twitch-bot/writeAuth.go

package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"

	"github.com/gofrs/uuid/v3"
	"github.com/pkg/errors"
	"golang.org/x/crypto/argon2"

	"github.com/Luzifer/go_helpers/v2/str"
	"github.com/Luzifer/twitch-bot/v3/pkg/twitch"
)

const (
	// OWASP recommendations - 2023-07-07
	// https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
	argonFmt        = "$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s"
	argonHashLen    = 16
	argonMemory     = 46 * 1024
	argonSaltLength = 8
	argonThreads    = 1
	argonTime       = 1
)

func fillAuthToken(token *configAuthToken) error {
	token.Token = uuid.Must(uuid.NewV4()).String()

	salt := make([]byte, argonSaltLength)
	if _, err := rand.Read(salt); err != nil {
		return errors.Wrap(err, "reading salt")
	}

	token.Hash = fmt.Sprintf(
		argonFmt,
		argon2.Version,
		argonMemory, argonTime, argonThreads,
		base64.RawStdEncoding.EncodeToString(salt),
		base64.RawStdEncoding.EncodeToString(argon2.IDKey([]byte(token.Token), salt, argonTime, argonMemory, argonThreads, argonHashLen)),
	)

	return nil
}

func writeAuthMiddleware(h http.Handler, module string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token := r.Header.Get("Authorization")
		if token == "" {
			http.Error(w, "auth not successful", http.StatusForbidden)
			return
		}

		for _, fn := range []func() error{
			// First try to validate against internal token management
			func() error { return validateAuthToken(token, module) },
			// If not successful validate against Twitch and check for bot-editors
			func() error { return validateTwitchBotEditorAuthToken(token) },
		} {
			if err := fn(); err != nil {
				continue
			}

			h.ServeHTTP(w, r)
			return
		}

		http.Error(w, "auth not successful", http.StatusForbidden)
	})
}

func validateAuthToken(token string, modules ...string) error {
	for _, auth := range config.AuthTokens {
		if auth.validate(token) != nil {
			continue
		}

		for _, reqMod := range modules {
			if !str.StringInSlice(reqMod, auth.Modules) && !str.StringInSlice("*", auth.Modules) {
				return errors.New("missing module in auth")
			}
		}

		return nil // We found a matching token and it has all required tokens
	}

	return errors.New("no matching token")
}

func validateTwitchBotEditorAuthToken(token string) error {
	tc := twitch.New(cfg.TwitchClient, cfg.TwitchClientSecret, token, "")

	id, user, err := tc.GetAuthorizedUser()
	if err != nil {
		return errors.Wrap(err, "getting authorized user")
	}

	if !str.StringInSlice(user, config.BotEditors) && !str.StringInSlice(id, config.BotEditors) {
		return errors.New("user is not an bot-edtior")
	}

	return nil
}
[core] Implement write authorization for APIs (#9) 2021-10-23 15:22:58 +00:00			`package main`

			`import (`
[#16] Implement Raffle module (#47) 2023-07-14 14:15:58 +00:00			`"crypto/rand"`
			`"encoding/base64"`
			`"fmt"`
[core] Implement write authorization for APIs (#9) 2021-10-23 15:22:58 +00:00			`"net/http"`

			`"github.com/gofrs/uuid/v3"`
			`"github.com/pkg/errors"`
[#16] Implement Raffle module (#47) 2023-07-14 14:15:58 +00:00			`"golang.org/x/crypto/argon2"`
[lint] Properly format inputs Signed-off-by: Knut Ahlers <knut@ahlers.me> 2021-11-25 22:48:16 +00:00
			`"github.com/Luzifer/go_helpers/v2/str"`
[#16] Implement Raffle module (#47) 2023-07-14 14:15:58 +00:00			`"github.com/Luzifer/twitch-bot/v3/pkg/twitch"`
			`)`

			`const (`
			`// OWASP recommendations - 2023-07-07`
			`// https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html`
			`argonFmt = "$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s"`
			`argonHashLen = 16`
			`argonMemory = 46 * 1024`
			`argonSaltLength = 8`
			`argonThreads = 1`
			`argonTime = 1`
[core] Implement write authorization for APIs (#9) 2021-10-23 15:22:58 +00:00			`)`

			`func fillAuthToken(token *configAuthToken) error {`
			`token.Token = uuid.Must(uuid.NewV4()).String()`

[#16] Implement Raffle module (#47) 2023-07-14 14:15:58 +00:00			`salt := make([]byte, argonSaltLength)`
			`if _, err := rand.Read(salt); err != nil {`
			`return errors.Wrap(err, "reading salt")`
[core] Implement write authorization for APIs (#9) 2021-10-23 15:22:58 +00:00			`}`

[#16] Implement Raffle module (#47) 2023-07-14 14:15:58 +00:00			`token.Hash = fmt.Sprintf(`
			`argonFmt,`
			`argon2.Version,`
			`argonMemory, argonTime, argonThreads,`
			`base64.RawStdEncoding.EncodeToString(salt),`
			`base64.RawStdEncoding.EncodeToString(argon2.IDKey([]byte(token.Token), salt, argonTime, argonMemory, argonThreads, argonHashLen)),`
			`)`
[core] Implement write authorization for APIs (#9) 2021-10-23 15:22:58 +00:00
			`return nil`
			`}`

			`func writeAuthMiddleware(h http.Handler, module string) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`token := r.Header.Get("Authorization")`
			`if token == "" {`
			`http.Error(w, "auth not successful", http.StatusForbidden)`
			`return`
			`}`

[#16] Implement Raffle module (#47) 2023-07-14 14:15:58 +00:00			`for _, fn := range []func() error{`
			`// First try to validate against internal token management`
			`func() error { return validateAuthToken(token, module) },`
			`// If not successful validate against Twitch and check for bot-editors`
			`func() error { return validateTwitchBotEditorAuthToken(token) },`
			`} {`
			`if err := fn(); err != nil {`
			`continue`
			`}`

			`h.ServeHTTP(w, r)`
[overlays] Add overlays server capability (#14) 2022-02-08 18:58:19 +00:00			`return`
			`}`
[core] Implement write authorization for APIs (#9) 2021-10-23 15:22:58 +00:00
[#16] Implement Raffle module (#47) 2023-07-14 14:15:58 +00:00			`http.Error(w, "auth not successful", http.StatusForbidden)`
[overlays] Add overlays server capability (#14) 2022-02-08 18:58:19 +00:00			`})`
			`}`
[core] Implement write authorization for APIs (#9) 2021-10-23 15:22:58 +00:00
[overlays] Add overlays server capability (#14) 2022-02-08 18:58:19 +00:00			`func validateAuthToken(token string, modules ...string) error {`
			`for _, auth := range config.AuthTokens {`
[#16] Implement Raffle module (#47) 2023-07-14 14:15:58 +00:00			`if auth.validate(token) != nil {`
[overlays] Add overlays server capability (#14) 2022-02-08 18:58:19 +00:00			`continue`
[core] Implement write authorization for APIs (#9) 2021-10-23 15:22:58 +00:00			`}`

[overlays] Add overlays server capability (#14) 2022-02-08 18:58:19 +00:00			`for _, reqMod := range modules {`
			`if !str.StringInSlice(reqMod, auth.Modules) && !str.StringInSlice("*", auth.Modules) {`
			`return errors.New("missing module in auth")`
			`}`
			`}`

			`return nil // We found a matching token and it has all required tokens`
			`}`

			`return errors.New("no matching token")`
[core] Implement write authorization for APIs (#9) 2021-10-23 15:22:58 +00:00			`}`
[#16] Implement Raffle module (#47) 2023-07-14 14:15:58 +00:00
			`func validateTwitchBotEditorAuthToken(token string) error {`
			`tc := twitch.New(cfg.TwitchClient, cfg.TwitchClientSecret, token, "")`

			`id, user, err := tc.GetAuthorizedUser()`
			`if err != nil {`
			`return errors.Wrap(err, "getting authorized user")`
			`}`

			`if !str.StringInSlice(user, config.BotEditors) && !str.StringInSlice(id, config.BotEditors) {`
			`return errors.New("user is not an bot-edtior")`
			`}`

			`return nil`
			`}`