jfa-go/auth.go

package main

import (
	"encoding/base64"
	"fmt"
	"os"
	"strconv"
	"strings"
	"time"

	"github.com/dgrijalva/jwt-go"
	"github.com/gin-gonic/gin"
	"github.com/lithammer/shortuuid/v3"
)

func (app *appContext) webAuth() gin.HandlerFunc {
	return app.authenticate
}

// CreateToken returns a web token as well as a refresh token, which can be used to obtain new tokens.
func CreateToken(userId, jfId string) (string, string, error) {
	var token, refresh string
	claims := jwt.MapClaims{
		"valid": true,
		"id":    userId,
		"exp":   strconv.FormatInt(time.Now().Add(time.Minute*20).Unix(), 10),
		"jfid":  jfId,
		"type":  "bearer",
	}

	tk := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	token, err := tk.SignedString([]byte(os.Getenv("JFA_SECRET")))
	if err != nil {
		return "", "", err
	}
	claims["exp"] = strconv.FormatInt(time.Now().Add(time.Hour*24).Unix(), 10)
	claims["type"] = "refresh"
	tk = jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	refresh, err = tk.SignedString([]byte(os.Getenv("JFA_SECRET")))
	if err != nil {
		return "", "", err
	}
	return token, refresh, nil
}

// Check header for token
func (app *appContext) authenticate(gc *gin.Context) {
	header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
	if header[0] != "Basic" {
		app.debug.Println("Invalid authentication header")
		respond(401, "Unauthorized", gc)
		return
	}
	auth, _ := base64.StdEncoding.DecodeString(header[1])
	creds := strings.SplitN(string(auth), ":", 2)
	token, err := jwt.Parse(creds[0], checkToken)
	if err != nil {
		app.debug.Printf("Auth denied: %s", err)
		respond(401, "Unauthorized", gc)
		return
	}
	claims, ok := token.Claims.(jwt.MapClaims)
	expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)
	if err != nil {
		app.debug.Printf("Auth denied: %s", err)
		respond(401, "Unauthorized", gc)
		return
	}
	expiry := time.Unix(expiryUnix, 0)
	if !(ok && token.Valid && claims["type"].(string) == "bearer" && expiry.After(time.Now())) {
		app.debug.Printf("Auth denied: Invalid token")
		respond(401, "Unauthorized", gc)
		return
	}
	userID := claims["id"].(string)
	jfID := claims["jfid"].(string)
	match := false
	for _, user := range app.users {
		if user.UserID == userID {
			match = true
			break
		}
	}
	if !match {
		app.debug.Printf("Couldn't find user ID \"%s\"", userID)
		respond(401, "Unauthorized", gc)
		return
	}
	gc.Set("jfId", jfID)
	gc.Set("userId", userID)
	app.debug.Println("Auth succeeded")
	gc.Next()
}

func checkToken(token *jwt.Token) (interface{}, error) {
	if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
		return nil, fmt.Errorf("Unexpected signing method %v", token.Header["alg"])
	}
	return []byte(os.Getenv("JFA_SECRET")), nil
}

type getTokenDTO struct {
	Token string `json:"token" example:"kjsdklsfdkljfsjsdfklsdfkldsfjdfskjsdfjklsdf"` // API token for use with everything else.
}

// getToken checks the header for a username and password, as well as checking the refresh cookie.

// @Summary Grabs an API token using username & password, or via a refresh cookie.
// @description Click the lock icon next to this, login with your normal jfa-go credentials. Click 'try it out', then 'execute' and an API Key will be returned, copy it (not including quotes). On any of the other routes, click the lock icon and use the token as your -Username-. The password can be anything.
// @Produce json
// @Success 200 {object} getTokenDTO
// @Failure 401 {object} stringResponse
// @Router /getToken [get]
// @tags Auth
// @Security getTokenAuth
func (app *appContext) getToken(gc *gin.Context) {
	app.info.Println("Token requested (login attempt)")
	header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
	auth, _ := base64.StdEncoding.DecodeString(header[1])
	creds := strings.SplitN(string(auth), ":", 2)
	// check cookie first
	var userID, jfID string
	valid := false
	noLogin := false
	checkLogin := func() {
		if creds[0] == "" || creds[1] == "" {
			app.debug.Println("Auth denied: blank username/password")
			respond(401, "Unauthorized", gc)
			return
		}
		match := false
		for _, user := range app.users {
			if user.Username == creds[0] && user.Password == creds[1] {
				match = true
				app.debug.Println("Found existing user")
				userID = user.UserID
				break
			}
		}
		if !app.jellyfinLogin && !match {
			app.info.Println("Auth denied: Invalid username/password")
			respond(401, "Unauthorized", gc)
			return
		}
		if !match {
			var status int
			var err error
			var user map[string]interface{}
			user, status, err = app.authJf.Authenticate(creds[0], creds[1])
			if status != 200 || err != nil {
				if status == 401 || status == 400 {
					app.info.Println("Auth denied: Invalid username/password (Jellyfin)")
					respond(401, "Unauthorized", gc)
					return
				}
				app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin (%d/%s)", status, err)
				respond(500, "Jellyfin error", gc)
				return
			}
			jfID = user["Id"].(string)
			if app.config.Section("ui").Key("admin_only").MustBool(true) {
				if !user["Policy"].(map[string]interface{})["IsAdministrator"].(bool) {
					app.debug.Printf("Auth denied: Users \"%s\" isn't admin", creds[0])
					respond(401, "Unauthorized", gc)
					return
				}
			}
			// New users are only added when using jellyfinLogin.
			userID = shortuuid.New()
			newUser := User{
				UserID: userID,
			}
			app.debug.Printf("Token generated for user \"%s\"", creds[0])
			app.users = append(app.users, newUser)
		}
		valid = true
	}
	checkCookie := func() {
		cookie, err := gc.Cookie("refresh")
		if err == nil && cookie != "" {
			for _, token := range app.invalidTokens {
				if cookie == token {
					if creds[0] == "" || creds[1] == "" {
						app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")
						respond(401, "Unauthorized", gc)
						noLogin = true
						return
					}
					app.debug.Println("getToken: Invalid token but username/password provided")
					return
				}
			}
			token, err := jwt.Parse(cookie, checkToken)
			if err != nil {
				if creds[0] == "" || creds[1] == "" {
					app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")
					respond(401, "Unauthorized", gc)
					noLogin = true
					return
				}
				app.debug.Println("getToken: Invalid token but username/password provided")
				return
			}
			claims, ok := token.Claims.(jwt.MapClaims)
			expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)
			if err != nil {
				if creds[0] == "" || creds[1] == "" {
					app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)
					respond(401, "Unauthorized", gc)
					noLogin = true
					return
				}
				app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)
				return
			}
			expiry := time.Unix(expiryUnix, 0)
			if !(ok && token.Valid && claims["type"].(string) == "refresh" && expiry.After(time.Now())) {
				if creds[0] == "" || creds[1] == "" {
					app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)
					respond(401, "Unauthorized", gc)
					noLogin = true
					return
				}
				app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)
				return
			}
			userID = claims["id"].(string)
			jfID = claims["jfid"].(string)
			valid = true
		}
	}
	checkCookie()
	if !valid && !noLogin {
		checkLogin()
	}
	if valid {
		token, refresh, err := CreateToken(userID, jfID)
		if err != nil {
			app.err.Printf("getToken failed: Couldn't generate token (%s)", err)
			respond(500, "Couldn't generate token", gc)
			return
		}
		gc.SetCookie("refresh", refresh, (3600 * 24), "/", gc.Request.URL.Hostname(), true, true)
		gc.JSON(200, getTokenDTO{token})
	} else {
		gc.AbortWithStatus(401)
	}
}
first 4 years ago			`package main`

			`import (`
			`"encoding/base64"`
			`"fmt"`
			`"os"`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`"strconv"`
first 4 years ago			`"strings"`
			`"time"`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago
			`"github.com/dgrijalva/jwt-go"`
			`"github.com/gin-gonic/gin"`
			`"github.com/lithammer/shortuuid/v3"`
first 4 years ago			`)`

use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago			`func (app *appContext) webAuth() gin.HandlerFunc {`
			`return app.authenticate`
first 4 years ago			`}`

cleaned up auth 4 years ago			`// CreateToken returns a web token as well as a refresh token, which can be used to obtain new tokens.`
			`func CreateToken(userId, jfId string) (string, string, error) {`
			`var token, refresh string`
			`claims := jwt.MapClaims{`
			`"valid": true,`
			`"id": userId,`
			`"exp": strconv.FormatInt(time.Now().Add(time.Minute*20).Unix(), 10),`
			`"jfid": jfId,`
			`"type": "bearer",`
			`}`

			`tk := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`token, err := tk.SignedString([]byte(os.Getenv("JFA_SECRET")))`
			`if err != nil {`
			`return "", "", err`
			`}`
			`claims["exp"] = strconv.FormatInt(time.Now().Add(time.Hour*24).Unix(), 10)`
			`claims["type"] = "refresh"`
			`tk = jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`refresh, err = tk.SignedString([]byte(os.Getenv("JFA_SECRET")))`
			`if err != nil {`
			`return "", "", err`
			`}`
			`return token, refresh, nil`
			`}`

			`// Check header for token`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago			`func (app appContext) authenticate(gc gin.Context) {`
first 4 years ago			`header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)`
			`if header[0] != "Basic" {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago			`app.debug.Println("Invalid authentication header")`
first 4 years ago			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`auth, _ := base64.StdEncoding.DecodeString(header[1])`
			`creds := strings.SplitN(string(auth), ":", 2)`
cleaned up auth 4 years ago			`token, err := jwt.Parse(creds[0], checkToken)`
first 4 years ago			`if err != nil {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago			`app.debug.Printf("Auth denied: %s", err)`
first 4 years ago			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`claims, ok := token.Claims.(jwt.MapClaims)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)`
			`if err != nil {`
			`app.debug.Printf("Auth denied: %s", err)`
			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`expiry := time.Unix(expiryUnix, 0)`
cleaned up auth 4 years ago			`if !(ok && token.Valid && claims["type"].(string) == "bearer" && expiry.After(time.Now())) {`
			`app.debug.Printf("Auth denied: Invalid token")`
first 4 years ago			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
cleaned up auth 4 years ago			`userID := claims["id"].(string)`
			`jfID := claims["jfid"].(string)`
first 4 years ago			`match := false`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago			`for _, user := range app.users {`
cleaned up auth 4 years ago			`if user.UserID == userID {`
first 4 years ago			`match = true`
cleaned up auth 4 years ago			`break`
first 4 years ago			`}`
			`}`
			`if !match {`
cleaned up auth 4 years ago			`app.debug.Printf("Couldn't find user ID \"%s\"", userID)`
first 4 years ago			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
cleaned up auth 4 years ago			`gc.Set("jfId", jfID)`
			`gc.Set("userId", userID)`
			`app.debug.Println("Auth succeeded")`
first 4 years ago			`gc.Next()`
			`}`

cleaned up auth 4 years ago			`func checkToken(token *jwt.Token) (interface{}, error) {`
			`if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {`
			`return nil, fmt.Errorf("Unexpected signing method %v", token.Header["alg"])`
			`}`
			`return []byte(os.Getenv("JFA_SECRET")), nil`
			`}`

Add auth and tags to swagger 4 years ago			`type getTokenDTO struct {`
			Token string `json:"token" example:"kjsdklsfdkljfsjsdfklsdfkldsfjdfskjsdfjklsdf"` // API token for use with everything else.
			`}`

cleaned up auth 4 years ago			`// getToken checks the header for a username and password, as well as checking the refresh cookie.`
Add auth and tags to swagger 4 years ago
			`// @Summary Grabs an API token using username & password, or via a refresh cookie.`
			`// @description Click the lock icon next to this, login with your normal jfa-go credentials. Click 'try it out', then 'execute' and an API Key will be returned, copy it (not including quotes). On any of the other routes, click the lock icon and use the token as your -Username-. The password can be anything.`
			`// @Produce json`
			`// @Success 200 {object} getTokenDTO`
			`// @Failure 401 {object} stringResponse`
			`// @Router /getToken [get]`
			`// @tags Auth`
			`// @Security getTokenAuth`
cleaned up auth 4 years ago			`func (app appContext) getToken(gc gin.Context) {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago			`app.info.Println("Token requested (login attempt)")`
first 4 years ago			`header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)`
			`auth, _ := base64.StdEncoding.DecodeString(header[1])`
			`creds := strings.SplitN(string(auth), ":", 2)`
cleaned up auth 4 years ago			`// check cookie first`
			`var userID, jfID string`
			`valid := false`
			`noLogin := false`
			`checkLogin := func() {`
			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Println("Auth denied: blank username/password")`
			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`match := false`
			`for _, user := range app.users {`
			`if user.Username == creds[0] && user.Password == creds[1] {`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 4 years ago			`match = true`
			`app.debug.Println("Found existing user")`
cleaned up auth 4 years ago			`userID = user.UserID`
			`break`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 4 years ago			`}`
first 4 years ago			`}`
cleaned up auth 4 years ago			`if !app.jellyfinLogin && !match {`
			`app.info.Println("Auth denied: Invalid username/password")`
first 4 years ago			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
cleaned up auth 4 years ago			`if !match {`
			`var status int`
			`var err error`
			`var user map[string]interface{}`
refactor; separate jfapi and ombi into modules 4 years ago			`user, status, err = app.authJf.Authenticate(creds[0], creds[1])`
cleaned up auth 4 years ago			`if status != 200 \|\| err != nil {`
			`if status == 401 \|\| status == 400 {`
			`app.info.Println("Auth denied: Invalid username/password (Jellyfin)")`
			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin (%d/%s)", status, err)`
			`respond(500, "Jellyfin error", gc)`
			`return`
			`}`
			`jfID = user["Id"].(string)`
			`if app.config.Section("ui").Key("admin_only").MustBool(true) {`
			`if !user["Policy"].(map[string]interface{})["IsAdministrator"].(bool) {`
			`app.debug.Printf("Auth denied: Users \"%s\" isn't admin", creds[0])`
			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`}`
			`// New users are only added when using jellyfinLogin.`
			`userID = shortuuid.New()`
			`newUser := User{`
			`UserID: userID,`
			`}`
			`app.debug.Printf("Token generated for user \"%s\"", creds[0])`
			`app.users = append(app.users, newUser)`
			`}`
			`valid = true`
			`}`
			`checkCookie := func() {`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 4 years ago			`cookie, err := gc.Cookie("refresh")`
cleaned up auth 4 years ago			`if err == nil && cookie != "" {`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 4 years ago			`for _, token := range app.invalidTokens {`
			`if cookie == token {`
cleaned up auth 4 years ago			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")`
			`respond(401, "Unauthorized", gc)`
			`noLogin = true`
			`return`
			`}`
			`app.debug.Println("getToken: Invalid token but username/password provided")`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 4 years ago			`return`
			`}`
			`}`
cleaned up auth 4 years ago			`token, err := jwt.Parse(cookie, checkToken)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`if err != nil {`
cleaned up auth 4 years ago			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")`
			`respond(401, "Unauthorized", gc)`
			`noLogin = true`
			`return`
			`}`
			`app.debug.Println("getToken: Invalid token but username/password provided")`
Add auth & gin logging, fixed dummy logger 4 years ago			`return`
			`}`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`claims, ok := token.Claims.(jwt.MapClaims)`
			`expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)`
			`if err != nil {`
cleaned up auth 4 years ago			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)`
			`respond(401, "Unauthorized", gc)`
			`noLogin = true`
			`return`
			`}`
			`app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`return`
			`}`
			`expiry := time.Unix(expiryUnix, 0)`
cleaned up auth 4 years ago			`if !(ok && token.Valid && claims["type"].(string) == "refresh" && expiry.After(time.Now())) {`
			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)`
			`respond(401, "Unauthorized", gc)`
			`noLogin = true`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`return`
			`}`
cleaned up auth 4 years ago			`app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`return`
			`}`
cleaned up auth 4 years ago			`userID = claims["id"].(string)`
			`jfID = claims["jfid"].(string)`
			`valid = true`
first 4 years ago			`}`
			`}`
cleaned up auth 4 years ago			`checkCookie()`
			`if !valid && !noLogin {`
			`checkLogin()`
first 4 years ago			`}`
cleaned up auth 4 years ago			`if valid {`
			`token, refresh, err := CreateToken(userID, jfID)`
			`if err != nil {`
			`app.err.Printf("getToken failed: Couldn't generate token (%s)", err)`
			`respond(500, "Couldn't generate token", gc)`
			`return`
			`}`
			`gc.SetCookie("refresh", refresh, (3600 * 24), "/", gc.Request.URL.Hostname(), true, true)`
Add auth and tags to swagger 4 years ago			`gc.JSON(200, getTokenDTO{token})`
cleaned up auth 4 years ago			`} else {`
			`gc.AbortWithStatus(401)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`}`
first 4 years ago			`}`