documize/core/api/endpoint/authentication_endpoint.go

// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
//
// This software (Documize Community Edition) is licensed under
// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
//
// You can operate outside the AGPL restrictions by purchasing
// Documize Enterprise Edition and obtaining a commercial license
// by contacting <sales@documize.com>.
//
// https://documize.com

package endpoint

import (
	"database/sql"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"

	"github.com/documize/community/core/api/endpoint/models"
	"github.com/documize/community/core/api/entity"
	"github.com/documize/community/core/api/request"
	"github.com/documize/community/core/api/util"
	"github.com/documize/community/core/log"
	"github.com/documize/community/core/secrets"
	"github.com/documize/community/core/section/provider"
	"github.com/documize/community/core/web"
)

// Authenticate user based up HTTP Authorization header.
// An encrypted authentication token is issued with an expiry date.
func Authenticate(w http.ResponseWriter, r *http.Request) {
	method := "Authenticate"
	p := request.GetPersister(r)

	authHeader := r.Header.Get("Authorization")

	// check for http header
	if len(authHeader) == 0 {
		writeBadRequestError(w, method, "Missing Authorization header")
		return
	}

	// decode what we received
	data := strings.Replace(authHeader, "Basic ", "", 1)

	decodedBytes, err := secrets.DecodeBase64([]byte(data))
	if err != nil {
		writeBadRequestError(w, method, "Unable to decode authentication token")
		return
	}
	decoded := string(decodedBytes)

	// check that we have domain:email:password (but allow for : in password field!)
	credentials := strings.SplitN(decoded, ":", 3)

	if len(credentials) != 3 {
		writeBadRequestError(w, method, "Bad authentication token, expecting domain:email:password")
		return
	}

	domain := strings.TrimSpace(strings.ToLower(credentials[0]))
	domain = request.CheckDomain(domain) // TODO optimize by removing this once js allows empty domains
	email := strings.TrimSpace(strings.ToLower(credentials[1]))
	password := credentials[2]
	log.Info("logon attempt " + email + " @ " + domain)

	user, err := p.GetUserByDomain(domain, email)

	if err == sql.ErrNoRows {
		writeUnauthorizedError(w)
		return
	}

	if err != nil {
		writeServerError(w, method, err)
		return
	}

	if len(user.Reset) > 0 || len(user.Password) == 0 {
		writeUnauthorizedError(w)
		return
	}

	// Password correct and active user
	if email != strings.TrimSpace(strings.ToLower(user.Email)) || !secrets.MatchPassword(user.Password, password, user.Salt) {
		writeUnauthorizedError(w)
		return
	}

	org, err := p.GetOrganizationByDomain(domain)
	if err != nil {
		writeUnauthorizedError(w)
		return
	}

	// Attach user accounts and work out permissions
	attachUserAccounts(p, org.RefID, &user)

	// active check

	if len(user.Accounts) == 0 {
		writeUnauthorizedError(w)
		return
	}

	authModel := models.AuthenticationModel{}
	authModel.Token = generateJWT(user.RefID, org.RefID, domain)
	authModel.User = user

	json, err := json.Marshal(authModel)
	if err != nil {
		writeJSONMarshalError(w, method, "user", err)
		return
	}

	writeSuccessBytes(w, json)
}

// Authorize secure API calls by inspecting authentication token.
// request.Context provides caller user information.
// Site meta sent back as HTTP custom headers.
func Authorize(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
	method := "Authorize"

	// Let certain requests pass straight through
	authenticated := preAuthorizeStaticAssets(r)

	if !authenticated {
		token := findJWT(r)
		hasToken := len(token) > 1
		context, _, tokenErr := decodeJWT(token)

		var org = entity.Organization{}
		var err = errors.New("")

		// We always grab the org record regardless of token status.
		// Why? If bad token we might be OK to alow anonymous access
		// depending upon the domain in question.
		p := request.GetPersister(r)

		if len(context.OrgID) == 0 {
			org, err = p.GetOrganizationByDomain(request.GetRequestSubdomain(r))
		} else {
			org, err = p.GetOrganization(context.OrgID)
		}

		context.Subdomain = org.Domain

		// Inability to find org record spells the end of this request.
		if err != nil {
			writeForbiddenError(w)
			return
		}

		// If we have bad auth token and the domain does not allow anon access
		if !org.AllowAnonymousAccess && tokenErr != nil {
			writeUnauthorizedError(w)
			return
		}

		domain := request.GetSubdomainFromHost(r)
		domain2 := request.GetRequestSubdomain(r)
		if org.Domain != domain && org.Domain != domain2 {
			log.Info(fmt.Sprintf("domain mismatch %s vs. %s vs. %s", domain, domain2, org.Domain))

			writeUnauthorizedError(w)
			return
		}

		// If we have bad auth token and the domain allows anon access
		// then we generate guest context.
		if org.AllowAnonymousAccess {
			// So you have a bad token
			if hasToken {
				if tokenErr != nil {
					writeUnauthorizedError(w)
					return
				}
			} else {
				// Just grant anon user guest access
				context.UserID = "0"
				context.OrgID = org.RefID
				context.Authenticated = false
				context.Guest = true
			}
		}

		// Refresh context and persister
		request.SetContext(r, context)
		p = request.GetPersister(r)

		context.AllowAnonymousAccess = org.AllowAnonymousAccess
		context.OrgName = org.Title
		context.Administrator = false
		context.Editor = false
		context.Global = false

		// Fetch user permissions for this org
		if context.Authenticated {
			user, err := getSecuredUser(p, org.RefID, context.UserID)

			if err != nil {
				writeServerError(w, method, err)
				return
			}

			context.Administrator = user.Admin
			context.Editor = user.Editor
			context.Global = user.Global

			var state struct {
				Active bool `json:"active"`
				Admin  bool `json:"admin"`
				Editor bool `json:"editor"`
			}

			state.Active = user.Active
			state.Admin = user.Admin
			state.Editor = user.Editor
			sb, err := json.Marshal(state)

			w.Header().Add("X-Documize-Status", string(sb))
		}

		request.SetContext(r, context)
		p = request.GetPersister(r)

		// Middleware moves on if we say 'yes' -- authenticated or allow anon access.
		authenticated = context.Authenticated || org.AllowAnonymousAccess
	}

	if authenticated {
		next(w, r)
	} else {
		w.WriteHeader(http.StatusUnauthorized)
	}
}

// ValidateAuthToken finds and validates authentication token.
func ValidateAuthToken(w http.ResponseWriter, r *http.Request) {

	log.Info("cb gh")
	// TODO should this go after token validation?
	if s := r.URL.Query().Get("section"); s != "" {
		if err := provider.Callback(s, w, r); err != nil {
			log.Error("section validation failure", err)
			w.WriteHeader(http.StatusUnauthorized)
		}

		return
	}

	token := findJWT(r)
	hasToken := len(token) > 1
	context, _, tokenErr := decodeJWT(token)

	var org = entity.Organization{}
	var err = errors.New("")
	p := request.GetPersister(r)

	// We always grab the org record regardless of token status.
	// Why? If bad token we might be OK to alow anonymous access
	// depending upon the domain in question.
	if len(context.OrgID) == 0 {
		org, err = p.GetOrganizationByDomain(request.GetRequestSubdomain(r))
	} else {
		org, err = p.GetOrganization(context.OrgID)
	}

	context.Subdomain = org.Domain

	// Inability to find org record spells the end of this request.
	if err != nil {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	// If we have bad auth token and the domain does not allow anon access
	if !org.AllowAnonymousAccess && tokenErr != nil {
		return
	}

	domain := request.GetSubdomainFromHost(r)
	domain2 := request.GetRequestSubdomain(r)
	if org.Domain != domain && org.Domain != domain2 {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	// If we have bad auth token and the domain allows anon access
	// then we generate guest context.
	if org.AllowAnonymousAccess {
		// So you have a bad token
		if hasToken {
			if tokenErr != nil {
				w.WriteHeader(http.StatusUnauthorized)
				return
			}
		} else {
			// Just grant anon user guest access
			context.UserID = "0"
			context.OrgID = org.RefID
			context.Authenticated = false
			context.Guest = true
		}
	}

	// Refresh context and persister
	request.SetContext(r, context)
	p = request.GetPersister(r)

	context.AllowAnonymousAccess = org.AllowAnonymousAccess
	context.OrgName = org.Title
	context.Administrator = false
	context.Editor = false
	context.Global = false

	// Fetch user permissions for this org
	if !context.Authenticated {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	user, err := getSecuredUser(p, org.RefID, context.UserID)

	if err != nil {
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	context.Administrator = user.Admin
	context.Editor = user.Editor
	context.Global = user.Global

	util.WriteJSON(w, user)
	return
}

// Certain assets/URL do not require authentication.
// Just stops the log files being clogged up with failed auth errors.
func preAuthorizeStaticAssets(r *http.Request) bool {
	if strings.ToLower(r.URL.Path) == "/" ||
		strings.ToLower(r.URL.Path) == "/validate" ||
		strings.ToLower(r.URL.Path) == "/favicon.ico" ||
		strings.ToLower(r.URL.Path) == "/robots.txt" ||
		strings.ToLower(r.URL.Path) == "/version" ||
		strings.HasPrefix(strings.ToLower(r.URL.Path), "/api/public/") ||
		((web.SiteMode == web.SiteModeSetup) && (strings.ToLower(r.URL.Path) == "/api/setup")) {

		return true
	}

	return false
}