
  1. package auth
  2. /*
  3. ArOZ Online Authentication Module
  4. author: tobychui
  5. This system makes use of sessions (similar to PHP SESSION) to remember the user's login.
  6. See https://gowebexamples.com/sessions/ for detail.
  7. Auth database entries are stored under the following keys
  8. auth/login/{username}/passhash => hashed password
  9. auth/login/{username}/permission => permission level
  10. Other system variables related to auth
  11. auth/users/usercount => Number of users in the system
  12. Pre-requirement: imuslab.com/arozos/mod/database
  13. */
import (
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"log"
	"net/http"
	"strconv"
	"strings"
	"sync"
	"time"

	"github.com/gorilla/sessions"

	"imuslab.com/arozos/mod/auth/accesscontrol/blacklist"
	"imuslab.com/arozos/mod/auth/accesscontrol/whitelist"
	"imuslab.com/arozos/mod/auth/authlogger"
	"imuslab.com/arozos/mod/auth/explogin"
	db "imuslab.com/arozos/mod/database"
	"imuslab.com/arozos/mod/network"
	"imuslab.com/arozos/mod/utils"
)
//AuthAgent is the authentication service for the package. It keeps the logged-in state in a
//gorilla CookieStore session (the cookie is named SessionName) and the account records in the
//"auth" table of Database under the keys "passhash/{username}" and "group/{username}".
//Construct it with NewAuthenticationAgent and release it with Close.
type AuthAgent struct {
	//Session related
	SessionName             string                                   //name of the session/cookie passed to SessionStore.Get
	SessionStore            *sessions.CookieStore                    //cookie-backed session store created from the key given to the constructor
	Database                *db.Database                             //system database holding the "auth" table
	LoginRedirectionHandler func(http.ResponseWriter, *http.Request) //called by HandleCheckAuth when the request is not authenticated
	//Token related
	ExpireTime             int64     //Set this to 0 to disable token access
	tokenStore             sync.Map  //cleared periodically by the goroutine started in NewAuthenticationAgent (see ClearTokenStore)
	terminateTokenListener chan bool //Close sends on this channel to stop that goroutine
	mutex                  *sync.Mutex //NOTE(review): not used in this file; what it guards is defined elsewhere — confirm before relying on it
	//Autologin Related
	AllowAutoLogin  bool              //false after construction; presumably toggled elsewhere to enable autologin tokens
	autoLoginTokens []*AutoLoginToken //managed by the autologin helpers (RemoveAutologinTokenByUsername is called from UnregisterUser)
	//Exponential Delay Retry Handler
	ExpDelayHandler *explogin.ExpLoginHandler //per-user/per-request retry delay consulted by HandleLogin
	//IPLists manager
	WhitelistManager *whitelist.WhiteList //when Enabled, only whitelisted IPs may log in (ValidateLoginIpAccess)
	BlacklistManager *blacklist.BlackList //when Enabled, banned IPs may not log in (ValidateLoginIpAccess)
	//Logger
	Logger *authlogger.Logger //records every login attempt and its outcome; closed by Close
}
//AuthEndpoints groups the route paths of the authentication handlers.
//It is not referenced in this file; presumably the HTTP router uses it to mount the Handle* methods — confirm against the caller.
type AuthEndpoints struct {
	Login         string //route served by HandleLogin
	Logout        string //route served by HandleLogout
	Register      string //route served by HandleRegister
	CheckLoggedIn string //route served by CheckLogin
	Autologin     string //route for the autologin handler (defined elsewhere)
}
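//NewAuthenticationAgent constructs an AuthAgent backed by sysdb.
//sessionName is the session/cookie name, key is the CookieStore key that authenticates the session
//cookie (it must be kept secret and stable across restarts), and loginRedirectionHandler is what
//HandleCheckAuth falls back to for unauthenticated requests. allowReg is accepted for interface
//compatibility but is not used here.
//It panics if the "auth" table or the auth logger cannot be created. It also starts a goroutine
//that clears the token store every 5 minutes; Close stops it and releases its ticker.
func NewAuthenticationAgent(sessionName string, key []byte, sysdb *db.Database, allowReg bool, loginRedirectionHandler func(http.ResponseWriter, *http.Request)) *AuthAgent {
	store := sessions.NewCookieStore(key)
	if err := sysdb.NewTable("auth"); err != nil {
		log.Println("Failed to create auth database. Terminating.")
		panic(err)
	}

	//Create a ticker to clean out outdated tokens every 5 minutes
	ticker := time.NewTicker(300 * time.Second)
	done := make(chan bool)

	//Create an exponential login delay handler; the two arguments are passed through unchanged,
	//their meaning is defined by the explogin package
	expLoginHandler := explogin.NewExponentialLoginHandler(2, 10800)

	//IP allow/deny list managers share the system database
	thisWhitelistManager := whitelist.NewWhitelistManager(sysdb)
	thisBlacklistManager := blacklist.NewBlacklistManager(sysdb)

	//Logger for every login request
	newLogger, err := authlogger.NewLogger()
	if err != nil {
		panic(err)
	}

	newAuthAgent := AuthAgent{
		SessionName:             sessionName,
		SessionStore:            store,
		Database:                sysdb,
		LoginRedirectionHandler: loginRedirectionHandler,
		tokenStore:              sync.Map{},
		ExpireTime:              120,
		terminateTokenListener:  done,
		mutex:                   &sync.Mutex{},
		//Auto login management
		AllowAutoLogin:  false,
		autoLoginTokens: []*AutoLoginToken{},
		//Blacklist management
		WhitelistManager: thisWhitelistManager,
		BlacklistManager: thisBlacklistManager,
		ExpDelayHandler:  expLoginHandler,
		Logger:           newLogger,
	}

	//Token store cleaner. It runs until Close signals done; the ticker is stopped on exit so it
	//does not keep firing after the listener is gone.
	go func(listeningAuthAgent *AuthAgent) {
		defer ticker.Stop()
		for {
			select {
			case <-done:
				return
			case <-ticker.C:
				listeningAuthAgent.ClearTokenStore()
			}
		}
	}(&newAuthAgent)

	return &newAuthAgent
}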
//Close stops the token-cleanup goroutine started by NewAuthenticationAgent and closes the
//auth logger database. The send below blocks until that goroutine receives the signal, so
//Close must be called at most once.
func (a *AuthAgent) Close() {
	stop := a.terminateTokenListener
	stop <- true
	a.Logger.Close()
}
//HandleCheckAuth runs handler when the request carries an authenticated session and otherwise
//hands the request to LoginRedirectionHandler (the login page redirect).
func (a *AuthAgent) HandleCheckAuth(w http.ResponseWriter, r *http.Request, handler func(http.ResponseWriter, *http.Request)) {
	if !a.CheckAuth(r) {
		//Not logged in: send the client to the login flow
		a.LoginRedirectionHandler(w, r)
		return
	}
	handler(w, r)
}
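//HandleLogin handles a login request. It requires the POST fields "username" and "password";
//the optional field "rmbme" (the string "true") makes LoginUserByRequest issue a one-week session.
//Checks run in this order: parameters, exponential retry delay, origin IP allow/deny lists, and
//only then the credentials. Consulting the IP lists before the password is verified means a
//blocked origin gets the same rejection whatever it submits and cannot use the difference
//between "banned" and "invalid password" answers to confirm a guess.
//Every attempt and its outcome is recorded through Logger.LogAuth.
func (a *AuthAgent) HandleLogin(w http.ResponseWriter, r *http.Request) {
	//Get username from request using POST mode
	username, err := utils.Mv(r, "username", true)
	if err != nil {
		//Username not defined
		log.Println("[System Auth] Someone trying to login with username: " + username)
		a.Logger.LogAuth(r, false)
		sendErrorResponse(w, "Username not defined or empty.")
		return
	}

	//Get password from request using POST mode
	password, err := utils.Mv(r, "password", true)
	if err != nil {
		//Password not defined
		a.Logger.LogAuth(r, false)
		sendErrorResponse(w, "Password not defined or empty.")
		return
	}

	//"rmbme" is optional: a missing field is the same as "not set"
	rmbme, _ := utils.Mv(r, "rmbme", true)
	rememberme := rmbme == "true"

	//Check Exponential Login Handler
	ok, nextRetryIn := a.ExpDelayHandler.AllowImmediateAccess(username, r)
	if !ok {
		//Too many request! (maybe the account is under brute force attack?)
		a.ExpDelayHandler.AddUserRetrycount(username, r)
		sendErrorResponse(w, "Too many request! Next retry in "+strconv.Itoa(int(nextRetryIn))+" seconds")
		return
	}

	//Check if this request origin is allowed to access, before the credentials are looked at
	allowed, reason := a.ValidateLoginRequest(w, r)
	if !allowed {
		msg := "Login request rejected"
		if reason != nil { //ValidateLoginRequest may return false with a nil error
			msg = reason.Error()
		}
		a.Logger.LogAuth(r, false)
		sendErrorResponse(w, msg)
		return
	}

	//Check the database and see if this user exists and the password matches
	passwordCorrect, rejectionReason := a.ValidateUsernameAndPasswordWithReason(username, password)
	if !passwordCorrect {
		//Password incorrect (or unknown user; the reason text is the same for both)
		log.Println(username + " login request rejected: " + rejectionReason)
		a.ExpDelayHandler.AddUserRetrycount(username, r)
		sendErrorResponse(w, rejectionReason)
		a.Logger.LogAuth(r, false)
		return
	}

	// Set user as authenticated
	a.LoginUserByRequest(w, r, username, rememberme)
	//Reset user retry count if any
	a.ExpDelayHandler.ResetUserRetryCount(username, r)
	log.Println(username + " logged in.")
	a.Logger.LogAuth(r, true)
	sendOK(w)
}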
//ValidateUsernameAndPassword reports whether password is the stored password of username.
//It is ValidateUsernameAndPasswordWithReason without the rejection text.
func (a *AuthAgent) ValidateUsernameAndPassword(username string, password string) bool {
	matched, _ := a.ValidateUsernameAndPasswordWithReason(username, password)
	return matched
}
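//ValidateUsernameAndPasswordWithReason checks password against the hash stored at
//"passhash/{username}" in the "auth" table. It returns (true, "") on a match and
//(false, "Invalid username or password") both when the user is unknown (or the read fails) and
//when the password is wrong, so the caller cannot tell the two cases apart from the reason.
//The password is hashed before the lookup and the digests are compared in constant time, so the
//time taken does not depend on how much of the stored digest matched.
func (a *AuthAgent) ValidateUsernameAndPasswordWithReason(username string, password string) (bool, string) {
	const rejection = "Invalid username or password"

	hashedPassword := Hash(password)
	var passwordInDB string
	if err := a.Database.Read("auth", "passhash/"+username, &passwordInDB); err != nil {
		//User not found or db exception
		return false, rejection
	}

	//ConstantTimeCompare returns 1 only for equal length and equal contents
	if subtle.ConstantTimeCompare([]byte(passwordInDB), []byte(hashedPassword)) == 1 {
		return true, ""
	}
	return false, rejection
}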
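//ValidateLoginRequest decides whether the origin of r may log in, by resolving the client IP
//and passing it to ValidateLoginIpAccess. w is unused and kept for interface compatibility.
//When the client IP cannot be determined the request is refused with a non-nil error; callers
//print the error text, so a nil error next to false would make them dereference nil.
func (a *AuthAgent) ValidateLoginRequest(w http.ResponseWriter, r *http.Request) (bool, error) {
	//Get the ip address of the request
	clientIP, err := network.GetIpFromRequest(r)
	if err != nil {
		//Fail closed; the underlying error is not echoed to the client
		return false, errors.New("Unable to determine the origin of this request")
	}
	return a.ValidateLoginIpAccess(clientIP)
}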
//ValidateLoginIpAccess applies the IP allow/deny lists to ipv4 (spaces are stripped first).
//The whitelist is consulted first: when it is enabled, an address not on it is refused. Then
//the blacklist: when it is enabled, a banned address is refused. The returned error carries
//the reason text shown to the client.
func (a *AuthAgent) ValidateLoginIpAccess(ipv4 string) (bool, error) {
	addr := strings.ReplaceAll(ipv4, " ", "")
	switch {
	case a.WhitelistManager.Enabled && !a.WhitelistManager.IsWhitelisted(addr):
		//Whitelist enabled but this IP is not whitelisted
		return false, errors.New("Your IP is not whitelisted on this host")
	case a.BlacklistManager.Enabled && a.BlacklistManager.IsBanned(addr):
		//This address is banned
		return false, errors.New("Your IP is banned by this host")
	}
	return true, nil
}
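//LoginUserByRequest marks the session of r as authenticated for username and writes it back
//as the session cookie. With rememberme the cookie lives one week, otherwise one hour.
//The cookie is issued HttpOnly (not readable from page scripts) and SameSite=Lax (not sent on
//cross-site POSTs); Secure is not set here because whether the deployment serves TLS is not
//known to this package.
func (a *AuthAgent) LoginUserByRequest(w http.ResponseWriter, r *http.Request, username string, rememberme bool) {
	//A decode error yields a fresh session, which is what a login wants anyway
	session, _ := a.SessionStore.Get(r, a.SessionName)
	session.Values["authenticated"] = true
	session.Values["username"] = username
	session.Values["rememberMe"] = rememberme

	maxAge := 3600 * 1 //One hour
	if rememberme {
		maxAge = 3600 * 24 * 7 //One week
	}
	session.Options = &sessions.Options{
		MaxAge:   maxAge,
		Path:     "/",
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}

	//The handler has no error return; a failed save leaves the client without a session cookie
	if err := session.Save(r, w); err != nil {
		log.Println("[System Auth] Failed to save session for " + username + ": " + err.Error())
	}
}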
//HandleLogout revokes the session of r and replies "OK". It does not redirect.
//On failure it replies with an error response instead.
func (a *AuthAgent) HandleLogout(w http.ResponseWriter, r *http.Request) {
	//Only log a name when there is an authenticated session to take it from
	if username, _ := a.GetUserName(w, r); username != "" {
		log.Println(username + " logged out.")
	}

	// Revoke users authentication
	if err := a.Logout(w, r); err != nil {
		sendErrorResponse(w, "Logout failed")
		return
	}
	w.Write([]byte("OK"))
}
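//Logout clears the authenticated flag and the username in the session of r and saves it.
//It returns the session-decode error or the save error; a failed save is reported so the
//caller does not tell the client the logout succeeded while the old cookie is still valid.
func (a *AuthAgent) Logout(w http.ResponseWriter, r *http.Request) error {
	session, err := a.SessionStore.Get(r, a.SessionName)
	if err != nil {
		return err
	}
	session.Values["authenticated"] = false
	session.Values["username"] = nil
	return session.Save(r, w)
}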
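//GetUserName returns the username stored in the authenticated session of r.
//It returns an error when the session is not authenticated or carries no string username;
//the type assertion is checked so a malformed session value cannot panic the handler.
//w is unused and kept for interface compatibility.
func (a *AuthAgent) GetUserName(w http.ResponseWriter, r *http.Request) (string, error) {
	if !a.CheckAuth(r) {
		//This user has not logged in.
		return "", errors.New("User not logged in")
	}
	session, _ := a.SessionStore.Get(r, a.SessionName)
	username, ok := session.Values["username"].(string)
	if !ok {
		//Authenticated flag set but no usable username in the session
		return "", errors.New("User not logged in")
	}
	return username, nil
}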
//CheckLogin replies with the JSON literal true or false depending on whether r carries an
//authenticated session.
func (a *AuthAgent) CheckLogin(w http.ResponseWriter, r *http.Request) {
	reply := "false"
	if a.CheckAuth(r) {
		reply = "true"
	}
	sendJSONResponse(w, reply)
}
//HandleRegister creates a new user. It requires the POST fields "username", "password" and
//"group". While the system has no users at all the request needs no session (bootstrap of the
//first account); afterwards an authenticated session is required. No role check is done here.
func (a *AuthAgent) HandleRegister(w http.ResponseWriter, r *http.Request) {
	userCount := a.GetUserCounts()

	//Collect the three mandatory parameters; the first missing one ends the request
	var fields [3]string
	for i, name := range []string{"username", "password", "group"} {
		value, err := utils.Mv(r, name, true)
		if err != nil {
			sendTextResponse(w, "Error. Missing '"+name+"' paramter")
			return
		}
		fields[i] = value
	}
	newusername, password, group := fields[0], fields[1], fields[2]

	//With at least one user in the system, creating another one requires being logged in
	if userCount > 0 && !a.CheckAuth(r) {
		sendErrorResponse(w, "Login is needed to create new user")
		return
	}

	if err := a.CreateUserAccount(newusername, password, []string{group}); err != nil {
		sendErrorResponse(w, err.Error())
		return
	}

	sendOK(w)
	log.Println("[System Auth] New user " + newusername + " added to system.")
}
//CheckAuth reports whether the session of r has its "authenticated" value set to true.
//A missing value or a value of another type counts as not authenticated.
func (a *AuthAgent) CheckAuth(r *http.Request) bool {
	session, _ := a.SessionStore.Get(r, a.SessionName)
	authenticated, isBool := session.Values["authenticated"].(bool)
	return isBool && authenticated
}
//HandleUnregister removes a user. It requires the POST field "username" and an authenticated
//session. It performs NO permission check of its own (the admin check that once lived here is
//disabled), so it must be mounted behind a permission handler.
func (a *AuthAgent) HandleUnregister(w http.ResponseWriter, r *http.Request) {
	if !a.CheckAuth(r) {
		//This user has not logged in
		sendErrorResponse(w, "Login required to remove user from the system.")
		return
	}

	username, err := utils.Mv(r, "username", true)
	if err != nil {
		sendErrorResponse(w, "Missing 'username' paramter")
		return
	}

	if err := a.UnregisterUser(username); err != nil {
		sendErrorResponse(w, err.Error())
		return
	}

	sendOK(w)
	log.Println("[system_auth] User " + username + " has been removed from the system.")
}
//UnregisterUser deletes the account records of username ("passhash/", "group/", "acstatus/"
//and "profilepic/" keys of the "auth" table) and its autologin tokens. It returns an error
//when no "passhash/" record exists. The results of the individual deletes are not checked.
func (a *AuthAgent) UnregisterUser(username string) error {
	if !a.Database.KeyExists("auth", "passhash/"+username) {
		//This user do not exists.
		return errors.New("This user does not exists.")
	}

	//Remove every record kept for this user, in the same order as before
	for _, prefix := range []string{"passhash/", "group/", "acstatus/", "profilepic/"} {
		a.Database.Delete("auth", prefix+username)
	}

	//Remove the user's autologin tokens
	a.RemoveAutologinTokenByUsername(username)
	return nil
}
//GetUserCounts returns the number of "passhash/" entries in the "auth" table, i.e. the number
//of registered users. A failed table listing counts as zero users, which is also logged.
func (a *AuthAgent) GetUserCounts() int {
	entries, _ := a.Database.ListTable("auth")
	count := 0
	for _, entry := range entries {
		key := string(entry[0])
		if !strings.Contains(key, "passhash/") {
			continue
		}
		//This is a user registry
		count++
	}
	if count == 0 {
		log.Println("There are no user in the database.")
	}
	return count
}
//ListUsers returns the usernames found in the "group/{username}" entries of the "auth" table.
//The name is the second "/"-separated segment of the key, so a username containing "/" would
//be returned truncated. The result is an empty (non-nil) slice when there are none.
func (a *AuthAgent) ListUsers() []string {
	entries, _ := a.Database.ListTable("auth")
	usernames := []string{}
	for _, entry := range entries {
		key := string(entry[0])
		if !strings.Contains(key, "group/") {
			continue
		}
		segments := strings.Split(key, "/")
		usernames = append(usernames, segments[1])
	}
	return usernames
}
//UserExists reports whether a non-empty password hash is stored for username.
//A failed read or an empty stored value both mean "does not exist".
func (a *AuthAgent) UserExists(username string) bool {
	var storedHash string
	if err := a.Database.Read("auth", "passhash/"+username, &storedHash); err != nil {
		return false
	}
	return storedHash != ""
}
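//UpdateSessionExpireTime re-issues the session cookie of r with a fresh lifetime (one week
//when the session was created with remember-me, one hour otherwise) and reports whether the
//session was authenticated. It returns false, without touching the cookie, for a request that
//carries no session or no boolean "authenticated" value; the checked type assertions keep a
//first-time visitor from panicking the handler. The cookie attributes match LoginUserByRequest.
func (a *AuthAgent) UpdateSessionExpireTime(w http.ResponseWriter, r *http.Request) bool {
	session, _ := a.SessionStore.Get(r, a.SessionName)
	authenticated, ok := session.Values["authenticated"].(bool)
	if !ok || !authenticated {
		return false
	}

	//A missing or non-boolean rememberMe is treated as "not set"
	rememberme, _ := session.Values["rememberMe"].(bool)
	maxAge := 3600 * 1 //One hour
	if rememberme {
		maxAge = 3600 * 24 * 7 //One week
	}
	session.Options = &sessions.Options{
		MaxAge:   maxAge,
		Path:     "/",
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}

	//The return value reports authentication, not whether the cookie was re-issued, so a failed
	//save is logged rather than turned into false
	if err := session.Save(r, w); err != nil {
		log.Println("[System Auth] Failed to extend session: " + err.Error())
	}
	return true
}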
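//CreateUserAccount stores a new account: the hash of password at "passhash/{newusername}" and
//the group list at "group/{newusername}" in the "auth" table.
//It refuses an empty username and a username that already has a password hash, so a caller
//such as HandleRegister cannot replace the password of an existing account by re-registering
//its name. Write errors from the database are returned as-is; if the second write fails the
//password hash has already been stored.
//Password strength is not checked here. Usernames containing "/" are accepted but ListUsers
//would report them truncated at the first "/".
func (a *AuthAgent) CreateUserAccount(newusername string, password string, group []string) error {
	if newusername == "" {
		return errors.New("Username cannot be empty")
	}
	if a.Database.KeyExists("auth", "passhash/"+newusername) {
		return errors.New("This user already exists.")
	}

	hashedPassword := Hash(password)
	if err := a.Database.Write("auth", "passhash/"+newusername, hashedPassword); err != nil {
		return err
	}

	//Store this user's usergroup settings
	return a.Database.Write("auth", "group/"+newusername, group)
}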
//Hash returns the lowercase hex encoding of the SHA-512 digest of raw (128 hex characters).
//It is a single unsalted, fast hash; this is what the stored password hashes are produced with,
//so switching to a salted, slow password KDF would require re-hashing every stored credential.
func Hash(raw string) string {
	digest := sha512.Sum512([]byte(raw))
	return hex.EncodeToString(digest[:])
}