feat: add LDAP authentication module with JWT issuance

internal/auth/ldapauth/ldapauth.go

@@ -0,0 +1,85 @@
+package ldapauth
+
+import (
+    // "crypto/tls"
+    "fmt"
+    "time"
+
+    "github.com/go-ldap/ldap/v3"
+    "github.com/golang-jwt/jwt/v4"
+)
+
+type Config struct {
+    Addr         string
+    BaseDN       string
+    BindUserDN   string // optional
+    BindPassword string // optional
+    JWTSecret    string
+}
+
+type dialerFunc func(addr string, opts ...ldap.DialOpt) (*ldap.Conn, error)
+
+
+type Authenticator struct {
+    cfg Config
+    dialFn dialerFunc
+}
+
+func New(cfg Config) *Authenticator {
+    return &Authenticator{
+        cfg: cfg,
+        dialFn: ldap.DialURL,
+    }
+}
+
+func (a *Authenticator) Authenticate(username, password string) (string, error) {
+    // l, err := ldap.DialURL("ldap://" + a.cfg.Addr)
+    l, err := a.dialFn("ldap://" + a.cfg.Addr)
+
+    if err != nil {
+        return "", fmt.Errorf("failed to connect LDAP: %w", err)
+    }
+    defer l.Close()
+
+    // err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
+    // if err != nil {
+    //     return "", fmt.Errorf("TLS error: %w", err)
+    // }
+
+    if a.cfg.BindUserDN != "" {
+        if err := l.Bind(a.cfg.BindUserDN, a.cfg.BindPassword); err != nil {
+            return "", fmt.Errorf("bind failed: %w", err)
+        }
+    }
+
+    searchReq := ldap.NewSearchRequest(
+        a.cfg.BaseDN,
+        ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+        fmt.Sprintf("(uid=%s)", ldap.EscapeFilter(username)),
+        []string{"dn"},
+        nil,
+    )
+
+    sr, err := l.Search(searchReq)
+    if err != nil || len(sr.Entries) != 1 {
+        return "", fmt.Errorf("user not found")
+    }
+
+    userDN := sr.Entries[0].DN
+
+    if err := l.Bind(userDN, password); err != nil {
+        return "", fmt.Errorf("invalid credentials")
+    }
+
+    token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+        "sub": username,
+        "exp": time.Now().Add(1 * time.Hour).Unix(),
+    })
+
+    signed, err := token.SignedString([]byte(a.cfg.JWTSecret))
+    if err != nil {
+        return "", fmt.Errorf("token signing error: %w", err)
+    }
+
+    return signed, nil
+}

internal/auth/ldapauth/ldapauth_test.go

@@ -0,0 +1,27 @@
+package ldapauth
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/go-ldap/ldap/v3"
+)
+
+func TestAuthenticate_InvalidUser(t *testing.T) {
+	auth := &Authenticator{
+		cfg: Config{
+			Addr:      "fakehost",
+			BaseDN:    "dc=example,dc=com",
+			JWTSecret: "testsecret",
+		},
+		dialFn: func(addr string, opts ...ldap.DialOpt) (*ldap.Conn, error) {
+    return nil, errors.New("dial error")
+    },
+
+	}
+
+	_, err := auth.Authenticate("testuser", "testpass")
+	if err == nil {
+		t.Fatal("expected error for invalid dial")
+	}
+}

mainFile/main.go

@@ -0,0 +1,57 @@
+package main
+
+import (
+    "encoding/json"
+    "fmt"
+    "log"
+    "net/http"
+
+    "ldap-auth-go/internal/ldapauth"
+)
+
+var authenticator *ldapauth.Authenticator
+
+func main() {
+    config := ldapauth.Config{
+        Addr:         "localhost:389",                     // change this to your LDAP server
+        BaseDN:       "dc=example,dc=com",                // adjust as per your directory
+        BindUserDN:   "cn=admin,dc=example,dc=com",       // service account (optional)
+        BindPassword: "admin",                            // service password
+        JWTSecret:    "your-secret-key",                  // replace with strong key
+    }
+
+    authenticator = ldapauth.New(config)
+
+    http.HandleFunc("/login", loginHandler)
+    log.Println("Server running on http://localhost:8080")
+    log.Fatal(http.ListenAndServe(":8080", nil))
+}
+
+func loginHandler(w http.ResponseWriter, r *http.Request) {
+    var creds struct {
+        Username string `json:"username"`
+        Password string `json:"password"`
+    }
+
+    if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
+        http.Error(w, "Invalid JSON", http.StatusBadRequest)
+        return
+    }
+
+    token, err := authenticator.Authenticate(creds.Username, creds.Password)
+    if err != nil {
+        http.Error(w, fmt.Sprintf("Login failed: %v", err), http.StatusUnauthorized)
+        return
+    }
+
+    // json.NewEncoder(w).Encode(map[string]string{
+    //     "token": token,
+    // })
+    if err := json.NewEncoder(w).Encode(map[string]string{
+    "token": token,
+}); err != nil {
+    http.Error(w, "Failed to write response", http.StatusInternalServerError)
+    return
+}
+
+}

mainFile/testuser.ldif

@@ -0,0 +1,10 @@
+dn: ou=users,dc=example,dc=com
+objectClass: organizationalUnit
+ou: users
+
+dn: uid=testuser,ou=users,dc=example,dc=com
+objectClass: inetOrgPerson
+uid: testuser
+sn: User
+cn: Test User
+userPassword: testpass