aboutsummaryrefslogtreecommitdiff
path: root/cmd/server/auth.go
blob: 1adc366ef3bc46041163e1ef413d41be53d7e69a (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112

package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io/fs"
	"net/http"
	"os"

	"riedstra.dev/mitch/go-website/users"
)

const tokenKeyBytes = 128 / 8
const authConfFileMode = 0600

type Auth struct {
	Users []*users.SiteUser `json:"Users"`
	// How long are JWTs valid?
	LoginHours int `json:"LoginHours"`
	// JWT secret
	TokenKey string `json:"TokenKey"`
	// Are cookies HTTP only?
	HTTPOnly bool `json:"HTTPOnly"`
	// Do they require HTTPs?
	Secure bool `json:"SecureCookie"`
	// See https://pkg.go.dev/net/http#SameSite
	// You probably want this set to 3
	SameSiteStrict http.SameSite `json:"SameSiteStrict"`
}

func GenTokenKey() string {
	r := make([]byte, tokenKeyBytes)
	_, err := rand.Read(r)

	if err != nil {
		// Not my favorite thing, but I consider this to be a
		// critical issue
		panic(fmt.Errorf("reading random bytes: %w", err))
	}

	return base64.RawURLEncoding.EncodeToString(r)
}

func (a *App) ReadAuth(fn string) error { //nolint
	auth := &Auth{
		Users: []*users.SiteUser{
			{
				Username: "admin",
				Password: "admin",
			},
		},
		LoginHours:     1,
		TokenKey:       GenTokenKey(),
		HTTPOnly:       true,
		Secure:         true,
		SameSiteStrict: http.SameSiteStrictMode,
	}

	var dec *json.Decoder

	fh, err := os.Open(fn)
	if err != nil {
		if errors.Is(err, fs.ErrNotExist) {
			goto write
		}

		return fmt.Errorf("opening %s: %w", fn, err)
	}

	dec = json.NewDecoder(fh)
	dec.DisallowUnknownFields()

	err = dec.Decode(auth)
	if err != nil {
		return fmt.Errorf("decoding file %s: %w", fn, err)
	}

	err = fh.Close()
	if err != nil {
		return fmt.Errorf("closing file %s: %w", fn, err)
	}

	for _, u := range auth.Users {
		err = u.SetPasswordHashIfNecessary()
		if err != nil {
			return fmt.Errorf("setting password hash for: %s: %w",
				u.Username, err)
		}
	}

write:
	fh, err = os.OpenFile(fn, os.O_RDWR|os.O_CREATE|os.O_TRUNC, authConfFileMode)

	if err != nil {
		return fmt.Errorf("opening file %s: %w", fn, err)
	}

	enc := json.NewEncoder(fh)
	enc.SetIndent("", "    ")

	err = enc.Encode(auth)
	if err != nil {
		return fmt.Errorf("encoding to file %s: %w", fn, err)
	}

	a.auth = auth

	return nil
}
You can read more about the author.