Add Access Tokens UI

2023-01-27 23:10:59 -05:00 · 2023-01-27 23:10:59 -05:00 · 16c14bf709
commit 16c14bf709
parent 62140ec001
19 changed files with 643 additions and 132 deletions
--- a/user/manager.go
+++ b/user/manager.go
@ -28,8 +28,7 @@ const (
 	userHardDeleteAfterDuration     = 7 * 24 * time.Hour
 	tokenPrefix                     = "tk_"
 	tokenLength                     = 32
-	tokenMaxCount                   = 10             // Only keep this many tokens in the table per user
-	tokenExpiryDuration             = 72 * time.Hour // Extend tokens by this much
+	tokenMaxCount                   = 10 // Only keep this many tokens in the table per user
 )

 var (
@ -92,6 +91,7 @@ const (
 		CREATE TABLE IF NOT EXISTS user_token (
 			user_id TEXT NOT NULL,
 			token TEXT NOT NULL,
+			label TEXT NOT NULL,
 			expires INT NOT NULL,
 			PRIMARY KEY (user_id, token),
 			FOREIGN KEY (user_id) REFERENCES user (id) ON DELETE CASCADE
@ -126,7 +126,7 @@ const (
 		FROM user u
 		JOIN user_token t on u.id = t.user_id
 		LEFT JOIN tier t on t.id = u.tier_id
-		WHERE t.token = ? AND t.expires >= ?
+		WHERE t.token = ? AND (t.expires = 0 OR t.expires >= ?)
 	`
 	selectUserByStripeCustomerIDQuery = `
 		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_price_id
@ -216,11 +216,14 @@ const (
  	`

 	selectTokenCountQuery    = `SELECT COUNT(*) FROM user_token WHERE user_id = ?`
-	insertTokenQuery         = `INSERT INTO user_token (user_id, token, expires) VALUES (?, ?, ?)`
-	updateTokenExpiryQuery   = `UPDATE user_token SET expires = ? WHERE user_id = (SELECT id FROM user WHERE user = ?) AND token = ?`
+	selectTokensQuery        = `SELECT token, label, expires FROM user_token WHERE user_id = ?`
+	selectTokenQuery         = `SELECT token, label, expires FROM user_token WHERE user_id = ? AND token = ?`
+	insertTokenQuery         = `INSERT INTO user_token (user_id, token, label, expires) VALUES (?, ?, ?, ?)`
+	updateTokenExpiryQuery   = `UPDATE user_token SET expires = ? WHERE user_id = ? AND token = ?`
+	updateTokenLabelQuery    = `UPDATE user_token SET label = ? WHERE user_id = ? AND token = ?`
 	deleteTokenQuery         = `DELETE FROM user_token WHERE user_id = ? AND token = ?`
 	deleteAllTokenQuery      = `DELETE FROM user_token WHERE user_id = ?`
-	deleteExpiredTokensQuery = `DELETE FROM user_token WHERE expires < ?`
+	deleteExpiredTokensQuery = `DELETE FROM user_token WHERE expires > 0 AND expires < ?`
 	deleteExcessTokensQuery  = `
 		DELETE FROM user_token
 		WHERE (user_id, token) NOT IN (
@ -285,7 +288,6 @@ const (
 		DROP TABLE access;
 		DROP TABLE user_old;
 	`
-	migrate1To2UpdateSyncTopicNoTx = `UPDATE user SET sync_topic = ? WHERE id = ?`
 )

 // Manager is an implementation of Manager. It stores users and access control list
@ -363,19 +365,19 @@ func (a *Manager) AuthenticateToken(token string) (*User, error) {
 }

 // CreateToken generates a random token for the given user and returns it. The token expires
-// after a fixed duration unless ExtendToken is called. This function also prunes tokens for the
+// after a fixed duration unless ChangeToken is called. This function also prunes tokens for the
 // given user, if there are too many of them.
-func (a *Manager) CreateToken(user *User) (*Token, error) {
-	token, expires := util.RandomStringPrefix(tokenPrefix, tokenLength), time.Now().Add(tokenExpiryDuration)
+func (a *Manager) CreateToken(userID, label string, expires time.Time) (*Token, error) {
+	token := util.RandomStringPrefix(tokenPrefix, tokenLength)
 	tx, err := a.db.Begin()
 	if err != nil {
 		return nil, err
 	}
 	defer tx.Rollback()
-	if _, err := tx.Exec(insertTokenQuery, user.ID, token, expires.Unix()); err != nil {
+	if _, err := tx.Exec(insertTokenQuery, userID, token, label, expires.Unix()); err != nil {
 		return nil, err
 	}
-	rows, err := tx.Query(selectTokenCountQuery, user.ID)
+	rows, err := tx.Query(selectTokenCountQuery, userID)
 	if err != nil {
 		return nil, err
 	}
@ -390,7 +392,7 @@ func (a *Manager) CreateToken(user *User) (*Token, error) {
 	if tokenCount >= tokenMaxCount {
 		// This pruning logic is done in two queries for efficiency. The SELECT above is a lookup
 		// on two indices, whereas the query below is a full table scan.
-		if _, err := tx.Exec(deleteExcessTokensQuery, user.ID, tokenMaxCount); err != nil {
+		if _, err := tx.Exec(deleteExcessTokensQuery, userID, tokenMaxCount); err != nil {
 			return nil, err
 		}
 	}
@ -399,31 +401,89 @@ func (a *Manager) CreateToken(user *User) (*Token, error) {
 	}
 	return &Token{
 		Value:   token,
+		Label:   label,
 		Expires: expires,
 	}, nil
 }

-// ExtendToken sets the new expiry date for a token, thereby extending its use further into the future.
-func (a *Manager) ExtendToken(user *User) (*Token, error) {
-	if user.Token == "" {
-		return nil, errNoTokenProvided
+func (a *Manager) Tokens(userID string) ([]*Token, error) {
+	rows, err := a.db.Query(selectTokensQuery, userID)
+	if err != nil {
+		return nil, err
 	}
-	newExpires := time.Now().Add(tokenExpiryDuration)
-	if _, err := a.db.Exec(updateTokenExpiryQuery, newExpires.Unix(), user.Name, user.Token); err != nil {
+	defer rows.Close()
+	tokens := make([]*Token, 0)
+	for {
+		token, err := a.readToken(rows)
+		if err == ErrTokenNotFound {
+			break
+		} else if err != nil {
+			return nil, err
+		}
+		tokens = append(tokens, token)
+	}
+	return tokens, nil
+}
+
+func (a *Manager) Token(userID, token string) (*Token, error) {
+	rows, err := a.db.Query(selectTokenQuery, userID, token)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	return a.readToken(rows)
+}
+
+func (a *Manager) readToken(rows *sql.Rows) (*Token, error) {
+	var token, label string
+	var expires int64
+	if !rows.Next() {
+		return nil, ErrTokenNotFound
+	}
+	if err := rows.Scan(&token, &label, &expires); err != nil {
+		return nil, err
+	} else if err := rows.Err(); err != nil {
 		return nil, err
 	}
 	return &Token{
-		Value:   user.Token,
-		Expires: newExpires,
+		Value:   token,
+		Label:   label,
+		Expires: time.Unix(expires, 0),
 	}, nil
 }

-// RemoveToken deletes the token defined in User.Token
-func (a *Manager) RemoveToken(user *User) error {
-	if user.Token == "" {
-		return ErrUnauthorized
+// ChangeToken updates a token's label and/or expiry date
+func (a *Manager) ChangeToken(userID, token string, label *string, expires *time.Time) (*Token, error) {
+	if token == "" {
+		return nil, errNoTokenProvided
 	}
-	if _, err := a.db.Exec(deleteTokenQuery, user.ID, user.Token); err != nil {
+	tx, err := a.db.Begin()
+	if err != nil {
+		return nil, err
+	}
+	defer tx.Rollback()
+	if label != nil {
+		if _, err := tx.Exec(updateTokenLabelQuery, *label, userID, token); err != nil {
+			return nil, err
+		}
+	}
+	if expires != nil {
+		if _, err := tx.Exec(updateTokenExpiryQuery, expires.Unix(), userID, token); err != nil {
+			return nil, err
+		}
+	}
+	if err := tx.Commit(); err != nil {
+		return nil, err
+	}
+	return a.Token(userID, token)
+}
+
+// RemoveToken deletes the token defined in User.Token
+func (a *Manager) RemoveToken(userID, token string) error {
+	if token == "" {
+		return errNoTokenProvided
+	}
+	if _, err := a.db.Exec(deleteTokenQuery, userID, token); err != nil {
 		return err
 	}
 	return nil
--- a/user/manager_test.go
+++ b/user/manager_test.go
@ -138,7 +138,7 @@ func TestManager_MarkUserRemoved_RemoveDeletedUsers(t *testing.T) {
 	require.Nil(t, err)
 	require.False(t, u.Deleted)

-	token, err := a.CreateToken(u)
+	token, err := a.CreateToken(u.ID, "", time.Now().Add(time.Hour))
 	require.Nil(t, err)

 	u, err = a.Authenticate("user", "pass")
@ -396,9 +396,10 @@ func TestManager_Token_Valid(t *testing.T) {
 	require.Nil(t, err)

 	// Create token for user
-	token, err := a.CreateToken(u)
+	token, err := a.CreateToken(u.ID, "some label", time.Now().Add(72*time.Hour))
 	require.Nil(t, err)
 	require.NotEmpty(t, token.Value)
+	require.Equal(t, "some label", token.Label)
 	require.True(t, time.Now().Add(71*time.Hour).Unix() < token.Expires.Unix())

 	u2, err := a.AuthenticateToken(token.Value)
@ -406,8 +407,13 @@ func TestManager_Token_Valid(t *testing.T) {
 	require.Equal(t, u.Name, u2.Name)
 	require.Equal(t, token.Value, u2.Token)

+	token2, err := a.Token(u.ID, token.Value)
+	require.Nil(t, err)
+	require.Equal(t, token.Value, token2.Value)
+	require.Equal(t, "some label", token2.Label)
+
 	// Remove token and auth again
-	require.Nil(t, a.RemoveToken(u2))
+	require.Nil(t, a.RemoveToken(u2.ID, u2.Token))
 	u3, err := a.AuthenticateToken(token.Value)
 	require.Equal(t, ErrUnauthenticated, err)
 	require.Nil(t, u3)
@ -434,12 +440,12 @@ func TestManager_Token_Expire(t *testing.T) {
 	require.Nil(t, err)

 	// Create tokens for user
-	token1, err := a.CreateToken(u)
+	token1, err := a.CreateToken(u.ID, "", time.Now().Add(72*time.Hour))
 	require.Nil(t, err)
 	require.NotEmpty(t, token1.Value)
 	require.True(t, time.Now().Add(71*time.Hour).Unix() < token1.Expires.Unix())

-	token2, err := a.CreateToken(u)
+	token2, err := a.CreateToken(u.ID, "", time.Now().Add(72*time.Hour))
 	require.Nil(t, err)
 	require.NotEmpty(t, token2.Value)
 	require.NotEqual(t, token1.Value, token2.Value)
@ -482,23 +488,23 @@ func TestManager_Token_Extend(t *testing.T) {
 	u, err := a.User("ben")
 	require.Nil(t, err)

-	_, err = a.ExtendToken(u)
+	_, err = a.ChangeToken(u.ID, u.Token, util.String("some label"), util.Time(time.Now().Add(time.Hour)))
 	require.Equal(t, errNoTokenProvided, err)

 	// Create token for user
-	token, err := a.CreateToken(u)
+	token, err := a.CreateToken(u.ID, "", time.Now().Add(72*time.Hour))
 	require.Nil(t, err)
 	require.NotEmpty(t, token.Value)

 	userWithToken, err := a.AuthenticateToken(token.Value)
 	require.Nil(t, err)

-	time.Sleep(1100 * time.Millisecond)
-
-	extendedToken, err := a.ExtendToken(userWithToken)
+	extendedToken, err := a.ChangeToken(userWithToken.ID, userWithToken.Token, util.String("changed label"), util.Time(time.Now().Add(100*time.Hour)))
 	require.Nil(t, err)
 	require.Equal(t, token.Value, extendedToken.Value)
+	require.Equal(t, "changed label", extendedToken.Label)
 	require.True(t, token.Expires.Unix() < extendedToken.Expires.Unix())
+	require.True(t, time.Now().Add(99*time.Hour).Unix() < extendedToken.Expires.Unix())
 }

 func TestManager_Token_MaxCount_AutoDelete(t *testing.T) {
@ -513,7 +519,7 @@ func TestManager_Token_MaxCount_AutoDelete(t *testing.T) {
 	baseTime := time.Now().Add(24 * time.Hour)
 	tokens := make([]string, 0)
 	for i := 0; i < 12; i++ {
-		token, err := a.CreateToken(u)
+		token, err := a.CreateToken(u.ID, "", time.Now().Add(72*time.Hour))
 		require.Nil(t, err)
 		require.NotEmpty(t, token.Value)
 		tokens = append(tokens, token.Value)
--- a/user/types.go
+++ b/user/types.go
@ -47,6 +47,7 @@ type Auther interface {
 // Token represents a user token, including expiry date
 type Token struct {
 	Value   string
+	Label   string
 	Expires time.Time
 }

@ -237,5 +238,6 @@ var (
 	ErrInvalidArgument     = errors.New("invalid argument")
 	ErrUserNotFound        = errors.New("user not found")
 	ErrTierNotFound        = errors.New("tier not found")
+	ErrTokenNotFound       = errors.New("token not found")
 	ErrTooManyReservations = errors.New("new tier has lower reservation limit")
 )