mirror of
https://github.com/garethgeorge/backrest.git
synced 2025-12-14 09:35:41 +00:00
139 lines
3.2 KiB
Go
139 lines
3.2 KiB
Go
package auth
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"time"
|
|
|
|
v1 "github.com/garethgeorge/backrest/gen/go/v1"
|
|
"github.com/garethgeorge/backrest/internal/config"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"golang.org/x/crypto/bcrypt"
|
|
)
|
|
|
|
var (
|
|
anonymousUser = &v1.User{
|
|
Name: "default",
|
|
Password: &v1.User_PasswordBcrypt{PasswordBcrypt: "JDJhJDEwJDNCdzJoNFlhaWFZQy9TSDN3ZGxSRHVPZHdzV2lsNmtBSHdFSmtIWHk1dS8wYjZuUWJrMGFx"}, // default password is "password"
|
|
}
|
|
defaultUsers = []*v1.User{
|
|
anonymousUser,
|
|
}
|
|
)
|
|
|
|
type Authenticator struct {
|
|
config config.ConfigStore
|
|
key []byte
|
|
}
|
|
|
|
func NewAuthenticator(key []byte, config config.ConfigStore) *Authenticator {
|
|
return &Authenticator{
|
|
config: config,
|
|
key: key,
|
|
}
|
|
}
|
|
|
|
var ErrUserNotFound = errors.New("user not found")
|
|
var ErrInvalidPassword = errors.New("invalid password")
|
|
|
|
func (a *Authenticator) Login(username, password string) (*v1.User, error) {
|
|
config, err := a.config.Get()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("get config: %w", err)
|
|
}
|
|
auth := config.GetAuth()
|
|
if auth.GetDisabled() {
|
|
return nil, errors.New("authentication is disabled")
|
|
}
|
|
|
|
for _, user := range auth.GetUsers() {
|
|
if user.Name != username {
|
|
continue
|
|
}
|
|
|
|
if err := checkPassword(user, password); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return user, nil
|
|
}
|
|
|
|
return nil, ErrUserNotFound
|
|
}
|
|
|
|
func (a *Authenticator) VerifyJWT(token string) (*v1.User, error) {
|
|
config, err := a.config.Get()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("get config: %w", err)
|
|
}
|
|
auth := config.GetAuth()
|
|
if auth == nil {
|
|
return nil, fmt.Errorf("auth config not set")
|
|
}
|
|
|
|
t, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
|
|
return a.key, nil
|
|
})
|
|
|
|
if err != nil {
|
|
return nil, fmt.Errorf("parse token: %w", err)
|
|
}
|
|
if !t.Valid {
|
|
return nil, fmt.Errorf("invalid token")
|
|
}
|
|
|
|
subject, err := t.Claims.GetSubject()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("get subject: %w", err)
|
|
}
|
|
|
|
for _, user := range auth.GetUsers() {
|
|
if user.Name == subject {
|
|
return user, nil
|
|
}
|
|
}
|
|
|
|
return nil, ErrUserNotFound
|
|
}
|
|
|
|
func (a *Authenticator) CreateJWT(user *v1.User) (string, error) {
|
|
claims := &jwt.RegisteredClaims{
|
|
ExpiresAt: jwt.NewNumericDate(time.Now().Add(7 * 24 * time.Hour)),
|
|
Subject: user.Name,
|
|
}
|
|
|
|
t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
|
s, err := t.SignedString(a.key)
|
|
if err != nil {
|
|
return "", fmt.Errorf("sign token: %w", err)
|
|
}
|
|
|
|
return s, nil
|
|
}
|
|
|
|
// checkPassword returns nil if the password is correct, or an error if it is not.
|
|
func checkPassword(user *v1.User, password string) error {
|
|
switch pw := user.Password.(type) {
|
|
case *v1.User_PasswordBcrypt:
|
|
pwHash, err := base64.StdEncoding.DecodeString(pw.PasswordBcrypt)
|
|
if err != nil {
|
|
return fmt.Errorf("decode password: %w", err)
|
|
}
|
|
if err := bcrypt.CompareHashAndPassword(pwHash, []byte(password)); err != nil {
|
|
return fmt.Errorf("%w: %w", ErrInvalidPassword, err)
|
|
}
|
|
default:
|
|
return fmt.Errorf("unsupported password type: %T", pw)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func CreatePassword(password string) (string, error) {
|
|
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
|
if err != nil {
|
|
return "", fmt.Errorf("generate password: %w", err)
|
|
}
|
|
return base64.StdEncoding.EncodeToString(hash), nil
|
|
}
|