Add access tokens (#602)

internal/db/access_token.go

@@ -0,0 +1,125 @@
+package db
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"time"
+)
+
+const (
+	NoPermission        = 0
+	ReadPermission      = 1
+	ReadWritePermission = 2
+)
+
+type AccessToken struct {
+	ID         uint `gorm:"primaryKey"`
+	Name       string
+	TokenHash  string `gorm:"uniqueIndex,size:64"` // SHA-256 hash of the token
+	CreatedAt  int64
+	ExpiresAt  int64 // 0 means no expiration
+	LastUsedAt int64
+	UserID     uint
+	User       User `validate:"-"`
+
+	ScopeGist uint // 0 = none, 1 = read, 2 = read+write
+}
+
+// GenerateToken creates a new random token and returns the plain text token.
+// The token hash is stored in the AccessToken struct.
+// The plain text token should be shown to the user once and never stored.
+func (t *AccessToken) GenerateToken() (string, error) {
+	bytes := make([]byte, 32)
+	if _, err := rand.Read(bytes); err != nil {
+		return "", err
+	}
+
+	plainToken := "og_" + hex.EncodeToString(bytes)
+
+	hash := sha256.Sum256([]byte(plainToken))
+	t.TokenHash = hex.EncodeToString(hash[:])
+
+	return plainToken, nil
+}
+
+func GetAccessTokenByID(tokenID uint) (*AccessToken, error) {
+	token := new(AccessToken)
+	err := db.
+		Where("id = ?", tokenID).
+		First(&token).Error
+	return token, err
+}
+
+func GetAccessTokenByToken(plainToken string) (*AccessToken, error) {
+	hash := sha256.Sum256([]byte(plainToken))
+	tokenHash := hex.EncodeToString(hash[:])
+
+	token := new(AccessToken)
+	err := db.
+		Preload("User").
+		Where("token_hash = ?", tokenHash).
+		First(&token).Error
+	return token, err
+}
+
+func GetAccessTokensByUserID(userID uint) ([]*AccessToken, error) {
+	var tokens []*AccessToken
+	err := db.
+		Where("user_id = ?", userID).
+		Order("created_at desc").
+		Find(&tokens).Error
+	return tokens, err
+}
+
+func (t *AccessToken) Create() error {
+	t.CreatedAt = time.Now().Unix()
+	return db.Create(t).Error
+}
+
+func (t *AccessToken) Delete() error {
+	return db.Delete(t).Error
+}
+
+func (t *AccessToken) UpdateLastUsed() error {
+	return db.Model(t).Update("last_used_at", time.Now().Unix()).Error
+}
+
+func (t *AccessToken) IsExpired() bool {
+	if t.ExpiresAt == 0 {
+		return false
+	}
+	return time.Now().Unix() > t.ExpiresAt
+}
+
+func (t *AccessToken) HasGistReadPermission() bool {
+	return t.ScopeGist >= ReadPermission
+}
+
+func (t *AccessToken) HasGistWritePermission() bool {
+	return t.ScopeGist >= ReadWritePermission
+}
+
+// -- DTO -- //
+
+type AccessTokenDTO struct {
+	Name      string `form:"name" validate:"required,max=255"`
+	ScopeGist uint   `form:"scope_gist" validate:"min=0,max=2"`
+	ExpiresAt string `form:"expires_at"` // empty means no expiration, otherwise date format (YYYY-MM-DD)
+}
+
+func (dto *AccessTokenDTO) ToAccessToken() *AccessToken {
+	var expiresAt int64
+	if dto.ExpiresAt != "" {
+		// date input format: 2006-01-02, expires at end of day
+		if t, err := time.ParseInLocation("2006-01-02", dto.ExpiresAt, time.Local); err == nil {
+			expiresAt = t.Add(24*time.Hour - time.Second).Unix()
+		}
+	}
+
+	return &AccessToken{
+		Name:      dto.Name,
+		ScopeGist: dto.ScopeGist,
+		ExpiresAt: expiresAt,
+	}
+}

internal/db/db.go

@@ -155,7 +155,7 @@ func Setup(dbUri string) error {
 		return err
 	}
 
-	if err = db.AutoMigrate(&User{}, &Gist{}, &SSHKey{}, &AdminSetting{}, &Invitation{}, &WebAuthnCredential{}, &TOTP{}, &GistTopic{}, &GistLanguage{}, &GistInitQueue{}); err != nil {
+	if err = db.AutoMigrate(&User{}, &Gist{}, &SSHKey{}, &AdminSetting{}, &Invitation{}, &WebAuthnCredential{}, &TOTP{}, &GistTopic{}, &GistLanguage{}, &GistInitQueue{}, &AccessToken{}); err != nil {
 		return err
 	}
 
@@ -269,5 +269,5 @@ func DeprecationDBFilename() {
 }
 
 func TruncateDatabase() error {
-	return db.Migrator().DropTable("likes", &User{}, "gists", &SSHKey{}, &AdminSetting{}, &Invitation{}, &WebAuthnCredential{}, &TOTP{}, &GistTopic{}, &GistLanguage{}, &GistInitQueue{})
+	return db.Migrator().DropTable("likes", &User{}, "gists", &SSHKey{}, &AdminSetting{}, &Invitation{}, &WebAuthnCredential{}, &TOTP{}, &GistTopic{}, &GistLanguage{}, &GistInitQueue{}, &AccessToken{})
 }

internal/db/user.go

@@ -25,6 +25,7 @@ type User struct {
 	SSHKeys             []SSHKey             `gorm:"constraint:OnUpdate:CASCADE,OnDelete:CASCADE;foreignKey:UserID"`
 	Liked               []Gist               `gorm:"many2many:likes;constraint:OnUpdate:CASCADE,OnDelete:CASCADE"`
 	WebAuthnCredentials []WebAuthnCredential `gorm:"constraint:OnUpdate:CASCADE,OnDelete:CASCADE;foreignKey:UserID"`
+	AccessTokens        []AccessToken        `gorm:"constraint:OnUpdate:CASCADE,OnDelete:CASCADE;foreignKey:UserID"`
 }
 
 func (user *User) BeforeDelete(tx *gorm.DB) error {
@@ -72,6 +73,11 @@ func (user *User) BeforeDelete(tx *gorm.DB) error {
 		return err
 	}
 
+	err = tx.Where("user_id = ?", user.ID).Delete(&AccessToken{}).Error
+	if err != nil {
+		return err
+	}
+
 	err = tx.Where("user_id = ?", user.ID).Delete(&Gist{}).Error
 	if err != nil {
 		return err