jfa-go/auth.go

package main

import (
	"encoding/base64"
	"fmt"
	"os"
	"strconv"
	"strings"
	"time"

	"github.com/dgrijalva/jwt-go"
	"github.com/gin-gonic/gin"
	"github.com/lithammer/shortuuid/v3"
)

func (app *appContext) webAuth() gin.HandlerFunc {
	return app.authenticate
}

// CreateToken returns a web token as well as a refresh token, which can be used to obtain new tokens.
func CreateToken(userId, jfId string) (string, string, error) {
	var token, refresh string
	claims := jwt.MapClaims{
		"valid": true,
		"id":    userId,
		"exp":   strconv.FormatInt(time.Now().Add(time.Minute*20).Unix(), 10),
		"jfid":  jfId,
		"type":  "bearer",
	}

	tk := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	token, err := tk.SignedString([]byte(os.Getenv("JFA_SECRET")))
	if err != nil {
		return "", "", err
	}
	claims["exp"] = strconv.FormatInt(time.Now().Add(time.Hour*24).Unix(), 10)
	claims["type"] = "refresh"
	tk = jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	refresh, err = tk.SignedString([]byte(os.Getenv("JFA_SECRET")))
	if err != nil {
		return "", "", err
	}
	return token, refresh, nil
}

// Check header for token
func (app *appContext) authenticate(gc *gin.Context) {
	header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
	if header[0] != "Basic" {
		app.debug.Println("Invalid authentication header")
		respond(401, "Unauthorized", gc)
		return
	}
	auth, _ := base64.StdEncoding.DecodeString(header[1])
	creds := strings.SplitN(string(auth), ":", 2)
	token, err := jwt.Parse(creds[0], checkToken)
	if err != nil {
		app.debug.Printf("Auth denied: %s", err)
		respond(401, "Unauthorized", gc)
		return
	}
	claims, ok := token.Claims.(jwt.MapClaims)
	expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)
	if err != nil {
		app.debug.Printf("Auth denied: %s", err)
		respond(401, "Unauthorized", gc)
		return
	}
	expiry := time.Unix(expiryUnix, 0)
	if !(ok && token.Valid && claims["type"].(string) == "bearer" && expiry.After(time.Now())) {
		app.debug.Printf("Auth denied: Invalid token")
		respond(401, "Unauthorized", gc)
		return
	}
	userID := claims["id"].(string)
	jfID := claims["jfid"].(string)
	match := false
	for _, user := range app.users {
		if user.UserID == userID {
			match = true
			break
		}
	}
	if !match {
		app.debug.Printf("Couldn't find user ID \"%s\"", userID)
		respond(401, "Unauthorized", gc)
		return
	}
	gc.Set("jfId", jfID)
	gc.Set("userId", userID)
	app.debug.Println("Auth succeeded")
	gc.Next()
}

func checkToken(token *jwt.Token) (interface{}, error) {
	if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
		return nil, fmt.Errorf("Unexpected signing method %v", token.Header["alg"])
	}
	return []byte(os.Getenv("JFA_SECRET")), nil
}

// getToken checks the header for a username and password, as well as checking the refresh cookie.
func (app *appContext) getToken(gc *gin.Context) {
	app.info.Println("Token requested (login attempt)")
	header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
	auth, _ := base64.StdEncoding.DecodeString(header[1])
	creds := strings.SplitN(string(auth), ":", 2)
	// check cookie first
	var userID, jfID string
	valid := false
	noLogin := false
	checkLogin := func() {
		if creds[0] == "" || creds[1] == "" {
			app.debug.Println("Auth denied: blank username/password")
			respond(401, "Unauthorized", gc)
			return
		}
		match := false
		for _, user := range app.users {
			if user.Username == creds[0] && user.Password == creds[1] {
				match = true
				app.debug.Println("Found existing user")
				userID = user.UserID
				break
			}
		}
		if !app.jellyfinLogin && !match {
			app.info.Println("Auth denied: Invalid username/password")
			respond(401, "Unauthorized", gc)
			return
		}
		if !match {
			var status int
			var err error
			var user map[string]interface{}
			user, status, err = app.authJf.authenticate(creds[0], creds[1])
			if status != 200 || err != nil {
				if status == 401 || status == 400 {
					app.info.Println("Auth denied: Invalid username/password (Jellyfin)")
					respond(401, "Unauthorized", gc)
					return
				}
				app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin (%d/%s)", status, err)
				respond(500, "Jellyfin error", gc)
				return
			}
			jfID = user["Id"].(string)
			if app.config.Section("ui").Key("admin_only").MustBool(true) {
				if !user["Policy"].(map[string]interface{})["IsAdministrator"].(bool) {
					app.debug.Printf("Auth denied: Users \"%s\" isn't admin", creds[0])
					respond(401, "Unauthorized", gc)
					return
				}
			}
			// New users are only added when using jellyfinLogin.
			userID = shortuuid.New()
			newUser := User{
				UserID: userID,
			}
			app.debug.Printf("Token generated for user \"%s\"", creds[0])
			app.users = append(app.users, newUser)
		}
		valid = true
	}
	checkCookie := func() {
		cookie, err := gc.Cookie("refresh")
		if err == nil && cookie != "" {
			for _, token := range app.invalidTokens {
				if cookie == token {
					if creds[0] == "" || creds[1] == "" {
						app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")
						respond(401, "Unauthorized", gc)
						noLogin = true
						return
					}
					app.debug.Println("getToken: Invalid token but username/password provided")
					return
				}
			}
			token, err := jwt.Parse(cookie, checkToken)
			if err != nil {
				if creds[0] == "" || creds[1] == "" {
					app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")
					respond(401, "Unauthorized", gc)
					noLogin = true
					return
				}
				app.debug.Println("getToken: Invalid token but username/password provided")
				return
			}
			claims, ok := token.Claims.(jwt.MapClaims)
			expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)
			if err != nil {
				if creds[0] == "" || creds[1] == "" {
					app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)
					respond(401, "Unauthorized", gc)
					noLogin = true
					return
				}
				app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)
				return
			}
			expiry := time.Unix(expiryUnix, 0)
			if !(ok && token.Valid && claims["type"].(string) == "refresh" && expiry.After(time.Now())) {
				if creds[0] == "" || creds[1] == "" {
					app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)
					respond(401, "Unauthorized", gc)
					noLogin = true
					return
				}
				app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)
				return
			}
			userID = claims["id"].(string)
			jfID = claims["jfid"].(string)
			valid = true
		}
	}
	checkCookie()
	if !valid && !noLogin {
		checkLogin()
	}
	if valid {
		token, refresh, err := CreateToken(userID, jfID)
		if err != nil {
			app.err.Printf("getToken failed: Couldn't generate token (%s)", err)
			respond(500, "Couldn't generate token", gc)
			return
		}
		gc.SetCookie("refresh", refresh, (3600 * 24), "/", gc.Request.URL.Hostname(), true, true)
		gc.JSON(200, map[string]string{"token": token})
	} else {
		gc.AbortWithStatus(401)
	}
}
first 2020-07-29 23:11:28 +02:00			`package main`

			`import (`
			`"encoding/base64"`
			`"fmt"`
			`"os"`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 2020-08-19 23:30:54 +02:00			`"strconv"`
first 2020-07-29 23:11:28 +02:00			`"strings"`
			`"time"`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00
			`"github.com/dgrijalva/jwt-go"`
			`"github.com/gin-gonic/gin"`
			`"github.com/lithammer/shortuuid/v3"`
first 2020-07-29 23:11:28 +02:00			`)`

use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`func (app *appContext) webAuth() gin.HandlerFunc {`
			`return app.authenticate`
first 2020-07-29 23:11:28 +02:00			`}`

cleaned up auth 2020-08-23 15:59:07 +02:00			`// CreateToken returns a web token as well as a refresh token, which can be used to obtain new tokens.`
			`func CreateToken(userId, jfId string) (string, string, error) {`
			`var token, refresh string`
			`claims := jwt.MapClaims{`
			`"valid": true,`
			`"id": userId,`
			`"exp": strconv.FormatInt(time.Now().Add(time.Minute*20).Unix(), 10),`
			`"jfid": jfId,`
			`"type": "bearer",`
			`}`

			`tk := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`token, err := tk.SignedString([]byte(os.Getenv("JFA_SECRET")))`
			`if err != nil {`
			`return "", "", err`
			`}`
			`claims["exp"] = strconv.FormatInt(time.Now().Add(time.Hour*24).Unix(), 10)`
			`claims["type"] = "refresh"`
			`tk = jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`refresh, err = tk.SignedString([]byte(os.Getenv("JFA_SECRET")))`
			`if err != nil {`
			`return "", "", err`
			`}`
			`return token, refresh, nil`
			`}`

			`// Check header for token`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`func (app appContext) authenticate(gc gin.Context) {`
first 2020-07-29 23:11:28 +02:00			`header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)`
			`if header[0] != "Basic" {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.debug.Println("Invalid authentication header")`
first 2020-07-29 23:11:28 +02:00			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`auth, _ := base64.StdEncoding.DecodeString(header[1])`
			`creds := strings.SplitN(string(auth), ":", 2)`
cleaned up auth 2020-08-23 15:59:07 +02:00			`token, err := jwt.Parse(creds[0], checkToken)`
first 2020-07-29 23:11:28 +02:00			`if err != nil {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.debug.Printf("Auth denied: %s", err)`
first 2020-07-29 23:11:28 +02:00			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`claims, ok := token.Claims.(jwt.MapClaims)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 2020-08-19 23:30:54 +02:00			`expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)`
			`if err != nil {`
			`app.debug.Printf("Auth denied: %s", err)`
			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`expiry := time.Unix(expiryUnix, 0)`
cleaned up auth 2020-08-23 15:59:07 +02:00			`if !(ok && token.Valid && claims["type"].(string) == "bearer" && expiry.After(time.Now())) {`
			`app.debug.Printf("Auth denied: Invalid token")`
first 2020-07-29 23:11:28 +02:00			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
cleaned up auth 2020-08-23 15:59:07 +02:00			`userID := claims["id"].(string)`
			`jfID := claims["jfid"].(string)`
first 2020-07-29 23:11:28 +02:00			`match := false`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`for _, user := range app.users {`
cleaned up auth 2020-08-23 15:59:07 +02:00			`if user.UserID == userID {`
first 2020-07-29 23:11:28 +02:00			`match = true`
cleaned up auth 2020-08-23 15:59:07 +02:00			`break`
first 2020-07-29 23:11:28 +02:00			`}`
			`}`
			`if !match {`
cleaned up auth 2020-08-23 15:59:07 +02:00			`app.debug.Printf("Couldn't find user ID \"%s\"", userID)`
first 2020-07-29 23:11:28 +02:00			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
cleaned up auth 2020-08-23 15:59:07 +02:00			`gc.Set("jfId", jfID)`
			`gc.Set("userId", userID)`
			`app.debug.Println("Auth succeeded")`
first 2020-07-29 23:11:28 +02:00			`gc.Next()`
			`}`

cleaned up auth 2020-08-23 15:59:07 +02:00			`func checkToken(token *jwt.Token) (interface{}, error) {`
			`if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {`
			`return nil, fmt.Errorf("Unexpected signing method %v", token.Header["alg"])`
			`}`
			`return []byte(os.Getenv("JFA_SECRET")), nil`
			`}`

			`// getToken checks the header for a username and password, as well as checking the refresh cookie.`
			`func (app appContext) getToken(gc gin.Context) {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 2020-08-16 14:36:54 +02:00			`app.info.Println("Token requested (login attempt)")`
first 2020-07-29 23:11:28 +02:00			`header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)`
			`auth, _ := base64.StdEncoding.DecodeString(header[1])`
			`creds := strings.SplitN(string(auth), ":", 2)`
cleaned up auth 2020-08-23 15:59:07 +02:00			`// check cookie first`
			`var userID, jfID string`
			`valid := false`
			`noLogin := false`
			`checkLogin := func() {`
			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Println("Auth denied: blank username/password")`
			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`match := false`
			`for _, user := range app.users {`
			`if user.Username == creds[0] && user.Password == creds[1] {`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 2020-08-20 21:20:31 +02:00			`match = true`
			`app.debug.Println("Found existing user")`
cleaned up auth 2020-08-23 15:59:07 +02:00			`userID = user.UserID`
			`break`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 2020-08-20 21:20:31 +02:00			`}`
first 2020-07-29 23:11:28 +02:00			`}`
cleaned up auth 2020-08-23 15:59:07 +02:00			`if !app.jellyfinLogin && !match {`
			`app.info.Println("Auth denied: Invalid username/password")`
first 2020-07-29 23:11:28 +02:00			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
cleaned up auth 2020-08-23 15:59:07 +02:00			`if !match {`
			`var status int`
			`var err error`
			`var user map[string]interface{}`
			`user, status, err = app.authJf.authenticate(creds[0], creds[1])`
			`if status != 200 \|\| err != nil {`
			`if status == 401 \|\| status == 400 {`
			`app.info.Println("Auth denied: Invalid username/password (Jellyfin)")`
			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin (%d/%s)", status, err)`
			`respond(500, "Jellyfin error", gc)`
			`return`
			`}`
			`jfID = user["Id"].(string)`
			`if app.config.Section("ui").Key("admin_only").MustBool(true) {`
			`if !user["Policy"].(map[string]interface{})["IsAdministrator"].(bool) {`
			`app.debug.Printf("Auth denied: Users \"%s\" isn't admin", creds[0])`
			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`}`
			`// New users are only added when using jellyfinLogin.`
			`userID = shortuuid.New()`
			`newUser := User{`
			`UserID: userID,`
			`}`
			`app.debug.Printf("Token generated for user \"%s\"", creds[0])`
			`app.users = append(app.users, newUser)`
			`}`
			`valid = true`
			`}`
			`checkCookie := func() {`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 2020-08-20 21:20:31 +02:00			`cookie, err := gc.Cookie("refresh")`
cleaned up auth 2020-08-23 15:59:07 +02:00			`if err == nil && cookie != "" {`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 2020-08-20 21:20:31 +02:00			`for _, token := range app.invalidTokens {`
			`if cookie == token {`
cleaned up auth 2020-08-23 15:59:07 +02:00			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")`
			`respond(401, "Unauthorized", gc)`
			`noLogin = true`
			`return`
			`}`
			`app.debug.Println("getToken: Invalid token but username/password provided")`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 2020-08-20 21:20:31 +02:00			`return`
			`}`
			`}`
cleaned up auth 2020-08-23 15:59:07 +02:00			`token, err := jwt.Parse(cookie, checkToken)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 2020-08-19 23:30:54 +02:00			`if err != nil {`
cleaned up auth 2020-08-23 15:59:07 +02:00			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")`
			`respond(401, "Unauthorized", gc)`
			`noLogin = true`
			`return`
			`}`
			`app.debug.Println("getToken: Invalid token but username/password provided")`
Add auth & gin logging, fixed dummy logger 2020-08-01 15:08:55 +02:00			`return`
			`}`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 2020-08-19 23:30:54 +02:00			`claims, ok := token.Claims.(jwt.MapClaims)`
			`expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)`
			`if err != nil {`
cleaned up auth 2020-08-23 15:59:07 +02:00			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)`
			`respond(401, "Unauthorized", gc)`
			`noLogin = true`
			`return`
			`}`
			`app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 2020-08-19 23:30:54 +02:00			`return`
			`}`
			`expiry := time.Unix(expiryUnix, 0)`
cleaned up auth 2020-08-23 15:59:07 +02:00			`if !(ok && token.Valid && claims["type"].(string) == "refresh" && expiry.After(time.Now())) {`
			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)`
			`respond(401, "Unauthorized", gc)`
			`noLogin = true`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 2020-08-19 23:30:54 +02:00			`return`
			`}`
cleaned up auth 2020-08-23 15:59:07 +02:00			`app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 2020-08-19 23:30:54 +02:00			`return`
			`}`
cleaned up auth 2020-08-23 15:59:07 +02:00			`userID = claims["id"].(string)`
			`jfID = claims["jfid"].(string)`
			`valid = true`
first 2020-07-29 23:11:28 +02:00			`}`
			`}`
cleaned up auth 2020-08-23 15:59:07 +02:00			`checkCookie()`
			`if !valid && !noLogin {`
			`checkLogin()`
first 2020-07-29 23:11:28 +02:00			`}`
cleaned up auth 2020-08-23 15:59:07 +02:00			`if valid {`
			`token, refresh, err := CreateToken(userID, jfID)`
			`if err != nil {`
			`app.err.Printf("getToken failed: Couldn't generate token (%s)", err)`
			`respond(500, "Couldn't generate token", gc)`
			`return`
			`}`
			`gc.SetCookie("refresh", refresh, (3600 * 24), "/", gc.Request.URL.Hostname(), true, true)`
			`gc.JSON(200, map[string]string{"token": token})`
			`} else {`
			`gc.AbortWithStatus(401)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 2020-08-19 23:30:54 +02:00			`}`
first 2020-07-29 23:11:28 +02:00			`}`