aboutsummaryrefslogtreecommitdiff
path: root/cmd/server/auth.go
blob: caade978c01ba99851b982e1962b7e0064a789d5 (plain) (blame) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108

package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strings"

	"riedstra.dev/mitch/go-website/users"
)

type Auth struct {
	Users []*users.SiteUser `json:"Users"`
	// How long are JWTs valid?
	LoginHours int `json:"LoginHours"`
	// JWT secret
	TokenKey string `json:"TokenKey"`
	// Are cookies HTTP only?
	HTTPOnly bool `json:"HTTPOnly"`
	// Do they require HTTPs?
	Secure bool `json:"SecureCookie"`
	// See https://pkg.go.dev/net/http#SameSite
	// You probably want this set to 3
	SameSiteStrict http.SameSite `json:"SameSiteStrict"`
}

func GenTokenKey() string {
	r := make([]byte, 16) // 128 bits
	_, err := rand.Read(r)

	if err != nil {
		// Not my favorite thing, but I consider this to be a
		// critical issue
		panic(fmt.Errorf("reading random bytes: %w", err))
	}

	return base64.RawURLEncoding.EncodeToString(r)
}

func (a *App) ReadAuth(fn string) error { //nolint
	auth := &Auth{
		Users: []*users.SiteUser{
			{
				Username: "admin",
				Password: "admin",
			},
		},
		LoginHours:     1,
		TokenKey:       GenTokenKey(),
		HTTPOnly:       true,
		Secure:         true,
		SameSiteStrict: http.SameSiteStrictMode,
	}

	var dec *json.Decoder

	fh, err := os.Open(fn)
	if err != nil {
		if strings.Contains(err.Error(), "no such file") {
			goto write
		}

		return fmt.Errorf("opening %s: %w", fn, err)
	}

	dec = json.NewDecoder(fh)
	dec.DisallowUnknownFields()

	err = dec.Decode(auth)
	if err != nil {
		return fmt.Errorf("decoding file %s: %w", fn, err)
	}

	err = fh.Close()
	if err != nil {
		return fmt.Errorf("closing file %s: %w", fn, err)
	}

	for _, u := range auth.Users {
		err = u.SetPasswordHashIfNecessary()
		if err != nil {
			return fmt.Errorf("setting password hash for: %s: %w",
				u.Username, err)
		}
	}

write:
	fh, err = os.OpenFile(fn, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)

	if err != nil {
		return fmt.Errorf("opening file %s: %w", fn, err)
	}

	enc := json.NewEncoder(fh)
	enc.SetIndent("", "    ")

	err = enc.Encode(auth)
	if err != nil {
		return fmt.Errorf("encoding to file %s: %w", fn, err)
	}

	a.auth = auth

	return nil
}
You can read more about the author.