))
|
||||
}
|
||||
|
||||
ticket = models.AuthTicket{
|
||||
@ -47,8 +62,7 @@ func NewTicket(user models.Account, ip, ua string) (models.AuthTicket, error) {
|
||||
Audiences: []string{InternalTokenAudience},
|
||||
IpAddress: ip,
|
||||
UserAgent: ua,
|
||||
RequireMFA: requireMFA,
|
||||
RequireAuthenticate: true,
|
||||
StepRemain: steps,
|
||||
ExpiredAt: nil,
|
||||
AvailableAt: nil,
|
||||
AccountID: user.ID,
|
||||
@ -91,27 +105,17 @@ func NewOauthTicket(
|
||||
return ticket, nil
|
||||
}
|
||||
|
||||
func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models.AuthTicket, error) {
|
||||
func ActiveTicket(ticket models.AuthTicket) (models.AuthTicket, error) {
|
||||
if ticket.AvailableAt != nil {
|
||||
return ticket, nil
|
||||
} else if !ticket.RequireAuthenticate {
|
||||
return ticket, nil
|
||||
}
|
||||
|
||||
if factor, err := GetPasswordTypeFactor(ticket.AccountID); err != nil {
|
||||
return ticket, fmt.Errorf("unable to active ticket: %v", err)
|
||||
} else if err = CheckFactor(factor, password); err != nil {
|
||||
} else if err := ticket.IsCanBeAvailble(); err != nil {
|
||||
return ticket, err
|
||||
}
|
||||
|
||||
ticket.RequireAuthenticate = false
|
||||
|
||||
if !ticket.RequireAuthenticate && !ticket.RequireMFA {
|
||||
ticket.AvailableAt = lo.ToPtr(time.Now())
|
||||
ticket.GrantToken = lo.ToPtr(uuid.NewString())
|
||||
ticket.AccessToken = lo.ToPtr(uuid.NewString())
|
||||
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
|
||||
}
|
||||
|
||||
if err := database.C.Save(&ticket).Error; err != nil {
|
||||
return ticket, err
|
||||
@ -120,29 +124,60 @@ func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models
|
||||
return ticket, nil
|
||||
}
|
||||
|
||||
func ActiveTicketWithMFA(ticket models.AuthTicket, factor models.AuthFactor, code string) (models.AuthTicket, error) {
|
||||
func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models.AuthTicket, error) {
|
||||
if ticket.AvailableAt != nil {
|
||||
return ticket, nil
|
||||
} else if !ticket.RequireMFA {
|
||||
} else if ticket.StepRemain == 1 {
|
||||
return ticket, fmt.Errorf("multi-factor authentication required")
|
||||
}
|
||||
|
||||
factor, err := GetPasswordTypeFactor(ticket.AccountID)
|
||||
if err != nil {
|
||||
return ticket, fmt.Errorf("unable to authenticate, password factor was not found: %v", err)
|
||||
} else if err := CheckFactor(factor, password); err != nil {
|
||||
return ticket, fmt.Errorf("invalid password: %v", err)
|
||||
}
|
||||
|
||||
ticket.StepRemain--
|
||||
ticket.FactorTrail = append(ticket.FactorTrail, int(factor.ID))
|
||||
|
||||
ticket.AvailableAt = lo.ToPtr(time.Now())
|
||||
ticket.GrantToken = lo.ToPtr(uuid.NewString())
|
||||
ticket.AccessToken = lo.ToPtr(uuid.NewString())
|
||||
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
|
||||
|
||||
if err := database.C.Save(&ticket).Error; err != nil {
|
||||
return ticket, err
|
||||
}
|
||||
|
||||
return ticket, nil
|
||||
}
|
||||
|
||||
func PerformTicketCheck(ticket models.AuthTicket, factor models.AuthFactor, code string) (models.AuthTicket, error) {
|
||||
if ticket.AvailableAt != nil {
|
||||
return ticket, nil
|
||||
} else if ticket.StepRemain <= 0 {
|
||||
return ticket, nil
|
||||
}
|
||||
|
||||
if lo.Contains(ticket.FactorTrail, int(factor.ID)) {
|
||||
return ticket, fmt.Errorf("already checked this ticket with factor %d", factor.ID)
|
||||
}
|
||||
|
||||
if err := CheckFactor(factor, code); err != nil {
|
||||
return ticket, fmt.Errorf("invalid code: %v", err)
|
||||
}
|
||||
|
||||
ticket.RequireMFA = false
|
||||
|
||||
if !ticket.RequireAuthenticate && !ticket.RequireMFA {
|
||||
ticket.AvailableAt = lo.ToPtr(time.Now())
|
||||
ticket.GrantToken = lo.ToPtr(uuid.NewString())
|
||||
ticket.AccessToken = lo.ToPtr(uuid.NewString())
|
||||
ticket.RefreshToken = lo.ToPtr(uuid.NewString())
|
||||
}
|
||||
ticket.StepRemain--
|
||||
ticket.FactorTrail = append(ticket.FactorTrail, int(factor.ID))
|
||||
|
||||
if ticket.IsCanBeAvailble() == nil {
|
||||
return ActiveTicket(ticket)
|
||||
} else {
|
||||
if err := database.C.Save(&ticket).Error; err != nil {
|
||||
return ticket, err
|
||||
}
|
||||
}
|
||||
|
||||
return ticket, nil
|
||||
}
|
||||
|
@ -1,12 +1,13 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal"
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/gap"
|
||||
"os"
|
||||
"os/signal"
|
||||
"syscall"
|
||||
|
||||
pkg "git.solsynth.dev/hydrogen/passport/pkg/internal"
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/gap"
|
||||
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/grpc"
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/server"
|
||||
"git.solsynth.dev/hydrogen/passport/pkg/internal/services"
|
||||
@ -58,7 +59,7 @@ func main() {
|
||||
quartz.AddFunc("@every 60m", services.DoAutoSignoff)
|
||||
quartz.AddFunc("@every 60m", services.DoAutoDatabaseCleanup)
|
||||
quartz.AddFunc("@every 60s", services.RecycleAuthContext)
|
||||
quartz.AddFunc("@every 60m", services.RecycleUnConfirmAccount)
|
||||
quartz.AddFunc("@midnight", services.RecycleUnConfirmAccount)
|
||||
quartz.AddFunc("@every 60s", services.SaveEventChanges)
|
||||
quartz.Start()
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user