Merge pull request #3 from zekroTJA/dev

release 1.3.0

Author: zekroTJA

config/insomnia/insomnia-export.json

@@ -38,6 +38,11 @@ type Middleware interface {
 	DeleteSession(key string, sessionID snowflake.ID) error
 	CleanupExpiredSessions() error
 
+	SetAPIToken(token *objects.APIToken) error
+	GetAPIToken(uID snowflake.ID) (*objects.APIToken, error)
+	ResetAPIToken(uID snowflake.ID) error
+	VerifyAPIToken(tokenStr string) (*objects.User, error)
+
 	SetShare(share *objects.SharePage) error
 	GetShare(ident string, uid, pageID snowflake.ID) (*objects.SharePage, error)
 	DeleteShare(ident string, uid, pageID snowflake.ID) error

docs/restapi-docs.md

@@ -37,6 +37,7 @@ type collections struct {
 	users,
 	pages,
 	sessions,
+	apitokens,
 	shares *mongo.Collection
 }
 
@@ -63,10 +64,11 @@ func (m *MongoDB) Connect(params interface{}) (err error) {
 	m.db = m.client.Database(cfg.DataDB)
 
 	m.collections = &collections{
-		users:    m.db.Collection("users"),
-		pages:    m.db.Collection("pages"),
-		sessions: m.db.Collection("sessions"),
-		shares:   m.db.Collection("shares"),
+		users:     m.db.Collection("users"),
+		pages:     m.db.Collection("pages"),
+		sessions:  m.db.Collection("sessions"),
+		shares:    m.db.Collection("shares"),
+		apitokens: m.db.Collection("apitokens"),
 	}
 
 	return err
@@ -313,6 +315,34 @@ func (m *MongoDB) CleanupExpiredSessions() error {
 	return err
 }
 
+func (m *MongoDB) SetAPIToken(token *objects.APIToken) error {
+	return m.insertOrUpdate(m.collections.apitokens, &bson.M{"userid": token.UserID}, token)
+}
+
+func (m *MongoDB) GetAPIToken(uID snowflake.ID) (*objects.APIToken, error) {
+	token := new(objects.APIToken)
+	ok, err := m.get(m.collections.apitokens, bson.M{"userid": uID}, token)
+	if err != nil || !ok {
+		return nil, err
+	}
+	return token, nil
+}
+
+func (m *MongoDB) ResetAPIToken(uID snowflake.ID) error {
+	_, err := m.collections.apitokens.DeleteOne(ctxTimeout(5*time.Second), bson.M{"userid": uID})
+	return err
+}
+
+func (m *MongoDB) VerifyAPIToken(tokenStr string) (*objects.User, error) {
+	token := new(objects.APIToken)
+	ok, err := m.get(m.collections.apitokens, bson.M{"token": tokenStr}, token)
+	if err != nil || !ok {
+		return nil, err
+	}
+
+	return m.GetUser(token.UserID, "")
+}
+
 func (m *MongoDB) SetShare(share *objects.SharePage) error {
 	return m.insertOrUpdate(m.collections.shares, bson.M{
 		"$or": bson.A{

internal/database/middleware.go

@@ -0,0 +1,13 @@
+package objects
+
+import (
+	"time"
+
+	"github.com/bwmarrin/snowflake"
+)
+
+type APIToken struct {
+	UserID  snowflake.ID `json:"userid"`
+	Token   string       `json:"token"`
+	Created time.Time    `json:"created"`
+}

internal/database/mongodb.go

@@ -17,7 +17,10 @@ import (
 )
 
 const (
+	attemptLimit          = 5 * time.Minute
+	attemptBurst          = 5
 	defCost               = 12
+	apiTokenLength        = 64
 	sessionKeyLength      = 128
 	sessionExpireDefault  = 2 * time.Hour
 	sessionExpireRemember = 30 * 24 * time.Hour
@@ -26,8 +29,10 @@ const (
 var (
 	errBadRequest   = errors.New("bad request")
 	errUnauthorized = errors.New("unauthorized")
+	errRateLimited  = errors.New("rate limited")
 
-	setCookieHeader = []byte("Set-Cookie")
+	setCookieHeader     = []byte("Set-Cookie")
+	authorizationHeader = []byte("Authorization")
 )
 
 type loginRequest struct {
@@ -37,12 +42,14 @@ type loginRequest struct {
 }
 
 type Authorization struct {
-	db database.Middleware
+	db  database.Middleware
+	rlm *RateLimitManager
 }
 
-func NewAuthorization(db database.Middleware) (auth *Authorization) {
+func NewAuthorization(db database.Middleware, rlm *RateLimitManager) (auth *Authorization) {
 	auth = new(Authorization)
 	auth.db = db
+	auth.rlm = rlm
 	return
 }
 
@@ -64,15 +71,23 @@ func (auth *Authorization) Login(ctx *routing.Context) bool {
 		return jsonError(ctx, errBadRequest, fasthttp.StatusBadRequest) != nil
 	}
 
+	limiter := auth.rlm.GetLimiter(fmt.Sprintf("loginAttempt#%s", getIPAddr(ctx)), attemptLimit, attemptBurst)
+
+	if limiter.Tokens() <= 0 {
+		return jsonError(ctx, errRateLimited, fasthttp.StatusTooManyRequests) != nil
+	}
+
 	user, err := auth.db.GetUser(snowflake.ID(-1), strings.ToLower(login.UserName))
 	if err != nil {
 		return jsonError(ctx, err, fasthttp.StatusInternalServerError) != nil
 	}
 	if user == nil {
+		limiter.Allow()
 		return jsonError(ctx, errUnauthorized, fasthttp.StatusUnauthorized) != nil
 	}
 
 	if !auth.CheckHash(user.PassHash, []byte(login.Password)) {
+		limiter.Allow()
 		return jsonError(ctx, errUnauthorized, fasthttp.StatusUnauthorized) != nil
 	}
 
@@ -110,12 +125,31 @@ func (auth *Authorization) CreateSession(ctx *routing.Context, uid snowflake.ID,
 }
 
 func (auth *Authorization) CheckRequestAuth(ctx *routing.Context) error {
-	key := ctx.Request.Header.Cookie("__session")
-	if key == nil || len(key) == 0 {
-		return jsonError(ctx, errUnauthorized, fasthttp.StatusUnauthorized)
+	var user *objects.User
+	var err error
+	var keyStr string
+	var apiToken string
+
+	apiTokenB := ctx.Request.Header.PeekBytes(authorizationHeader)
+	if apiTokenB != nil && len(apiTokenB) > 0 {
+		apiToken := string(apiTokenB)
+		if !strings.HasPrefix(strings.ToLower(apiToken), "basic ") {
+			return jsonError(ctx, errUnauthorized, fasthttp.StatusUnauthorized)
+		}
+
+		apiToken = apiToken[6:]
+		user, err = auth.db.VerifyAPIToken(apiToken)
+	} else {
+		key := ctx.Request.Header.Cookie("__session")
+		if key == nil || len(key) == 0 {
+			return jsonError(ctx, errUnauthorized, fasthttp.StatusUnauthorized)
+		}
+
+		keyStr = string(key)
+
+		user, err = auth.db.GetSession(keyStr, getIPAddr(ctx))
 	}
 
-	user, err := auth.db.GetSession(string(key), getIPAddr(ctx))
 	if err != nil {
 		return jsonError(ctx, err, fasthttp.StatusInternalServerError)
 	}
@@ -124,6 +158,8 @@ func (auth *Authorization) CheckRequestAuth(ctx *routing.Context) error {
 	}
 
 	ctx.Set("user", user)
+	ctx.Set("sessionkey", keyStr)
+	ctx.Set("apitoken", apiToken)
 
 	return nil
 }

internal/objects/apitoken.go

@@ -5,6 +5,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/zekroTJA/myrunes/pkg/random"
+
 	"github.com/bwmarrin/snowflake"
 	"github.com/qiangxue/fasthttp-routing"
 	"github.com/valyala/fasthttp"
@@ -286,17 +288,28 @@ func (ws *WebServer) handlerCheckUsername(ctx *routing.Context) error {
 
 func (ws *WebServer) handlerGetSessions(ctx *routing.Context) error {
 	user := ctx.Get("user").(*objects.User)
+	sessionKey := ctx.Get("sessionkey").(string)
 
 	sessions, err := ws.db.GetSessions(user.UID)
 	if err != nil {
 		return jsonError(ctx, err, fasthttp.StatusInternalServerError)
 	}
 
+	var currentSession *objects.Session
 	for _, s := range sessions {
+		if sessionKey == s.Key {
+			currentSession = s
+		}
 		s.Key = fmt.Sprintf("%s...%s", s.Key[:3], s.Key[len(s.Key)-3:])
 	}
 
-	return jsonResponse(ctx, listResponse{N: len(sessions), Data: sessions}, fasthttp.StatusOK)
+	return jsonResponse(ctx, sessionsResponse{
+		listResponse: listResponse{
+			N:    len(sessions),
+			Data: sessions,
+		},
+		CurrentlyConnectedID: currentSession.SessionID.String(),
+	}, fasthttp.StatusOK)
 }
 
 func (ws *WebServer) handlerDeleteSession(ctx *routing.Context) error {
@@ -544,3 +557,47 @@ func (ws *WebServer) handlerGetVersion(ctx *routing.Context) error {
 		"release": static.Release,
 	}, fasthttp.StatusOK)
 }
+
+func (ws *WebServer) handlerPostAPIToken(ctx *routing.Context) error {
+	user := ctx.Get("user").(*objects.User)
+	var err error
+	token := new(objects.APIToken)
+
+	if token.Token, err = random.GetRandBase64Str(apiTokenLength); err != nil {
+		return jsonError(ctx, err, fasthttp.StatusInternalServerError)
+	}
+
+	token.UserID = user.UID
+	token.Created = time.Now()
+
+	if err = ws.db.SetAPIToken(token); err != nil {
+		return jsonError(ctx, err, fasthttp.StatusInternalServerError)
+	}
+
+	return jsonResponse(ctx, token, fasthttp.StatusOK)
+}
+
+func (ws *WebServer) handlerGetAPIToken(ctx *routing.Context) error {
+	user := ctx.Get("user").(*objects.User)
+
+	token, err := ws.db.GetAPIToken(user.UID)
+	if err != nil {
+		return jsonError(ctx, err, fasthttp.StatusInternalServerError)
+	}
+
+	if token == nil {
+		return jsonError(ctx, errNotFound, fasthttp.StatusNotFound)
+	}
+
+	return jsonResponse(ctx, token, fasthttp.StatusOK)
+}
+
+func (ws *WebServer) handlerDeleteAPIToken(ctx *routing.Context) error {
+	user := ctx.Get("user").(*objects.User)
+
+	if err := ws.db.ResetAPIToken(user.UID); err != nil {
+		return jsonError(ctx, err, fasthttp.StatusInternalServerError)
+	}
+
+	return jsonResponse(ctx, nil, fasthttp.StatusOK)
+}

internal/webserver/auth.go

@@ -57,7 +57,11 @@ func jsonResponse(ctx *routing.Context, v interface{}, status int) error {
 			data = d
 		}
 	} else {
-		data, err = json.MarshalIndent(v, "", "  ")
+		if static.Release != "TRUE" {
+			data, err = json.MarshalIndent(v, "", "  ")
+		} else {
+			data, err = json.Marshal(v)
+		}
 		if err != nil {
 			return jsonError(ctx, err, fasthttp.StatusInternalServerError)
 		}

internal/webserver/handlers.go

@@ -53,7 +53,7 @@ func (rlm *RateLimitManager) GetHandler(limit time.Duration, burst int) routing.
 	rlh.handler = func(ctx *routing.Context) error {
 		limiterID := fmt.Sprintf("%d#%s",
 			rlh.id, getIPAddr(ctx))
-		ok, res := rlm.getLimiter(limiterID, limit, burst).Reserve()
+		ok, res := rlm.GetLimiter(limiterID, limit, burst).Reserve()
 
 		ctx.Response.Header.Set("X-RateLimit-Limit", fmt.Sprintf("%d", res.Burst))
 		ctx.Response.Header.Set("X-RateLimit-Remaining", fmt.Sprintf("%d", res.Remaining))
@@ -75,11 +75,11 @@ func (rlm *RateLimitManager) GetHandler(limit time.Duration, burst int) routing.
 	return rlh.handler
 }
 
-// getLimiter tries to get an existent limiter
+// GetLimiter tries to get an existent limiter
 // from the limiter map. If there is no limiter
 // existent for this address, a new limiter
 // will be created and added to the map.
-func (rlm *RateLimitManager) getLimiter(addr string, limit time.Duration, burst int) *ratelimit.Limiter {
+func (rlm *RateLimitManager) GetLimiter(addr string, limit time.Duration, burst int) *ratelimit.Limiter {
 	var ok bool
 	var limiter *ratelimit.Limiter
 

internal/webserver/helpers.go

@@ -33,3 +33,9 @@ type shareResponse struct {
 	Page  *objects.Page      `json:"page"`
 	User  *objects.User      `json:"user"`
 }
+
+type sessionsResponse struct {
+	listResponse
+
+	CurrentlyConnectedID string `json:"currentlyconnectedid"`
+}