refactor: remove pocketbase (#1138)

app/auth/token.go

@@ -0,0 +1,225 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+
+	"github.com/SecurityBrewery/catalyst/app/database/sqlc"
+	"github.com/SecurityBrewery/catalyst/app/settings"
+)
+
+const (
+	purposeAccess = "access"
+	purposeReset  = "reset"
+	scopeReset    = "reset"
+)
+
+func CreateAccessToken(ctx context.Context, user *sqlc.User, permissions []string, duration time.Duration, queries *sqlc.Queries) (string, error) {
+	settings, err := settings.Load(ctx, queries)
+	if err != nil {
+		return "", fmt.Errorf("failed to load settings: %w", err)
+	}
+
+	return createToken(user, duration, purposeAccess, permissions, settings.Meta.AppURL, settings.RecordAuthToken.Secret)
+}
+
+func createResetToken(user *sqlc.User, settings *settings.Settings) (string, error) {
+	duration := time.Duration(settings.RecordPasswordResetToken.Duration) * time.Second
+
+	return createResetTokenWithDuration(user, settings.Meta.AppURL, settings.RecordPasswordResetToken.Secret, duration)
+}
+
+func createResetTokenWithDuration(user *sqlc.User, url, appToken string, duration time.Duration) (string, error) {
+	return createToken(user, duration, purposeReset, []string{scopeReset}, url, appToken)
+}
+
+func createToken(user *sqlc.User, duration time.Duration, purpose string, scopes []string, url, appToken string) (string, error) {
+	if scopes == nil {
+		scopes = []string{}
+	}
+
+	claims := jwt.MapClaims{
+		"sub":     user.ID,
+		"exp":     time.Now().Add(duration).Unix(),
+		"iat":     time.Now().Unix(),
+		"iss":     url,
+		"purpose": purpose,
+		"scopes":  scopes,
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+
+	signingKey := user.Tokenkey + appToken
+
+	return token.SignedString([]byte(signingKey))
+}
+
+func verifyToken(tokenStr string, user *sqlc.User, url, appToken string) (jwt.MapClaims, error) { //nolint:cyclop
+	signingKey := user.Tokenkey + appToken
+
+	token, err := jwt.Parse(tokenStr, func(t *jwt.Token) (any, error) {
+		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected algorithm: %v", t.Header["alg"])
+		}
+
+		return []byte(signingKey), nil
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to verify token: %w", err)
+	}
+
+	if !token.Valid {
+		return nil, fmt.Errorf("token invalid")
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return nil, fmt.Errorf("invalid token claims")
+	}
+
+	iss, err := claims.GetIssuer()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get issuer: %w", err)
+	}
+
+	if iss != url {
+		return nil, fmt.Errorf("token issued by a different server")
+	}
+
+	sub, err := claims.GetSubject()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get subject: %w", err)
+	}
+
+	if sub != user.ID {
+		return nil, fmt.Errorf("token belongs to a different user")
+	}
+
+	iat, err := claims.GetExpirationTime()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get expiration time: %w", err)
+	}
+
+	if iat.Before(time.Now()) {
+		return nil, fmt.Errorf("token expired")
+	}
+
+	return claims, nil
+}
+
+func verifyAccessToken(ctx context.Context, bearerToken string, queries *sqlc.Queries) (*sqlc.User, jwt.MapClaims, error) {
+	token, _, err := jwt.NewParser().ParseUnverified(bearerToken, jwt.MapClaims{})
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to parse token: %w", err)
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return nil, nil, fmt.Errorf("failed to parse token claims")
+	}
+
+	sub, err := claims.GetSubject()
+	if err != nil {
+		return nil, nil, fmt.Errorf("token invalid: %w", err)
+	}
+
+	user, err := queries.GetUser(ctx, sub)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to retrieve user for subject %s: %w", sub, err)
+	}
+
+	settings, err := settings.Load(ctx, queries)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to load settings: %w", err)
+	}
+
+	claims, err = verifyToken(bearerToken, &user, settings.Meta.AppURL, settings.RecordAuthToken.Secret)
+	if err != nil {
+		return nil, nil, fmt.Errorf("failed to verify token: %w", err)
+	}
+
+	if err := hasPurpose(claims, purposeAccess); err != nil {
+		return nil, nil, fmt.Errorf("failed to check scopes: %w", err)
+	}
+
+	return &user, claims, nil
+}
+
+func verifyResetToken(tokenStr string, user *sqlc.User, url, appToken string) error {
+	claims, err := verifyToken(tokenStr, user, url, appToken)
+	if err != nil {
+		return err
+	}
+
+	iat, err := claims.GetIssuedAt()
+	if err != nil {
+		return fmt.Errorf("failed to get issued at: %w", err)
+	}
+
+	lastUpdated := user.Updated // TODO: create a last reset at column
+
+	if iat.Before(lastUpdated) {
+		return fmt.Errorf("token already used")
+	}
+
+	if err := hasPurpose(claims, purposeReset); err != nil {
+		return fmt.Errorf("failed to check scopes: %w", err)
+	}
+
+	return nil
+}
+
+func hasPurpose(claim jwt.MapClaims, expectedPurpose string) error {
+	purpose, err := purpose(claim)
+	if err != nil {
+		return fmt.Errorf("failed to get purposes: %w", err)
+	}
+
+	if purpose != expectedPurpose {
+		return fmt.Errorf("token has wrong purpose: %s, expected: %s", purpose, expectedPurpose)
+	}
+
+	return nil
+}
+
+func purpose(claim jwt.MapClaims) (string, error) {
+	purposeClaim, ok := claim["purpose"]
+	if !ok {
+		return "", fmt.Errorf("no purpose found")
+	}
+
+	purpose, ok := purposeClaim.(string)
+	if !ok {
+		return "", fmt.Errorf("invalid purpose type")
+	}
+
+	return purpose, nil
+}
+
+func scopes(claim jwt.MapClaims) ([]string, error) {
+	scopesClaim, ok := claim["scopes"]
+	if !ok {
+		return nil, fmt.Errorf("no scopes found")
+	}
+
+	scopesSlice, ok := scopesClaim.([]any)
+	if !ok {
+		return nil, fmt.Errorf("invalid scopes claim type: %T", scopesClaim)
+	}
+
+	scopes := make([]string, 0, len(scopesSlice))
+
+	for _, scope := range scopesSlice {
+		scopeStr, ok := scope.(string)
+		if !ok {
+			return nil, fmt.Errorf("invalid scope claim element type: %T", scope)
+		}
+
+		scopes = append(scopes, scopeStr)
+	}
+
+	return scopes, nil
+}