|
|
|
@ -4,6 +4,7 @@ import (
|
|
|
|
|
"context"
|
|
|
|
|
"net/http"
|
|
|
|
|
"strings"
|
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
|
|
|
"github.com/pkg/errors"
|
|
|
|
@ -11,6 +12,7 @@ import (
|
|
|
|
|
"google.golang.org/grpc/codes"
|
|
|
|
|
"google.golang.org/grpc/metadata"
|
|
|
|
|
"google.golang.org/grpc/status"
|
|
|
|
|
"google.golang.org/protobuf/types/known/timestamppb"
|
|
|
|
|
|
|
|
|
|
"github.com/usememos/memos/internal/util"
|
|
|
|
|
storepb "github.com/usememos/memos/proto/gen/store"
|
|
|
|
@ -24,6 +26,9 @@ const (
|
|
|
|
|
// The key name used to store username in the context
|
|
|
|
|
// user id is extracted from the jwt token subject field.
|
|
|
|
|
usernameContextKey ContextKey = iota
|
|
|
|
|
// The key name used to store session ID in the context (for session-based auth).
|
|
|
|
|
sessionIDContextKey
|
|
|
|
|
// The key name used to store access token in the context (for token-based auth).
|
|
|
|
|
accessTokenContextKey
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
@ -43,31 +48,29 @@ func NewGRPCAuthInterceptor(store *store.Store, secret string) *GRPCAuthIntercep
|
|
|
|
|
|
|
|
|
|
// AuthenticationInterceptor is the unary interceptor for gRPC API.
|
|
|
|
|
func (in *GRPCAuthInterceptor) AuthenticationInterceptor(ctx context.Context, request any, serverInfo *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
|
|
|
|
|
// Check if this method is in the allowlist first
|
|
|
|
|
if isUnauthorizeAllowedMethod(serverInfo.FullMethod) {
|
|
|
|
|
return handler(ctx, request)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
md, ok := metadata.FromIncomingContext(ctx)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, status.Errorf(codes.Unauthenticated, "failed to parse metadata from incoming context")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Try to get access token from either Authorization header or cookie
|
|
|
|
|
accessToken, err := getTokenFromMetadata(md)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, status.Errorf(codes.Unauthenticated, "failed to get access token: %v", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
username, err := in.authenticate(ctx, accessToken)
|
|
|
|
|
// Authenticate using access token (which also validates sessions when it's from cookie)
|
|
|
|
|
username, user, err := in.authenticateByAccessToken(ctx, accessToken)
|
|
|
|
|
if err != nil {
|
|
|
|
|
if isUnauthorizeAllowedMethod(serverInfo.FullMethod) {
|
|
|
|
|
return handler(ctx, request)
|
|
|
|
|
}
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
user, err := in.Store.GetUser(ctx, &store.FindUser{
|
|
|
|
|
Username: &username,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, errors.Wrap(err, "failed to get user")
|
|
|
|
|
}
|
|
|
|
|
if user == nil {
|
|
|
|
|
return nil, errors.Errorf("user %q not exists", username)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check user status
|
|
|
|
|
if user.RowStatus == store.Archived {
|
|
|
|
|
return nil, errors.Errorf("user %q is archived", username)
|
|
|
|
|
}
|
|
|
|
@ -75,14 +78,27 @@ func (in *GRPCAuthInterceptor) AuthenticationInterceptor(ctx context.Context, re
|
|
|
|
|
return nil, errors.Errorf("user %q is not admin", username)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Set context values
|
|
|
|
|
ctx = context.WithValue(ctx, usernameContextKey, username)
|
|
|
|
|
ctx = context.WithValue(ctx, accessTokenContextKey, accessToken)
|
|
|
|
|
|
|
|
|
|
// Determine if this came from cookie (session) or header (API token)
|
|
|
|
|
if _, headerErr := getAccessTokenFromMetadata(md); headerErr != nil {
|
|
|
|
|
// Came from cookie, treat as session
|
|
|
|
|
ctx = context.WithValue(ctx, sessionIDContextKey, accessToken)
|
|
|
|
|
// Update session last accessed time
|
|
|
|
|
_ = in.updateSessionLastAccessed(ctx, user.ID, accessToken)
|
|
|
|
|
} else {
|
|
|
|
|
// Came from Authorization header, treat as API token
|
|
|
|
|
ctx = context.WithValue(ctx, accessTokenContextKey, accessToken)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return handler(ctx, request)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessToken string) (string, error) {
|
|
|
|
|
// authenticateByAccessToken authenticates a user using access token from Authorization header or cookie.
|
|
|
|
|
func (in *GRPCAuthInterceptor) authenticateByAccessToken(ctx context.Context, accessToken string) (string, *store.User, error) {
|
|
|
|
|
if accessToken == "" {
|
|
|
|
|
return "", status.Errorf(codes.Unauthenticated, "access token not found")
|
|
|
|
|
return "", nil, status.Errorf(codes.Unauthenticated, "access token not found")
|
|
|
|
|
}
|
|
|
|
|
claims := &ClaimsMessage{}
|
|
|
|
|
_, err := jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) {
|
|
|
|
@ -97,42 +113,81 @@ func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessToken str
|
|
|
|
|
return nil, status.Errorf(codes.Unauthenticated, "unexpected access token kid=%v", t.Header["kid"])
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", status.Errorf(codes.Unauthenticated, "Invalid or expired access token")
|
|
|
|
|
return "", nil, status.Errorf(codes.Unauthenticated, "Invalid or expired access token")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// We either have a valid access token or we will attempt to generate new access token.
|
|
|
|
|
userID, err := util.ConvertStringToInt32(claims.Subject)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", errors.Wrap(err, "malformed ID in the token")
|
|
|
|
|
return "", nil, errors.Wrap(err, "malformed ID in the token")
|
|
|
|
|
}
|
|
|
|
|
user, err := in.Store.GetUser(ctx, &store.FindUser{
|
|
|
|
|
ID: &userID,
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", errors.Wrap(err, "failed to get user")
|
|
|
|
|
return "", nil, errors.Wrap(err, "failed to get user")
|
|
|
|
|
}
|
|
|
|
|
if user == nil {
|
|
|
|
|
return "", errors.Errorf("user %q not exists", userID)
|
|
|
|
|
return "", nil, errors.Errorf("user %q not exists", userID)
|
|
|
|
|
}
|
|
|
|
|
if user.RowStatus == store.Archived {
|
|
|
|
|
return "", errors.Errorf("user %q is archived", userID)
|
|
|
|
|
return "", nil, errors.Errorf("user %q is archived", userID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
accessTokens, err := in.Store.GetUserAccessTokens(ctx, user.ID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", errors.Wrapf(err, "failed to get user access tokens")
|
|
|
|
|
return "", nil, errors.Wrapf(err, "failed to get user access tokens")
|
|
|
|
|
}
|
|
|
|
|
if !validateAccessToken(accessToken, accessTokens) {
|
|
|
|
|
return "", status.Errorf(codes.Unauthenticated, "invalid access token")
|
|
|
|
|
return "", nil, status.Errorf(codes.Unauthenticated, "invalid access token")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// For tokens that might be used as session IDs (from cookies), also validate session existence
|
|
|
|
|
// This is a best-effort check - if sessions can't be retrieved or token isn't a session, that's ok
|
|
|
|
|
if sessions, err := in.Store.GetUserSessions(ctx, user.ID); err == nil {
|
|
|
|
|
validateUserSession(accessToken, sessions) // Result doesn't matter for API tokens
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return user.Username, nil
|
|
|
|
|
return user.Username, user, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// updateSessionLastAccessed updates the last accessed time for a user session.
|
|
|
|
|
func (in *GRPCAuthInterceptor) updateSessionLastAccessed(ctx context.Context, userID int32, sessionID string) error {
|
|
|
|
|
return in.Store.UpdateUserSessionLastAccessed(ctx, userID, sessionID, timestamppb.Now())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// validateUserSession checks if a session exists and is still valid.
|
|
|
|
|
func validateUserSession(sessionID string, userSessions []*storepb.SessionsUserSetting_Session) bool {
|
|
|
|
|
for _, session := range userSessions {
|
|
|
|
|
if sessionID == session.SessionId {
|
|
|
|
|
// Check if session has expired
|
|
|
|
|
if session.ExpireTime != nil && session.ExpireTime.AsTime().Before(time.Now()) {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// getAccessTokenFromMetadata extracts access token from Authorization header.
|
|
|
|
|
func getAccessTokenFromMetadata(md metadata.MD) (string, error) {
|
|
|
|
|
// Check the HTTP request Authorization header.
|
|
|
|
|
authorizationHeaders := md.Get("Authorization")
|
|
|
|
|
if len(authorizationHeaders) == 0 {
|
|
|
|
|
return "", errors.New("authorization header not found")
|
|
|
|
|
}
|
|
|
|
|
authHeaderParts := strings.Fields(authorizationHeaders[0])
|
|
|
|
|
if len(authHeaderParts) != 2 || strings.ToLower(authHeaderParts[0]) != "bearer" {
|
|
|
|
|
return "", errors.New("authorization header format must be Bearer {token}")
|
|
|
|
|
}
|
|
|
|
|
return authHeaderParts[1], nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getTokenFromMetadata(md metadata.MD) (string, error) {
|
|
|
|
|
// Check the HTTP request header first.
|
|
|
|
|
authorizationHeaders := md.Get("Authorization")
|
|
|
|
|
if len(md.Get("Authorization")) > 0 {
|
|
|
|
|
if len(authorizationHeaders) > 0 {
|
|
|
|
|
authHeaderParts := strings.Fields(authorizationHeaders[0])
|
|
|
|
|
if len(authHeaderParts) != 2 || strings.ToLower(authHeaderParts[0]) != "bearer" {
|
|
|
|
|
return "", errors.New("authorization header format must be Bearer {token}")
|
|
|
|
@ -149,6 +204,9 @@ func getTokenFromMetadata(md metadata.MD) (string, error) {
|
|
|
|
|
accessToken = v.Value
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if accessToken == "" {
|
|
|
|
|
return "", errors.New("access token not found")
|
|
|
|
|
}
|
|
|
|
|
return accessToken, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|