add OAuth authentication with JWT tokens and API key support

2026-01-18 21:00:03 +01:00
parent 2eb6292dc2
commit 8601bb5ba3
8 changed files with 1004 additions and 44 deletions
--- a/portal/internal/database/database.go
+++ b/portal/internal/database/database.go
@@ -2,14 +2,42 @@
 package database

 import (
+	"context"
 	"database/sql"
 	"fmt"
 	"os"
 	"path/filepath"
+	"time"

+	"github.com/google/uuid"
+	"golang.org/x/crypto/bcrypt"
 	_ "modernc.org/sqlite"
 )

+// DB wraps the database connection with business logic
+type DB struct {
+	*sql.DB
+}
+
+// Developer represents a developer account
+type Developer struct {
+	ID            string
+	Email         string
+	Name          string
+	PasswordHash  string
+	OAuthProvider string
+	OAuthID       string
+	AvatarURL     string
+	Verified      bool
+	CreatedAt     time.Time
+	UpdatedAt     time.Time
+}
+
+// NewDB creates a new DB wrapper
+func NewDB(db *sql.DB) *DB {
+	return &DB{db}
+}
+
 // Open opens the SQLite database with WAL mode enabled
 func Open(path string) (*sql.DB, error) {
 	// Ensure directory exists
@@ -201,3 +229,134 @@ CREATE INDEX IF NOT EXISTS idx_crashes_app ON crash_reports(app_id, timestamp);
 CREATE INDEX IF NOT EXISTS idx_audit_developer ON audit_logs(developer_id);
 CREATE INDEX IF NOT EXISTS idx_audit_created ON audit_logs(created_at);
 `
+
+// FindOrCreateDeveloper finds an existing developer by email or creates a new one
+func (db *DB) FindOrCreateDeveloper(ctx context.Context, dev *Developer) (*Developer, error) {
+	// First try to find by email
+	existing, err := db.GetDeveloperByEmail(ctx, dev.Email)
+	if err == nil {
+		// Update OAuth info if changed
+		if dev.OAuthProvider != "" && (existing.OAuthProvider != dev.OAuthProvider || existing.OAuthID != dev.OAuthID) {
+			_, err := db.ExecContext(ctx, `
+				UPDATE developers SET oauth_provider = ?, oauth_id = ?, updated_at = datetime('now')
+				WHERE id = ?
+			`, dev.OAuthProvider, dev.OAuthID, existing.ID)
+			if err != nil {
+				return nil, fmt.Errorf("update oauth: %w", err)
+			}
+			existing.OAuthProvider = dev.OAuthProvider
+			existing.OAuthID = dev.OAuthID
+		}
+		return existing, nil
+	}
+
+	// Create new developer
+	dev.ID = uuid.New().String()
+	_, err = db.ExecContext(ctx, `
+		INSERT INTO developers (id, email, name, oauth_provider, oauth_id, verified)
+		VALUES (?, ?, ?, ?, ?, 1)
+	`, dev.ID, dev.Email, dev.Name, dev.OAuthProvider, dev.OAuthID)
+	if err != nil {
+		return nil, fmt.Errorf("create developer: %w", err)
+	}
+
+	dev.Verified = true
+	dev.CreatedAt = time.Now()
+	dev.UpdatedAt = dev.CreatedAt
+	return dev, nil
+}
+
+// GetDeveloper retrieves a developer by ID
+func (db *DB) GetDeveloper(ctx context.Context, id string) (*Developer, error) {
+	row := db.QueryRowContext(ctx, `
+		SELECT id, email, name, password_hash, oauth_provider, oauth_id, verified, created_at, updated_at
+		FROM developers WHERE id = ?
+	`, id)
+
+	return scanDeveloper(row)
+}
+
+// GetDeveloperByEmail retrieves a developer by email
+func (db *DB) GetDeveloperByEmail(ctx context.Context, email string) (*Developer, error) {
+	row := db.QueryRowContext(ctx, `
+		SELECT id, email, name, password_hash, oauth_provider, oauth_id, verified, created_at, updated_at
+		FROM developers WHERE email = ?
+	`, email)
+
+	return scanDeveloper(row)
+}
+
+func scanDeveloper(row *sql.Row) (*Developer, error) {
+	var dev Developer
+	var passwordHash, oauthProvider, oauthID sql.NullString
+	var createdAt, updatedAt string
+
+	err := row.Scan(&dev.ID, &dev.Email, &dev.Name, &passwordHash, &oauthProvider, &oauthID, &dev.Verified, &createdAt, &updatedAt)
+	if err != nil {
+		return nil, err
+	}
+
+	dev.PasswordHash = passwordHash.String
+	dev.OAuthProvider = oauthProvider.String
+	dev.OAuthID = oauthID.String
+	dev.CreatedAt, _ = time.Parse("2006-01-02 15:04:05", createdAt)
+	dev.UpdatedAt, _ = time.Parse("2006-01-02 15:04:05", updatedAt)
+
+	return &dev, nil
+}
+
+// ValidateAPIKey validates an API key and returns the associated developer
+func (db *DB) ValidateAPIKey(ctx context.Context, key string) (*Developer, error) {
+	// Extract prefix (first 15 chars: mk_live_xxxxxxx)
+	if len(key) < 15 {
+		return nil, fmt.Errorf("invalid key format")
+	}
+	prefix := key[:15]
+
+	// Find key by prefix
+	row := db.QueryRowContext(ctx, `
+		SELECT k.key_hash, k.developer_id, k.expires_at
+		FROM api_keys k
+		WHERE k.key_prefix = ?
+	`, prefix)
+
+	var keyHash, developerID string
+	var expiresAt sql.NullString
+	if err := row.Scan(&keyHash, &developerID, &expiresAt); err != nil {
+		return nil, fmt.Errorf("key not found")
+	}
+
+	// Check expiration
+	if expiresAt.Valid {
+		expiry, err := time.Parse("2006-01-02 15:04:05", expiresAt.String)
+		if err == nil && time.Now().After(expiry) {
+			return nil, fmt.Errorf("key expired")
+		}
+	}
+
+	// Verify key hash
+	if err := bcrypt.CompareHashAndPassword([]byte(keyHash), []byte(key)); err != nil {
+		return nil, fmt.Errorf("invalid key")
+	}
+
+	// Update last used
+	db.ExecContext(ctx, `UPDATE api_keys SET last_used_at = datetime('now') WHERE key_prefix = ?`, prefix)
+
+	// Get developer
+	return db.GetDeveloper(ctx, developerID)
+}
+
+// LogAudit logs an audit event
+func (db *DB) LogAudit(ctx context.Context, developerID, action, ipAddress, userAgent string, success bool, failureReason string) {
+	details := ""
+	if !success {
+		details = fmt.Sprintf(`{"success":false,"reason":"%s"}`, failureReason)
+	} else {
+		details = `{"success":true}`
+	}
+
+	db.ExecContext(ctx, `
+		INSERT INTO audit_logs (developer_id, action, details, ip_address, user_agent)
+		VALUES (?, ?, ?, ?, ?)
+	`, developerID, action, details, ipAddress, userAgent)
+}