Initial commit: Open sourcing all of the Maple Open Technologies code.
This commit is contained in:
commit
755d54a99d
2010 changed files with 448675 additions and 0 deletions
222
cloud/maplefile-backend/internal/service/auth/complete_login.go
Normal file
222
cloud/maplefile-backend/internal/service/auth/complete_login.go
Normal file
|
|
@ -0,0 +1,222 @@
|
|||
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/complete_login.go
|
||||
package auth
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/awnumar/memguard"
|
||||
"go.uber.org/zap"
|
||||
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
|
||||
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog"
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/hash"
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/jwt"
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache"
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
|
||||
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
|
||||
)
|
||||
|
||||
type CompleteLoginRequestDTO struct {
|
||||
Email string `json:"email"`
|
||||
ChallengeID string `json:"challengeId"`
|
||||
DecryptedData string `json:"decryptedData"`
|
||||
}
|
||||
|
||||
type CompleteLoginResponseDTO struct {
|
||||
Message string `json:"message"`
|
||||
AccessToken string `json:"access_token"`
|
||||
RefreshToken string `json:"refresh_token"`
|
||||
AccessTokenExpiryDate string `json:"access_token_expiry_date"`
|
||||
RefreshTokenExpiryDate string `json:"refresh_token_expiry_date"`
|
||||
Username string `json:"username"`
|
||||
}
|
||||
|
||||
type CompleteLoginService interface {
|
||||
Execute(ctx context.Context, req *CompleteLoginRequestDTO) (*CompleteLoginResponseDTO, error)
|
||||
}
|
||||
|
||||
type completeLoginServiceImpl struct {
|
||||
config *config.Config
|
||||
logger *zap.Logger
|
||||
auditLogger auditlog.AuditLogger
|
||||
userGetByEmailUC uc_user.UserGetByEmailUseCase
|
||||
cache cassandracache.CassandraCacher
|
||||
jwtProvider jwt.JWTProvider
|
||||
}
|
||||
|
||||
func NewCompleteLoginService(
|
||||
config *config.Config,
|
||||
logger *zap.Logger,
|
||||
auditLogger auditlog.AuditLogger,
|
||||
userGetByEmailUC uc_user.UserGetByEmailUseCase,
|
||||
cache cassandracache.CassandraCacher,
|
||||
jwtProvider jwt.JWTProvider,
|
||||
) CompleteLoginService {
|
||||
return &completeLoginServiceImpl{
|
||||
config: config,
|
||||
logger: logger.Named("CompleteLoginService"),
|
||||
auditLogger: auditLogger,
|
||||
userGetByEmailUC: userGetByEmailUC,
|
||||
cache: cache,
|
||||
jwtProvider: jwtProvider,
|
||||
}
|
||||
}
|
||||
|
||||
func (s *completeLoginServiceImpl) Execute(ctx context.Context, req *CompleteLoginRequestDTO) (*CompleteLoginResponseDTO, error) {
|
||||
// Validate request
|
||||
if err := s.validateCompleteLoginRequest(req); err != nil {
|
||||
return nil, err // Returns RFC 9457 ProblemDetail
|
||||
}
|
||||
|
||||
// Create SAGA for complete login workflow
|
||||
saga := transaction.NewSaga("complete-login", s.logger)
|
||||
|
||||
s.logger.Info("starting login completion")
|
||||
|
||||
// Step 1: Normalize email
|
||||
email := strings.ToLower(strings.TrimSpace(req.Email))
|
||||
|
||||
// Step 2: Get the original challenge from cache
|
||||
challengeKey := fmt.Sprintf("challenge:%s", req.ChallengeID)
|
||||
originalChallenge, err := s.cache.Get(ctx, challengeKey)
|
||||
if err != nil || originalChallenge == nil {
|
||||
s.logger.Warn("Challenge not found", zap.String("challenge_id", req.ChallengeID))
|
||||
s.auditLogger.LogAuth(ctx, auditlog.EventTypeLoginFailure, auditlog.OutcomeFailure,
|
||||
validation.MaskEmail(email), "", map[string]string{
|
||||
"reason": "challenge_expired",
|
||||
})
|
||||
return nil, httperror.NewUnauthorizedError("Invalid or expired login challenge. Please request a new login code.")
|
||||
}
|
||||
defer memguard.WipeBytes(originalChallenge) // SECURITY: Wipe challenge from memory
|
||||
|
||||
// Step 3: Decode and verify decrypted data matches challenge
|
||||
decryptedData, err := base64.StdEncoding.DecodeString(req.DecryptedData)
|
||||
if err != nil {
|
||||
s.logger.Warn("Failed to decode decrypted data", zap.Error(err))
|
||||
return nil, httperror.NewBadRequestError("Invalid encrypted data format.")
|
||||
}
|
||||
defer memguard.WipeBytes(decryptedData) // SECURITY: Wipe decrypted data from memory
|
||||
|
||||
if !bytes.Equal(decryptedData, originalChallenge) {
|
||||
s.logger.Warn("Challenge verification failed", zap.String("email", validation.MaskEmail(email)))
|
||||
s.auditLogger.LogAuth(ctx, auditlog.EventTypeLoginFailure, auditlog.OutcomeFailure,
|
||||
validation.MaskEmail(email), "", map[string]string{
|
||||
"reason": "challenge_verification_failed",
|
||||
})
|
||||
return nil, httperror.NewUnauthorizedError("Challenge verification failed. Incorrect password or encryption keys.")
|
||||
}
|
||||
|
||||
// Step 4: Get user (read-only, no compensation)
|
||||
user, err := s.userGetByEmailUC.Execute(ctx, email)
|
||||
if err != nil || user == nil {
|
||||
s.logger.Error("User not found", zap.String("email", validation.MaskEmail(email)))
|
||||
return nil, httperror.NewUnauthorizedError("Invalid email or password.")
|
||||
}
|
||||
|
||||
// Step 5: Generate JWT token pair
|
||||
accessToken, accessExpiry, refreshToken, refreshExpiry, err := s.jwtProvider.GenerateJWTTokenPair(
|
||||
user.ID.String(),
|
||||
s.config.JWT.AccessTokenDuration,
|
||||
s.config.JWT.RefreshTokenDuration,
|
||||
)
|
||||
if err != nil {
|
||||
s.logger.Error("Failed to generate JWT tokens", zap.Error(err))
|
||||
return nil, httperror.NewInternalServerError("Failed to generate authentication tokens. Please try again.")
|
||||
}
|
||||
|
||||
// Step 6: Store refresh token FIRST (compensate: delete refresh token)
|
||||
// CRITICAL: Store refresh token before deleting challenge to prevent login failure
|
||||
// SECURITY: Hash refresh token to prevent token leakage via cache key inspection
|
||||
refreshTokenHash := hash.HashToken(refreshToken)
|
||||
refreshKey := fmt.Sprintf("refresh:%s", refreshTokenHash)
|
||||
if err := s.cache.SetWithExpiry(ctx, refreshKey, []byte(user.ID.String()), s.config.JWT.RefreshTokenDuration); err != nil {
|
||||
s.logger.Error("Failed to store refresh token", zap.Error(err))
|
||||
return nil, httperror.NewInternalServerError("Failed to store authentication session. Please try again.")
|
||||
}
|
||||
|
||||
// Register compensation: delete refresh token if challenge deletion fails
|
||||
refreshKeyCaptured := refreshKey
|
||||
saga.AddCompensation(func(ctx context.Context) error {
|
||||
s.logger.Info("compensating: deleting refresh token",
|
||||
zap.String("refresh_key", refreshKeyCaptured))
|
||||
return s.cache.Delete(ctx, refreshKeyCaptured)
|
||||
})
|
||||
|
||||
// Step 7: Clear challenge from cache (one-time use) (compensate: restore challenge)
|
||||
challengeKeyCaptured := challengeKey
|
||||
originalChallengeCaptured := originalChallenge
|
||||
if err := s.cache.Delete(ctx, challengeKey); err != nil {
|
||||
s.logger.Error("Failed to delete challenge",
|
||||
zap.String("challenge_key", challengeKey),
|
||||
zap.Error(err))
|
||||
|
||||
// Trigger compensation: Delete refresh token
|
||||
saga.Rollback(ctx)
|
||||
return nil, httperror.NewInternalServerError("Login failed. Please try again.")
|
||||
}
|
||||
|
||||
// Register compensation: restore challenge with reduced TTL (5 minutes for retry)
|
||||
saga.AddCompensation(func(ctx context.Context) error {
|
||||
s.logger.Info("compensating: restoring challenge",
|
||||
zap.String("challenge_key", challengeKeyCaptured))
|
||||
// Restore with reduced TTL (5 minutes) to allow user retry
|
||||
return s.cache.SetWithExpiry(ctx, challengeKeyCaptured, originalChallengeCaptured, 5*time.Minute)
|
||||
})
|
||||
|
||||
s.logger.Info("Login completed successfully",
|
||||
zap.String("user_id", user.ID.String()),
|
||||
zap.String("email", validation.MaskEmail(email)),
|
||||
zap.String("refresh_token", refreshToken[:16]+"...")) // Log prefix for security
|
||||
|
||||
// Audit log successful login
|
||||
s.auditLogger.LogAuth(ctx, auditlog.EventTypeLoginSuccess, auditlog.OutcomeSuccess,
|
||||
validation.MaskEmail(email), "", map[string]string{
|
||||
"user_id": user.ID.String(),
|
||||
})
|
||||
|
||||
return &CompleteLoginResponseDTO{
|
||||
Message: "Login successful",
|
||||
AccessToken: accessToken,
|
||||
RefreshToken: refreshToken,
|
||||
AccessTokenExpiryDate: accessExpiry.Format(time.RFC3339),
|
||||
RefreshTokenExpiryDate: refreshExpiry.Format(time.RFC3339),
|
||||
Username: user.Email,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// validateCompleteLoginRequest validates the complete login request.
|
||||
// Returns RFC 9457 ProblemDetail error with field-specific errors.
|
||||
func (s *completeLoginServiceImpl) validateCompleteLoginRequest(req *CompleteLoginRequestDTO) error {
|
||||
errors := make(map[string]string)
|
||||
|
||||
// Validate email using shared validation utility
|
||||
if errMsg := validation.ValidateEmail(req.Email); errMsg != "" {
|
||||
errors["email"] = errMsg
|
||||
}
|
||||
|
||||
// Validate challengeId
|
||||
challengeId := strings.TrimSpace(req.ChallengeID)
|
||||
if challengeId == "" {
|
||||
errors["challengeId"] = "Challenge ID is required"
|
||||
}
|
||||
|
||||
// Validate decryptedData
|
||||
decryptedData := strings.TrimSpace(req.DecryptedData)
|
||||
if decryptedData == "" {
|
||||
errors["decryptedData"] = "Decrypted challenge data is required"
|
||||
}
|
||||
|
||||
// If there are validation errors, return RFC 9457 error
|
||||
if len(errors) > 0 {
|
||||
return httperror.NewValidationError(errors)
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue