96 lines
2.5 KiB
Go
96 lines
2.5 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"crypto/rand"
|
|
"encoding/hex"
|
|
"errors"
|
|
"time"
|
|
|
|
"go.mongodb.org/mongo-driver/v2/bson"
|
|
"go.mongodb.org/mongo-driver/v2/mongo"
|
|
"golang.org/x/crypto/bcrypt"
|
|
|
|
"logjensticks/internal/db"
|
|
)
|
|
|
|
var ErrInvalidCredentials = errors.New("invalid username or password")
|
|
var ErrSessionNotFound = errors.New("session not found or expired")
|
|
|
|
type User struct {
|
|
Username string `bson:"username"`
|
|
PasswordHash string `bson:"password_hash"`
|
|
Role string `bson:"role"`
|
|
}
|
|
|
|
type Session struct {
|
|
Token string `bson:"token"`
|
|
Username string `bson:"username"`
|
|
Role string `bson:"role"`
|
|
ExpiresAt time.Time `bson:"expires_at"`
|
|
}
|
|
|
|
// Login verifies credentials, creates a session, and returns the session token.
|
|
func Login(ctx context.Context, dbc *db.Client, username, password string) (string, *Session, error) {
|
|
var user User
|
|
err := dbc.Users().FindOne(ctx, bson.D{{Key: "username", Value: username}}).Decode(&user)
|
|
if errors.Is(err, mongo.ErrNoDocuments) {
|
|
return "", nil, ErrInvalidCredentials
|
|
}
|
|
if err != nil {
|
|
return "", nil, err
|
|
}
|
|
|
|
if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(password)); err != nil {
|
|
return "", nil, ErrInvalidCredentials
|
|
}
|
|
|
|
token, err := generateToken()
|
|
if err != nil {
|
|
return "", nil, err
|
|
}
|
|
|
|
session := Session{
|
|
Token: token,
|
|
Username: user.Username,
|
|
Role: user.Role,
|
|
ExpiresAt: time.Now().UTC().Add(db.SessionTTL),
|
|
}
|
|
|
|
if _, err := dbc.Sessions().InsertOne(ctx, session); err != nil {
|
|
return "", nil, err
|
|
}
|
|
|
|
return token, &session, nil
|
|
}
|
|
|
|
// ValidateSession looks up a session by token and confirms it has not expired.
|
|
func ValidateSession(ctx context.Context, dbc *db.Client, token string) (*Session, error) {
|
|
var session Session
|
|
err := dbc.Sessions().FindOne(ctx, bson.D{{Key: "token", Value: token}}).Decode(&session)
|
|
if errors.Is(err, mongo.ErrNoDocuments) {
|
|
return nil, ErrSessionNotFound
|
|
}
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if time.Now().After(session.ExpiresAt) {
|
|
return nil, ErrSessionNotFound
|
|
}
|
|
return &session, nil
|
|
}
|
|
|
|
// DeleteSession removes a session document (used on logout).
|
|
func DeleteSession(ctx context.Context, dbc *db.Client, token string) error {
|
|
_, err := dbc.Sessions().DeleteOne(ctx, bson.D{{Key: "token", Value: token}})
|
|
return err
|
|
}
|
|
|
|
func generateToken() (string, error) {
|
|
b := make([]byte, 32)
|
|
if _, err := rand.Read(b); err != nil {
|
|
return "", err
|
|
}
|
|
return hex.EncodeToString(b), nil
|
|
}
|