[WIP]

auth/auth.go

@@ -1,7 +1,6 @@
 package auth
 
 import (
-	"context"
 	"encoding/json"
 	"fmt"
 	"log"
@@ -9,27 +8,20 @@ import (
 	"strings"
 	"time"
 
+	"git.acooldomain.co/server-manager/backend-kubernetes-go/db_handler/mongo"
 	"git.acooldomain.co/server-manager/backend-kubernetes-go/dbhandler"
 	"git.acooldomain.co/server-manager/backend-kubernetes-go/models"
 	"github.com/gin-gonic/gin"
 	"github.com/golang-jwt/jwt"
-	"go.mongodb.org/mongo-driver/bson"
-	"go.mongodb.org/mongo-driver/mongo"
-	"go.mongodb.org/mongo-driver/mongo/options"
-	"golang.org/x/crypto/bcrypt"
 )
 
-var secret []byte
-var method string
-var DOMAIN string
-
 type Connection struct {
-	usersDbHandler         dbhandler.UsersDBHandler
+	config models.GlobalConfig
-	authorizationDbHandler dbhandler.AuthorizationDbHandler
 
-	authMode          models.AuthMode
+	tokenHandler        dbhandler.InviteTokenDbHandler
-	userAuthDbHandler *dbhandler.UserPassAuthanticationDbHandler
+	userAuthDbHandler   dbhandler.UserPassAuthanticationDbHandler
-	OidcAuthDbHandler *dbhandler.OidcAuthenticationDbHandler
+	serverAuthDbHandler dbhandler.ServersAuthorizationDbHandler
+	OidcAuthDbHandler   dbhandler.OidcAuthenticationDbHandler
 }
 
 type Claims struct {
@@ -43,14 +35,8 @@ type AuthClaims struct {
 	Claims
 }
 
-type InviteToken struct {
+func (con *Connection) signToken(token Claims) (string, error) {
-	Email       string            `bson:"Email"`
+	t := jwt.New(jwt.GetSigningMethod(con.config.Signing.Algorithm))
-	Permissions models.Permission `bson:"Permissions"`
-	Token       string            `bson:"Token"`
-}
-
-func signToken(token Claims) (string, error) {
-	t := jwt.New(jwt.GetSigningMethod(method))
 
 	t.Claims = &AuthClaims{
 		&jwt.StandardClaims{
@@ -59,98 +45,99 @@ func signToken(token Claims) (string, error) {
 		token,
 	}
 
-	return t.SignedString(secret)
+	return t.SignedString(con.config.Signing.Key)
 }
 
-func AuthorizedTo(requiredPermissions models.Permission, overwriters ...func(*gin.Context) bool) gin.HandlerFunc {
+func AuthorizedTo(requiredPermissions models.Permission) gin.HandlerFunc {
 	return func(ctx *gin.Context) {
-		authCookie, err := ctx.Request.Cookie("auth")
+		claimsPointer, exists := ctx.Get("claims")
-		if err != nil {
+		if !exists {
-			ctx.AbortWithError(403, err)
+			log.Printf("LoggedIn was not called first")
+			ctx.AbortWithError(500, fmt.Errorf("Misconfigured method"))
 			return
 		}
 
-		token, err := jwt.ParseWithClaims(authCookie.Value, &AuthClaims{}, func(token *jwt.Token) (interface{}, error) {
+		claims, ok := claimsPointer.(*AuthClaims)
-			// Don't forget to validate the alg is what you expect:
+		if !ok {
-			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-				return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
-			}
-
-			// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
-			return secret, nil
-		})
-		if err != nil {
-			ctx.AbortWithError(403, err)
-			return
-		}
-		if claims, ok := token.Claims.(*AuthClaims); ok && token.Valid {
-			ctx.Set("claims", claims)
-			if (requiredPermissions&claims.Permissions != requiredPermissions) && (models.Admin&claims.Permissions != models.Admin) {
-				for _, overwrite := range overwriters {
-					if overwrite(ctx) {
-						return
-					}
-				}
-				ctx.AbortWithStatusJSON(403, "matching permissions were not found")
-				return
-			}
-		} else {
 			ctx.AbortWithStatus(500)
+			return
+		}
+
+		if (requiredPermissions&claims.Permissions != requiredPermissions) && (models.Admin&claims.Permissions != models.Admin) {
+			ctx.AbortWithStatusJSON(403, "matching permissions were not found")
+			return
 		}
 	}
 }
 
+func (con *Connection) LoggedIn(ctx *gin.Context) {
+	authCookie, err := ctx.Request.Cookie("auth")
+	if err != nil {
+		ctx.AbortWithError(403, err)
+		return
+	}
+
+	token, err := jwt.ParseWithClaims(authCookie.Value, &AuthClaims{}, func(token *jwt.Token) (interface{}, error) {
+		// Don't forget to validate the alg is what you expect:
+		if token.Method.Alg() != con.config.Signing.Algorithm {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+
+		// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
+		return con.config.Signing.Key, nil
+	})
+	if err != nil {
+		ctx.AbortWithError(403, err)
+		return
+	}
+
+	if !token.Valid {
+		ctx.AbortWithStatus(403)
+		return
+	}
+	claims, ok := token.Claims.(*AuthClaims)
+	if !ok {
+		ctx.AbortWithStatus(500)
+		return
+	}
+
+	ctx.Set("claims", claims)
+}
+
 type SignUpRequest struct {
 	Token    string
 	Username string
 	Password string
 }
 
-func (con Connection) signUp(c *gin.Context) {
+func (con Connection) signUp(ctx *gin.Context) {
 	var request SignUpRequest
 
-	err := json.NewDecoder(c.Request.Body).Decode(&request)
+	err := json.NewDecoder(ctx.Request.Body).Decode(&request)
 	if err != nil {
-		c.AbortWithError(500, err)
+		ctx.AbortWithError(500, err)
-	}
-
-	var token InviteToken
-
-	err = con.DatabaseConnection.Database("Backend").Collection("Tokens").FindOne(
-		context.TODO(),
-		bson.D{{}},
-		options.FindOne(),
-	).Decode(&token)
-
-	if err != nil {
-		c.AbortWithError(500, err)
 		return
 	}
+
+	token, err := con.tokenHandler.GetInviteToken(ctx, request.Token)
+	if err != nil {
+		ctx.AbortWithError(500, err)
+		return
+	}
+
 	if token.Token == "" {
-		c.AbortWithStatusJSON(403, "PermissionDenied")
+		ctx.AbortWithStatusJSON(403, "PermissionDenied")
 		return
 	}
 
-	hashedPass, err := hashPassword(request.Password)
+	err = con.userAuthDbHandler.CreateUser(ctx, request.Username, request.Password, token.Permissions, token.Email, con.config.Users.DefaultMaxOwnedServers)
-	if err != nil {
-		c.AbortWithError(500, err)
-		return
-	}
-
-	_, err = con.DatabaseConnection.Database("Backend").Collection("Users").InsertOne(context.TODO(), &models.User{
-		Username:        request.Username,
-		HashedPass:      hashedPass,
-		Permissions:     token.Permissions,
-		MaxOwnedServers: 5,
-		Email:           token.Email,
-	}, &options.InsertOneOptions{})
 
 	if err != nil {
-		c.AbortWithError(500, err)
+		ctx.AbortWithError(500, err)
 		return
 	}
 
-	con.signIn(c)
+	con.signIn(ctx)
 }
 
 type SignInRequest struct {
@@ -158,24 +145,18 @@ type SignInRequest struct {
 	Password string
 }
 
-func (con Connection) signIn(c *gin.Context) {
+func (con Connection) signIn(ctx *gin.Context) {
 
 	var request SignInRequest
-	err := json.NewDecoder(c.Request.Body).Decode(&request)
+	err := json.NewDecoder(ctx.Request.Body).Decode(&request)
 
 	if err != nil {
-		c.AbortWithError(500, err)
+		ctx.AbortWithError(500, err)
 		return
 	}
-	var userItem models.User
+	userItem, err := con.userAuthDbHandler.AuthenticateUser(ctx, request.Username, request.Password)
-	err = con.DatabaseConnection.Database("Backend").Collection("Users").FindOne(context.TODO(), bson.D{{Key: "Username", Value: request.Username}}).Decode(&userItem)
 	if err != nil {
-		c.AbortWithError(403, err)
+		ctx.AbortWithError(403, err)
-		return
-	}
-
-	if bcrypt.CompareHashAndPassword([]byte(userItem.HashedPass), []byte(request.Password)) != nil {
-		c.AbortWithStatus(403)
 		return
 	}
 
@@ -184,76 +165,89 @@ func (con Connection) signIn(c *gin.Context) {
 		Permissions: userItem.Permissions,
 	}
 
-	signedToken, err := signToken(token)
+	signedToken, err := con.signToken(token)
 	if err != nil {
-		c.AbortWithError(500, err)
+		ctx.AbortWithError(500, err)
 		return
 	}
 
-	c.SetCookie("auth", signedToken, int(time.Hour)*24*30, "", ".games.acooldomain.co", true, false)
+	ctx.SetCookie("auth", signedToken, int(time.Hour)*24*30, "", "."+con.config.Domain, true, false)
-	c.IndentedJSON(http.StatusOK, signedToken)
+	ctx.IndentedJSON(http.StatusOK, signedToken)
 }
 
-func (con Connection) verify(c *gin.Context) {
+func (con Connection) Verify(ctx *gin.Context) {
-	authCookie, err := c.Request.Cookie("auth")
+	claimsPointer, exists := ctx.Get("claims")
-	if err != nil {
+	if !exists {
-		c.Redirect(303, fmt.Sprintf("http://%s/", DOMAIN))
+		ctx.Status(403)
 		return
 	}
 
-	token, err := jwt.ParseWithClaims(authCookie.Value, &AuthClaims{}, func(token *jwt.Token) (interface{}, error) {
+	claims := claimsPointer.(*AuthClaims)
-		// Don't forget to validate the alg is what you expect:
-		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
-		}
 
-		// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
+	forwarded_host := ctx.Request.Header.Get("x-forwarded-host")
-		return secret, nil
-	})
-
-	if err != nil {
-		c.AbortWithError(403, err)
-		return
-	}
-	claims := token.Claims
-
-	forwarded_host := c.Request.Header.Get("x-forwarded-host")
 	log.Printf("Checking auth of %s", forwarded_host)
 
 	domainSegments := strings.Split(forwarded_host, ".")
 
 	serverId, service := domainSegments[0], domainSegments[1]
-	c.AddParam("server_id", serverId)
 
-	if service == "browsers" {
+	switch service {
-		if claims.(*AuthClaims).Permissions&models.Browse == models.Browse || claims.(*AuthClaims).Permissions&models.Admin == models.Admin || con.ServerAuthorized(models.Browse)(c) {
+	case "browsers":
-			c.Header("X-Username", claims.(*AuthClaims).Username)
+		serverPermissions, err := con.serverAuthDbHandler.GetPermissions(ctx, claims.Username, serverId)
-			log.Printf("Set header X-Username %s", claims.(*AuthClaims).Username)
+		if err != nil {
-			c.Status(200)
+			ctx.AbortWithError(500, err)
 			return
 		}
-
+		if (claims.Permissions|serverPermissions)&models.Admin == models.Admin {
-	}
+			ctx.Header("X-Username", claims.Username)
-
+			log.Printf("Set header X-Username %s", claims.Username)
-	if service == "cloud" {
+			ctx.Status(200)
-		if claims.(*AuthClaims).Permissions&models.Cloud == models.Cloud || claims.(*AuthClaims).Permissions&models.Admin == models.Admin {
+			return
-			log.Printf("Set header X-Username %s", claims.(*AuthClaims).Username)
+		}
-			c.Header("X-Username", claims.(*AuthClaims).Username)
+	case "cloud":
-			c.Status(200)
+		if claims.Permissions&models.Cloud == models.Cloud || claims.Permissions&models.Admin == models.Admin {
+			log.Printf("Set header X-Username %s", claims.Username)
+			ctx.Header("X-Username", claims.Username)
+			ctx.Status(200)
 			return
 		}
 	}
 
-	c.Redirect(303, fmt.Sprintf("http://%s/login", DOMAIN))
+	ctx.Redirect(303, fmt.Sprintf("http://%s/login", con.config.Domain))
 }
 func LoadGroup(group *gin.RouterGroup, client *mongo.Client, config models.GlobalConfig) {
-	connection := Connection{DatabaseConnection: client}
+	var userAuthHandler dbhandler.UserPassAuthanticationDbHandler
+	var inviteHandler dbhandler.InviteTokenDbHandler
+	var serverAuthHandler dbhandler.ServersAuthorizationDbHandler
 
-	secret = []byte(config.Key)
+	var err error
-	method = config.Algorithm
+
-	DOMAIN = config.Domain
+	if config.Authentication.UserPass.Type == models.MONGO {
+		userAuthHandler, err = mongo.NewUserPassAuthHandler(*config.Authentication.UserPass.Mongo)
+		if err != nil {
+			panic(err)
+		}
+	}
+
+	if config.Authentication.UserPass.InviteTokenDatabase.Type == models.MONGO {
+		inviteHandler, err = mongo.NewInviteTokenDbHandler(*config.Authentication.UserPass.Mongo)
+		if err != nil {
+			panic(err)
+		}
+	}
+
+	mailClient = *mail.NewMailClient(config.Email)
+
+	connection := Connection{
+		userPassAuthHandler: userAuthHandler,
+		tokenHandler:        inviteHandler,
+		mailClient:          mailClient,
+		config:              &config,
+	}
+
+	connection := Connection{DatabaseConnection: client}
 
 	group.POST("/signin", connection.signIn)
 	group.POST("/signup", AuthorizedTo(models.Admin), connection.signUp)
-	group.Any("/verify", connection.verify)
+	group.Any("/verify", connection.Verify)
 }

db_handler/mongo/servers_authorization.go

@@ -18,12 +18,12 @@ type ServerPermissions struct {
 	Permissions models.Permission `bson:"permissions"`
 }
 
-type AuthorizationDbHandler struct {
+type ServersAuthorizationDbHandler struct {
 	dbhandler.ServersAuthorizationDbHandler
 	collection *mongo.Collection
 }
 
-func (self *AuthorizationDbHandler) RemoveUser(ctx context.Context, username string) error {
+func (self *ServersAuthorizationDbHandler) RemoveUser(ctx context.Context, username string) error {
 	_, err := self.collection.DeleteMany(
 		ctx,
 		bson.M{
@@ -34,7 +34,7 @@ func (self *AuthorizationDbHandler) RemoveUser(ctx context.Context, username str
 	return err
 }
 
-func (self *AuthorizationDbHandler) RemoveServer(ctx context.Context, serverId string) error {
+func (self *ServersAuthorizationDbHandler) RemoveServer(ctx context.Context, serverId string) error {
 	_, err := self.collection.DeleteMany(
 		ctx,
 		bson.M{
@@ -45,7 +45,7 @@ func (self *AuthorizationDbHandler) RemoveServer(ctx context.Context, serverId s
 	return err
 }
 
-func (self *AuthorizationDbHandler) AddPermissions(ctx context.Context, username string, serverId string, permissions models.Permission) error {
+func (self *ServersAuthorizationDbHandler) AddPermissions(ctx context.Context, username string, serverId string, permissions models.Permission) error {
 	var serverPermissions ServerPermissions
 	err := self.collection.FindOne(
 		ctx,
@@ -76,7 +76,7 @@ func (self *AuthorizationDbHandler) AddPermissions(ctx context.Context, username
 	return err
 }
 
-func (self *AuthorizationDbHandler) RemovePermissions(ctx context.Context, username string, serverId string, permissions models.Permission) error {
+func (self *ServersAuthorizationDbHandler) RemovePermissions(ctx context.Context, username string, serverId string, permissions models.Permission) error {
 	var serverPermissions ServerPermissions
 	err := self.collection.FindOne(
 		ctx,
@@ -107,7 +107,7 @@ func (self *AuthorizationDbHandler) RemovePermissions(ctx context.Context, usern
 	return err
 }
 
-func (self *AuthorizationDbHandler) SetPermissions(ctx context.Context, username string, serverId string, permissions models.Permission) error {
+func (self *ServersAuthorizationDbHandler) SetPermissions(ctx context.Context, username string, serverId string, permissions models.Permission) error {
 	_, err := self.collection.UpdateOne(
 		ctx,
 		bson.M{
@@ -123,7 +123,7 @@ func (self *AuthorizationDbHandler) SetPermissions(ctx context.Context, username
 	return err
 }
 
-func (self *AuthorizationDbHandler) GetPermissions(ctx context.Context, username string, serverId string) (models.Permission, error) {
+func (self *ServersAuthorizationDbHandler) GetPermissions(ctx context.Context, username string, serverId string) (models.Permission, error) {
 	var serverPermissions ServerPermissions
 	err := self.collection.FindOne(
 		ctx,
@@ -140,7 +140,7 @@ func (self *AuthorizationDbHandler) GetPermissions(ctx context.Context, username
 	return serverPermissions.Permissions, nil
 }
 
-func NewAuthorizationHandler(config models.MongoDBConfig) (*AuthorizationDbHandler, error) {
+func NewServersAuthorizationHandler(config models.MongoDBConfig) (*ServersAuthorizationDbHandler, error) {
 	clientOptions := options.Client().ApplyURI(config.Url).SetAuth(options.Credential{
 		Username: config.Username,
 		Password: config.Password,
@@ -155,7 +155,7 @@ func NewAuthorizationHandler(config models.MongoDBConfig) (*AuthorizationDbHandl
 		return nil, err
 	}
 
-	return &AuthorizationDbHandler{
+	return &ServersAuthorizationDbHandler{
 		collection: client.Database(config.Database).Collection(config.Collection),
 	}, nil
 }

db_handler/mongo/user_pass_authentication.go

@@ -41,34 +41,42 @@ func (self *UserPassAuthenticationDbHandler) ListUsers(ctx context.Context) ([]m
 	modelUsers := make([]models.User, len(authUsers))
 	for i, authUser := range authUsers {
 		modelUsers[i] = models.User{
-			Username: authUser.Username,
+			Username:        authUser.Username,
-			Nickname: authUser.Nickname,
+			Nickname:        authUser.Nickname,
-			Email:    authUser.Email,
+			Email:           authUser.Email,
+			MaxOwnedServers: authUser.MaxOwnedSevers,
+			Permissions:     authUser.Permissions,
 		}
 	}
 
 	return modelUsers, nil
 }
 
-func (self *UserPassAuthenticationDbHandler) AuthenticateUser(ctx context.Context, username string, password string) (models.Permission, error) {
+func (self *UserPassAuthenticationDbHandler) AuthenticateUser(ctx context.Context, username string, password string) (*models.User, error) {
 	var user AuthUser
 	err := self.collection.FindOne(ctx, bson.M{"username": username}).Decode(&user)
 
 	if err != nil {
-		return 0, err
+		return nil, err
 	}
 
 	hashedPassword, err := dbhandler.HashPassword(password)
 
 	if err != nil {
-		return 0, err
+		return nil, err
 	}
 
 	if user.HashedPassword != hashedPassword {
-		return 0, fmt.Errorf("Incorrect Password")
+		return nil, fmt.Errorf("Incorrect Password")
 	}
 
-	return user.Permissions, nil
+	return &models.User{
+		Username:        user.Username,
+		Nickname:        user.Nickname,
+		Email:           user.Email,
+		MaxOwnedServers: user.MaxOwnedSevers,
+		Permissions:     user.Permissions,
+	}, nil
 }
 
 func (self *UserPassAuthenticationDbHandler) CreateUser(

db_handler/user_pass_auth.go

@@ -26,7 +26,7 @@ type UserSignupRequest struct {
 
 type UserPassAuthanticationDbHandler interface {
 	// Read Only
-	AuthenticateUser(ctx context.Context, username string, password string) (models.Permission, error)
+	AuthenticateUser(ctx context.Context, username string, password string) (*models.User, error)
 	ListUsers(ctx context.Context) ([]models.User, error)
 
 	// Write

go.work

@@ -12,4 +12,5 @@ use (
 	./instance_manager/kubernetes
 	./servers
 	./users
+	./utils
 )

models/config.go

@@ -76,6 +76,10 @@ type ServersAuthorizationDatabaseConfig struct {
 	Mongo *MongoDBConfig `yaml:"mongo"`
 }
 
+type UsersConfig struct {
+	DefaultMaxOwnedServers uint `yaml:"default_max_owned_servers"`
+}
+
 type GlobalConfig struct {
 	// Features Configs
 	Email           EmailConfig           `yaml:"email"`
@@ -83,6 +87,7 @@ type GlobalConfig struct {
 	Signing         SigningConfig         `yaml:"signing"`
 	Authentication  AuthenticationConfig  `yaml:"authentication"`
 	InstanceManager InstanceManagerConfig `yaml:"instance_manager"`
+	Users           UsersConfig           `yaml:"users"`
 
 	// Database Configs
 	ServersDatabase              ServersDatabaseConfig              `yaml:"servers_database"`

models/user.go

@@ -1,8 +1,9 @@
 package models
 
 type User struct {
-	Username        string `json:"username"`
+	Username        string     `json:"username"`
-	Nickname        string `json:"nickname"`
+	Nickname        string     `json:"nickname"`
-	Email           string `json:"email"`
+	Email           string     `json:"email"`
-	MaxOwnedServers int    `json:"maxed_owned_servers"`
+	MaxOwnedServers uint       `json:"maxed_owned_servers"`
+	Permissions     Permission `json:"permissions"`
 }

utils/constructors.go

@@ -0,0 +1,41 @@
+package dbhandler
+
+import (
+	"fmt"
+	"sync"
+
+	"git.acooldomain.co/server-manager/backend-kubernetes-go/db_handler/mongo"
+	"git.acooldomain.co/server-manager/backend-kubernetes-go/dbhandler"
+	"git.acooldomain.co/server-manager/backend-kubernetes-go/models"
+)
+
+var (
+	mu                         sync.Mutex
+	existingServerAuthHandlers = make(map[string]dbhandler.ServersAuthorizationDbHandler)
+)
+
+func configToKey(config any) (string, error) {
+	switch c := config.(type) {
+	case models.MongoDBConfig:
+		return fmt.Sprintf("mongo:%s:%s:%s:%s:%s", c.Url, c.Database, c.Collection, c.Username, c.Password), nil
+	default:
+		return "", fmt.Errorf("unknown config format")
+	}
+}
+
+func GetServersAuthDbHandler(config any) (dbhandler.ServersAuthorizationDbHandler, error) {
+	mu.Lock()
+	defer mu.Unlock()
+	key, err := configToKey(config)
+	if handler, exists := existingServerAuthHandlers[key]; err != nil && exists {
+		return handler, nil
+	}
+
+	switch c := config.(type) {
+	case models.MongoDBConfig:
+		handler, err := mongo.NewServersAuthorizationHandler(c)
+		return handler, err
+	}
+
+	return nil, fmt.Errorf("Unknown config format")
+}

utils/go.mod

@@ -0,0 +1,3 @@
+module git.acooldomain.co/server-manager/backend-kubernetes-go/utils
+
+go 1.22.0