mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2026-05-26 14:10:13 +00:00
Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 coderabbitai[bot]
|
bdc0a60116 |
@@ -90,11 +90,6 @@ require (
|
|||||||
github.com/hdevalence/ed25519consensus v0.2.0 // indirect
|
github.com/hdevalence/ed25519consensus v0.2.0 // indirect
|
||||||
github.com/huandu/xstrings v1.5.0 // indirect
|
github.com/huandu/xstrings v1.5.0 // indirect
|
||||||
github.com/huin/goupnp v1.3.0 // indirect
|
github.com/huin/goupnp v1.3.0 // indirect
|
||||||
github.com/jackc/pgerrcode v0.0.0-20220416144525-469b46aa5efa // indirect
|
|
||||||
github.com/jackc/pgpassfile v1.0.0 // indirect
|
|
||||||
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
|
|
||||||
github.com/jackc/pgx/v5 v5.9.2 // indirect
|
|
||||||
github.com/jackc/puddle/v2 v2.2.2 // indirect
|
|
||||||
github.com/jsimonetti/rtnetlink v1.4.0 // indirect
|
github.com/jsimonetti/rtnetlink v1.4.0 // indirect
|
||||||
github.com/json-iterator/go v1.1.12 // indirect
|
github.com/json-iterator/go v1.1.12 // indirect
|
||||||
github.com/klauspost/compress v1.18.5 // indirect
|
github.com/klauspost/compress v1.18.5 // indirect
|
||||||
|
|||||||
@@ -251,16 +251,6 @@ github.com/illarion/gonotify/v3 v3.0.2 h1:O7S6vcopHexutmpObkeWsnzMJt/r1hONIEogeV
|
|||||||
github.com/illarion/gonotify/v3 v3.0.2/go.mod h1:HWGPdPe817GfvY3w7cx6zkbzNZfi3QjcBm/wgVvEL1U=
|
github.com/illarion/gonotify/v3 v3.0.2/go.mod h1:HWGPdPe817GfvY3w7cx6zkbzNZfi3QjcBm/wgVvEL1U=
|
||||||
github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
|
github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 h1:9K06NfxkBh25x56yVhWWlKFE8YpicaSfHwoV8SFbueA=
|
||||||
github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
|
github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2/go.mod h1:3A9PQ1cunSDF/1rbTq99Ts4pVnycWg+vlPkfeD2NLFI=
|
||||||
github.com/jackc/pgerrcode v0.0.0-20220416144525-469b46aa5efa h1:s+4MhCQ6YrzisK6hFJUX53drDT4UsSW3DEhKn0ifuHw=
|
|
||||||
github.com/jackc/pgerrcode v0.0.0-20220416144525-469b46aa5efa/go.mod h1:a/s9Lp5W7n/DD0VrVoyJ00FbP2ytTPDVOivvn2bMlds=
|
|
||||||
github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
|
|
||||||
github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
|
|
||||||
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
|
|
||||||
github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
|
|
||||||
github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
|
|
||||||
github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
|
|
||||||
github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
|
|
||||||
github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
|
|
||||||
github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
|
github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
|
||||||
github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
|
github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
|
||||||
github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
|
github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
|
||||||
@@ -406,7 +396,6 @@ github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpE
|
|||||||
github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
|
github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
|
||||||
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
|
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
|
||||||
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
|
||||||
github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
|
|
||||||
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
|
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
|
||||||
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
|
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
|
||||||
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
|
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
|
||||||
|
|||||||
@@ -11,5 +11,5 @@ var FrontendAssets embed.FS
|
|||||||
|
|
||||||
// Migrations
|
// Migrations
|
||||||
//
|
//
|
||||||
//go:embed migrations/sqlite/*.sql migrations/postgres/*.sql
|
//go:embed migrations/sqlite/*.sql
|
||||||
var Migrations embed.FS
|
var Migrations embed.FS
|
||||||
|
|||||||
@@ -1,4 +0,0 @@
|
|||||||
DROP TABLE IF EXISTS "oidc_tokens";
|
|
||||||
DROP TABLE IF EXISTS "oidc_userinfo";
|
|
||||||
DROP TABLE IF EXISTS "oidc_codes";
|
|
||||||
DROP TABLE IF EXISTS "sessions";
|
|
||||||
@@ -1,60 +0,0 @@
|
|||||||
CREATE TABLE "sessions" (
|
|
||||||
"uuid" TEXT NOT NULL PRIMARY KEY,
|
|
||||||
"username" TEXT NOT NULL,
|
|
||||||
"email" TEXT NOT NULL,
|
|
||||||
"name" TEXT NOT NULL,
|
|
||||||
"provider" TEXT NOT NULL,
|
|
||||||
"totp_pending" BOOLEAN NOT NULL,
|
|
||||||
"oauth_groups" TEXT NOT NULL DEFAULT '',
|
|
||||||
"expiry" BIGINT NOT NULL,
|
|
||||||
"created_at" BIGINT NOT NULL,
|
|
||||||
"oauth_name" TEXT NOT NULL DEFAULT '',
|
|
||||||
"oauth_sub" TEXT NOT NULL DEFAULT ''
|
|
||||||
);
|
|
||||||
|
|
||||||
CREATE TABLE "oidc_codes" (
|
|
||||||
"sub" TEXT NOT NULL UNIQUE,
|
|
||||||
"code_hash" TEXT NOT NULL PRIMARY KEY,
|
|
||||||
"scope" TEXT NOT NULL,
|
|
||||||
"redirect_uri" TEXT NOT NULL,
|
|
||||||
"client_id" TEXT NOT NULL,
|
|
||||||
"expires_at" BIGINT NOT NULL,
|
|
||||||
"nonce" TEXT NOT NULL DEFAULT '',
|
|
||||||
"code_challenge" TEXT NOT NULL DEFAULT ''
|
|
||||||
);
|
|
||||||
|
|
||||||
CREATE TABLE "oidc_tokens" (
|
|
||||||
"sub" TEXT NOT NULL UNIQUE,
|
|
||||||
"access_token_hash" TEXT NOT NULL PRIMARY KEY,
|
|
||||||
"refresh_token_hash" TEXT NOT NULL,
|
|
||||||
"code_hash" TEXT NOT NULL,
|
|
||||||
"scope" TEXT NOT NULL,
|
|
||||||
"client_id" TEXT NOT NULL,
|
|
||||||
"token_expires_at" BIGINT NOT NULL,
|
|
||||||
"refresh_token_expires_at" BIGINT NOT NULL,
|
|
||||||
"nonce" TEXT NOT NULL DEFAULT ''
|
|
||||||
);
|
|
||||||
|
|
||||||
CREATE TABLE "oidc_userinfo" (
|
|
||||||
"sub" TEXT NOT NULL PRIMARY KEY,
|
|
||||||
"name" TEXT NOT NULL,
|
|
||||||
"preferred_username" TEXT NOT NULL,
|
|
||||||
"email" TEXT NOT NULL,
|
|
||||||
"groups" TEXT NOT NULL,
|
|
||||||
"updated_at" BIGINT NOT NULL,
|
|
||||||
"given_name" TEXT NOT NULL,
|
|
||||||
"family_name" TEXT NOT NULL,
|
|
||||||
"middle_name" TEXT NOT NULL,
|
|
||||||
"nickname" TEXT NOT NULL,
|
|
||||||
"profile" TEXT NOT NULL,
|
|
||||||
"picture" TEXT NOT NULL,
|
|
||||||
"website" TEXT NOT NULL,
|
|
||||||
"gender" TEXT NOT NULL,
|
|
||||||
"birthdate" TEXT NOT NULL,
|
|
||||||
"zoneinfo" TEXT NOT NULL,
|
|
||||||
"locale" TEXT NOT NULL,
|
|
||||||
"phone_number" TEXT NOT NULL,
|
|
||||||
"address" TEXT NOT NULL
|
|
||||||
);
|
|
||||||
|
|
||||||
CREATE INDEX idx_sessions_expiry ON "sessions" ("expiry");
|
|
||||||
@@ -6,18 +6,15 @@ import (
|
|||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
|
|
||||||
"github.com/golang-migrate/migrate/v4"
|
|
||||||
pgxmigrate "github.com/golang-migrate/migrate/v4/database/pgx/v5"
|
|
||||||
"github.com/golang-migrate/migrate/v4/database/sqlite3"
|
|
||||||
"github.com/golang-migrate/migrate/v4/source/iofs"
|
|
||||||
_ "github.com/jackc/pgx/v5/stdlib"
|
|
||||||
_ "modernc.org/sqlite"
|
|
||||||
|
|
||||||
"github.com/tinyauthapp/tinyauth/internal/assets"
|
"github.com/tinyauthapp/tinyauth/internal/assets"
|
||||||
"github.com/tinyauthapp/tinyauth/internal/repository"
|
"github.com/tinyauthapp/tinyauth/internal/repository"
|
||||||
"github.com/tinyauthapp/tinyauth/internal/repository/memory"
|
"github.com/tinyauthapp/tinyauth/internal/repository/memory"
|
||||||
"github.com/tinyauthapp/tinyauth/internal/repository/postgres"
|
|
||||||
"github.com/tinyauthapp/tinyauth/internal/repository/sqlite"
|
"github.com/tinyauthapp/tinyauth/internal/repository/sqlite"
|
||||||
|
|
||||||
|
"github.com/golang-migrate/migrate/v4"
|
||||||
|
"github.com/golang-migrate/migrate/v4/database/sqlite3"
|
||||||
|
"github.com/golang-migrate/migrate/v4/source/iofs"
|
||||||
|
_ "modernc.org/sqlite"
|
||||||
)
|
)
|
||||||
|
|
||||||
func (app *BootstrapApp) SetupStore() (repository.Store, error) {
|
func (app *BootstrapApp) SetupStore() (repository.Store, error) {
|
||||||
@@ -26,10 +23,8 @@ func (app *BootstrapApp) SetupStore() (repository.Store, error) {
|
|||||||
return memory.New(), nil
|
return memory.New(), nil
|
||||||
case "sqlite", "":
|
case "sqlite", "":
|
||||||
return app.setupSQLite(app.config.Database.Path)
|
return app.setupSQLite(app.config.Database.Path)
|
||||||
case "postgres":
|
|
||||||
return app.setupPostgres(app.config.Database.Path)
|
|
||||||
default:
|
default:
|
||||||
return nil, fmt.Errorf("unknown database driver %q: valid values are sqlite, postgres, memory", app.config.Database.Driver)
|
return nil, fmt.Errorf("unknown database driver %q: valid values are sqlite, memory", app.config.Database.Driver)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -46,9 +41,9 @@ func (app *BootstrapApp) setupSQLite(databasePath string) (repository.Store, err
|
|||||||
return nil, fmt.Errorf("failed to open database: %w", err)
|
return nil, fmt.Errorf("failed to open database: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
cleanup := true
|
// Close the database if there is an error during migration
|
||||||
defer func() {
|
defer func() {
|
||||||
if cleanup {
|
if err != nil {
|
||||||
db.Close()
|
db.Close()
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
@@ -75,54 +70,11 @@ func (app *BootstrapApp) setupSQLite(databasePath string) (repository.Store, err
|
|||||||
return nil, fmt.Errorf("failed to create migrator: %w", err)
|
return nil, fmt.Errorf("failed to create migrator: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = migrator.Up(); err != nil && err != migrate.ErrNoChange {
|
if err := migrator.Up(); err != nil && err != migrate.ErrNoChange {
|
||||||
return nil, fmt.Errorf("failed to migrate database: %w", err)
|
return nil, fmt.Errorf("failed to migrate database: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
cleanup = false
|
|
||||||
app.db = db
|
app.db = db
|
||||||
|
|
||||||
return sqlite.NewStore(sqlite.New(db)), nil
|
return sqlite.NewStore(sqlite.New(db)), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (app *BootstrapApp) setupPostgres(databaseURL string) (repository.Store, error) {
|
|
||||||
db, err := sql.Open("pgx", databaseURL)
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("failed to open database: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
cleanup := true
|
|
||||||
defer func() {
|
|
||||||
if cleanup {
|
|
||||||
db.Close()
|
|
||||||
}
|
|
||||||
}()
|
|
||||||
|
|
||||||
migrations, err := iofs.New(assets.Migrations, "migrations/postgres")
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("failed to create migrations: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
target, err := pgxmigrate.WithInstance(db, &pgxmigrate.Config{})
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("failed to create postgres instance: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
migrator, err := migrate.NewWithInstance("iofs", migrations, "pgx", target)
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("failed to create migrator: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
if err = migrator.Up(); err != nil && err != migrate.ErrNoChange {
|
|
||||||
return nil, fmt.Errorf("failed to migrate database: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
cleanup = false
|
|
||||||
app.db = db
|
|
||||||
|
|
||||||
return postgres.NewStore(postgres.New(db)), nil
|
|
||||||
}
|
|
||||||
|
|||||||
@@ -0,0 +1,117 @@
|
|||||||
|
package bootstrap
|
||||||
|
|
||||||
|
import (
|
||||||
|
"path/filepath"
|
||||||
|
"strings"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
"github.com/tinyauthapp/tinyauth/internal/model"
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestSetupStore_UnknownDriver(t *testing.T) {
|
||||||
|
tests := []struct {
|
||||||
|
driver string
|
||||||
|
wantErr string
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
driver: "mysql",
|
||||||
|
wantErr: `unknown database driver "mysql": valid values are sqlite, postgres, memory`,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
driver: "redis",
|
||||||
|
wantErr: `unknown database driver "redis": valid values are sqlite, postgres, memory`,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
driver: "baddriver",
|
||||||
|
wantErr: `unknown database driver "baddriver": valid values are sqlite, postgres, memory`,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tt := range tests {
|
||||||
|
t.Run("driver_"+tt.driver, func(t *testing.T) {
|
||||||
|
app := NewBootstrapApp(model.Config{
|
||||||
|
Database: model.DatabaseConfig{
|
||||||
|
Driver: tt.driver,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
store, err := app.SetupStore()
|
||||||
|
assert.Nil(t, store)
|
||||||
|
require.Error(t, err)
|
||||||
|
assert.Equal(t, tt.wantErr, err.Error())
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSetupStore_Memory(t *testing.T) {
|
||||||
|
app := NewBootstrapApp(model.Config{
|
||||||
|
Database: model.DatabaseConfig{
|
||||||
|
Driver: "memory",
|
||||||
|
},
|
||||||
|
})
|
||||||
|
store, err := app.SetupStore()
|
||||||
|
require.NoError(t, err)
|
||||||
|
assert.NotNil(t, store)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSetupStore_SQLite_ExplicitDriver(t *testing.T) {
|
||||||
|
dir := t.TempDir()
|
||||||
|
dbPath := filepath.Join(dir, "test.db")
|
||||||
|
|
||||||
|
app := NewBootstrapApp(model.Config{
|
||||||
|
Database: model.DatabaseConfig{
|
||||||
|
Driver: "sqlite",
|
||||||
|
Path: dbPath,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
store, err := app.SetupStore()
|
||||||
|
require.NoError(t, err)
|
||||||
|
assert.NotNil(t, store)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSetupStore_SQLite_DefaultDriver(t *testing.T) {
|
||||||
|
dir := t.TempDir()
|
||||||
|
dbPath := filepath.Join(dir, "default.db")
|
||||||
|
|
||||||
|
app := NewBootstrapApp(model.Config{
|
||||||
|
Database: model.DatabaseConfig{
|
||||||
|
Driver: "",
|
||||||
|
Path: dbPath,
|
||||||
|
},
|
||||||
|
})
|
||||||
|
store, err := app.SetupStore()
|
||||||
|
require.NoError(t, err)
|
||||||
|
assert.NotNil(t, store)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSetupStore_Postgres_InvalidURL(t *testing.T) {
|
||||||
|
app := NewBootstrapApp(model.Config{
|
||||||
|
Database: model.DatabaseConfig{
|
||||||
|
Driver: "postgres",
|
||||||
|
Path: "not-a-valid-postgres-url",
|
||||||
|
},
|
||||||
|
})
|
||||||
|
store, err := app.SetupStore()
|
||||||
|
// sql.Open does not fail on a bad URL for pgx — it only fails on first use.
|
||||||
|
// The error should come from pgxmigrate.WithInstance when the DB is actually
|
||||||
|
// pinged / connected, so we expect either success-with-error or an error here.
|
||||||
|
// What matters is that the postgres case is reached (i.e., no "unknown driver" error).
|
||||||
|
if err != nil {
|
||||||
|
assert.False(t, strings.Contains(err.Error(), "unknown database driver"))
|
||||||
|
assert.Nil(t, store)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSetupStore_ErrorMessageIncludesPostgres(t *testing.T) {
|
||||||
|
app := NewBootstrapApp(model.Config{
|
||||||
|
Database: model.DatabaseConfig{
|
||||||
|
Driver: "oracle",
|
||||||
|
},
|
||||||
|
})
|
||||||
|
_, err := app.SetupStore()
|
||||||
|
require.Error(t, err)
|
||||||
|
assert.Contains(t, err.Error(), "postgres")
|
||||||
|
assert.Contains(t, err.Error(), "sqlite")
|
||||||
|
assert.Contains(t, err.Error(), "memory")
|
||||||
|
}
|
||||||
@@ -42,7 +42,7 @@ func (app *BootstrapApp) setupServices() error {
|
|||||||
oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
|
oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
|
||||||
app.services.oauthBrokerService = oauthBrokerService
|
app.services.oauthBrokerService = oauthBrokerService
|
||||||
|
|
||||||
authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, &app.wg, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
|
authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, &app.wg, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService)
|
||||||
app.services.authService = authService
|
app.services.authService = authService
|
||||||
|
|
||||||
oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ctx, &app.wg)
|
oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ctx, &app.wg)
|
||||||
|
|||||||
@@ -357,6 +357,7 @@ func TestProxyController(t *testing.T) {
|
|||||||
ctx := context.TODO()
|
ctx := context.TODO()
|
||||||
|
|
||||||
broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
|
broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
|
||||||
|
authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
|
||||||
aclsService := service.NewAccessControlsService(log, cfg, nil)
|
aclsService := service.NewAccessControlsService(log, cfg, nil)
|
||||||
|
|
||||||
policyEngine, err := service.NewPolicyEngine(cfg, log)
|
policyEngine, err := service.NewPolicyEngine(cfg, log)
|
||||||
@@ -382,8 +383,6 @@ func TestProxyController(t *testing.T) {
|
|||||||
Log: log,
|
Log: log,
|
||||||
})
|
})
|
||||||
|
|
||||||
authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil, policyEngine)
|
|
||||||
|
|
||||||
for _, test := range tests {
|
for _, test := range tests {
|
||||||
t.Run(test.description, func(t *testing.T) {
|
t.Run(test.description, func(t *testing.T) {
|
||||||
router := gin.Default()
|
router := gin.Default()
|
||||||
|
|||||||
@@ -414,11 +414,8 @@ func TestUserController(t *testing.T) {
|
|||||||
ctx := context.TODO()
|
ctx := context.TODO()
|
||||||
wg := &sync.WaitGroup{}
|
wg := &sync.WaitGroup{}
|
||||||
|
|
||||||
policyEngine, err := service.NewPolicyEngine(cfg, log)
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
|
broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
|
||||||
authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil, policyEngine)
|
authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
|
||||||
|
|
||||||
beforeEach := func() {
|
beforeEach := func() {
|
||||||
// Clear failed login attempts before each test
|
// Clear failed login attempts before each test
|
||||||
|
|||||||
@@ -254,11 +254,8 @@ func TestContextMiddleware(t *testing.T) {
|
|||||||
|
|
||||||
store := memory.New()
|
store := memory.New()
|
||||||
|
|
||||||
policyEngine, err := service.NewPolicyEngine(cfg, log)
|
|
||||||
require.NoError(t, err)
|
|
||||||
|
|
||||||
broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
|
broker := service.NewOAuthBrokerService(log, map[string]model.OAuthServiceConfig{}, ctx)
|
||||||
authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil, policyEngine)
|
authService := service.NewAuthService(log, cfg, runtime, ctx, wg, nil, store, broker, nil)
|
||||||
|
|
||||||
contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
|
contextMiddleware := middleware.NewContextMiddleware(log, runtime, authService, broker, nil)
|
||||||
|
|
||||||
|
|||||||
@@ -91,8 +91,8 @@ type Config struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
type DatabaseConfig struct {
|
type DatabaseConfig struct {
|
||||||
Driver string `description:"The database driver to use. Valid values: sqlite, postgres, memory." yaml:"driver"`
|
Driver string `description:"The database driver to use. Valid values: sqlite, memory." yaml:"driver"`
|
||||||
Path string `description:"The path to the SQLite database file, or connection URL when driver is postgres." yaml:"path"`
|
Path string `description:"The path to the SQLite database, including file name. Only used when driver is sqlite." yaml:"path"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type AnalyticsConfig struct {
|
type AnalyticsConfig struct {
|
||||||
|
|||||||
@@ -0,0 +1,90 @@
|
|||||||
|
package model
|
||||||
|
|
||||||
|
import (
|
||||||
|
"reflect"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
)
|
||||||
|
|
||||||
|
// TestDatabaseConfig_DescriptionMentionsPostgres verifies that the DatabaseConfig
|
||||||
|
// Driver field description explicitly lists "postgres" as a valid value, reflecting
|
||||||
|
// the newly added PostgreSQL support.
|
||||||
|
func TestDatabaseConfig_DescriptionMentionsPostgres(t *testing.T) {
|
||||||
|
rt := reflect.TypeOf(DatabaseConfig{})
|
||||||
|
|
||||||
|
driverField, ok := rt.FieldByName("Driver")
|
||||||
|
assert.True(t, ok, "DatabaseConfig should have a Driver field")
|
||||||
|
|
||||||
|
description := driverField.Tag.Get("description")
|
||||||
|
assert.Contains(t, description, "postgres", "DatabaseConfig.Driver description should mention postgres as a valid value")
|
||||||
|
assert.Contains(t, description, "sqlite", "DatabaseConfig.Driver description should mention sqlite as a valid value")
|
||||||
|
assert.Contains(t, description, "memory", "DatabaseConfig.Driver description should mention memory as a valid value")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestDatabaseConfig_PathDescriptionMentionsConnectionURL verifies that the Path
|
||||||
|
// field description covers both SQLite file path and PostgreSQL connection URL usage.
|
||||||
|
func TestDatabaseConfig_PathDescriptionMentionsConnectionURL(t *testing.T) {
|
||||||
|
rt := reflect.TypeOf(DatabaseConfig{})
|
||||||
|
|
||||||
|
pathField, ok := rt.FieldByName("Path")
|
||||||
|
assert.True(t, ok, "DatabaseConfig should have a Path field")
|
||||||
|
|
||||||
|
description := pathField.Tag.Get("description")
|
||||||
|
assert.Contains(t, description, "postgres",
|
||||||
|
"DatabaseConfig.Path description should mention postgres to clarify connection URL usage")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestIPConfig_NoBypassField verifies that the Bypass field has been removed
|
||||||
|
// from IPConfig as part of the PR changes. IP bypass lists are now only
|
||||||
|
// configured at the per-app ACL level.
|
||||||
|
func TestIPConfig_NoBypassField(t *testing.T) {
|
||||||
|
rt := reflect.TypeOf(IPConfig{})
|
||||||
|
|
||||||
|
_, hasBypass := rt.FieldByName("Bypass")
|
||||||
|
assert.False(t, hasBypass, "IPConfig should not have a Bypass field after PR changes")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestIPConfig_HasAllowAndBlock ensures the remaining Allow and Block fields
|
||||||
|
// are still present in IPConfig after the Bypass removal.
|
||||||
|
func TestIPConfig_HasAllowAndBlock(t *testing.T) {
|
||||||
|
rt := reflect.TypeOf(IPConfig{})
|
||||||
|
|
||||||
|
_, hasAllow := rt.FieldByName("Allow")
|
||||||
|
assert.True(t, hasAllow, "IPConfig should still have an Allow field")
|
||||||
|
|
||||||
|
_, hasBlock := rt.FieldByName("Block")
|
||||||
|
assert.True(t, hasBlock, "IPConfig should still have a Block field")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestOAuthServiceConfig_NoWhitelistField verifies that the per-provider Whitelist
|
||||||
|
// and WhitelistFile fields have been removed from OAuthServiceConfig. The global
|
||||||
|
// OAuthWhitelist on OAuthConfig/RuntimeConfig is now the only whitelist.
|
||||||
|
func TestOAuthServiceConfig_NoWhitelistField(t *testing.T) {
|
||||||
|
rt := reflect.TypeOf(OAuthServiceConfig{})
|
||||||
|
|
||||||
|
_, hasWhitelist := rt.FieldByName("Whitelist")
|
||||||
|
assert.False(t, hasWhitelist, "OAuthServiceConfig should not have a Whitelist field after PR changes")
|
||||||
|
|
||||||
|
_, hasWhitelistFile := rt.FieldByName("WhitelistFile")
|
||||||
|
assert.False(t, hasWhitelistFile, "OAuthServiceConfig should not have a WhitelistFile field after PR changes")
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestOAuthServiceConfig_CoreFieldsPreserved ensures that removing the whitelist
|
||||||
|
// fields did not inadvertently drop unrelated fields.
|
||||||
|
func TestOAuthServiceConfig_CoreFieldsPreserved(t *testing.T) {
|
||||||
|
rt := reflect.TypeOf(OAuthServiceConfig{})
|
||||||
|
|
||||||
|
for _, fieldName := range []string{"ClientID", "ClientSecret", "ClientSecretFile", "Scopes", "RedirectURL", "AuthURL", "TokenURL", "UserinfoURL"} {
|
||||||
|
_, ok := rt.FieldByName(fieldName)
|
||||||
|
assert.True(t, ok, "OAuthServiceConfig should still have a %s field", fieldName)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestDatabaseConfig_ZeroValue ensures DatabaseConfig is usable as a zero value
|
||||||
|
// with the expected default (empty string) driver, which falls back to sqlite.
|
||||||
|
func TestDatabaseConfig_ZeroValue(t *testing.T) {
|
||||||
|
var cfg DatabaseConfig
|
||||||
|
assert.Equal(t, "", cfg.Driver, "zero-value Driver should be an empty string (defaults to sqlite)")
|
||||||
|
assert.Equal(t, "", cfg.Path, "zero-value Path should be an empty string")
|
||||||
|
}
|
||||||
@@ -1,31 +0,0 @@
|
|||||||
// Code generated by sqlc. DO NOT EDIT.
|
|
||||||
// versions:
|
|
||||||
// sqlc v1.31.1
|
|
||||||
|
|
||||||
package postgres
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"database/sql"
|
|
||||||
)
|
|
||||||
|
|
||||||
type DBTX interface {
|
|
||||||
ExecContext(context.Context, string, ...interface{}) (sql.Result, error)
|
|
||||||
PrepareContext(context.Context, string) (*sql.Stmt, error)
|
|
||||||
QueryContext(context.Context, string, ...interface{}) (*sql.Rows, error)
|
|
||||||
QueryRowContext(context.Context, string, ...interface{}) *sql.Row
|
|
||||||
}
|
|
||||||
|
|
||||||
func New(db DBTX) *Queries {
|
|
||||||
return &Queries{db: db}
|
|
||||||
}
|
|
||||||
|
|
||||||
type Queries struct {
|
|
||||||
db DBTX
|
|
||||||
}
|
|
||||||
|
|
||||||
func (q *Queries) WithTx(tx *sql.Tx) *Queries {
|
|
||||||
return &Queries{
|
|
||||||
db: tx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
package postgres
|
|
||||||
|
|
||||||
//go:generate go run github.com/tinyauthapp/tinyauth/gen/sqlc-wrapper -pkg github.com/tinyauthapp/tinyauth/internal/repository/postgres
|
|
||||||
@@ -1,64 +0,0 @@
|
|||||||
// Code generated by sqlc. DO NOT EDIT.
|
|
||||||
// versions:
|
|
||||||
// sqlc v1.31.1
|
|
||||||
|
|
||||||
package postgres
|
|
||||||
|
|
||||||
type OidcCode struct {
|
|
||||||
Sub string
|
|
||||||
CodeHash string
|
|
||||||
Scope string
|
|
||||||
RedirectURI string
|
|
||||||
ClientID string
|
|
||||||
ExpiresAt int64
|
|
||||||
Nonce string
|
|
||||||
CodeChallenge string
|
|
||||||
}
|
|
||||||
|
|
||||||
type OidcToken struct {
|
|
||||||
Sub string
|
|
||||||
AccessTokenHash string
|
|
||||||
RefreshTokenHash string
|
|
||||||
CodeHash string
|
|
||||||
Scope string
|
|
||||||
ClientID string
|
|
||||||
TokenExpiresAt int64
|
|
||||||
RefreshTokenExpiresAt int64
|
|
||||||
Nonce string
|
|
||||||
}
|
|
||||||
|
|
||||||
type OidcUserinfo struct {
|
|
||||||
Sub string
|
|
||||||
Name string
|
|
||||||
PreferredUsername string
|
|
||||||
Email string
|
|
||||||
Groups string
|
|
||||||
UpdatedAt int64
|
|
||||||
GivenName string
|
|
||||||
FamilyName string
|
|
||||||
MiddleName string
|
|
||||||
Nickname string
|
|
||||||
Profile string
|
|
||||||
Picture string
|
|
||||||
Website string
|
|
||||||
Gender string
|
|
||||||
Birthdate string
|
|
||||||
Zoneinfo string
|
|
||||||
Locale string
|
|
||||||
PhoneNumber string
|
|
||||||
Address string
|
|
||||||
}
|
|
||||||
|
|
||||||
type Session struct {
|
|
||||||
UUID string
|
|
||||||
Username string
|
|
||||||
Email string
|
|
||||||
Name string
|
|
||||||
Provider string
|
|
||||||
TotpPending bool
|
|
||||||
OAuthGroups string
|
|
||||||
Expiry int64
|
|
||||||
CreatedAt int64
|
|
||||||
OAuthName string
|
|
||||||
OAuthSub string
|
|
||||||
}
|
|
||||||
@@ -1,581 +0,0 @@
|
|||||||
// Code generated by sqlc. DO NOT EDIT.
|
|
||||||
// versions:
|
|
||||||
// sqlc v1.31.1
|
|
||||||
// source: oidc_queries.sql
|
|
||||||
|
|
||||||
package postgres
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
)
|
|
||||||
|
|
||||||
const createOidcCode = `-- name: CreateOidcCode :one
|
|
||||||
INSERT INTO "oidc_codes" (
|
|
||||||
"sub",
|
|
||||||
"code_hash",
|
|
||||||
"scope",
|
|
||||||
"redirect_uri",
|
|
||||||
"client_id",
|
|
||||||
"expires_at",
|
|
||||||
"nonce",
|
|
||||||
"code_challenge"
|
|
||||||
) VALUES (
|
|
||||||
$1, $2, $3, $4, $5, $6, $7, $8
|
|
||||||
)
|
|
||||||
RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
|
|
||||||
`
|
|
||||||
|
|
||||||
type CreateOidcCodeParams struct {
|
|
||||||
Sub string
|
|
||||||
CodeHash string
|
|
||||||
Scope string
|
|
||||||
RedirectURI string
|
|
||||||
ClientID string
|
|
||||||
ExpiresAt int64
|
|
||||||
Nonce string
|
|
||||||
CodeChallenge string
|
|
||||||
}
|
|
||||||
|
|
||||||
func (q *Queries) CreateOidcCode(ctx context.Context, arg CreateOidcCodeParams) (OidcCode, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, createOidcCode,
|
|
||||||
arg.Sub,
|
|
||||||
arg.CodeHash,
|
|
||||||
arg.Scope,
|
|
||||||
arg.RedirectURI,
|
|
||||||
arg.ClientID,
|
|
||||||
arg.ExpiresAt,
|
|
||||||
arg.Nonce,
|
|
||||||
arg.CodeChallenge,
|
|
||||||
)
|
|
||||||
var i OidcCode
|
|
||||||
err := row.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.CodeHash,
|
|
||||||
&i.Scope,
|
|
||||||
&i.RedirectURI,
|
|
||||||
&i.ClientID,
|
|
||||||
&i.ExpiresAt,
|
|
||||||
&i.Nonce,
|
|
||||||
&i.CodeChallenge,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const createOidcToken = `-- name: CreateOidcToken :one
|
|
||||||
INSERT INTO "oidc_tokens" (
|
|
||||||
"sub",
|
|
||||||
"access_token_hash",
|
|
||||||
"refresh_token_hash",
|
|
||||||
"scope",
|
|
||||||
"client_id",
|
|
||||||
"token_expires_at",
|
|
||||||
"refresh_token_expires_at",
|
|
||||||
"code_hash",
|
|
||||||
"nonce"
|
|
||||||
) VALUES (
|
|
||||||
$1, $2, $3, $4, $5, $6, $7, $8, $9
|
|
||||||
)
|
|
||||||
RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
|
|
||||||
`
|
|
||||||
|
|
||||||
type CreateOidcTokenParams struct {
|
|
||||||
Sub string
|
|
||||||
AccessTokenHash string
|
|
||||||
RefreshTokenHash string
|
|
||||||
Scope string
|
|
||||||
ClientID string
|
|
||||||
TokenExpiresAt int64
|
|
||||||
RefreshTokenExpiresAt int64
|
|
||||||
CodeHash string
|
|
||||||
Nonce string
|
|
||||||
}
|
|
||||||
|
|
||||||
func (q *Queries) CreateOidcToken(ctx context.Context, arg CreateOidcTokenParams) (OidcToken, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, createOidcToken,
|
|
||||||
arg.Sub,
|
|
||||||
arg.AccessTokenHash,
|
|
||||||
arg.RefreshTokenHash,
|
|
||||||
arg.Scope,
|
|
||||||
arg.ClientID,
|
|
||||||
arg.TokenExpiresAt,
|
|
||||||
arg.RefreshTokenExpiresAt,
|
|
||||||
arg.CodeHash,
|
|
||||||
arg.Nonce,
|
|
||||||
)
|
|
||||||
var i OidcToken
|
|
||||||
err := row.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.AccessTokenHash,
|
|
||||||
&i.RefreshTokenHash,
|
|
||||||
&i.CodeHash,
|
|
||||||
&i.Scope,
|
|
||||||
&i.ClientID,
|
|
||||||
&i.TokenExpiresAt,
|
|
||||||
&i.RefreshTokenExpiresAt,
|
|
||||||
&i.Nonce,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const createOidcUserInfo = `-- name: CreateOidcUserInfo :one
|
|
||||||
INSERT INTO "oidc_userinfo" (
|
|
||||||
"sub",
|
|
||||||
"name",
|
|
||||||
"preferred_username",
|
|
||||||
"email",
|
|
||||||
"groups",
|
|
||||||
"updated_at",
|
|
||||||
"given_name",
|
|
||||||
"family_name",
|
|
||||||
"middle_name",
|
|
||||||
"nickname",
|
|
||||||
"profile",
|
|
||||||
"picture",
|
|
||||||
"website",
|
|
||||||
"gender",
|
|
||||||
"birthdate",
|
|
||||||
"zoneinfo",
|
|
||||||
"locale",
|
|
||||||
"phone_number",
|
|
||||||
"address"
|
|
||||||
) VALUES (
|
|
||||||
$1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19
|
|
||||||
)
|
|
||||||
RETURNING sub, name, preferred_username, email, groups, updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address
|
|
||||||
`
|
|
||||||
|
|
||||||
type CreateOidcUserInfoParams struct {
|
|
||||||
Sub string
|
|
||||||
Name string
|
|
||||||
PreferredUsername string
|
|
||||||
Email string
|
|
||||||
Groups string
|
|
||||||
UpdatedAt int64
|
|
||||||
GivenName string
|
|
||||||
FamilyName string
|
|
||||||
MiddleName string
|
|
||||||
Nickname string
|
|
||||||
Profile string
|
|
||||||
Picture string
|
|
||||||
Website string
|
|
||||||
Gender string
|
|
||||||
Birthdate string
|
|
||||||
Zoneinfo string
|
|
||||||
Locale string
|
|
||||||
PhoneNumber string
|
|
||||||
Address string
|
|
||||||
}
|
|
||||||
|
|
||||||
func (q *Queries) CreateOidcUserInfo(ctx context.Context, arg CreateOidcUserInfoParams) (OidcUserinfo, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, createOidcUserInfo,
|
|
||||||
arg.Sub,
|
|
||||||
arg.Name,
|
|
||||||
arg.PreferredUsername,
|
|
||||||
arg.Email,
|
|
||||||
arg.Groups,
|
|
||||||
arg.UpdatedAt,
|
|
||||||
arg.GivenName,
|
|
||||||
arg.FamilyName,
|
|
||||||
arg.MiddleName,
|
|
||||||
arg.Nickname,
|
|
||||||
arg.Profile,
|
|
||||||
arg.Picture,
|
|
||||||
arg.Website,
|
|
||||||
arg.Gender,
|
|
||||||
arg.Birthdate,
|
|
||||||
arg.Zoneinfo,
|
|
||||||
arg.Locale,
|
|
||||||
arg.PhoneNumber,
|
|
||||||
arg.Address,
|
|
||||||
)
|
|
||||||
var i OidcUserinfo
|
|
||||||
err := row.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.Name,
|
|
||||||
&i.PreferredUsername,
|
|
||||||
&i.Email,
|
|
||||||
&i.Groups,
|
|
||||||
&i.UpdatedAt,
|
|
||||||
&i.GivenName,
|
|
||||||
&i.FamilyName,
|
|
||||||
&i.MiddleName,
|
|
||||||
&i.Nickname,
|
|
||||||
&i.Profile,
|
|
||||||
&i.Picture,
|
|
||||||
&i.Website,
|
|
||||||
&i.Gender,
|
|
||||||
&i.Birthdate,
|
|
||||||
&i.Zoneinfo,
|
|
||||||
&i.Locale,
|
|
||||||
&i.PhoneNumber,
|
|
||||||
&i.Address,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const deleteExpiredOidcCodes = `-- name: DeleteExpiredOidcCodes :many
|
|
||||||
DELETE FROM "oidc_codes"
|
|
||||||
WHERE "expires_at" < $1
|
|
||||||
RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]OidcCode, error) {
|
|
||||||
rows, err := q.db.QueryContext(ctx, deleteExpiredOidcCodes, expiresAt)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
defer rows.Close()
|
|
||||||
var items []OidcCode
|
|
||||||
for rows.Next() {
|
|
||||||
var i OidcCode
|
|
||||||
if err := rows.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.CodeHash,
|
|
||||||
&i.Scope,
|
|
||||||
&i.RedirectURI,
|
|
||||||
&i.ClientID,
|
|
||||||
&i.ExpiresAt,
|
|
||||||
&i.Nonce,
|
|
||||||
&i.CodeChallenge,
|
|
||||||
); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
items = append(items, i)
|
|
||||||
}
|
|
||||||
if err := rows.Close(); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if err := rows.Err(); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return items, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
const deleteExpiredOidcTokens = `-- name: DeleteExpiredOidcTokens :many
|
|
||||||
DELETE FROM "oidc_tokens"
|
|
||||||
WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2
|
|
||||||
RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
|
|
||||||
`
|
|
||||||
|
|
||||||
type DeleteExpiredOidcTokensParams struct {
|
|
||||||
TokenExpiresAt int64
|
|
||||||
RefreshTokenExpiresAt int64
|
|
||||||
}
|
|
||||||
|
|
||||||
func (q *Queries) DeleteExpiredOidcTokens(ctx context.Context, arg DeleteExpiredOidcTokensParams) ([]OidcToken, error) {
|
|
||||||
rows, err := q.db.QueryContext(ctx, deleteExpiredOidcTokens, arg.TokenExpiresAt, arg.RefreshTokenExpiresAt)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
defer rows.Close()
|
|
||||||
var items []OidcToken
|
|
||||||
for rows.Next() {
|
|
||||||
var i OidcToken
|
|
||||||
if err := rows.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.AccessTokenHash,
|
|
||||||
&i.RefreshTokenHash,
|
|
||||||
&i.CodeHash,
|
|
||||||
&i.Scope,
|
|
||||||
&i.ClientID,
|
|
||||||
&i.TokenExpiresAt,
|
|
||||||
&i.RefreshTokenExpiresAt,
|
|
||||||
&i.Nonce,
|
|
||||||
); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
items = append(items, i)
|
|
||||||
}
|
|
||||||
if err := rows.Close(); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
if err := rows.Err(); err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
return items, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
const deleteOidcCode = `-- name: DeleteOidcCode :exec
|
|
||||||
DELETE FROM "oidc_codes"
|
|
||||||
WHERE "code_hash" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) DeleteOidcCode(ctx context.Context, codeHash string) error {
|
|
||||||
_, err := q.db.ExecContext(ctx, deleteOidcCode, codeHash)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
const deleteOidcCodeBySub = `-- name: DeleteOidcCodeBySub :exec
|
|
||||||
DELETE FROM "oidc_codes"
|
|
||||||
WHERE "sub" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
|
|
||||||
_, err := q.db.ExecContext(ctx, deleteOidcCodeBySub, sub)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
const deleteOidcToken = `-- name: DeleteOidcToken :exec
|
|
||||||
DELETE FROM "oidc_tokens"
|
|
||||||
WHERE "access_token_hash" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
|
|
||||||
_, err := q.db.ExecContext(ctx, deleteOidcToken, accessTokenHash)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
const deleteOidcTokenByCodeHash = `-- name: DeleteOidcTokenByCodeHash :exec
|
|
||||||
DELETE FROM "oidc_tokens"
|
|
||||||
WHERE "code_hash" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
|
|
||||||
_, err := q.db.ExecContext(ctx, deleteOidcTokenByCodeHash, codeHash)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
const deleteOidcTokenBySub = `-- name: DeleteOidcTokenBySub :exec
|
|
||||||
DELETE FROM "oidc_tokens"
|
|
||||||
WHERE "sub" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
|
|
||||||
_, err := q.db.ExecContext(ctx, deleteOidcTokenBySub, sub)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
const deleteOidcUserInfo = `-- name: DeleteOidcUserInfo :exec
|
|
||||||
DELETE FROM "oidc_userinfo"
|
|
||||||
WHERE "sub" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) DeleteOidcUserInfo(ctx context.Context, sub string) error {
|
|
||||||
_, err := q.db.ExecContext(ctx, deleteOidcUserInfo, sub)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
const getOidcCode = `-- name: GetOidcCode :one
|
|
||||||
DELETE FROM "oidc_codes"
|
|
||||||
WHERE "code_hash" = $1
|
|
||||||
RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) GetOidcCode(ctx context.Context, codeHash string) (OidcCode, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, getOidcCode, codeHash)
|
|
||||||
var i OidcCode
|
|
||||||
err := row.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.CodeHash,
|
|
||||||
&i.Scope,
|
|
||||||
&i.RedirectURI,
|
|
||||||
&i.ClientID,
|
|
||||||
&i.ExpiresAt,
|
|
||||||
&i.Nonce,
|
|
||||||
&i.CodeChallenge,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const getOidcCodeBySub = `-- name: GetOidcCodeBySub :one
|
|
||||||
DELETE FROM "oidc_codes"
|
|
||||||
WHERE "sub" = $1
|
|
||||||
RETURNING sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) GetOidcCodeBySub(ctx context.Context, sub string) (OidcCode, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, getOidcCodeBySub, sub)
|
|
||||||
var i OidcCode
|
|
||||||
err := row.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.CodeHash,
|
|
||||||
&i.Scope,
|
|
||||||
&i.RedirectURI,
|
|
||||||
&i.ClientID,
|
|
||||||
&i.ExpiresAt,
|
|
||||||
&i.Nonce,
|
|
||||||
&i.CodeChallenge,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const getOidcCodeBySubUnsafe = `-- name: GetOidcCodeBySubUnsafe :one
|
|
||||||
SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
|
|
||||||
WHERE "sub" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (OidcCode, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, getOidcCodeBySubUnsafe, sub)
|
|
||||||
var i OidcCode
|
|
||||||
err := row.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.CodeHash,
|
|
||||||
&i.Scope,
|
|
||||||
&i.RedirectURI,
|
|
||||||
&i.ClientID,
|
|
||||||
&i.ExpiresAt,
|
|
||||||
&i.Nonce,
|
|
||||||
&i.CodeChallenge,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const getOidcCodeUnsafe = `-- name: GetOidcCodeUnsafe :one
|
|
||||||
SELECT sub, code_hash, scope, redirect_uri, client_id, expires_at, nonce, code_challenge FROM "oidc_codes"
|
|
||||||
WHERE "code_hash" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (OidcCode, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, getOidcCodeUnsafe, codeHash)
|
|
||||||
var i OidcCode
|
|
||||||
err := row.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.CodeHash,
|
|
||||||
&i.Scope,
|
|
||||||
&i.RedirectURI,
|
|
||||||
&i.ClientID,
|
|
||||||
&i.ExpiresAt,
|
|
||||||
&i.Nonce,
|
|
||||||
&i.CodeChallenge,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const getOidcToken = `-- name: GetOidcToken :one
|
|
||||||
SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
|
|
||||||
WHERE "access_token_hash" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) GetOidcToken(ctx context.Context, accessTokenHash string) (OidcToken, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, getOidcToken, accessTokenHash)
|
|
||||||
var i OidcToken
|
|
||||||
err := row.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.AccessTokenHash,
|
|
||||||
&i.RefreshTokenHash,
|
|
||||||
&i.CodeHash,
|
|
||||||
&i.Scope,
|
|
||||||
&i.ClientID,
|
|
||||||
&i.TokenExpiresAt,
|
|
||||||
&i.RefreshTokenExpiresAt,
|
|
||||||
&i.Nonce,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const getOidcTokenByRefreshToken = `-- name: GetOidcTokenByRefreshToken :one
|
|
||||||
SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
|
|
||||||
WHERE "refresh_token_hash" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (OidcToken, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, getOidcTokenByRefreshToken, refreshTokenHash)
|
|
||||||
var i OidcToken
|
|
||||||
err := row.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.AccessTokenHash,
|
|
||||||
&i.RefreshTokenHash,
|
|
||||||
&i.CodeHash,
|
|
||||||
&i.Scope,
|
|
||||||
&i.ClientID,
|
|
||||||
&i.TokenExpiresAt,
|
|
||||||
&i.RefreshTokenExpiresAt,
|
|
||||||
&i.Nonce,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const getOidcTokenBySub = `-- name: GetOidcTokenBySub :one
|
|
||||||
SELECT sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce FROM "oidc_tokens"
|
|
||||||
WHERE "sub" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) GetOidcTokenBySub(ctx context.Context, sub string) (OidcToken, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, getOidcTokenBySub, sub)
|
|
||||||
var i OidcToken
|
|
||||||
err := row.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.AccessTokenHash,
|
|
||||||
&i.RefreshTokenHash,
|
|
||||||
&i.CodeHash,
|
|
||||||
&i.Scope,
|
|
||||||
&i.ClientID,
|
|
||||||
&i.TokenExpiresAt,
|
|
||||||
&i.RefreshTokenExpiresAt,
|
|
||||||
&i.Nonce,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const getOidcUserInfo = `-- name: GetOidcUserInfo :one
|
|
||||||
SELECT sub, name, preferred_username, email, groups, updated_at, given_name, family_name, middle_name, nickname, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, address FROM "oidc_userinfo"
|
|
||||||
WHERE "sub" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) GetOidcUserInfo(ctx context.Context, sub string) (OidcUserinfo, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, getOidcUserInfo, sub)
|
|
||||||
var i OidcUserinfo
|
|
||||||
err := row.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.Name,
|
|
||||||
&i.PreferredUsername,
|
|
||||||
&i.Email,
|
|
||||||
&i.Groups,
|
|
||||||
&i.UpdatedAt,
|
|
||||||
&i.GivenName,
|
|
||||||
&i.FamilyName,
|
|
||||||
&i.MiddleName,
|
|
||||||
&i.Nickname,
|
|
||||||
&i.Profile,
|
|
||||||
&i.Picture,
|
|
||||||
&i.Website,
|
|
||||||
&i.Gender,
|
|
||||||
&i.Birthdate,
|
|
||||||
&i.Zoneinfo,
|
|
||||||
&i.Locale,
|
|
||||||
&i.PhoneNumber,
|
|
||||||
&i.Address,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const updateOidcTokenByRefreshToken = `-- name: UpdateOidcTokenByRefreshToken :one
|
|
||||||
UPDATE "oidc_tokens" SET
|
|
||||||
"access_token_hash" = $1,
|
|
||||||
"refresh_token_hash" = $2,
|
|
||||||
"token_expires_at" = $3,
|
|
||||||
"refresh_token_expires_at" = $4
|
|
||||||
WHERE "refresh_token_hash" = $5
|
|
||||||
RETURNING sub, access_token_hash, refresh_token_hash, code_hash, scope, client_id, token_expires_at, refresh_token_expires_at, nonce
|
|
||||||
`
|
|
||||||
|
|
||||||
type UpdateOidcTokenByRefreshTokenParams struct {
|
|
||||||
AccessTokenHash string
|
|
||||||
RefreshTokenHash string
|
|
||||||
TokenExpiresAt int64
|
|
||||||
RefreshTokenExpiresAt int64
|
|
||||||
RefreshTokenHash_2 string
|
|
||||||
}
|
|
||||||
|
|
||||||
func (q *Queries) UpdateOidcTokenByRefreshToken(ctx context.Context, arg UpdateOidcTokenByRefreshTokenParams) (OidcToken, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, updateOidcTokenByRefreshToken,
|
|
||||||
arg.AccessTokenHash,
|
|
||||||
arg.RefreshTokenHash,
|
|
||||||
arg.TokenExpiresAt,
|
|
||||||
arg.RefreshTokenExpiresAt,
|
|
||||||
arg.RefreshTokenHash_2,
|
|
||||||
)
|
|
||||||
var i OidcToken
|
|
||||||
err := row.Scan(
|
|
||||||
&i.Sub,
|
|
||||||
&i.AccessTokenHash,
|
|
||||||
&i.RefreshTokenHash,
|
|
||||||
&i.CodeHash,
|
|
||||||
&i.Scope,
|
|
||||||
&i.ClientID,
|
|
||||||
&i.TokenExpiresAt,
|
|
||||||
&i.RefreshTokenExpiresAt,
|
|
||||||
&i.Nonce,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
@@ -1,176 +0,0 @@
|
|||||||
// Code generated by sqlc. DO NOT EDIT.
|
|
||||||
// versions:
|
|
||||||
// sqlc v1.31.1
|
|
||||||
// source: session_queries.sql
|
|
||||||
|
|
||||||
package postgres
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
)
|
|
||||||
|
|
||||||
const createSession = `-- name: CreateSession :one
|
|
||||||
INSERT INTO "sessions" (
|
|
||||||
"uuid",
|
|
||||||
"username",
|
|
||||||
"email",
|
|
||||||
"name",
|
|
||||||
"provider",
|
|
||||||
"totp_pending",
|
|
||||||
"oauth_groups",
|
|
||||||
"expiry",
|
|
||||||
"created_at",
|
|
||||||
"oauth_name",
|
|
||||||
"oauth_sub"
|
|
||||||
) VALUES (
|
|
||||||
$1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11
|
|
||||||
)
|
|
||||||
RETURNING uuid, username, email, name, provider, totp_pending, oauth_groups, expiry, created_at, oauth_name, oauth_sub
|
|
||||||
`
|
|
||||||
|
|
||||||
type CreateSessionParams struct {
|
|
||||||
UUID string
|
|
||||||
Username string
|
|
||||||
Email string
|
|
||||||
Name string
|
|
||||||
Provider string
|
|
||||||
TotpPending bool
|
|
||||||
OAuthGroups string
|
|
||||||
Expiry int64
|
|
||||||
CreatedAt int64
|
|
||||||
OAuthName string
|
|
||||||
OAuthSub string
|
|
||||||
}
|
|
||||||
|
|
||||||
func (q *Queries) CreateSession(ctx context.Context, arg CreateSessionParams) (Session, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, createSession,
|
|
||||||
arg.UUID,
|
|
||||||
arg.Username,
|
|
||||||
arg.Email,
|
|
||||||
arg.Name,
|
|
||||||
arg.Provider,
|
|
||||||
arg.TotpPending,
|
|
||||||
arg.OAuthGroups,
|
|
||||||
arg.Expiry,
|
|
||||||
arg.CreatedAt,
|
|
||||||
arg.OAuthName,
|
|
||||||
arg.OAuthSub,
|
|
||||||
)
|
|
||||||
var i Session
|
|
||||||
err := row.Scan(
|
|
||||||
&i.UUID,
|
|
||||||
&i.Username,
|
|
||||||
&i.Email,
|
|
||||||
&i.Name,
|
|
||||||
&i.Provider,
|
|
||||||
&i.TotpPending,
|
|
||||||
&i.OAuthGroups,
|
|
||||||
&i.Expiry,
|
|
||||||
&i.CreatedAt,
|
|
||||||
&i.OAuthName,
|
|
||||||
&i.OAuthSub,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const deleteExpiredSessions = `-- name: DeleteExpiredSessions :exec
|
|
||||||
DELETE FROM "sessions"
|
|
||||||
WHERE "expiry" < $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
|
|
||||||
_, err := q.db.ExecContext(ctx, deleteExpiredSessions, expiry)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
const deleteSession = `-- name: DeleteSession :exec
|
|
||||||
DELETE FROM "sessions"
|
|
||||||
WHERE "uuid" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) DeleteSession(ctx context.Context, uuid string) error {
|
|
||||||
_, err := q.db.ExecContext(ctx, deleteSession, uuid)
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
const getSession = `-- name: GetSession :one
|
|
||||||
SELECT uuid, username, email, name, provider, totp_pending, oauth_groups, expiry, created_at, oauth_name, oauth_sub FROM "sessions"
|
|
||||||
WHERE "uuid" = $1
|
|
||||||
`
|
|
||||||
|
|
||||||
func (q *Queries) GetSession(ctx context.Context, uuid string) (Session, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, getSession, uuid)
|
|
||||||
var i Session
|
|
||||||
err := row.Scan(
|
|
||||||
&i.UUID,
|
|
||||||
&i.Username,
|
|
||||||
&i.Email,
|
|
||||||
&i.Name,
|
|
||||||
&i.Provider,
|
|
||||||
&i.TotpPending,
|
|
||||||
&i.OAuthGroups,
|
|
||||||
&i.Expiry,
|
|
||||||
&i.CreatedAt,
|
|
||||||
&i.OAuthName,
|
|
||||||
&i.OAuthSub,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
|
|
||||||
const updateSession = `-- name: UpdateSession :one
|
|
||||||
UPDATE "sessions" SET
|
|
||||||
"username" = $1,
|
|
||||||
"email" = $2,
|
|
||||||
"name" = $3,
|
|
||||||
"provider" = $4,
|
|
||||||
"totp_pending" = $5,
|
|
||||||
"oauth_groups" = $6,
|
|
||||||
"expiry" = $7,
|
|
||||||
"oauth_name" = $8,
|
|
||||||
"oauth_sub" = $9
|
|
||||||
WHERE "uuid" = $10
|
|
||||||
RETURNING uuid, username, email, name, provider, totp_pending, oauth_groups, expiry, created_at, oauth_name, oauth_sub
|
|
||||||
`
|
|
||||||
|
|
||||||
type UpdateSessionParams struct {
|
|
||||||
Username string
|
|
||||||
Email string
|
|
||||||
Name string
|
|
||||||
Provider string
|
|
||||||
TotpPending bool
|
|
||||||
OAuthGroups string
|
|
||||||
Expiry int64
|
|
||||||
OAuthName string
|
|
||||||
OAuthSub string
|
|
||||||
UUID string
|
|
||||||
}
|
|
||||||
|
|
||||||
func (q *Queries) UpdateSession(ctx context.Context, arg UpdateSessionParams) (Session, error) {
|
|
||||||
row := q.db.QueryRowContext(ctx, updateSession,
|
|
||||||
arg.Username,
|
|
||||||
arg.Email,
|
|
||||||
arg.Name,
|
|
||||||
arg.Provider,
|
|
||||||
arg.TotpPending,
|
|
||||||
arg.OAuthGroups,
|
|
||||||
arg.Expiry,
|
|
||||||
arg.OAuthName,
|
|
||||||
arg.OAuthSub,
|
|
||||||
arg.UUID,
|
|
||||||
)
|
|
||||||
var i Session
|
|
||||||
err := row.Scan(
|
|
||||||
&i.UUID,
|
|
||||||
&i.Username,
|
|
||||||
&i.Email,
|
|
||||||
&i.Name,
|
|
||||||
&i.Provider,
|
|
||||||
&i.TotpPending,
|
|
||||||
&i.OAuthGroups,
|
|
||||||
&i.Expiry,
|
|
||||||
&i.CreatedAt,
|
|
||||||
&i.OAuthName,
|
|
||||||
&i.OAuthSub,
|
|
||||||
)
|
|
||||||
return i, err
|
|
||||||
}
|
|
||||||
@@ -1,209 +0,0 @@
|
|||||||
// Code generated by cmd/gen/sqlc-wrapper. DO NOT EDIT.
|
|
||||||
package postgres
|
|
||||||
|
|
||||||
import (
|
|
||||||
"context"
|
|
||||||
"database/sql"
|
|
||||||
"errors"
|
|
||||||
|
|
||||||
"github.com/tinyauthapp/tinyauth/internal/repository"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Store wraps *Queries and implements repository.Store.
|
|
||||||
type Store struct {
|
|
||||||
q *Queries
|
|
||||||
}
|
|
||||||
|
|
||||||
// NewStore wraps a *Queries to satisfy repository.Store.
|
|
||||||
func NewStore(q *Queries) repository.Store {
|
|
||||||
return &Store{q: q}
|
|
||||||
}
|
|
||||||
|
|
||||||
var errorMap = map[error]error{
|
|
||||||
sql.ErrNoRows: repository.ErrNotFound,
|
|
||||||
}
|
|
||||||
|
|
||||||
func mapErr(err error) error {
|
|
||||||
for from, to := range errorMap {
|
|
||||||
if errors.Is(err, from) {
|
|
||||||
return to
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) CreateOidcCode(ctx context.Context, arg repository.CreateOidcCodeParams) (repository.OidcCode, error) {
|
|
||||||
r, err := s.q.CreateOidcCode(ctx, CreateOidcCodeParams(arg))
|
|
||||||
if err != nil {
|
|
||||||
return repository.OidcCode{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.OidcCode(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) CreateOidcToken(ctx context.Context, arg repository.CreateOidcTokenParams) (repository.OidcToken, error) {
|
|
||||||
r, err := s.q.CreateOidcToken(ctx, CreateOidcTokenParams(arg))
|
|
||||||
if err != nil {
|
|
||||||
return repository.OidcToken{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.OidcToken(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) CreateOidcUserInfo(ctx context.Context, arg repository.CreateOidcUserInfoParams) (repository.OidcUserinfo, error) {
|
|
||||||
r, err := s.q.CreateOidcUserInfo(ctx, CreateOidcUserInfoParams(arg))
|
|
||||||
if err != nil {
|
|
||||||
return repository.OidcUserinfo{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.OidcUserinfo(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) CreateSession(ctx context.Context, arg repository.CreateSessionParams) (repository.Session, error) {
|
|
||||||
r, err := s.q.CreateSession(ctx, CreateSessionParams(arg))
|
|
||||||
if err != nil {
|
|
||||||
return repository.Session{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.Session(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) DeleteExpiredOidcCodes(ctx context.Context, expiresAt int64) ([]repository.OidcCode, error) {
|
|
||||||
rows, err := s.q.DeleteExpiredOidcCodes(ctx, expiresAt)
|
|
||||||
if err != nil {
|
|
||||||
return nil, mapErr(err)
|
|
||||||
}
|
|
||||||
out := make([]repository.OidcCode, len(rows))
|
|
||||||
for i, row := range rows {
|
|
||||||
out[i] = repository.OidcCode(row)
|
|
||||||
}
|
|
||||||
return out, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) DeleteExpiredOidcTokens(ctx context.Context, arg repository.DeleteExpiredOidcTokensParams) ([]repository.OidcToken, error) {
|
|
||||||
rows, err := s.q.DeleteExpiredOidcTokens(ctx, DeleteExpiredOidcTokensParams(arg))
|
|
||||||
if err != nil {
|
|
||||||
return nil, mapErr(err)
|
|
||||||
}
|
|
||||||
out := make([]repository.OidcToken, len(rows))
|
|
||||||
for i, row := range rows {
|
|
||||||
out[i] = repository.OidcToken(row)
|
|
||||||
}
|
|
||||||
return out, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) DeleteExpiredSessions(ctx context.Context, expiry int64) error {
|
|
||||||
return mapErr(s.q.DeleteExpiredSessions(ctx, expiry))
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) DeleteOidcCode(ctx context.Context, codeHash string) error {
|
|
||||||
return mapErr(s.q.DeleteOidcCode(ctx, codeHash))
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) DeleteOidcCodeBySub(ctx context.Context, sub string) error {
|
|
||||||
return mapErr(s.q.DeleteOidcCodeBySub(ctx, sub))
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) DeleteOidcToken(ctx context.Context, accessTokenHash string) error {
|
|
||||||
return mapErr(s.q.DeleteOidcToken(ctx, accessTokenHash))
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) DeleteOidcTokenByCodeHash(ctx context.Context, codeHash string) error {
|
|
||||||
return mapErr(s.q.DeleteOidcTokenByCodeHash(ctx, codeHash))
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) DeleteOidcTokenBySub(ctx context.Context, sub string) error {
|
|
||||||
return mapErr(s.q.DeleteOidcTokenBySub(ctx, sub))
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) DeleteOidcUserInfo(ctx context.Context, sub string) error {
|
|
||||||
return mapErr(s.q.DeleteOidcUserInfo(ctx, sub))
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) DeleteSession(ctx context.Context, uuid string) error {
|
|
||||||
return mapErr(s.q.DeleteSession(ctx, uuid))
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) GetOidcCode(ctx context.Context, codeHash string) (repository.OidcCode, error) {
|
|
||||||
r, err := s.q.GetOidcCode(ctx, codeHash)
|
|
||||||
if err != nil {
|
|
||||||
return repository.OidcCode{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.OidcCode(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) GetOidcCodeBySub(ctx context.Context, sub string) (repository.OidcCode, error) {
|
|
||||||
r, err := s.q.GetOidcCodeBySub(ctx, sub)
|
|
||||||
if err != nil {
|
|
||||||
return repository.OidcCode{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.OidcCode(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) GetOidcCodeBySubUnsafe(ctx context.Context, sub string) (repository.OidcCode, error) {
|
|
||||||
r, err := s.q.GetOidcCodeBySubUnsafe(ctx, sub)
|
|
||||||
if err != nil {
|
|
||||||
return repository.OidcCode{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.OidcCode(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) GetOidcCodeUnsafe(ctx context.Context, codeHash string) (repository.OidcCode, error) {
|
|
||||||
r, err := s.q.GetOidcCodeUnsafe(ctx, codeHash)
|
|
||||||
if err != nil {
|
|
||||||
return repository.OidcCode{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.OidcCode(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) GetOidcToken(ctx context.Context, accessTokenHash string) (repository.OidcToken, error) {
|
|
||||||
r, err := s.q.GetOidcToken(ctx, accessTokenHash)
|
|
||||||
if err != nil {
|
|
||||||
return repository.OidcToken{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.OidcToken(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) GetOidcTokenByRefreshToken(ctx context.Context, refreshTokenHash string) (repository.OidcToken, error) {
|
|
||||||
r, err := s.q.GetOidcTokenByRefreshToken(ctx, refreshTokenHash)
|
|
||||||
if err != nil {
|
|
||||||
return repository.OidcToken{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.OidcToken(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) GetOidcTokenBySub(ctx context.Context, sub string) (repository.OidcToken, error) {
|
|
||||||
r, err := s.q.GetOidcTokenBySub(ctx, sub)
|
|
||||||
if err != nil {
|
|
||||||
return repository.OidcToken{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.OidcToken(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) GetOidcUserInfo(ctx context.Context, sub string) (repository.OidcUserinfo, error) {
|
|
||||||
r, err := s.q.GetOidcUserInfo(ctx, sub)
|
|
||||||
if err != nil {
|
|
||||||
return repository.OidcUserinfo{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.OidcUserinfo(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) GetSession(ctx context.Context, uuid string) (repository.Session, error) {
|
|
||||||
r, err := s.q.GetSession(ctx, uuid)
|
|
||||||
if err != nil {
|
|
||||||
return repository.Session{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.Session(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) UpdateOidcTokenByRefreshToken(ctx context.Context, arg repository.UpdateOidcTokenByRefreshTokenParams) (repository.OidcToken, error) {
|
|
||||||
r, err := s.q.UpdateOidcTokenByRefreshToken(ctx, UpdateOidcTokenByRefreshTokenParams(arg))
|
|
||||||
if err != nil {
|
|
||||||
return repository.OidcToken{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.OidcToken(r), nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *Store) UpdateSession(ctx context.Context, arg repository.UpdateSessionParams) (repository.Session, error) {
|
|
||||||
r, err := s.q.UpdateSession(ctx, UpdateSessionParams(arg))
|
|
||||||
if err != nil {
|
|
||||||
return repository.Session{}, mapErr(err)
|
|
||||||
}
|
|
||||||
return repository.Session(r), nil
|
|
||||||
}
|
|
||||||
@@ -0,0 +1,162 @@
|
|||||||
|
package postgres
|
||||||
|
|
||||||
|
import (
|
||||||
|
"context"
|
||||||
|
"database/sql"
|
||||||
|
"errors"
|
||||||
|
"fmt"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
"github.com/tinyauthapp/tinyauth/internal/repository"
|
||||||
|
)
|
||||||
|
|
||||||
|
// TestMapErr verifies that mapErr translates known sentinel errors and
|
||||||
|
// passes through all other errors unchanged.
|
||||||
|
func TestMapErr(t *testing.T) {
|
||||||
|
sentinel := errors.New("some other error")
|
||||||
|
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
input error
|
||||||
|
want error
|
||||||
|
isWant bool // use errors.Is check
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "nil passes through unchanged",
|
||||||
|
input: nil,
|
||||||
|
want: nil,
|
||||||
|
isWant: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "sql.ErrNoRows maps to repository.ErrNotFound",
|
||||||
|
input: sql.ErrNoRows,
|
||||||
|
want: repository.ErrNotFound,
|
||||||
|
isWant: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "wrapped sql.ErrNoRows maps to repository.ErrNotFound",
|
||||||
|
input: fmt.Errorf("wrapped: %w", sql.ErrNoRows),
|
||||||
|
want: repository.ErrNotFound,
|
||||||
|
isWant: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "arbitrary error passes through unchanged",
|
||||||
|
input: sentinel,
|
||||||
|
want: sentinel,
|
||||||
|
isWant: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "wrapped arbitrary error passes through unchanged",
|
||||||
|
input: fmt.Errorf("outer: %w", sentinel),
|
||||||
|
want: fmt.Errorf("outer: %w", sentinel),
|
||||||
|
isWant: false,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tt := range tests {
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
got := mapErr(tt.input)
|
||||||
|
if tt.input == nil {
|
||||||
|
assert.Nil(t, got)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if tt.isWant {
|
||||||
|
assert.True(t, errors.Is(got, tt.want), "expected errors.Is(%v, %v) to be true, got %v", got, tt.want, got)
|
||||||
|
} else {
|
||||||
|
// For wrapped-arbitrary-error passthrough: the original wrapped error is returned as-is
|
||||||
|
assert.Equal(t, tt.input, got)
|
||||||
|
}
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestMapErr_ErrNoRows_IsRepositoryErrNotFound specifically asserts the contract
|
||||||
|
// that callers outside the package can detect repository.ErrNotFound using errors.Is.
|
||||||
|
func TestMapErr_ErrNoRows_IsRepositoryErrNotFound(t *testing.T) {
|
||||||
|
result := mapErr(sql.ErrNoRows)
|
||||||
|
require.NotNil(t, result)
|
||||||
|
assert.True(t, errors.Is(result, repository.ErrNotFound))
|
||||||
|
// Must NOT still be sql.ErrNoRows after mapping
|
||||||
|
assert.False(t, errors.Is(result, sql.ErrNoRows))
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestMapErr_OtherError_IsNotRepositoryErrNotFound ensures unrecognised errors
|
||||||
|
// are NOT silently converted to ErrNotFound.
|
||||||
|
func TestMapErr_OtherError_IsNotRepositoryErrNotFound(t *testing.T) {
|
||||||
|
someErr := errors.New("connection refused")
|
||||||
|
result := mapErr(someErr)
|
||||||
|
require.NotNil(t, result)
|
||||||
|
assert.False(t, errors.Is(result, repository.ErrNotFound))
|
||||||
|
assert.True(t, errors.Is(result, someErr))
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestNewStore ensures that NewStore returns a value satisfying the
|
||||||
|
// repository.Store interface (compile-time verified) and is not nil.
|
||||||
|
func TestNewStore(t *testing.T) {
|
||||||
|
q := New(nil) // Queries with a nil DBTX — adequate for construction checks
|
||||||
|
var store repository.Store = NewStore(q)
|
||||||
|
assert.NotNil(t, store)
|
||||||
|
}
|
||||||
|
|
||||||
|
// mockDBTX is a minimal DBTX implementation that returns a configurable error.
|
||||||
|
type mockDBTX struct {
|
||||||
|
err error
|
||||||
|
rowErr error
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *mockDBTX) ExecContext(_ context.Context, _ string, _ ...interface{}) (sql.Result, error) {
|
||||||
|
return nil, m.err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *mockDBTX) PrepareContext(_ context.Context, _ string) (*sql.Stmt, error) {
|
||||||
|
return nil, m.err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *mockDBTX) QueryContext(_ context.Context, _ string, _ ...interface{}) (*sql.Rows, error) {
|
||||||
|
return nil, m.err
|
||||||
|
}
|
||||||
|
|
||||||
|
func (m *mockDBTX) QueryRowContext(_ context.Context, _ string, _ ...interface{}) *sql.Row {
|
||||||
|
// *sql.Row cannot be constructed without internals; returning nil causes a
|
||||||
|
// nil-dereference in callers, so we can only test ExecContext-backed methods.
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestStore_DeleteSession_PropagatesError verifies that an error returned by the
|
||||||
|
// underlying DBTX is forwarded (possibly mapped) by the Store wrapper.
|
||||||
|
func TestStore_DeleteSession_PropagatesError(t *testing.T) {
|
||||||
|
customErr := errors.New("exec error")
|
||||||
|
mock := &mockDBTX{err: customErr}
|
||||||
|
store := NewStore(New(mock))
|
||||||
|
|
||||||
|
err := store.DeleteSession(context.Background(), "some-uuid")
|
||||||
|
require.Error(t, err)
|
||||||
|
// The error is not ErrNoRows, so it must be passed through as-is.
|
||||||
|
assert.True(t, errors.Is(err, customErr))
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestStore_DeleteOidcCode_PropagatesError verifies error propagation for a
|
||||||
|
// different delete method.
|
||||||
|
func TestStore_DeleteOidcCode_PropagatesError(t *testing.T) {
|
||||||
|
customErr := errors.New("exec error")
|
||||||
|
mock := &mockDBTX{err: customErr}
|
||||||
|
store := NewStore(New(mock))
|
||||||
|
|
||||||
|
err := store.DeleteOidcCode(context.Background(), "some-hash")
|
||||||
|
require.Error(t, err)
|
||||||
|
assert.True(t, errors.Is(err, customErr))
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestStore_DeleteExpiredSessions_PropagatesErrNoRowsAsNotFound verifies that
|
||||||
|
// sql.ErrNoRows is mapped to repository.ErrNotFound through the Store wrapper.
|
||||||
|
func TestStore_DeleteExpiredSessions_PropagatesError(t *testing.T) {
|
||||||
|
customErr := errors.New("db unavailable")
|
||||||
|
mock := &mockDBTX{err: customErr}
|
||||||
|
store := NewStore(New(mock))
|
||||||
|
|
||||||
|
err := store.DeleteExpiredSessions(context.Background(), 0)
|
||||||
|
require.Error(t, err)
|
||||||
|
assert.True(t, errors.Is(err, customErr))
|
||||||
|
}
|
||||||
@@ -75,11 +75,10 @@ type AuthService struct {
|
|||||||
runtime model.RuntimeConfig
|
runtime model.RuntimeConfig
|
||||||
context context.Context
|
context context.Context
|
||||||
|
|
||||||
ldap *LdapService
|
ldap *LdapService
|
||||||
queries repository.Store
|
queries repository.Store
|
||||||
oauthBroker *OAuthBrokerService
|
oauthBroker *OAuthBrokerService
|
||||||
tailscale *TailscaleService
|
tailscale *TailscaleService
|
||||||
policyEngine *PolicyEngine
|
|
||||||
|
|
||||||
loginAttempts map[string]*LoginAttempt
|
loginAttempts map[string]*LoginAttempt
|
||||||
ldapGroupsCache map[string]*LdapGroupsCache
|
ldapGroupsCache map[string]*LdapGroupsCache
|
||||||
@@ -102,7 +101,6 @@ func NewAuthService(
|
|||||||
queries repository.Store,
|
queries repository.Store,
|
||||||
oauthBroker *OAuthBrokerService,
|
oauthBroker *OAuthBrokerService,
|
||||||
tailscale *TailscaleService,
|
tailscale *TailscaleService,
|
||||||
policy *PolicyEngine,
|
|
||||||
) *AuthService {
|
) *AuthService {
|
||||||
service := &AuthService{
|
service := &AuthService{
|
||||||
log: log,
|
log: log,
|
||||||
@@ -116,7 +114,6 @@ func NewAuthService(
|
|||||||
queries: queries,
|
queries: queries,
|
||||||
oauthBroker: oauthBroker,
|
oauthBroker: oauthBroker,
|
||||||
tailscale: tailscale,
|
tailscale: tailscale,
|
||||||
policyEngine: policy,
|
|
||||||
}
|
}
|
||||||
|
|
||||||
wg.Go(service.CleanupOAuthSessionsRoutine)
|
wg.Go(service.CleanupOAuthSessionsRoutine)
|
||||||
@@ -288,27 +285,18 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// We could also directly access the policyEngine.effectToAccess but
|
|
||||||
// I believe it's better to use the exported functions instead
|
|
||||||
func (auth *AuthService) IsEmailWhitelisted(provider string, email string) bool {
|
func (auth *AuthService) IsEmailWhitelisted(provider string, email string) bool {
|
||||||
return auth.policyEngine.EvaluateFunc(func() Effect {
|
whitelist := auth.runtime.OAuthWhitelist
|
||||||
whitelist := auth.runtime.OAuthWhitelist
|
if providerConfig, ok := auth.runtime.OAuthProviders[provider]; ok && len(providerConfig.Whitelist) > 0 {
|
||||||
if providerConfig, ok := auth.runtime.OAuthProviders[provider]; ok && len(providerConfig.Whitelist) > 0 {
|
whitelist = providerConfig.Whitelist
|
||||||
whitelist = providerConfig.Whitelist
|
}
|
||||||
}
|
|
||||||
match, err := utils.CheckFilter(strings.Join(whitelist, ","), email)
|
match, err := utils.CheckFilter(strings.Join(whitelist, ","), email)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == utils.ErrFilterEmpty {
|
auth.log.App.Warn().Err(err).Str("provider", provider).Str("email", email).Msg("Invalid email filter pattern")
|
||||||
return EffectAbstain
|
return false
|
||||||
}
|
}
|
||||||
auth.log.App.Error().Err(err).Str("email", email).Msg("Failed to evaluate email whitelist filter, defaulting to deny")
|
return match
|
||||||
return EffectDeny
|
|
||||||
}
|
|
||||||
if match {
|
|
||||||
return EffectAllow
|
|
||||||
}
|
|
||||||
return EffectDeny
|
|
||||||
})
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
|
func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
|
||||||
|
|||||||
@@ -8,7 +8,105 @@ import (
|
|||||||
"github.com/tinyauthapp/tinyauth/internal/utils/logger"
|
"github.com/tinyauthapp/tinyauth/internal/utils/logger"
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
|
func newTestAuthService(whitelist []string) *AuthService {
|
||||||
|
log := logger.NewLogger().WithTestConfig()
|
||||||
|
log.Init()
|
||||||
|
return &AuthService{
|
||||||
|
log: log,
|
||||||
|
runtime: model.RuntimeConfig{
|
||||||
|
OAuthWhitelist: whitelist,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestIsEmailWhitelisted(t *testing.T) {
|
||||||
|
tests := []struct {
|
||||||
|
name string
|
||||||
|
whitelist []string
|
||||||
|
email string
|
||||||
|
expected bool
|
||||||
|
}{
|
||||||
|
{
|
||||||
|
name: "empty whitelist denies all",
|
||||||
|
whitelist: []string{},
|
||||||
|
email: "user@example.com",
|
||||||
|
expected: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "nil whitelist denies all",
|
||||||
|
whitelist: nil,
|
||||||
|
email: "user@example.com",
|
||||||
|
expected: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "matching email is allowed",
|
||||||
|
whitelist: []string{"user@example.com"},
|
||||||
|
email: "user@example.com",
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "non-matching email is denied",
|
||||||
|
whitelist: []string{"user@example.com"},
|
||||||
|
email: "other@example.com",
|
||||||
|
expected: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "multiple entries, matching email is allowed",
|
||||||
|
whitelist: []string{"alice@example.com", "bob@example.com"},
|
||||||
|
email: "bob@example.com",
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "multiple entries, non-matching email is denied",
|
||||||
|
whitelist: []string{"alice@example.com", "bob@example.com"},
|
||||||
|
email: "charlie@example.com",
|
||||||
|
expected: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "regex pattern matches email",
|
||||||
|
whitelist: []string{"/@example\\.com$/"},
|
||||||
|
email: "anyone@example.com",
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "regex pattern does not match different domain",
|
||||||
|
whitelist: []string{"/@example\\.com$/"},
|
||||||
|
email: "anyone@other.com",
|
||||||
|
expected: false,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "wildcard domain pattern with regex",
|
||||||
|
whitelist: []string{"/^.+@mycompany\\.org$/"},
|
||||||
|
email: "employee@mycompany.org",
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "only global whitelist is used, not any per-provider list",
|
||||||
|
whitelist: []string{"global@example.com"},
|
||||||
|
email: "global@example.com",
|
||||||
|
expected: true,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "whitespace-only entries are handled gracefully",
|
||||||
|
whitelist: []string{" "},
|
||||||
|
email: "user@example.com",
|
||||||
|
expected: false,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tt := range tests {
|
||||||
|
t.Run(tt.name, func(t *testing.T) {
|
||||||
|
auth := newTestAuthService(tt.whitelist)
|
||||||
|
result := auth.IsEmailWhitelisted(tt.email)
|
||||||
|
assert.Equal(t, tt.expected, result)
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// TestIsEmailWhitelistedNoPerProviderList verifies the new behaviour where
|
||||||
|
// per-provider whitelist overrides are no longer applied; only the global
|
||||||
|
// OAuthWhitelist is consulted regardless of which OAuth provider was used.
|
||||||
|
func TestIsEmailWhitelistedNoPerProviderList(t *testing.T) {
|
||||||
log := logger.NewLogger().WithTestConfig()
|
log := logger.NewLogger().WithTestConfig()
|
||||||
log.Init()
|
log.Init()
|
||||||
|
|
||||||
@@ -16,24 +114,18 @@ func TestIsEmailWhitelistedUsesProviderSpecificList(t *testing.T) {
|
|||||||
log: log,
|
log: log,
|
||||||
runtime: model.RuntimeConfig{
|
runtime: model.RuntimeConfig{
|
||||||
OAuthWhitelist: []string{"global@example.com"},
|
OAuthWhitelist: []string{"global@example.com"},
|
||||||
|
// OAuthProviders still present but their Whitelist field has been removed
|
||||||
OAuthProviders: map[string]model.OAuthServiceConfig{
|
OAuthProviders: map[string]model.OAuthServiceConfig{
|
||||||
"github": {
|
"github": {
|
||||||
Whitelist: []string{"github@example.com"},
|
ClientID: "github-client-id",
|
||||||
},
|
|
||||||
"pocketid": {
|
|
||||||
Whitelist: []string{"pocket@example.com"},
|
|
||||||
},
|
|
||||||
"gitlab": {
|
|
||||||
Whitelist: []string{},
|
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
assert.True(t, auth.IsEmailWhitelisted("github", "github@example.com"))
|
// Global whitelist allows this email regardless of provider
|
||||||
assert.False(t, auth.IsEmailWhitelisted("github", "pocket@example.com"))
|
assert.True(t, auth.IsEmailWhitelisted("global@example.com"))
|
||||||
assert.True(t, auth.IsEmailWhitelisted("pocketid", "pocket@example.com"))
|
// Global whitelist denies this email even though it was previously
|
||||||
assert.True(t, auth.IsEmailWhitelisted("google", "global@example.com"))
|
// allowed by a provider-specific list in the old implementation
|
||||||
assert.True(t, auth.IsEmailWhitelisted("gitlab", "global@example.com"))
|
assert.False(t, auth.IsEmailWhitelisted("provider-only@example.com"))
|
||||||
assert.False(t, auth.IsEmailWhitelisted("gitlab", "unknown@example.com"))
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -108,7 +108,3 @@ func (engine *PolicyEngine) Policy() Policy {
|
|||||||
func (engine *PolicyEngine) Rules() map[RuleName]Rule {
|
func (engine *PolicyEngine) Rules() map[RuleName]Rule {
|
||||||
return engine.rules
|
return engine.rules
|
||||||
}
|
}
|
||||||
|
|
||||||
func (engine *PolicyEngine) EvaluateFunc(f func() Effect) bool {
|
|
||||||
return engine.effectToAccess(f())
|
|
||||||
}
|
|
||||||
|
|||||||
@@ -3,7 +3,6 @@ package utils
|
|||||||
import (
|
import (
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"errors"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
"regexp"
|
"regexp"
|
||||||
@@ -12,10 +11,6 @@ import (
|
|||||||
"github.com/google/uuid"
|
"github.com/google/uuid"
|
||||||
)
|
)
|
||||||
|
|
||||||
var (
|
|
||||||
ErrFilterEmpty = errors.New("filter is empty")
|
|
||||||
)
|
|
||||||
|
|
||||||
func GetSecret(conf string, file string) string {
|
func GetSecret(conf string, file string) string {
|
||||||
if conf == "" && file == "" {
|
if conf == "" && file == "" {
|
||||||
return ""
|
return ""
|
||||||
@@ -83,7 +78,7 @@ func CheckIPFilter(filter string, ip string) (bool, error) {
|
|||||||
|
|
||||||
func CheckFilter(filter string, input string) (bool, error) {
|
func CheckFilter(filter string, input string) (bool, error) {
|
||||||
if len(strings.TrimSpace(filter)) == 0 {
|
if len(strings.TrimSpace(filter)) == 0 {
|
||||||
return false, ErrFilterEmpty
|
return false, fmt.Errorf("filter is empty")
|
||||||
}
|
}
|
||||||
|
|
||||||
if strings.HasPrefix(filter, "/") && strings.HasSuffix(filter, "/") {
|
if strings.HasPrefix(filter, "/") && strings.HasSuffix(filter, "/") {
|
||||||
|
|||||||
@@ -1,133 +0,0 @@
|
|||||||
-- name: CreateOidcCode :one
|
|
||||||
INSERT INTO "oidc_codes" (
|
|
||||||
"sub",
|
|
||||||
"code_hash",
|
|
||||||
"scope",
|
|
||||||
"redirect_uri",
|
|
||||||
"client_id",
|
|
||||||
"expires_at",
|
|
||||||
"nonce",
|
|
||||||
"code_challenge"
|
|
||||||
) VALUES (
|
|
||||||
$1, $2, $3, $4, $5, $6, $7, $8
|
|
||||||
)
|
|
||||||
RETURNING *;
|
|
||||||
|
|
||||||
-- name: GetOidcCodeUnsafe :one
|
|
||||||
SELECT * FROM "oidc_codes"
|
|
||||||
WHERE "code_hash" = $1;
|
|
||||||
|
|
||||||
-- name: GetOidcCode :one
|
|
||||||
DELETE FROM "oidc_codes"
|
|
||||||
WHERE "code_hash" = $1
|
|
||||||
RETURNING *;
|
|
||||||
|
|
||||||
-- name: GetOidcCodeBySubUnsafe :one
|
|
||||||
SELECT * FROM "oidc_codes"
|
|
||||||
WHERE "sub" = $1;
|
|
||||||
|
|
||||||
-- name: GetOidcCodeBySub :one
|
|
||||||
DELETE FROM "oidc_codes"
|
|
||||||
WHERE "sub" = $1
|
|
||||||
RETURNING *;
|
|
||||||
|
|
||||||
-- name: DeleteOidcCode :exec
|
|
||||||
DELETE FROM "oidc_codes"
|
|
||||||
WHERE "code_hash" = $1;
|
|
||||||
|
|
||||||
-- name: DeleteOidcCodeBySub :exec
|
|
||||||
DELETE FROM "oidc_codes"
|
|
||||||
WHERE "sub" = $1;
|
|
||||||
|
|
||||||
-- name: CreateOidcToken :one
|
|
||||||
INSERT INTO "oidc_tokens" (
|
|
||||||
"sub",
|
|
||||||
"access_token_hash",
|
|
||||||
"refresh_token_hash",
|
|
||||||
"scope",
|
|
||||||
"client_id",
|
|
||||||
"token_expires_at",
|
|
||||||
"refresh_token_expires_at",
|
|
||||||
"code_hash",
|
|
||||||
"nonce"
|
|
||||||
) VALUES (
|
|
||||||
$1, $2, $3, $4, $5, $6, $7, $8, $9
|
|
||||||
)
|
|
||||||
RETURNING *;
|
|
||||||
|
|
||||||
-- name: UpdateOidcTokenByRefreshToken :one
|
|
||||||
UPDATE "oidc_tokens" SET
|
|
||||||
"access_token_hash" = $1,
|
|
||||||
"refresh_token_hash" = $2,
|
|
||||||
"token_expires_at" = $3,
|
|
||||||
"refresh_token_expires_at" = $4
|
|
||||||
WHERE "refresh_token_hash" = $5
|
|
||||||
RETURNING *;
|
|
||||||
|
|
||||||
-- name: GetOidcToken :one
|
|
||||||
SELECT * FROM "oidc_tokens"
|
|
||||||
WHERE "access_token_hash" = $1;
|
|
||||||
|
|
||||||
-- name: GetOidcTokenByRefreshToken :one
|
|
||||||
SELECT * FROM "oidc_tokens"
|
|
||||||
WHERE "refresh_token_hash" = $1;
|
|
||||||
|
|
||||||
-- name: GetOidcTokenBySub :one
|
|
||||||
SELECT * FROM "oidc_tokens"
|
|
||||||
WHERE "sub" = $1;
|
|
||||||
|
|
||||||
-- name: DeleteOidcTokenByCodeHash :exec
|
|
||||||
DELETE FROM "oidc_tokens"
|
|
||||||
WHERE "code_hash" = $1;
|
|
||||||
|
|
||||||
-- name: DeleteOidcToken :exec
|
|
||||||
DELETE FROM "oidc_tokens"
|
|
||||||
WHERE "access_token_hash" = $1;
|
|
||||||
|
|
||||||
-- name: DeleteOidcTokenBySub :exec
|
|
||||||
DELETE FROM "oidc_tokens"
|
|
||||||
WHERE "sub" = $1;
|
|
||||||
|
|
||||||
-- name: CreateOidcUserInfo :one
|
|
||||||
INSERT INTO "oidc_userinfo" (
|
|
||||||
"sub",
|
|
||||||
"name",
|
|
||||||
"preferred_username",
|
|
||||||
"email",
|
|
||||||
"groups",
|
|
||||||
"updated_at",
|
|
||||||
"given_name",
|
|
||||||
"family_name",
|
|
||||||
"middle_name",
|
|
||||||
"nickname",
|
|
||||||
"profile",
|
|
||||||
"picture",
|
|
||||||
"website",
|
|
||||||
"gender",
|
|
||||||
"birthdate",
|
|
||||||
"zoneinfo",
|
|
||||||
"locale",
|
|
||||||
"phone_number",
|
|
||||||
"address"
|
|
||||||
) VALUES (
|
|
||||||
$1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19
|
|
||||||
)
|
|
||||||
RETURNING *;
|
|
||||||
|
|
||||||
-- name: GetOidcUserInfo :one
|
|
||||||
SELECT * FROM "oidc_userinfo"
|
|
||||||
WHERE "sub" = $1;
|
|
||||||
|
|
||||||
-- name: DeleteOidcUserInfo :exec
|
|
||||||
DELETE FROM "oidc_userinfo"
|
|
||||||
WHERE "sub" = $1;
|
|
||||||
|
|
||||||
-- name: DeleteExpiredOidcCodes :many
|
|
||||||
DELETE FROM "oidc_codes"
|
|
||||||
WHERE "expires_at" < $1
|
|
||||||
RETURNING *;
|
|
||||||
|
|
||||||
-- name: DeleteExpiredOidcTokens :many
|
|
||||||
DELETE FROM "oidc_tokens"
|
|
||||||
WHERE "token_expires_at" < $1 AND "refresh_token_expires_at" < $2
|
|
||||||
RETURNING *;
|
|
||||||
@@ -1,44 +0,0 @@
|
|||||||
CREATE TABLE IF NOT EXISTS "oidc_codes" (
|
|
||||||
"sub" TEXT NOT NULL UNIQUE,
|
|
||||||
"code_hash" TEXT NOT NULL PRIMARY KEY,
|
|
||||||
"scope" TEXT NOT NULL,
|
|
||||||
"redirect_uri" TEXT NOT NULL,
|
|
||||||
"client_id" TEXT NOT NULL,
|
|
||||||
"expires_at" BIGINT NOT NULL,
|
|
||||||
"nonce" TEXT NOT NULL DEFAULT '',
|
|
||||||
"code_challenge" TEXT NOT NULL DEFAULT ''
|
|
||||||
);
|
|
||||||
|
|
||||||
CREATE TABLE IF NOT EXISTS "oidc_tokens" (
|
|
||||||
"sub" TEXT NOT NULL UNIQUE,
|
|
||||||
"access_token_hash" TEXT NOT NULL PRIMARY KEY,
|
|
||||||
"refresh_token_hash" TEXT NOT NULL,
|
|
||||||
"code_hash" TEXT NOT NULL,
|
|
||||||
"scope" TEXT NOT NULL,
|
|
||||||
"client_id" TEXT NOT NULL,
|
|
||||||
"token_expires_at" BIGINT NOT NULL,
|
|
||||||
"refresh_token_expires_at" BIGINT NOT NULL,
|
|
||||||
"nonce" TEXT NOT NULL DEFAULT ''
|
|
||||||
);
|
|
||||||
|
|
||||||
CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
|
|
||||||
"sub" TEXT NOT NULL PRIMARY KEY,
|
|
||||||
"name" TEXT NOT NULL,
|
|
||||||
"preferred_username" TEXT NOT NULL,
|
|
||||||
"email" TEXT NOT NULL,
|
|
||||||
"groups" TEXT NOT NULL,
|
|
||||||
"updated_at" BIGINT NOT NULL,
|
|
||||||
"given_name" TEXT NOT NULL,
|
|
||||||
"family_name" TEXT NOT NULL,
|
|
||||||
"middle_name" TEXT NOT NULL,
|
|
||||||
"nickname" TEXT NOT NULL,
|
|
||||||
"profile" TEXT NOT NULL,
|
|
||||||
"picture" TEXT NOT NULL,
|
|
||||||
"website" TEXT NOT NULL,
|
|
||||||
"gender" TEXT NOT NULL,
|
|
||||||
"birthdate" TEXT NOT NULL,
|
|
||||||
"zoneinfo" TEXT NOT NULL,
|
|
||||||
"locale" TEXT NOT NULL,
|
|
||||||
"phone_number" TEXT NOT NULL,
|
|
||||||
"address" TEXT NOT NULL
|
|
||||||
);
|
|
||||||
@@ -1,43 +0,0 @@
|
|||||||
-- name: CreateSession :one
|
|
||||||
INSERT INTO "sessions" (
|
|
||||||
"uuid",
|
|
||||||
"username",
|
|
||||||
"email",
|
|
||||||
"name",
|
|
||||||
"provider",
|
|
||||||
"totp_pending",
|
|
||||||
"oauth_groups",
|
|
||||||
"expiry",
|
|
||||||
"created_at",
|
|
||||||
"oauth_name",
|
|
||||||
"oauth_sub"
|
|
||||||
) VALUES (
|
|
||||||
$1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11
|
|
||||||
)
|
|
||||||
RETURNING *;
|
|
||||||
|
|
||||||
-- name: GetSession :one
|
|
||||||
SELECT * FROM "sessions"
|
|
||||||
WHERE "uuid" = $1;
|
|
||||||
|
|
||||||
-- name: DeleteSession :exec
|
|
||||||
DELETE FROM "sessions"
|
|
||||||
WHERE "uuid" = $1;
|
|
||||||
|
|
||||||
-- name: UpdateSession :one
|
|
||||||
UPDATE "sessions" SET
|
|
||||||
"username" = $1,
|
|
||||||
"email" = $2,
|
|
||||||
"name" = $3,
|
|
||||||
"provider" = $4,
|
|
||||||
"totp_pending" = $5,
|
|
||||||
"oauth_groups" = $6,
|
|
||||||
"expiry" = $7,
|
|
||||||
"oauth_name" = $8,
|
|
||||||
"oauth_sub" = $9
|
|
||||||
WHERE "uuid" = $10
|
|
||||||
RETURNING *;
|
|
||||||
|
|
||||||
-- name: DeleteExpiredSessions :exec
|
|
||||||
DELETE FROM "sessions"
|
|
||||||
WHERE "expiry" < $1;
|
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
CREATE TABLE IF NOT EXISTS "sessions" (
|
|
||||||
"uuid" TEXT NOT NULL PRIMARY KEY,
|
|
||||||
"username" TEXT NOT NULL,
|
|
||||||
"email" TEXT NOT NULL,
|
|
||||||
"name" TEXT NOT NULL,
|
|
||||||
"provider" TEXT NOT NULL,
|
|
||||||
"totp_pending" BOOLEAN NOT NULL,
|
|
||||||
"oauth_groups" TEXT NOT NULL DEFAULT '',
|
|
||||||
"expiry" BIGINT NOT NULL,
|
|
||||||
"created_at" BIGINT NOT NULL,
|
|
||||||
"oauth_name" TEXT NOT NULL DEFAULT '',
|
|
||||||
"oauth_sub" TEXT NOT NULL DEFAULT ''
|
|
||||||
);
|
|
||||||
@@ -28,16 +28,3 @@ sql:
|
|||||||
go_type: "string"
|
go_type: "string"
|
||||||
- column: "oidc_codes.code_challenge"
|
- column: "oidc_codes.code_challenge"
|
||||||
go_type: "string"
|
go_type: "string"
|
||||||
- engine: "postgresql"
|
|
||||||
queries: "sql/postgres/*_queries.sql"
|
|
||||||
schema: "sql/postgres/*_schemas.sql"
|
|
||||||
gen:
|
|
||||||
go:
|
|
||||||
package: "postgres"
|
|
||||||
out: "internal/repository/postgres"
|
|
||||||
rename:
|
|
||||||
uuid: "UUID"
|
|
||||||
oauth_groups: "OAuthGroups"
|
|
||||||
oauth_name: "OAuthName"
|
|
||||||
oauth_sub: "OAuthSub"
|
|
||||||
redirect_uri: "RedirectURI"
|
|
||||||
|
|||||||
Reference in New Issue
Block a user