Core implementation written with Junie.

2025-06-06 10:15:49 -07:00
parent 0ef669352f
commit e22c12fd39
28 changed files with 2597 additions and 24 deletions
--- a/api/auth.go
+++ b/api/auth.go
@@ -0,0 +1,266 @@
+package api
+
+import (
+	"database/sql"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strings"
+	"time"
+
+	"git.wntrmute.dev/kyle/mcias/data"
+	"github.com/oklog/ulid/v2"
+)
+
+type LoginRequest struct {
+	Version string     `json:"version"`
+	Login   data.Login `json:"login"`
+}
+
+type TokenResponse struct {
+	Token   string `json:"token"`
+	Expires int64  `json:"expires"`
+}
+
+type ErrorResponse struct {
+	Error string `json:"error"`
+}
+
+type DatabaseCredentials struct {
+	Host     string `json:"host"`
+	Port     int    `json:"port"`
+	Name     string `json:"name"`
+	User     string `json:"user"`
+	Password string `json:"password"`
+}
+
+func (s *Server) handlePasswordLogin(w http.ResponseWriter, r *http.Request) {
+	var req LoginRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		s.sendError(w, "Invalid request format", http.StatusBadRequest)
+		return
+	}
+
+	if req.Version != "v1" || req.Login.User == "" || req.Login.Password == "" {
+		s.sendError(w, "Invalid login request", http.StatusBadRequest)
+		return
+	}
+
+	user, err := s.getUserByUsername(req.Login.User)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			s.sendError(w, "Invalid username or password", http.StatusUnauthorized)
+		} else {
+			s.Logger.Printf("Database error: %v", err)
+			s.sendError(w, "Internal server error", http.StatusInternalServerError)
+		}
+		return
+	}
+
+	if !user.Check(&req.Login) {
+		s.sendError(w, "Invalid username or password", http.StatusUnauthorized)
+		return
+	}
+
+	token, expires, err := s.createToken(user.ID)
+	if err != nil {
+		s.Logger.Printf("Token creation error: %v", err)
+		s.sendError(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	if err := json.NewEncoder(w).Encode(TokenResponse{
+		Token:   token,
+		Expires: expires,
+	}); err != nil {
+		s.Logger.Printf("Error encoding response: %v", err)
+	}
+}
+
+func (s *Server) handleTokenLogin(w http.ResponseWriter, r *http.Request) {
+	var req LoginRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		s.sendError(w, "Invalid request format", http.StatusBadRequest)
+		return
+	}
+
+	if req.Version != "v1" || req.Login.User == "" || req.Login.Token == "" {
+		s.sendError(w, "Invalid login request", http.StatusBadRequest)
+		return
+	}
+
+	userID, err := s.verifyToken(req.Login.User, req.Login.Token)
+	if err != nil {
+		s.sendError(w, "Invalid or expired token", http.StatusUnauthorized)
+		return
+	}
+
+	token, expires, err := s.createToken(userID)
+	if err != nil {
+		s.Logger.Printf("Token creation error: %v", err)
+		s.sendError(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	if err := json.NewEncoder(w).Encode(TokenResponse{
+		Token:   token,
+		Expires: expires,
+	}); err != nil {
+		s.Logger.Printf("Error encoding response: %v", err)
+	}
+}
+
+func (s *Server) sendError(w http.ResponseWriter, message string, status int) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	if err := json.NewEncoder(w).Encode(ErrorResponse{Error: message}); err != nil {
+		s.Logger.Printf("Error encoding error response: %v", err)
+	}
+}
+
+func (s *Server) getUserByUsername(username string) (*data.User, error) {
+	query := `SELECT id, created, user, password, salt FROM users WHERE user = ?`
+	row := s.DB.QueryRow(query, username)
+
+	user := &data.User{}
+	err := row.Scan(&user.ID, &user.Created, &user.User, &user.Password, &user.Salt)
+	if err != nil {
+		return nil, err
+	}
+
+	rolesQuery := `
+		SELECT r.role FROM roles r
+		JOIN user_roles ur ON r.id = ur.rid
+		WHERE ur.uid = ?
+	`
+	rows, err := s.DB.Query(rolesQuery, user.ID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var roles []string
+	for rows.Next() {
+		var role string
+		if err := rows.Scan(&role); err != nil {
+			return nil, err
+		}
+		roles = append(roles, role)
+	}
+	user.Roles = roles
+
+	return user, nil
+}
+
+func (s *Server) createToken(userID string) (string, int64, error) {
+	token := ulid.Make().String()
+
+	expires := time.Now().Add(24 * time.Hour).Unix()
+	query := `INSERT INTO tokens (id, uid, token, expires) VALUES (?, ?, ?, ?)`
+	tokenID := ulid.Make().String()
+	_, err := s.DB.Exec(query, tokenID, userID, token, expires)
+	if err != nil {
+		return "", 0, err
+	}
+
+	return token, expires, nil
+}
+
+func (s *Server) verifyToken(username, token string) (string, error) {
+	query := `
+		SELECT t.uid, t.expires FROM tokens t
+		JOIN users u ON t.uid = u.id
+		WHERE u.user = ? AND t.token = ?
+	`
+	var userID string
+	var expires int64
+	err := s.DB.QueryRow(query, username, token).Scan(&userID, &expires)
+	if err != nil {
+		return "", err
+	}
+
+	if expires > 0 && expires < time.Now().Unix() {
+		return "", errors.New("token expired")
+	}
+
+	return userID, nil
+}
+
+func (s *Server) handleDatabaseCredentials(w http.ResponseWriter, r *http.Request) {
+	// Extract authorization header
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		s.sendError(w, "Authorization header required", http.StatusUnauthorized)
+		return
+	}
+
+	// Check if it's a Bearer token
+	parts := strings.Split(authHeader, " ")
+	if len(parts) != 2 || strings.ToLower(parts[0]) != "bearer" {
+		s.sendError(w, "Invalid authorization format", http.StatusUnauthorized)
+		return
+	}
+
+	token := parts[1]
+	username := r.URL.Query().Get("username")
+	if username == "" {
+		s.sendError(w, "Username parameter required", http.StatusBadRequest)
+		return
+	}
+
+	// Verify the token
+	_, err := s.verifyToken(username, token)
+	if err != nil {
+		s.sendError(w, "Invalid or expired token", http.StatusUnauthorized)
+		return
+	}
+
+	// Check if user has admin role
+	user, err := s.getUserByUsername(username)
+	if err != nil {
+		s.Logger.Printf("Database error: %v", err)
+		s.sendError(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+
+	hasAdminRole := false
+	for _, role := range user.Roles {
+		if role == "admin" {
+			hasAdminRole = true
+			break
+		}
+	}
+
+	if !hasAdminRole {
+		s.sendError(w, "Insufficient permissions", http.StatusForbidden)
+		return
+	}
+
+	// Retrieve database credentials
+	query := `SELECT id, host, port, name, user, password FROM database LIMIT 1`
+	row := s.DB.QueryRow(query)
+
+	var id string
+	var creds DatabaseCredentials
+	err = row.Scan(&id, &creds.Host, &creds.Port, &creds.Name, &creds.User, &creds.Password)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			s.sendError(w, "No database credentials found", http.StatusNotFound)
+		} else {
+			s.Logger.Printf("Database error: %v", err)
+			s.sendError(w, "Internal server error", http.StatusInternalServerError)
+		}
+		return
+	}
+
+	// Return the credentials
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	if err := json.NewEncoder(w).Encode(creds); err != nil {
+		s.Logger.Printf("Error encoding response: %v", err)
+	}
+}