190 lines
6.0 KiB
Go
190 lines
6.0 KiB
Go
// This file is part of the happyDomain (R) project.
|
|
// Copyright (c) 2020-2024 happyDomain
|
|
// Authors: Pierre-Olivier Mercier, et al.
|
|
//
|
|
// This program is offered under a commercial and under the AGPL license.
|
|
// For commercial licensing, contact us at <contact@happydomain.org>.
|
|
//
|
|
// For AGPL licensing:
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published by
|
|
// the Free Software Foundation, either version 3 of the License, or
|
|
// (at your option) any later version.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
package happydns
|
|
|
|
import (
|
|
"crypto/hmac"
|
|
"crypto/rand"
|
|
"crypto/sha512"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"regexp"
|
|
"time"
|
|
|
|
"golang.org/x/crypto/bcrypt"
|
|
)
|
|
|
|
// UserAuth represents an account used for authentication (not used in case of external auth).
|
|
type UserAuth struct {
|
|
// Id is the User's identifier.
|
|
Id Identifier
|
|
|
|
// Email is the User's login and mean of contact.
|
|
Email string
|
|
|
|
// EmailVerification is the time when the User verify its email address.
|
|
EmailVerification *time.Time
|
|
|
|
// Password is hashed.
|
|
Password []byte
|
|
|
|
// PasswordRecoveryKey is a string generated when User asks to recover its account.
|
|
PasswordRecoveryKey []byte `json:",omitempty"`
|
|
|
|
// CreatedAt is the time when the User has register is account.
|
|
CreatedAt time.Time
|
|
|
|
// LastLoggedIn is the time when the User has logged in for the last time.
|
|
LastLoggedIn *time.Time
|
|
|
|
// AllowCommercials stores the user preference regarding email contacts.
|
|
AllowCommercials bool
|
|
}
|
|
|
|
// UserAuths is a group of UserAuth.
|
|
type UserAuths []*UserAuth
|
|
|
|
// NewUserAuth fills a new UserAuth structure.
|
|
func NewUserAuth(email string, password string) (u *UserAuth, err error) {
|
|
u = &UserAuth{
|
|
Email: email,
|
|
CreatedAt: time.Now(),
|
|
}
|
|
|
|
if len(password) != 0 {
|
|
err = u.DefinePassword(password)
|
|
}
|
|
|
|
return
|
|
}
|
|
|
|
// CheckPasswordConstraints checks the given password is strong enough.
|
|
func (u *UserAuth) CheckPasswordConstraints(password string) (err error) {
|
|
if len(password) < 8 {
|
|
return fmt.Errorf("Password has to be at least 8 characters long.")
|
|
}
|
|
|
|
if !regexp.MustCompile(`[a-z]`).MatchString(password) {
|
|
return fmt.Errorf("Password has to contain lower case letters.")
|
|
} else if !regexp.MustCompile(`[A-Z]`).MatchString(password) {
|
|
return fmt.Errorf("Password has to contain upper case letters.")
|
|
} else if !regexp.MustCompile(`[0-9]`).MatchString(password) {
|
|
return fmt.Errorf("Password has to contain numbers.")
|
|
} else if len(password) < 11 && !regexp.MustCompile(`[^a-zA-Z0-9]`).MatchString(password) {
|
|
return fmt.Errorf("Password has to be longer or contain symbols.")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// DefinePassword erases the current UserAuth's password by the new one given.
|
|
func (u *UserAuth) DefinePassword(password string) (err error) {
|
|
if err = u.CheckPasswordConstraints(password); err != nil {
|
|
return
|
|
}
|
|
|
|
u.Password, err = bcrypt.GenerateFromPassword([]byte(password), 0)
|
|
u.PasswordRecoveryKey = nil
|
|
|
|
return
|
|
}
|
|
|
|
// CheckAuth compares the given password to the hashed one in the UserAuth struct.
|
|
func (u *UserAuth) CheckAuth(password string) bool {
|
|
if len(password) < 8 {
|
|
return false
|
|
}
|
|
|
|
return bcrypt.CompareHashAndPassword(u.Password, []byte(password)) == nil
|
|
}
|
|
|
|
// RegistrationHashValidity is the time during which the email validation link is at least valid.
|
|
const RegistrationHashValidity = 24 * time.Hour
|
|
|
|
// GenRegistrationHash generates the validation hash for the current or previous period.
|
|
// The hash computation is based on some already filled fields in the structure.
|
|
func (u *UserAuth) GenRegistrationHash(previous bool) string {
|
|
date := time.Now()
|
|
if previous {
|
|
date = date.Add(RegistrationHashValidity * -1)
|
|
}
|
|
date = date.Truncate(RegistrationHashValidity)
|
|
|
|
h := hmac.New(
|
|
sha512.New,
|
|
[]byte(u.CreatedAt.Format(time.RFC3339Nano)),
|
|
)
|
|
h.Write(date.AppendFormat([]byte{}, time.RFC3339))
|
|
return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
|
|
}
|
|
|
|
// ValidateEmail tries to validate the email address by comparing the given key to the expected one.
|
|
func (u *UserAuth) ValidateEmail(key string) error {
|
|
if key == u.GenRegistrationHash(false) || key == u.GenRegistrationHash(true) {
|
|
now := time.Now()
|
|
u.EmailVerification = &now
|
|
return nil
|
|
}
|
|
|
|
return fmt.Errorf("The validation address link you follow is invalid or has expired (it is valid during %d hours)", RegistrationHashValidity/time.Hour)
|
|
}
|
|
|
|
// AccountRecoveryHashValidityis the time during which the recovery link is at least valid.
|
|
const AccountRecoveryHashValidity = 2 * time.Hour
|
|
|
|
// GenAccountRecoveryHash generates the recovery hash for the current or previous period.
|
|
// It updates the UserAuth structure in some cases, when it needs to generate a new recovery key,
|
|
// so don't forget to save the changes made.
|
|
func (u *UserAuth) GenAccountRecoveryHash(previous bool) string {
|
|
if u.PasswordRecoveryKey == nil {
|
|
u.PasswordRecoveryKey = make([]byte, 64)
|
|
if _, err := rand.Read(u.PasswordRecoveryKey); err != nil {
|
|
return ""
|
|
}
|
|
}
|
|
date := time.Now()
|
|
date = date.Truncate(AccountRecoveryHashValidity)
|
|
if previous {
|
|
date = date.Add(AccountRecoveryHashValidity * -1)
|
|
}
|
|
|
|
if len(u.PasswordRecoveryKey) == 0 {
|
|
return ""
|
|
}
|
|
|
|
h := hmac.New(
|
|
sha512.New,
|
|
u.PasswordRecoveryKey,
|
|
)
|
|
h.Write(date.AppendFormat([]byte{}, time.RFC3339))
|
|
return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
|
|
}
|
|
|
|
// CanRecoverAccount checks if the given key is a valid recovery hash.
|
|
func (u *UserAuth) CanRecoverAccount(key string) error {
|
|
if key == u.GenAccountRecoveryHash(false) || key == u.GenAccountRecoveryHash(true) {
|
|
return nil
|
|
}
|
|
|
|
return fmt.Errorf("The account recovery link you follow is invalid or has expired (it is valid during %d hours)", AccountRecoveryHashValidity/time.Hour)
|
|
}
|