arian/navidrome
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

feat: add authentication via JWT token

Browse Source
This commit is contained in:
Deluan
2020-02-06 16:48:35 -05:00
parent 690f92a671
commit abb99a8501
10 changed files with 185 additions and 56 deletions
Download Patch File Download Diff File Expand all files Collapse all files
engine/auth/auth.go
+64
View File
@@ -0,0 +1,64 @@
package auth
import (
"fmt"
"sync"
"time"
"github.com/deluan/navidrome/consts"
"github.com/deluan/navidrome/log"
"github.com/deluan/navidrome/model"
"github.com/dgrijalva/jwt-go"
"github.com/go-chi/jwtauth"
)
var (
once sync.Once
JwtSecret []byte
TokenAuth *jwtauth.JWTAuth
)
func InitTokenAuth(ds model.DataStore) {
once.Do(func() {
secret, err := ds.Property(nil).DefaultGet(consts.JWTSecretKey, "not so secret")
if err != nil {
log.Error("No JWT secret found in DB. Setting a temp one, but please report this error", err)
}
JwtSecret = []byte(secret)
TokenAuth = jwtauth.New("HS256", JwtSecret, nil)
})
}
func CreateToken(u *model.User) (string, error) {
token := jwt.New(jwt.SigningMethodHS256)
claims := token.Claims.(jwt.MapClaims)
claims["iss"] = consts.JWTIssuer
claims["sub"] = u.UserName
claims["adm"] = u.IsAdmin
return TouchToken(token)
}
func TouchToken(token *jwt.Token) (string, error) {
expireIn := time.Now().Add(consts.JWTTokenExpiration).Unix()
claims := token.Claims.(jwt.MapClaims)
claims["exp"] = expireIn
return token.SignedString(JwtSecret)
}
func Validate(tokenStr string) (jwt.MapClaims, error) {
token, err := jwt.Parse(tokenStr, func(token *jwt.Token) (interface{}, error) {
// Don't forget to validate the alg is what you expect:
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
}
// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
return JwtSecret, nil
})
if err != nil {
return nil, err
}
return token.Claims.(jwt.MapClaims), err
}
engine/auth/auth_test.go
+55
View File
@@ -0,0 +1,55 @@
package auth_test
import (
"testing"
"time"
"github.com/deluan/navidrome/engine/auth"
"github.com/deluan/navidrome/log"
"github.com/dgrijalva/jwt-go"
. "github.com/onsi/ginkgo"
. "github.com/onsi/gomega"
)
func TestAuth(t *testing.T) {
log.SetLevel(log.LevelCritical)
RegisterFailHandler(Fail)
RunSpecs(t, "Auth Test Suite")
}
const testJWTSecret = "not so secret"
var _ = Describe("Auth", func() {
BeforeEach(func() {
auth.JwtSecret = []byte(testJWTSecret)
})
Context("Validate", func() {
It("returns error with an invalid JWT token", func() {
_, err := auth.Validate("invalid.token")
Expect(err).To(Not(BeNil()))
})
It("returns the claims from a valid JWT token", func() {
token := jwt.New(jwt.SigningMethodHS256)
claims := token.Claims.(jwt.MapClaims)
claims["iss"] = "issuer"
claims["exp"] = time.Now().Add(1 * time.Minute).Unix()
tokenStr, _ := token.SignedString(auth.JwtSecret)
decodedClaims, err := auth.Validate(tokenStr)
Expect(err).To(BeNil())
Expect(decodedClaims["iss"]).To(Equal("issuer"))
})
It("returns ErrExpired if the `exp` field is in the past", func() {
token := jwt.New(jwt.SigningMethodHS256)
claims := token.Claims.(jwt.MapClaims)
claims["iss"] = "issuer"
claims["exp"] = time.Now().Add(-1 * time.Minute).Unix()
tokenStr, _ := token.SignedString(auth.JwtSecret)
_, err := auth.Validate(tokenStr)
Expect(err).To(MatchError("Token is expired"))
})
})
})
engine/users.go
+6 -2
View File
@@ -7,11 +7,12 @@ import (
"fmt"
"strings"
"github.com/deluan/navidrome/engine/auth"
"github.com/deluan/navidrome/model"
)
type Users interface {
Authenticate(ctx context.Context, username, password, token, salt string) (*model.User, error)
Authenticate(ctx context.Context, username, password, token, salt, jwt string) (*model.User, error)
}
func NewUsers(ds model.DataStore) Users {
@@ -22,7 +23,7 @@ type users struct {
ds model.DataStore
}
func (u *users) Authenticate(ctx context.Context, username, pass, token, salt string) (*model.User, error) {
func (u *users) Authenticate(ctx context.Context, username, pass, token, salt, jwt string) (*model.User, error) {
user, err := u.ds.User(ctx).FindByUsername(username)
if err == model.ErrNotFound {
return nil, model.ErrInvalidAuth
@@ -33,6 +34,9 @@ func (u *users) Authenticate(ctx context.Context, username, pass, token, salt st
valid := false
switch {
case jwt != "":
claims, err := auth.Validate(jwt)
valid = err == nil && claims["sub"] == username
case pass != "":
if strings.HasPrefix(pass, "enc:") {
if dec, err := hex.DecodeString(pass[4:]); err == nil {
engine/users_test.go
+34 -5
View File
@@ -3,6 +3,7 @@ package engine
import (
"context"
"github.com/deluan/navidrome/engine/auth"
"github.com/deluan/navidrome/model"
"github.com/deluan/navidrome/persistence"
. "github.com/onsi/ginkgo"
@@ -19,20 +20,20 @@ var _ = Describe("Users", func() {
Context("Plaintext password", func() {
It("authenticates with plaintext password ", func() {
usr, err := users.Authenticate(context.TODO(), "admin", "wordpass", "", "")
usr, err := users.Authenticate(context.TODO(), "admin", "wordpass", "", "", "")
Expect(err).NotTo(HaveOccurred())
Expect(usr).To(Equal(&model.User{UserName: "admin", Password: "wordpass"}))
})
It("fails authentication with wrong password", func() {
_, err := users.Authenticate(context.TODO(), "admin", "INVALID", "", "")
_, err := users.Authenticate(context.TODO(), "admin", "INVALID", "", "", "")
Expect(err).To(MatchError(model.ErrInvalidAuth))
})
})
Context("Encoded password", func() {
It("authenticates with simple encoded password ", func() {
usr, err := users.Authenticate(context.TODO(), "admin", "enc:776f726470617373", "", "")
usr, err := users.Authenticate(context.TODO(), "admin", "enc:776f726470617373", "", "", "")
Expect(err).NotTo(HaveOccurred())
Expect(usr).To(Equal(&model.User{UserName: "admin", Password: "wordpass"}))
})
@@ -40,13 +41,41 @@ var _ = Describe("Users", func() {
Context("Token based authentication", func() {
It("authenticates with token based authentication", func() {
usr, err := users.Authenticate(context.TODO(), "admin", "", "23b342970e25c7928831c3317edd0b67", "retnlmjetrymazgkt")
usr, err := users.Authenticate(context.TODO(), "admin", "", "23b342970e25c7928831c3317edd0b67", "retnlmjetrymazgkt", "")
Expect(err).NotTo(HaveOccurred())
Expect(usr).To(Equal(&model.User{UserName: "admin", Password: "wordpass"}))
})
It("fails if salt is missing", func() {
_, err := users.Authenticate(context.TODO(), "admin", "", "23b342970e25c7928831c3317edd0b67", "")
_, err := users.Authenticate(context.TODO(), "admin", "", "23b342970e25c7928831c3317edd0b67", "", "")
Expect(err).To(MatchError(model.ErrInvalidAuth))
})
})
Context("JWT based authentication", func() {
var validToken string
BeforeEach(func() {
u := &model.User{UserName: "admin"}
var err error
validToken, err = auth.CreateToken(u)
if err != nil {
panic(err)
}
})
It("authenticates with JWT token based authentication", func() {
usr, err := users.Authenticate(context.TODO(), "admin", "", "", "", validToken)
Expect(err).NotTo(HaveOccurred())
Expect(usr).To(Equal(&model.User{UserName: "admin", Password: "wordpass"}))
})
It("fails if JWT token is invalid", func() {
_, err := users.Authenticate(context.TODO(), "admin", "", "", "", "invalid.token")
Expect(err).To(MatchError(model.ErrInvalidAuth))
})
It("fails if JWT token sub is different than username", func() {
_, err := users.Authenticate(context.TODO(), "not_admin", "", "", "", validToken)
Expect(err).To(MatchError(model.ErrInvalidAuth))
})
})