Started the big refactor to extract common logic from engine package (Subsonic only) to core package (more generic)

core/auth/auth.go

@@ -0,0 +1,76 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"sync"
+	"time"
+
+	"github.com/deluan/navidrome/conf"
+	"github.com/deluan/navidrome/consts"
+	"github.com/deluan/navidrome/log"
+	"github.com/deluan/navidrome/model"
+	"github.com/dgrijalva/jwt-go"
+	"github.com/go-chi/jwtauth"
+)
+
+var (
+	once           sync.Once
+	JwtSecret      []byte
+	TokenAuth      *jwtauth.JWTAuth
+	sessionTimeOut time.Duration
+)
+
+func InitTokenAuth(ds model.DataStore) {
+	once.Do(func() {
+		secret, err := ds.Property(context.TODO()).DefaultGet(consts.JWTSecretKey, "not so secret")
+		if err != nil {
+			log.Error("No JWT secret found in DB. Setting a temp one, but please report this error", err)
+		}
+		JwtSecret = []byte(secret)
+		TokenAuth = jwtauth.New("HS256", JwtSecret, nil)
+	})
+}
+
+func CreateToken(u *model.User) (string, error) {
+	token := jwt.New(jwt.SigningMethodHS256)
+	claims := token.Claims.(jwt.MapClaims)
+	claims["iss"] = consts.JWTIssuer
+	claims["sub"] = u.UserName
+	claims["adm"] = u.IsAdmin
+
+	return TouchToken(token)
+}
+
+func getSessionTimeOut() time.Duration {
+	if sessionTimeOut == 0 {
+		sessionTimeOut = conf.Server.SessionTimeout
+		log.Info("Setting Session Timeout", "value", sessionTimeOut)
+	}
+	return sessionTimeOut
+}
+
+func TouchToken(token *jwt.Token) (string, error) {
+	timeout := getSessionTimeOut()
+	expireIn := time.Now().Add(timeout).Unix()
+	claims := token.Claims.(jwt.MapClaims)
+	claims["exp"] = expireIn
+
+	return token.SignedString(JwtSecret)
+}
+
+func Validate(tokenStr string) (jwt.MapClaims, error) {
+	token, err := jwt.Parse(tokenStr, func(token *jwt.Token) (interface{}, error) {
+		// Don't forget to validate the alg is what you expect:
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
+		}
+
+		// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
+		return JwtSecret, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return token.Claims.(jwt.MapClaims), err
+}

core/auth/auth_test.go

@@ -0,0 +1,55 @@
+package auth_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/deluan/navidrome/core/auth"
+	"github.com/deluan/navidrome/log"
+	"github.com/dgrijalva/jwt-go"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestAuth(t *testing.T) {
+	log.SetLevel(log.LevelCritical)
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Auth Test Suite")
+}
+
+const testJWTSecret = "not so secret"
+
+var _ = Describe("Auth", func() {
+	BeforeEach(func() {
+		auth.JwtSecret = []byte(testJWTSecret)
+	})
+	Context("Validate", func() {
+		It("returns error with an invalid JWT token", func() {
+			_, err := auth.Validate("invalid.token")
+			Expect(err).To(Not(BeNil()))
+		})
+
+		It("returns the claims from a valid JWT token", func() {
+			token := jwt.New(jwt.SigningMethodHS256)
+			claims := token.Claims.(jwt.MapClaims)
+			claims["iss"] = "issuer"
+			claims["exp"] = time.Now().Add(1 * time.Minute).Unix()
+			tokenStr, _ := token.SignedString(auth.JwtSecret)
+
+			decodedClaims, err := auth.Validate(tokenStr)
+			Expect(err).To(BeNil())
+			Expect(decodedClaims["iss"]).To(Equal("issuer"))
+		})
+
+		It("returns ErrExpired if the `exp` field is in the past", func() {
+			token := jwt.New(jwt.SigningMethodHS256)
+			claims := token.Claims.(jwt.MapClaims)
+			claims["iss"] = "issuer"
+			claims["exp"] = time.Now().Add(-1 * time.Minute).Unix()
+			tokenStr, _ := token.SignedString(auth.JwtSecret)
+
+			_, err := auth.Validate(tokenStr)
+			Expect(err).To(MatchError("Token is expired"))
+		})
+	})
+})