wallet-sync-server/auth/auth.go

package auth

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// TODO - Learn how to use https://github.com/golang/oauth2 instead
// TODO - Look into jwt, etc.
// For now I just want a process that's shaped like what I'm looking for.
//   (email/password, encrypted wallets, hmac, lastSynced, etc)

type UserId int32
type Email string
type DeviceId string
type Password string
type AuthTokenString string
type AuthScope string

const ScopeFull = AuthScope("*")

// For test stubs
type AuthInterface interface {
	// TODO maybe have a "refresh token" thing if the client won't have email available all the time?
	NewToken(UserId, DeviceId, AuthScope) (*AuthToken, error)
}

type Auth struct{}

// Note that everything here is given to anybody who presents a valid
// downloadKey and associated email. Currently these fields are safe to give
// at that low security level, but keep this in mind as we change this struct.
type AuthToken struct {
	Token      AuthTokenString `json:"token"`
	DeviceId   DeviceId        `json:"deviceId"`
	Scope      AuthScope       `json:"scope"`
	UserId     UserId          `json:"userId"`
	Expiration *time.Time      `json:"expiration"`
}

const AuthTokenLength = 32

func (a *Auth) NewToken(userId UserId, deviceId DeviceId, scope AuthScope) (*AuthToken, error) {
	b := make([]byte, AuthTokenLength)
	// TODO - Is this is a secure random function? (Maybe audit)
	if _, err := rand.Read(b); err != nil {
		return nil, fmt.Errorf("Error generating token: %+v", err)
	}

	return &AuthToken{
		Token:    AuthTokenString(hex.EncodeToString(b)),
		DeviceId: deviceId,
		Scope:    scope,
		UserId:   userId,
		// TODO add Expiration here instead of putting it in store.go. and thus redo store.go. d'oh.
	}, nil
}

// NOTE - not stubbing methods of structs like this. more convoluted than it's worth right now
func (at *AuthToken) ScopeValid(required AuthScope) bool {
	// So far the only scope issued. Used to have more, didn't want to delete
	// this feature yet in case we add more again. We'll delete it if it's of
	// no use and ends up complicating anything.
	return at.Scope == ScopeFull
}

func (p Password) Obfuscate() string {
	// TODO KDF instead
	hash := sha256.Sum256([]byte(p))
	return hex.EncodeToString(hash[:])
}
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`package auth`

			`import (`
			`"crypto/rand"`
			`"crypto/sha256"`
			`"encoding/hex"`
			`"fmt"`
			`"time"`
			`)`

			`// TODO - Learn how to use https://github.com/golang/oauth2 instead`
			`// TODO - Look into jwt, etc.`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			`// For now I just want a process that's shaped like what I'm looking for.`
			`// (email/password, encrypted wallets, hmac, lastSynced, etc)`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			`type UserId int32`
			`type Email string`
			`type DeviceId string`
			`type Password string`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`type AuthTokenString string`
			`type AuthScope string`

			`const ScopeFull = AuthScope("*")`

			`// For test stubs`
			`type AuthInterface interface {`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			`// TODO maybe have a "refresh token" thing if the client won't have email available all the time?`
			`NewToken(UserId, DeviceId, AuthScope) (*AuthToken, error)`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`}`

			`type Auth struct{}`

			`// Note that everything here is given to anybody who presents a valid`
			`// downloadKey and associated email. Currently these fields are safe to give`
			`// at that low security level, but keep this in mind as we change this struct.`
			`type AuthToken struct {`
			Token AuthTokenString `json:"token"`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			DeviceId DeviceId `json:"deviceId"`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			Scope AuthScope `json:"scope"`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			UserId UserId `json:"userId"`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			Expiration *time.Time `json:"expiration"`
			`}`

			`const AuthTokenLength = 32`

Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			`func (a Auth) NewToken(userId UserId, deviceId DeviceId, scope AuthScope) (AuthToken, error) {`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`b := make([]byte, AuthTokenLength)`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			`// TODO - Is this is a secure random function? (Maybe audit)`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`if _, err := rand.Read(b); err != nil {`
			`return nil, fmt.Errorf("Error generating token: %+v", err)`
			`}`

			`return &AuthToken{`
			`Token: AuthTokenString(hex.EncodeToString(b)),`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00			`DeviceId: deviceId,`
			`Scope: scope,`
			`UserId: userId,`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`// TODO add Expiration here instead of putting it in store.go. and thus redo store.go. d'oh.`
			`}, nil`
			`}`

			`// NOTE - not stubbing methods of structs like this. more convoluted than it's worth right now`
			`func (at *AuthToken) ScopeValid(required AuthScope) bool {`
Delete some things we don't need anymore 2022-06-08 00:15:46 +02:00			`// So far the only scope issued. Used to have more, didn't want to delete`
			`// this feature yet in case we add more again. We'll delete it if it's of`
			`// no use and ends up complicating anything.`
			`return at.Scope == ScopeFull`
Get/Post WalletState, account recover, test client A few things at once because it was faster to get a demo out the door. Skipping most test implementation though I made failing stubs so I know what to fill in later. * Get/Post WalletState * downloadKey/email so that a second client can log in, and/or recover from lost client * Test client in Python to demonstrate the above * Organize into packages 2021-12-25 02:16:58 +01:00			`}`
Change to normal password auth, and various things 2022-06-07 19:25:14 +02:00
			`func (p Password) Obfuscate() string {`
			`// TODO KDF instead`
			`hash := sha256.Sum256([]byte(p))`
			`return hex.EncodeToString(hash[:])`
			`}`