admin/Authentication
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7c87114b30d9d45e852535d9f4c80f5ba94da47e
Authentication/handlers/google_auth.go
T
admin 7c87114b30 fixed
2025-11-26 11:31:09 +08:00

597 lines
20 KiB
Go
Raw Blame History

package handlers
import (
"authentication/db"
"authentication/helper"
"authentication/models"
"authentication/services"
"context"
"crypto/rand"
"encoding/json"
"errors"
"fmt"
"io"
"log"
"net"
"net/http"
"net/url"
"os"
"strings"
"time"
"github.com/golang-jwt/jwt/v5"
"github.com/joho/godotenv"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
)
var googleOauthConfig oauth2.Config
var oauthStateString = generateRandomState()
var DashboardBaseURL string
// init initializes the Google OAuth2 configuration by loading environment variables
// from a .env file. If the .env file cannot be loaded, it logs a fatal error.
// Note: This init runs AFTER .env is loaded in main() init
// But we need to load .env here too since init order is package-based
func init() {
cwd, _ := os.Getwd()
log.Printf("[google_auth.init] Current working directory: %s", cwd)
err := godotenv.Load()
if err != nil {
log.Printf("[google_auth.init] Failed to load .env: %v, trying .env explicitly", err)
err = godotenv.Load(".env")
if err != nil {
log.Printf("[google_auth.init] Failed to load .env explicitly: %v", err)
}
}
clientID := os.Getenv("GOOGLE_CLIENT_ID")
clientSecret := os.Getenv("GOOGLE_CLIENT_SECRET")
backendURL := os.Getenv("BACKEND_URL")
log.Printf("[google_auth.init] GOOGLE_CLIENT_ID: '%s' (length: %d)", clientID, len(clientID))
log.Printf("[google_auth.init] GOOGLE_CLIENT_SECRET: '%s' (length: %d)", clientSecret, len(clientSecret))
log.Printf("[google_auth.init] BACKEND_URL: '%s'", backendURL)
googleOauthConfig = oauth2.Config{
ClientID: clientID,
ClientSecret: clientSecret,
RedirectURL: fmt.Sprintf("%s/v1/auth/callback", backendURL),
Scopes: []string{
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/userinfo.profile",
},
Endpoint: google.Endpoint,
}
if googleOauthConfig.ClientID == "" {
log.Fatal("GOOGLE_CLIENT_ID is not set in environment variables")
}
if googleOauthConfig.ClientSecret == "" {
log.Fatal("GOOGLE_CLIENT_SECRET is not set in environment variables")
}
DashboardBaseURL = os.Getenv("DASHBOARD_URL")
}
func generateRandomState() string {
b := make([]byte, 16)
if _, err := rand.Read(b); err != nil {
helper.LogError(err, "Error generating random state")
return ""
}
return fmt.Sprintf("%x", b)
}
func GoogleLogin(w http.ResponseWriter, r *http.Request) {
helper.LogInfo(fmt.Sprintf("Generated oauth_state: %s", oauthStateString))
isSecure := strings.HasPrefix(os.Getenv("BACKEND_URL"), HTTPS)
http.SetCookie(w, &http.Cookie{
Name: "oauth_state",
Value: oauthStateString,
Path: "/",
HttpOnly: true,
Secure: isSecure,
SameSite: http.SameSiteLaxMode,
Expires: time.Now().Add(5 * time.Minute),
})
url := googleOauthConfig.AuthCodeURL(oauthStateString, oauth2.AccessTypeOffline, oauth2.ApprovalForce)
http.Redirect(w, r, url, http.StatusFound)
}
func getIPAddress(r *http.Request) string {
for header, values := range r.Header {
for _, value := range values {
helper.LogInfo(fmt.Sprintf("Header: %s = %s", header, value))
}
}
xForwardedFor := r.Header.Get("X-Forwarded-For")
if xForwardedFor != "" {
ips := strings.Split(xForwardedFor, ",")
ip := strings.TrimSpace(ips[0])
if net.ParseIP(ip) != nil {
return ip
}
}
xRealIP := r.Header.Get("X-Real-IP")
if xRealIP != "" && net.ParseIP(xRealIP) != nil {
return xRealIP
}
ip, _, err := net.SplitHostPort(r.RemoteAddr)
if err != nil {
helper.LogError(err, "Error parsing remote address")
return ""
}
parsedIP := net.ParseIP(ip)
if parsedIP != nil && parsedIP.IsLoopback() {
return "127.0.0.1"
}
return ip
}
func GoogleCallback(w http.ResponseWriter, r *http.Request) {
ipAddress := getIPAddress(r)
fmt.Printf("INFO: Extracted IP address: %s\n", ipAddress)
userAgent := r.Header.Get("User-Agent")
if !validateState(w, r) {
return
}
userInfo, err := FetchGoogleUserInfo(w, r)
if err != nil {
http.Redirect(w, r, fmt.Sprintf(errorFormat, DashboardBaseURL, url.QueryEscape("")), http.StatusSeeOther)
return
}
email := userInfo.Email
profilePicture := userInfo.Picture
emailExists, err := checkEmailInDB(email)
if err != nil {
helper.LogError(err, "Error checking email")
http.Redirect(w, r, fmt.Sprintf(errorFormat, DashboardBaseURL, url.QueryEscape("Error checking email in database")), http.StatusSeeOther)
return
}
helper.LogError(fmt.Errorf("%v", emailExists), "Email exists in DB")
accessToken, refreshToken, err := GenerateTokens(email, userAgent, ipAddress)
if err != nil {
helper.LogError(err, "Error generating access token")
http.Redirect(w, r, fmt.Sprintf(errorFormat, DashboardBaseURL, url.QueryEscape("Token generation failed")), http.StatusSeeOther)
return
}
var refreshTokenExpiry time.Duration
if emailExists {
refreshTokenExpiry = 7 * 24 * time.Hour
} else {
refreshTokenExpiry = 2 * time.Hour
}
isSecure := strings.HasPrefix(os.Getenv("BACKEND_URL"), HTTPS)
cookieConfig := &http.Cookie{
Name: "refresh_token",
Value: refreshToken,
Path: "/",
HttpOnly: true,
Expires: time.Now().Add(refreshTokenExpiry),
}
if isSecure {
cookieConfig.Secure = true
cookieConfig.SameSite = http.SameSiteLaxMode
helper.LogInfo("Setting refresh_token cookie for PRODUCTION (secure=true)")
} else {
cookieConfig.Secure = false
cookieConfig.SameSite = http.SameSiteLaxMode
cookieConfig.Domain = "localhost"
helper.LogInfo("Setting refresh_token cookie for DEVELOPMENT (secure=false, domain=localhost)")
}
http.SetCookie(w, cookieConfig)
helper.LogInfo(fmt.Sprintf("Refresh token cookie set: Domain=%s, Secure=%v, HttpOnly=%v, SameSite=%v",
cookieConfig.Domain, cookieConfig.Secure, cookieConfig.HttpOnly, cookieConfig.SameSite))
if !emailExists {
helper.LogWarn(fmt.Sprintf("Email %s does not exist in the database", email))
registrationURL := fmt.Sprintf("%s/callback?error=%s&token=%s", DashboardBaseURL, url.QueryEscape("Please register first"), accessToken)
http.Redirect(w, r, registrationURL, http.StatusSeeOther)
return
}
var firstName string
helper.LogInfo("Fetching first name for email: " + email)
helper.LogInfo("Userinfo Email: " + userInfo.Email)
userID, firstNamePtr, lastNamePtr, emailAddressPtr, err := services.GetUser(email)
if err != nil {
helper.LogError(err, "Error fetching user")
http.Redirect(w, r, fmt.Sprintf(errorFormat, DashboardBaseURL, url.QueryEscape("User not found")), http.StatusSeeOther)
return
}
// Dereference pointers to get actual string values
if firstNamePtr != nil {
firstName = *firstNamePtr
}
lastName := ""
if lastNamePtr != nil {
lastName = *lastNamePtr
}
emailAddress := emailAddressPtr
helper.LogInfo("Access Token Generated Copy this: " + accessToken)
err = helper.LogLoginEventV2(userID, ipAddress)
if err != nil {
http.Redirect(w, r, fmt.Sprintf(errorFormat, DashboardBaseURL, url.QueryEscape("Failed to log login event")), http.StatusSeeOther)
return
}
helper.LogInfo("Copy this access token: " + accessToken)
DashboardURL := fmt.Sprintf("%s/callback?token=%s&user_id=%s&first_name=%s&last_name=%s&email_address=%s&profile_picture=%s", DashboardBaseURL, accessToken, userID, firstName, lastName, emailAddress, profilePicture)
http.Redirect(w, r, DashboardURL, http.StatusSeeOther)
}
func validateState(w http.ResponseWriter, r *http.Request) bool {
cookie, err := r.Cookie("oauth_state")
if err != nil || r.URL.Query().Get("state") != cookie.Value {
helper.LogWarn(errorInvalidState)
http.Redirect(w, r, fmt.Sprintf(errorFormat, DashboardBaseURL, url.QueryEscape(errorInvalidState)), http.StatusSeeOther)
return false
}
helper.LogInfo(fmt.Sprintf("Cookie state: %s, Callback state: %s", cookie.Value, r.URL.Query().Get("state")))
return true
}
func FetchGoogleUserInfo(w http.ResponseWriter, r *http.Request) (models.UserGoogleInfo, error) {
code := r.URL.Query().Get("code")
token, err := googleOauthConfig.Exchange(context.Background(), code)
if err != nil {
helper.LogError(err, "Error exchanging token")
// http.Redirect(w, r, DashboardBaseURL, http.StatusSeeOther)
return models.UserGoogleInfo{}, err
}
helper.LogInfo(fmt.Sprintf("Access Token: %s", token.AccessToken))
client := googleOauthConfig.Client(context.Background(), token)
req, err := http.NewRequest("GET", "https://www.googleapis.com/oauth2/v1/userinfo?alt=json", nil)
if err != nil {
helper.LogError(err, "Error creating request")
return models.UserGoogleInfo{}, err
}
req.Header.Set("Authorization", bearerPrefix+token.AccessToken)
resp, err := client.Do(req)
if err != nil {
helper.LogError(err, "Error sending request")
return models.UserGoogleInfo{}, err
}
defer func(Body io.ReadCloser) {
err := Body.Close()
if err != nil {
helper.LogError(err, "Error closing response body")
}
}(resp.Body)
var userInfo models.UserGoogleInfo
if err := json.NewDecoder(resp.Body).Decode(&userInfo); err != nil {
helper.LogError(err, "Error decoding user info")
return models.UserGoogleInfo{}, err
}
return userInfo, nil
}
func HandleTokenRefresh(w http.ResponseWriter, r *http.Request) {
if r.Method == http.MethodOptions {
w.Header().Set("Access-Control-Allow-Origin", "*")
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
w.Header().Set("Access-Control-Max-Age", "3600")
w.WriteHeader(http.StatusOK)
return
}
// First, check if access token is provided and if it's expired
helper.LogInfo("Refresh token handler called")
authHeader := r.Header.Get("Authorization")
helper.LogInfo("Authorization header: " + authHeader)
if authHeader != "" && strings.HasPrefix(authHeader, bearerPrefix) {
accessToken := strings.TrimSpace(strings.TrimPrefix(authHeader, bearerPrefix))
helper.LogInfo("Access token from header: " + accessToken)
token, err := jwt.ParseWithClaims(accessToken, &models.AccessToken{}, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return []byte(os.Getenv("JWT_SECRET_KEY")), nil
})
helper.LogInfo("Parsed token: " + fmt.Sprintf("%v", token))
if err == nil && token != nil && token.Claims != nil {
if claims, ok := token.Claims.(*models.AccessToken); ok && claims != nil {
if claims.Exp != 0 && claims.ExpiresAt != nil {
helper.LogInfo("Token expiration timestamp: " + fmt.Sprintf("%v", claims.ExpiresAt.Unix()))
helper.LogInfo("Current timestamp: " + fmt.Sprintf("%v", time.Now().Unix()))
} else {
helper.LogInfo("Token Exp is zero or ExpiresAt is nil")
if claims.Exp != 0 {
helper.LogInfo("Exp: " + fmt.Sprintf("%d (%s)", claims.Exp, time.Unix(claims.Exp, 0).Format(time.RFC3339)))
} else {
helper.LogInfo("Exp field is 0")
}
}
helper.LogInfo("Token expiration (Exp field): " + fmt.Sprintf("%d", claims.Exp))
helper.LogInfo("Current time: " + fmt.Sprintf("%d", time.Now().Unix()))
if claims.Exp < time.Now().Unix() {
helper.LogInfo("Token is actually expired based on Exp field")
} else {
helper.LogInfo("Token is NOT expired based on Exp field")
}
helper.LogInfo("Token valid: " + fmt.Sprintf("%v", token.Valid))
// Always proceed to refresh when requested, regardless of current token validity
helper.LogInfo("Access token present, but proceeding with refresh as requested")
} else {
helper.LogInfo("Failed to cast token claims to AccessToken or claims is nil")
}
} else {
helper.LogInfo("Token parsing failed or token is nil. Error: " + fmt.Sprintf("%v", err))
}
if err != nil && !strings.Contains(err.Error(), "expired") && !strings.Contains(err.Error(), "used before issued") {
helper.LogError(err, "Invalid access token format")
helper.RespondWithError(w, http.StatusBadRequest, "Invalid access token format")
return
}
helper.LogInfo("Access token is expired or invalid, proceeding with refresh")
}
// Log all cookies for debugging
helper.LogInfo("TRACE: All cookies in request: " + fmt.Sprintf("%d cookies", len(r.Cookies())))
for i, cookie := range r.Cookies() {
helper.LogInfo(fmt.Sprintf("TRACE: Cookie %d: Name=%s, Value-length=%d, Domain=%s, Path=%s",
i, cookie.Name, len(cookie.Value), cookie.Domain, cookie.Path))
}
cookie, err := r.Cookie("refresh_token")
helper.LogInfo("TRACE: Cookie retrieval - error: " + fmt.Sprintf("%v", err))
if err != nil {
helper.LogError(err, "Refresh token cookie not found")
helper.RespondWithError(w, http.StatusUnauthorized, "Refresh token not found")
return
}
refreshToken := cookie.Value
helper.LogInfo("TRACE: Refresh token from cookie - length: " + fmt.Sprintf("%d", len(refreshToken)))
if refreshToken == "" {
helper.LogError(errors.New("refresh token cookie is empty"), "refresh token cookie is empty")
helper.RespondWithError(w, http.StatusUnauthorized, "refresh token is empty")
return
}
// Get client info for security validation
userAgent := r.Header.Get("User-Agent")
ipAddress := getIPAddress(r)
// Try to extract email from access token for fallback during refresh
var emailFromToken string
if authHeader != "" && strings.HasPrefix(authHeader, bearerPrefix) {
accessToken := strings.TrimSpace(strings.TrimPrefix(authHeader, bearerPrefix))
if token, err := jwt.ParseWithClaims(accessToken, &models.AccessToken{}, func(token *jwt.Token) (interface{}, error) {
return []byte(os.Getenv("JWT_SECRET_KEY")), nil
}); err == nil {
if claims, ok := token.Claims.(*models.AccessToken); ok && claims.Email != "" {
emailFromToken = claims.Email
helper.LogInfo("TRACE: Extracted email from access token for fallback: " + emailFromToken)
}
}
}
// Use the improved RefreshAccessToken function
newAccessToken, err := GenerateTokensFromRefreshWithEmail(refreshToken, userAgent, ipAddress, emailFromToken)
helper.LogInfo("New access token: " + newAccessToken)
helper.LogInfo("New access token length: " + fmt.Sprintf("%d", len(newAccessToken)))
if newAccessToken == "" {
helper.LogError(errors.New("generated access token is empty"), "Generated access token is empty")
helper.RespondWithError(w, http.StatusUnauthorized, "Failed to generate new access token")
}
if err != nil {
helper.LogError(err, "Failed to refresh access token")
// Return specific error messages
if strings.Contains(err.Error(), "too many refresh attempts") {
helper.RespondWithError(w, http.StatusTooManyRequests, "Too many refresh attempts, please wait")
return
}
if strings.Contains(err.Error(), "expired") || strings.Contains(err.Error(), "revoked") {
helper.RespondWithError(w, http.StatusUnauthorized, "Session expired, please login again")
return
}
helper.RespondWithError(w, http.StatusUnauthorized, "Invalid refresh token")
return
}
var expiresInSeconds int
env := os.Getenv("GO_ENV")
if env == "production" || env == "canary" {
expiresInSeconds = 45 * 60
} else {
expiresInSeconds = 15 * 60
}
response := map[string]interface{}{
"access_token": newAccessToken,
"token_type": "Bearer",
"expires_in": expiresInSeconds,
}
helper.LogInfo("TRACE: About to send response: " + fmt.Sprintf("%+v", response))
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
if err := json.NewEncoder(w).Encode(response); err != nil {
helper.LogError(err, "Failed to encode response")
} else {
helper.LogInfo("TRACE: Response successfully encoded and sent")
}
}
// GenerateTokensFromRefresh creates a new access token from a refresh token
func GenerateTokensFromRefresh(refreshToken, userAgent, ipAddress string) (string, error) {
helper.LogInfo("TRACE: GenerateTokensFromRefresh called")
helper.LogInfo("TRACE: refreshToken length: " + fmt.Sprintf("%d", len(refreshToken)))
helper.LogInfo("TRACE: userAgent: " + userAgent)
helper.LogInfo("TRACE: ipAddress: " + ipAddress)
result, err := RefreshAccessToken(refreshToken, userAgent, ipAddress)
helper.LogInfo("TRACE: RefreshAccessToken returned - token length: " + fmt.Sprintf("%d", len(result)) + ", error: " + fmt.Sprintf("%v", err))
return result, err
}
// GenerateTokensFromRefreshWithEmail creates a new access token from a refresh token with email fallback
func GenerateTokensFromRefreshWithEmail(refreshToken, userAgent, ipAddress, emailFallback string) (string, error) {
helper.LogInfo("TRACE: GenerateTokensFromRefreshWithEmail called")
helper.LogInfo("TRACE: refreshToken length: " + fmt.Sprintf("%d", len(refreshToken)))
helper.LogInfo("TRACE: userAgent: " + userAgent)
helper.LogInfo("TRACE: ipAddress: " + ipAddress)
helper.LogInfo("TRACE: emailFallback: " + emailFallback)
result, err := RefreshAccessTokenWithEmailFallback(refreshToken, userAgent, ipAddress, emailFallback)
helper.LogInfo("TRACE: RefreshAccessTokenWithEmailFallback returned - token length: " + fmt.Sprintf("%d", len(result)) + ", error: " + fmt.Sprintf("%v", err))
return result, err
}
func checkEmailInDB(email string) (bool, error) {
if db.DB == nil {
helper.LogError(nil, dbConnNilError)
return false, errors.New(dbConnNilError)
}
exists, err := services.CheckEmailInDB(email)
if err != nil {
return false, err
}
helper.LogInfo("Email exists in DB: " + fmt.Sprintf("%v", exists))
return exists, nil
}
func LogoutHandler(w http.ResponseWriter, r *http.Request) {
authHeader := r.Header.Get("Authorization")
if !isValidAuthHeader(authHeader) {
helper.RespondWithError(w, http.StatusUnauthorized, "Authorization header missing or invalid")
return
}
tokenString := strings.TrimSpace(strings.TrimPrefix(authHeader, bearerPrefix))
if tokenString == "" {
helper.RespondWithError(w, http.StatusUnauthorized, "Token is missing or empty")
return
}
token, err := jwt.ParseWithClaims(tokenString, &models.AccessToken{}, func(token *jwt.Token) (interface{}, error) {
return []byte(os.Getenv("JWT_SECRET_KEY")), nil
})
if err == nil {
if claims, ok := token.Claims.(*models.AccessToken); ok {
userID, err := services.GetUserIDFromEmail(claims.Email)
if err == nil {
if err := RevokeAllUserSessions(userID); err != nil {
helper.LogError(err, "Failed to revoke user sessions during logout")
}
} else {
helper.LogError(err, "Failed to get user ID during logout")
}
}
} else {
helper.LogError(err, "Failed to parse JWT token during logout")
}
accessLog(w, r, nil, 18, nil)
clearRefreshTokenCookie(w)
response := map[string]interface{}{
"message": "Successfully logged out",
"action": "clear_session_storage",
"keys": []string{"refresh_token", "access_token"},
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
if err := json.NewEncoder(w).Encode(response); err != nil {
helper.LogError(err, "Failed to encode logout response")
}
}
func isValidAuthHeader(authHeader string) bool {
return authHeader != "" && strings.HasPrefix(authHeader, bearerPrefix)
}
func clearRefreshTokenCookie(w http.ResponseWriter) {
helper.LogInfo("Clearing refresh_token cookie...")
isSecure := strings.HasPrefix(os.Getenv("BACKEND_URL"), HTTPS)
helper.LogInfo(fmt.Sprintf("Cookie clearing - isSecure: %v, BACKEND_URL: %s", isSecure, os.Getenv("BACKEND_URL")))
cookieConfig := &http.Cookie{
Name: "refresh_token",
Value: "",
Path: "/",
HttpOnly: true,
Expires: time.Unix(0, 0),
MaxAge: -1,
}
if isSecure {
cookieConfig.Secure = true
cookieConfig.SameSite = http.SameSiteLaxMode
helper.LogInfo("Setting cookie clear for PRODUCTION (secure=true)")
} else {
cookieConfig.Secure = false
cookieConfig.SameSite = http.SameSiteLaxMode
cookieConfig.Domain = "localhost"
helper.LogInfo("Setting cookie clear for DEVELOPMENT (secure=false, domain=localhost)")
}
http.SetCookie(w, cookieConfig)
helper.LogInfo(fmt.Sprintf("Cookie clear #1 sent: Name=%s, Value=%s, Domain=%s, Secure=%v, HttpOnly=%v",
cookieConfig.Name, cookieConfig.Value, cookieConfig.Domain, cookieConfig.Secure, cookieConfig.HttpOnly))
fallbackCookie := &http.Cookie{
Name: "refresh_token",
Value: "",
Path: "/",
HttpOnly: true,
Secure: isSecure,
SameSite: http.SameSiteLaxMode,
Expires: time.Unix(0, 0),
MaxAge: -1,
}
http.SetCookie(w, fallbackCookie)
helper.LogInfo(fmt.Sprintf("Cookie clear #2 sent: Name=%s, Value=%s, Domain=%s, Secure=%v, HttpOnly=%v",
fallbackCookie.Name, fallbackCookie.Value, fallbackCookie.Domain, fallbackCookie.Secure, fallbackCookie.HttpOnly))
helper.LogInfo("Refresh token cookie clearing commands sent to browser")
}
Reference in New Issue View Git Blame Copy Permalink