storj/satellite/console/consoleauth/service.go

// Copyright (C) 2022 Storj Labs, Inc.
// See LICENSE for copying information.

package consoleauth

import (
	"context"
	"crypto/subtle"
	"encoding/base64"
	"time"

	"github.com/spacemonkeygo/monkit/v3"

	"storj.io/common/uuid"
)

var mon = monkit.Package()

// Config contains configuration parameters for console auth.
type Config struct {
	TokenExpirationTime time.Duration `help:"expiration time for account recovery and activation tokens" default:"30m"`
}

// Service handles creating, signing, and checking the expiration of auth tokens.
type Service struct {
	config Config
	Signer
}

// NewService creates a new consoleauth service.
func NewService(config Config, signer Signer) *Service {
	return &Service{
		config: config,
		Signer: signer,
	}
}

// Signer creates signature for provided data.
type Signer interface {
	Sign(data []byte) ([]byte, error)
}

// CreateToken creates a new auth token.
func (s *Service) CreateToken(ctx context.Context, id uuid.UUID, email string) (_ string, err error) {
	defer mon.Task()(&ctx)(&err)
	claims := &Claims{
		ID:         id,
		Expiration: time.Now().Add(s.config.TokenExpirationTime),
	}
	if email != "" {
		claims.Email = email
	}

	return s.createToken(ctx, claims)
}

// createToken creates string representation.
func (s *Service) createToken(ctx context.Context, claims *Claims) (_ string, err error) {
	defer mon.Task()(&ctx)(&err)

	json, err := claims.JSON()
	if err != nil {
		return "", err
	}

	token := Token{Payload: json}
	signature, err := s.SignToken(token)
	if err != nil {
		return "", err
	}
	token.Signature = signature

	return token.String(), nil
}

// SignToken returns token signature.
func (s *Service) SignToken(token Token) ([]byte, error) {
	encoded := base64.URLEncoding.EncodeToString(token.Payload)

	signature, err := s.Signer.Sign([]byte(encoded))
	if err != nil {
		return nil, err
	}

	return signature, nil
}

// ValidateToken determines token validity using its signature.
func (s *Service) ValidateToken(token Token) (bool, error) {
	signature, err := s.SignToken(token)
	if err != nil {
		return false, err
	}

	return subtle.ConstantTimeCompare(signature, token.Signature) == 1, nil
}

// IsExpired returns whether token is expired.
func (s *Service) IsExpired(now, tokenCreatedAt time.Time) bool {
	return now.Sub(tokenCreatedAt) > s.config.TokenExpirationTime
}
satellite/console: create new consoleauth service We want to send email verification reminders to users from the satellite core, but some of the functionality required to do so exists in the satellite console service. We could simply import the console service into the core to achieve this, but the service requires a lot of dependencies that would go unused just to be able to send these emails. Instead, we break out the needed functionality into a new service which can be imported separately by the console service and the future email chore. The consoleauth service creates, signs, and checks the expiration of auth tokens. Change-Id: I2ad794b7fd256f8af24c1a8d73a203d508069078 2022-04-19 21:50:15 +01:00			`// Copyright (C) 2022 Storj Labs, Inc.`
			`// See LICENSE for copying information.`

			`package consoleauth`

			`import (`
			`"context"`
satellite/console: integrate sessions into satellite UI This change integrates the session management database functionality with the web application. Claim-based authentication has been removed in favor of session token-based authentication. Change-Id: I62a4f5354a3ed8ca80272814aad2448f901eab1b 2022-06-05 23:41:38 +01:00			`"crypto/subtle"`
satellite/console: create new consoleauth service We want to send email verification reminders to users from the satellite core, but some of the functionality required to do so exists in the satellite console service. We could simply import the console service into the core to achieve this, but the service requires a lot of dependencies that would go unused just to be able to send these emails. Instead, we break out the needed functionality into a new service which can be imported separately by the console service and the future email chore. The consoleauth service creates, signs, and checks the expiration of auth tokens. Change-Id: I2ad794b7fd256f8af24c1a8d73a203d508069078 2022-04-19 21:50:15 +01:00			`"encoding/base64"`
			`"time"`

			`"github.com/spacemonkeygo/monkit/v3"`

			`"storj.io/common/uuid"`
			`)`

			`var mon = monkit.Package()`

			`// Config contains configuration parameters for console auth.`
			`type Config struct {`
satellite/{web,console}: token links expiry changes This change reduces the token links expiry time from 24h to 30m and improves the UI to promt users of the expiration. see: https://github.com/storj/storj-private/issues/17 Change-Id: Iac00f5740fa84069937fdf9bd30a739b6db2a9e0 2022-10-11 22:36:29 +01:00			TokenExpirationTime time.Duration `help:"expiration time for account recovery and activation tokens" default:"30m"`
satellite/console: create new consoleauth service We want to send email verification reminders to users from the satellite core, but some of the functionality required to do so exists in the satellite console service. We could simply import the console service into the core to achieve this, but the service requires a lot of dependencies that would go unused just to be able to send these emails. Instead, we break out the needed functionality into a new service which can be imported separately by the console service and the future email chore. The consoleauth service creates, signs, and checks the expiration of auth tokens. Change-Id: I2ad794b7fd256f8af24c1a8d73a203d508069078 2022-04-19 21:50:15 +01:00			`}`

			`// Service handles creating, signing, and checking the expiration of auth tokens.`
			`type Service struct {`
			`config Config`
			`Signer`
			`}`

			`// NewService creates a new consoleauth service.`
			`func NewService(config Config, signer Signer) *Service {`
			`return &Service{`
			`config: config,`
			`Signer: signer,`
			`}`
			`}`

			`// Signer creates signature for provided data.`
			`type Signer interface {`
			`Sign(data []byte) ([]byte, error)`
			`}`

			`// CreateToken creates a new auth token.`
			`func (s *Service) CreateToken(ctx context.Context, id uuid.UUID, email string) (_ string, err error) {`
			`defer mon.Task()(&ctx)(&err)`
			`claims := &Claims{`
			`ID: id,`
			`Expiration: time.Now().Add(s.config.TokenExpirationTime),`
			`}`
			`if email != "" {`
			`claims.Email = email`
			`}`

			`return s.createToken(ctx, claims)`
			`}`

			`// createToken creates string representation.`
			`func (s Service) createToken(ctx context.Context, claims Claims) (_ string, err error) {`
			`defer mon.Task()(&ctx)(&err)`

			`json, err := claims.JSON()`
			`if err != nil {`
			`return "", err`
			`}`

			`token := Token{Payload: json}`
satellite/console: integrate sessions into satellite UI This change integrates the session management database functionality with the web application. Claim-based authentication has been removed in favor of session token-based authentication. Change-Id: I62a4f5354a3ed8ca80272814aad2448f901eab1b 2022-06-05 23:41:38 +01:00			`signature, err := s.SignToken(token)`
satellite/console: create new consoleauth service We want to send email verification reminders to users from the satellite core, but some of the functionality required to do so exists in the satellite console service. We could simply import the console service into the core to achieve this, but the service requires a lot of dependencies that would go unused just to be able to send these emails. Instead, we break out the needed functionality into a new service which can be imported separately by the console service and the future email chore. The consoleauth service creates, signs, and checks the expiration of auth tokens. Change-Id: I2ad794b7fd256f8af24c1a8d73a203d508069078 2022-04-19 21:50:15 +01:00			`if err != nil {`
			`return "", err`
			`}`
satellite/console: integrate sessions into satellite UI This change integrates the session management database functionality with the web application. Claim-based authentication has been removed in favor of session token-based authentication. Change-Id: I62a4f5354a3ed8ca80272814aad2448f901eab1b 2022-06-05 23:41:38 +01:00			`token.Signature = signature`
satellite/console: create new consoleauth service We want to send email verification reminders to users from the satellite core, but some of the functionality required to do so exists in the satellite console service. We could simply import the console service into the core to achieve this, but the service requires a lot of dependencies that would go unused just to be able to send these emails. Instead, we break out the needed functionality into a new service which can be imported separately by the console service and the future email chore. The consoleauth service creates, signs, and checks the expiration of auth tokens. Change-Id: I2ad794b7fd256f8af24c1a8d73a203d508069078 2022-04-19 21:50:15 +01:00
			`return token.String(), nil`
			`}`

satellite/console: integrate sessions into satellite UI This change integrates the session management database functionality with the web application. Claim-based authentication has been removed in favor of session token-based authentication. Change-Id: I62a4f5354a3ed8ca80272814aad2448f901eab1b 2022-06-05 23:41:38 +01:00			`// SignToken returns token signature.`
			`func (s *Service) SignToken(token Token) ([]byte, error) {`
satellite/console: create new consoleauth service We want to send email verification reminders to users from the satellite core, but some of the functionality required to do so exists in the satellite console service. We could simply import the console service into the core to achieve this, but the service requires a lot of dependencies that would go unused just to be able to send these emails. Instead, we break out the needed functionality into a new service which can be imported separately by the console service and the future email chore. The consoleauth service creates, signs, and checks the expiration of auth tokens. Change-Id: I2ad794b7fd256f8af24c1a8d73a203d508069078 2022-04-19 21:50:15 +01:00			`encoded := base64.URLEncoding.EncodeToString(token.Payload)`

			`signature, err := s.Signer.Sign([]byte(encoded))`
			`if err != nil {`
satellite/console: integrate sessions into satellite UI This change integrates the session management database functionality with the web application. Claim-based authentication has been removed in favor of session token-based authentication. Change-Id: I62a4f5354a3ed8ca80272814aad2448f901eab1b 2022-06-05 23:41:38 +01:00			`return nil, err`
satellite/console: create new consoleauth service We want to send email verification reminders to users from the satellite core, but some of the functionality required to do so exists in the satellite console service. We could simply import the console service into the core to achieve this, but the service requires a lot of dependencies that would go unused just to be able to send these emails. Instead, we break out the needed functionality into a new service which can be imported separately by the console service and the future email chore. The consoleauth service creates, signs, and checks the expiration of auth tokens. Change-Id: I2ad794b7fd256f8af24c1a8d73a203d508069078 2022-04-19 21:50:15 +01:00			`}`

satellite/console: integrate sessions into satellite UI This change integrates the session management database functionality with the web application. Claim-based authentication has been removed in favor of session token-based authentication. Change-Id: I62a4f5354a3ed8ca80272814aad2448f901eab1b 2022-06-05 23:41:38 +01:00			`return signature, nil`
			`}`

			`// ValidateToken determines token validity using its signature.`
			`func (s *Service) ValidateToken(token Token) (bool, error) {`
			`signature, err := s.SignToken(token)`
			`if err != nil {`
			`return false, err`
			`}`

			`return subtle.ConstantTimeCompare(signature, token.Signature) == 1, nil`
satellite/console: create new consoleauth service We want to send email verification reminders to users from the satellite core, but some of the functionality required to do so exists in the satellite console service. We could simply import the console service into the core to achieve this, but the service requires a lot of dependencies that would go unused just to be able to send these emails. Instead, we break out the needed functionality into a new service which can be imported separately by the console service and the future email chore. The consoleauth service creates, signs, and checks the expiration of auth tokens. Change-Id: I2ad794b7fd256f8af24c1a8d73a203d508069078 2022-04-19 21:50:15 +01:00			`}`

			`// IsExpired returns whether token is expired.`
			`func (s *Service) IsExpired(now, tokenCreatedAt time.Time) bool {`
			`return now.Sub(tokenCreatedAt) > s.config.TokenExpirationTime`
			`}`