222 lines
8.6 KiB
Go
222 lines
8.6 KiB
Go
// codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/service/auth/complete_login.go
|
|
package auth
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/awnumar/memguard"
|
|
"go.uber.org/zap"
|
|
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/config"
|
|
uc_user "codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/internal/usecase/user"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/auditlog"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/httperror"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/hash"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/security/jwt"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/storage/cache/cassandracache"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/transaction"
|
|
"codeberg.org/mapleopentech/monorepo/cloud/maplefile-backend/pkg/validation"
|
|
)
|
|
|
|
type CompleteLoginRequestDTO struct {
|
|
Email string `json:"email"`
|
|
ChallengeID string `json:"challengeId"`
|
|
DecryptedData string `json:"decryptedData"`
|
|
}
|
|
|
|
type CompleteLoginResponseDTO struct {
|
|
Message string `json:"message"`
|
|
AccessToken string `json:"access_token"`
|
|
RefreshToken string `json:"refresh_token"`
|
|
AccessTokenExpiryDate string `json:"access_token_expiry_date"`
|
|
RefreshTokenExpiryDate string `json:"refresh_token_expiry_date"`
|
|
Username string `json:"username"`
|
|
}
|
|
|
|
type CompleteLoginService interface {
|
|
Execute(ctx context.Context, req *CompleteLoginRequestDTO) (*CompleteLoginResponseDTO, error)
|
|
}
|
|
|
|
type completeLoginServiceImpl struct {
|
|
config *config.Config
|
|
logger *zap.Logger
|
|
auditLogger auditlog.AuditLogger
|
|
userGetByEmailUC uc_user.UserGetByEmailUseCase
|
|
cache cassandracache.CassandraCacher
|
|
jwtProvider jwt.JWTProvider
|
|
}
|
|
|
|
func NewCompleteLoginService(
|
|
config *config.Config,
|
|
logger *zap.Logger,
|
|
auditLogger auditlog.AuditLogger,
|
|
userGetByEmailUC uc_user.UserGetByEmailUseCase,
|
|
cache cassandracache.CassandraCacher,
|
|
jwtProvider jwt.JWTProvider,
|
|
) CompleteLoginService {
|
|
return &completeLoginServiceImpl{
|
|
config: config,
|
|
logger: logger.Named("CompleteLoginService"),
|
|
auditLogger: auditLogger,
|
|
userGetByEmailUC: userGetByEmailUC,
|
|
cache: cache,
|
|
jwtProvider: jwtProvider,
|
|
}
|
|
}
|
|
|
|
func (s *completeLoginServiceImpl) Execute(ctx context.Context, req *CompleteLoginRequestDTO) (*CompleteLoginResponseDTO, error) {
|
|
// Validate request
|
|
if err := s.validateCompleteLoginRequest(req); err != nil {
|
|
return nil, err // Returns RFC 9457 ProblemDetail
|
|
}
|
|
|
|
// Create SAGA for complete login workflow
|
|
saga := transaction.NewSaga("complete-login", s.logger)
|
|
|
|
s.logger.Info("starting login completion")
|
|
|
|
// Step 1: Normalize email
|
|
email := strings.ToLower(strings.TrimSpace(req.Email))
|
|
|
|
// Step 2: Get the original challenge from cache
|
|
challengeKey := fmt.Sprintf("challenge:%s", req.ChallengeID)
|
|
originalChallenge, err := s.cache.Get(ctx, challengeKey)
|
|
if err != nil || originalChallenge == nil {
|
|
s.logger.Warn("Challenge not found", zap.String("challenge_id", req.ChallengeID))
|
|
s.auditLogger.LogAuth(ctx, auditlog.EventTypeLoginFailure, auditlog.OutcomeFailure,
|
|
validation.MaskEmail(email), "", map[string]string{
|
|
"reason": "challenge_expired",
|
|
})
|
|
return nil, httperror.NewUnauthorizedError("Invalid or expired login challenge. Please request a new login code.")
|
|
}
|
|
defer memguard.WipeBytes(originalChallenge) // SECURITY: Wipe challenge from memory
|
|
|
|
// Step 3: Decode and verify decrypted data matches challenge
|
|
decryptedData, err := base64.StdEncoding.DecodeString(req.DecryptedData)
|
|
if err != nil {
|
|
s.logger.Warn("Failed to decode decrypted data", zap.Error(err))
|
|
return nil, httperror.NewBadRequestError("Invalid encrypted data format.")
|
|
}
|
|
defer memguard.WipeBytes(decryptedData) // SECURITY: Wipe decrypted data from memory
|
|
|
|
if !bytes.Equal(decryptedData, originalChallenge) {
|
|
s.logger.Warn("Challenge verification failed", zap.String("email", validation.MaskEmail(email)))
|
|
s.auditLogger.LogAuth(ctx, auditlog.EventTypeLoginFailure, auditlog.OutcomeFailure,
|
|
validation.MaskEmail(email), "", map[string]string{
|
|
"reason": "challenge_verification_failed",
|
|
})
|
|
return nil, httperror.NewUnauthorizedError("Challenge verification failed. Incorrect password or encryption keys.")
|
|
}
|
|
|
|
// Step 4: Get user (read-only, no compensation)
|
|
user, err := s.userGetByEmailUC.Execute(ctx, email)
|
|
if err != nil || user == nil {
|
|
s.logger.Error("User not found", zap.String("email", validation.MaskEmail(email)))
|
|
return nil, httperror.NewUnauthorizedError("Invalid email or password.")
|
|
}
|
|
|
|
// Step 5: Generate JWT token pair
|
|
accessToken, accessExpiry, refreshToken, refreshExpiry, err := s.jwtProvider.GenerateJWTTokenPair(
|
|
user.ID.String(),
|
|
s.config.JWT.AccessTokenDuration,
|
|
s.config.JWT.RefreshTokenDuration,
|
|
)
|
|
if err != nil {
|
|
s.logger.Error("Failed to generate JWT tokens", zap.Error(err))
|
|
return nil, httperror.NewInternalServerError("Failed to generate authentication tokens. Please try again.")
|
|
}
|
|
|
|
// Step 6: Store refresh token FIRST (compensate: delete refresh token)
|
|
// CRITICAL: Store refresh token before deleting challenge to prevent login failure
|
|
// SECURITY: Hash refresh token to prevent token leakage via cache key inspection
|
|
refreshTokenHash := hash.HashToken(refreshToken)
|
|
refreshKey := fmt.Sprintf("refresh:%s", refreshTokenHash)
|
|
if err := s.cache.SetWithExpiry(ctx, refreshKey, []byte(user.ID.String()), s.config.JWT.RefreshTokenDuration); err != nil {
|
|
s.logger.Error("Failed to store refresh token", zap.Error(err))
|
|
return nil, httperror.NewInternalServerError("Failed to store authentication session. Please try again.")
|
|
}
|
|
|
|
// Register compensation: delete refresh token if challenge deletion fails
|
|
refreshKeyCaptured := refreshKey
|
|
saga.AddCompensation(func(ctx context.Context) error {
|
|
s.logger.Info("compensating: deleting refresh token",
|
|
zap.String("refresh_key", refreshKeyCaptured))
|
|
return s.cache.Delete(ctx, refreshKeyCaptured)
|
|
})
|
|
|
|
// Step 7: Clear challenge from cache (one-time use) (compensate: restore challenge)
|
|
challengeKeyCaptured := challengeKey
|
|
originalChallengeCaptured := originalChallenge
|
|
if err := s.cache.Delete(ctx, challengeKey); err != nil {
|
|
s.logger.Error("Failed to delete challenge",
|
|
zap.String("challenge_key", challengeKey),
|
|
zap.Error(err))
|
|
|
|
// Trigger compensation: Delete refresh token
|
|
saga.Rollback(ctx)
|
|
return nil, httperror.NewInternalServerError("Login failed. Please try again.")
|
|
}
|
|
|
|
// Register compensation: restore challenge with reduced TTL (5 minutes for retry)
|
|
saga.AddCompensation(func(ctx context.Context) error {
|
|
s.logger.Info("compensating: restoring challenge",
|
|
zap.String("challenge_key", challengeKeyCaptured))
|
|
// Restore with reduced TTL (5 minutes) to allow user retry
|
|
return s.cache.SetWithExpiry(ctx, challengeKeyCaptured, originalChallengeCaptured, 5*time.Minute)
|
|
})
|
|
|
|
s.logger.Info("Login completed successfully",
|
|
zap.String("user_id", user.ID.String()),
|
|
zap.String("email", validation.MaskEmail(email)),
|
|
zap.String("refresh_token", refreshToken[:16]+"...")) // Log prefix for security
|
|
|
|
// Audit log successful login
|
|
s.auditLogger.LogAuth(ctx, auditlog.EventTypeLoginSuccess, auditlog.OutcomeSuccess,
|
|
validation.MaskEmail(email), "", map[string]string{
|
|
"user_id": user.ID.String(),
|
|
})
|
|
|
|
return &CompleteLoginResponseDTO{
|
|
Message: "Login successful",
|
|
AccessToken: accessToken,
|
|
RefreshToken: refreshToken,
|
|
AccessTokenExpiryDate: accessExpiry.Format(time.RFC3339),
|
|
RefreshTokenExpiryDate: refreshExpiry.Format(time.RFC3339),
|
|
Username: user.Email,
|
|
}, nil
|
|
}
|
|
|
|
// validateCompleteLoginRequest validates the complete login request.
|
|
// Returns RFC 9457 ProblemDetail error with field-specific errors.
|
|
func (s *completeLoginServiceImpl) validateCompleteLoginRequest(req *CompleteLoginRequestDTO) error {
|
|
errors := make(map[string]string)
|
|
|
|
// Validate email using shared validation utility
|
|
if errMsg := validation.ValidateEmail(req.Email); errMsg != "" {
|
|
errors["email"] = errMsg
|
|
}
|
|
|
|
// Validate challengeId
|
|
challengeId := strings.TrimSpace(req.ChallengeID)
|
|
if challengeId == "" {
|
|
errors["challengeId"] = "Challenge ID is required"
|
|
}
|
|
|
|
// Validate decryptedData
|
|
decryptedData := strings.TrimSpace(req.DecryptedData)
|
|
if decryptedData == "" {
|
|
errors["decryptedData"] = "Decrypted challenge data is required"
|
|
}
|
|
|
|
// If there are validation errors, return RFC 9457 error
|
|
if len(errors) > 0 {
|
|
return httperror.NewValidationError(errors)
|
|
}
|
|
|
|
return nil
|
|
}
|