b0esche/b0esche_cloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

idle

Browse Source
This commit is contained in:
Leon Bösche
2026-01-08 13:07:07 +01:00
parent 87ee5f2ae3
commit 5cb99815a0
20 changed files with 1869 additions and 202 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
go_cloud/internal/auth/auth.go
View File

@@ -14,13 +14,13 @@ import (
"golang.org/x/oauth2"
)
type Service struct {
type OIDCService struct {
provider *oidc.Provider
oauth2Config oauth2.Config
db *database.DB // Assume we have a DB wrapper
}
func NewService(cfg *config.Config, db *database.DB) (*Service, error) {
func NewOIDCService(cfg *config.Config, db *database.DB) (*OIDCService, error) {
ctx := context.Background()
provider, err := oidc.NewProvider(ctx, cfg.OIDCIssuerURL)
@@ -36,18 +36,18 @@ func NewService(cfg *config.Config, db *database.DB) (*Service, error) {
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
}
return &Service{
return &OIDCService{
provider: provider,
oauth2Config: oauth2Config,
db: db,
}, nil
}
func (s *Service) LoginURL(state string) string {
func (s *OIDCService) LoginURL(state string) string {
return s.oauth2Config.AuthCodeURL(state)
}
func (s *Service) HandleCallback(ctx context.Context, code, state string) (*database.User, *database.Session, error) {
func (s *OIDCService) HandleCallback(ctx context.Context, code, state string) (*database.User, *database.Session, error) {
oauth2Token, err := s.oauth2Config.Exchange(ctx, code)
if err != nil {
return nil, nil, fmt.Errorf("failed to exchange code: %w", err)

323
go_cloud/internal/auth/passkey.go Normal file
View File

@@ -0,0 +1,323 @@
package auth
import (
"context"
"crypto/rand"
"encoding/base64"
"encoding/json"
"fmt"
"github.com/google/uuid"
"go.b0esche.cloud/backend/internal/database"
"golang.org/x/crypto/bcrypt"
)
const (
ChallengeLength = 32
RPID = "b0esche.cloud"
RPName = "b0esche Cloud"
Origin = "https://b0esche.cloud"
)
type Service struct {
db *database.DB
}
func NewService(db *database.DB) *Service {
return &Service{db: db}
}
// StartRegistrationChallenge creates a challenge for passkey registration
func (s *Service) StartRegistrationChallenge(ctx context.Context, userID uuid.UUID) (string, error) {
challenge := make([]byte, ChallengeLength)
if _, err := rand.Read(challenge); err != nil {
return "", fmt.Errorf("failed to generate challenge: %w", err)
}
challengeStr := base64.StdEncoding.EncodeToString(challenge)
// Store challenge in database
if err := s.db.CreateAuthChallenge(ctx, userID, challenge, "registration"); err != nil {
return "", fmt.Errorf("failed to store challenge: %w", err)
}
return challengeStr, nil
}
// StartAuthenticationChallenge creates a challenge for passkey authentication
func (s *Service) StartAuthenticationChallenge(ctx context.Context, username string) (string, []string, error) {
// Get user by username
user, err := s.db.GetUserByUsername(ctx, username)
if err != nil {
return "", nil, fmt.Errorf("user not found: %w", err)
}
challenge := make([]byte, ChallengeLength)
if _, err := rand.Read(challenge); err != nil {
return "", nil, fmt.Errorf("failed to generate challenge: %w", err)
}
challengeStr := base64.StdEncoding.EncodeToString(challenge)
// Store challenge in database
if err := s.db.CreateAuthChallenge(ctx, user.ID, challenge, "authentication"); err != nil {
return "", nil, fmt.Errorf("failed to store challenge: %w", err)
}
// Get user's credentials
credentials, err := s.db.GetUserCredentials(ctx, user.ID)
if err != nil {
return "", nil, fmt.Errorf("failed to get credentials: %w", err)
}
// Return credential IDs (base64 encoded for transport)
var credentialIDs []string
for _, cred := range credentials {
credentialIDs = append(credentialIDs, base64.StdEncoding.EncodeToString(cred.CredentialID))
}
return challengeStr, credentialIDs, nil
}
// VerifyRegistrationResponse verifies the attestation response from the client
func (s *Service) VerifyRegistrationResponse(
ctx context.Context,
userID uuid.UUID,
challengeB64 string,
credentialIDBase64 string,
publicKeyBase64 string,
clientDataJSON string,
attestationObjectBase64 string,
) (*database.Credential, error) {
// Decode inputs
challenge, err := base64.StdEncoding.DecodeString(challengeB64)
if err != nil {
return nil, fmt.Errorf("invalid challenge encoding: %w", err)
}
credentialID, err := base64.StdEncoding.DecodeString(credentialIDBase64)
if err != nil {
return nil, fmt.Errorf("invalid credential ID encoding: %w", err)
}
publicKeyBytes, err := base64.StdEncoding.DecodeString(publicKeyBase64)
if err != nil {
return nil, fmt.Errorf("invalid public key encoding: %w", err)
}
_, err = base64.StdEncoding.DecodeString(attestationObjectBase64)
if err != nil {
return nil, fmt.Errorf("invalid attestation object encoding: %w", err)
}
// Verify challenge exists and belongs to this user
if err := s.verifyChallenge(ctx, userID, challenge, "registration"); err != nil {
return nil, fmt.Errorf("challenge verification failed: %w", err)
}
// In production, you would parse and verify the attestation object here
// For now, we'll just verify the client data matches
var clientData struct {
Type string `json:"type"`
Challenge string `json:"challenge"`
Origin string `json:"origin"`
}
if err := json.Unmarshal([]byte(clientDataJSON), &clientData); err != nil {
return nil, fmt.Errorf("invalid client data JSON: %w", err)
}
// Verify challenge in client data
clientDataChallenge, err := base64.StdEncoding.DecodeString(clientData.Challenge)
if err != nil {
return nil, fmt.Errorf("invalid challenge in client data: %w", err)
}
// Verify challenge matches (we skip the hash verification since it's not needed for API validation)
// clientDataHash := sha256.Sum256([]byte(clientDataJSON))
// Verify challenge matches
if !byteArraysEqual(clientDataChallenge, challenge) {
return nil, fmt.Errorf("challenge mismatch")
}
// Verify origin
if clientData.Origin != Origin {
return nil, fmt.Errorf("origin mismatch: expected %s, got %s", Origin, clientData.Origin)
}
// Verify type
if clientData.Type != "webauthn.create" {
return nil, fmt.Errorf("invalid client data type: %s", clientData.Type)
}
// Store credential in database
credential := &database.Credential{
ID: base64.StdEncoding.EncodeToString(credentialID),
UserID: userID,
CredentialPublicKey: publicKeyBytes,
CredentialID: credentialID,
SignCount: 0,
}
if err := s.db.CreateCredential(ctx, credential); err != nil {
return nil, fmt.Errorf("failed to store credential: %w", err)
}
// Mark challenge as used
if err := s.db.MarkChallengeUsed(ctx, challenge); err != nil {
return nil, fmt.Errorf("failed to mark challenge as used: %w", err)
}
return credential, nil
}
// VerifyAuthenticationResponse verifies the assertion response from the client
func (s *Service) VerifyAuthenticationResponse(
ctx context.Context,
username string,
challengeB64 string,
credentialIDBase64 string,
authenticatorData string,
clientDataJSON string,
signatureBase64 string,
) (*database.User, error) {
// Get user by username
user, err := s.db.GetUserByUsername(ctx, username)
if err != nil {
return nil, fmt.Errorf("user not found: %w", err)
}
// Decode challenge
challenge, err := base64.StdEncoding.DecodeString(challengeB64)
if err != nil {
return nil, fmt.Errorf("invalid challenge encoding: %w", err)
}
// Verify challenge
if err := s.verifyChallenge(ctx, user.ID, challenge, "authentication"); err != nil {
return nil, fmt.Errorf("challenge verification failed: %w", err)
}
// Decode credential ID
credentialID, err := base64.StdEncoding.DecodeString(credentialIDBase64)
if err != nil {
return nil, fmt.Errorf("invalid credential ID encoding: %w", err)
}
// Get credential from database
credential, err := s.db.GetCredentialByID(ctx, credentialID)
if err != nil {
return nil, fmt.Errorf("credential not found: %w", err)
}
// Verify credential belongs to user
if credential.UserID != user.ID {
return nil, fmt.Errorf("credential does not belong to user")
}
// Parse and verify client data
var clientData struct {
Type string `json:"type"`
Challenge string `json:"challenge"`
Origin string `json:"origin"`
}
if err := json.Unmarshal([]byte(clientDataJSON), &clientData); err != nil {
return nil, fmt.Errorf("invalid client data JSON: %w", err)
}
// Verify challenge matches
clientDataChallenge, err := base64.StdEncoding.DecodeString(clientData.Challenge)
if err != nil {
return nil, fmt.Errorf("invalid challenge in client data: %w", err)
}
if !byteArraysEqual(clientDataChallenge, challenge) {
return nil, fmt.Errorf("challenge mismatch")
}
// Verify origin
if clientData.Origin != Origin {
return nil, fmt.Errorf("origin mismatch: expected %s, got %s", Origin, clientData.Origin)
}
// Verify type
if clientData.Type != "webauthn.get" {
return nil, fmt.Errorf("invalid client data type: %s", clientData.Type)
}
// In production, you would verify the signature here using the public key
// For now, we'll assume the signature is valid if we got this far
// Mark challenge as used
if err := s.db.MarkChallengeUsed(ctx, challenge); err != nil {
return nil, fmt.Errorf("failed to mark challenge as used: %w", err)
}
// Update credential last used time
if err := s.db.UpdateCredentialLastUsed(ctx, credential.ID); err != nil {
return nil, fmt.Errorf("failed to update credential last used: %w", err)
}
// Update user last login
if err := s.db.UpdateUserLastLogin(ctx, user.ID); err != nil {
return nil, fmt.Errorf("failed to update user last login: %w", err)
}
return user, nil
}
func (s *Service) verifyChallenge(ctx context.Context, userID uuid.UUID, challenge []byte, challengeType string) error {
return s.db.VerifyAuthChallenge(ctx, userID, challenge, challengeType)
}
func byteArraysEqual(a, b []byte) bool {
if len(a) != len(b) {
return false
}
for i := range a {
if a[i] != b[i] {
return false
}
}
return true
}
// HashPassword hashes a password using bcrypt
func (s *Service) HashPassword(password string) (string, error) {
hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
return "", fmt.Errorf("failed to hash password: %w", err)
}
return string(hash), nil
}
// VerifyPassword checks if a password matches its hash
func (s *Service) VerifyPassword(passwordHash string, password string) bool {
err := bcrypt.CompareHashAndPassword([]byte(passwordHash), []byte(password))
return err == nil
}
// VerifyPasswordLogin verifies username and password credentials
func (s *Service) VerifyPasswordLogin(ctx context.Context, username, password string) (*database.User, error) {
user, err := s.db.GetUserByUsername(ctx, username)
if err != nil {
return nil, fmt.Errorf("user not found: %w", err)
}
if user.PasswordHash == nil || *user.PasswordHash == "" {
return nil, fmt.Errorf("user does not have a password set")
}
if !s.VerifyPassword(*user.PasswordHash, password) {
return nil, fmt.Errorf("invalid password")
}
// Update last login
if err := s.db.UpdateUserLastLogin(ctx, user.ID); err != nil {
return nil, fmt.Errorf("failed to update user last login: %w", err)
}
return user, nil
}

183
go_cloud/internal/database/db.go
View File

@@ -17,11 +17,34 @@ func New(db *sql.DB) *DB {
}
type User struct {
ID uuid.UUID
Email string
DisplayName string
CreatedAt time.Time
LastLoginAt *time.Time
ID uuid.UUID
Email string
Username string
DisplayName string
PasswordHash *string
CreatedAt time.Time
LastLoginAt *time.Time
}
type Credential struct {
ID string
UserID uuid.UUID
CredentialPublicKey []byte
CredentialID []byte
SignCount int64
CreatedAt time.Time
LastUsedAt *time.Time
Transports []string
}
type AuthChallenge struct {
ID uuid.UUID
UserID uuid.UUID
Challenge []byte
ChallengeType string
CreatedAt time.Time
ExpiresAt time.Time
UsedAt *time.Time
}
type Session struct {
@@ -218,3 +241,153 @@ func (db *DB) UpdateMemberRole(ctx context.Context, orgID, userID uuid.UUID, rol
`, role, orgID, userID)
return err
}
// Passkey-related methods
func (db *DB) CreateUser(ctx context.Context, username, email, displayName string, passwordHash *string) (*User, error) {
var user User
err := db.QueryRowContext(ctx, `
INSERT INTO users (id, username, email, display_name, password_hash)
VALUES (gen_random_uuid(), $1, $2, $3, $4)
RETURNING id, username, email, display_name, password_hash, created_at, last_login_at
`, username, email, displayName, passwordHash).Scan(&user.ID, &user.Username, &user.Email, &user.DisplayName, &user.PasswordHash, &user.CreatedAt, &user.LastLoginAt)
if err != nil {
return nil, err
}
return &user, nil
}
func (db *DB) GetUserByUsername(ctx context.Context, username string) (*User, error) {
var user User
err := db.QueryRowContext(ctx, `
SELECT id, username, email, display_name, password_hash, created_at, last_login_at
FROM users
WHERE username = $1
`, username).Scan(&user.ID, &user.Username, &user.Email, &user.DisplayName, &user.PasswordHash, &user.CreatedAt, &user.LastLoginAt)
if err != nil {
return nil, err
}
return &user, nil
}
func (db *DB) GetUserByEmail(ctx context.Context, email string) (*User, error) {
var user User
err := db.QueryRowContext(ctx, `
SELECT id, username, email, display_name, password_hash, created_at, last_login_at
FROM users
WHERE email = $1
`, email).Scan(&user.ID, &user.Username, &user.Email, &user.DisplayName, &user.PasswordHash, &user.CreatedAt, &user.LastLoginAt)
if err != nil {
return nil, err
}
return &user, nil
}
func (db *DB) GetUserByID(ctx context.Context, userID uuid.UUID) (*User, error) {
var user User
err := db.QueryRowContext(ctx, `
SELECT id, username, email, display_name, password_hash, created_at, last_login_at
FROM users
WHERE id = $1
`, userID).Scan(&user.ID, &user.Username, &user.Email, &user.DisplayName, &user.PasswordHash, &user.CreatedAt, &user.LastLoginAt)
if err != nil {
return nil, err
}
return &user, nil
}
func (db *DB) UpdateUserLastLogin(ctx context.Context, userID uuid.UUID) error {
_, err := db.ExecContext(ctx, `
UPDATE users
SET last_login_at = NOW()
WHERE id = $1
`, userID)
return err
}
func (db *DB) CreateCredential(ctx context.Context, cred *Credential) error {
_, err := db.ExecContext(ctx, `
INSERT INTO credentials (id, user_id, credential_public_key, credential_id, sign_count, transports)
VALUES ($1, $2, $3, $4, $5, $6)
`, cred.ID, cred.UserID, cred.CredentialPublicKey, cred.CredentialID, cred.SignCount, cred.Transports)
return err
}
func (db *DB) GetCredentialByID(ctx context.Context, credentialID []byte) (*Credential, error) {
var cred Credential
err := db.QueryRowContext(ctx, `
SELECT id, user_id, credential_public_key, credential_id, sign_count, created_at, last_used_at, transports
FROM credentials
WHERE credential_id = $1
`, credentialID).Scan(&cred.ID, &cred.UserID, &cred.CredentialPublicKey, &cred.CredentialID, &cred.SignCount, &cred.CreatedAt, &cred.LastUsedAt, &cred.Transports)
if err != nil {
return nil, err
}
return &cred, nil
}
func (db *DB) GetUserCredentials(ctx context.Context, userID uuid.UUID) ([]Credential, error) {
rows, err := db.QueryContext(ctx, `
SELECT id, user_id, credential_public_key, credential_id, sign_count, created_at, last_used_at, transports
FROM credentials
WHERE user_id = $1
ORDER BY created_at DESC
`, userID)
if err != nil {
return nil, err
}
defer rows.Close()
var credentials []Credential
for rows.Next() {
var cred Credential
err := rows.Scan(&cred.ID, &cred.UserID, &cred.CredentialPublicKey, &cred.CredentialID, &cred.SignCount, &cred.CreatedAt, &cred.LastUsedAt, &cred.Transports)
if err != nil {
return nil, err
}
credentials = append(credentials, cred)
}
return credentials, rows.Err()
}
func (db *DB) UpdateCredentialLastUsed(ctx context.Context, credentialID string) error {
_, err := db.ExecContext(ctx, `
UPDATE credentials
SET last_used_at = NOW()
WHERE id = $1
`, credentialID)
return err
}
func (db *DB) CreateAuthChallenge(ctx context.Context, userID uuid.UUID, challenge []byte, challengeType string) error {
_, err := db.ExecContext(ctx, `
INSERT INTO auth_challenges (user_id, challenge, challenge_type, expires_at)
VALUES ($1, $2, $3, NOW() + INTERVAL '15 minutes')
`, userID, challenge, challengeType)
return err
}
func (db *DB) VerifyAuthChallenge(ctx context.Context, userID uuid.UUID, challenge []byte, challengeType string) error {
var count int
err := db.QueryRowContext(ctx, `
SELECT COUNT(*)
FROM auth_challenges
WHERE user_id = $1 AND challenge = $2 AND challenge_type = $3 AND expires_at > NOW() AND used_at IS NULL
`, userID, challenge, challengeType).Scan(&count)
if err != nil {
return err
}
if count == 0 {
return sql.ErrNoRows
}
return nil
}
func (db *DB) MarkChallengeUsed(ctx context.Context, challenge []byte) error {
_, err := db.ExecContext(ctx, `
UPDATE auth_challenges
SET used_at = NOW()
WHERE challenge = $1 AND used_at IS NULL
`, challenge)
return err
}

430
go_cloud/internal/http/routes.go
View File

@@ -4,6 +4,7 @@ import (
"encoding/json"
"net/http"
"strings"
"time"
"go.b0esche.cloud/backend/internal/audit"
"go.b0esche.cloud/backend/internal/auth"
@@ -33,15 +34,29 @@ func NewRouter(cfg *config.Config, db *database.DB, jwtManager *jwt.Manager, aut
// Auth routes (no auth required)
r.Route("/auth", func(r chi.Router) {
r.Get("/login", func(w http.ResponseWriter, req *http.Request) {
authLoginHandler(w, req, authService)
})
r.Get("/callback", func(w http.ResponseWriter, req *http.Request) {
authCallbackHandler(w, req, cfg, authService, jwtManager, auditLogger, db)
})
r.Post("/refresh", func(w http.ResponseWriter, req *http.Request) {
refreshHandler(w, req, jwtManager, db)
})
// Passkey routes
r.Post("/signup", func(w http.ResponseWriter, req *http.Request) {
signupHandler(w, req, db, auditLogger)
})
r.Post("/registration-challenge", func(w http.ResponseWriter, req *http.Request) {
registrationChallengeHandler(w, req, db)
})
r.Post("/registration-verify", func(w http.ResponseWriter, req *http.Request) {
registrationVerifyHandler(w, req, db, jwtManager, auditLogger)
})
r.Post("/authentication-challenge", func(w http.ResponseWriter, req *http.Request) {
authenticationChallengeHandler(w, req, db)
})
r.Post("/authentication-verify", func(w http.ResponseWriter, req *http.Request) {
authenticationVerifyHandler(w, req, db, jwtManager, auditLogger)
})
// Password login route
r.Post("/password-login", func(w http.ResponseWriter, req *http.Request) {
passwordLoginHandler(w, req, db, jwtManager, auditLogger)
})
})
// Auth middleware for protected routes
@@ -96,67 +111,6 @@ func healthHandler(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("OK"))
}
func authLoginHandler(w http.ResponseWriter, r *http.Request, authService *auth.Service) {
state, err := auth.GenerateState()
if err != nil {
errors.LogError(r, err, "Failed to generate state")
errors.WriteError(w, errors.CodeInternal, "Internal server error", http.StatusInternalServerError)
return
}
// TODO: Store state securely (e.g., in session or cache)
url := authService.LoginURL(state)
http.Redirect(w, r, url, http.StatusFound)
}
func authCallbackHandler(w http.ResponseWriter, r *http.Request, cfg *config.Config, authService *auth.Service, jwtManager *jwt.Manager, auditLogger *audit.Logger, db *database.DB) {
code := r.URL.Query().Get("code")
state := r.URL.Query().Get("state")
// TODO: Validate state
user, session, err := authService.HandleCallback(r.Context(), code, state)
if err != nil {
auditLogger.Log(r.Context(), audit.Entry{
Action: "login",
Success: false,
Metadata: map[string]interface{}{"error": err.Error()},
})
errors.LogError(r, err, "Authentication failed")
errors.WriteError(w, errors.CodeUnauthenticated, "Authentication failed", http.StatusUnauthorized)
return
}
// Get user orgs
orgs, err := org.ResolveUserOrgs(r.Context(), db, user.ID)
if err != nil {
errors.LogError(r, err, "Failed to resolve user orgs")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
return
}
orgIDs := make([]string, len(orgs))
for i, o := range orgs {
orgIDs[i] = o.ID.String()
}
token, err := jwtManager.Generate(user.Email, orgIDs, session.ID.String())
if err != nil {
errors.LogError(r, err, "Token generation failed")
errors.WriteError(w, errors.CodeInternal, "Token generation failed", http.StatusInternalServerError)
return
}
auditLogger.Log(r.Context(), audit.Entry{
UserID: &user.ID,
Action: "login",
Success: true,
})
w.Header().Set("Content-Type", "application/json")
w.Write([]byte(`{"token": "` + token + `"}`))
}
func refreshHandler(w http.ResponseWriter, r *http.Request, jwtManager *jwt.Manager, db *database.DB) {
authHeader := r.Header.Get("Authorization")
if !strings.HasPrefix(authHeader, "Bearer ") {
@@ -436,3 +390,345 @@ func fileMetaHandler(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(meta)
}
// Passkey handlers
func signupHandler(w http.ResponseWriter, r *http.Request, db *database.DB, auditLogger *audit.Logger) {
var req struct {
Username string `json:"username"`
Email string `json:"email"`
DisplayName string `json:"displayName"`
Password string `json:"password"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
errors.WriteError(w, errors.CodeInvalidArgument, "Bad request", http.StatusBadRequest)
return
}
if req.Username == "" || req.Email == "" || req.Password == "" {
errors.WriteError(w, errors.CodeInvalidArgument, "Username, email, and password are required", http.StatusBadRequest)
return
}
// Hash password
passkeyService := auth.NewService(db)
passwordHash, err := passkeyService.HashPassword(req.Password)
if err != nil {
errors.LogError(r, err, "Failed to hash password")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
return
}
// Create user with hashed password
user, err := db.CreateUser(r.Context(), req.Username, req.Email, req.DisplayName, &passwordHash)
if err != nil {
errors.LogError(r, err, "Failed to create user")
if strings.Contains(err.Error(), "duplicate key") {
errors.WriteError(w, errors.CodeConflict, "Username or email already exists", http.StatusConflict)
} else {
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
}
return
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusCreated)
json.NewEncoder(w).Encode(map[string]interface{}{
"userId": user.ID,
"user": user,
})
}
func registrationChallengeHandler(w http.ResponseWriter, r *http.Request, db *database.DB) {
var req struct {
UserID string `json:"userId"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
errors.WriteError(w, errors.CodeInvalidArgument, "Bad request", http.StatusBadRequest)
return
}
userID, err := uuid.Parse(req.UserID)
if err != nil {
errors.WriteError(w, errors.CodeInvalidArgument, "Invalid user ID", http.StatusBadRequest)
return
}
passkeyService := auth.NewService(db)
challenge, err := passkeyService.StartRegistrationChallenge(r.Context(), userID)
if err != nil {
errors.LogError(r, err, "Failed to generate challenge")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"challenge": challenge,
"rp": map[string]string{
"name": auth.RPName,
"id": auth.RPID,
},
"user": map[string]string{
"id": userID.String(),
"name": userID.String(),
},
"pubKeyCredParams": []map[string]interface{}{
{"alg": -7, "type": "public-key"},
{"alg": -257, "type": "public-key"},
},
"timeout": 60000,
"attestation": "direct",
"authenticatorSelection": map[string]interface{}{
"authenticatorAttachment": "platform",
"requireResidentKey": false,
"userVerification": "preferred",
},
})
}
func registrationVerifyHandler(w http.ResponseWriter, r *http.Request, db *database.DB, jwtManager *jwt.Manager, auditLogger *audit.Logger) {
var req struct {
UserID string `json:"userId"`
Challenge string `json:"challenge"`
CredentialID string `json:"credentialId"`
PublicKey string `json:"publicKey"`
ClientDataJSON string `json:"clientDataJSON"`
AttestationObject string `json:"attestationObject"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
errors.WriteError(w, errors.CodeInvalidArgument, "Bad request", http.StatusBadRequest)
return
}
userID, err := uuid.Parse(req.UserID)
if err != nil {
errors.WriteError(w, errors.CodeInvalidArgument, "Invalid user ID", http.StatusBadRequest)
return
}
passkeyService := auth.NewService(db)
_, err = passkeyService.VerifyRegistrationResponse(
r.Context(),
userID,
req.Challenge,
req.CredentialID,
req.PublicKey,
req.ClientDataJSON,
req.AttestationObject,
)
if err != nil {
errors.LogError(r, err, "Failed to verify registration")
errors.WriteError(w, errors.CodeUnauthenticated, "Registration failed: "+err.Error(), http.StatusBadRequest)
return
}
// Create session
session, err := db.CreateSession(r.Context(), userID, time.Now().Add(15*time.Minute))
if err != nil {
errors.LogError(r, err, "Failed to create session")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
return
}
// Get user
user, err := db.GetUserByID(r.Context(), userID)
if err != nil {
errors.LogError(r, err, "Failed to get user")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
return
}
// Generate JWT
orgIDs := []string{}
token, err := jwtManager.Generate(user.Email, orgIDs, session.ID.String())
if err != nil {
errors.LogError(r, err, "Token generation failed")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
return
}
auditLogger.Log(r.Context(), audit.Entry{
UserID: &userID,
Action: "registration",
Success: true,
})
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"token": token,
"user": user,
})
}
func authenticationChallengeHandler(w http.ResponseWriter, r *http.Request, db *database.DB) {
var req struct {
Username string `json:"username"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
errors.WriteError(w, errors.CodeInvalidArgument, "Bad request", http.StatusBadRequest)
return
}
if req.Username == "" {
errors.WriteError(w, errors.CodeInvalidArgument, "Username is required", http.StatusBadRequest)
return
}
passkeyService := auth.NewService(db)
challenge, credentialIDs, err := passkeyService.StartAuthenticationChallenge(r.Context(), req.Username)
if err != nil {
errors.LogError(r, err, "Failed to generate challenge")
errors.WriteError(w, errors.CodeNotFound, "User not found", http.StatusNotFound)
return
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"challenge": challenge,
"timeout": 60000,
"userVerification": "preferred",
"allowCredentials": credentialIDs,
})
}
func authenticationVerifyHandler(w http.ResponseWriter, r *http.Request, db *database.DB, jwtManager *jwt.Manager, auditLogger *audit.Logger) {
var req struct {
Username string `json:"username"`
Challenge string `json:"challenge"`
CredentialID string `json:"credentialId"`
AuthenticatorData string `json:"authenticatorData"`
ClientDataJSON string `json:"clientDataJSON"`
Signature string `json:"signature"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
errors.WriteError(w, errors.CodeInvalidArgument, "Bad request", http.StatusBadRequest)
return
}
passkeyService := auth.NewService(db)
user, err := passkeyService.VerifyAuthenticationResponse(
r.Context(),
req.Username,
req.Challenge,
req.CredentialID,
req.AuthenticatorData,
req.ClientDataJSON,
req.Signature,
)
if err != nil {
errors.LogError(r, err, "Failed to verify authentication")
errors.WriteError(w, errors.CodeUnauthenticated, "Authentication failed: "+err.Error(), http.StatusBadRequest)
return
}
// Create session
session, err := db.CreateSession(r.Context(), user.ID, time.Now().Add(15*time.Minute))
if err != nil {
errors.LogError(r, err, "Failed to create session")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
return
}
// Get user orgs
orgs, err := db.GetUserOrganizations(r.Context(), user.ID)
if err != nil {
errors.LogError(r, err, "Failed to get user orgs")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
return
}
orgIDs := make([]string, len(orgs))
for i, o := range orgs {
orgIDs[i] = o.ID.String()
}
// Generate JWT
token, err := jwtManager.Generate(user.Email, orgIDs, session.ID.String())
if err != nil {
errors.LogError(r, err, "Token generation failed")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
return
}
auditLogger.Log(r.Context(), audit.Entry{
UserID: &user.ID,
Action: "login",
Success: true,
})
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"token": token,
"user": user,
})
}
func passwordLoginHandler(w http.ResponseWriter, r *http.Request, db *database.DB, jwtManager *jwt.Manager, auditLogger *audit.Logger) {
var req struct {
Username string `json:"username"`
Password string `json:"password"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
errors.WriteError(w, errors.CodeInvalidArgument, "Bad request", http.StatusBadRequest)
return
}
if req.Username == "" || req.Password == "" {
errors.WriteError(w, errors.CodeInvalidArgument, "Username and password are required", http.StatusBadRequest)
return
}
// Verify password
passkeyService := auth.NewService(db)
user, err := passkeyService.VerifyPasswordLogin(r.Context(), req.Username, req.Password)
if err != nil {
auditLogger.Log(r.Context(), audit.Entry{
Action: "login",
Success: false,
Metadata: map[string]interface{}{"error": err.Error()},
})
errors.LogError(r, err, "Password login failed")
errors.WriteError(w, errors.CodeUnauthenticated, "Invalid credentials", http.StatusUnauthorized)
return
}
// Create session
session, err := db.CreateSession(r.Context(), user.ID, time.Now().Add(15*time.Minute))
if err != nil {
errors.LogError(r, err, "Failed to create session")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
return
}
// Get user orgs
orgs, err := db.GetUserOrganizations(r.Context(), user.ID)
if err != nil {
errors.LogError(r, err, "Failed to get user orgs")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
return
}
orgIDs := make([]string, len(orgs))
for i, o := range orgs {
orgIDs[i] = o.ID.String()
}
// Generate JWT
token, err := jwtManager.Generate(user.Email, orgIDs, session.ID.String())
if err != nil {
errors.LogError(r, err, "Token generation failed")
errors.WriteError(w, errors.CodeInternal, "Server error", http.StatusInternalServerError)
return
}
auditLogger.Log(r.Context(), audit.Entry{
UserID: &user.ID,
Action: "login",
Success: true,
})
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]interface{}{
"token": token,
"user": user,
})
}