// This file is part of the happyDomain (R) project. // Copyright (c) 2020-2024 happyDomain // Authors: Pierre-Olivier Mercier, et al. // // This program is offered under a commercial and under the AGPL license. // For commercial licensing, contact us at . // // For AGPL licensing: // This program is free software: you can redistribute it and/or modify // it under the terms of the GNU Affero General Public License as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU Affero General Public License for more details. // // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see . package api import ( "crypto/rand" "encoding/base64" "fmt" "log" "net/http" "time" "github.com/gin-gonic/gin" "github.com/golang-jwt/jwt/v5" "git.happydns.org/happyDomain/config" "git.happydns.org/happyDomain/model" "git.happydns.org/happyDomain/storage" ) const NO_AUTH_ACCOUNT = "_no_auth" func declareAuthenticationRoutes(opts *config.Options, router *gin.RouterGroup) { router.POST("/auth", func(c *gin.Context) { checkAuth(opts, c) }) router.POST("/auth/logout", func(c *gin.Context) { logout(opts, c) }) apiAuthRoutes := router.Group("/auth") apiAuthRoutes.Use(authMiddleware(opts, true)) apiAuthRoutes.GET("", func(c *gin.Context) { if _, exists := c.Get("MySession"); exists { displayAuthToken(c) } else { displayNotAuthToken(opts, c) } }) } type DisplayUser struct { // Id is the user identifier Id happydns.Identifier `json:"id" swaggertype:"string"` // Email is the user email. Email string `json:"email"` // CreatedAt stores the date of the account creation. CreatedAt time.Time `json:"created_at,omitempty"` // Settings holds the user configuration. Settings happydns.UserSettings `json:"settings,omitempty"` } func currentUser(u *happydns.User) *DisplayUser { return &DisplayUser{ Id: u.Id, Email: u.Email, CreatedAt: u.CreatedAt, Settings: u.Settings, } } // displayAuthToken returns the user information. // // @Summary User info. // @Schemes // @Description Retrieve information about the currently logged user. // @Tags user_auth // @Accept json // @Produce json // @Security securitydefinitions.basic // @Success 200 {object} DisplayUser // @Failure 401 {object} happydns.Error "Authentication failure" // @Router /auth [get] func displayAuthToken(c *gin.Context) { user := c.MustGet("LoggedUser").(*happydns.User) c.JSON(http.StatusOK, currentUser(user)) } func displayNotAuthToken(opts *config.Options, c *gin.Context) *UserClaims { if !opts.NoAuth { requireLogin(opts, c, "Authorization required") return nil } claims, err := completeAuth(opts, c, UserProfile{ UserId: []byte{0}, Email: NO_AUTH_ACCOUNT, EmailVerified: true, }) if err != nil { log.Printf("%s %s", c.ClientIP(), err.Error()) c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Something went wrong during your authentication. Please retry in a few minutes"}) return nil } realUser, err := retrieveUserFromClaims(claims) if err != nil { c.JSON(http.StatusOK, gin.H{"errmsg": "Login success"}) } else { c.JSON(http.StatusOK, currentUser(realUser)) } return claims } // logout closes the user session. // // @Summary Close session. // @Schemes // @Description Erase the HTTP-only cookie. This leads to user logout in its browser. // @Tags user_auth // @Accept json // @Produce json // @Success 204 {null} null "Loged out" // @Failure 401 {object} happydns.Error "Authentication failure" // @Router /auth/logout [post] func logout(opts *config.Options, c *gin.Context) { c.SetCookie( COOKIE_NAME, "", -1, opts.BaseURL+"/", "", opts.DevProxy == "" && opts.ExternalURL.URL.Scheme != "http", true, ) c.Status(http.StatusNoContent) } type LoginForm struct { // Email of the user. Email string // Password of the user. Password string } // checkAuth validate user authentication and delivers a session token. // // @Summary Authenticate user. // @Schemes // @Description Validate user authentication and delivers a session token. // @Tags user_auth // @Accept json // @Produce json // @Param body body LoginForm true "Login information" // @Success 200 {object} DisplayUser "Login success" // @Failure 401 {object} happydns.Error "Authentication failure" // @Failure 500 {object} happydns.Error // @Router /auth [post] func checkAuth(opts *config.Options, c *gin.Context) { var lf LoginForm if err := c.ShouldBindJSON(&lf); err != nil { log.Printf("%s sends invalid LoginForm JSON: %s", c.ClientIP(), err.Error()) c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": fmt.Sprintf("Something is wrong in received data: %s", err.Error())}) return } user, err := storage.MainStore.GetAuthUserByEmail(lf.Email) if err != nil { log.Printf("%s user's email (%s) not found: %s", c.ClientIP(), lf.Email, err.Error()) c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"errmsg": "Invalid username or password."}) return } if !user.CheckAuth(lf.Password) { log.Printf("%s tries to login as %q, but sent an invalid password", c.ClientIP(), lf.Email) c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"errmsg": "Invalid username or password."}) return } if user.EmailVerification == nil { log.Printf("%s tries to login as %q, but sent an invalid password", c.ClientIP(), lf.Email) c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"errmsg": "Please validate your e-mail address before your first login.", "href": "/email-validation"}) return } claims, err := completeAuth(opts, c, UserProfile{ UserId: user.Id, Email: user.Email, EmailVerified: user.EmailVerification != nil, CreatedAt: user.CreatedAt, Newsletter: user.AllowCommercials, }) if err != nil { log.Printf("%s %s", c.ClientIP(), err.Error()) c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "Something went wrong during your authentication. Please retry in a few minutes"}) return } log.Printf("%s now logged as %q\n", c.ClientIP(), user.Email) realUser, err := retrieveUserFromClaims(claims) if err != nil { c.JSON(http.StatusOK, gin.H{"errmsg": "Login success"}) } else { c.JSON(http.StatusOK, currentUser(realUser)) } } func completeAuth(opts *config.Options, c *gin.Context, userprofile UserProfile) (*UserClaims, error) { // Issue a new JWT token jti := make([]byte, 16) _, err := rand.Read(jti) if err != nil { return nil, fmt.Errorf("unable to read enough random bytes: %w", err) } iat := jwt.NewNumericDate(time.Now()) claims := &UserClaims{ userprofile, jwt.RegisteredClaims{ IssuedAt: iat, ID: base64.StdEncoding.EncodeToString(jti), }, } jwtToken := jwt.NewWithClaims(signingMethod, claims) jwtToken.Header["kid"] = "1" token, err := jwtToken.SignedString([]byte(opts.JWTSecretKey)) if err != nil { return nil, fmt.Errorf("unable to sign user claims: %w", err) } c.SetCookie( COOKIE_NAME, // name token, // value 30*24*3600, // maxAge opts.BaseURL+"/", // path "", // domain opts.DevProxy == "" && opts.ExternalURL.URL.Scheme != "http", // secure true, // httpOnly ) return claims, nil }