taskcafe/internal/auth/auth.go

package auth

import (
	"time"

	"github.com/dgrijalva/jwt-go"
	log "github.com/sirupsen/logrus"
)

// RestrictedMode is used restrict JWT access to just the install route
type RestrictedMode string

const (
	// Unrestricted is the code to allow access to all routes
	Unrestricted RestrictedMode = "unrestricted"
	// InstallOnly is the code to restrict access ONLY to install route
	InstallOnly = "install_only"
)

// Role is the role code for the user
type Role string

const (
	// RoleAdmin is the code for the admin role
	RoleAdmin Role = "admin"
	// RoleMember is the code for the member role
	RoleMember Role = "member"
)

// AccessTokenClaims is the claims the access JWT token contains
type AccessTokenClaims struct {
	UserID     string         `json:"userId"`
	Restricted RestrictedMode `json:"restricted"`
	OrgRole    Role           `json:"orgRole"`
	jwt.StandardClaims
}

// ErrExpiredToken is the error returned if the token has expired
type ErrExpiredToken struct{}

// Error returns the error message for ErrExpiredToken
func (r *ErrExpiredToken) Error() string {
	return "token is expired"
}

// ErrMalformedToken is the error returned if the token has malformed
type ErrMalformedToken struct{}

// Error returns the error message for ErrMalformedToken
func (r *ErrMalformedToken) Error() string {
	return "token is malformed"
}

// NewAccessToken generates a new JWT access token with the correct claims
func NewAccessToken(userID string, restrictedMode RestrictedMode, orgRole string, jwtKey []byte) (string, error) {
	role := RoleMember
	if orgRole == "admin" {
		role = RoleAdmin
	}
	accessExpirationTime := time.Now().Add(5 * time.Second)
	accessClaims := &AccessTokenClaims{
		UserID:         userID,
		Restricted:     restrictedMode,
		OrgRole:        role,
		StandardClaims: jwt.StandardClaims{ExpiresAt: accessExpirationTime.Unix()},
	}

	accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
	accessTokenString, err := accessToken.SignedString(jwtKey)
	if err != nil {
		return "", err
	}
	return accessTokenString, nil
}

// NewAccessTokenCustomExpiration creates an access token with a custom duration
func NewAccessTokenCustomExpiration(userID string, dur time.Duration, jwtKey []byte) (string, error) {
	accessExpirationTime := time.Now().Add(dur)
	accessClaims := &AccessTokenClaims{
		UserID:         userID,
		Restricted:     Unrestricted,
		OrgRole:        RoleMember,
		StandardClaims: jwt.StandardClaims{ExpiresAt: accessExpirationTime.Unix()},
	}

	accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
	accessTokenString, err := accessToken.SignedString(jwtKey)
	if err != nil {
		return "", err
	}
	return accessTokenString, nil
}

// ValidateAccessToken validates a JWT access token and returns the contained claims or an error if it's invalid
func ValidateAccessToken(accessTokenString string, jwtKey []byte) (AccessTokenClaims, error) {
	accessClaims := &AccessTokenClaims{}
	accessToken, err := jwt.ParseWithClaims(accessTokenString, accessClaims, func(token *jwt.Token) (interface{}, error) {
		return jwtKey, nil
	})

	if err != nil {
		return *accessClaims, nil
	}

	if accessToken.Valid {
		log.WithFields(log.Fields{
			"token":        accessTokenString,
			"timeToExpire": time.Unix(accessClaims.ExpiresAt, 0),
		}).Debug("token is valid")
		return *accessClaims, nil
	}

	if ve, ok := err.(*jwt.ValidationError); ok {
		if ve.Errors&jwt.ValidationErrorMalformed != 0 {
			return AccessTokenClaims{}, &ErrMalformedToken{}
		} else if ve.Errors&(jwt.ValidationErrorExpired|jwt.ValidationErrorNotValidYet) != 0 {
			return AccessTokenClaims{}, &ErrExpiredToken{}
		}
	}
	return AccessTokenClaims{}, err
}
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`package auth`
initial commit 2020-04-10 04:40:22 +02:00
			`import (`
			`"time"`

			`"github.com/dgrijalva/jwt-go"`
			`log "github.com/sirupsen/logrus"`
			`)`

feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// RestrictedMode is used restrict JWT access to just the install route`
feature: add first time install process 2020-07-17 02:40:23 +02:00			`type RestrictedMode string`

			`const (`
feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// Unrestricted is the code to allow access to all routes`
feature: add first time install process 2020-07-17 02:40:23 +02:00			`Unrestricted RestrictedMode = "unrestricted"`
feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// InstallOnly is the code to restrict access ONLY to install route`
			`InstallOnly = "install_only"`
feature: add first time install process 2020-07-17 02:40:23 +02:00			`)`

feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// Role is the role code for the user`
feat: enforce user roles enforces user admin role requirement for - creating / deleting / setting role for organization users - creating / deleting / setting role for project users - updating project name - deleting project hides action elements based on role for - admin console - team settings if team is only visible through project membership - add project tile if not team admin - project name text editor if not team / project admin - add redirect from team page if settings only visible through project membership - add redirect from admin console if not org admin role enforcement is handled on the api side through a custom GraphQL directive `hasRole`. on the client side, role information is fetched in the TopNavbar's `me` query and stored in the `UserContext`. there is a custom hook, `useCurrentUser`, that provides a user object with two functions, `isVisibile` & `isAdmin` which is used to check roles in order to render/hide relevant UI elements. 2020-08-01 03:01:14 +02:00			`type Role string`

			`const (`
feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// RoleAdmin is the code for the admin role`
			`RoleAdmin Role = "admin"`
			`// RoleMember is the code for the member role`
feat: enforce user roles enforces user admin role requirement for - creating / deleting / setting role for organization users - creating / deleting / setting role for project users - updating project name - deleting project hides action elements based on role for - admin console - team settings if team is only visible through project membership - add project tile if not team admin - project name text editor if not team / project admin - add redirect from team page if settings only visible through project membership - add redirect from admin console if not org admin role enforcement is handled on the api side through a custom GraphQL directive `hasRole`. on the client side, role information is fetched in the TopNavbar's `me` query and stored in the `UserContext`. there is a custom hook, `useCurrentUser`, that provides a user object with two functions, `isVisibile` & `isAdmin` which is used to check roles in order to render/hide relevant UI elements. 2020-08-01 03:01:14 +02:00			`RoleMember Role = "member"`
			`)`

feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// AccessTokenClaims is the claims the access JWT token contains`
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`type AccessTokenClaims struct {`
feature: add first time install process 2020-07-17 02:40:23 +02:00			UserID string `json:"userId"`
			Restricted RestrictedMode `json:"restricted"`
feat: enforce user roles enforces user admin role requirement for - creating / deleting / setting role for organization users - creating / deleting / setting role for project users - updating project name - deleting project hides action elements based on role for - admin console - team settings if team is only visible through project membership - add project tile if not team admin - project name text editor if not team / project admin - add redirect from team page if settings only visible through project membership - add redirect from admin console if not org admin role enforcement is handled on the api side through a custom GraphQL directive `hasRole`. on the client side, role information is fetched in the TopNavbar's `me` query and stored in the `UserContext`. there is a custom hook, `useCurrentUser`, that provides a user object with two functions, `isVisibile` & `isAdmin` which is used to check roles in order to render/hide relevant UI elements. 2020-08-01 03:01:14 +02:00			OrgRole Role `json:"orgRole"`
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`jwt.StandardClaims`
			`}`

feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// ErrExpiredToken is the error returned if the token has expired`
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`type ErrExpiredToken struct{}`

feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// Error returns the error message for ErrExpiredToken`
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`func (r *ErrExpiredToken) Error() string {`
			`return "token is expired"`
			`}`

feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// ErrMalformedToken is the error returned if the token has malformed`
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`type ErrMalformedToken struct{}`

feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// Error returns the error message for ErrMalformedToken`
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`func (r *ErrMalformedToken) Error() string {`
			`return "token is malformed"`
			`}`

feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// NewAccessToken generates a new JWT access token with the correct claims`
fix: secret key is no longer hard coded the secret key for signing JWT tokens is now read from server.secret. if that does not exist, then a random UUID v4 is generated and used instead. a log warning is also shown. 2020-09-13 01:03:17 +02:00			`func NewAccessToken(userID string, restrictedMode RestrictedMode, orgRole string, jwtKey []byte) (string, error) {`
feat: enforce user roles enforces user admin role requirement for - creating / deleting / setting role for organization users - creating / deleting / setting role for project users - updating project name - deleting project hides action elements based on role for - admin console - team settings if team is only visible through project membership - add project tile if not team admin - project name text editor if not team / project admin - add redirect from team page if settings only visible through project membership - add redirect from admin console if not org admin role enforcement is handled on the api side through a custom GraphQL directive `hasRole`. on the client side, role information is fetched in the TopNavbar's `me` query and stored in the `UserContext`. there is a custom hook, `useCurrentUser`, that provides a user object with two functions, `isVisibile` & `isAdmin` which is used to check roles in order to render/hide relevant UI elements. 2020-08-01 03:01:14 +02:00			`role := RoleMember`
			`if orgRole == "admin" {`
			`role = RoleAdmin`
			`}`
initial commit 2020-04-10 04:40:22 +02:00			`accessExpirationTime := time.Now().Add(5 * time.Second)`
			`accessClaims := &AccessTokenClaims{`
			`UserID: userID,`
feature: add first time install process 2020-07-17 02:40:23 +02:00			`Restricted: restrictedMode,`
feat: enforce user roles enforces user admin role requirement for - creating / deleting / setting role for organization users - creating / deleting / setting role for project users - updating project name - deleting project hides action elements based on role for - admin console - team settings if team is only visible through project membership - add project tile if not team admin - project name text editor if not team / project admin - add redirect from team page if settings only visible through project membership - add redirect from admin console if not org admin role enforcement is handled on the api side through a custom GraphQL directive `hasRole`. on the client side, role information is fetched in the TopNavbar's `me` query and stored in the `UserContext`. there is a custom hook, `useCurrentUser`, that provides a user object with two functions, `isVisibile` & `isAdmin` which is used to check roles in order to render/hide relevant UI elements. 2020-08-01 03:01:14 +02:00			`OrgRole: role,`
initial commit 2020-04-10 04:40:22 +02:00			`StandardClaims: jwt.StandardClaims{ExpiresAt: accessExpirationTime.Unix()},`
			`}`

			`accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)`
			`accessTokenString, err := accessToken.SignedString(jwtKey)`
			`if err != nil {`
			`return "", err`
			`}`
			`return accessTokenString, nil`
			`}`

feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// NewAccessTokenCustomExpiration creates an access token with a custom duration`
fix: secret key is no longer hard coded the secret key for signing JWT tokens is now read from server.secret. if that does not exist, then a random UUID v4 is generated and used instead. a log warning is also shown. 2020-09-13 01:03:17 +02:00			`func NewAccessTokenCustomExpiration(userID string, dur time.Duration, jwtKey []byte) (string, error) {`
initial commit 2020-04-10 04:40:22 +02:00			`accessExpirationTime := time.Now().Add(dur)`
			`accessClaims := &AccessTokenClaims{`
			`UserID: userID,`
feature: add first time install process 2020-07-17 02:40:23 +02:00			`Restricted: Unrestricted,`
feat: enforce user roles enforces user admin role requirement for - creating / deleting / setting role for organization users - creating / deleting / setting role for project users - updating project name - deleting project hides action elements based on role for - admin console - team settings if team is only visible through project membership - add project tile if not team admin - project name text editor if not team / project admin - add redirect from team page if settings only visible through project membership - add redirect from admin console if not org admin role enforcement is handled on the api side through a custom GraphQL directive `hasRole`. on the client side, role information is fetched in the TopNavbar's `me` query and stored in the `UserContext`. there is a custom hook, `useCurrentUser`, that provides a user object with two functions, `isVisibile` & `isAdmin` which is used to check roles in order to render/hide relevant UI elements. 2020-08-01 03:01:14 +02:00			`OrgRole: RoleMember,`
initial commit 2020-04-10 04:40:22 +02:00			`StandardClaims: jwt.StandardClaims{ExpiresAt: accessExpirationTime.Unix()},`
			`}`

			`accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)`
			`accessTokenString, err := accessToken.SignedString(jwtKey)`
			`if err != nil {`
			`return "", err`
			`}`
			`return accessTokenString, nil`
			`}`

feat: add pre-commit hooks & refactor code to pass linting 2020-08-21 01:11:24 +02:00			`// ValidateAccessToken validates a JWT access token and returns the contained claims or an error if it's invalid`
fix: secret key is no longer hard coded the secret key for signing JWT tokens is now read from server.secret. if that does not exist, then a random UUID v4 is generated and used instead. a log warning is also shown. 2020-09-13 01:03:17 +02:00			`func ValidateAccessToken(accessTokenString string, jwtKey []byte) (AccessTokenClaims, error) {`
initial commit 2020-04-10 04:40:22 +02:00			`accessClaims := &AccessTokenClaims{}`
			`accessToken, err := jwt.ParseWithClaims(accessTokenString, accessClaims, func(token *jwt.Token) (interface{}, error) {`
			`return jwtKey, nil`
			`})`

feature: various additions 2020-06-13 00:21:58 +02:00			`if err != nil {`
			`return *accessClaims, nil`
			`}`

initial commit 2020-04-10 04:40:22 +02:00			`if accessToken.Valid {`
			`log.WithFields(log.Fields{`
			`"token": accessTokenString,`
			`"timeToExpire": time.Unix(accessClaims.ExpiresAt, 0),`
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`}).Debug("token is valid")`
initial commit 2020-04-10 04:40:22 +02:00			`return *accessClaims, nil`
			`}`

			`if ve, ok := err.(*jwt.ValidationError); ok {`
			`if ve.Errors&jwt.ValidationErrorMalformed != 0 {`
			`return AccessTokenClaims{}, &ErrMalformedToken{}`
			`} else if ve.Errors&(jwt.ValidationErrorExpired\|jwt.ValidationErrorNotValidYet) != 0 {`
			`return AccessTokenClaims{}, &ErrExpiredToken{}`
			`}`
			`}`
			`return AccessTokenClaims{}, err`
			`}`