go-jwtserver/middleware/accounts.go

package middleware

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"time"

	"github.com/dgrijalva/jwt-go"
	"github.com/gofrs/uuid"
	"github.com/joho/godotenv"

	"strings"

	"github.com/jinzhu/gorm"

	"os"

	"golang.org/x/crypto/bcrypt"
)

var (
	accessExpires     int
	refreshExpiration int
	audience          string
	subject           string
)

func init() {
	e := godotenv.Load() //Load .env file
	if e != nil {
		fmt.Print(e)
	}
	var err error
	accessExpires, err = strconv.Atoi(os.Getenv("access_expiration"))
	if err != nil {
		panic(err)
	}
	refreshExpiration, err = strconv.Atoi(os.Getenv("access_expiration"))
	if err != nil {
		panic(err)
	}
	audience = os.Getenv("audience")
	subject = os.Getenv("subject")
}

// TokenDetails struct
type TokenDetails struct {
	UserID uuid.UUID `json:"user_id"`
	jwt.StandardClaims
}

//Account struct to rep user account
type Account struct {
	ID             uuid.UUID `gorm:"type:uuid;primary_key;"`
	Email          string    `json:"email"`
	Password       string    `json:"password,omitempty"`
	Token          string    `json:"access_token,omitempty" sql:"-"`
	RefreshToken   string    `json:"refresh_token,omitempty" sql:"-"`
	TokenExpiresAt string    `json:"-"`
}

//Validate incoming user details...
func (account *Account) Validate() (map[string]interface{}, bool) {

	if !strings.Contains(account.Email, "@") {
		return message(false, "Email address is required"), false
	}

	if len(account.Password) < 1 {
		return message(false, "Password is required"), false
	}

	//Email must be unique
	temp := &Account{}

	//check for errors and duplicate emails
	err := GetDB().Table("accounts").Where("email = ?", account.Email).First(temp).Error
	if err != nil && err != gorm.ErrRecordNotFound {
		return message(false, "Connection error. Please retry"), false
	}
	if temp.Email != "" {
		return message(false, "Email address already in use by another user."), false
	}

	return message(false, "Requirement passed"), true
}

// Create user account
func (account *Account) Create() map[string]interface{} {

	if resp, ok := account.Validate(); !ok {
		return resp
	}

	hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(account.Password), bcrypt.DefaultCost)
	account.Password = string(hashedPassword)

	GetDB().Create(account)

	if account.ID == uuid.Nil {
		return message(false, "Failed to create account, connection error.")
	}

	account.Password = "" //delete password

	response := message(true, "Account has been created")
	response["account"] = account
	return response
}

// Login and provides user token
func Login(email, password string) map[string]interface{} {

	account := &Account{}
	err := GetDB().Table("accounts").Where("email = ?", email).First(account).Error
	if err != nil {
		if err == gorm.ErrRecordNotFound {
			return message(false, "Email address not found")
		}
		return message(false, "Connection error. Please retry")
	}

	err = bcrypt.CompareHashAndPassword([]byte(account.Password), []byte(password))
	if err != nil && err == bcrypt.ErrMismatchedHashAndPassword { //Password does not match!
		return message(false, "Invalid login credentials. Please try again")
	}
	//Worked! Logged In
	account.Password = ""
	account.GenerateTokenPair()
	//account.CreateAuth(td)

	resp := make(map[string]interface{})
	resp["access_token"] = account.Token
	resp["refresh_token"] = account.RefreshToken
	return resp
}

// GenerateTokenPair return access_token and refresh_token pair
func (account *Account) GenerateTokenPair() (*TokenDetails, error) {
	//Create JWT token
	tk := &TokenDetails{
		account.ID,
		jwt.StandardClaims{
			IssuedAt:  time.Now().Unix(),
			ExpiresAt: time.Now().Add(time.Second * time.Duration(accessExpires)).Unix(),
			Audience:  audience,
			Subject:   subject,
		},
	}
	token := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), tk)
	tokenString, err := token.SignedString([]byte(os.Getenv("access_token_password")))
	if err != nil {
		return nil, err
	}
	account.Token = tokenString //Store the token in the response

	reftk := &TokenDetails{
		account.ID,
		jwt.StandardClaims{
			ExpiresAt: time.Now().Add(time.Minute * time.Duration(refreshExpiration)).Unix(),
		},
	}
	refreshtoken := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), reftk)
	refreshtokenString, err := refreshtoken.SignedString([]byte(os.Getenv("refresh_token_password")))
	if err != nil {
		return nil, err
	}
	account.RefreshToken = refreshtokenString //Store the token in the response

	return reftk, nil
}

// CreateAuth stores refresh_token expires
// func (account *Account) CreateAuth(td *TokenDetails) {
// 	rt := time.Unix(td.ExpiresAt, 0)

// 	db.Model(&account).Update(account.TokenExpiresAt, rt.String())

// }

// GetUser in the database
func GetUser(u uuid.UUID) *Account {

	acc := &Account{}
	GetDB().Table("accounts").Where("id = ?", u).First(acc)
	if acc.Email == "" { //User not found!
		return nil
	}

	acc.Password = ""
	return acc
}

// CreateAccount middleware to create user account
var CreateAccount = func(w http.ResponseWriter, r *http.Request) {

	account := &Account{}
	err := json.NewDecoder(r.Body).Decode(account) //decode the request body into struct and failed if any error occur
	if err != nil {
		respond(w, message(false, "Invalid request"))
		return
	}

	resp := account.Create() //Create account
	respond(w, resp)
}

// Authenticate middleware to authenticate the user
var Authenticate = func(w http.ResponseWriter, r *http.Request) {

	account := &Account{}
	err := json.NewDecoder(r.Body).Decode(account) //decode the request body into struct and failed if any error occur
	if err != nil {
		respond(w, message(false, "Invalid request"))
		return
	}

	resp := Login(account.Email, account.Password)
	respond(w, resp)
}

// Refresh middleware to authenticate the user
var Refresh = func(w http.ResponseWriter, r *http.Request) {
	tk, err := ValidateToken(w, r)
	if err != nil {
		w.WriteHeader(http.StatusForbidden)
		w.Header().Add("Content-Type", "application/json")
		response := message(true, "Refreshed expired")
		respond(w, response)
		return
	}
	// check if user exists in database
	acc := GetUser(tk.UserID)
	if acc == nil {
		respond(w, message(false, "User not found"))
		return
	}

	acc.Password = ""
	acc.GenerateTokenPair()
	//account.CreateAuth(td)
	resp := make(map[string]interface{})
	resp["access_token"] = acc.Token
	resp["refresh_token"] = acc.RefreshToken

	//update refresh expirity

	// rt := time.Now().Add(time.Minute * time.Duration(refreshExpiration)).Unix()
	// log.Println(rt)
	// db.Model(&acc).Update(acc.TokenExpiresAt, rt)

	respond(w, resp)
}

// ValidateToken to check if token is valid
func ValidateToken(w http.ResponseWriter, r *http.Request) (*TokenDetails, error) {
	var pwd string
	urltomatch := r.URL.String()
	if strings.Contains(urltomatch, "/api/user/refresh") {
		pwd = "refresh_token_password"
	} else {
		pwd = "access_token_password"
	}

	response := make(map[string]interface{})
	tk := &TokenDetails{}
	bearToken := r.Header.Get("Authorization") //Grab the token from the header

	if bearToken == "" { //Token is missing, returns with error code 403 Unauthorized
		response = message(false, "Missing auth token")
		w.WriteHeader(http.StatusForbidden)
		w.Header().Add("Content-Type", "application/json")
		respond(w, response)
		return tk, errors.New("Missing auth token")
	}

	splitted := strings.Split(bearToken, " ") //The token normally comes in format `Bearer {token-body}`, we check if the retrieved token matched this requirement
	if len(splitted) != 2 {
		response = message(false, "Invalid/Malformed auth token")
		w.WriteHeader(http.StatusForbidden)
		w.Header().Add("Content-Type", "application/json")
		respond(w, response)
		return tk, errors.New("Invalid/Malformed auth token")
	}

	tokenPart := splitted[1] //Grab the token part, what we are truly interested in

	token, err := jwt.ParseWithClaims(tokenPart, tk, func(token *jwt.Token) (interface{}, error) {
		return []byte(os.Getenv(pwd)), nil
	})

	if err != nil { //Malformed token, returns with http code 403 as usual
		response = message(false, "Malformed authentication token")
		w.WriteHeader(http.StatusForbidden)
		w.Header().Add("Content-Type", "application/json")
		respond(w, response)
		return tk, errors.New("Malformed authentication token")
	}

	if !token.Valid { //Token is invalid, maybe not signed on this server
		response = message(false, "Token is not valid.")
		w.WriteHeader(http.StatusForbidden)
		w.Header().Add("Content-Type", "application/json")
		respond(w, response)
		return tk, errors.New("Token is not valid")
	}
	return tk, nil
}
func message(status bool, message string) map[string]interface{} {
	return map[string]interface{}{"status": status, "message": message}
}

func respond(w http.ResponseWriter, data map[string]interface{}) {
	w.Header().Add("Content-Type", "application/json")
	json.NewEncoder(w).Encode(data)
}
refactor project structure 2020-07-16 13:56:57 +02:00			`package middleware`
first commit 2020-07-16 10:51:50 +02:00
			`import (`
			`"encoding/json"`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`"errors"`
			`"fmt"`
first commit 2020-07-16 10:51:50 +02:00			`"net/http"`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`"strconv"`
			`"time"`
first commit 2020-07-16 10:51:50 +02:00
			`"github.com/dgrijalva/jwt-go"`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`"github.com/gofrs/uuid"`
			`"github.com/joho/godotenv"`
first commit 2020-07-16 10:51:50 +02:00
			`"strings"`

			`"github.com/jinzhu/gorm"`

			`"os"`

			`"golang.org/x/crypto/bcrypt"`
			`)`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`var (`
			`accessExpires int`
			`refreshExpiration int`
			`audience string`
			`subject string`
			`)`

			`func init() {`
			`e := godotenv.Load() //Load .env file`
			`if e != nil {`
			`fmt.Print(e)`
			`}`
			`var err error`
			`accessExpires, err = strconv.Atoi(os.Getenv("access_expiration"))`
			`if err != nil {`
			`panic(err)`
			`}`
			`refreshExpiration, err = strconv.Atoi(os.Getenv("access_expiration"))`
			`if err != nil {`
			`panic(err)`
			`}`
			`audience = os.Getenv("audience")`
			`subject = os.Getenv("subject")`
			`}`

			`// TokenDetails struct`
			`type TokenDetails struct {`
			UserID uuid.UUID `json:"user_id"`
first commit 2020-07-16 10:51:50 +02:00			`jwt.StandardClaims`
			`}`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`//Account struct to rep user account`
first commit 2020-07-16 10:51:50 +02:00			`type Account struct {`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			ID uuid.UUID `gorm:"type:uuid;primary_key;"`
			Email string `json:"email"`
			Password string `json:"password,omitempty"`
			Token string `json:"access_token,omitempty" sql:"-"`
			RefreshToken string `json:"refresh_token,omitempty" sql:"-"`
			TokenExpiresAt string `json:"-"`
first commit 2020-07-16 10:51:50 +02:00			`}`

			`//Validate incoming user details...`
			`func (account *Account) Validate() (map[string]interface{}, bool) {`

			`if !strings.Contains(account.Email, "@") {`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`return message(false, "Email address is required"), false`
first commit 2020-07-16 10:51:50 +02:00			`}`

			`if len(account.Password) < 1 {`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`return message(false, "Password is required"), false`
first commit 2020-07-16 10:51:50 +02:00			`}`

			`//Email must be unique`
			`temp := &Account{}`

			`//check for errors and duplicate emails`
			`err := GetDB().Table("accounts").Where("email = ?", account.Email).First(temp).Error`
			`if err != nil && err != gorm.ErrRecordNotFound {`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`return message(false, "Connection error. Please retry"), false`
first commit 2020-07-16 10:51:50 +02:00			`}`
			`if temp.Email != "" {`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`return message(false, "Email address already in use by another user."), false`
first commit 2020-07-16 10:51:50 +02:00			`}`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`return message(false, "Requirement passed"), true`
first commit 2020-07-16 10:51:50 +02:00			`}`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`// Create user account`
first commit 2020-07-16 10:51:50 +02:00			`func (account *Account) Create() map[string]interface{} {`

			`if resp, ok := account.Validate(); !ok {`
			`return resp`
			`}`

			`hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(account.Password), bcrypt.DefaultCost)`
			`account.Password = string(hashedPassword)`

			`GetDB().Create(account)`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`if account.ID == uuid.Nil {`
			`return message(false, "Failed to create account, connection error.")`
first commit 2020-07-16 10:51:50 +02:00			`}`

			`account.Password = "" //delete password`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`response := message(true, "Account has been created")`
first commit 2020-07-16 10:51:50 +02:00			`response["account"] = account`
			`return response`
			`}`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`// Login and provides user token`
first commit 2020-07-16 10:51:50 +02:00			`func Login(email, password string) map[string]interface{} {`

			`account := &Account{}`
			`err := GetDB().Table("accounts").Where("email = ?", email).First(account).Error`
			`if err != nil {`
			`if err == gorm.ErrRecordNotFound {`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`return message(false, "Email address not found")`
first commit 2020-07-16 10:51:50 +02:00			`}`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`return message(false, "Connection error. Please retry")`
first commit 2020-07-16 10:51:50 +02:00			`}`

			`err = bcrypt.CompareHashAndPassword([]byte(account.Password), []byte(password))`
			`if err != nil && err == bcrypt.ErrMismatchedHashAndPassword { //Password does not match!`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`return message(false, "Invalid login credentials. Please try again")`
first commit 2020-07-16 10:51:50 +02:00			`}`
			`//Worked! Logged In`
			`account.Password = ""`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`account.GenerateTokenPair()`
			`//account.CreateAuth(td)`
first commit 2020-07-16 10:51:50 +02:00
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`resp := make(map[string]interface{})`
			`resp["access_token"] = account.Token`
			`resp["refresh_token"] = account.RefreshToken`
			`return resp`
			`}`

			`// GenerateTokenPair return access_token and refresh_token pair`
			`func (account Account) GenerateTokenPair() (TokenDetails, error) {`
first commit 2020-07-16 10:51:50 +02:00			`//Create JWT token`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`tk := &TokenDetails{`
			`account.ID,`
			`jwt.StandardClaims{`
			`IssuedAt: time.Now().Unix(),`
			`ExpiresAt: time.Now().Add(time.Second * time.Duration(accessExpires)).Unix(),`
			`Audience: audience,`
			`Subject: subject,`
			`},`
			`}`
first commit 2020-07-16 10:51:50 +02:00			`token := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), tk)`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`tokenString, err := token.SignedString([]byte(os.Getenv("access_token_password")))`
			`if err != nil {`
			`return nil, err`
			`}`
first commit 2020-07-16 10:51:50 +02:00			`account.Token = tokenString //Store the token in the response`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`reftk := &TokenDetails{`
			`account.ID,`
			`jwt.StandardClaims{`
			`ExpiresAt: time.Now().Add(time.Minute * time.Duration(refreshExpiration)).Unix(),`
			`},`
			`}`
			`refreshtoken := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), reftk)`
			`refreshtokenString, err := refreshtoken.SignedString([]byte(os.Getenv("refresh_token_password")))`
			`if err != nil {`
			`return nil, err`
			`}`
			`account.RefreshToken = refreshtokenString //Store the token in the response`

			`return reftk, nil`
first commit 2020-07-16 10:51:50 +02:00			`}`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`// CreateAuth stores refresh_token expires`
			`// func (account Account) CreateAuth(td TokenDetails) {`
			`// rt := time.Unix(td.ExpiresAt, 0)`

			`// db.Model(&account).Update(account.TokenExpiresAt, rt.String())`

			`// }`

			`// GetUser in the database`
			`func GetUser(u uuid.UUID) *Account {`
first commit 2020-07-16 10:51:50 +02:00
			`acc := &Account{}`
			`GetDB().Table("accounts").Where("id = ?", u).First(acc)`
			`if acc.Email == "" { //User not found!`
			`return nil`
			`}`

			`acc.Password = ""`
			`return acc`
			`}`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`// CreateAccount middleware to create user account`
first commit 2020-07-16 10:51:50 +02:00			`var CreateAccount = func(w http.ResponseWriter, r *http.Request) {`

			`account := &Account{}`
			`err := json.NewDecoder(r.Body).Decode(account) //decode the request body into struct and failed if any error occur`
			`if err != nil {`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`respond(w, message(false, "Invalid request"))`
first commit 2020-07-16 10:51:50 +02:00			`return`
			`}`

			`resp := account.Create() //Create account`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`respond(w, resp)`
first commit 2020-07-16 10:51:50 +02:00			`}`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`// Authenticate middleware to authenticate the user`
first commit 2020-07-16 10:51:50 +02:00			`var Authenticate = func(w http.ResponseWriter, r *http.Request) {`

			`account := &Account{}`
			`err := json.NewDecoder(r.Body).Decode(account) //decode the request body into struct and failed if any error occur`
			`if err != nil {`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`respond(w, message(false, "Invalid request"))`
first commit 2020-07-16 10:51:50 +02:00			`return`
			`}`

			`resp := Login(account.Email, account.Password)`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`respond(w, resp)`
first commit 2020-07-16 10:51:50 +02:00			`}`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`// Refresh middleware to authenticate the user`
			`var Refresh = func(w http.ResponseWriter, r *http.Request) {`
			`tk, err := ValidateToken(w, r)`
			`if err != nil {`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Header().Add("Content-Type", "application/json")`
			`response := message(true, "Refreshed expired")`
			`respond(w, response)`
			`return`
			`}`
			`// check if user exists in database`
			`acc := GetUser(tk.UserID)`
			`if acc == nil {`
			`respond(w, message(false, "User not found"))`
			`return`
			`}`

			`acc.Password = ""`
			`acc.GenerateTokenPair()`
			`//account.CreateAuth(td)`
			`resp := make(map[string]interface{})`
			`resp["access_token"] = acc.Token`
			`resp["refresh_token"] = acc.RefreshToken`

			`//update refresh expirity`

			`// rt := time.Now().Add(time.Minute * time.Duration(refreshExpiration)).Unix()`
			`// log.Println(rt)`
			`// db.Model(&acc).Update(acc.TokenExpiresAt, rt)`

			`respond(w, resp)`
			`}`

			`// ValidateToken to check if token is valid`
			`func ValidateToken(w http.ResponseWriter, r http.Request) (TokenDetails, error) {`
			`var pwd string`
			`urltomatch := r.URL.String()`
update comparison script 2020-07-21 11:20:06 +02:00			`if strings.Contains(urltomatch, "/api/user/refresh") {`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`pwd = "refresh_token_password"`
			`} else {`
			`pwd = "access_token_password"`
			`}`

			`response := make(map[string]interface{})`
			`tk := &TokenDetails{}`
			`bearToken := r.Header.Get("Authorization") //Grab the token from the header`

			`if bearToken == "" { //Token is missing, returns with error code 403 Unauthorized`
			`response = message(false, "Missing auth token")`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Header().Add("Content-Type", "application/json")`
			`respond(w, response)`
update error return 2020-07-21 11:21:39 +02:00			`return tk, errors.New("Missing auth token")`
set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`}`

			splitted := strings.Split(bearToken, " ") //The token normally comes in format `Bearer {token-body}`, we check if the retrieved token matched this requirement
			`if len(splitted) != 2 {`
			`response = message(false, "Invalid/Malformed auth token")`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Header().Add("Content-Type", "application/json")`
			`respond(w, response)`
			`return tk, errors.New("Invalid/Malformed auth token")`
			`}`

			`tokenPart := splitted[1] //Grab the token part, what we are truly interested in`

			`token, err := jwt.ParseWithClaims(tokenPart, tk, func(token *jwt.Token) (interface{}, error) {`
			`return []byte(os.Getenv(pwd)), nil`
			`})`

			`if err != nil { //Malformed token, returns with http code 403 as usual`
			`response = message(false, "Malformed authentication token")`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Header().Add("Content-Type", "application/json")`
			`respond(w, response)`
			`return tk, errors.New("Malformed authentication token")`
			`}`

			`if !token.Valid { //Token is invalid, maybe not signed on this server`
			`response = message(false, "Token is not valid.")`
			`w.WriteHeader(http.StatusForbidden)`
			`w.Header().Add("Content-Type", "application/json")`
			`respond(w, response)`
			`return tk, errors.New("Token is not valid")`
			`}`
			`return tk, nil`
			`}`
			`func message(status bool, message string) map[string]interface{} {`
first commit 2020-07-16 10:51:50 +02:00			`return map[string]interface{}{"status": status, "message": message}`
			`}`

set uuid and refresh token path 2020-07-21 11:08:01 +02:00			`func respond(w http.ResponseWriter, data map[string]interface{}) {`
first commit 2020-07-16 10:51:50 +02:00			`w.Header().Add("Content-Type", "application/json")`
			`json.NewEncoder(w).Encode(data)`
			`}`