Semaphore/api/auth.go

package api

import (
	"database/sql"
	"fmt"
	"net/http"
	"strings"
	"time"

	"github.com/ansible-semaphore/semaphore/db"
	"github.com/ansible-semaphore/semaphore/util"
	"github.com/gorilla/context"
)

func authentication(w http.ResponseWriter, r *http.Request) {
	var userID int

	if authHeader := strings.ToLower(r.Header.Get("authorization")); len(authHeader) > 0 && strings.Contains(authHeader, "bearer") {
		var token db.APIToken
		if err := db.Mysql.SelectOne(&token, "select * from user__token where id=? and expired=0", strings.Replace(authHeader, "bearer ", "", 1)); err != nil {
			if err == sql.ErrNoRows {
				w.WriteHeader(http.StatusForbidden)
				return
			}

			panic(err)
		}

		userID = token.UserID
	} else {
		// fetch session from cookie
		cookie, err := r.Cookie("semaphore")
		if err != nil {
			w.WriteHeader(http.StatusForbidden)
			return
		}

		value := make(map[string]interface{})
		if err = util.Cookie.Decode("semaphore", cookie.Value, &value); err != nil {
			w.WriteHeader(http.StatusForbidden)
			return
		}

		user, ok := value["user"]
		sessionVal, okSession := value["session"]
		if !ok || !okSession {
			w.WriteHeader(http.StatusForbidden)
			return
		}

		userID = user.(int)
		sessionID := sessionVal.(int)

		// fetch session
		var session db.Session
		if err := db.Mysql.SelectOne(&session, "select * from session where id=? and user_id=? and expired=0", sessionID, userID); err != nil {
			w.WriteHeader(http.StatusForbidden)
			return
		}

		if time.Now().Sub(session.LastActive).Hours() > 7*24 {
			// more than week old unused session
			// destroy.
			if _, err := db.Mysql.Exec("update session set expired=1 where id=?", sessionID); err != nil {
				panic(err)
			}

			w.WriteHeader(http.StatusForbidden)
			return
		}

		if _, err := db.Mysql.Exec("update session set last_active=UTC_TIMESTAMP() where id=?", sessionID); err != nil {
			panic(err)
		}
	}

	user, err := db.FetchUser(userID)
	if err != nil {
		fmt.Println("Can't find user", err)
		w.WriteHeader(http.StatusForbidden)
		return
	}

	context.Set(r, "user", user)
}
refactoring 2016-05-24 11:55:48 +02:00			`package api`
Initial v2 work 2016-01-05 00:32:53 +01:00
			`import (`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`"database/sql"`
Initial v2 work 2016-01-05 00:32:53 +01:00			`"fmt"`
🎉 gin -> net/http 2017-02-23 00:21:49 +01:00			`"net/http"`
API Tokens, Documentation - API Tokens - More documentation - Update API 2016-04-09 21:09:57 +02:00			`"strings"`
Initial v2 work 2016-01-05 00:32:53 +01:00			`"time"`
Use proper github path 2016-03-16 22:49:43 +01:00
merge models -> db 2017-02-23 06:12:16 +01:00			`"github.com/ansible-semaphore/semaphore/db"`
Use proper github path 2016-03-16 22:49:43 +01:00			`"github.com/ansible-semaphore/semaphore/util"`
🎉 gin -> net/http 2017-02-23 00:21:49 +01:00			`"github.com/gorilla/context"`
Initial v2 work 2016-01-05 00:32:53 +01:00			`)`

begin refactor gin -> net/http 2017-02-22 23:17:36 +01:00			`func authentication(w http.ResponseWriter, r *http.Request) {`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`var userID int`
API Tokens, Documentation - API Tokens - More documentation - Update API 2016-04-09 21:09:57 +02:00
begin refactor gin -> net/http 2017-02-22 23:17:36 +01:00			`if authHeader := strings.ToLower(r.Header.Get("authorization")); len(authHeader) > 0 && strings.Contains(authHeader, "bearer") {`
merge models -> db 2017-02-23 06:12:16 +01:00			`var token db.APIToken`
			`if err := db.Mysql.SelectOne(&token, "select * from user__token where id=? and expired=0", strings.Replace(authHeader, "bearer ", "", 1)); err != nil {`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`if err == sql.ErrNoRows {`
begin refactor gin -> net/http 2017-02-22 23:17:36 +01:00			`w.WriteHeader(http.StatusForbidden)`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`return`
API Tokens, Documentation - API Tokens - More documentation - Update API 2016-04-09 21:09:57 +02:00			`}`

🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`panic(err)`
Initial v2 work 2016-01-05 00:32:53 +01:00			`}`

🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`userID = token.UserID`
			`} else {`
			`// fetch session from cookie`
begin refactor gin -> net/http 2017-02-22 23:17:36 +01:00			`cookie, err := r.Cookie("semaphore")`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`if err != nil {`
begin refactor gin -> net/http 2017-02-22 23:17:36 +01:00			`w.WriteHeader(http.StatusForbidden)`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`return`
			`}`
Initial v2 work 2016-01-05 00:32:53 +01:00
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`value := make(map[string]interface{})`
			`if err = util.Cookie.Decode("semaphore", cookie.Value, &value); err != nil {`
begin refactor gin -> net/http 2017-02-22 23:17:36 +01:00			`w.WriteHeader(http.StatusForbidden)`
improve setup - fix bug with -setup not accepting spaces - fix pointless panic while decoding cookies - fix bug generating secure hashes for cookies during setup 2016-05-17 22:17:17 +02:00			`return`
Initial v2 work 2016-01-05 00:32:53 +01:00			`}`

🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`user, ok := value["user"]`
			`sessionVal, okSession := value["session"]`
			`if !ok \|\| !okSession {`
begin refactor gin -> net/http 2017-02-22 23:17:36 +01:00			`w.WriteHeader(http.StatusForbidden)`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`return`
			`}`
Initial v2 work 2016-01-05 00:32:53 +01:00
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`userID = user.(int)`
			`sessionID := sessionVal.(int)`
Initial v2 work 2016-01-05 00:32:53 +01:00
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`// fetch session`
merge models -> db 2017-02-23 06:12:16 +01:00			`var session db.Session`
			`if err := db.Mysql.SelectOne(&session, "select * from session where id=? and user_id=? and expired=0", sessionID, userID); err != nil {`
begin refactor gin -> net/http 2017-02-22 23:17:36 +01:00			`w.WriteHeader(http.StatusForbidden)`
Auth page - Restructuring & co 2016-03-18 23:03:28 +01:00			`return`
			`}`
Initial v2 work 2016-01-05 00:32:53 +01:00
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`if time.Now().Sub(session.LastActive).Hours() > 7*24 {`
			`// more than week old unused session`
			`// destroy.`
merge models -> db 2017-02-23 06:12:16 +01:00			`if _, err := db.Mysql.Exec("update session set expired=1 where id=?", sessionID); err != nil {`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`panic(err)`
			`}`
Initial v2 work 2016-01-05 00:32:53 +01:00
begin refactor gin -> net/http 2017-02-22 23:17:36 +01:00			`w.WriteHeader(http.StatusForbidden)`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`return`
			`}`
API Tokens, Documentation - API Tokens - More documentation - Update API 2016-04-09 21:09:57 +02:00
Merge branch 'master' into develop # Conflicts: # api/auth.go # cli/main.go # db/Event.go 2017-03-06 20:34:10 +01:00			`if _, err := db.Mysql.Exec("update session set last_active=UTC_TIMESTAMP() where id=?", sessionID); err != nil {`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`panic(err)`
			`}`
			`}`
Initial v2 work 2016-01-05 00:32:53 +01:00
merge models -> db 2017-02-23 06:12:16 +01:00			`user, err := db.FetchUser(userID)`
🎉 remove redis dependency - Remove mandrill - Remove redis - Sessions & more transparency into who's logged into your user - Session is stored in cookies (map of two integers.) - Encrypted sessions, configurable keys (auto-generated) 2016-04-30 14:28:47 +02:00			`if err != nil {`
			`fmt.Println("Can't find user", err)`
begin refactor gin -> net/http 2017-02-22 23:17:36 +01:00			`w.WriteHeader(http.StatusForbidden)`
Initial v2 work 2016-01-05 00:32:53 +01:00			`return`
			`}`

🎉 gin -> net/http 2017-02-23 00:21:49 +01:00			`context.Set(r, "user", user)`
Initial v2 work 2016-01-05 00:32:53 +01:00			`}`