add OAuth authentication with JWT tokens and API key support

2026-01-18 21:00:03 +01:00
parent 2eb6292dc2
commit 8601bb5ba3
8 changed files with 1004 additions and 44 deletions
--- a/portal/internal/api/handlers/auth.go
+++ b/portal/internal/api/handlers/auth.go
@@ -0,0 +1,264 @@
+package handlers
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"time"
+
+	"github.com/omixlab/mosis-portal/internal/api/middleware"
+	"github.com/omixlab/mosis-portal/internal/auth"
+	"github.com/omixlab/mosis-portal/internal/database"
+)
+
+// AuthHandler handles authentication endpoints
+type AuthHandler struct {
+	oauthManager *auth.OAuthManager
+	jwtManager   *auth.JWTManager
+	db           *database.DB
+}
+
+// NewAuthHandler creates a new auth handler
+func NewAuthHandler(oauthManager *auth.OAuthManager, jwtManager *auth.JWTManager, db *database.DB) *AuthHandler {
+	return &AuthHandler{
+		oauthManager: oauthManager,
+		jwtManager:   jwtManager,
+		db:           db,
+	}
+}
+
+// OAuthStart initiates OAuth flow
+func (h *AuthHandler) OAuthStart(provider auth.OAuthProvider) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		state, err := auth.GenerateState()
+		if err != nil {
+			http.Error(w, "Failed to generate state", http.StatusInternalServerError)
+			return
+		}
+
+		// Store state in cookie for verification
+		http.SetCookie(w, &http.Cookie{
+			Name:     "oauth_state",
+			Value:    state,
+			Path:     "/",
+			MaxAge:   300, // 5 minutes
+			HttpOnly: true,
+			Secure:   r.TLS != nil,
+			SameSite: http.SameSiteLaxMode,
+		})
+
+		authURL, err := h.oauthManager.GetAuthURL(provider, state)
+		if err != nil {
+			http.Error(w, "OAuth not configured: "+err.Error(), http.StatusNotImplemented)
+			return
+		}
+
+		http.Redirect(w, r, authURL, http.StatusTemporaryRedirect)
+	}
+}
+
+// OAuthCallback handles OAuth callback
+func (h *AuthHandler) OAuthCallback(provider auth.OAuthProvider) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Verify state
+		stateCookie, err := r.Cookie("oauth_state")
+		if err != nil || stateCookie.Value != r.URL.Query().Get("state") {
+			http.Error(w, "Invalid state", http.StatusBadRequest)
+			return
+		}
+
+		// Clear state cookie
+		http.SetCookie(w, &http.Cookie{
+			Name:   "oauth_state",
+			Value:  "",
+			Path:   "/",
+			MaxAge: -1,
+		})
+
+		// Check for error from provider
+		if errMsg := r.URL.Query().Get("error"); errMsg != "" {
+			http.Error(w, "OAuth error: "+errMsg, http.StatusBadRequest)
+			return
+		}
+
+		code := r.URL.Query().Get("code")
+		if code == "" {
+			http.Error(w, "No code provided", http.StatusBadRequest)
+			return
+		}
+
+		// Exchange code for user info
+		oauthUser, err := h.oauthManager.Exchange(r.Context(), provider, code)
+		if err != nil {
+			log.Printf("OAuth exchange failed: %v", err)
+			http.Error(w, "Authentication failed", http.StatusInternalServerError)
+			return
+		}
+
+		if oauthUser.Email == "" {
+			http.Error(w, "Email not available from OAuth provider", http.StatusBadRequest)
+			return
+		}
+
+		// Find or create developer
+		developer, err := h.db.FindOrCreateDeveloper(r.Context(), &database.Developer{
+			Email:         oauthUser.Email,
+			Name:          oauthUser.Name,
+			OAuthProvider: string(oauthUser.Provider),
+			OAuthID:       oauthUser.ID,
+			AvatarURL:     oauthUser.Avatar,
+		})
+		if err != nil {
+			log.Printf("Failed to find/create developer: %v", err)
+			http.Error(w, "Failed to create account", http.StatusInternalServerError)
+			return
+		}
+
+		// Generate tokens
+		tokenPair, err := h.jwtManager.GenerateTokenPair(developer.ID, developer.Email)
+		if err != nil {
+			log.Printf("Failed to generate tokens: %v", err)
+			http.Error(w, "Failed to generate tokens", http.StatusInternalServerError)
+			return
+		}
+
+		// Set refresh token in HttpOnly cookie
+		http.SetCookie(w, &http.Cookie{
+			Name:     "refresh_token",
+			Value:    tokenPair.RefreshToken,
+			Path:     "/",
+			MaxAge:   30 * 24 * 60 * 60, // 30 days
+			HttpOnly: true,
+			Secure:   r.TLS != nil,
+			SameSite: http.SameSiteStrictMode,
+		})
+
+		// Log the authentication
+		h.db.LogAudit(r.Context(), developer.ID, "oauth_login", r.RemoteAddr, r.UserAgent(), true, "")
+
+		// Return access token
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(map[string]interface{}{
+			"access_token": tokenPair.AccessToken,
+			"token_type":   tokenPair.TokenType,
+			"expires_in":   tokenPair.ExpiresIn,
+			"developer": map[string]interface{}{
+				"id":         developer.ID,
+				"email":      developer.Email,
+				"name":       developer.Name,
+				"avatar_url": developer.AvatarURL,
+			},
+		})
+	}
+}
+
+// Refresh refreshes the access token using refresh token
+func (h *AuthHandler) Refresh(w http.ResponseWriter, r *http.Request) {
+	// Get refresh token from cookie or body
+	var refreshToken string
+
+	cookie, err := r.Cookie("refresh_token")
+	if err == nil {
+		refreshToken = cookie.Value
+	}
+
+	// If not in cookie, try request body
+	if refreshToken == "" {
+		var body struct {
+			RefreshToken string `json:"refresh_token"`
+		}
+		if err := json.NewDecoder(r.Body).Decode(&body); err == nil {
+			refreshToken = body.RefreshToken
+		}
+	}
+
+	if refreshToken == "" {
+		http.Error(w, "Refresh token required", http.StatusBadRequest)
+		return
+	}
+
+	// Validate refresh token
+	claims, err := h.jwtManager.ValidateRefreshToken(refreshToken)
+	if err != nil {
+		// Clear invalid cookie
+		http.SetCookie(w, &http.Cookie{
+			Name:   "refresh_token",
+			Value:  "",
+			Path:   "/",
+			MaxAge: -1,
+		})
+		http.Error(w, "Invalid refresh token", http.StatusUnauthorized)
+		return
+	}
+
+	// Generate new token pair
+	tokenPair, err := h.jwtManager.GenerateTokenPair(claims.Subject, claims.Email)
+	if err != nil {
+		http.Error(w, "Failed to generate tokens", http.StatusInternalServerError)
+		return
+	}
+
+	// Set new refresh token in cookie
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    tokenPair.RefreshToken,
+		Path:     "/",
+		MaxAge:   30 * 24 * 60 * 60,
+		HttpOnly: true,
+		Secure:   r.TLS != nil,
+		SameSite: http.SameSiteStrictMode,
+	})
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"access_token": tokenPair.AccessToken,
+		"token_type":   tokenPair.TokenType,
+		"expires_in":   tokenPair.ExpiresIn,
+	})
+}
+
+// Logout invalidates the current session
+func (h *AuthHandler) Logout(w http.ResponseWriter, r *http.Request) {
+	// Clear refresh token cookie
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+		Secure:   r.TLS != nil,
+		SameSite: http.SameSiteStrictMode,
+	})
+
+	// Log the logout if authenticated
+	developerID := middleware.GetDeveloperID(r.Context())
+	if developerID != "" {
+		h.db.LogAudit(r.Context(), developerID, "logout", r.RemoteAddr, r.UserAgent(), true, "")
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// Me returns the current user's information
+func (h *AuthHandler) Me(w http.ResponseWriter, r *http.Request) {
+	developerID := middleware.GetDeveloperID(r.Context())
+	if developerID == "" {
+		http.Error(w, "Not authenticated", http.StatusUnauthorized)
+		return
+	}
+
+	developer, err := h.db.GetDeveloper(r.Context(), developerID)
+	if err != nil {
+		http.Error(w, "Developer not found", http.StatusNotFound)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"id":         developer.ID,
+		"email":      developer.Email,
+		"name":       developer.Name,
+		"avatar_url": developer.AvatarURL,
+		"created_at": developer.CreatedAt.Format(time.RFC3339),
+	})
+}
--- a/portal/internal/api/middleware/auth.go
+++ b/portal/internal/api/middleware/auth.go
@@ -0,0 +1,127 @@
+// Package middleware provides HTTP middleware for the API
+package middleware
+
+import (
+	"context"
+	"net/http"
+	"strings"
+
+	"github.com/omixlab/mosis-portal/internal/auth"
+	"github.com/omixlab/mosis-portal/internal/database"
+)
+
+type contextKey string
+
+const (
+	DeveloperContextKey contextKey = "developer"
+	ClaimsContextKey    contextKey = "claims"
+)
+
+// AuthMiddleware handles JWT and API key authentication
+type AuthMiddleware struct {
+	jwtManager *auth.JWTManager
+	db         *database.DB
+}
+
+// NewAuthMiddleware creates a new auth middleware
+func NewAuthMiddleware(jwtManager *auth.JWTManager, db *database.DB) *AuthMiddleware {
+	return &AuthMiddleware{
+		jwtManager: jwtManager,
+		db:         db,
+	}
+}
+
+// RequireAuth requires a valid JWT or API key
+func (m *AuthMiddleware) RequireAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Try Bearer token first
+		authHeader := r.Header.Get("Authorization")
+		if strings.HasPrefix(authHeader, "Bearer ") {
+			token := strings.TrimPrefix(authHeader, "Bearer ")
+			claims, err := m.jwtManager.ValidateAccessToken(token)
+			if err != nil {
+				http.Error(w, "Invalid or expired token", http.StatusUnauthorized)
+				return
+			}
+
+			// Add claims to context
+			ctx := context.WithValue(r.Context(), ClaimsContextKey, claims)
+			next.ServeHTTP(w, r.WithContext(ctx))
+			return
+		}
+
+		// Try API key
+		apiKey := r.Header.Get("X-API-Key")
+		if apiKey != "" {
+			developer, err := m.db.ValidateAPIKey(r.Context(), apiKey)
+			if err != nil {
+				http.Error(w, "Invalid API key", http.StatusUnauthorized)
+				return
+			}
+
+			// Add developer to context
+			ctx := context.WithValue(r.Context(), DeveloperContextKey, developer)
+			next.ServeHTTP(w, r.WithContext(ctx))
+			return
+		}
+
+		http.Error(w, "Authorization required", http.StatusUnauthorized)
+	})
+}
+
+// OptionalAuth adds developer info to context if authenticated, but doesn't require it
+func (m *AuthMiddleware) OptionalAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Try Bearer token
+		authHeader := r.Header.Get("Authorization")
+		if strings.HasPrefix(authHeader, "Bearer ") {
+			token := strings.TrimPrefix(authHeader, "Bearer ")
+			claims, err := m.jwtManager.ValidateAccessToken(token)
+			if err == nil {
+				ctx := context.WithValue(r.Context(), ClaimsContextKey, claims)
+				next.ServeHTTP(w, r.WithContext(ctx))
+				return
+			}
+		}
+
+		// Try API key
+		apiKey := r.Header.Get("X-API-Key")
+		if apiKey != "" {
+			developer, err := m.db.ValidateAPIKey(r.Context(), apiKey)
+			if err == nil {
+				ctx := context.WithValue(r.Context(), DeveloperContextKey, developer)
+				next.ServeHTTP(w, r.WithContext(ctx))
+				return
+			}
+		}
+
+		// Continue without authentication
+		next.ServeHTTP(w, r)
+	})
+}
+
+// GetClaims retrieves JWT claims from context
+func GetClaims(ctx context.Context) *auth.Claims {
+	claims, ok := ctx.Value(ClaimsContextKey).(*auth.Claims)
+	if !ok {
+		return nil
+	}
+	return claims
+}
+
+// GetDeveloperID retrieves the developer ID from context (from JWT or API key)
+func GetDeveloperID(ctx context.Context) string {
+	// First check JWT claims
+	claims := GetClaims(ctx)
+	if claims != nil {
+		return claims.Subject
+	}
+
+	// Then check developer from API key
+	developer, ok := ctx.Value(DeveloperContextKey).(*database.Developer)
+	if ok && developer != nil {
+		return developer.ID
+	}
+
+	return ""
+}
--- a/portal/internal/api/router.go
+++ b/portal/internal/api/router.go
@@ -2,24 +2,36 @@
 package api

 import (
-	"database/sql"
 	"net/http"

 	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/chi/v5/middleware"
+	chimw "github.com/go-chi/chi/v5/middleware"
 	"github.com/omixlab/mosis-portal/internal/api/handlers"
+	"github.com/omixlab/mosis-portal/internal/api/middleware"
+	"github.com/omixlab/mosis-portal/internal/auth"
 	"github.com/omixlab/mosis-portal/internal/config"
+	"github.com/omixlab/mosis-portal/internal/database"
 )

 // NewRouter creates and configures the HTTP router
-func NewRouter(cfg *config.Config, db *sql.DB) http.Handler {
+func NewRouter(cfg *config.Config, db *database.DB) http.Handler {
 	r := chi.NewRouter()

 	// Middleware
-	r.Use(middleware.Logger)
-	r.Use(middleware.Recoverer)
-	r.Use(middleware.RealIP)
-	r.Use(middleware.RequestID)
+	r.Use(chimw.Logger)
+	r.Use(chimw.Recoverer)
+	r.Use(chimw.RealIP)
+	r.Use(chimw.RequestID)
+
+	// Initialize auth components
+	jwtManager := auth.NewJWTManager(cfg.JWTSecret)
+	oauthManager := auth.NewOAuthManager(
+		cfg.BaseURL,
+		cfg.GitHubClientID, cfg.GitHubClientSecret,
+		cfg.GoogleClientID, cfg.GoogleClientSecret,
+	)
+	authMiddleware := middleware.NewAuthMiddleware(jwtManager, db)
+	authHandler := handlers.NewAuthHandler(oauthManager, jwtManager, db)

 	// Health check
 	r.Get("/health", func(w http.ResponseWriter, r *http.Request) {
@@ -29,47 +41,57 @@ func NewRouter(cfg *config.Config, db *sql.DB) http.Handler {

 	// API v1
 	r.Route("/v1", func(r chi.Router) {
-		// Auth routes
+		// Auth routes (public)
 		r.Route("/auth", func(r chi.Router) {
-			r.Post("/oauth/github", handlers.NotImplemented)
-			r.Get("/oauth/github/callback", handlers.NotImplemented)
-			r.Post("/oauth/google", handlers.NotImplemented)
-			r.Get("/oauth/google/callback", handlers.NotImplemented)
-			r.Post("/refresh", handlers.NotImplemented)
-			r.Post("/logout", handlers.NotImplemented)
-			r.Get("/me", handlers.NotImplemented)
+			// OAuth - use GET for initiating (redirect based)
+			r.Get("/oauth/github", authHandler.OAuthStart(auth.ProviderGitHub))
+			r.Get("/oauth/github/callback", authHandler.OAuthCallback(auth.ProviderGitHub))
+			r.Get("/oauth/google", authHandler.OAuthStart(auth.ProviderGoogle))
+			r.Get("/oauth/google/callback", authHandler.OAuthCallback(auth.ProviderGoogle))
+
+			// Token management
+			r.Post("/refresh", authHandler.Refresh)
+			r.Post("/logout", authHandler.Logout)
+
+			// Current user (requires auth)
+			r.With(authMiddleware.RequireAuth).Get("/me", authHandler.Me)
 		})

-		// Developer apps
-		r.Route("/apps", func(r chi.Router) {
-			r.Get("/", handlers.NotImplemented)
-			r.Post("/", handlers.NotImplemented)
-			r.Get("/{appID}", handlers.NotImplemented)
-			r.Patch("/{appID}", handlers.NotImplemented)
-			r.Delete("/{appID}", handlers.NotImplemented)
+		// Protected developer routes
+		r.Group(func(r chi.Router) {
+			r.Use(authMiddleware.RequireAuth)

-			// Versions
-			r.Route("/{appID}/versions", func(r chi.Router) {
+			// Developer apps
+			r.Route("/apps", func(r chi.Router) {
 				r.Get("/", handlers.NotImplemented)
 				r.Post("/", handlers.NotImplemented)
-				r.Get("/{versionID}", handlers.NotImplemented)
-				r.Post("/{versionID}/submit", handlers.NotImplemented)
-				r.Post("/{versionID}/publish", handlers.NotImplemented)
+				r.Get("/{appID}", handlers.NotImplemented)
+				r.Patch("/{appID}", handlers.NotImplemented)
+				r.Delete("/{appID}", handlers.NotImplemented)
+
+				// Versions
+				r.Route("/{appID}/versions", func(r chi.Router) {
+					r.Get("/", handlers.NotImplemented)
+					r.Post("/", handlers.NotImplemented)
+					r.Get("/{versionID}", handlers.NotImplemented)
+					r.Post("/{versionID}/submit", handlers.NotImplemented)
+					r.Post("/{versionID}/publish", handlers.NotImplemented)
+				})
 			})
-		})

-		// API Keys
-		r.Route("/api-keys", func(r chi.Router) {
-			r.Get("/", handlers.NotImplemented)
-			r.Post("/", handlers.NotImplemented)
-			r.Delete("/{keyID}", handlers.NotImplemented)
-		})
+			// API Keys
+			r.Route("/api-keys", func(r chi.Router) {
+				r.Get("/", handlers.NotImplemented)
+				r.Post("/", handlers.NotImplemented)
+				r.Delete("/{keyID}", handlers.NotImplemented)
+			})

-		// Signing Keys
-		r.Route("/signing-keys", func(r chi.Router) {
-			r.Get("/", handlers.NotImplemented)
-			r.Post("/", handlers.NotImplemented)
-			r.Delete("/{keyID}", handlers.NotImplemented)
+			// Signing Keys
+			r.Route("/signing-keys", func(r chi.Router) {
+				r.Get("/", handlers.NotImplemented)
+				r.Post("/", handlers.NotImplemented)
+				r.Delete("/{keyID}", handlers.NotImplemented)
+			})
 		})

 		// Public store endpoints
@@ -80,15 +102,16 @@ func NewRouter(cfg *config.Config, db *sql.DB) http.Handler {
 			r.Get("/apps/updates", handlers.NotImplemented)
 		})

-		// Telemetry
+		// Telemetry (API key auth preferred, but can work without for initial setup)
 		r.Route("/telemetry", func(r chi.Router) {
 			r.Post("/events", handlers.NotImplemented)
 			r.Post("/crash", handlers.NotImplemented)
 		})
 	})

-	// Admin routes (htmx UI)
+	// Admin routes (htmx UI) - requires auth
 	r.Route("/admin", func(r chi.Router) {
+		r.Use(authMiddleware.RequireAuth)
 		r.Get("/", handlers.NotImplemented)
 		r.Get("/review-queue", handlers.NotImplemented)
 		r.Get("/review/{versionID}", handlers.NotImplemented)