added discord token check to auth

2026-02-07 18:02:12 +11:00
parent 2e2c2af44d
commit 860cae3977
9 changed files with 183 additions and 13 deletions
--- a/cmd/oslstats/auth.go
+++ b/cmd/oslstats/auth.go
@@ -13,7 +13,7 @@ import (
 )

 func setupAuth(
-	config *hwsauth.Config,
+	cfg *hwsauth.Config,
 	logger *hlog.Logger,
 	conn *bun.DB,
 	server *hws.Server,
@@ -24,7 +24,7 @@ func setupAuth(
 		return tx, err
 	}
 	auth, err := hwsauth.NewAuthenticator(
-		config,
+		cfg,
 		db.GetUserByID,
 		server,
 		beginTx,
@@ -36,11 +36,12 @@ func setupAuth(
 		return nil, errors.Wrap(err, "hwsauth.NewAuthenticator")
 	}

-	auth.IgnorePaths(ignoredPaths...)
+	err = auth.IgnorePaths(ignoredPaths...)
+	if err != nil {
+		return nil, errors.Wrap(err, "auth.IgnorePaths")
+	}

 	db.CurrentUser = auth.CurrentModel

 	return auth, nil
 }
-
-// TODO: make a new getuser function that wraps db.GetUserByID and does OAuth refresh
--- a/cmd/oslstats/httpserver.go
+++ b/cmd/oslstats/httpserver.go
@@ -40,7 +40,8 @@ func setupHTTPServer(
 		"/ws/notifications",
 	}

-	auth, err := setupAuth(cfg.HWSAuth, logger, bun, httpServer, ignoredPaths)
+	auth, err := setupAuth(
+		cfg.HWSAuth, logger, bun, httpServer, ignoredPaths)
 	if err != nil {
 		return nil, errors.Wrap(err, "setupAuth")
 	}
@@ -74,7 +75,7 @@ func setupHTTPServer(
 		return nil, errors.Wrap(err, "addRoutes")
 	}

-	err = addMiddleware(httpServer, auth, cfg, perms)
+	err = addMiddleware(httpServer, auth, cfg, perms, discordAPI, store)
 	if err != nil {
 		return nil, errors.Wrap(err, "addMiddleware")
 	}
--- a/cmd/oslstats/main.go
+++ b/cmd/oslstats/main.go
@@ -38,7 +38,7 @@ func main() {
 		}
 		return
 	}
-	//
+
 	// Setup the logger
 	logger, err := hlog.NewLogger(cfg.HLOG, os.Stdout)
 	if err != nil {
--- a/cmd/oslstats/middleware.go
+++ b/cmd/oslstats/middleware.go
@@ -4,13 +4,17 @@ import (
 	"context"
 	"net/http"
 	"strconv"
+	"strings"
+	"time"

 	"git.haelnorr.com/h/golib/hws"
 	"git.haelnorr.com/h/golib/hwsauth"
 	"git.haelnorr.com/h/oslstats/internal/config"
 	"git.haelnorr.com/h/oslstats/internal/contexts"
 	"git.haelnorr.com/h/oslstats/internal/db"
+	"git.haelnorr.com/h/oslstats/internal/discord"
 	"git.haelnorr.com/h/oslstats/internal/rbac"
+	"git.haelnorr.com/h/oslstats/internal/store"

 	"github.com/pkg/errors"
 	"github.com/uptrace/bun"
@@ -21,9 +25,11 @@ func addMiddleware(
 	auth *hwsauth.Authenticator[*db.User, bun.Tx],
 	cfg *config.Config,
 	perms *rbac.Checker,
+	discordAPI *discord.APIClient,
+	store *store.Store,
 ) error {
 	err := server.AddMiddleware(
-		auth.Authenticate(),
+		auth.Authenticate(tokenRefresh(auth, discordAPI, store)),
 		perms.LoadPermissionsMiddleware(),
 		devMode(cfg),
 	)
@@ -51,3 +57,111 @@ func devMode(cfg *config.Config) hws.Middleware {
 		)
 	}
 }
+
+func tokenRefresh(
+	auth *hwsauth.Authenticator[*db.User, bun.Tx],
+	discordAPI *discord.APIClient,
+	store *store.Store,
+) func(ctx context.Context, user *db.User, tx bun.Tx, w http.ResponseWriter, r *http.Request) (bool, *hws.HWSError) {
+	return func(ctx context.Context, user *db.User, tx bun.Tx, w http.ResponseWriter, r *http.Request) (bool, *hws.HWSError) {
+		success, err := refreshToken(ctx, store, discordAPI, user, tx)
+		if err != nil {
+			return false, &hws.HWSError{
+				Error:           errors.Wrap(err, "refreshToken"),
+				Message:         "Error refreshing discord token",
+				Level:           hws.ErrorERROR,
+				RenderErrorPage: true,
+				StatusCode:      http.StatusInternalServerError,
+			}
+		}
+		if !success {
+			err = auth.Logout(tx, w, r)
+			if err != nil {
+				return false, &hws.HWSError{
+					Error:           errors.Wrap(err, "auth.Logout"),
+					Message:         "Logout failed",
+					Level:           hws.ErrorERROR,
+					RenderErrorPage: true,
+					StatusCode:      http.StatusInternalServerError,
+				}
+			}
+			return false, nil
+		}
+		return true, nil
+	}
+}
+
+func refreshToken(
+	ctx context.Context,
+	store *store.Store,
+	discordAPI *discord.APIClient,
+	user *db.User,
+	tx bun.Tx,
+) (bool, error) {
+	token := store.CheckToken(user)
+	if token != nil {
+		return true, nil
+	}
+	// Get the token
+	token, err := user.GetDiscordToken(ctx, tx)
+	if err != nil {
+		return false, errors.Wrap(err, "user.GetDiscordToken")
+	}
+
+	tokenstatus, err := tokenStatus(token)
+	if err != nil {
+		return false, errors.Wrap(err, "tokenStatus")
+	}
+	switch tokenstatus {
+	case "revoked":
+		return false, nil
+	case "expired", "expiring":
+		newtoken, err := discordAPI.RefreshToken(token.Convert())
+		if err != nil {
+			return false, errors.Wrap(err, "discordAPI.RefreshToken")
+		}
+		err = user.UpdateDiscordToken(ctx, tx, newtoken)
+		if err != nil {
+			return false, errors.Wrap(err, "user.UpdateDiscordToken")
+		}
+		err = store.NewTokenCheck(user, token)
+		if err != nil {
+			return false, errors.Wrap(err, "store.NewTokenCheck")
+		}
+		return true, nil
+	case "valid":
+		err = store.NewTokenCheck(user, token)
+		if err != nil {
+			return false, errors.Wrap(err, "store.NewTokenCheck")
+		}
+		return true, nil
+	default:
+		return false, errors.New("unexpected error occured validating discord token for user")
+	}
+}
+
+func tokenStatus(token *db.DiscordToken) (string, error) {
+	now := time.Now().Unix()
+	dayfromnow := now + int64(24*time.Hour/time.Second)
+	oauthtoken := token.Convert()
+	session, err := discord.NewOAuthSession(oauthtoken)
+	if err != nil {
+		return "", errors.Wrap(err, "discord.NewOAuthSession")
+	}
+	_, err = session.GetUser()
+	if err != nil {
+		if !strings.Contains(err.Error(), "HTTP 401") {
+			// Error not related to token status
+			return "", errors.Wrap(err, "session.GetUser")
+		}
+		// Token not valid
+		if token.ExpiresAt < now {
+			return "expired", nil
+		}
+		return "revoked", nil
+	}
+	if token.ExpiresAt < dayfromnow {
+		return "expiring", nil
+	}
+	return "valid", nil
+}