2023-11-22 17:26:21 +01:00
|
|
|
// Copyright 2023 The Forgejo Authors. All rights reserved.
|
2023-10-14 02:56:41 +02:00
|
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
|
|
|
|
package auth
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2023-11-22 17:26:21 +01:00
|
|
|
"crypto/sha256"
|
|
|
|
"encoding/hex"
|
|
|
|
"fmt"
|
|
|
|
"time"
|
2023-10-14 02:56:41 +02:00
|
|
|
|
|
|
|
"code.gitea.io/gitea/models/db"
|
|
|
|
"code.gitea.io/gitea/modules/timeutil"
|
|
|
|
"code.gitea.io/gitea/modules/util"
|
|
|
|
)
|
|
|
|
|
2024-08-11 05:13:01 +02:00
|
|
|
type AuthorizationPurpose string
|
|
|
|
|
|
|
|
var (
|
|
|
|
// Used to store long term authorization tokens.
|
|
|
|
LongTermAuthorization AuthorizationPurpose = "long_term_authorization"
|
|
|
|
|
|
|
|
// Used to activate a user account.
|
|
|
|
UserActivation AuthorizationPurpose = "user_activation"
|
|
|
|
|
|
|
|
// Used to reset the password.
|
|
|
|
PasswordReset AuthorizationPurpose = "password_reset"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Used to activate the specified email address for a user.
|
|
|
|
func EmailActivation(email string) AuthorizationPurpose {
|
|
|
|
return AuthorizationPurpose("email_activation:" + email)
|
|
|
|
}
|
|
|
|
|
2023-11-22 17:26:21 +01:00
|
|
|
// AuthorizationToken represents a authorization token to a user.
|
|
|
|
type AuthorizationToken struct {
|
|
|
|
ID int64 `xorm:"pk autoincr"`
|
|
|
|
UID int64 `xorm:"INDEX"`
|
|
|
|
LookupKey string `xorm:"INDEX UNIQUE"`
|
|
|
|
HashedValidator string
|
2024-11-16 10:53:46 +01:00
|
|
|
Purpose AuthorizationPurpose `xorm:"NOT NULL DEFAULT 'long_term_authorization'"`
|
2023-11-22 17:26:21 +01:00
|
|
|
Expiry timeutil.TimeStamp
|
|
|
|
}
|
2023-10-14 02:56:41 +02:00
|
|
|
|
2023-11-22 17:26:21 +01:00
|
|
|
// TableName provides the real table name.
|
|
|
|
func (AuthorizationToken) TableName() string {
|
|
|
|
return "forgejo_auth_token"
|
2023-10-14 02:56:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
func init() {
|
2023-11-22 17:26:21 +01:00
|
|
|
db.RegisterModel(new(AuthorizationToken))
|
2023-10-14 02:56:41 +02:00
|
|
|
}
|
|
|
|
|
2023-11-22 17:26:21 +01:00
|
|
|
// IsExpired returns if the authorization token is expired.
|
|
|
|
func (authToken *AuthorizationToken) IsExpired() bool {
|
|
|
|
return authToken.Expiry.AsLocalTime().Before(time.Now())
|
2023-10-14 02:56:41 +02:00
|
|
|
}
|
|
|
|
|
2023-11-22 17:26:21 +01:00
|
|
|
// GenerateAuthToken generates a new authentication token for the given user.
|
|
|
|
// It returns the lookup key and validator values that should be passed to the
|
|
|
|
// user via a long-term cookie.
|
2024-08-11 05:13:01 +02:00
|
|
|
func GenerateAuthToken(ctx context.Context, userID int64, expiry timeutil.TimeStamp, purpose AuthorizationPurpose) (lookupKey, validator string, err error) {
|
2023-11-22 17:26:21 +01:00
|
|
|
// Request 64 random bytes. The first 32 bytes will be used for the lookupKey
|
|
|
|
// and the other 32 bytes will be used for the validator.
|
|
|
|
rBytes, err := util.CryptoRandomBytes(64)
|
|
|
|
if err != nil {
|
|
|
|
return "", "", err
|
|
|
|
}
|
|
|
|
hexEncoded := hex.EncodeToString(rBytes)
|
|
|
|
validator, lookupKey = hexEncoded[64:], hexEncoded[:64]
|
2023-10-14 02:56:41 +02:00
|
|
|
|
2023-11-22 17:26:21 +01:00
|
|
|
_, err = db.GetEngine(ctx).Insert(&AuthorizationToken{
|
|
|
|
UID: userID,
|
|
|
|
Expiry: expiry,
|
|
|
|
LookupKey: lookupKey,
|
|
|
|
HashedValidator: HashValidator(rBytes[32:]),
|
2024-08-11 05:13:01 +02:00
|
|
|
Purpose: purpose,
|
2023-11-22 17:26:21 +01:00
|
|
|
})
|
|
|
|
return lookupKey, validator, err
|
|
|
|
}
|
|
|
|
|
|
|
|
// FindAuthToken will find a authorization token via the lookup key.
|
2024-08-11 05:13:01 +02:00
|
|
|
func FindAuthToken(ctx context.Context, lookupKey string, purpose AuthorizationPurpose) (*AuthorizationToken, error) {
|
2023-11-22 17:26:21 +01:00
|
|
|
var authToken AuthorizationToken
|
2024-08-11 05:13:01 +02:00
|
|
|
has, err := db.GetEngine(ctx).Where("lookup_key = ? AND purpose = ?", lookupKey, purpose).Get(&authToken)
|
2023-10-14 02:56:41 +02:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
2023-11-22 17:26:21 +01:00
|
|
|
} else if !has {
|
|
|
|
return nil, fmt.Errorf("lookup key %q: %w", lookupKey, util.ErrNotExist)
|
2023-10-14 02:56:41 +02:00
|
|
|
}
|
2023-11-22 17:26:21 +01:00
|
|
|
return &authToken, nil
|
2023-10-14 02:56:41 +02:00
|
|
|
}
|
|
|
|
|
2023-11-22 17:26:21 +01:00
|
|
|
// DeleteAuthToken will delete the authorization token.
|
|
|
|
func DeleteAuthToken(ctx context.Context, authToken *AuthorizationToken) error {
|
|
|
|
_, err := db.DeleteByBean(ctx, authToken)
|
2023-10-14 02:56:41 +02:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2023-11-22 17:26:21 +01:00
|
|
|
// DeleteAuthTokenByUser will delete all authorization tokens for the user.
|
|
|
|
func DeleteAuthTokenByUser(ctx context.Context, userID int64) error {
|
|
|
|
if userID == 0 {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err := db.DeleteByBean(ctx, &AuthorizationToken{UID: userID})
|
2023-10-14 02:56:41 +02:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2023-11-22 17:26:21 +01:00
|
|
|
// HashValidator will return a hexified hashed version of the validator.
|
|
|
|
func HashValidator(validator []byte) string {
|
|
|
|
h := sha256.New()
|
|
|
|
h.Write(validator)
|
|
|
|
return hex.EncodeToString(h.Sum(nil))
|
2023-10-14 02:56:41 +02:00
|
|
|
}
|