mirror of https://github.com/usememos/memos
feat: impl auth interceptor (#2055)
* feat: impl auth interceptor * chore: update * chore: update * chore: updatepull/2058/head
boojack
2 years ago
committed by
GitHub
parent
5d3ea57d82
commit
cc3a47fc65
@ -0,0 +1,297 @@
|
||||
// Package auth handles the auth of gRPC server.
|
||||
package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/metadata"
|
||||
"google.golang.org/grpc/status"
|
||||
|
||||
"github.com/golang-jwt/jwt/v4"
|
||||
errs "github.com/pkg/errors"
|
||||
|
||||
"github.com/usememos/memos/store"
|
||||
)
|
||||
|
||||
// ContextKey is the key type of context value.
|
||||
type ContextKey int
|
||||
|
||||
const (
|
||||
// The key name used to store user id in the context
|
||||
// user id is extracted from the jwt token subject field.
|
||||
UserIDContextKey ContextKey = iota
|
||||
// issuer is the issuer of the jwt token.
|
||||
issuer = "memos"
|
||||
// Signing key section. For now, this is only used for signing, not for verifying since we only
|
||||
// have 1 version. But it will be used to maintain backward compatibility if we change the signing mechanism.
|
||||
keyID = "v1"
|
||||
// AccessTokenAudienceName is the audience name of the access token.
|
||||
AccessTokenAudienceName = "user.access-token"
|
||||
// RefreshTokenAudienceName is the audience name of the refresh token.
|
||||
RefreshTokenAudienceName = "user.refresh-token"
|
||||
apiTokenDuration = 2 * time.Hour
|
||||
accessTokenDuration = 24 * time.Hour
|
||||
refreshTokenDuration = 7 * 24 * time.Hour
|
||||
|
||||
// CookieExpDuration expires slightly earlier than the jwt expiration. Client would be logged out if the user
|
||||
// cookie expires, thus the client would always logout first before attempting to make a request with the expired jwt.
|
||||
// Suppose we have a valid refresh token, we will refresh the token in cases:
|
||||
// 1. The access token has already expired, we refresh the token so that the ongoing request can pass through.
|
||||
CookieExpDuration = refreshTokenDuration - 1*time.Minute
|
||||
// AccessTokenCookieName is the cookie name of access token.
|
||||
AccessTokenCookieName = "memos.access-token"
|
||||
// RefreshTokenCookieName is the cookie name of refresh token.
|
||||
RefreshTokenCookieName = "memos.refresh-token"
|
||||
)
|
||||
|
||||
// GRPCAuthInterceptor is the auth interceptor for gRPC server.
|
||||
type GRPCAuthInterceptor struct {
|
||||
store *store.Store
|
||||
secret string
|
||||
}
|
||||
|
||||
// NewGRPCAuthInterceptor returns a new API auth interceptor.
|
||||
func NewGRPCAuthInterceptor(store *store.Store, secret string) *GRPCAuthInterceptor {
|
||||
return &GRPCAuthInterceptor{
|
||||
store: store,
|
||||
secret: secret,
|
||||
}
|
||||
}
|
||||
|
||||
// AuthenticationInterceptor is the unary interceptor for gRPC API.
|
||||
func (in *GRPCAuthInterceptor) AuthenticationInterceptor(ctx context.Context, request any, serverInfo *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
|
||||
md, ok := metadata.FromIncomingContext(ctx)
|
||||
if !ok {
|
||||
return nil, status.Errorf(codes.Unauthenticated, "failed to parse metadata from incoming context")
|
||||
}
|
||||
accessTokenStr, refreshTokenStr, err := getTokenFromMetadata(md)
|
||||
if err != nil {
|
||||
return nil, status.Errorf(codes.Unauthenticated, err.Error())
|
||||
}
|
||||
|
||||
userID, err := in.authenticate(ctx, accessTokenStr, refreshTokenStr)
|
||||
if err != nil {
|
||||
if IsAuthenticationAllowed(serverInfo.FullMethod) {
|
||||
return handler(ctx, request)
|
||||
}
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Stores userID into context.
|
||||
childCtx := context.WithValue(ctx, UserIDContextKey, userID)
|
||||
return handler(childCtx, request)
|
||||
}
|
||||
|
||||
func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessTokenStr, refreshTokenStr string) (int, error) {
|
||||
if accessTokenStr == "" {
|
||||
return 0, status.Errorf(codes.Unauthenticated, "access token not found")
|
||||
}
|
||||
claims := &claimsMessage{}
|
||||
generateToken := false
|
||||
accessToken, err := jwt.ParseWithClaims(accessTokenStr, claims, func(t *jwt.Token) (any, error) {
|
||||
if t.Method.Alg() != jwt.SigningMethodHS256.Name {
|
||||
return nil, status.Errorf(codes.Unauthenticated, "unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
|
||||
}
|
||||
if kid, ok := t.Header["kid"].(string); ok {
|
||||
if kid == "v1" {
|
||||
return []byte(in.secret), nil
|
||||
}
|
||||
}
|
||||
return nil, status.Errorf(codes.Unauthenticated, "unexpected access token kid=%v", t.Header["kid"])
|
||||
})
|
||||
if err != nil {
|
||||
var ve *jwt.ValidationError
|
||||
if errors.As(err, &ve) && ve.Errors == jwt.ValidationErrorExpired {
|
||||
// If expiration error is the only error, we will clear the err
|
||||
// and generate new access token and refresh token
|
||||
if refreshTokenStr == "" {
|
||||
return 0, status.Errorf(codes.Unauthenticated, "access token is expired")
|
||||
}
|
||||
generateToken = true
|
||||
} else {
|
||||
return 0, status.Errorf(codes.Unauthenticated, "failed to parse claim")
|
||||
}
|
||||
}
|
||||
if !audienceContains(claims.Audience, AccessTokenAudienceName) {
|
||||
return 0, status.Errorf(codes.Unauthenticated,
|
||||
"invalid access token, audience mismatch, got %q, expected %q. you may send request to the wrong environment",
|
||||
claims.Audience,
|
||||
AccessTokenAudienceName,
|
||||
)
|
||||
}
|
||||
|
||||
userID, err := strconv.Atoi(claims.Subject)
|
||||
if err != nil {
|
||||
return 0, status.Errorf(codes.Unauthenticated, "malformed ID %q in the access token", claims.Subject)
|
||||
}
|
||||
user, err := in.store.GetUser(ctx, &store.FindUser{
|
||||
ID: &userID,
|
||||
})
|
||||
if err != nil {
|
||||
return 0, status.Errorf(codes.Unauthenticated, "failed to find user ID %q in the access token", userID)
|
||||
}
|
||||
if user == nil {
|
||||
return 0, status.Errorf(codes.Unauthenticated, "user ID %q not exists in the access token", userID)
|
||||
}
|
||||
if user.RowStatus == store.Archived {
|
||||
return 0, status.Errorf(codes.Unauthenticated, "user ID %q has been deactivated by administrators", userID)
|
||||
}
|
||||
|
||||
if generateToken {
|
||||
generateTokenFunc := func() error {
|
||||
// Parses token and checks if it's valid.
|
||||
refreshTokenClaims := &claimsMessage{}
|
||||
refreshToken, err := jwt.ParseWithClaims(refreshTokenStr, refreshTokenClaims, func(t *jwt.Token) (any, error) {
|
||||
if t.Method.Alg() != jwt.SigningMethodHS256.Name {
|
||||
return nil, status.Errorf(codes.Unauthenticated, "unexpected refresh token signing method=%v, expected %v", t.Header["alg"], jwt.SigningMethodHS256)
|
||||
}
|
||||
|
||||
if kid, ok := t.Header["kid"].(string); ok {
|
||||
if kid == "v1" {
|
||||
return []byte(in.secret), nil
|
||||
}
|
||||
}
|
||||
return nil, errs.Errorf("unexpected refresh token kid=%v", t.Header["kid"])
|
||||
})
|
||||
if err != nil {
|
||||
if err == jwt.ErrSignatureInvalid {
|
||||
return errs.Errorf("failed to generate access token: invalid refresh token signature")
|
||||
}
|
||||
return errs.Errorf("Server error to refresh expired token, user ID %d", userID)
|
||||
}
|
||||
|
||||
if !audienceContains(refreshTokenClaims.Audience, RefreshTokenAudienceName) {
|
||||
return errs.Errorf("Invalid refresh token, audience mismatch, got %q, expected %q. you may send request to the wrong environment",
|
||||
refreshTokenClaims.Audience,
|
||||
RefreshTokenAudienceName,
|
||||
)
|
||||
}
|
||||
|
||||
// If we have a valid refresh token, we will generate new access token and refresh token
|
||||
if refreshToken != nil && refreshToken.Valid {
|
||||
if err := generateTokensAndSetCookies(ctx, user.Username, user.ID, in.secret); err != nil {
|
||||
return errs.Wrapf(err, "failed to regenerate token")
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// It may happen that we still have a valid access token, but we encounter issue when trying to generate new token
|
||||
// In such case, we won't return the error.
|
||||
if err := generateTokenFunc(); err != nil && !accessToken.Valid {
|
||||
return 0, status.Errorf(codes.Unauthenticated, err.Error())
|
||||
}
|
||||
}
|
||||
return userID, nil
|
||||
}
|
||||
|
||||
func getTokenFromMetadata(md metadata.MD) (string, string, error) {
|
||||
authorizationHeaders := md.Get("Authorization")
|
||||
if len(md.Get("Authorization")) > 0 {
|
||||
authHeaderParts := strings.Fields(authorizationHeaders[0])
|
||||
if len(authHeaderParts) != 2 || strings.ToLower(authHeaderParts[0]) != "bearer" {
|
||||
return "", "", errs.Errorf("authorization header format must be Bearer {token}")
|
||||
}
|
||||
return authHeaderParts[1], "", nil
|
||||
}
|
||||
// check the HTTP cookie
|
||||
var accessToken, refreshToken string
|
||||
for _, t := range append(md.Get("grpcgateway-cookie"), md.Get("cookie")...) {
|
||||
header := http.Header{}
|
||||
header.Add("Cookie", t)
|
||||
request := http.Request{Header: header}
|
||||
if v, _ := request.Cookie(AccessTokenCookieName); v != nil {
|
||||
accessToken = v.Value
|
||||
}
|
||||
if v, _ := request.Cookie(RefreshTokenCookieName); v != nil {
|
||||
refreshToken = v.Value
|
||||
}
|
||||
}
|
||||
if accessToken != "" && refreshToken != "" {
|
||||
return accessToken, refreshToken, nil
|
||||
}
|
||||
return "", "", nil
|
||||
}
|
||||
|
||||
func audienceContains(audience jwt.ClaimStrings, token string) bool {
|
||||
for _, v := range audience {
|
||||
if v == token {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
type claimsMessage struct {
|
||||
Name string `json:"name"`
|
||||
jwt.RegisteredClaims
|
||||
}
|
||||
|
||||
// generateTokensAndSetCookies generates jwt token and saves it to the http-only cookie.
|
||||
func generateTokensAndSetCookies(ctx context.Context, username string, userID int, secret string) error {
|
||||
accessToken, err := GenerateAccessToken(username, userID, secret)
|
||||
if err != nil {
|
||||
return errs.Wrap(err, "failed to generate access token")
|
||||
}
|
||||
// We generate here a new refresh token and saving it to the cookie.
|
||||
refreshToken, err := GenerateRefreshToken(username, userID, secret)
|
||||
if err != nil {
|
||||
return errs.Wrap(err, "failed to generate refresh token")
|
||||
}
|
||||
|
||||
if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
|
||||
AccessTokenCookieName: accessToken,
|
||||
RefreshTokenCookieName: refreshToken,
|
||||
})); err != nil {
|
||||
return errs.Wrapf(err, "failed to set grpc header")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// GenerateAccessToken generates an access token for web.
|
||||
func GenerateAccessToken(username string, userID int, secret string) (string, error) {
|
||||
expirationTime := time.Now().Add(accessTokenDuration)
|
||||
return generateToken(username, userID, AccessTokenAudienceName, expirationTime, []byte(secret))
|
||||
}
|
||||
|
||||
// GenerateRefreshToken generates a refresh token for web.
|
||||
func GenerateRefreshToken(username string, userID int, secret string) (string, error) {
|
||||
expirationTime := time.Now().Add(refreshTokenDuration)
|
||||
return generateToken(username, userID, RefreshTokenAudienceName, expirationTime, []byte(secret))
|
||||
}
|
||||
|
||||
// Pay attention to this function. It holds the main JWT token generation logic.
|
||||
func generateToken(username string, userID int, aud string, expirationTime time.Time, secret []byte) (string, error) {
|
||||
// Create the JWT claims, which includes the username and expiry time.
|
||||
claims := &claimsMessage{
|
||||
Name: username,
|
||||
RegisteredClaims: jwt.RegisteredClaims{
|
||||
Audience: jwt.ClaimStrings{aud},
|
||||
// In JWT, the expiry time is expressed as unix milliseconds.
|
||||
ExpiresAt: jwt.NewNumericDate(expirationTime),
|
||||
IssuedAt: jwt.NewNumericDate(time.Now()),
|
||||
Issuer: issuer,
|
||||
Subject: strconv.Itoa(userID),
|
||||
},
|
||||
}
|
||||
|
||||
// Declare the token with the HS256 algorithm used for signing, and the claims.
|
||||
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
||||
token.Header["kid"] = keyID
|
||||
|
||||
// Create the JWT string.
|
||||
tokenString, err := token.SignedString(secret)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return tokenString, nil
|
||||
}
|
||||
@ -0,0 +1,15 @@
|
||||
package auth
|
||||
|
||||
import "strings"
|
||||
|
||||
var authenticationAllowlistMethods = map[string]bool{
|
||||
"/memos.api.v2.UserService/GetUser": true,
|
||||
}
|
||||
|
||||
// IsAuthenticationAllowed returns whether the method is exempted from authentication.
|
||||
func IsAuthenticationAllowed(fullMethodName string) bool {
|
||||
if strings.HasPrefix(fullMethodName, "/grpc.reflection") {
|
||||
return true
|
||||
}
|
||||
return authenticationAllowlistMethods[fullMethodName]
|
||||
}
|
||||
Loading…
Reference in New Issue