newsbot-api/internal/handler/v1/auth.go

package v1

import (
	"net/http"
	"strings"
	"time"

	"git.jamestombleson.com/jtom38/newsbot-api/internal/domain"
	"git.jamestombleson.com/jtom38/newsbot-api/internal/repository"

	"github.com/labstack/echo/v4"
)

const (
	ErrUserNotFound          = "requested user does not exist"
	ErrUsernameAlreadyExists = "the requested username already exists"
)

// @Summary  Creates a new user
// @Router   /v1/users/register [post]
// @Param    request  formData  domain.LoginFormRequest  true  "form"
// @Accepts  x-www-form-urlencoded
// @Produce  json
// @Tags      Users
// @Success  200  {object}  domain.BaseResponse
// @Failure   400  {object}  domain.BaseResponse
// @Failure   500  {object}  domain.BaseResponse
func (h *Handler) AuthRegister(c echo.Context) error {
	username := c.FormValue("username")
	password := c.FormValue("password")

	//username := c.QueryParam("username")
	exists, err := h.repo.Users.GetUser(c.Request().Context(), username)
	if err != nil {
		// if we have an err, validate that if its not user not found.
		// if the user is not found, we can use that name
		if err.Error() != repository.ErrUserNotFound {
			return h.WriteError(c, err, http.StatusBadRequest)
		}
	}
	if exists.Username == username {
		return h.InternalServerErrorResponse(c, ErrUsernameAlreadyExists)
	}

	//password := c.QueryParam("password")
	err = h.repo.Users.CheckPasswordForRequirements(password)
	if err != nil {
		return h.WriteError(c, err, http.StatusInternalServerError)
	}

	_, err = h.repo.Users.Create(c.Request().Context(), username, password, domain.ScopeArticleRead)
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}

	return c.JSON(http.StatusCreated, domain.BaseResponse{
		Message: "OK",
	})
}

// @Summary  Logs into the API and returns a bearer token if successful
// @Router   /v1/users/login [post]
// @Param    request  formData  domain.LoginFormRequest  true  "form"
// @Accepts  x-www-form-urlencoded
// @Produce  json
// @Tags     Users
// @Success   200  {object}  domain.LoginResponse
// @Failure  400  {object}  domain.BaseResponse
// @Failure  500  {object}  domain.BaseResponse
func (h *Handler) AuthLogin(c echo.Context) error {
	username := c.FormValue("username")
	password := c.FormValue("password")

	// Check to see if they are trying to login with the admin token
	if username == "" {
		return h.createAdminToken(c, password)
	}

	// check if the user exists
	user, err := h.repo.Users.GetUser(c.Request().Context(), username)
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}

	// make sure the hash matches
	err = h.repo.Users.DoesPasswordMatchHash(c.Request().Context(), username, password)
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}

	// TODO think about moving this down some?
	expiresAt := time.Now().Add(time.Hour * 48)
	userScopes := strings.Split(user.Scopes, ",")

	jwt, err := h.generateJwtWithExp(username, h.config.ServerAddress, userScopes, user.ID, expiresAt)
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}

	refresh, err := h.repo.RefreshTokens.Create(c.Request().Context(), username)
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}

	return c.JSON(http.StatusOK, domain.LoginResponse{
		BaseResponse: domain.BaseResponse{
			Message: "OK",
		},
		Token:        jwt,
		Type:         "Bearer",
		RefreshToken: refresh,
	})
}

func (h *Handler) createAdminToken(c echo.Context, password string) error {
	// if the admin token is blank, then the admin wanted this disabled.
	// this will fail right away and not progress.
	if h.config.AdminSecret == "" {
		return h.InternalServerErrorResponse(c, ErrUserNotFound)
	}

	if h.config.AdminSecret != password {
		return h.UnauthorizedResponse(c, ErrUserNotFound)
	}
	var userScopes []string
	userScopes = append(userScopes, domain.ScopeAll)

	token, err := h.generateJwt("admin", h.config.ServerAddress, userScopes, -1)
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}

	return c.JSON(http.StatusOK, domain.LoginResponse{
		BaseResponse: domain.BaseResponse{
			Message: "OK",
		},
		Token: token,
		Type:  "Bearer",
	})
}

// This will take collect some information about the requested refresh, validate and then return a new jwt token if approved.
// Register
// @Summary   Generates a new token
// @Router    /v1/users/refreshToken [post]
// @Param     request  body  domain.RefreshTokenRequest  true  "body"
// @Tags     Users
// @Success  200  {object}  domain.LoginResponse
// @Failure  400  {object}  domain.BaseResponse
// @Failure  500  {object}  domain.BaseResponse
// @Security  Bearer
func (h *Handler) RefreshJwtToken(c echo.Context) error {
	_, err := h.ValidateJwtToken(c, domain.ScopeDiscordWebHookCreate)
	if err != nil {
		return h.WriteError(c, err, http.StatusBadRequest)
	}

	// Check the context for the refresh token
	var request domain.RefreshTokenRequest
	err = (&echo.DefaultBinder{}).BindBody(c, &request)
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}

	err = h.repo.RefreshTokens.IsRequestValid(c.Request().Context(), request.Username, request.RefreshToken)
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}

	user, err := h.repo.Users.GetUser(c.Request().Context(), request.Username)
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}
	userScopes := strings.Split(user.Scopes, ",")

	jwt, err := h.generateJwtWithExp(request.Username, h.config.ServerAddress, userScopes, user.ID, time.Now().Add(time.Hour*48))
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}

	newRefreshToken, err := h.repo.RefreshTokens.Create(c.Request().Context(), request.Username)
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}

	return c.JSON(http.StatusOK, domain.LoginResponse{
		BaseResponse: domain.BaseResponse{
			Message: "OK",
		},
		Token:        jwt,
		Type:         "Bearer",
		RefreshToken: newRefreshToken,
	})
}

// @Summary  Adds a new scope to a user account
// @Router   /v1/users/scopes/add [post]
// @Param    request  body  domain.UpdateScopesRequest  true  "body"
// @Tags     Users
// @Accept   json
// @Produce  json
// @Success  200  {object}  domain.BaseResponse
// @Failure  400  {object}  domain.BaseResponse
// @Failure  500  {object}  domain.BaseResponse
func (h *Handler) AddScopes(c echo.Context) error {
	_, err := h.ValidateJwtToken(c, domain.ScopeAll)
	if err != nil {
		return h.WriteError(c, err, http.StatusBadRequest)
	}

	request := domain.UpdateScopesRequest{}
	err = (&echo.DefaultBinder{}).BindBody(c, &request)
	if err != nil {
		return h.WriteError(c, err, http.StatusBadRequest)
	}

	err = h.repo.Users.AddScopes(c.Request().Context(), request.Username, request.Scopes)
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}

	return c.JSON(http.StatusOK, domain.BaseResponse{
		Message: "OK",
	})
}

// @Summary  Adds a new scope to a user account
// @Router   /v1/users/scopes/remove [post]
// @Param    request  body  domain.UpdateScopesRequest  true  "body"
// @Tags     Users
// @Accept   json
// @Produce  json
// @Success  200  {object}  domain.BaseResponse
// @Failure  400  {object}  domain.BaseResponse
// @Failure  500  {object}  domain.BaseResponse
func (h *Handler) RemoveScopes(c echo.Context) error {
	token, err := h.getJwtTokenFromContext(c)
	if err != nil {
		return h.WriteError(c, err, http.StatusUnauthorized)
	}

	err = token.IsValid(domain.ScopeAll)
	if err != nil {
		return h.WriteError(c, err, http.StatusUnauthorized)
	}

	request := domain.UpdateScopesRequest{}
	err = (&echo.DefaultBinder{}).BindBody(c, &request)
	if err != nil {
		h.WriteError(c, err, http.StatusBadRequest)

	}

	err = h.repo.Users.RemoveScopes(c.Request().Context(), request.Username, request.Scopes)
	if err != nil {
		return h.InternalServerErrorResponse(c, err.Error())
	}

	return c.JSON(http.StatusOK, domain.BaseResponse{
		Message: "OK",
	})
}
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`package v1`

			`import (`
			`"net/http"`
updated error handling and refined how the jwt gets used and validated 2024-05-07 22:01:32 -07:00			`"strings"`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`"time"`

			`"git.jamestombleson.com/jtom38/newsbot-api/internal/domain"`
			`"git.jamestombleson.com/jtom38/newsbot-api/internal/repository"`

			`"github.com/labstack/echo/v4"`
			`)`

			`const (`
			`ErrUserNotFound = "requested user does not exist"`
			`ErrUsernameAlreadyExists = "the requested username already exists"`
			`)`

			`// @Summary Creates a new user`
got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`// @Router /v1/users/register [post]`
			`// @Param request formData domain.LoginFormRequest true "form"`
			`// @Accepts x-www-form-urlencoded`
			`// @Produce json`
			`// @Tags Users`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`// @Success 200 {object} domain.BaseResponse`
got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`// @Failure 400 {object} domain.BaseResponse`
			`// @Failure 500 {object} domain.BaseResponse`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`func (h *Handler) AuthRegister(c echo.Context) error {`
			`username := c.FormValue("username")`
			`password := c.FormValue("password")`

			`//username := c.QueryParam("username")`
			`exists, err := h.repo.Users.GetUser(c.Request().Context(), username)`
			`if err != nil {`
			`// if we have an err, validate that if its not user not found.`
			`// if the user is not found, we can use that name`
			`if err.Error() != repository.ErrUserNotFound {`
			`return h.WriteError(c, err, http.StatusBadRequest)`
			`}`
			`}`
			`if exists.Username == username {`
			`return h.InternalServerErrorResponse(c, ErrUsernameAlreadyExists)`
			`}`

			`//password := c.QueryParam("password")`
			`err = h.repo.Users.CheckPasswordForRequirements(password)`
			`if err != nil {`
			`return h.WriteError(c, err, http.StatusInternalServerError)`
			`}`

got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`_, err = h.repo.Users.Create(c.Request().Context(), username, password, domain.ScopeArticleRead)`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`

			`return c.JSON(http.StatusCreated, domain.BaseResponse{`
			`Message: "OK",`
			`})`
			`}`

got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`// @Summary Logs into the API and returns a bearer token if successful`
			`// @Router /v1/users/login [post]`
			`// @Param request formData domain.LoginFormRequest true "form"`
			`// @Accepts x-www-form-urlencoded`
			`// @Produce json`
			`// @Tags Users`
			`// @Success 200 {object} domain.LoginResponse`
			`// @Failure 400 {object} domain.BaseResponse`
			`// @Failure 500 {object} domain.BaseResponse`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`func (h *Handler) AuthLogin(c echo.Context) error {`
			`username := c.FormValue("username")`
			`password := c.FormValue("password")`

			`// Check to see if they are trying to login with the admin token`
			`if username == "" {`
got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`return h.createAdminToken(c, password)`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`}`

			`// check if the user exists`
got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`user, err := h.repo.Users.GetUser(c.Request().Context(), username)`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`

			`// make sure the hash matches`
			`err = h.repo.Users.DoesPasswordMatchHash(c.Request().Context(), username, password)`
			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`

			`// TODO think about moving this down some?`
			`expiresAt := time.Now().Add(time.Hour * 48)`
updated error handling and refined how the jwt gets used and validated 2024-05-07 22:01:32 -07:00			`userScopes := strings.Split(user.Scopes, ",")`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00
updated error handling and refined how the jwt gets used and validated 2024-05-07 22:01:32 -07:00			`jwt, err := h.generateJwtWithExp(username, h.config.ServerAddress, userScopes, user.ID, expiresAt)`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`

			`refresh, err := h.repo.RefreshTokens.Create(c.Request().Context(), username)`
			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`

			`return c.JSON(http.StatusOK, domain.LoginResponse{`
			`BaseResponse: domain.BaseResponse{`
			`Message: "OK",`
			`},`
			`Token: jwt,`
			`Type: "Bearer",`
			`RefreshToken: refresh,`
			`})`
			`}`

got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`func (h *Handler) createAdminToken(c echo.Context, password string) error {`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`// if the admin token is blank, then the admin wanted this disabled.`
			`// this will fail right away and not progress.`
			`if h.config.AdminSecret == "" {`
			`return h.InternalServerErrorResponse(c, ErrUserNotFound)`
			`}`

			`if h.config.AdminSecret != password {`
			`return h.UnauthorizedResponse(c, ErrUserNotFound)`
			`}`
updated error handling and refined how the jwt gets used and validated 2024-05-07 22:01:32 -07:00			`var userScopes []string`
			`userScopes = append(userScopes, domain.ScopeAll)`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00
updated error handling and refined how the jwt gets used and validated 2024-05-07 22:01:32 -07:00			`token, err := h.generateJwt("admin", h.config.ServerAddress, userScopes, -1)`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`

got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`return c.JSON(http.StatusOK, domain.LoginResponse{`
			`BaseResponse: domain.BaseResponse{`
			`Message: "OK",`
			`},`
adding userId to the jwt and updated routes to use scope requirements 2024-05-07 19:14:37 -07:00			`Token: token,`
			`Type: "Bearer",`
got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`})`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`}`

			`// This will take collect some information about the requested refresh, validate and then return a new jwt token if approved.`
got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`// Register`
			`// @Summary Generates a new token`
			`// @Router /v1/users/refreshToken [post]`
			`// @Param request body domain.RefreshTokenRequest true "body"`
			`// @Tags Users`
			`// @Success 200 {object} domain.LoginResponse`
			`// @Failure 400 {object} domain.BaseResponse`
			`// @Failure 500 {object} domain.BaseResponse`
			`// @Security Bearer`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`func (h *Handler) RefreshJwtToken(c echo.Context) error {`
updated error handling and refined how the jwt gets used and validated 2024-05-07 22:01:32 -07:00			`_, err := h.ValidateJwtToken(c, domain.ScopeDiscordWebHookCreate)`
			`if err != nil {`
			`return h.WriteError(c, err, http.StatusBadRequest)`
			`}`

Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`// Check the context for the refresh token`
			`var request domain.RefreshTokenRequest`
updated error handling and refined how the jwt gets used and validated 2024-05-07 22:01:32 -07:00			`err = (&echo.DefaultBinder{}).BindBody(c, &request)`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`

			`err = h.repo.RefreshTokens.IsRequestValid(c.Request().Context(), request.Username, request.RefreshToken)`
			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`

got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`user, err := h.repo.Users.GetUser(c.Request().Context(), request.Username)`
			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`
updated error handling and refined how the jwt gets used and validated 2024-05-07 22:01:32 -07:00			`userScopes := strings.Split(user.Scopes, ",")`
got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00
updated error handling and refined how the jwt gets used and validated 2024-05-07 22:01:32 -07:00			`jwt, err := h.generateJwtWithExp(request.Username, h.config.ServerAddress, userScopes, user.ID, time.Now().Add(time.Hour*48))`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`

			`newRefreshToken, err := h.repo.RefreshTokens.Create(c.Request().Context(), request.Username)`
			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`

			`return c.JSON(http.StatusOK, domain.LoginResponse{`
			`BaseResponse: domain.BaseResponse{`
			`Message: "OK",`
			`},`
			`Token: jwt,`
			`Type: "Bearer",`
			`RefreshToken: newRefreshToken,`
			`})`
			`}`

got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`// @Summary Adds a new scope to a user account`
			`// @Router /v1/users/scopes/add [post]`
			`// @Param request body domain.UpdateScopesRequest true "body"`
			`// @Tags Users`
			`// @Accept json`
			`// @Produce json`
			`// @Success 200 {object} domain.BaseResponse`
			`// @Failure 400 {object} domain.BaseResponse`
			`// @Failure 500 {object} domain.BaseResponse`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`func (h *Handler) AddScopes(c echo.Context) error {`
updated error handling and refined how the jwt gets used and validated 2024-05-07 22:01:32 -07:00			`_, err := h.ValidateJwtToken(c, domain.ScopeAll)`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`if err != nil {`
updated error handling and refined how the jwt gets used and validated 2024-05-07 22:01:32 -07:00			`return h.WriteError(c, err, http.StatusBadRequest)`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`}`

			`request := domain.UpdateScopesRequest{}`
			`err = (&echo.DefaultBinder{}).BindBody(c, &request)`
			`if err != nil {`
updated error handling and refined how the jwt gets used and validated 2024-05-07 22:01:32 -07:00			`return h.WriteError(c, err, http.StatusBadRequest)`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`}`

			`err = h.repo.Users.AddScopes(c.Request().Context(), request.Username, request.Scopes)`
			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`

			`return c.JSON(http.StatusOK, domain.BaseResponse{`
			`Message: "OK",`
			`})`
			`}`

got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`// @Summary Adds a new scope to a user account`
			`// @Router /v1/users/scopes/remove [post]`
			`// @Param request body domain.UpdateScopesRequest true "body"`
			`// @Tags Users`
			`// @Accept json`
			`// @Produce json`
			`// @Success 200 {object} domain.BaseResponse`
			`// @Failure 400 {object} domain.BaseResponse`
			`// @Failure 500 {object} domain.BaseResponse`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`func (h *Handler) RemoveScopes(c echo.Context) error {`
got the user routes exposed with swagger, added jwt support to swagger and also updated how the scopes are validated 2024-05-07 18:19:41 -07:00			`token, err := h.getJwtTokenFromContext(c)`
Getting the user and jwt stuff added to the api. Now to get swagger working 2024-05-05 10:02:17 -07:00			`if err != nil {`
			`return h.WriteError(c, err, http.StatusUnauthorized)`
			`}`

			`err = token.IsValid(domain.ScopeAll)`
			`if err != nil {`
			`return h.WriteError(c, err, http.StatusUnauthorized)`
			`}`

			`request := domain.UpdateScopesRequest{}`
			`err = (&echo.DefaultBinder{}).BindBody(c, &request)`
			`if err != nil {`
			`h.WriteError(c, err, http.StatusBadRequest)`

			`}`

			`err = h.repo.Users.RemoveScopes(c.Request().Context(), request.Username, request.Scopes)`
			`if err != nil {`
			`return h.InternalServerErrorResponse(c, err.Error())`
			`}`

			`return c.JSON(http.StatusOK, domain.BaseResponse{`
			`Message: "OK",`
			`})`
			`}`