wip

Author: heiytor

api/services/auth.go

@@ -3,10 +3,18 @@ package services
 import (
 	"context"
 	"crypto/rsa"
+	"slices"
+	"strings"
 	"time"
 
+	"github.com/shellhub-io/shellhub/pkg/api/authorizer"
+	"github.com/shellhub-io/shellhub/pkg/api/jwttoken"
 	"github.com/shellhub-io/shellhub/pkg/api/requests"
+	"github.com/shellhub-io/shellhub/pkg/clock"
+	"github.com/shellhub-io/shellhub/pkg/hash"
 	"github.com/shellhub-io/shellhub/pkg/models"
+	"github.com/shellhub-io/shellhub/pkg/uuid"
+	log "github.com/sirupsen/logrus"
 )
 
 type AuthService interface {
@@ -54,7 +62,137 @@ func (s *service) AuthDevice(ctx context.Context, req requests.DeviceAuth, remot
 }
 
 func (s *service) AuthLocalUser(ctx context.Context, req *requests.AuthLocalUser, sourceIP string) (*models.UserAuthResponse, int64, string, error) {
-	return nil, 0, "", nil
+	// if s, err := s.store.SystemGet(ctx); err != nil || !s.Authentication.Local.Enabled {
+	// 	return nil, 0, "", NewErrAuthMethodNotAllowed(models.UserAuthMethodLocal.String())
+	// }
+
+	var err error
+	var user *models.User
+
+	if req.Identifier.IsEmail() {
+		user, err = s.store.UserGetByEmail(ctx, strings.ToLower(string(req.Identifier)))
+	} else {
+		user, err = s.store.UserGetByUsername(ctx, strings.ToLower(string(req.Identifier)))
+	}
+
+	if err != nil || !slices.Contains(user.Preferences.AuthMethods, models.UserAuthMethodLocal) {
+		return nil, 0, "", NewErrAuthUnathorized(nil)
+	}
+
+	switch user.Status {
+	case models.UserStatusInvited:
+		return nil, 0, "", NewErrAuthUnathorized(nil)
+	case models.UserStatusNotConfirmed:
+		return nil, 0, "", NewErrUserNotConfirmed(nil)
+	default:
+		break
+	}
+
+	// Checks whether the user is currently blocked from new login attempts
+	if lockout, attempt, _ := s.cache.HasAccountLockout(ctx, sourceIP, user.ID); lockout > 0 {
+		log.WithFields(log.Fields{
+			"lockout":   lockout,
+			"attempt":   attempt,
+			"source_ip": sourceIP,
+			"user_id":   user.ID,
+		}).
+			Warn("attempt to login blocked")
+
+		return nil, lockout, "", NewErrAuthUnathorized(nil)
+	}
+
+	if !hash.CompareWith(req.Password, user.Password) {
+		lockout, _, err := s.cache.StoreLoginAttempt(ctx, sourceIP, user.ID)
+		if err != nil {
+			log.WithError(err).
+				WithField("source_ip", sourceIP).
+				WithField("user_id", user.ID).
+				Warn("unable to store login attempt")
+		}
+
+		return nil, lockout, "", NewErrAuthUnathorized(nil)
+	}
+
+	// Reset the attempt and timeout values when succeeds
+	if err := s.cache.ResetLoginAttempts(ctx, sourceIP, user.ID); err != nil {
+		log.WithError(err).
+			WithField("source_ip", sourceIP).
+			WithField("user_id", user.ID).
+			Warn("unable to reset authentication attempts")
+	}
+
+	// Users with MFA enabled must authenticate to the cloud instead of community.
+	if user.MFA.Enabled {
+		mfaToken := uuid.Generate()
+		if err := s.cache.Set(ctx, "mfa-token={"+mfaToken+"}", user.ID, 30*time.Minute); err != nil {
+			log.WithError(err).
+				WithField("source_ip", sourceIP).
+				WithField("user_id", user.ID).
+				Warn("unable to store mfa-token")
+		}
+
+		return nil, 0, mfaToken, nil
+	}
+
+	tenantID := ""
+	role := ""
+	// Populate the tenant and role when the user is associated with a namespace. If the member status is pending, we
+	// ignore the namespace.
+	if ns, _ := s.store.NamespaceGetPreferred(ctx, user.ID); ns != nil && ns.TenantID != "" {
+		if m, _ := ns.FindMember(user.ID); m.Status != models.MemberStatusPending {
+			tenantID = ns.TenantID
+			role = m.Role.String()
+		}
+	}
+
+	claims := authorizer.UserClaims{
+		ID:       user.ID,
+		Origin:   user.Origin.String(),
+		TenantID: tenantID,
+		Username: user.Username,
+		MFA:      user.MFA.Enabled,
+	}
+
+	token, err := jwttoken.EncodeUserClaims(claims, s.privKey)
+	if err != nil {
+		return nil, 0, "", NewErrTokenSigned(err)
+	}
+
+	// Updates last_login and the hash algorithm to bcrypt if still using SHA256
+	changes := &models.UserChanges{LastLogin: clock.Now(), PreferredNamespace: &tenantID}
+	if !strings.HasPrefix(user.Password, "$") {
+		if neo, _ := models.HashUserPassword(req.Password); neo.Hash != "" {
+			changes.Password = neo.Hash
+		}
+	}
+
+	// TODO: evaluate make this update in a go routine.
+	if err := s.store.UserUpdate(ctx, user.ID, changes); err != nil {
+		return nil, 0, "", NewErrUserUpdate(user, err)
+	}
+
+	if err := s.AuthCacheToken(ctx, tenantID, user.ID, token); err != nil {
+		log.WithError(err).
+			WithFields(log.Fields{"id": user.ID}).
+			Warn("unable to cache the authentication token")
+	}
+
+	res := &models.UserAuthResponse{
+		ID:            user.ID,
+		Origin:        user.Origin.String(),
+		AuthMethods:   user.Preferences.AuthMethods,
+		User:          user.Username,
+		Name:          user.Name,
+		Email:         user.Email,
+		RecoveryEmail: user.RecoveryEmail,
+		MFA:           user.MFA.Enabled,
+		Tenant:        tenantID,
+		Role:          role,
+		Token:         token,
+		MaxNamespaces: user.MaxNamespaces,
+	}
+
+	return res, 0, "", nil
 }
 
 func (s *service) CreateUserToken(ctx context.Context, req *requests.CreateUserToken) (*models.UserAuthResponse, error) {

api/services/system.go

@@ -15,7 +15,7 @@ type SystemService interface {
 }
 
 func (s *service) GetSystemInfo(ctx context.Context, req *requests.GetSystemInfo) (*responses.SystemInfo, error) {
-	return nil, nil
+	return &responses.SystemInfo{Setup: true, Authentication: &responses.SystemAuthenticationInfo{Local: true}}, nil
 }
 
 func (s *service) SystemDownloadInstallScript(_ context.Context) (string, error) {

api/store/pg/migrations/20250320182030_create_users_table.up.sql

@@ -1,20 +1,42 @@
 BEGIN;
 
-CREATE TYPE user_origin AS ENUM ('local', 'saml');
-CREATE TYPE user_status AS ENUM ('invited', 'pending', 'confirmed');
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'user_origin') THEN
+        CREATE TYPE user_origin AS ENUM ('local', 'saml');
+    END IF;
+    
+    IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'user_status') THEN
+        CREATE TYPE user_status AS ENUM ('invited', 'pending', 'confirmed');
+    END IF;
+    
+    IF NOT EXISTS (SELECT 1 FROM pg_type WHERE typname = 'user_auth_method') THEN
+        CREATE TYPE user_auth_method AS ENUM ('local', 'saml');
+    END IF;
+END
+$$;
+
 
 CREATE TABLE IF NOT EXISTS users(
-    id CHAR(40) PRIMARY KEY,
+    id UUID PRIMARY KEY,
 
-    created_at TIMESTAMPTZ,
-    updated_at TIMESTAMPTZ,
+    created_at TIMESTAMPTZ NOT NULL,
+    updated_at TIMESTAMPTZ NOT NULL,
+    last_login TIMESTAMPTZ,
 
     origin user_origin NOT NULL,
+    external_id VARCHAR,
     status user_status NOT NULL,
-    name VARCHAR (50) NOT NULL,
-    email VARCHAR (300) UNIQUE NOT NULL,
-    password VARCHAR (72) NOT NULL,
-    external_id VARCHAR
+    name VARCHAR(64) NOT NULL,
+    username VARCHAR(32) UNIQUE NOT NULL,
+    email VARCHAR(320) UNIQUE NOT NULL,
+    security_email VARCHAR(320),
+    password_digest CHAR(72) NOT NULL,
+    auth_methods user_auth_method[] NOT NULL,
+
+    namespace_ownership_limit INTEGER NOT NULL,
+    email_marketing BOOLEAN NOT NULL,  
+    preferred_namespace_id UUID
 );
 
 COMMIT;

api/store/pg/user.go

@@ -11,7 +11,7 @@ import (
 )
 
 func (pg *pg) UserCreate(ctx context.Context, user *models.User) (string, error) {
-	user.ID = "USR|" + uuid.Generate()
+	user.ID = uuid.Generate()
 	user.CreatedAt = clock.Now()
 	user.UpdatedAt = clock.Now()
 
@@ -48,22 +48,30 @@ func (pg *pg) UserList(ctx context.Context, paginator query.Paginator, filters q
 }
 
 func (pg *pg) UserGetByID(ctx context.Context, id string, ns bool) (*models.User, int, error) {
-	// TODO: unify get methods
-	return nil, 0, nil
+	u := new(entity.User)
+	if err := pg.driver.NewSelect().Model(u).Where("id = ?", id).Scan(ctx); err != nil {
+		return nil, 0, fromSqlError(err)
+	}
+
+	return &u.User, 0, nil
 }
 
 func (pg *pg) UserGetByUsername(ctx context.Context, username string) (*models.User, error) {
-	// TODO: unify get methods
-	return nil, nil
+	u := new(entity.User)
+	if err := pg.driver.NewSelect().Model(u).Where("username = ?", username).Scan(ctx); err != nil {
+		return nil, fromSqlError(err)
+	}
+
+	return &u.User, nil
 }
 
 func (pg *pg) UserGetByEmail(ctx context.Context, email string) (*models.User, error) {
-	u := new(models.User)
+	u := new(entity.User)
 	if err := pg.driver.NewSelect().Model(u).Where("email = ?", email).Scan(ctx); err != nil {
 		return nil, fromSqlError(err)
 	}
 
-	return u, nil
+	return &u.User, nil
 }
 
 func (pg *pg) UserGetInfo(ctx context.Context, id string) (userInfo *models.UserInfo, err error) {

cli/services/users.go

@@ -36,12 +36,20 @@ func (s *service) UserCreate(ctx context.Context, input *inputs.UserCreate) (*mo
 	}
 
 	user := &models.User{
-		Status:     models.UserStatusConfirmed,
 		Origin:     models.UserOriginLocal,
 		ExternalID: "",
+		Status:     models.UserStatusConfirmed,
 		Name:       cases.Title(language.AmericanEnglish).String(strings.ToLower(input.Username)),
 		Email:      strings.ToLower(input.Email),
+		Username:   strings.ToLower(input.Username),
 		Password:   password.Hash,
+		Preferences: models.UserPreferences{
+			PreferredNamespace: "",
+			AuthMethods:        []models.UserAuthMethod{models.UserAuthMethodLocal},
+			RecoveryEmail:      "",
+			MaxNamespaces:      -1,
+			EmailMarketing:     false,
+		},
 	}
 
 	if _, err := s.store.UserCreate(ctx, user); err != nil {

pkg/models/user.go

@@ -59,25 +59,39 @@ func (a UserAuthMethod) String() string {
 type User struct {
 	ID string `json:"id,omitempty" bson:"_id,omitempty" bun:"id,pk,type:char"`
 
-	CreatedAt time.Time  `json:"created_at" bson:"created_at" bun:"created_at"`
-	UpdatedAt time.Time  `json:"updated_at" bson:"updated_at" bun:"updated_at"`
-	Status    UserStatus `json:"status" bson:"status" bun:"status"`
+	// CreatedAt represents timestamp when the user was created
+	CreatedAt time.Time `json:"created_at" bson:"created_at" bun:"created_at"`
+	// UpdatedAt represents timestamp when the user was last updated
+	UpdatedAt time.Time `json:"updated_at" bson:"updated_at" bun:"updated_at"`
+	// LastLogin represents timestamp of the user's most recent login
+	LastLogin time.Time `json:"last_login" bson:"last_login" bun:"last_login,nullzero"`
+
 	// Origin specifies the the user's signup method.
 	Origin UserOrigin `json:"-" bson:"origin" bun:"origin"`
 	// ExternalID represents the user's identifier in an external system. It is always empty when [User.Origin]
 	// is [UserOriginLocal].
 	ExternalID string `json:"-" bson:"external_id" bun:"external_id,nullzero"`
-	Name       string `json:"name" validate:"required,name" bun:"name"`
-	Email      string `json:"email" bson:"email" validate:"required,email" bun:"email"`
-	Password   string `json:"-" bson:",inline" bun:"password"`
 
-	MFA            UserMFA         `json:"mfa" bson:"mfa" bun:"-"`
-	Preferences    UserPreferences `json:"preferences" bson:"preferences" bun:"-"`
-	RecoveryEmail  string          `json:"recovery_email" bson:"recovery_email" validate:"omitempty,email" bun:"-"`
-	MaxNamespaces  int             `json:"max_namespaces" bson:"max_namespaces" bun:"-"`
-	EmailMarketing bool            `json:"email_marketing" bson:"email_marketing" bun:"-"`
-	Username       string          `json:"username" bson:"username" validate:"required,username" bun:"-"`
-	LastLogin      time.Time       `json:"last_login" bson:"last_login" bun:"-"`
+	Status UserStatus `json:"status" bson:"status" bun:"status"`
+
+	Name     string `json:"name" validate:"required,name" bun:"name"`
+	Username string `json:"username" bson:"username" validate:"required,username" bun:"username"`
+	Email    string `json:"email" bson:"email" validate:"required,email" bun:"email"`
+	Password string `json:"-" bson:",inline" bun:"password_digest"`
+
+	Preferences UserPreferences `json:"preferences" bson:"preferences" bun:"embed:"`
+
+	///
+	///
+	///
+	///
+	///
+	///
+
+	MFA            UserMFA `json:"mfa" bson:"mfa" bun:"-"`
+	RecoveryEmail  string  `json:"recovery_email" bson:"recovery_email" validate:"omitempty,email" bun:"-"`
+	MaxNamespaces  int     `json:"max_namespaces" bson:"max_namespaces" bun:"-"`
+	EmailMarketing bool    `json:"email_marketing" bson:"email_marketing" bun:"-"`
 }
 
 type UserData struct {
@@ -102,11 +116,11 @@ type UserMFA struct {
 }
 
 type UserPreferences struct {
-	// PreferredNamespace represents the namespace the user most recently authenticated with.
-	PreferredNamespace string `json:"-" bson:"preferred_namespace"`
-
-	// AuthMethods indicates the authentication methods that the user can use to authenticate.
-	AuthMethods []UserAuthMethod `json:"auth_methods" bson:"auth_methods"`
+	PreferredNamespace string           `json:"-" bson:"preferred_namespace" bun:"preferred_namespace_id,nullzero"`
+	AuthMethods        []UserAuthMethod `json:"auth_methods" bson:"auth_methods" bun:"auth_methods,array"`
+	RecoveryEmail      string           `json:"recovery_email" bson:"recovery_email" validate:"omitempty,email" bun:"security_email,nullzero"`
+	MaxNamespaces      int              `json:"max_namespaces" bson:"max_namespaces" bun:"namespace_ownership_limit"`
+	EmailMarketing     bool             `json:"email_marketing" bson:"email_marketing" bun:"email_marketing"`
 }
 
 type UserPassword struct {