jfa-go/auth.go

package main

import (
	"encoding/base64"
	"fmt"
	"os"
	"strings"
	"time"

	"github.com/dgrijalva/jwt-go"
	"github.com/gin-gonic/gin"
	"github.com/lithammer/shortuuid/v3"
)

func (app *appContext) webAuth() gin.HandlerFunc {
	return app.authenticate
}

func (app *appContext) authenticate(gc *gin.Context) {
	header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
	if header[0] != "Basic" {
		app.debug.Println("Invalid authentication header")
		respond(401, "Unauthorized", gc)
		return
	}
	auth, _ := base64.StdEncoding.DecodeString(header[1])
	creds := strings.SplitN(string(auth), ":", 2)
	token, err := jwt.Parse(creds[0], func(token *jwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			app.debug.Printf("Invalid JWT signing method %s", token.Header["alg"])
			return nil, fmt.Errorf("Unexpected signing method %v", token.Header["alg"])
		}
		return []byte(os.Getenv("JFA_SECRET")), nil
	})
	if err != nil {
		app.debug.Printf("Auth denied: %s", err)
		respond(401, "Unauthorized", gc)
		return
	}
	claims, ok := token.Claims.(jwt.MapClaims)
	var userId string
	var jfId string
	if ok && token.Valid {
		userId = claims["id"].(string)
		jfId = claims["jfid"].(string)
	} else {
		app.debug.Printf("Invalid token")
		respond(401, "Unauthorized", gc)
		return
	}
	match := false
	for _, user := range app.users {
		if user.UserID == userId {
			match = true
		}
	}
	if !match {
		app.debug.Printf("Couldn't find user ID %s", userId)
		respond(401, "Unauthorized", gc)
		return
	}
	gc.Set("jfId", jfId)
	gc.Set("userId", userId)
	app.debug.Println("Authentication successful")
	gc.Next()
}

func (app *appContext) GetToken(gc *gin.Context) {
	app.info.Println("Token requested (login attempt)")
	header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
	if header[0] != "Basic" {
		app.debug.Println("Invalid authentication header")
		respond(401, "Unauthorized", gc)
		return
	}
	auth, _ := base64.StdEncoding.DecodeString(header[1])
	creds := strings.SplitN(string(auth), ":", 2)
	match := false
	var userId string
	for _, user := range app.users {
		if user.Username == creds[0] && user.Password == creds[1] {
			match = true
			userId = user.UserID
		}
	}
	jfId := ""
	if !match {
		if !app.jellyfinLogin {
			app.info.Println("Auth failed: Invalid username and/or password")
			respond(401, "Unauthorized", gc)
			return
		}
		var status int
		var err error
		var user map[string]interface{}
		user, status, err = app.authJf.authenticate(creds[0], creds[1])
		if status != 200 || err != nil {
			if status == 401 || status == 400 {
				app.info.Println("Auth failed: Invalid username and/or password")
				respond(401, "Invalid username/password", gc)
				return
			}
			app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin: Code %d", status)
			respond(500, "Jellyfin error", gc)
			return
		} else {
			jfId = user["Id"].(string)
			if app.config.Section("ui").Key("admin_only").MustBool(true) {
				if !user["Policy"].(map[string]interface{})["IsAdministrator"].(bool) {
					app.debug.Printf("Auth failed: User \"%s\" isn't admin", creds[0])
					respond(401, "Unauthorized", gc)
				}
			}
			newuser := User{}
			newuser.UserID = shortuuid.New()
			userId = newuser.UserID
			// uuid, nothing else identifiable!
			app.debug.Printf("Token generated for user \"%s\"", creds[0])
			app.users = append(app.users, newuser)
		}
	}
	token, err := CreateToken(userId, jfId)
	if err != nil {
		respond(500, "Error generating token", gc)
	}
	resp := map[string]string{"token": token}
	gc.JSON(200, resp)
}

func CreateToken(userId string, jfId string) (string, error) {
	claims := jwt.MapClaims{
		"valid": true,
		"id":    userId,
		"exp":   time.Now().Add(time.Minute * 20).Unix(),
		"jfid":  jfId,
	}

	tk := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	token, err := tk.SignedString([]byte(os.Getenv("JFA_SECRET")))
	if err != nil {
		return "", err
	}
	return token, nil
}

func respond(code int, message string, gc *gin.Context) {
	resp := map[string]string{"error": message}
	gc.JSON(code, resp)
	gc.Abort()
}
first 2020-07-29 23:11:28 +02:00			`package main`

			`import (`
			`"encoding/base64"`
			`"fmt"`
			`"os"`
			`"strings"`
			`"time"`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00
			`"github.com/dgrijalva/jwt-go"`
			`"github.com/gin-gonic/gin"`
			`"github.com/lithammer/shortuuid/v3"`
first 2020-07-29 23:11:28 +02:00			`)`

use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`func (app *appContext) webAuth() gin.HandlerFunc {`
			`return app.authenticate`
first 2020-07-29 23:11:28 +02:00			`}`

use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`func (app appContext) authenticate(gc gin.Context) {`
first 2020-07-29 23:11:28 +02:00			`header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)`
			`if header[0] != "Basic" {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.debug.Println("Invalid authentication header")`
first 2020-07-29 23:11:28 +02:00			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`auth, _ := base64.StdEncoding.DecodeString(header[1])`
			`creds := strings.SplitN(string(auth), ":", 2)`
			`token, err := jwt.Parse(creds[0], func(token *jwt.Token) (interface{}, error) {`
			`if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.debug.Printf("Invalid JWT signing method %s", token.Header["alg"])`
first 2020-07-29 23:11:28 +02:00			`return nil, fmt.Errorf("Unexpected signing method %v", token.Header["alg"])`
			`}`
			`return []byte(os.Getenv("JFA_SECRET")), nil`
			`})`
			`if err != nil {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.debug.Printf("Auth denied: %s", err)`
first 2020-07-29 23:11:28 +02:00			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`claims, ok := token.Claims.(jwt.MapClaims)`
Settings functional, start adding logging Modifying settings also formats it nicely, as a bonus. Also we using shortuuid instead of normal uuidv4 now because its the same length as what I used in the python version. 2020-07-31 23:07:09 +02:00			`var userId string`
Functioning user creation, notifications, Fixed password validation for new users, add invite route, couple other fixes. 2020-07-31 13:48:37 +02:00			`var jfId string`
first 2020-07-29 23:11:28 +02:00			`if ok && token.Valid {`
Settings functional, start adding logging Modifying settings also formats it nicely, as a bonus. Also we using shortuuid instead of normal uuidv4 now because its the same length as what I used in the python version. 2020-07-31 23:07:09 +02:00			`userId = claims["id"].(string)`
Functioning user creation, notifications, Fixed password validation for new users, add invite route, couple other fixes. 2020-07-31 13:48:37 +02:00			`jfId = claims["jfid"].(string)`
first 2020-07-29 23:11:28 +02:00			`} else {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.debug.Printf("Invalid token")`
first 2020-07-29 23:11:28 +02:00			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`match := false`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`for _, user := range app.users {`
first 2020-07-29 23:11:28 +02:00			`if user.UserID == userId {`
			`match = true`
			`}`
			`}`
			`if !match {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.debug.Printf("Couldn't find user ID %s", userId)`
first 2020-07-29 23:11:28 +02:00			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
Functioning user creation, notifications, Fixed password validation for new users, add invite route, couple other fixes. 2020-07-31 13:48:37 +02:00			`gc.Set("jfId", jfId)`
Settings functional, start adding logging Modifying settings also formats it nicely, as a bonus. Also we using shortuuid instead of normal uuidv4 now because its the same length as what I used in the python version. 2020-07-31 23:07:09 +02:00			`gc.Set("userId", userId)`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.debug.Println("Authentication successful")`
first 2020-07-29 23:11:28 +02:00			`gc.Next()`
			`}`

use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`func (app appContext) GetToken(gc gin.Context) {`
			`app.info.Println("Token requested (login attempt)")`
first 2020-07-29 23:11:28 +02:00			`header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)`
			`if header[0] != "Basic" {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.debug.Println("Invalid authentication header")`
first 2020-07-29 23:11:28 +02:00			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`auth, _ := base64.StdEncoding.DecodeString(header[1])`
			`creds := strings.SplitN(string(auth), ":", 2)`
			`match := false`
Settings functional, start adding logging Modifying settings also formats it nicely, as a bonus. Also we using shortuuid instead of normal uuidv4 now because its the same length as what I used in the python version. 2020-07-31 23:07:09 +02:00			`var userId string`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`for _, user := range app.users {`
first 2020-07-29 23:11:28 +02:00			`if user.Username == creds[0] && user.Password == creds[1] {`
			`match = true`
			`userId = user.UserID`
			`}`
			`}`
Functioning user creation, notifications, Fixed password validation for new users, add invite route, couple other fixes. 2020-07-31 13:48:37 +02:00			`jfId := ""`
first 2020-07-29 23:11:28 +02:00			`if !match {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`if !app.jellyfinLogin {`
			`app.info.Println("Auth failed: Invalid username and/or password")`
first 2020-07-29 23:11:28 +02:00			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`var status int`
			`var err error`
Functioning user creation, notifications, Fixed password validation for new users, add invite route, couple other fixes. 2020-07-31 13:48:37 +02:00			`var user map[string]interface{}`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`user, status, err = app.authJf.authenticate(creds[0], creds[1])`
first 2020-07-29 23:11:28 +02:00			`if status != 200 \|\| err != nil {`
Avoid panic on invalid password with jellyfin_login jfId was assigned too early, before checking errors. Also, handle 400 as well as 401 from jellyfin as an invalid password. 2020-08-19 15:36:15 +02:00			`if status == 401 \|\| status == 400 {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.info.Println("Auth failed: Invalid username and/or password")`
provide error message on login and display it nicely server now provides a reason for login fail to the web ui, and displays it inside the login button, which looks a lot nicer than the previously used error box. 2020-08-19 15:50:16 +02:00			`respond(401, "Invalid username/password", gc)`
Add auth & gin logging, fixed dummy logger 2020-08-01 15:08:55 +02:00			`return`
			`}`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin: Code %d", status)`
Add auth & gin logging, fixed dummy logger 2020-08-01 15:08:55 +02:00			`respond(500, "Jellyfin error", gc)`
first 2020-07-29 23:11:28 +02:00			`return`
			`} else {`
Avoid panic on invalid password with jellyfin_login jfId was assigned too early, before checking errors. Also, handle 400 as well as 401 from jellyfin as an invalid password. 2020-08-19 15:36:15 +02:00			`jfId = user["Id"].(string)`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`if app.config.Section("ui").Key("admin_only").MustBool(true) {`
Functioning user creation, notifications, Fixed password validation for new users, add invite route, couple other fixes. 2020-07-31 13:48:37 +02:00			`if !user["Policy"].(map[string]interface{})["IsAdministrator"].(bool) {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.debug.Printf("Auth failed: User \"%s\" isn't admin", creds[0])`
Functioning user creation, notifications, Fixed password validation for new users, add invite route, couple other fixes. 2020-07-31 13:48:37 +02:00			`respond(401, "Unauthorized", gc)`
			`}`
			`}`
first 2020-07-29 23:11:28 +02:00			`newuser := User{}`
Settings functional, start adding logging Modifying settings also formats it nicely, as a bonus. Also we using shortuuid instead of normal uuidv4 now because its the same length as what I used in the python version. 2020-07-31 23:07:09 +02:00			`newuser.UserID = shortuuid.New()`
first 2020-07-29 23:11:28 +02:00			`userId = newuser.UserID`
			`// uuid, nothing else identifiable!`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.debug.Printf("Token generated for user \"%s\"", creds[0])`
			`app.users = append(app.users, newuser)`
first 2020-07-29 23:11:28 +02:00			`}`
			`}`
Functioning user creation, notifications, Fixed password validation for new users, add invite route, couple other fixes. 2020-07-31 13:48:37 +02:00			`token, err := CreateToken(userId, jfId)`
first 2020-07-29 23:11:28 +02:00			`if err != nil {`
			`respond(500, "Error generating token", gc)`
			`}`
			`resp := map[string]string{"token": token}`
			`gc.JSON(200, resp)`
			`}`

Settings functional, start adding logging Modifying settings also formats it nicely, as a bonus. Also we using shortuuid instead of normal uuidv4 now because its the same length as what I used in the python version. 2020-07-31 23:07:09 +02:00			`func CreateToken(userId string, jfId string) (string, error) {`
first 2020-07-29 23:11:28 +02:00			`claims := jwt.MapClaims{`
			`"valid": true,`
			`"id": userId,`
			`"exp": time.Now().Add(time.Minute * 20).Unix(),`
Functioning user creation, notifications, Fixed password validation for new users, add invite route, couple other fixes. 2020-07-31 13:48:37 +02:00			`"jfid": jfId,`
first 2020-07-29 23:11:28 +02:00			`}`
Functioning user creation, notifications, Fixed password validation for new users, add invite route, couple other fixes. 2020-07-31 13:48:37 +02:00
first 2020-07-29 23:11:28 +02:00			`tk := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`token, err := tk.SignedString([]byte(os.Getenv("JFA_SECRET")))`
			`if err != nil {`
			`return "", err`
			`}`
			`return token, nil`
			`}`

			`func respond(code int, message string, gc *gin.Context) {`
			`resp := map[string]string{"error": message}`
			`gc.JSON(code, resp)`
			`gc.Abort()`
			`}`