litelist/litelist-api/source/auth.d

/**
 * Logic for user authentication.
 */
module auth;

import handy_httpd;
import handy_httpd.handlers.filtered_handler;
import slf4d;

import std.typecons;

import data.user;

immutable string AUTH_METADATA_KEY = "AuthContext";

/**
 * Generates a new access token for an authenticated user.
 * Params:
 *   user = The user to generate a token for.
 *   secret = The secret key to use to sign the token.
 * Returns: The base-64 encoded and signed token string.
 */
string generateToken(in User user, in string secret) {
    import jwt.jwt : Token;
    import jwt.algorithms : JWTAlgorithm;
    import std.datetime;
    Token token = new Token(JWTAlgorithm.HS512);
    token.claims.aud("litelist-api");
    token.claims.sub(user.username);
    token.claims.exp(Clock.currTime.toUnixTime() + 5000);
    token.claims.iss("litelist-api");
    return token.encode(secret);
}

void sendUnauthenticatedResponse(ref HttpResponse resp) {
    resp.setStatus(HttpStatus.UNAUTHORIZED);
    resp.writeBodyString("Invalid credentials.");
}

string loadTokenSecret() {
    import std.file : exists;
    import d_properties;
    if (exists("application.properties")) {
        Properties props = Properties("application.properties");
        if (props.has("secret")) {
            return props.get("secret");
        }
    }
    error("Couldn't load token secret from application.properties. Using insecure secret.");
    return "supersecret";
}

class AuthContext {
    string token;
    User user;

    this(string token, User user) {
        this.token = token;
        this.user = user;
    }
}

/**
 * Validates any request that should be authenticated with an access token,
 * and sets the AuthContextHolder's context if the user is authenticated.
 * Otherwise, sends an appropriate "unauthorized" response.
 * Params:
 *   ctx = The request context to validate.
 *   secret = The secret key that should have been used to sign the token.
 * Returns: The AuthContext if authentication is successful, or null otherwise.
 */
Nullable!AuthContext validateAuthenticatedRequest(ref HttpRequestContext ctx, in string secret) {
    import jwt.jwt : verify, Token;
    import jwt.algorithms : JWTAlgorithm;
    import std.typecons;

    immutable HEADER_NAME = "Authorization";
    if (!ctx.request.hasHeader(HEADER_NAME)) {
        ctx.response.setStatus(HttpStatus.UNAUTHORIZED);
        ctx.response.writeBodyString("Missing Authorization header.");
        return Nullable!AuthContext.init;
    }
    string authHeader = ctx.request.getHeader(HEADER_NAME);
    if (authHeader.length < 7 || authHeader[0 .. 7] != "Bearer ") {
        ctx.response.setStatus(HttpStatus.UNAUTHORIZED);
        ctx.response.writeBodyString("Invalid bearer token authorization header.");
        return Nullable!AuthContext.init;
    }

    string rawToken = authHeader[7 .. $];
    string username;
    try {
        Token token = verify(rawToken, secret, [JWTAlgorithm.HS512]);
        username = token.claims.sub;
    } catch (Exception e) {
        warn("Failed to verify user token.", e);
        ctx.response.setStatus(HttpStatus.UNAUTHORIZED);
        ctx.response.writeBodyString("Invalid or malformed token.");
        return Nullable!AuthContext.init;
    }

    Nullable!User user = userDataSource.getUser(username);
    if (user.isNull) {
        ctx.response.setStatus(HttpStatus.UNAUTHORIZED);
        ctx.response.writeBodyString("User does not exist.");
        return Nullable!AuthContext.init;
    }

    return nullable(new AuthContext(rawToken, user.get));
}

class TokenFilter : HttpRequestFilter {
    private immutable string secret;

    this(string secret) {
        this.secret = secret;
    }

    void apply(ref HttpRequestContext ctx, FilterChain filterChain) {
        Nullable!AuthContext optionalAuth = validateAuthenticatedRequest(ctx, this.secret);
        if (!optionalAuth.isNull) {
            ctx.metadata[AUTH_METADATA_KEY] = optionalAuth.get();
            filterChain.doFilter(ctx); // Only continue the filter chain if we're authenticated.
        }
    }
}

class AdminFilter : HttpRequestFilter {
    void apply(ref HttpRequestContext ctx, FilterChain filterChain) {
        AuthContext authCtx = getAuthContextOrThrow(ctx);
        if (authCtx.user.admin) {
            filterChain.doFilter(ctx);
        } else {
            ctx.response.setStatus(HttpStatus.FORBIDDEN);
        }
    }
}

AuthContext getAuthContextOrThrow(ref HttpRequestContext ctx) {
    if (AUTH_METADATA_KEY in ctx.metadata) {
        if (auto authCtx = cast(AuthContext) ctx.metadata[AUTH_METADATA_KEY]) {
            return authCtx;
        }
    }
    throw new HttpStatusException(HttpStatus.UNAUTHORIZED, "Not authenticated.");
}
Refactored API sources, added registration to app. 2023-08-22 14:05:26 +00:00			`/**`
			`* Logic for user authentication.`
			`*/`
Added start of application. 2023-08-16 14:37:39 +00:00			`module auth;`

			`import handy_httpd;`
			`import handy_httpd.handlers.filtered_handler;`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`import slf4d;`

Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`import std.typecons;`

Refactored API sources, added registration to app. 2023-08-22 14:05:26 +00:00			`import data.user;`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00
Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`immutable string AUTH_METADATA_KEY = "AuthContext";`

Refactored API sources, added registration to app. 2023-08-22 14:05:26 +00:00			`/**`
			`* Generates a new access token for an authenticated user.`
			`* Params:`
			`* user = The user to generate a token for.`
			`* secret = The secret key to use to sign the token.`
			`* Returns: The base-64 encoded and signed token string.`
			`*/`
			`string generateToken(in User user, in string secret) {`
			`import jwt.jwt : Token;`
			`import jwt.algorithms : JWTAlgorithm;`
			`import std.datetime;`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`Token token = new Token(JWTAlgorithm.HS512);`
			`token.claims.aud("litelist-api");`
			`token.claims.sub(user.username);`
			`token.claims.exp(Clock.currTime.toUnixTime() + 5000);`
			`token.claims.iss("litelist-api");`
Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`return token.encode(secret);`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`}`

Refactored API sources, added registration to app. 2023-08-22 14:05:26 +00:00			`void sendUnauthenticatedResponse(ref HttpResponse resp) {`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`resp.setStatus(HttpStatus.UNAUTHORIZED);`
			`resp.writeBodyString("Invalid credentials.");`
Added start of application. 2023-08-16 14:37:39 +00:00			`}`

Refactored API sources, added registration to app. 2023-08-22 14:05:26 +00:00			`string loadTokenSecret() {`
			`import std.file : exists;`
			`import d_properties;`
			`if (exists("application.properties")) {`
			`Properties props = Properties("application.properties");`
			`if (props.has("secret")) {`
			`return props.get("secret");`
			`}`
			`}`
			`error("Couldn't load token secret from application.properties. Using insecure secret.");`
			`return "supersecret";`
			`}`

Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`class AuthContext {`
Added start of application. 2023-08-16 14:37:39 +00:00			`string token;`
			`User user;`

Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`this(string token, User user) {`
			`this.token = token;`
			`this.user = user;`
Added start of application. 2023-08-16 14:37:39 +00:00			`}`
			`}`

Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`/**`
			`* Validates any request that should be authenticated with an access token,`
			`* and sets the AuthContextHolder's context if the user is authenticated.`
			`* Otherwise, sends an appropriate "unauthorized" response.`
			`* Params:`
			`* ctx = The request context to validate.`
Refactored API sources, added registration to app. 2023-08-22 14:05:26 +00:00			`* secret = The secret key that should have been used to sign the token.`
Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`* Returns: The AuthContext if authentication is successful, or null otherwise.`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`*/`
Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`Nullable!AuthContext validateAuthenticatedRequest(ref HttpRequestContext ctx, in string secret) {`
Refactored API sources, added registration to app. 2023-08-22 14:05:26 +00:00			`import jwt.jwt : verify, Token;`
			`import jwt.algorithms : JWTAlgorithm;`
			`import std.typecons;`

Added start of application. 2023-08-16 14:37:39 +00:00			`immutable HEADER_NAME = "Authorization";`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`if (!ctx.request.hasHeader(HEADER_NAME)) {`
			`ctx.response.setStatus(HttpStatus.UNAUTHORIZED);`
			`ctx.response.writeBodyString("Missing Authorization header.");`
Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`return Nullable!AuthContext.init;`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`}`
			`string authHeader = ctx.request.getHeader(HEADER_NAME);`
			`if (authHeader.length < 7 \|\| authHeader[0 .. 7] != "Bearer ") {`
			`ctx.response.setStatus(HttpStatus.UNAUTHORIZED);`
			`ctx.response.writeBodyString("Invalid bearer token authorization header.");`
Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`return Nullable!AuthContext.init;`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`}`

			`string rawToken = authHeader[7 .. $];`
			`string username;`
			`try {`
Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`Token token = verify(rawToken, secret, [JWTAlgorithm.HS512]);`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`username = token.claims.sub;`
			`} catch (Exception e) {`
			`warn("Failed to verify user token.", e);`
Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`ctx.response.setStatus(HttpStatus.UNAUTHORIZED);`
			`ctx.response.writeBodyString("Invalid or malformed token.");`
			`return Nullable!AuthContext.init;`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`}`

			`Nullable!User user = userDataSource.getUser(username);`
			`if (user.isNull) {`
			`ctx.response.setStatus(HttpStatus.UNAUTHORIZED);`
			`ctx.response.writeBodyString("User does not exist.");`
Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`return Nullable!AuthContext.init;`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`}`

Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`return nullable(new AuthContext(rawToken, user.get));`
Added more API stuff, front-end stuff too. 2023-08-17 15:55:05 +00:00			`}`

			`class TokenFilter : HttpRequestFilter {`
Refactored API sources, added registration to app. 2023-08-22 14:05:26 +00:00			`private immutable string secret;`

			`this(string secret) {`
			`this.secret = secret;`
			`}`

Added start of application. 2023-08-16 14:37:39 +00:00			`void apply(ref HttpRequestContext ctx, FilterChain filterChain) {`
Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`Nullable!AuthContext optionalAuth = validateAuthenticatedRequest(ctx, this.secret);`
			`if (!optionalAuth.isNull) {`
			`ctx.metadata[AUTH_METADATA_KEY] = optionalAuth.get();`
			`filterChain.doFilter(ctx); // Only continue the filter chain if we're authenticated.`
			`}`
			`}`
			`}`

			`class AdminFilter : HttpRequestFilter {`
			`void apply(ref HttpRequestContext ctx, FilterChain filterChain) {`
			`AuthContext authCtx = getAuthContextOrThrow(ctx);`
			`if (authCtx.user.admin) {`
			`filterChain.doFilter(ctx);`
			`} else {`
			`ctx.response.setStatus(HttpStatus.FORBIDDEN);`
			`}`
			`}`
			`}`

			`AuthContext getAuthContextOrThrow(ref HttpRequestContext ctx) {`
			`if (AUTH_METADATA_KEY in ctx.metadata) {`
			`if (auto authCtx = cast(AuthContext) ctx.metadata[AUTH_METADATA_KEY]) {`
			`return authCtx;`
			`}`
Added start of application. 2023-08-16 14:37:39 +00:00			`}`
Added admin page and more authentication improvements with latest handy-httpd version. 2023-08-24 19:37:25 +00:00			`throw new HttpStatusException(HttpStatus.UNAUTHORIZED, "Not authenticated.");`
Added start of application. 2023-08-16 14:37:39 +00:00			`}`