2019-10-21 13:48:29 +01:00
|
|
|
// Copyright (C) 2019 Storj Labs, Inc.
|
|
|
|
// See LICENSE for copying information.
|
|
|
|
|
|
|
|
package consoleapi
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
2020-10-21 11:52:24 +01:00
|
|
|
"errors"
|
2023-01-23 19:23:32 +00:00
|
|
|
"html/template"
|
2019-10-21 13:48:29 +01:00
|
|
|
"net/http"
|
2022-01-19 23:45:35 +00:00
|
|
|
"regexp"
|
2022-02-18 12:52:23 +00:00
|
|
|
"strings"
|
2021-07-13 18:21:16 +01:00
|
|
|
"time"
|
2019-10-21 13:48:29 +01:00
|
|
|
|
2019-10-21 17:42:49 +01:00
|
|
|
"github.com/gorilla/mux"
|
|
|
|
"github.com/zeebo/errs"
|
2019-10-21 13:48:29 +01:00
|
|
|
"go.uber.org/zap"
|
|
|
|
|
2020-03-30 10:08:50 +01:00
|
|
|
"storj.io/common/uuid"
|
2019-11-14 19:46:15 +00:00
|
|
|
"storj.io/storj/private/post"
|
2021-06-25 12:17:55 +01:00
|
|
|
"storj.io/storj/private/web"
|
2021-03-23 15:52:34 +00:00
|
|
|
"storj.io/storj/satellite/analytics"
|
2019-10-21 13:48:29 +01:00
|
|
|
"storj.io/storj/satellite/console"
|
2022-11-18 16:25:31 +00:00
|
|
|
"storj.io/storj/satellite/console/consoleweb/consoleapi/utils"
|
2020-01-20 18:57:14 +00:00
|
|
|
"storj.io/storj/satellite/console/consoleweb/consolewebauth"
|
2019-10-21 13:48:29 +01:00
|
|
|
"storj.io/storj/satellite/mailservice"
|
|
|
|
)
|
|
|
|
|
2020-10-21 11:52:24 +01:00
|
|
|
var (
|
|
|
|
// ErrAuthAPI - console auth api error type.
|
2021-04-28 09:06:17 +01:00
|
|
|
ErrAuthAPI = errs.Class("consoleapi auth")
|
2020-10-21 11:52:24 +01:00
|
|
|
|
|
|
|
// errNotImplemented is the error value used by handlers of this package to
|
|
|
|
// response with status Not Implemented.
|
|
|
|
errNotImplemented = errs.New("not implemented")
|
2021-08-12 19:21:33 +01:00
|
|
|
|
|
|
|
// supportedCORSOrigins allows us to support visitors who sign up from the website.
|
|
|
|
supportedCORSOrigins = map[string]bool{
|
|
|
|
"https://storj.io": true,
|
|
|
|
"https://www.storj.io": true,
|
|
|
|
}
|
2020-10-21 11:52:24 +01:00
|
|
|
)
|
2019-10-21 17:42:49 +01:00
|
|
|
|
2019-10-21 13:48:29 +01:00
|
|
|
// Auth is an api controller that exposes all auth functionality.
|
|
|
|
type Auth struct {
|
2021-11-18 18:55:37 +00:00
|
|
|
log *zap.Logger
|
|
|
|
ExternalAddress string
|
|
|
|
LetUsKnowURL string
|
|
|
|
TermsAndConditionsURL string
|
|
|
|
ContactInfoURL string
|
2022-06-28 17:12:43 +01:00
|
|
|
GeneralRequestURL string
|
2021-11-18 18:55:37 +00:00
|
|
|
PasswordRecoveryURL string
|
|
|
|
CancelPasswordRecoveryURL string
|
|
|
|
ActivateAccountURL string
|
2022-06-28 17:12:43 +01:00
|
|
|
SatelliteName string
|
2021-11-18 18:55:37 +00:00
|
|
|
service *console.Service
|
2022-12-14 15:00:14 +00:00
|
|
|
accountFreezeService *console.AccountFreezeService
|
2021-11-18 18:55:37 +00:00
|
|
|
analytics *analytics.Service
|
|
|
|
mailService *mailservice.Service
|
|
|
|
cookieAuth *consolewebauth.CookieAuth
|
2019-10-21 13:48:29 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewAuth is a constructor for api auth controller.
|
2023-01-27 21:07:32 +00:00
|
|
|
func NewAuth(log *zap.Logger, service *console.Service, accountFreezeService *console.AccountFreezeService, mailService *mailservice.Service, cookieAuth *consolewebauth.CookieAuth, analytics *analytics.Service, satelliteName string, externalAddress string, letUsKnowURL string, termsAndConditionsURL string, contactInfoURL string, generalRequestURL string) *Auth {
|
2019-10-21 13:48:29 +01:00
|
|
|
return &Auth{
|
2021-11-18 18:55:37 +00:00
|
|
|
log: log,
|
|
|
|
ExternalAddress: externalAddress,
|
|
|
|
LetUsKnowURL: letUsKnowURL,
|
|
|
|
TermsAndConditionsURL: termsAndConditionsURL,
|
|
|
|
ContactInfoURL: contactInfoURL,
|
2022-06-28 17:12:43 +01:00
|
|
|
GeneralRequestURL: generalRequestURL,
|
|
|
|
SatelliteName: satelliteName,
|
2023-02-16 20:50:15 +00:00
|
|
|
PasswordRecoveryURL: externalAddress + "password-recovery",
|
|
|
|
CancelPasswordRecoveryURL: externalAddress + "cancel-password-recovery",
|
|
|
|
ActivateAccountURL: externalAddress + "activation",
|
2021-11-18 18:55:37 +00:00
|
|
|
service: service,
|
2022-12-14 15:00:14 +00:00
|
|
|
accountFreezeService: accountFreezeService,
|
2021-11-18 18:55:37 +00:00
|
|
|
mailService: mailService,
|
|
|
|
cookieAuth: cookieAuth,
|
|
|
|
analytics: analytics,
|
2019-10-21 13:48:29 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-10-21 17:42:49 +01:00
|
|
|
// Token authenticates user by credentials and returns auth token.
|
2019-10-21 13:48:29 +01:00
|
|
|
func (a *Auth) Token(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
2021-07-13 18:21:16 +01:00
|
|
|
tokenRequest := console.AuthUser{}
|
2019-10-21 13:48:29 +01:00
|
|
|
err = json.NewDecoder(r.Body).Decode(&tokenRequest)
|
|
|
|
if err != nil {
|
2019-11-12 11:53:00 +00:00
|
|
|
a.serveJSONError(w, err)
|
2019-10-21 13:48:29 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-06-05 23:41:38 +01:00
|
|
|
tokenRequest.UserAgent = r.UserAgent()
|
|
|
|
tokenRequest.IP, err = web.GetRequestIP(r)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-07-19 10:26:18 +01:00
|
|
|
tokenInfo, err := a.service.Token(ctx, tokenRequest)
|
2019-10-21 13:48:29 +01:00
|
|
|
if err != nil {
|
2021-11-18 18:55:37 +00:00
|
|
|
if console.ErrMFAMissing.Has(err) {
|
2022-11-21 18:58:42 +00:00
|
|
|
web.ServeCustomJSONError(a.log, w, http.StatusOK, err, a.getUserErrorMessage(err))
|
2021-11-18 18:55:37 +00:00
|
|
|
} else {
|
2021-07-13 18:21:16 +01:00
|
|
|
a.log.Info("Error authenticating token request", zap.String("email", tokenRequest.Email), zap.Error(ErrAuthAPI.Wrap(err)))
|
2021-11-18 18:55:37 +00:00
|
|
|
a.serveJSONError(w, err)
|
2021-07-13 18:21:16 +01:00
|
|
|
}
|
2019-10-21 13:48:29 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-07-19 10:26:18 +01:00
|
|
|
a.cookieAuth.SetTokenCookie(w, *tokenInfo)
|
2020-01-20 18:57:14 +00:00
|
|
|
|
2019-11-12 13:05:35 +00:00
|
|
|
w.Header().Set("Content-Type", "application/json")
|
2022-07-19 10:26:18 +01:00
|
|
|
err = json.NewEncoder(w).Encode(struct {
|
|
|
|
console.TokenInfo
|
|
|
|
Token string `json:"token"`
|
|
|
|
}{*tokenInfo, tokenInfo.Token.String()})
|
2019-10-21 13:48:29 +01:00
|
|
|
if err != nil {
|
2019-10-23 18:33:24 +01:00
|
|
|
a.log.Error("token handler could not encode token response", zap.Error(ErrAuthAPI.Wrap(err)))
|
2019-10-21 13:48:29 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-11-21 22:56:09 +00:00
|
|
|
// getSessionID gets the session ID from the request.
|
|
|
|
func (a *Auth) getSessionID(r *http.Request) (id uuid.UUID, err error) {
|
|
|
|
|
|
|
|
tokenInfo, err := a.cookieAuth.GetToken(r)
|
|
|
|
if err != nil {
|
|
|
|
return uuid.UUID{}, err
|
|
|
|
}
|
|
|
|
|
|
|
|
sessionID, err := uuid.FromBytes(tokenInfo.Token.Payload)
|
|
|
|
if err != nil {
|
|
|
|
return uuid.UUID{}, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return sessionID, nil
|
|
|
|
}
|
|
|
|
|
2020-01-29 13:10:13 +00:00
|
|
|
// Logout removes auth cookie.
|
|
|
|
func (a *Auth) Logout(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
defer mon.Task()(&ctx)(nil)
|
|
|
|
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
2022-06-05 23:41:38 +01:00
|
|
|
|
2022-11-21 22:56:09 +00:00
|
|
|
sessionID, err := a.getSessionID(r)
|
2022-07-19 10:26:18 +01:00
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-11-21 22:56:09 +00:00
|
|
|
err = a.service.DeleteSession(ctx, sessionID)
|
2022-06-05 23:41:38 +01:00
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
a.cookieAuth.RemoveTokenCookie(w)
|
2020-01-29 13:10:13 +00:00
|
|
|
}
|
|
|
|
|
2023-01-23 19:23:32 +00:00
|
|
|
// replaceSpecialCharacters replaces characters that could be used to represent a url or html.
|
|
|
|
func replaceSpecialCharacters(s string) string {
|
2022-01-20 11:28:01 +00:00
|
|
|
re := regexp.MustCompile(`[\/:\.]`)
|
2023-01-23 19:23:32 +00:00
|
|
|
s = template.HTMLEscapeString(s)
|
|
|
|
s = template.JSEscapeString(s)
|
2022-01-20 11:28:01 +00:00
|
|
|
return re.ReplaceAllString(s, "-")
|
2022-01-19 23:45:35 +00:00
|
|
|
}
|
|
|
|
|
2019-10-21 17:42:49 +01:00
|
|
|
// Register creates new user, sends activation e-mail.
|
2021-11-18 18:55:37 +00:00
|
|
|
// If a user with the given e-mail address already exists, a password reset e-mail is sent instead.
|
2019-10-21 13:48:29 +01:00
|
|
|
func (a *Auth) Register(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
2021-08-12 19:21:33 +01:00
|
|
|
origin := r.Header.Get("Origin")
|
|
|
|
if supportedCORSOrigins[origin] {
|
|
|
|
// we should send the exact origin back, rather than a wildcard
|
|
|
|
w.Header().Set("Access-Control-Allow-Origin", origin)
|
|
|
|
w.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS")
|
2021-08-25 17:47:14 +01:00
|
|
|
w.Header().Set("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
|
2021-08-12 19:21:33 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// OPTIONS is a pre-flight check for cross-origin (CORS) permissions
|
|
|
|
if r.Method == "OPTIONS" {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2019-10-29 14:24:16 +00:00
|
|
|
var registerData struct {
|
2022-05-06 21:56:18 +01:00
|
|
|
FullName string `json:"fullName"`
|
|
|
|
ShortName string `json:"shortName"`
|
|
|
|
Email string `json:"email"`
|
|
|
|
Partner string `json:"partner"`
|
|
|
|
UserAgent []byte `json:"userAgent"`
|
|
|
|
Password string `json:"password"`
|
|
|
|
SecretInput string `json:"secret"`
|
|
|
|
ReferrerUserID string `json:"referrerUserId"`
|
|
|
|
IsProfessional bool `json:"isProfessional"`
|
|
|
|
Position string `json:"position"`
|
|
|
|
CompanyName string `json:"companyName"`
|
|
|
|
EmployeeCount string `json:"employeeCount"`
|
|
|
|
HaveSalesContact bool `json:"haveSalesContact"`
|
|
|
|
CaptchaResponse string `json:"captchaResponse"`
|
|
|
|
SignupPromoCode string `json:"signupPromoCode"`
|
2019-10-21 13:48:29 +01:00
|
|
|
}
|
|
|
|
|
2019-10-29 14:24:16 +00:00
|
|
|
err = json.NewDecoder(r.Body).Decode(®isterData)
|
2019-10-21 13:48:29 +01:00
|
|
|
if err != nil {
|
2019-11-12 11:53:00 +00:00
|
|
|
a.serveJSONError(w, err)
|
2019-10-21 13:48:29 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-02-18 12:52:23 +00:00
|
|
|
// trim leading and trailing spaces of email address.
|
|
|
|
registerData.Email = strings.TrimSpace(registerData.Email)
|
|
|
|
|
2022-11-18 16:25:31 +00:00
|
|
|
isValidEmail := utils.ValidateEmail(registerData.Email)
|
2022-02-18 12:52:23 +00:00
|
|
|
if !isValidEmail {
|
|
|
|
a.serveJSONError(w, console.ErrValidation.Wrap(errs.New("Invalid email.")))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2023-01-23 19:23:32 +00:00
|
|
|
// remove special characters from submitted info so that malicious link or code cannot be injected anywhere.
|
|
|
|
registerData.FullName = replaceSpecialCharacters(registerData.FullName)
|
|
|
|
registerData.ShortName = replaceSpecialCharacters(registerData.ShortName)
|
|
|
|
registerData.Partner = replaceSpecialCharacters(registerData.Partner)
|
|
|
|
registerData.Position = replaceSpecialCharacters(registerData.Position)
|
|
|
|
registerData.CompanyName = replaceSpecialCharacters(registerData.CompanyName)
|
|
|
|
registerData.EmployeeCount = replaceSpecialCharacters(registerData.EmployeeCount)
|
2022-01-19 23:45:35 +00:00
|
|
|
|
2022-08-01 12:43:23 +01:00
|
|
|
if len([]rune(registerData.Partner)) > 100 {
|
|
|
|
a.serveJSONError(w, console.ErrValidation.Wrap(errs.New("Partner must be less than or equal to 100 characters")))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
if len([]rune(registerData.SignupPromoCode)) > 100 {
|
|
|
|
a.serveJSONError(w, console.ErrValidation.Wrap(errs.New("Promo code must be less than or equal to 100 characters")))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-11-18 18:55:37 +00:00
|
|
|
verified, unverified, err := a.service.GetUserByEmailWithUnverified(ctx, registerData.Email)
|
|
|
|
if err != nil && !console.ErrEmailNotFound.Has(err) {
|
2019-11-12 11:53:00 +00:00
|
|
|
a.serveJSONError(w, err)
|
2019-10-21 13:48:29 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-11-18 18:55:37 +00:00
|
|
|
if verified != nil {
|
2022-07-01 18:31:14 +01:00
|
|
|
satelliteAddress := a.ExternalAddress
|
|
|
|
if !strings.HasSuffix(satelliteAddress, "/") {
|
|
|
|
satelliteAddress += "/"
|
2021-11-18 18:55:37 +00:00
|
|
|
}
|
|
|
|
a.mailService.SendRenderedAsync(
|
|
|
|
ctx,
|
2022-07-01 18:31:14 +01:00
|
|
|
[]post.Address{{Address: verified.Email}},
|
2022-07-14 14:44:06 +01:00
|
|
|
&console.AccountAlreadyExistsEmail{
|
2022-07-01 18:31:14 +01:00
|
|
|
Origin: satelliteAddress,
|
|
|
|
SatelliteName: a.SatelliteName,
|
|
|
|
SignInLink: satelliteAddress + "login",
|
|
|
|
ResetPasswordLink: satelliteAddress + "forgot-password",
|
|
|
|
CreateAccountLink: satelliteAddress + "signup",
|
2021-11-18 18:55:37 +00:00
|
|
|
},
|
|
|
|
)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
var user *console.User
|
|
|
|
if len(unverified) > 0 {
|
|
|
|
user = &unverified[0]
|
|
|
|
} else {
|
|
|
|
secret, err := console.RegistrationSecretFromBase64(registerData.SecretInput)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
2019-10-21 13:48:29 +01:00
|
|
|
|
2021-11-18 18:55:37 +00:00
|
|
|
if registerData.Partner != "" {
|
|
|
|
registerData.UserAgent = []byte(registerData.Partner)
|
|
|
|
}
|
|
|
|
|
|
|
|
ip, err := web.GetRequestIP(r)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
user, err = a.service.CreateUser(ctx,
|
|
|
|
console.CreateUser{
|
2022-05-06 21:56:18 +01:00
|
|
|
FullName: registerData.FullName,
|
|
|
|
ShortName: registerData.ShortName,
|
|
|
|
Email: registerData.Email,
|
|
|
|
UserAgent: registerData.UserAgent,
|
|
|
|
Password: registerData.Password,
|
|
|
|
IsProfessional: registerData.IsProfessional,
|
|
|
|
Position: registerData.Position,
|
|
|
|
CompanyName: registerData.CompanyName,
|
|
|
|
EmployeeCount: registerData.EmployeeCount,
|
|
|
|
HaveSalesContact: registerData.HaveSalesContact,
|
|
|
|
CaptchaResponse: registerData.CaptchaResponse,
|
|
|
|
IP: ip,
|
|
|
|
SignupPromoCode: registerData.SignupPromoCode,
|
2021-11-18 18:55:37 +00:00
|
|
|
},
|
|
|
|
secret,
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-11-30 19:42:01 +00:00
|
|
|
// see if referrer was provided in URL query, otherwise use the Referer header in the request.
|
|
|
|
referrer := r.URL.Query().Get("referrer")
|
|
|
|
if referrer == "" {
|
|
|
|
referrer = r.Referer()
|
|
|
|
}
|
2022-03-29 20:36:06 +01:00
|
|
|
hubspotUTK := ""
|
|
|
|
hubspotCookie, err := r.Cookie("hubspotutk")
|
|
|
|
if err == nil {
|
|
|
|
hubspotUTK = hubspotCookie.Value
|
|
|
|
}
|
|
|
|
|
2021-11-18 18:55:37 +00:00
|
|
|
trackCreateUserFields := analytics.TrackCreateUserFields{
|
2021-11-30 19:42:01 +00:00
|
|
|
ID: user.ID,
|
|
|
|
AnonymousID: loadSession(r),
|
|
|
|
FullName: user.FullName,
|
|
|
|
Email: user.Email,
|
|
|
|
Type: analytics.Personal,
|
|
|
|
OriginHeader: origin,
|
|
|
|
Referrer: referrer,
|
2022-03-29 20:36:06 +01:00
|
|
|
HubspotUTK: hubspotUTK,
|
2022-07-29 22:27:24 +01:00
|
|
|
UserAgent: string(user.UserAgent),
|
2021-11-18 18:55:37 +00:00
|
|
|
}
|
|
|
|
if user.IsProfessional {
|
|
|
|
trackCreateUserFields.Type = analytics.Professional
|
|
|
|
trackCreateUserFields.EmployeeCount = user.EmployeeCount
|
|
|
|
trackCreateUserFields.CompanyName = user.CompanyName
|
|
|
|
trackCreateUserFields.JobTitle = user.Position
|
|
|
|
trackCreateUserFields.HaveSalesContact = user.HaveSalesContact
|
|
|
|
}
|
|
|
|
a.analytics.TrackCreateUser(trackCreateUserFields)
|
2021-03-23 15:52:34 +00:00
|
|
|
}
|
|
|
|
|
2019-10-21 13:48:29 +01:00
|
|
|
token, err := a.service.GenerateActivationToken(ctx, user.ID, user.Email)
|
|
|
|
if err != nil {
|
2019-11-12 11:53:00 +00:00
|
|
|
a.serveJSONError(w, err)
|
2019-10-21 13:48:29 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-11-18 18:55:37 +00:00
|
|
|
link := a.ActivateAccountURL + "?token=" + token
|
2019-10-21 13:48:29 +01:00
|
|
|
|
|
|
|
a.mailService.SendRenderedAsync(
|
|
|
|
ctx,
|
2023-01-31 21:22:17 +00:00
|
|
|
[]post.Address{{Address: user.Email}},
|
2022-07-14 14:44:06 +01:00
|
|
|
&console.AccountActivationEmail{
|
2019-10-21 13:48:29 +01:00
|
|
|
ActivationLink: link,
|
|
|
|
Origin: a.ExternalAddress,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
2021-04-08 22:04:44 +01:00
|
|
|
// loadSession looks for a cookie for the session id.
|
|
|
|
// this cookie is set from the reverse proxy if the user opts into cookies from Storj.
|
|
|
|
func loadSession(req *http.Request) string {
|
|
|
|
sessionCookie, err := req.Cookie("webtraf-sid")
|
|
|
|
if err != nil {
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
return sessionCookie.Value
|
|
|
|
}
|
|
|
|
|
2022-12-14 15:00:14 +00:00
|
|
|
// IsAccountFrozen checks to see if an account is frozen.
|
|
|
|
func (a *Auth) IsAccountFrozen(w http.ResponseWriter, r *http.Request) {
|
|
|
|
type FrozenResult struct {
|
|
|
|
Frozen bool `json:"frozen"`
|
|
|
|
}
|
|
|
|
|
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
|
|
|
userID, err := a.service.GetUserID(ctx)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
frozenBool, err := a.accountFreezeService.IsUserFrozen(ctx, userID)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
err = json.NewEncoder(w).Encode(FrozenResult{
|
|
|
|
Frozen: frozenBool,
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
a.log.Error("could not encode account status", zap.Error(ErrAuthAPI.Wrap(err)))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-10-29 14:24:16 +00:00
|
|
|
// UpdateAccount updates user's full name and short name.
|
|
|
|
func (a *Auth) UpdateAccount(w http.ResponseWriter, r *http.Request) {
|
2019-10-25 13:07:17 +01:00
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
|
|
|
var updatedInfo struct {
|
|
|
|
FullName string `json:"fullName"`
|
|
|
|
ShortName string `json:"shortName"`
|
|
|
|
}
|
|
|
|
|
|
|
|
err = json.NewDecoder(r.Body).Decode(&updatedInfo)
|
|
|
|
if err != nil {
|
2019-11-12 11:53:00 +00:00
|
|
|
a.serveJSONError(w, err)
|
2019-10-25 13:07:17 +01:00
|
|
|
return
|
|
|
|
}
|
2023-01-23 19:23:32 +00:00
|
|
|
updatedInfo.FullName = replaceSpecialCharacters(updatedInfo.FullName)
|
|
|
|
updatedInfo.ShortName = replaceSpecialCharacters(updatedInfo.ShortName)
|
2019-10-25 13:07:17 +01:00
|
|
|
|
|
|
|
if err = a.service.UpdateAccount(ctx, updatedInfo.FullName, updatedInfo.ShortName); err != nil {
|
2019-11-12 11:53:00 +00:00
|
|
|
a.serveJSONError(w, err)
|
2019-10-25 13:07:17 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-10-29 14:24:16 +00:00
|
|
|
// GetAccount gets authorized user and take it's params.
|
|
|
|
func (a *Auth) GetAccount(w http.ResponseWriter, r *http.Request) {
|
2019-10-25 13:07:17 +01:00
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
|
|
|
var user struct {
|
2021-08-14 21:52:09 +01:00
|
|
|
ID uuid.UUID `json:"id"`
|
|
|
|
FullName string `json:"fullName"`
|
|
|
|
ShortName string `json:"shortName"`
|
|
|
|
Email string `json:"email"`
|
2023-01-20 16:41:02 +00:00
|
|
|
Partner string `json:"partner"`
|
2021-08-14 21:52:09 +01:00
|
|
|
ProjectLimit int `json:"projectLimit"`
|
|
|
|
IsProfessional bool `json:"isProfessional"`
|
|
|
|
Position string `json:"position"`
|
|
|
|
CompanyName string `json:"companyName"`
|
|
|
|
EmployeeCount string `json:"employeeCount"`
|
|
|
|
HaveSalesContact bool `json:"haveSalesContact"`
|
|
|
|
PaidTier bool `json:"paidTier"`
|
|
|
|
MFAEnabled bool `json:"isMFAEnabled"`
|
|
|
|
MFARecoveryCodeCount int `json:"mfaRecoveryCodeCount"`
|
2023-02-07 10:50:07 +00:00
|
|
|
CreatedAt time.Time `json:"createdAt"`
|
2019-10-25 13:07:17 +01:00
|
|
|
}
|
|
|
|
|
2022-06-05 23:41:38 +01:00
|
|
|
consoleUser, err := console.GetUser(ctx)
|
2019-10-25 13:07:17 +01:00
|
|
|
if err != nil {
|
2019-11-12 11:53:00 +00:00
|
|
|
a.serveJSONError(w, err)
|
2019-10-25 13:07:17 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-06-05 23:41:38 +01:00
|
|
|
user.ShortName = consoleUser.ShortName
|
|
|
|
user.FullName = consoleUser.FullName
|
|
|
|
user.Email = consoleUser.Email
|
|
|
|
user.ID = consoleUser.ID
|
2023-01-20 16:41:02 +00:00
|
|
|
if consoleUser.UserAgent != nil {
|
|
|
|
user.Partner = string(consoleUser.UserAgent)
|
|
|
|
}
|
2022-06-05 23:41:38 +01:00
|
|
|
user.ProjectLimit = consoleUser.ProjectLimit
|
|
|
|
user.IsProfessional = consoleUser.IsProfessional
|
|
|
|
user.CompanyName = consoleUser.CompanyName
|
|
|
|
user.Position = consoleUser.Position
|
|
|
|
user.EmployeeCount = consoleUser.EmployeeCount
|
|
|
|
user.HaveSalesContact = consoleUser.HaveSalesContact
|
|
|
|
user.PaidTier = consoleUser.PaidTier
|
|
|
|
user.MFAEnabled = consoleUser.MFAEnabled
|
|
|
|
user.MFARecoveryCodeCount = len(consoleUser.MFARecoveryCodes)
|
2023-02-07 10:50:07 +00:00
|
|
|
user.CreatedAt = consoleUser.CreatedAt
|
2019-10-25 13:07:17 +01:00
|
|
|
|
2019-11-12 13:05:35 +00:00
|
|
|
w.Header().Set("Content-Type", "application/json")
|
2019-10-25 13:07:17 +01:00
|
|
|
err = json.NewEncoder(w).Encode(&user)
|
|
|
|
if err != nil {
|
|
|
|
a.log.Error("could not encode user info", zap.Error(ErrAuthAPI.Wrap(err)))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-10-06 11:25:12 +01:00
|
|
|
// DeleteAccount authorizes user and deletes account by password.
|
2019-10-29 14:24:16 +00:00
|
|
|
func (a *Auth) DeleteAccount(w http.ResponseWriter, r *http.Request) {
|
2019-10-22 17:17:09 +01:00
|
|
|
ctx := r.Context()
|
2020-10-21 11:52:24 +01:00
|
|
|
defer mon.Task()(&ctx)(&errNotImplemented)
|
2019-10-22 17:17:09 +01:00
|
|
|
|
2020-10-06 11:25:12 +01:00
|
|
|
// We do not want to allow account deletion via API currently.
|
2020-10-21 11:52:24 +01:00
|
|
|
a.serveJSONError(w, errNotImplemented)
|
2019-10-22 17:17:09 +01:00
|
|
|
}
|
|
|
|
|
2020-11-05 16:16:55 +00:00
|
|
|
// ChangeEmail auth user, changes users email for a new one.
|
|
|
|
func (a *Auth) ChangeEmail(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
|
|
|
var emailChange struct {
|
|
|
|
NewEmail string `json:"newEmail"`
|
|
|
|
}
|
|
|
|
|
|
|
|
err = json.NewDecoder(r.Body).Decode(&emailChange)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
err = a.service.ChangeEmail(ctx, emailChange.NewEmail)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-10-21 17:42:49 +01:00
|
|
|
// ChangePassword auth user, changes users password for a new one.
|
|
|
|
func (a *Auth) ChangePassword(w http.ResponseWriter, r *http.Request) {
|
2019-10-21 13:48:29 +01:00
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
|
|
|
var passwordChange struct {
|
|
|
|
CurrentPassword string `json:"password"`
|
|
|
|
NewPassword string `json:"newPassword"`
|
|
|
|
}
|
|
|
|
|
|
|
|
err = json.NewDecoder(r.Body).Decode(&passwordChange)
|
|
|
|
if err != nil {
|
2019-11-12 11:53:00 +00:00
|
|
|
a.serveJSONError(w, err)
|
2019-10-21 13:48:29 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
err = a.service.ChangePassword(ctx, passwordChange.CurrentPassword, passwordChange.NewPassword)
|
|
|
|
if err != nil {
|
2019-11-12 11:53:00 +00:00
|
|
|
a.serveJSONError(w, err)
|
2019-10-21 13:48:29 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-10-21 17:42:49 +01:00
|
|
|
// ForgotPassword creates password-reset token and sends email to user.
|
|
|
|
func (a *Auth) ForgotPassword(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
2022-09-01 03:19:06 +01:00
|
|
|
var forgotPassword struct {
|
|
|
|
Email string `json:"email"`
|
|
|
|
CaptchaResponse string `json:"captchaResponse"`
|
|
|
|
}
|
|
|
|
|
|
|
|
err = json.NewDecoder(r.Body).Decode(&forgotPassword)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
ip, err := web.GetRequestIP(r)
|
|
|
|
if err != nil {
|
2019-11-12 11:53:00 +00:00
|
|
|
a.serveJSONError(w, err)
|
2019-10-21 17:42:49 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-09-01 03:19:06 +01:00
|
|
|
valid, err := a.service.VerifyForgotPasswordCaptcha(ctx, forgotPassword.CaptchaResponse, ip)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if !valid {
|
|
|
|
a.serveJSONError(w, console.ErrCaptcha.New("captcha validation unsuccessful"))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
user, _, err := a.service.GetUserByEmailWithUnverified(ctx, forgotPassword.Email)
|
2021-11-18 18:55:37 +00:00
|
|
|
if err != nil || user == nil {
|
2022-06-28 17:12:43 +01:00
|
|
|
satelliteAddress := a.ExternalAddress
|
|
|
|
|
|
|
|
if !strings.HasSuffix(satelliteAddress, "/") {
|
|
|
|
satelliteAddress += "/"
|
|
|
|
}
|
|
|
|
resetPasswordLink := satelliteAddress + "forgot-password"
|
|
|
|
doubleCheckLink := satelliteAddress + "login"
|
|
|
|
createAccountLink := satelliteAddress + "signup"
|
|
|
|
|
|
|
|
a.mailService.SendRenderedAsync(
|
|
|
|
ctx,
|
2022-09-01 03:19:06 +01:00
|
|
|
[]post.Address{{Address: forgotPassword.Email, Name: ""}},
|
2022-07-14 14:44:06 +01:00
|
|
|
&console.UnknownResetPasswordEmail{
|
2022-06-28 17:12:43 +01:00
|
|
|
Satellite: a.SatelliteName,
|
2022-09-01 03:19:06 +01:00
|
|
|
Email: forgotPassword.Email,
|
2022-06-28 17:12:43 +01:00
|
|
|
DoubleCheckLink: doubleCheckLink,
|
|
|
|
ResetPasswordLink: resetPasswordLink,
|
|
|
|
CreateAnAccountLink: createAccountLink,
|
|
|
|
SupportTeamLink: a.GeneralRequestURL,
|
|
|
|
},
|
|
|
|
)
|
2019-10-21 17:42:49 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
recoveryToken, err := a.service.GeneratePasswordRecoveryToken(ctx, user.ID)
|
|
|
|
if err != nil {
|
2019-11-12 11:53:00 +00:00
|
|
|
a.serveJSONError(w, err)
|
2019-10-21 17:42:49 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-11-18 18:55:37 +00:00
|
|
|
passwordRecoveryLink := a.PasswordRecoveryURL + "?token=" + recoveryToken
|
|
|
|
cancelPasswordRecoveryLink := a.CancelPasswordRecoveryURL + "?token=" + recoveryToken
|
2019-10-21 17:42:49 +01:00
|
|
|
userName := user.ShortName
|
|
|
|
if user.ShortName == "" {
|
|
|
|
userName = user.FullName
|
|
|
|
}
|
|
|
|
|
|
|
|
contactInfoURL := a.ContactInfoURL
|
|
|
|
letUsKnowURL := a.LetUsKnowURL
|
|
|
|
termsAndConditionsURL := a.TermsAndConditionsURL
|
|
|
|
|
|
|
|
a.mailService.SendRenderedAsync(
|
|
|
|
ctx,
|
|
|
|
[]post.Address{{Address: user.Email, Name: userName}},
|
2022-07-14 14:44:06 +01:00
|
|
|
&console.ForgotPasswordEmail{
|
2019-10-21 17:42:49 +01:00
|
|
|
Origin: a.ExternalAddress,
|
|
|
|
UserName: userName,
|
|
|
|
ResetLink: passwordRecoveryLink,
|
|
|
|
CancelPasswordRecoveryLink: cancelPasswordRecoveryLink,
|
|
|
|
LetUsKnowURL: letUsKnowURL,
|
|
|
|
ContactInfoURL: contactInfoURL,
|
|
|
|
TermsAndConditionsURL: termsAndConditionsURL,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
2021-11-18 18:55:37 +00:00
|
|
|
// ResendEmail generates activation token by e-mail address and sends email account activation email to user.
|
|
|
|
// If the account is already activated, a password reset e-mail is sent instead.
|
2019-10-21 17:42:49 +01:00
|
|
|
func (a *Auth) ResendEmail(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
|
|
|
params := mux.Vars(r)
|
2021-11-18 18:55:37 +00:00
|
|
|
email, ok := params["email"]
|
2019-10-21 17:42:49 +01:00
|
|
|
if !ok {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-11-18 18:55:37 +00:00
|
|
|
verified, unverified, err := a.service.GetUserByEmailWithUnverified(ctx, email)
|
2019-10-21 17:42:49 +01:00
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-11-18 18:55:37 +00:00
|
|
|
if verified != nil {
|
|
|
|
recoveryToken, err := a.service.GeneratePasswordRecoveryToken(ctx, verified.ID)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
userName := verified.ShortName
|
|
|
|
if verified.ShortName == "" {
|
|
|
|
userName = verified.FullName
|
|
|
|
}
|
|
|
|
|
|
|
|
a.mailService.SendRenderedAsync(
|
|
|
|
ctx,
|
|
|
|
[]post.Address{{Address: verified.Email, Name: userName}},
|
2022-07-14 14:44:06 +01:00
|
|
|
&console.ForgotPasswordEmail{
|
2021-11-18 18:55:37 +00:00
|
|
|
Origin: a.ExternalAddress,
|
|
|
|
UserName: userName,
|
|
|
|
ResetLink: a.PasswordRecoveryURL + "?token=" + recoveryToken,
|
|
|
|
CancelPasswordRecoveryLink: a.CancelPasswordRecoveryURL + "?token=" + recoveryToken,
|
|
|
|
LetUsKnowURL: a.LetUsKnowURL,
|
|
|
|
ContactInfoURL: a.ContactInfoURL,
|
|
|
|
TermsAndConditionsURL: a.TermsAndConditionsURL,
|
|
|
|
},
|
|
|
|
)
|
2019-10-21 17:42:49 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-11-18 18:55:37 +00:00
|
|
|
user := unverified[0]
|
|
|
|
|
2019-10-21 17:42:49 +01:00
|
|
|
token, err := a.service.GenerateActivationToken(ctx, user.ID, user.Email)
|
|
|
|
if err != nil {
|
2019-11-12 11:53:00 +00:00
|
|
|
a.serveJSONError(w, err)
|
2019-10-21 17:42:49 +01:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-11-18 18:55:37 +00:00
|
|
|
link := a.ActivateAccountURL + "?token=" + token
|
2019-10-21 17:42:49 +01:00
|
|
|
contactInfoURL := a.ContactInfoURL
|
|
|
|
termsAndConditionsURL := a.TermsAndConditionsURL
|
|
|
|
|
|
|
|
a.mailService.SendRenderedAsync(
|
|
|
|
ctx,
|
2023-01-31 21:22:17 +00:00
|
|
|
[]post.Address{{Address: user.Email}},
|
2022-07-14 14:44:06 +01:00
|
|
|
&console.AccountActivationEmail{
|
2019-10-21 17:42:49 +01:00
|
|
|
Origin: a.ExternalAddress,
|
|
|
|
ActivationLink: link,
|
|
|
|
TermsAndConditionsURL: termsAndConditionsURL,
|
|
|
|
ContactInfoURL: contactInfoURL,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
2021-07-13 18:21:16 +01:00
|
|
|
// EnableUserMFA enables multi-factor authentication for the user.
|
|
|
|
func (a *Auth) EnableUserMFA(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
2021-07-20 12:34:40 +01:00
|
|
|
var data struct {
|
|
|
|
Passcode string `json:"passcode"`
|
|
|
|
}
|
|
|
|
err = json.NewDecoder(r.Body).Decode(&data)
|
2021-07-13 18:21:16 +01:00
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-07-20 12:34:40 +01:00
|
|
|
err = a.service.EnableUserMFA(ctx, data.Passcode, time.Now())
|
2021-07-13 18:21:16 +01:00
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
2022-11-21 22:56:09 +00:00
|
|
|
|
|
|
|
sessionID, err := a.getSessionID(r)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
consoleUser, err := console.GetUser(ctx)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
err = a.service.DeleteAllSessionsByUserIDExcept(ctx, consoleUser.ID, sessionID)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
2021-07-13 18:21:16 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// DisableUserMFA disables multi-factor authentication for the user.
|
|
|
|
func (a *Auth) DisableUserMFA(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
2021-07-20 12:34:40 +01:00
|
|
|
var data struct {
|
2021-08-16 22:23:06 +01:00
|
|
|
Passcode string `json:"passcode"`
|
|
|
|
RecoveryCode string `json:"recoveryCode"`
|
2021-07-20 12:34:40 +01:00
|
|
|
}
|
|
|
|
err = json.NewDecoder(r.Body).Decode(&data)
|
2021-07-13 18:21:16 +01:00
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-08-16 22:23:06 +01:00
|
|
|
err = a.service.DisableUserMFA(ctx, data.Passcode, time.Now(), data.RecoveryCode)
|
2021-07-13 18:21:16 +01:00
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
2022-11-21 22:56:09 +00:00
|
|
|
|
|
|
|
sessionID, err := a.getSessionID(r)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
consoleUser, err := console.GetUser(ctx)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
err = a.service.DeleteAllSessionsByUserIDExcept(ctx, consoleUser.ID, sessionID)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
2021-07-13 18:21:16 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// GenerateMFASecretKey creates a new TOTP secret key for the user.
|
|
|
|
func (a *Auth) GenerateMFASecretKey(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
|
|
|
key, err := a.service.ResetMFASecretKey(ctx)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
err = json.NewEncoder(w).Encode(key)
|
|
|
|
if err != nil {
|
|
|
|
a.log.Error("could not encode MFA secret key", zap.Error(ErrAuthAPI.Wrap(err)))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// GenerateMFARecoveryCodes creates a new set of MFA recovery codes for the user.
|
|
|
|
func (a *Auth) GenerateMFARecoveryCodes(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
|
|
|
codes, err := a.service.ResetMFARecoveryCodes(ctx)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
err = json.NewEncoder(w).Encode(codes)
|
|
|
|
if err != nil {
|
|
|
|
a.log.Error("could not encode MFA recovery codes", zap.Error(ErrAuthAPI.Wrap(err)))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-07-23 21:53:19 +01:00
|
|
|
// ResetPassword resets user's password using recovery token.
|
|
|
|
func (a *Auth) ResetPassword(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
|
|
|
var resetPassword struct {
|
2022-01-12 01:42:38 +00:00
|
|
|
RecoveryToken string `json:"token"`
|
|
|
|
NewPassword string `json:"password"`
|
|
|
|
MFAPasscode string `json:"mfaPasscode"`
|
|
|
|
MFARecoveryCode string `json:"mfaRecoveryCode"`
|
2021-07-23 21:53:19 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
err = json.NewDecoder(r.Body).Decode(&resetPassword)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
}
|
|
|
|
|
2022-01-12 01:42:38 +00:00
|
|
|
err = a.service.ResetPassword(ctx, resetPassword.RecoveryToken, resetPassword.NewPassword, resetPassword.MFAPasscode, resetPassword.MFARecoveryCode, time.Now())
|
|
|
|
|
|
|
|
if console.ErrMFAMissing.Has(err) || console.ErrMFAPasscode.Has(err) || console.ErrMFARecoveryCode.Has(err) {
|
|
|
|
w.WriteHeader(a.getStatusCode(err))
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
|
|
|
|
err = json.NewEncoder(w).Encode(map[string]string{
|
|
|
|
"error": a.getUserErrorMessage(err),
|
|
|
|
"code": "mfa_required",
|
|
|
|
})
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
a.log.Error("failed to write json response", zap.Error(ErrUtils.Wrap(err)))
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-10-11 22:36:29 +01:00
|
|
|
if console.ErrTokenExpiration.Has(err) {
|
|
|
|
w.WriteHeader(a.getStatusCode(err))
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
|
|
|
|
err = json.NewEncoder(w).Encode(map[string]string{
|
|
|
|
"error": a.getUserErrorMessage(err),
|
|
|
|
"code": "token_expired",
|
|
|
|
})
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
a.log.Error("password-reset-token expired: failed to write json response", zap.Error(ErrUtils.Wrap(err)))
|
|
|
|
}
|
|
|
|
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-07-23 21:53:19 +01:00
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
2022-07-22 18:25:54 +01:00
|
|
|
} else {
|
|
|
|
a.cookieAuth.RemoveTokenCookie(w)
|
2021-07-23 21:53:19 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-07-19 10:26:18 +01:00
|
|
|
// RefreshSession refreshes the user's session.
|
|
|
|
func (a *Auth) RefreshSession(w http.ResponseWriter, r *http.Request) {
|
|
|
|
ctx := r.Context()
|
|
|
|
var err error
|
|
|
|
defer mon.Task()(&ctx)(&err)
|
|
|
|
|
|
|
|
tokenInfo, err := a.cookieAuth.GetToken(r)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
id, err := uuid.FromBytes(tokenInfo.Token.Payload)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
tokenInfo.ExpiresAt, err = a.service.RefreshSession(ctx, id)
|
|
|
|
if err != nil {
|
|
|
|
a.serveJSONError(w, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
a.cookieAuth.SetTokenCookie(w, tokenInfo)
|
|
|
|
|
|
|
|
err = json.NewEncoder(w).Encode(tokenInfo.ExpiresAt)
|
|
|
|
if err != nil {
|
|
|
|
a.log.Error("could not encode refreshed session expiration date", zap.Error(ErrAuthAPI.Wrap(err)))
|
|
|
|
return
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-10-21 13:48:29 +01:00
|
|
|
// serveJSONError writes JSON error to response output stream.
|
2019-11-12 11:53:00 +00:00
|
|
|
func (a *Auth) serveJSONError(w http.ResponseWriter, err error) {
|
2021-06-28 18:34:33 +01:00
|
|
|
status := a.getStatusCode(err)
|
2022-11-21 18:58:42 +00:00
|
|
|
web.ServeCustomJSONError(a.log, w, status, err, a.getUserErrorMessage(err))
|
2019-10-21 13:48:29 +01:00
|
|
|
}
|
2019-11-12 11:53:00 +00:00
|
|
|
|
|
|
|
// getStatusCode returns http.StatusCode depends on console error class.
|
|
|
|
func (a *Auth) getStatusCode(err error) int {
|
|
|
|
switch {
|
2022-12-15 12:52:28 +00:00
|
|
|
case console.ErrValidation.Has(err), console.ErrCaptcha.Has(err), console.ErrMFAMissing.Has(err), console.ErrMFAPasscode.Has(err), console.ErrMFARecoveryCode.Has(err), console.ErrChangePassword.Has(err):
|
2019-11-12 11:53:00 +00:00
|
|
|
return http.StatusBadRequest
|
2022-11-30 04:54:07 +00:00
|
|
|
case console.ErrUnauthorized.Has(err), console.ErrTokenExpiration.Has(err), console.ErrRecoveryToken.Has(err), console.ErrLoginCredentials.Has(err):
|
2019-11-12 11:53:00 +00:00
|
|
|
return http.StatusUnauthorized
|
2021-08-16 22:23:06 +01:00
|
|
|
case console.ErrEmailUsed.Has(err), console.ErrMFAConflict.Has(err):
|
2020-03-26 15:35:14 +00:00
|
|
|
return http.StatusConflict
|
2020-10-21 11:52:24 +01:00
|
|
|
case errors.Is(err, errNotImplemented):
|
|
|
|
return http.StatusNotImplemented
|
2019-11-12 11:53:00 +00:00
|
|
|
default:
|
|
|
|
return http.StatusInternalServerError
|
|
|
|
}
|
|
|
|
}
|
2021-07-15 22:06:23 +01:00
|
|
|
|
|
|
|
// getUserErrorMessage returns a user-friendly representation of the error.
|
|
|
|
func (a *Auth) getUserErrorMessage(err error) string {
|
|
|
|
switch {
|
2022-05-06 21:56:18 +01:00
|
|
|
case console.ErrCaptcha.Has(err):
|
|
|
|
return "Validation of captcha was unsuccessful"
|
2021-07-15 22:06:23 +01:00
|
|
|
case console.ErrRegToken.Has(err):
|
|
|
|
return "We are unable to create your account. This is an invite-only alpha, please join our waitlist to receive an invitation"
|
|
|
|
case console.ErrEmailUsed.Has(err):
|
|
|
|
return "This email is already in use; try another"
|
2021-07-23 21:53:19 +01:00
|
|
|
case console.ErrRecoveryToken.Has(err):
|
|
|
|
if console.ErrTokenExpiration.Has(err) {
|
|
|
|
return "The recovery token has expired"
|
|
|
|
}
|
|
|
|
return "The recovery token is invalid"
|
2021-08-16 22:23:06 +01:00
|
|
|
case console.ErrMFAMissing.Has(err):
|
|
|
|
return "A MFA passcode or recovery code is required"
|
|
|
|
case console.ErrMFAConflict.Has(err):
|
|
|
|
return "Expected either passcode or recovery code, but got both"
|
|
|
|
case console.ErrMFAPasscode.Has(err):
|
2022-12-15 12:52:28 +00:00
|
|
|
return "The MFA passcode is not valid or has expired"
|
2021-08-16 22:23:06 +01:00
|
|
|
case console.ErrMFARecoveryCode.Has(err):
|
2022-12-15 12:52:28 +00:00
|
|
|
return "The MFA recovery code is not valid or has been previously used"
|
2021-11-18 18:55:37 +00:00
|
|
|
case console.ErrLoginCredentials.Has(err):
|
|
|
|
return "Your login credentials are incorrect, please try again"
|
2022-12-15 12:52:28 +00:00
|
|
|
case console.ErrValidation.Has(err), console.ErrChangePassword.Has(err):
|
2022-08-01 12:43:23 +01:00
|
|
|
return err.Error()
|
2021-07-15 22:06:23 +01:00
|
|
|
case errors.Is(err, errNotImplemented):
|
|
|
|
return "The server is incapable of fulfilling the request"
|
|
|
|
default:
|
|
|
|
return "There was an error processing your request"
|
|
|
|
}
|
|
|
|
}
|