taskcafe/internal/auth/auth.go

package auth

import (
	"time"

	"github.com/dgrijalva/jwt-go"
	log "github.com/sirupsen/logrus"
)

var jwtKey = []byte("taskcafe_test_key")

type RestrictedMode string

const (
	Unrestricted RestrictedMode = "unrestricted"
	InstallOnly                 = "install_only"
)

type Role string

const (
	RoleAdmin  Role = "admin"
	RoleMember Role = "member"
)

type AccessTokenClaims struct {
	UserID     string         `json:"userId"`
	Restricted RestrictedMode `json:"restricted"`
	OrgRole    Role           `json:"orgRole"`
	jwt.StandardClaims
}

type RefreshTokenClaims struct {
	UserID string `json:"userId"`
	jwt.StandardClaims
}

type ErrExpiredToken struct{}

func (r *ErrExpiredToken) Error() string {
	return "token is expired"
}

type ErrMalformedToken struct{}

func (r *ErrMalformedToken) Error() string {
	return "token is malformed"
}

func NewAccessToken(userID string, restrictedMode RestrictedMode, orgRole string) (string, error) {
	role := RoleMember
	if orgRole == "admin" {
		role = RoleAdmin
	}
	accessExpirationTime := time.Now().Add(5 * time.Second)
	accessClaims := &AccessTokenClaims{
		UserID:         userID,
		Restricted:     restrictedMode,
		OrgRole:        role,
		StandardClaims: jwt.StandardClaims{ExpiresAt: accessExpirationTime.Unix()},
	}

	accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
	accessTokenString, err := accessToken.SignedString(jwtKey)
	if err != nil {
		return "", err
	}
	return accessTokenString, nil
}

func NewAccessTokenCustomExpiration(userID string, dur time.Duration) (string, error) {
	accessExpirationTime := time.Now().Add(dur)
	accessClaims := &AccessTokenClaims{
		UserID:         userID,
		Restricted:     Unrestricted,
		OrgRole:        RoleMember,
		StandardClaims: jwt.StandardClaims{ExpiresAt: accessExpirationTime.Unix()},
	}

	accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
	accessTokenString, err := accessToken.SignedString(jwtKey)
	if err != nil {
		return "", err
	}
	return accessTokenString, nil
}

func ValidateAccessToken(accessTokenString string) (AccessTokenClaims, error) {
	accessClaims := &AccessTokenClaims{}
	accessToken, err := jwt.ParseWithClaims(accessTokenString, accessClaims, func(token *jwt.Token) (interface{}, error) {
		return jwtKey, nil
	})

	if err != nil {
		return *accessClaims, nil
	}

	if accessToken.Valid {
		log.WithFields(log.Fields{
			"token":        accessTokenString,
			"timeToExpire": time.Unix(accessClaims.ExpiresAt, 0),
		}).Debug("token is valid")
		return *accessClaims, nil
	}

	if ve, ok := err.(*jwt.ValidationError); ok {
		if ve.Errors&jwt.ValidationErrorMalformed != 0 {
			return AccessTokenClaims{}, &ErrMalformedToken{}
		} else if ve.Errors&(jwt.ValidationErrorExpired|jwt.ValidationErrorNotValidYet) != 0 {
			return AccessTokenClaims{}, &ErrExpiredToken{}
		}
	}
	return AccessTokenClaims{}, err
}

func NewRefreshToken(userID string) (string, time.Time, error) {
	refreshExpirationTime := time.Now().Add(24 * time.Hour)
	refreshClaims := &RefreshTokenClaims{
		UserID:         userID,
		StandardClaims: jwt.StandardClaims{ExpiresAt: refreshExpirationTime.Unix()},
	}

	refreshToken := jwt.NewWithClaims(jwt.SigningMethodHS256, refreshClaims)
	refreshTokenString, err := refreshToken.SignedString(jwtKey)
	if err != nil {
		return "", time.Time{}, err
	}
	return refreshTokenString, refreshExpirationTime, nil
}
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`package auth`
initial commit 2020-04-10 04:40:22 +02:00
			`import (`
			`"time"`

			`"github.com/dgrijalva/jwt-go"`
			`log "github.com/sirupsen/logrus"`
			`)`

chore: rename Citadel to Taskcafe 2020-08-07 03:50:35 +02:00			`var jwtKey = []byte("taskcafe_test_key")`
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00
feature: add first time install process 2020-07-17 02:40:23 +02:00			`type RestrictedMode string`

			`const (`
			`Unrestricted RestrictedMode = "unrestricted"`
			`InstallOnly = "install_only"`
			`)`

feat: enforce user roles enforces user admin role requirement for - creating / deleting / setting role for organization users - creating / deleting / setting role for project users - updating project name - deleting project hides action elements based on role for - admin console - team settings if team is only visible through project membership - add project tile if not team admin - project name text editor if not team / project admin - add redirect from team page if settings only visible through project membership - add redirect from admin console if not org admin role enforcement is handled on the api side through a custom GraphQL directive `hasRole`. on the client side, role information is fetched in the TopNavbar's `me` query and stored in the `UserContext`. there is a custom hook, `useCurrentUser`, that provides a user object with two functions, `isVisibile` & `isAdmin` which is used to check roles in order to render/hide relevant UI elements. 2020-08-01 03:01:14 +02:00			`type Role string`

			`const (`
			`RoleAdmin Role = "admin"`
			`RoleMember Role = "member"`
			`)`

cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`type AccessTokenClaims struct {`
feature: add first time install process 2020-07-17 02:40:23 +02:00			UserID string `json:"userId"`
			Restricted RestrictedMode `json:"restricted"`
feat: enforce user roles enforces user admin role requirement for - creating / deleting / setting role for organization users - creating / deleting / setting role for project users - updating project name - deleting project hides action elements based on role for - admin console - team settings if team is only visible through project membership - add project tile if not team admin - project name text editor if not team / project admin - add redirect from team page if settings only visible through project membership - add redirect from admin console if not org admin role enforcement is handled on the api side through a custom GraphQL directive `hasRole`. on the client side, role information is fetched in the TopNavbar's `me` query and stored in the `UserContext`. there is a custom hook, `useCurrentUser`, that provides a user object with two functions, `isVisibile` & `isAdmin` which is used to check roles in order to render/hide relevant UI elements. 2020-08-01 03:01:14 +02:00			OrgRole Role `json:"orgRole"`
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`jwt.StandardClaims`
			`}`

			`type RefreshTokenClaims struct {`
			UserID string `json:"userId"`
			`jwt.StandardClaims`
			`}`

			`type ErrExpiredToken struct{}`

			`func (r *ErrExpiredToken) Error() string {`
			`return "token is expired"`
			`}`

			`type ErrMalformedToken struct{}`

			`func (r *ErrMalformedToken) Error() string {`
			`return "token is malformed"`
			`}`

feat: enforce user roles enforces user admin role requirement for - creating / deleting / setting role for organization users - creating / deleting / setting role for project users - updating project name - deleting project hides action elements based on role for - admin console - team settings if team is only visible through project membership - add project tile if not team admin - project name text editor if not team / project admin - add redirect from team page if settings only visible through project membership - add redirect from admin console if not org admin role enforcement is handled on the api side through a custom GraphQL directive `hasRole`. on the client side, role information is fetched in the TopNavbar's `me` query and stored in the `UserContext`. there is a custom hook, `useCurrentUser`, that provides a user object with two functions, `isVisibile` & `isAdmin` which is used to check roles in order to render/hide relevant UI elements. 2020-08-01 03:01:14 +02:00			`func NewAccessToken(userID string, restrictedMode RestrictedMode, orgRole string) (string, error) {`
			`role := RoleMember`
			`if orgRole == "admin" {`
			`role = RoleAdmin`
			`}`
initial commit 2020-04-10 04:40:22 +02:00			`accessExpirationTime := time.Now().Add(5 * time.Second)`
			`accessClaims := &AccessTokenClaims{`
			`UserID: userID,`
feature: add first time install process 2020-07-17 02:40:23 +02:00			`Restricted: restrictedMode,`
feat: enforce user roles enforces user admin role requirement for - creating / deleting / setting role for organization users - creating / deleting / setting role for project users - updating project name - deleting project hides action elements based on role for - admin console - team settings if team is only visible through project membership - add project tile if not team admin - project name text editor if not team / project admin - add redirect from team page if settings only visible through project membership - add redirect from admin console if not org admin role enforcement is handled on the api side through a custom GraphQL directive `hasRole`. on the client side, role information is fetched in the TopNavbar's `me` query and stored in the `UserContext`. there is a custom hook, `useCurrentUser`, that provides a user object with two functions, `isVisibile` & `isAdmin` which is used to check roles in order to render/hide relevant UI elements. 2020-08-01 03:01:14 +02:00			`OrgRole: role,`
initial commit 2020-04-10 04:40:22 +02:00			`StandardClaims: jwt.StandardClaims{ExpiresAt: accessExpirationTime.Unix()},`
			`}`

			`accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)`
			`accessTokenString, err := accessToken.SignedString(jwtKey)`
			`if err != nil {`
			`return "", err`
			`}`
			`return accessTokenString, nil`
			`}`

			`func NewAccessTokenCustomExpiration(userID string, dur time.Duration) (string, error) {`
			`accessExpirationTime := time.Now().Add(dur)`
			`accessClaims := &AccessTokenClaims{`
			`UserID: userID,`
feature: add first time install process 2020-07-17 02:40:23 +02:00			`Restricted: Unrestricted,`
feat: enforce user roles enforces user admin role requirement for - creating / deleting / setting role for organization users - creating / deleting / setting role for project users - updating project name - deleting project hides action elements based on role for - admin console - team settings if team is only visible through project membership - add project tile if not team admin - project name text editor if not team / project admin - add redirect from team page if settings only visible through project membership - add redirect from admin console if not org admin role enforcement is handled on the api side through a custom GraphQL directive `hasRole`. on the client side, role information is fetched in the TopNavbar's `me` query and stored in the `UserContext`. there is a custom hook, `useCurrentUser`, that provides a user object with two functions, `isVisibile` & `isAdmin` which is used to check roles in order to render/hide relevant UI elements. 2020-08-01 03:01:14 +02:00			`OrgRole: RoleMember,`
initial commit 2020-04-10 04:40:22 +02:00			`StandardClaims: jwt.StandardClaims{ExpiresAt: accessExpirationTime.Unix()},`
			`}`

			`accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)`
			`accessTokenString, err := accessToken.SignedString(jwtKey)`
			`if err != nil {`
			`return "", err`
			`}`
			`return accessTokenString, nil`
			`}`

			`func ValidateAccessToken(accessTokenString string) (AccessTokenClaims, error) {`
			`accessClaims := &AccessTokenClaims{}`
			`accessToken, err := jwt.ParseWithClaims(accessTokenString, accessClaims, func(token *jwt.Token) (interface{}, error) {`
			`return jwtKey, nil`
			`})`

feature: various additions 2020-06-13 00:21:58 +02:00			`if err != nil {`
			`return *accessClaims, nil`
			`}`

initial commit 2020-04-10 04:40:22 +02:00			`if accessToken.Valid {`
			`log.WithFields(log.Fields{`
			`"token": accessTokenString,`
			`"timeToExpire": time.Unix(accessClaims.ExpiresAt, 0),`
cleanup: refactor api architecture & add user roles 2020-07-05 01:02:57 +02:00			`}).Debug("token is valid")`
initial commit 2020-04-10 04:40:22 +02:00			`return *accessClaims, nil`
			`}`

			`if ve, ok := err.(*jwt.ValidationError); ok {`
			`if ve.Errors&jwt.ValidationErrorMalformed != 0 {`
			`return AccessTokenClaims{}, &ErrMalformedToken{}`
			`} else if ve.Errors&(jwt.ValidationErrorExpired\|jwt.ValidationErrorNotValidYet) != 0 {`
			`return AccessTokenClaims{}, &ErrExpiredToken{}`
			`}`
			`}`
			`return AccessTokenClaims{}, err`
			`}`

			`func NewRefreshToken(userID string) (string, time.Time, error) {`
			`refreshExpirationTime := time.Now().Add(24 * time.Hour)`
			`refreshClaims := &RefreshTokenClaims{`
			`UserID: userID,`
			`StandardClaims: jwt.StandardClaims{ExpiresAt: refreshExpirationTime.Unix()},`
			`}`

			`refreshToken := jwt.NewWithClaims(jwt.SigningMethodHS256, refreshClaims)`
			`refreshTokenString, err := refreshToken.SignedString(jwtKey)`
			`if err != nil {`
			`return "", time.Time{}, err`
			`}`
			`return refreshTokenString, refreshExpirationTime, nil`
			`}`