Пример #1
0
func authenticate(c *bitmonster.Context) (err error) {
	// Get the socket.
	s := c.Socket()

	// Reset the session authentication values if an error occurs.
	defer func() {
		if err == nil {
			return
		}

		// Reset the socket authentication values.
		resetAuthSocketValue(s)
	}()

	// Obtain the authentication data from the context.
	authData := struct {
		Token       string `json:"token"`
		Fingerprint string `json:"fingerprint"`
	}{}

	err = c.Decode(&authData)
	if err != nil {
		return err
	}

	if len(authData.Token) == 0 || len(authData.Fingerprint) == 0 {
		return fmt.Errorf("invalid authentication data")
	}

	// Parse the authentication data.
	userID, key, token, err := parseAuthToken(authData.Token)
	if err != nil {
		return err
	}

	// Obtain the user.
	user, err := GetUser(userID)
	if err != nil {
		return err
	}

	// Debug log.
	log.L.WithFields(logrus.Fields{
		"remoteAddress": s.RemoteAddr(),
		"user":          user.Username,
		"userID":        user.ID,
	}).Debugf("auth: authentication request")

	// Check if the authenticated sessions map is nil.
	if user.AuthSessions == nil {
		return fmt.Errorf("invalid authentication data")
	}

	// Obtain the authenticated session value.
	as, ok := user.AuthSessions[key]
	if !ok {
		return fmt.Errorf("invalid authentication data")
	}

	// Get the current time.
	timeNow := time.Now()

	// Check if the maximum age is reached.
	if as.Created.Add(authSessionMaxAge).Before(timeNow) {
		return fmt.Errorf("authenticated user session expired: max age reached")
	}

	// Compare the tokens in a constant time span.
	if subtle.ConstantTimeCompare([]byte(as.Token), []byte(token)) != 1 {
		return fmt.Errorf("invalid authentication token")
	}

	// Compare the fingerprints.
	err = comparePasswordHash(as.Fingerprint, authData.Fingerprint)
	if err != nil {
		return fmt.Errorf("invalid fingerprint: %v", err)
	}

	// Hint: Authentication success.
	// -----------------------------

	// Update the timestamps.
	user.LastLogin = timeNow
	as.LastAuth = timeNow

	// If the token is expired, then create a new token.
	// This ensures an authentication token rotation.
	var authToken string
	if as.TokenCreated.Add(authSessionTokenLifetime).Before(timeNow) {
		// Create a new random token.
		as.Token = utils.RandomString(authSessionTokenLength)
		as.TokenCreated = timeNow

		// Create a new encrypted authentication token.
		authToken, err = newAuthToken(user.ID, key, as.Token)
		if err != nil {
			return err
		}

		// Debug log.
		log.L.WithFields(logrus.Fields{
			"remoteAddress": s.RemoteAddr(),
			"user":          user.Username,
			"userID":        user.ID,
		}).Debugf("auth: authentication token rotated")
	}

	// Update the user in the database.
	err = UpdateUser(user)
	if err != nil {
		return err
	}

	// Get or create the auth socket value.
	av := getAuthSocketValue(s)
	if av == nil {
		return fmt.Errorf("failed to create auth socket value for socket")
	}

	// Stop the logout timer if present.
	if av.reauthTimer != nil {
		av.reauthTimer.Stop()
	}

	// Update the auth socket value.
	av.isAuth = true
	av.authSessionKey = key
	av.userID = user.ID

	// Clear the cache.
	clearCache(s)

	// Create the respond data.
	data := struct {
		Token string `json:"token"`
		User  *User  `json:"user"`
	}{
		Token: authToken,
		User:  user,
	}

	// Set it.
	c.Data(data)

	// Debug log.
	log.L.WithFields(logrus.Fields{
		"remoteAddress": s.RemoteAddr(),
		"user":          user.Username,
		"userID":        user.ID,
	}).Debugf("auth: authentication success")

	return nil
}
Пример #2
0
func login(c *bitmonster.Context) error {
	// Obtain the authentication data from the context.
	loginData := struct {
		Username    string `json:"username"`
		Password    string `json:"password"`
		Fingerprint string `json:"fingerprint"`
	}{}

	err := c.Decode(&loginData)
	if err != nil {
		return err
	}

	if len(loginData.Username) == 0 || len(loginData.Password) == 0 || len(loginData.Fingerprint) == 0 {
		c.Error("invalid login credentials")
		return nil
	}

	// Get the user by the username.
	user, err := GetUserByUsername(loginData.Username)
	if err != nil {
		c.Error("invalid login credentials")
		return nil
	}

	// Compare the password.
	if match := user.ComparePasswords(loginData.Password); !match {
		c.Error("invalid login credentials")
		return nil
	}

	// Update the last login timestamp.
	timeNow := time.Now()
	user.LastLogin = timeNow

	// Handle the fingerprint like a password.
	fingerprint, err := hashPassword(loginData.Fingerprint)
	if err != nil {
		return err
	}

	// Create the map if nil.
	if user.AuthSessions == nil {
		user.AuthSessions = make(AuthSessions)
	}

	// Remove the oldest sessions if the maximum count of sessions is reached.
	// Included endless-loop prevention. Just to be sure.
	for i := 0; i < 100 && len(user.AuthSessions) >= maxAuthSessions; i++ {
		minTime := timeNow
		var minKey string
		for key, as := range user.AuthSessions {
			if as.LastAuth.Before(minTime) {
				minTime = as.LastAuth
				minKey = key
			}
		}
		delete(user.AuthSessions, minKey)
	}

	// Create a new authenticated session.
	as := &AuthSession{
		Fingerprint:  fingerprint,
		Token:        utils.RandomString(authSessionTokenLength),
		TokenCreated: timeNow,
		Created:      timeNow,
		LastAuth:     timeNow,
	}

	// Create a new unique key for it.
	key := utils.RandomString(authSessionKeyLength)
	for {
		if _, ok := user.AuthSessions[key]; !ok {
			break
		}
		key = utils.RandomString(authSessionKeyLength)
	}

	// Add it to the map with the key.
	user.AuthSessions[key] = as

	// Create a new encrypted authentication token.
	authToken, err := newAuthToken(user.ID, key, as.Token)
	if err != nil {
		return err
	}

	// Update the user in the database.
	err = UpdateUser(user)
	if err != nil {
		return err
	}

	// Create the respond data.
	data := struct {
		Token string `json:"token"`
	}{
		Token: authToken,
	}

	// Set it.
	c.Data(data)

	return nil
}