jfa-go/auth.go

package main

import (
	"encoding/base64"
	"fmt"
	"os"
	"strconv"
	"strings"
	"time"

	"github.com/dgrijalva/jwt-go"
	"github.com/gin-gonic/gin"
	"github.com/lithammer/shortuuid/v3"
)

func (app *appContext) webAuth() gin.HandlerFunc {
	return app.authenticate
}

// CreateToken returns a web token as well as a refresh token, which can be used to obtain new tokens.
func CreateToken(userId, jfId string) (string, string, error) {
	var token, refresh string
	claims := jwt.MapClaims{
		"valid": true,
		"id":    userId,
		"exp":   strconv.FormatInt(time.Now().Add(time.Minute*20).Unix(), 10),
		"jfid":  jfId,
		"type":  "bearer",
	}

	tk := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	token, err := tk.SignedString([]byte(os.Getenv("JFA_SECRET")))
	if err != nil {
		return "", "", err
	}
	claims["exp"] = strconv.FormatInt(time.Now().Add(time.Hour*24).Unix(), 10)
	claims["type"] = "refresh"
	tk = jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	refresh, err = tk.SignedString([]byte(os.Getenv("JFA_SECRET")))
	if err != nil {
		return "", "", err
	}
	return token, refresh, nil
}

// Check header for token
func (app *appContext) authenticate(gc *gin.Context) {
	header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
	if header[0] != "Basic" {
		app.debug.Println("Invalid authentication header")
		respond(401, "Unauthorized", gc)
		return
	}
	auth, _ := base64.StdEncoding.DecodeString(header[1])
	creds := strings.SplitN(string(auth), ":", 2)
	token, err := jwt.Parse(creds[0], checkToken)
	if err != nil {
		app.debug.Printf("Auth denied: %s", err)
		respond(401, "Unauthorized", gc)
		return
	}
	claims, ok := token.Claims.(jwt.MapClaims)
	expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)
	if err != nil {
		app.debug.Printf("Auth denied: %s", err)
		respond(401, "Unauthorized", gc)
		return
	}
	expiry := time.Unix(expiryUnix, 0)
	if !(ok && token.Valid && claims["type"].(string) == "bearer" && expiry.After(time.Now())) {
		app.debug.Printf("Auth denied: Invalid token")
		respond(401, "Unauthorized", gc)
		return
	}
	userID := claims["id"].(string)
	jfID := claims["jfid"].(string)
	match := false
	for _, user := range app.users {
		if user.UserID == userID {
			match = true
			break
		}
	}
	if !match {
		app.debug.Printf("Couldn't find user ID \"%s\"", userID)
		respond(401, "Unauthorized", gc)
		return
	}
	gc.Set("jfId", jfID)
	gc.Set("userId", userID)
	app.debug.Println("Auth succeeded")
	gc.Next()
}

func checkToken(token *jwt.Token) (interface{}, error) {
	if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
		return nil, fmt.Errorf("Unexpected signing method %v", token.Header["alg"])
	}
	return []byte(os.Getenv("JFA_SECRET")), nil
}

// getToken checks the header for a username and password, as well as checking the refresh cookie.
func (app *appContext) getToken(gc *gin.Context) {
	app.info.Println("Token requested (login attempt)")
	header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)
	auth, _ := base64.StdEncoding.DecodeString(header[1])
	creds := strings.SplitN(string(auth), ":", 2)
	// check cookie first
	var userID, jfID string
	valid := false
	noLogin := false
	checkLogin := func() {
		if creds[0] == "" || creds[1] == "" {
			app.debug.Println("Auth denied: blank username/password")
			respond(401, "Unauthorized", gc)
			return
		}
		match := false
		for _, user := range app.users {
			if user.Username == creds[0] && user.Password == creds[1] {
				match = true
				app.debug.Println("Found existing user")
				userID = user.UserID
				break
			}
		}
		if !app.jellyfinLogin && !match {
			app.info.Println("Auth denied: Invalid username/password")
			respond(401, "Unauthorized", gc)
			return
		}
		if !match {
			var status int
			var err error
			var user map[string]interface{}
			user, status, err = app.authJf.authenticate(creds[0], creds[1])
			if status != 200 || err != nil {
				if status == 401 || status == 400 {
					app.info.Println("Auth denied: Invalid username/password (Jellyfin)")
					respond(401, "Unauthorized", gc)
					return
				}
				app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin (%d/%s)", status, err)
				respond(500, "Jellyfin error", gc)
				return
			}
			jfID = user["Id"].(string)
			if app.config.Section("ui").Key("admin_only").MustBool(true) {
				if !user["Policy"].(map[string]interface{})["IsAdministrator"].(bool) {
					app.debug.Printf("Auth denied: Users \"%s\" isn't admin", creds[0])
					respond(401, "Unauthorized", gc)
					return
				}
			}
			// New users are only added when using jellyfinLogin.
			userID = shortuuid.New()
			newUser := User{
				UserID: userID,
			}
			app.debug.Printf("Token generated for user \"%s\"", creds[0])
			app.users = append(app.users, newUser)
		}
		valid = true
	}
	checkCookie := func() {
		cookie, err := gc.Cookie("refresh")
		if err == nil && cookie != "" {
			for _, token := range app.invalidTokens {
				if cookie == token {
					if creds[0] == "" || creds[1] == "" {
						app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")
						respond(401, "Unauthorized", gc)
						noLogin = true
						return
					}
					app.debug.Println("getToken: Invalid token but username/password provided")
					return
				}
			}
			token, err := jwt.Parse(cookie, checkToken)
			if err != nil {
				if creds[0] == "" || creds[1] == "" {
					app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")
					respond(401, "Unauthorized", gc)
					noLogin = true
					return
				}
				app.debug.Println("getToken: Invalid token but username/password provided")
				return
			}
			claims, ok := token.Claims.(jwt.MapClaims)
			expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)
			if err != nil {
				if creds[0] == "" || creds[1] == "" {
					app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)
					respond(401, "Unauthorized", gc)
					noLogin = true
					return
				}
				app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)
				return
			}
			expiry := time.Unix(expiryUnix, 0)
			if !(ok && token.Valid && claims["type"].(string) == "refresh" && expiry.After(time.Now())) {
				if creds[0] == "" || creds[1] == "" {
					app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)
					respond(401, "Unauthorized", gc)
					noLogin = true
					return
				}
				app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)
				return
			}
			userID = claims["id"].(string)
			jfID = claims["jfid"].(string)
			valid = true
		}
	}
	checkCookie()
	if !valid && !noLogin {
		checkLogin()
	}
	if valid {
		token, refresh, err := CreateToken(userID, jfID)
		if err != nil {
			app.err.Printf("getToken failed: Couldn't generate token (%s)", err)
			respond(500, "Couldn't generate token", gc)
			return
		}
		gc.SetCookie("refresh", refresh, (3600 * 24), "/", gc.Request.URL.Hostname(), true, true)
		gc.JSON(200, map[string]string{"token": token})
	} else {
		gc.AbortWithStatus(401)
	}
}
first 4 years ago			`package main`

			`import (`
			`"encoding/base64"`
			`"fmt"`
			`"os"`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`"strconv"`
first 4 years ago			`"strings"`
			`"time"`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago
			`"github.com/dgrijalva/jwt-go"`
			`"github.com/gin-gonic/gin"`
			`"github.com/lithammer/shortuuid/v3"`
first 4 years ago			`)`

use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago			`func (app *appContext) webAuth() gin.HandlerFunc {`
			`return app.authenticate`
first 4 years ago			`}`

cleaned up auth 4 years ago			`// CreateToken returns a web token as well as a refresh token, which can be used to obtain new tokens.`
			`func CreateToken(userId, jfId string) (string, string, error) {`
			`var token, refresh string`
			`claims := jwt.MapClaims{`
			`"valid": true,`
			`"id": userId,`
			`"exp": strconv.FormatInt(time.Now().Add(time.Minute*20).Unix(), 10),`
			`"jfid": jfId,`
			`"type": "bearer",`
			`}`

			`tk := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`token, err := tk.SignedString([]byte(os.Getenv("JFA_SECRET")))`
			`if err != nil {`
			`return "", "", err`
			`}`
			`claims["exp"] = strconv.FormatInt(time.Now().Add(time.Hour*24).Unix(), 10)`
			`claims["type"] = "refresh"`
			`tk = jwt.NewWithClaims(jwt.SigningMethodHS256, claims)`
			`refresh, err = tk.SignedString([]byte(os.Getenv("JFA_SECRET")))`
			`if err != nil {`
			`return "", "", err`
			`}`
			`return token, refresh, nil`
			`}`

			`// Check header for token`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago			`func (app appContext) authenticate(gc gin.Context) {`
first 4 years ago			`header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)`
			`if header[0] != "Basic" {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago			`app.debug.Println("Invalid authentication header")`
first 4 years ago			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`auth, _ := base64.StdEncoding.DecodeString(header[1])`
			`creds := strings.SplitN(string(auth), ":", 2)`
cleaned up auth 4 years ago			`token, err := jwt.Parse(creds[0], checkToken)`
first 4 years ago			`if err != nil {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago			`app.debug.Printf("Auth denied: %s", err)`
first 4 years ago			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`claims, ok := token.Claims.(jwt.MapClaims)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)`
			`if err != nil {`
			`app.debug.Printf("Auth denied: %s", err)`
			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`expiry := time.Unix(expiryUnix, 0)`
cleaned up auth 4 years ago			`if !(ok && token.Valid && claims["type"].(string) == "bearer" && expiry.After(time.Now())) {`
			`app.debug.Printf("Auth denied: Invalid token")`
first 4 years ago			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
cleaned up auth 4 years ago			`userID := claims["id"].(string)`
			`jfID := claims["jfid"].(string)`
first 4 years ago			`match := false`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago			`for _, user := range app.users {`
cleaned up auth 4 years ago			`if user.UserID == userID {`
first 4 years ago			`match = true`
cleaned up auth 4 years ago			`break`
first 4 years ago			`}`
			`}`
			`if !match {`
cleaned up auth 4 years ago			`app.debug.Printf("Couldn't find user ID \"%s\"", userID)`
first 4 years ago			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
cleaned up auth 4 years ago			`gc.Set("jfId", jfID)`
			`gc.Set("userId", userID)`
			`app.debug.Println("Auth succeeded")`
first 4 years ago			`gc.Next()`
			`}`

cleaned up auth 4 years ago			`func checkToken(token *jwt.Token) (interface{}, error) {`
			`if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {`
			`return nil, fmt.Errorf("Unexpected signing method %v", token.Header["alg"])`
			`}`
			`return []byte(os.Getenv("JFA_SECRET")), nil`
			`}`

			`// getToken checks the header for a username and password, as well as checking the refresh cookie.`
			`func (app appContext) getToken(gc gin.Context) {`
use app identifier instead of ctx changing this because ctx is commonly used with the context package. 4 years ago			`app.info.Println("Token requested (login attempt)")`
first 4 years ago			`header := strings.SplitN(gc.Request.Header.Get("Authorization"), " ", 2)`
			`auth, _ := base64.StdEncoding.DecodeString(header[1])`
			`creds := strings.SplitN(string(auth), ":", 2)`
cleaned up auth 4 years ago			`// check cookie first`
			`var userID, jfID string`
			`valid := false`
			`noLogin := false`
			`checkLogin := func() {`
			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Println("Auth denied: blank username/password")`
			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`match := false`
			`for _, user := range app.users {`
			`if user.Username == creds[0] && user.Password == creds[1] {`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 4 years ago			`match = true`
			`app.debug.Println("Found existing user")`
cleaned up auth 4 years ago			`userID = user.UserID`
			`break`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 4 years ago			`}`
first 4 years ago			`}`
cleaned up auth 4 years ago			`if !app.jellyfinLogin && !match {`
			`app.info.Println("Auth denied: Invalid username/password")`
first 4 years ago			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
cleaned up auth 4 years ago			`if !match {`
			`var status int`
			`var err error`
			`var user map[string]interface{}`
			`user, status, err = app.authJf.authenticate(creds[0], creds[1])`
			`if status != 200 \|\| err != nil {`
			`if status == 401 \|\| status == 400 {`
			`app.info.Println("Auth denied: Invalid username/password (Jellyfin)")`
			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`app.err.Printf("Auth failed: Couldn't authenticate with Jellyfin (%d/%s)", status, err)`
			`respond(500, "Jellyfin error", gc)`
			`return`
			`}`
			`jfID = user["Id"].(string)`
			`if app.config.Section("ui").Key("admin_only").MustBool(true) {`
			`if !user["Policy"].(map[string]interface{})["IsAdministrator"].(bool) {`
			`app.debug.Printf("Auth denied: Users \"%s\" isn't admin", creds[0])`
			`respond(401, "Unauthorized", gc)`
			`return`
			`}`
			`}`
			`// New users are only added when using jellyfinLogin.`
			`userID = shortuuid.New()`
			`newUser := User{`
			`UserID: userID,`
			`}`
			`app.debug.Printf("Token generated for user \"%s\"", creds[0])`
			`app.users = append(app.users, newUser)`
			`}`
			`valid = true`
			`}`
			`checkCookie := func() {`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 4 years ago			`cookie, err := gc.Cookie("refresh")`
cleaned up auth 4 years ago			`if err == nil && cookie != "" {`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 4 years ago			`for _, token := range app.invalidTokens {`
			`if cookie == token {`
cleaned up auth 4 years ago			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")`
			`respond(401, "Unauthorized", gc)`
			`noLogin = true`
			`return`
			`}`
			`app.debug.Println("getToken: Invalid token but username/password provided")`
Fixed flaw with jellyfin_login; store refresh token in cookies with jellyfin_login enabled, the username and password vals in the User struct would be "". If you disabled 'required' on the login form, blank username and password would allow you in. 4 years ago			`return`
			`}`
			`}`
cleaned up auth 4 years ago			`token, err := jwt.Parse(cookie, checkToken)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`if err != nil {`
cleaned up auth 4 years ago			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Println("getToken denied: Invalid refresh token and no username/password provided")`
			`respond(401, "Unauthorized", gc)`
			`noLogin = true`
			`return`
			`}`
			`app.debug.Println("getToken: Invalid token but username/password provided")`
Add auth & gin logging, fixed dummy logger 4 years ago			`return`
			`}`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`claims, ok := token.Claims.(jwt.MapClaims)`
			`expiryUnix, err := strconv.ParseInt(claims["exp"].(string), 10, 64)`
			`if err != nil {`
cleaned up auth 4 years ago			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)`
			`respond(401, "Unauthorized", gc)`
			`noLogin = true`
			`return`
			`}`
			`app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`return`
			`}`
			`expiry := time.Unix(expiryUnix, 0)`
cleaned up auth 4 years ago			`if !(ok && token.Valid && claims["type"].(string) == "refresh" && expiry.After(time.Now())) {`
			`if creds[0] == "" \|\| creds[1] == "" {`
			`app.debug.Printf("getToken denied: Invalid token (%s) and no username/password provided", err)`
			`respond(401, "Unauthorized", gc)`
			`noLogin = true`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`return`
			`}`
cleaned up auth 4 years ago			`app.debug.Printf("getToken: Invalid token (%s) but username/password provided", err)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`return`
			`}`
cleaned up auth 4 years ago			`userID = claims["id"].(string)`
			`jfID = claims["jfid"].(string)`
			`valid = true`
first 4 years ago			`}`
			`}`
cleaned up auth 4 years ago			`checkCookie()`
			`if !valid && !noLogin {`
			`checkLogin()`
first 4 years ago			`}`
cleaned up auth 4 years ago			`if valid {`
			`token, refresh, err := CreateToken(userID, jfID)`
			`if err != nil {`
			`app.err.Printf("getToken failed: Couldn't generate token (%s)", err)`
			`respond(500, "Couldn't generate token", gc)`
			`return`
			`}`
			`gc.SetCookie("refresh", refresh, (3600 * 24), "/", gc.Request.URL.Hostname(), true, true)`
			`gc.JSON(200, map[string]string{"token": token})`
			`} else {`
			`gc.AbortWithStatus(401)`
Add refresh tokens for persistent login, logout button the main JWT is stored temporarily, whereas the refresh token is stored as a cookie and can only be used to obtain a new main token. Logout button adds token to blocklist internally and deletes JWT and refresh token from browser storage. 4 years ago			`}`
first 4 years ago			`}`