cc-backend/internal/auth/auth.go

// Copyright (C) 2023 NHR@FAU, University Erlangen-Nuremberg.
// All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package auth

import (
	"context"
	"crypto/rand"
	"database/sql"
	"encoding/base64"
	"errors"
	"net/http"
	"os"
	"time"

	"github.com/ClusterCockpit/cc-backend/pkg/log"
	"github.com/gorilla/sessions"
	"github.com/jmoiron/sqlx"
)

type AuthSource int

const (
	AuthViaLocalPassword AuthSource = iota
	AuthViaLDAP
	AuthViaToken
)

type AuthType int

const (
	AuthToken AuthType = iota
	AuthSession
)

type User struct {
	Username   string     `json:"username"`
	Password   string     `json:"-"`
	Name       string     `json:"name"`
	Roles      []string   `json:"roles"`
	AuthType   AuthType   `json:"authType"`
	AuthSource AuthSource `json:"authSource"`
	Email      string     `json:"email"`
	Projects   []string   `json:"projects"`
}

func (u *User) HasProject(project string) bool {
	for _, p := range u.Projects {
		if p == project {
			return true
		}
	}
	return false
}

func GetUser(ctx context.Context) *User {
	x := ctx.Value(ContextUserKey)
	if x == nil {
		return nil
	}

	return x.(*User)
}

type Authenticator interface {
	Init(auth *Authentication, config interface{}) error
	CanLogin(user *User, username string, rw http.ResponseWriter, r *http.Request) bool
	Login(user *User, rw http.ResponseWriter, r *http.Request) (*User, error)
}

type ContextKey string

const ContextUserKey ContextKey = "user"

type Authentication struct {
	db            *sqlx.DB
	sessionStore  *sessions.CookieStore
	SessionMaxAge time.Duration

	authenticators []Authenticator
	LdapAuth       *LdapAuthenticator
	JwtAuth        *JWTAuthenticator
	LocalAuth      *LocalAuthenticator
}

func (auth *Authentication) AuthViaSession(
	rw http.ResponseWriter,
	r *http.Request) (*User, error) {
	session, err := auth.sessionStore.Get(r, "session")
	if err != nil {
		log.Error("Error while getting session store")
		return nil, err
	}

	if session.IsNew {
		return nil, nil
	}
	//
	// var username string
	// var projects, roles []string
	//
	// if val, ok := session.Values["username"]; ok {
	// 	username, _ = val.(string)
	// } else {
	// 	return nil, errors.New("no key username in session")
	// }
	// if val, ok := session.Values["projects"]; ok {
	// 	projects, _ = val.([]string)
	// } else {
	// 	return nil, errors.New("no key projects in session")
	// }
	// if val, ok := session.Values["projects"]; ok {
	// 	roles, _ = val.([]string)
	// } else {
	// 	return nil, errors.New("no key roles in session")
	// }
	//
	username, _ := session.Values["username"].(string)
	projects, _ := session.Values["projects"].([]string)
	roles, _ := session.Values["roles"].([]string)
	return &User{
		Username:   username,
		Projects:   projects,
		Roles:      roles,
		AuthType:   AuthSession,
		AuthSource: -1,
	}, nil
}

func Init(db *sqlx.DB,
	configs map[string]interface{}) (*Authentication, error) {
	auth := &Authentication{}
	auth.db = db

	sessKey := os.Getenv("SESSION_KEY")
	if sessKey == "" {
		log.Warn("environment variable 'SESSION_KEY' not set (will use non-persistent random key)")
		bytes := make([]byte, 32)
		if _, err := rand.Read(bytes); err != nil {
			log.Error("Error while initializing authentication -> failed to generate random bytes for session key")
			return nil, err
		}
		auth.sessionStore = sessions.NewCookieStore(bytes)
	} else {
		bytes, err := base64.StdEncoding.DecodeString(sessKey)
		if err != nil {
			log.Error("Error while initializing authentication -> decoding session key failed")
			return nil, err
		}
		auth.sessionStore = sessions.NewCookieStore(bytes)
	}

	auth.JwtAuth = &JWTAuthenticator{}
	if err := auth.JwtAuth.Init(auth, configs["jwt"]); err != nil {
		log.Error("Error while initializing authentication -> jwtAuth init failed")
		return nil, err
	}

	if config, ok := configs["ldap"]; ok {
		ldapAuth := &LdapAuthenticator{}
		if err := ldapAuth.Init(auth, config); err != nil {
			log.Warn("Error while initializing authentication -> ldapAuth init failed")
		} else {
			auth.LdapAuth = ldapAuth
			auth.authenticators = append(auth.authenticators, auth.LdapAuth)
		}
	}

	jwtSessionAuth := &JWTSessionAuthenticator{}
	if err := jwtSessionAuth.Init(auth, configs["jwt"]); err != nil {
		log.Warn("Error while initializing authentication -> jwtSessionAuth init failed")
	} else {
		auth.authenticators = append(auth.authenticators, jwtSessionAuth)
	}

	jwtCookieSessionAuth := &JWTCookieSessionAuthenticator{}
	if err := jwtCookieSessionAuth.Init(auth, configs["jwt"]); err != nil {
		log.Warn("Error while initializing authentication -> jwtCookieSessionAuth init failed")
	} else {
		auth.authenticators = append(auth.authenticators, jwtCookieSessionAuth)
	}

	auth.LocalAuth = &LocalAuthenticator{}
	if err := auth.LocalAuth.Init(auth, nil); err != nil {
		log.Error("Error while initializing authentication -> localAuth init failed")
		return nil, err
	}
	auth.authenticators = append(auth.authenticators, auth.LocalAuth)

	return auth, nil
}

func (auth *Authentication) Login(
	onsuccess http.Handler,
	onfailure func(rw http.ResponseWriter, r *http.Request, loginErr error)) http.Handler {

	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		err := errors.New("no authenticator applied")
		username := r.FormValue("username")
		dbUser := (*User)(nil)

		if username != "" {
			dbUser, err = auth.GetUser(username)
			if err != nil && err != sql.ErrNoRows {
				log.Errorf("Error while loading user '%v'", username)
			}
		}

		for _, authenticator := range auth.authenticators {
			if !authenticator.CanLogin(dbUser, username, rw, r) {
				continue
			}

			user, err := authenticator.Login(dbUser, rw, r)
			if err != nil {
				log.Warnf("user login failed: %s", err.Error())
				onfailure(rw, r, err)
				return
			}

			session, err := auth.sessionStore.New(r, "session")
			if err != nil {
				log.Errorf("session creation failed: %s", err.Error())
				http.Error(rw, err.Error(), http.StatusInternalServerError)
				return
			}

			if auth.SessionMaxAge != 0 {
				session.Options.MaxAge = int(auth.SessionMaxAge.Seconds())
			}
			session.Values["username"] = user.Username
			session.Values["projects"] = user.Projects
			session.Values["roles"] = user.Roles
			if err := auth.sessionStore.Save(r, rw, session); err != nil {
				log.Warnf("session save failed: %s", err.Error())
				http.Error(rw, err.Error(), http.StatusInternalServerError)
				return
			}

			if dbUser == nil {
				if err := auth.AddUser(user); err != nil {
					// TODO Add AuthSource
					log.Errorf("Error while adding user '%v' to auth from XX",
						user.Username)
				}
			}

			log.Infof("login successfull: user: %#v (roles: %v, projects: %v)", user.Username, user.Roles, user.Projects)
			ctx := context.WithValue(r.Context(), ContextUserKey, user)
			onsuccess.ServeHTTP(rw, r.WithContext(ctx))
			return
		}

		log.Debugf("login failed: no authenticator applied")
		onfailure(rw, r, err)
	})
}

func (auth *Authentication) Auth(
	onsuccess http.Handler,
	onfailure func(rw http.ResponseWriter, r *http.Request, authErr error)) http.Handler {

	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {

		user, err := auth.JwtAuth.AuthViaJWT(rw, r)
		if err != nil {
			log.Infof("authentication failed: %s", err.Error())
			http.Error(rw, err.Error(), http.StatusUnauthorized)
			return
		}

		if user == nil {
			user, err = auth.AuthViaSession(rw, r)
			if err != nil {
				log.Infof("authentication failed: %s", err.Error())
				http.Error(rw, err.Error(), http.StatusUnauthorized)
				return
			}
		}

		if user != nil {
			ctx := context.WithValue(r.Context(), ContextUserKey, user)
			onsuccess.ServeHTTP(rw, r.WithContext(ctx))
			return
		}

		log.Debug("authentication failed")
		onfailure(rw, r, errors.New("unauthorized (please login first)"))
	})
}

func (auth *Authentication) Logout(onsuccess http.Handler) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		session, err := auth.sessionStore.Get(r, "session")
		if err != nil {
			http.Error(rw, err.Error(), http.StatusInternalServerError)
			return
		}

		if !session.IsNew {
			session.Options.MaxAge = -1
			if err := auth.sessionStore.Save(r, rw, session); err != nil {
				http.Error(rw, err.Error(), http.StatusInternalServerError)
				return
			}
		}

		onsuccess.ServeHTTP(rw, r)
	})
}
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`// Copyright (C) 2023 NHR@FAU, University Erlangen-Nuremberg.`
Add copyright and license header. Update license year 2022-07-29 06:29:21 +02:00			`// All rights reserved.`
			`// Use of this source code is governed by a MIT-style`
			`// license that can be found in the LICENSE file.`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`package auth`

			`import (`
			`"context"`
bugfixes in auth/ 2022-07-25 09:33:36 +02:00			`"crypto/rand"`
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`"database/sql"`
bugfixes in auth/ 2022-07-25 09:33:36 +02:00			`"encoding/base64"`
			`"errors"`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`"net/http"`
bugfixes in auth/ 2022-07-25 09:33:36 +02:00			`"os"`
Add config option for expiration of sessions/tokens 2022-02-16 11:50:25 +01:00			`"time"`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00
Refactor directory structure 2022-06-21 17:52:36 +02:00			`"github.com/ClusterCockpit/cc-backend/pkg/log"`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`"github.com/gorilla/sessions"`
			`"github.com/jmoiron/sqlx"`
			`)`

Rework roles as enum, change AuthSource to enum 2023-03-06 11:44:38 +01:00			`type AuthSource int`

authentication: roles as regular array; simplified LDAP 2022-01-27 09:29:11 +01:00			`const (`
Rework roles as enum, change AuthSource to enum 2023-03-06 11:44:38 +01:00			`AuthViaLocalPassword AuthSource = iota`
			`AuthViaLDAP`
			`AuthViaToken`
authentication: roles as regular array; simplified LDAP 2022-01-27 09:29:11 +01:00			`)`

refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`type AuthType int`

			`const (`
			`AuthToken AuthType = iota`
			`AuthSession`
			`)`

Rework roles as enum, change AuthSource to enum 2023-03-06 11:44:38 +01:00			`type User struct {`
			Username string `json:"username"`
			Password string `json:"-"`
			Name string `json:"name"`
			Roles []string `json:"roles"`
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			AuthType AuthType `json:"authType"`
			AuthSource AuthSource `json:"authSource"`
Rework roles as enum, change AuthSource to enum 2023-03-06 11:44:38 +01:00			Email string `json:"email"`
			Projects []string `json:"projects"`
			`}`

Add 'project' to user table, add 'manager' role, conditional web render - Addresses issues #40 #45 #82 - Reworked Navigation Header for all roles - 'Manager' role added, can be assigned a project-id in config by admins - BREAKING! -> Added 'project' column in SQLite3 table 'user' - Manager-Assigned project will be added to all graphql filters: Only show Jobs and Users of given project - 'My Jobs' Tab for all Roles - Switched from Bool "isAdmin" to integer authLevels - Removed critical data frontend logging - Reworked repo.query.SecurityCheck() 2023-01-27 18:36:58 +01:00			`func (u *User) HasProject(project string) bool {`
Add support for multiple projects per manager - Handled like roles in admin view - !! NEW COLUMN CHANGED TO "projects" 2023-02-17 15:45:31 +01:00			`for _, p := range u.Projects {`
			`if p == project {`
			`return true`
			`}`
Add 'project' to user table, add 'manager' role, conditional web render - Addresses issues #40 #45 #82 - Reworked Navigation Header for all roles - 'Manager' role added, can be assigned a project-id in config by admins - BREAKING! -> Added 'project' column in SQLite3 table 'user' - Manager-Assigned project will be added to all graphql filters: Only show Jobs and Users of given project - 'My Jobs' Tab for all Roles - Switched from Bool "isAdmin" to integer authLevels - Removed critical data frontend logging - Reworked repo.query.SecurityCheck() 2023-01-27 18:36:58 +01:00			`}`
Add support for multiple projects per manager - Handled like roles in admin view - !! NEW COLUMN CHANGED TO "projects" 2023-02-17 15:45:31 +01:00			`return false`
Add 'project' to user table, add 'manager' role, conditional web render - Addresses issues #40 #45 #82 - Reworked Navigation Header for all roles - 'Manager' role added, can be assigned a project-id in config by admins - BREAKING! -> Added 'project' column in SQLite3 table 'user' - Manager-Assigned project will be added to all graphql filters: Only show Jobs and Users of given project - 'My Jobs' Tab for all Roles - Switched from Bool "isAdmin" to integer authLevels - Removed critical data frontend logging - Reworked repo.query.SecurityCheck() 2023-01-27 18:36:58 +01:00			`}`

Integrate new auth interface 2022-07-07 14:08:37 +02:00			`func GetUser(ctx context.Context) *User {`
			`x := ctx.Value(ContextUserKey)`
			`if x == nil {`
			`return nil`
			`}`

			`return x.(*User)`
			`}`

			`type Authenticator interface {`
			`Init(auth *Authentication, config interface{}) error`
Add LDAPSyncOnLogin option Cleanup Extend docs Remove obsolete Expiration attribute 2023-08-14 12:40:21 +02:00			`CanLogin(user User, username string, rw http.ResponseWriter, r http.Request) bool`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`Login(user User, rw http.ResponseWriter, r http.Request) (*User, error)`
			`}`

authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`type ContextKey string`

			`const ContextUserKey ContextKey = "user"`

Refactor auth/ 2022-02-14 14:22:44 +01:00			`type Authentication struct {`
			`db *sqlx.DB`
			`sessionStore *sessions.CookieStore`
Add config option for expiration of sessions/tokens 2022-02-16 11:50:25 +01:00			`SessionMaxAge time.Duration`
Integrate new auth interface 2022-07-07 14:08:37 +02:00
			`authenticators []Authenticator`
Reformat and Refactor packages. Rebuild GraphQL. 2022-09-07 12:24:45 +02:00			`LdapAuth *LdapAuthenticator`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`JwtAuth *JWTAuthenticator`
			`LocalAuth *LocalAuthenticator`
Refactor auth/ 2022-02-14 14:22:44 +01:00			`}`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`func (auth *Authentication) AuthViaSession(`
			`rw http.ResponseWriter,`
			`r http.Request) (User, error) {`
			`session, err := auth.sessionStore.Get(r, "session")`
			`if err != nil {`
			`log.Error("Error while getting session store")`
			`return nil, err`
			`}`

			`if session.IsNew {`
			`return nil, nil`
			`}`
Readd URL token and cleanup Fix session values. 2023-08-12 09:02:41 +02:00			`//`
			`// var username string`
			`// var projects, roles []string`
			`//`
			`// if val, ok := session.Values["username"]; ok {`
			`// username, _ = val.(string)`
			`// } else {`
			`// return nil, errors.New("no key username in session")`
			`// }`
			`// if val, ok := session.Values["projects"]; ok {`
			`// projects, _ = val.([]string)`
			`// } else {`
			`// return nil, errors.New("no key projects in session")`
			`// }`
			`// if val, ok := session.Values["projects"]; ok {`
			`// roles, _ = val.([]string)`
			`// } else {`
			`// return nil, errors.New("no key roles in session")`
			`// }`
			`//`
			`username, _ := session.Values["username"].(string)`
			`projects, _ := session.Values["projects"].([]string)`
			`roles, _ := session.Values["roles"].([]string)`
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`return &User{`
			`Username: username,`
			`Projects: projects,`
			`Roles: roles,`
			`AuthType: AuthSession,`
			`AuthSource: -1,`
			`}, nil`
			`}`

Move data structures to config package 2022-09-06 15:43:57 +02:00			`func Init(db *sqlx.DB,`
			`configs map[string]interface{}) (*Authentication, error) {`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`auth := &Authentication{}`
Refactor auth/ 2022-02-14 14:22:44 +01:00			`auth.db = db`
Some new REST endpoints; cleanup 2022-03-03 14:54:37 +01:00
bugfixes in auth/ 2022-07-25 09:33:36 +02:00			`sessKey := os.Getenv("SESSION_KEY")`
			`if sessKey == "" {`
			`log.Warn("environment variable 'SESSION_KEY' not set (will use non-persistent random key)")`
			`bytes := make([]byte, 32)`
			`if _, err := rand.Read(bytes); err != nil {`
Add log messages to error events w/o log message, primaryly error level - "log spam" to be controlled via loglevel flag on startup 2023-01-31 18:28:44 +01:00			`log.Error("Error while initializing authentication -> failed to generate random bytes for session key")`
bugfixes in auth/ 2022-07-25 09:33:36 +02:00			`return nil, err`
			`}`
			`auth.sessionStore = sessions.NewCookieStore(bytes)`
			`} else {`
			`bytes, err := base64.StdEncoding.DecodeString(sessKey)`
			`if err != nil {`
Add log messages to error events w/o log message, primaryly error level - "log spam" to be controlled via loglevel flag on startup 2023-01-31 18:28:44 +01:00			`log.Error("Error while initializing authentication -> decoding session key failed")`
bugfixes in auth/ 2022-07-25 09:33:36 +02:00			`return nil, err`
			`}`
			`auth.sessionStore = sessions.NewCookieStore(bytes)`
			`}`

Integrate new auth interface 2022-07-07 14:08:37 +02:00			`auth.JwtAuth = &JWTAuthenticator{}`
			`if err := auth.JwtAuth.Init(auth, configs["jwt"]); err != nil {`
Add log messages to error events w/o log message, primaryly error level - "log spam" to be controlled via loglevel flag on startup 2023-01-31 18:28:44 +01:00			`log.Error("Error while initializing authentication -> jwtAuth init failed")`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`return nil, err`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`}`

Integrate new auth interface 2022-07-07 14:08:37 +02:00			`if config, ok := configs["ldap"]; ok {`
Fix errors in ldap auth 2023-08-16 09:19:41 +02:00			`ldapAuth := &LdapAuthenticator{}`
			`if err := ldapAuth.Init(auth, config); err != nil {`
			`log.Warn("Error while initializing authentication -> ldapAuth init failed")`
			`} else {`
			`auth.LdapAuth = ldapAuth`
			`auth.authenticators = append(auth.authenticators, auth.LdapAuth)`
Refactor auth/ 2022-02-14 14:22:44 +01:00			`}`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`}`

refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`jwtSessionAuth := &JWTSessionAuthenticator{}`
			`if err := jwtSessionAuth.Init(auth, configs["jwt"]); err != nil {`
			`log.Warn("Error while initializing authentication -> jwtSessionAuth init failed")`
			`} else {`
			`auth.authenticators = append(auth.authenticators, jwtSessionAuth)`
			`}`
Reformat and Refactor packages. Rebuild GraphQL. 2022-09-07 12:24:45 +02:00
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`jwtCookieSessionAuth := &JWTCookieSessionAuthenticator{}`
Fix errors in ldap auth 2023-08-16 09:19:41 +02:00			`if err := jwtCookieSessionAuth.Init(auth, configs["jwt"]); err != nil {`
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`log.Warn("Error while initializing authentication -> jwtCookieSessionAuth init failed")`
			`} else {`
			`auth.authenticators = append(auth.authenticators, jwtCookieSessionAuth)`
Add user name/email to GraphQL API 2022-03-15 11:04:54 +01:00			`}`

refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`auth.LocalAuth = &LocalAuthenticator{}`
			`if err := auth.LocalAuth.Init(auth, nil); err != nil {`
			`log.Error("Error while initializing authentication -> localAuth init failed")`
			`return nil, err`
Add user name/email to GraphQL API 2022-03-15 11:04:54 +01:00			`}`
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`auth.authenticators = append(auth.authenticators, auth.LocalAuth)`
LDAP users have no email address 2022-03-17 10:54:17 +01:00
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`return auth, nil`
Add user name/email to GraphQL API 2022-03-15 11:04:54 +01:00			`}`

Reformat and Refactor packages. Rebuild GraphQL. 2022-09-07 12:24:45 +02:00			`func (auth *Authentication) Login(`
			`onsuccess http.Handler,`
			`onfailure func(rw http.ResponseWriter, r *http.Request, loginErr error)) http.Handler {`

authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {`
Fix bug if local login provides wrong pw Fixes #140 2023-06-14 14:35:25 +02:00			`err := errors.New("no authenticator applied")`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`username := r.FormValue("username")`
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`dbUser := (*User)(nil)`
Refactor auth and add docs Cleanup and reformat 2023-07-05 09:50:44 +02:00
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`if username != "" {`
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`dbUser, err = auth.GetUser(username)`
			`if err != nil && err != sql.ErrNoRows {`
			`log.Errorf("Error while loading user '%v'", username)`
			`}`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`}`

Integrate new auth interface 2022-07-07 14:08:37 +02:00			`for _, authenticator := range auth.authenticators {`
Add LDAPSyncOnLogin option Cleanup Extend docs Remove obsolete Expiration attribute 2023-08-14 12:40:21 +02:00			`if !authenticator.CanLogin(dbUser, username, rw, r) {`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`continue`
			`}`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`user, err := authenticator.Login(dbUser, rw, r)`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`if err != nil {`
Fix bug if local login provides wrong pw Fixes #140 2023-06-14 14:35:25 +02:00			`log.Warnf("user login failed: %s", err.Error())`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`onfailure(rw, r, err)`
			`return`
			`}`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`session, err := auth.sessionStore.New(r, "session")`
			`if err != nil {`
			`log.Errorf("session creation failed: %s", err.Error())`
			`http.Error(rw, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`if auth.SessionMaxAge != 0 {`
			`session.Options.MaxAge = int(auth.SessionMaxAge.Seconds())`
			`}`
			`session.Values["username"] = user.Username`
Add support for multiple projects per manager - Handled like roles in admin view - !! NEW COLUMN CHANGED TO "projects" 2023-02-17 15:45:31 +01:00			`session.Values["projects"] = user.Projects`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`session.Values["roles"] = user.Roles`
			`if err := auth.sessionStore.Save(r, rw, session); err != nil {`
Adapt loglevel for logs, shorten strings, fix formats, streamline - Switched to Warn for most errors, reduces bloat, improves log control 2023-02-01 11:58:27 +01:00			`log.Warnf("session save failed: %s", err.Error())`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`http.Error(rw, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`if dbUser == nil {`
			`if err := auth.AddUser(user); err != nil {`
			`// TODO Add AuthSource`
			`log.Errorf("Error while adding user '%v' to auth from XX",`
			`user.Username)`
			`}`
			`}`

Add support for multiple projects per manager - Handled like roles in admin view - !! NEW COLUMN CHANGED TO "projects" 2023-02-17 15:45:31 +01:00			`log.Infof("login successfull: user: %#v (roles: %v, projects: %v)", user.Username, user.Roles, user.Projects)`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`ctx := context.WithValue(r.Context(), ContextUserKey, user)`
			`onsuccess.ServeHTTP(rw, r.WithContext(ctx))`
bugfixes in auth/ 2022-07-25 09:33:36 +02:00			`return`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`}`

lower log level for frequent messages 2023-06-20 15:47:38 +02:00			`log.Debugf("login failed: no authenticator applied")`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`onfailure(rw, r, err)`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`})`
			`}`

Reformat and Refactor packages. Rebuild GraphQL. 2022-09-07 12:24:45 +02:00			`func (auth *Authentication) Auth(`
			`onsuccess http.Handler,`
			`onfailure func(rw http.ResponseWriter, r *http.Request, authErr error)) http.Handler {`

authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {`
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00
			`user, err := auth.JwtAuth.AuthViaJWT(rw, r)`
Readd URL token and cleanup Fix session values. 2023-08-12 09:02:41 +02:00			`if err != nil {`
			`log.Infof("authentication failed: %s", err.Error())`
			`http.Error(rw, err.Error(), http.StatusUnauthorized)`
			`return`
			`}`

refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`if user == nil {`
			`user, err = auth.AuthViaSession(rw, r)`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`if err != nil {`
lower log level for frequent messages 2023-06-20 15:47:38 +02:00			`log.Infof("authentication failed: %s", err.Error())`
Integrate new auth interface 2022-07-07 14:08:37 +02:00			`http.Error(rw, err.Error(), http.StatusUnauthorized)`
			`return`
			`}`
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`}`
Integrate new auth interface 2022-07-07 14:08:37 +02:00
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`if user != nil {`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`ctx := context.WithValue(r.Context(), ContextUserKey, user)`
Refactor auth/ 2022-02-14 14:22:44 +01:00			`onsuccess.ServeHTTP(rw, r.WithContext(ctx))`
bugfixes in auth/ 2022-07-25 09:33:36 +02:00			`return`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`}`

Readd URL token and cleanup Fix session values. 2023-08-12 09:02:41 +02:00			`log.Debug("authentication failed")`
refactor auth module Restructure module Separate JWT auth variants Cleanup code Fixes #189 2023-08-11 10:00:23 +02:00			`onfailure(rw, r, errors.New("unauthorized (please login first)"))`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`})`
			`}`

Refactor auth/ 2022-02-14 14:22:44 +01:00			`func (auth *Authentication) Logout(onsuccess http.Handler) http.Handler {`
			`return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {`
			`session, err := auth.sessionStore.Get(r, "session")`
			`if err != nil {`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`http.Error(rw, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`

Refactor auth/ 2022-02-14 14:22:44 +01:00			`if !session.IsNew {`
			`session.Options.MaxAge = -1`
			`if err := auth.sessionStore.Save(r, rw, session); err != nil {`
			`http.Error(rw, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`}`

			`onsuccess.ServeHTTP(rw, r)`
authentication via database and/or ldap 2021-12-08 10:03:00 +01:00			`})`
			`}`