backup/http_tokens.go

package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"time"

	"github.com/gin-gonic/gin"
	log "github.com/sirupsen/logrus"
)

var sessionMap map[string]uint64

type SessionToken struct {
	Identifier [32]byte
	Verifier   [32]byte
}

type CSRFToken struct {
	Seed     [4]byte
	Path     [16]byte
	Time     int64
	Checksum uint32
}

func NewSessionToken(userID uint64) *SessionToken {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	identifier := make([]byte, 32)
	_, err := rand.Read(identifier)
	if err != nil {
		log.WithFields(log.Fields{"call": "rand.Read", "attr": "identifier", "err": err}).Debugf("")
		return &SessionToken{}
	}

	verifier := make([]byte, 32)
	_, err = rand.Read(verifier)
	if err != nil {
		log.WithFields(log.Fields{"call": "rand.Read", "attr": "verifier", "err": err}).Debugf("")
		return &SessionToken{}
	}

	hash := hmac.New(sha256.New, verifier)
	hash.Write(verifier)
	hashVerifier := hash.Sum(nil)

	t := SessionToken{}

	copy(t.Verifier[:], verifier[:32])
	copy(t.Identifier[:], hashVerifier[:32])

	return &t

}

func (t *SessionToken) Bytes() []byte {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	buf := new(bytes.Buffer)
	_ = binary.Write(buf, binary.LittleEndian, t)
	return buf.Bytes()
}

func (t *SessionToken) Load(b []byte) error {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	if len(b) != binary.Size(t) {
		return fmt.Errorf("wrong size")
	}

	r := bytes.NewReader(b)

	err := binary.Read(r, binary.LittleEndian, t)
	if err != nil {
		return err
	}

	return nil
}

func (t *SessionToken) GetSessionID() uint64 {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	if sessionID, ok := sessionMap[string(t.Identifier[:])]; !ok {
		return 0
	} else {
		return sessionID
	}
}

func GetSessionTokenParam(c *gin.Context) (*SessionToken, error) {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	err := c.Request.ParseForm()
	if err != nil {
		log.WithFields(log.Fields{"call": "Context.Request.ParseForm", "err": err}).Errorf("")
		return nil, err
	}
	session := c.Param("key")

	return DecodeSessionToken(session)
}

func GetSessionTokenCookie(c *gin.Context) (*SessionToken, error) {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	if session, err := c.Cookie("session"); err != nil {
		log.WithFields(log.Fields{"call": "Context.Cookie", "attr": "session", "err": err}).Errorf("")
		return nil, err
	} else {
		return DecodeSessionToken(session)
	}
}

func (t *SessionToken) Encode() string {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	return base64.StdEncoding.EncodeToString(t.Bytes())
}

func DecodeSessionToken(s string) (*SessionToken, error) {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	b, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		log.WithFields(log.Fields{"call": "base64.StdEncoding.DecodeString", "attr": "session", "err": err}).Errorf("")
		return nil, err
	}

	t := SessionToken{}
	err = t.Load(b)
	if err != nil {
		return nil, err
	}

	return &t, nil
}

func (t *CSRFToken) GetPath() string {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	buf := bytes.Buffer{}
	for _, b := range t.Path {
		if b > 0 {
			buf.WriteByte(b)
		} else {
			break
		}
	}
	return buf.String()
}

func (t *CSRFToken) Bytes() []byte {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	buf := new(bytes.Buffer)
	_ = binary.Write(buf, binary.LittleEndian, t)
	return buf.Bytes()
}

func (t *CSRFToken) Load(b []byte) error {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	if len(b) != binary.Size(t) {
		return fmt.Errorf("wrong size")
	}
	r := bytes.NewReader(b)
	err := binary.Read(r, binary.LittleEndian, t)
	if err != nil {
		log.WithFields(log.Fields{"call": "binary.Read", "attr": "b", "err": err}).Errorf("")
		return err
	}
	chk := t.Checksum
	t.Checksum = 0
	if crc32.ChecksumIEEE(t.Bytes()) != chk {
		return fmt.Errorf("wrong checksum")
	}
	t.Checksum = chk
	return nil
}

func NewCSRFToken(c *gin.Context) *CSRFToken {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	t := CSRFToken{}

	copy(t.Path[:], c.Request.URL.Path[0:])

	t.Time = time.Now().UTC().Unix()

	_, err := rand.Read(t.Seed[:])
	log.WithFields(log.Fields{"call": "rand.Read", "attr": "seed", "err": err}).Errorf("")

	t.Checksum = crc32.ChecksumIEEE(t.Bytes())

	return &t
}

func GetCSRFToken(c *gin.Context) (*CSRFToken, error) {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	if context, err := c.Cookie("context"); err != nil {
		return nil, fmt.Errorf("no context param")
	} else {
		return DecodeCSRFToken(context)
	}
}

func (t *CSRFToken) Encode() string {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	hash := sha256.New()
	hash.Write([]byte(cfg.Admin.Secrets.ContextKey))
	key := hash.Sum(nil)

	block, _ := aes.NewCipher(key)
	ciphertext := make([]byte, 32) // size of CSRFToken
	if binary.Size(t) != 32 {
		log.WithFields(log.Fields{"err": fmt.Errorf("size is wrong")}).Fatalf("")
	}

	iv := make([]byte, aes.BlockSize)

	mode := cipher.NewCBCEncrypter(block, iv)
	mode.CryptBlocks(ciphertext[:], t.Bytes())

	return base64.StdEncoding.EncodeToString(ciphertext)
}

func DecodeCSRFToken(s string) (*CSRFToken, error) {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	b, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}

	if len(b) != binary.Size(CSRFToken{}) {
		return nil, fmt.Errorf("wrong size")
	}

	hash := sha256.New()
	hash.Write([]byte(cfg.Admin.Secrets.ContextKey))
	key := hash.Sum(nil)

	block, err := aes.NewCipher(key)

	iv := make([]byte, aes.BlockSize)

	mode := cipher.NewCBCDecrypter(block, iv)
	mode.CryptBlocks(b, b)

	t := CSRFToken{}
	err = t.Load(b)
	if err != nil {
		return nil, err
	}

	return &t, nil
}

func (t *CSRFToken) Valid() bool {
	log.WithFields(log.Fields{}).Debugf("starting")
	defer log.WithFields(log.Fields{}).Debugf("done")

	if time.Now().UTC().Sub(time.Unix(t.Time, 0)) > time.Duration(cfg.Admin.Secrets.ContextExpiration)*time.Second {
		return false
	}
	return true
}

func SetCSRFToken(c *gin.Context) {
	c.SetCookie("context", NewCSRFToken(c).Encode(), cfg.Admin.Secrets.ContextExpiration, "/", cfg.Admin.URL, false, true)
	return
}
test tokens 2024-11-17 23:37:42 +01:00			`package main`

			`import (`
			`"bytes"`
			`"crypto/aes"`
			`"crypto/cipher"`
			`"crypto/hmac"`
			`"crypto/rand"`
			`"crypto/sha256"`
			`"encoding/base64"`
			`"encoding/binary"`
			`"fmt"`
			`"hash/crc32"`
			`"time"`

			`"github.com/gin-gonic/gin"`
			`log "github.com/sirupsen/logrus"`
			`)`

			`var sessionMap map[string]uint64`

			`type SessionToken struct {`
			`Identifier [32]byte`
			`Verifier [32]byte`
			`}`

			`type CSRFToken struct {`
			`Seed [4]byte`
			`Path [16]byte`
			`Time int64`
			`Checksum uint32`
			`}`

			`func NewSessionToken(userID uint64) *SessionToken {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`identifier := make([]byte, 32)`
			`_, err := rand.Read(identifier)`
			`if err != nil {`
			`log.WithFields(log.Fields{"call": "rand.Read", "attr": "identifier", "err": err}).Debugf("")`
			`return &SessionToken{}`
			`}`

			`verifier := make([]byte, 32)`
			`_, err = rand.Read(verifier)`
			`if err != nil {`
			`log.WithFields(log.Fields{"call": "rand.Read", "attr": "verifier", "err": err}).Debugf("")`
			`return &SessionToken{}`
			`}`

			`hash := hmac.New(sha256.New, verifier)`
			`hash.Write(verifier)`
			`hashVerifier := hash.Sum(nil)`

			`t := SessionToken{}`

			`copy(t.Verifier[:], verifier[:32])`
			`copy(t.Identifier[:], hashVerifier[:32])`

			`return &t`

			`}`

			`func (t *SessionToken) Bytes() []byte {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`buf := new(bytes.Buffer)`
			`_ = binary.Write(buf, binary.LittleEndian, t)`
			`return buf.Bytes()`
			`}`

			`func (t *SessionToken) Load(b []byte) error {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`if len(b) != binary.Size(t) {`
			`return fmt.Errorf("wrong size")`
			`}`

			`r := bytes.NewReader(b)`

			`err := binary.Read(r, binary.LittleEndian, t)`
			`if err != nil {`
			`return err`
			`}`

			`return nil`
			`}`

			`func (t *SessionToken) GetSessionID() uint64 {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`if sessionID, ok := sessionMap[string(t.Identifier[:])]; !ok {`
			`return 0`
			`} else {`
			`return sessionID`
			`}`
			`}`

			`func GetSessionTokenParam(c gin.Context) (SessionToken, error) {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`err := c.Request.ParseForm()`
			`if err != nil {`
			`log.WithFields(log.Fields{"call": "Context.Request.ParseForm", "err": err}).Errorf("")`
			`return nil, err`
			`}`
			`session := c.Param("key")`

			`return DecodeSessionToken(session)`
			`}`

			`func GetSessionTokenCookie(c gin.Context) (SessionToken, error) {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`if session, err := c.Cookie("session"); err != nil {`
			`log.WithFields(log.Fields{"call": "Context.Cookie", "attr": "session", "err": err}).Errorf("")`
			`return nil, err`
			`} else {`
			`return DecodeSessionToken(session)`
			`}`
			`}`

			`func (t *SessionToken) Encode() string {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`return base64.StdEncoding.EncodeToString(t.Bytes())`
			`}`

			`func DecodeSessionToken(s string) (*SessionToken, error) {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`b, err := base64.StdEncoding.DecodeString(s)`
			`if err != nil {`
			`log.WithFields(log.Fields{"call": "base64.StdEncoding.DecodeString", "attr": "session", "err": err}).Errorf("")`
			`return nil, err`
			`}`

			`t := SessionToken{}`
			`err = t.Load(b)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return &t, nil`
			`}`

			`func (t *CSRFToken) GetPath() string {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`buf := bytes.Buffer{}`
			`for _, b := range t.Path {`
			`if b > 0 {`
			`buf.WriteByte(b)`
			`} else {`
			`break`
			`}`
			`}`
			`return buf.String()`
			`}`

			`func (t *CSRFToken) Bytes() []byte {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`buf := new(bytes.Buffer)`
			`_ = binary.Write(buf, binary.LittleEndian, t)`
			`return buf.Bytes()`
			`}`

			`func (t *CSRFToken) Load(b []byte) error {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`if len(b) != binary.Size(t) {`
			`return fmt.Errorf("wrong size")`
			`}`
			`r := bytes.NewReader(b)`
			`err := binary.Read(r, binary.LittleEndian, t)`
			`if err != nil {`
			`log.WithFields(log.Fields{"call": "binary.Read", "attr": "b", "err": err}).Errorf("")`
			`return err`
			`}`
			`chk := t.Checksum`
			`t.Checksum = 0`
			`if crc32.ChecksumIEEE(t.Bytes()) != chk {`
			`return fmt.Errorf("wrong checksum")`
			`}`
			`t.Checksum = chk`
			`return nil`
			`}`

			`func NewCSRFToken(c gin.Context) CSRFToken {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`t := CSRFToken{}`

			`copy(t.Path[:], c.Request.URL.Path[0:])`

			`t.Time = time.Now().UTC().Unix()`

			`_, err := rand.Read(t.Seed[:])`
			`log.WithFields(log.Fields{"call": "rand.Read", "attr": "seed", "err": err}).Errorf("")`

			`t.Checksum = crc32.ChecksumIEEE(t.Bytes())`

			`return &t`
			`}`

			`func GetCSRFToken(c gin.Context) (CSRFToken, error) {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`if context, err := c.Cookie("context"); err != nil {`
			`return nil, fmt.Errorf("no context param")`
			`} else {`
			`return DecodeCSRFToken(context)`
			`}`
			`}`

			`func (t *CSRFToken) Encode() string {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`hash := sha256.New()`
			`hash.Write([]byte(cfg.Admin.Secrets.ContextKey))`
			`key := hash.Sum(nil)`

			`block, _ := aes.NewCipher(key)`
			`ciphertext := make([]byte, 32) // size of CSRFToken`
			`if binary.Size(t) != 32 {`
			`log.WithFields(log.Fields{"err": fmt.Errorf("size is wrong")}).Fatalf("")`
			`}`

			`iv := make([]byte, aes.BlockSize)`

			`mode := cipher.NewCBCEncrypter(block, iv)`
			`mode.CryptBlocks(ciphertext[:], t.Bytes())`

			`return base64.StdEncoding.EncodeToString(ciphertext)`
			`}`

			`func DecodeCSRFToken(s string) (*CSRFToken, error) {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`b, err := base64.StdEncoding.DecodeString(s)`
			`if err != nil {`
			`return nil, err`
			`}`

			`if len(b) != binary.Size(CSRFToken{}) {`
			`return nil, fmt.Errorf("wrong size")`
			`}`

			`hash := sha256.New()`
			`hash.Write([]byte(cfg.Admin.Secrets.ContextKey))`
			`key := hash.Sum(nil)`

			`block, err := aes.NewCipher(key)`

			`iv := make([]byte, aes.BlockSize)`

			`mode := cipher.NewCBCDecrypter(block, iv)`
			`mode.CryptBlocks(b, b)`

			`t := CSRFToken{}`
			`err = t.Load(b)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return &t, nil`
			`}`

			`func (t *CSRFToken) Valid() bool {`
			`log.WithFields(log.Fields{}).Debugf("starting")`
			`defer log.WithFields(log.Fields{}).Debugf("done")`

			`if time.Now().UTC().Sub(time.Unix(t.Time, 0)) > time.Duration(cfg.Admin.Secrets.ContextExpiration)*time.Second {`
			`return false`
			`}`
			`return true`
			`}`

			`func SetCSRFToken(c *gin.Context) {`
			`c.SetCookie("context", NewCSRFToken(c).Encode(), cfg.Admin.Secrets.ContextExpiration, "/", cfg.Admin.URL, false, true)`
			`return`
			`}`