started moving oauth to current authentication

README.md

@@ -137,7 +137,7 @@ security:
 For [basic authentication](https://de.wikipedia.org/wiki/HTTP-Authentifizierung) you have to provide your username and password in each request to the server. For example in curl you can do this with the `--user` flag:
 
 ```bash
-curl --username myusername:totalysecretpassword
+curl -u myusername:totalysecretpassword
 ```
 
 #### Oauth 2

cmd/pushbits/main.go

@@ -60,7 +60,7 @@ func main() {
 		log.Fatal(err)
 	}
 
-	engine := router.Create(c.Debug, cm, db, dp, c.Security.Authentication)
+	engine := router.Create(c.Debug, cm, db, dp, c.Authentication)
 
 	runner.Run(engine, c.HTTP.ListenAddress, c.HTTP.Port)
 }

config.example.yml

@@ -47,8 +47,6 @@ matrix:
 security:
     # Wether or not to check for weak passwords using HIBP.
     checkhibp: false
-    # The authentication method to use
-    authentication: basic
 
 crypto:
     # Configuration of the KDF for password storage. Do not change unless you know what you are doing!
@@ -62,3 +60,12 @@ crypto:
 formatting: 
     # Whether to use colored titles based on the message priority (<0: grey, 0-3: default, 4-10: yellow, 10-20: orange, >20: red).
     coloredtitle: false
+
+authentication:
+    # The authentication method to use
+    method: basic
+    oauth:
+        # The storage used for tokens
+        storage: "file"
+        # The connection to the storage
+        connection: "pushbits_token.db"

internal/api/middleware.go

@@ -1,7 +1,13 @@
 package api
 
 import (
+	"fmt"
+	"log"
+
 	"github.com/gin-gonic/gin"
+	"gopkg.in/oauth2.v3"
+
+	ginserver "github.com/go-oauth2/gin-server"
 )
 
 type idInURI struct {
@@ -20,3 +26,16 @@ func RequireIDInURI() gin.HandlerFunc {
 		ctx.Set("id", requestModel.ID)
 	}
 }
+
+// RequireIDFromToken returns a Gin middleware which requires an ID to be supplied by the oauth token
+func RequireIDFromToken() gin.HandlerFunc {
+	return func(ctx *gin.Context) {
+		ti, exists := ctx.Get(ginserver.DefaultConfig.TokenKey)
+		ti2, ok := ti.(oauth2.TokenInfo)
+		log.Println(fmt.Sprintf("USER ID: %s", ti2.GetUserID()))
+		if exists && ok {
+			ctx.Set("id", ti2.GetUserID)
+			return
+		}
+	}
+}

internal/authentication/authentication.go

@@ -3,9 +3,13 @@ package authentication
 import (
 	"errors"
 	"net/http"
+	"strconv"
 
+	ginserver "github.com/go-oauth2/gin-server"
 	"github.com/pushbits/server/internal/authentication/credentials"
+	"github.com/pushbits/server/internal/configuration"
 	"github.com/pushbits/server/internal/model"
+	"gopkg.in/oauth2.v3"
 
 	"github.com/gin-gonic/gin"
 )
@@ -18,11 +22,13 @@ const (
 type Database interface {
 	GetApplicationByToken(token string) (*model.Application, error)
 	GetUserByName(name string) (*model.User, error)
+	GetUserByID(id uint) (*model.User, error)
 }
 
 // Authenticator is the provider for authentication middleware.
 type Authenticator struct {
-	DB Database
+	DB     Database
+	Config configuration.Authentication
 }
 
 type hasUserProperty func(user *model.User) bool
@@ -41,9 +47,42 @@ func (a *Authenticator) userFromBasicAuth(ctx *gin.Context) (*model.User, error)
 	return nil, errors.New("no credentials were supplied")
 }
 
+func (a *Authenticator) userFromToken(ctx *gin.Context) (*model.User, error) {
+	ti, exists := ctx.Get(ginserver.DefaultConfig.TokenKey)
+	if !exists {
+		return nil, errors.New("No token available")
+	}
+
+	token, ok := ti.(oauth2.TokenInfo)
+	if !ok {
+		return nil, errors.New("Wrong token format")
+	}
+
+	userID, err := strconv.ParseUint(token.GetUserID(), 10, 64)
+	if err != nil {
+		return nil, errors.New("User information of wrong format")
+	}
+
+	user, err := a.DB.GetUserByID(uint(userID))
+	if err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}
+
 func (a *Authenticator) requireUserProperty(has hasUserProperty) gin.HandlerFunc {
 	return func(ctx *gin.Context) {
-		user, err := a.userFromBasicAuth(ctx)
+		var user *model.User
+		err := errors.New("No authentication method")
+
+		switch a.Config.Method {
+		case "oauth":
+			user, err = a.userFromToken(ctx)
+		default:
+			user, err = a.userFromBasicAuth(ctx)
+		}
+
 		if err != nil {
 			ctx.AbortWithError(http.StatusForbidden, err)
 			return
@@ -104,3 +143,16 @@ func (a *Authenticator) RequireApplicationToken() gin.HandlerFunc {
 		ctx.Set("app", app)
 	}
 }
+
+// RequireValidAuthentication returns a Gin middleware which requires a valid authentication
+func (a *Authenticator) RequireValidAuthentication() gin.HandlerFunc {
+	switch a.Config.Method {
+	case "oauth":
+		return ginserver.HandleTokenVerify() // TODO cubicroot move to own config and set error handler to display same errors as for basic auth
+	default:
+		// TODO cubicroot: not very nice to have duplicated code here - but we need the HandleTokenVerify somewhere
+		return a.requireUserProperty(func(user *model.User) bool {
+			return true
+		})
+	}
+}

internal/authentication/oauth/init.go

@@ -4,40 +4,49 @@ import (
 	ginserver "github.com/go-oauth2/gin-server"
 	mysql "github.com/imrenagi/go-oauth2-mysql"
 	"github.com/jmoiron/sqlx"
+
+	"github.com/pushbits/server/internal/configuration"
 	"github.com/pushbits/server/internal/database"
 
 	"gopkg.in/oauth2.v3/manage"
 	"gopkg.in/oauth2.v3/models"
 	"gopkg.in/oauth2.v3/server"
 
+	"errors"
 	"log"
 )
 
 // InitializeOauth sets up the basics for oauth authentication
-func InitializeOauth(db *database.Database) error {
-	// Initialize the database
-	dbOauth, err := sqlx.Connect("mysql", "?parseTime=true") // TODO cubicroot add more options and move to settings
-	if err != nil {
-		log.Fatal(err)
+func InitializeOauth(db *database.Database, config configuration.Authentication) error {
+	// TODO cubicroot move that to the authenticator?
+	manager := manage.NewDefaultManager()
+
+	if config.Oauth.Storage == "mysql" {
+		dbOauth, err := sqlx.Connect("mysql", config.Oauth.Connection+"?parseTime=true") // TODO cubicroot add more options and move to settings
+		if err != nil {
+			log.Fatal(err)
+		}
+
+		manager.MustTokenStorage(mysql.NewTokenStore(dbOauth))
+
+		clientStore, _ := mysql.NewClientStore(dbOauth, mysql.WithClientStoreTableName("oauth_clients"))
+		manager.MapClientStorage(clientStore)
+
+		// TODO cubicroot better only store the secret as hashed value and autogenerate?
+		clientStore.Create(&models.Client{
+			ID:     "000000",
+			Secret: "999999",
+			Domain: "http://localhost",
+		})
+	} else {
+		// TODO cubicroot add more storage options
+		return errors.New("Unknown oauth storage")
 	}
 
 	auth := Authenticator{
 		DB: db,
 	}
 
-	manager := manage.NewDefaultManager()
-	manager.MustTokenStorage(mysql.NewTokenStore(dbOauth))
-
-	clientStore, _ := mysql.NewClientStore(dbOauth, mysql.WithClientStoreTableName("oauth_clients"))
-	manager.MapClientStorage(clientStore)
-
-	// TODO cubicroot move to settings
-	clientStore.Create(&models.Client{
-		ID:     "000000",
-		Secret: "999999",
-		Domain: "http://localhost",
-	})
-
 	ginserver.InitServer(manager)
 	ginserver.SetAllowGetAccessRequest(true)
 	ginserver.SetClientInfoHandler(server.ClientFormHandler)

internal/configuration/configuration.go

@@ -23,6 +23,18 @@ type Formatting struct {
 	ColoredTitle bool `default:"false"`
 }
 
+// Authentication holds the settings for the oauth server
+type Authentication struct {
+	Method string `default:"basic"`
+	Oauth  Oauth
+}
+
+// Oauth holds information about the oauth server
+type Oauth struct {
+	Connection string `default:""`
+	Storage    string `default:"file"`
+}
+
 // Configuration holds values that can be configured by the user.
 type Configuration struct {
 	Debug bool `default:"false"`
@@ -45,11 +57,11 @@ type Configuration struct {
 		Password   string `required:"true"`
 	}
 	Security struct {
-		CheckHIBP      bool   `default:"false"`
-		Authentication string `default:"basic"`
+		CheckHIBP bool `default:"false"`
 	}
-	Crypto     CryptoConfig
-	Formatting Formatting
+	Crypto         CryptoConfig
+	Formatting     Formatting
+	Authentication Authentication
 }
 
 func configFiles() []string {

internal/router/router.go

@@ -7,6 +7,7 @@ import (
 	"github.com/pushbits/server/internal/authentication"
 	"github.com/pushbits/server/internal/authentication/credentials"
 	"github.com/pushbits/server/internal/authentication/oauth"
+	"github.com/pushbits/server/internal/configuration"
 	"github.com/pushbits/server/internal/database"
 	"github.com/pushbits/server/internal/dispatcher"
 
@@ -16,14 +17,17 @@ import (
 )
 
 // Create a Gin engine and setup all routes.
-func Create(debug bool, cm *credentials.Manager, db *database.Database, dp *dispatcher.Dispatcher, authMethod string) *gin.Engine {
+func Create(debug bool, cm *credentials.Manager, db *database.Database, dp *dispatcher.Dispatcher, authConfig configuration.Authentication) *gin.Engine {
 	log.Println("Setting up HTTP routes.")
 
 	if !debug {
 		gin.SetMode(gin.ReleaseMode)
 	}
 
-	auth := authentication.Authenticator{DB: db}
+	auth := authentication.Authenticator{
+		DB:     db,
+		Config: authConfig,
+	}
 
 	applicationHandler := api.ApplicationHandler{DB: db, DP: dp}
 	healthHandler := api.HealthHandler{DB: db}
@@ -36,8 +40,8 @@ func Create(debug bool, cm *credentials.Manager, db *database.Database, dp *disp
 	// Example from the library: https://github.com/go-oauth2/oauth2/blob/master/example/server/server.go
 	// Good Tutorial: https://tutorialedge.net/golang/go-oauth2-tutorial/
 
-	if authMethod == "oauth" {
-		oauth.InitializeOauth(db)
+	if authConfig.Method == "oauth" {
+		oauth.InitializeOauth(db, authConfig)
 
 		oauthGroup := r.Group("/oauth2")
 		{
@@ -48,17 +52,20 @@ func Create(debug bool, cm *credentials.Manager, db *database.Database, dp *disp
 		}
 
 		// TODO cubicroot remove - currently only for testing
-		api := r.Group("/oauthtest")
+		oauthtest := r.Group("/oauthtest")
+
+		oauthtest.Use(auth.RequireValidAuthentication())
+		oauthtest.Use(auth.RequireUser())
 		{
-			api.Use(ginserver.HandleTokenVerify())
-			api.GET("/info", func(c *gin.Context) {
+			oauthtest.GET("/info", func(c *gin.Context) {
 				ti, exists := c.Get(ginserver.DefaultConfig.TokenKey)
 				if exists {
 					c.JSON(200, ti)
 					return
 				}
 				c.String(200, "not found")
 			})
+			oauthtest.GET("", api.RequireIDFromToken(), applicationHandler.GetApplications)
 		}
 	} else {
 		// TODO cubicroot add other auth methods here