implement JWT tokens

2025-05-25 11:22:55 -04:00
parent d5db656ca2
commit cb28c07ff4
53 changed files with 2939 additions and 119 deletions
--- a/api/auth.go
+++ b/api/auth.go
@@ -2,14 +2,26 @@ package api

 import (
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
 	"log/slog"
 	"net/http"
+	"os"
 	"time"

+	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
 	"golang.org/x/crypto/bcrypt"
 )

+var jwtSecret = []byte(os.Getenv("JWT_SECRET"))
+
+func hashToken(token string) string {
+	hash := sha256.Sum256([]byte(token))
+	return hex.EncodeToString(hash[:])
+}
+
 func Login(w http.ResponseWriter, r *http.Request) {
 	err := r.ParseMultipartForm(64 << 10)
 	if err != nil {
@@ -36,7 +48,7 @@ func Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	sessionToken := CreateSession(username)
+	sessionToken := CreateSession(user.ID)

 	http.SetCookie(w, &http.Cookie{
 		Name:     "session_token",
@@ -46,7 +58,7 @@ func Login(w http.ResponseWriter, r *http.Request) {
 		Secure:   false,
 	})

-	slog.Info("auth: login successful", "user", user.Name)
+	slog.Info("auth: login successful", "userID", user.ID, "userName", user.Name)
 	w.Write([]byte("Login successful"))
 }

@@ -58,71 +70,126 @@ func Logout(w http.ResponseWriter, r *http.Request) {
 	}

 	sessionToken := cookie.Value
-	username, valid := ValidateSession(sessionToken)
+	userID, valid := ValidateSession(sessionToken)
 	if !valid {
 		http.Error(w, "Session cookie could not be validated. You are already logged out", http.StatusBadRequest)
 		return
 	}

+	user, err := dbGetUser(userID.String())
+	if err != nil {
+		http.Error(w, "Session cookie validated but user could not be found", http.StatusInternalServerError)
+		return
+	}
+
 	DeleteSession(sessionToken)

 	cookie.Expires = time.Now()
 	http.SetCookie(w, cookie)

-	slog.Debug("auth: logout successful", "user", username)
-	w.Write([]byte(username + " has been logged out"))
+	slog.Debug("auth: logout successful", "userID", user.ID, "userName", user.Name)
+	w.Write([]byte(fmt.Sprintf("%v has been logged out", user.Name)))

 }

 type Session struct {
-	Token    uuid.UUID
-	Username string
+	Token  string
+	UserID uuid.UUID
+	Expiry time.Time
 }

-func CreateSession(username string) string {
+func CreateSession(userID uuid.UUID) string {
+
+	expiry := time.Now().Add(7 * 24 * time.Hour)
+
+	claims := jwt.MapClaims{
+		"userID": userID.String(),
+		"exp":    expiry.Unix(), // 7 day token expiry
+		"iat":    time.Now().Unix(),
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	tokenString, err := token.SignedString(jwtSecret)
+	if err != nil {
+		slog.Error("auth: failed to create JWT", "error", err)
+		return ""
+	}
+
+	hashedToken := hashToken(tokenString)
 	session := Session{
-		Token:    uuid.New(),
-		Username: username,
+		Token:  hashedToken,
+		UserID: userID,
+		Expiry: expiry,
 	}
 	dbAddSession(&session)
-	slog.Debug("auth: new session created", "user", session.Username)
-	return session.Token.String()
+
+	slog.Debug("auth: new session created", "userID", session.UserID)
+	return tokenString
 }

-func ValidateSession(sessionToken string) (string, bool) {
-	tokenUUID, err := uuid.Parse(sessionToken)
-	if err != nil {
-		return "", false
+func ValidateSession(sessionToken string) (uuid.UUID, bool) {
+	token, err := jwt.Parse(sessionToken, func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return jwtSecret, nil
+	})
+	if err != nil || !token.Valid {
+		slog.Debug("auth: session token invalid, rejecting")
+		return uuid.Nil, false
 	}

-	session, err := dbGetSession(tokenUUID)
-	if err != nil {
-		return "", false
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		slog.Debug("auth: could not map claims from JWT")
+		return uuid.Nil, false
 	}
-	slog.Debug("auth: session validated", "user", session.Username)
-	return session.Username, true
+
+	userIDStr, ok := claims["userID"].(string)
+	if !ok {
+		slog.Debug("auth: userID claim is not a string")
+		return uuid.Nil, false
+	}
+
+	userID, err := uuid.Parse(userIDStr)
+	if err != nil {
+		slog.Debug("auth: failed to parse userID as uuid", "error", err)
+		return uuid.Nil, false
+	}
+
+	hashedToken := hashToken(sessionToken)
+
+	session, err := dbGetSession(hashedToken)
+	if err != nil {
+		slog.Debug("auth: failed to retrieve session from db", "error", err)
+		return uuid.Nil, false
+	}
+	if time.Now().After(session.Expiry) {
+		slog.Debug("auth: session is expired (or otherwise invalid) in db")
+		return uuid.Nil, false
+	}
+
+	slog.Debug("auth: session validated", "userID", session.UserID)
+	return userID, true
 }

-func DeleteSession(sessionToken string) (string, bool) {
-	tokenUUID, err := uuid.Parse(sessionToken)
+func DeleteSession(sessionToken string) bool {
+
+	hashedToken := hashToken(sessionToken)
+
+	err := dbDeleteSession(hashedToken)
 	if err != nil {
-		return "", false
+		slog.Error("auth: failed to delete session", "error", err)
+		return false
 	}

-	session, err := dbGetSession(tokenUUID)
-	if err != nil {
-		return "", false
-	} else {
-		dbDeleteSession(session.Token)
-	}
-
-	slog.Debug("auth: session deleted", "user", session.Username)
-	return session.Username, true
+	slog.Debug("auth: session deleted", "token", hashedToken)
+	return true
 }

 type contextKey string

-const usernameKey contextKey = "username"
+const userIDKey contextKey = "userID"

 func SessionAuthMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -133,14 +200,14 @@ func SessionAuthMiddleware(next http.Handler) http.Handler {
 		}

 		sessionToken := cookie.Value
-		username, valid := ValidateSession(sessionToken)
+		userID, valid := ValidateSession(sessionToken)
 		if !valid {
 			http.Error(w, "Unauthorized", http.StatusUnauthorized)
 			return
 		}

 		// Add username to request context
-		ctx := context.WithValue(r.Context(), usernameKey, username)
+		ctx := context.WithValue(r.Context(), userIDKey, userID)
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }
--- a/api/db.go
+++ b/api/db.go
@@ -7,7 +7,6 @@ import (

 	"git.dubyatp.xyz/chat-api-server/db"
 	"github.com/gocql/gocql"
-	"github.com/google/uuid"
 )

 func dbGetUser(id string) (*User, error) {
@@ -28,8 +27,6 @@ func dbGetUser(id string) (*User, error) {
 }

 func dbGetUserByName(username string) (*User, error) {
-	// This will be deprecated soon after implementing https://git.dubyatp.xyz/williamp/chatservice_concept/issues/1
-
 	query := `SELECT id, name, password FROM users WHERE name = ?`
 	var user User
 	err := db.Session.Query(query, username).Scan(&user.ID, &user.Name, &user.Password)
@@ -128,23 +125,24 @@ func dbGetAllMessages() ([]*Message, error) {
 }

 func dbAddSession(session *Session) error {
-	query := `INSERT INTO sessions (session_token, username) VALUES (?, ?)`
-	err := db.Session.Query(query, session.Token, session.Username).Exec()
+	query := `INSERT INTO sessions (jwttoken, userid, expiry) VALUES (?, ?, ?)`
+	err := db.Session.Query(query, session.Token, session.UserID, session.Expiry).Exec()
 	if err != nil {
 		slog.Error("db: failed to add session", "error", err)
 		return fmt.Errorf("failed to add session")
 	}

-	slog.Debug("db: session added", "username", session.Username)
+	slog.Debug("db: session added", "userID", session.UserID)
 	return nil
 }

-func dbGetSession(id uuid.UUID) (*Session, error) {
-	query := `SELECT session_token, username FROM sessions WHERE session_token = ?`
+func dbGetSession(jwtToken string) (*Session, error) {
+	query := `SELECT jwttoken, userid, expiry FROM sessions WHERE jwttoken = ?`
 	var session Session
-	err := db.Session.Query(query, id).Scan(
+	err := db.Session.Query(query, jwtToken).Scan(
 		&session.Token,
-		&session.Username)
+		&session.UserID,
+		&session.Expiry)
 	if err == gocql.ErrNotFound {
 		slog.Debug("db: session not found")
 		return nil, errors.New("Session not found")
@@ -156,10 +154,10 @@ func dbGetSession(id uuid.UUID) (*Session, error) {
 	return &session, nil
 }

-func dbDeleteSession(id uuid.UUID) error {
-	query := `DELETE FROM sessions WHERE session_token = ?`
+func dbDeleteSession(jwtToken string) error {
+	query := `DELETE FROM sessions WHERE jwttoken = ?`

-	err := db.Session.Query(query, id).Exec()
+	err := db.Session.Query(query, jwtToken).Exec()

 	if err != nil {
 		slog.Error("db: failed to delete session")
--- a/api/user.go
+++ b/api/user.go
@@ -52,17 +52,17 @@ func Whoami(w http.ResponseWriter, r *http.Request) {
 func LoginCtx(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		slog.Debug("user: entering LoginCtx middleware")
-		username, ok := r.Context().Value(usernameKey).(string)
-		if !ok || username == "" {
-			slog.Debug("user: no username provided, assuming anonymous user")
+		userID, ok := r.Context().Value(userIDKey).(uuid.UUID)
+		if !ok || userID == uuid.Nil {
+			slog.Debug("user: no user ID provided, assuming anonymous user")
 			next.ServeHTTP(w, r)
 			return
 		}

-		slog.Debug("user: fetching user by username", "username", username)
-		user, err := dbGetUserByName(username)
+		slog.Debug("user: fetching user by user ID", "userID", userID)
+		user, err := dbGetUser(userID.String())
 		if err != nil {
-			slog.Error("user: failed to fetch user by username", "username", username, "error", err)
+			slog.Error("user: failed to fetch user by user ID", "userID", userID, "error", err)
 			render.Render(w, r, ErrNotFound)
 			return
 		}