package access import ( "database/sql" "strings" "github.com/pkg/errors" "github.com/Luzifer/go_helpers/v2/str" "github.com/Luzifer/twitch-bot/pkg/database" "github.com/Luzifer/twitch-bot/pkg/twitch" ) const ( coreMetaKeyBotToken = "bot_access_token" coreMetaKeyBotRefreshToken = "bot_refresh_token" //#nosec:G101 // That's a key, not a credential ) type ( ClientConfig struct { TwitchClient string TwitchClientSecret string FallbackToken string TokenUpdateHook func() } Service struct{ db database.Connector } ) func New(db database.Connector) *Service { return &Service{db} } func (s Service) GetBotTwitchClient(cfg ClientConfig) (*twitch.Client, error) { var botAccessToken, botRefreshToken string err := s.db.ReadEncryptedCoreMeta(coreMetaKeyBotToken, &botAccessToken) switch { case errors.Is(err, nil): // This is fine case errors.Is(err, database.ErrCoreMetaNotFound): botAccessToken = cfg.FallbackToken default: return nil, errors.Wrap(err, "getting bot access token from database") } if err = s.db.ReadEncryptedCoreMeta(coreMetaKeyBotRefreshToken, &botRefreshToken); err != nil && !errors.Is(err, database.ErrCoreMetaNotFound) { return nil, errors.Wrap(err, "getting bot refresh token from database") } twitchClient := twitch.New(cfg.TwitchClient, cfg.TwitchClientSecret, botAccessToken, botRefreshToken) twitchClient.SetTokenUpdateHook(s.SetBotTwitchCredentials) return twitchClient, nil } func (s Service) GetTwitchClientForChannel(channel string, cfg ClientConfig) (*twitch.Client, error) { var err error row := s.db.DB().QueryRow( `SELECT access_token, refresh_token, scopes FROM extended_permissions WHERE channel = $1`, channel, ) var accessToken, refreshToken, scopeStr string if err = row.Scan(&accessToken, &refreshToken, &scopeStr); err != nil { return nil, errors.Wrap(err, "getting twitch credentials from database") } if accessToken, err = s.db.DecryptField(accessToken); err != nil { return nil, errors.Wrap(err, "decrypting access token") } if refreshToken, err = s.db.DecryptField(refreshToken); err != nil { return nil, errors.Wrap(err, "decrypting refresh token") } scopes := strings.Split(scopeStr, " ") tc := twitch.New(cfg.TwitchClient, cfg.TwitchClientSecret, accessToken, refreshToken) tc.SetTokenUpdateHook(func(at, rt string) error { return errors.Wrap(s.SetExtendedTwitchCredentials(channel, at, rt, scopes), "updating extended permissions token") }) return tc, nil } func (s Service) HasAnyPermissionForChannel(channel string, scopes ...string) (bool, error) { row := s.db.DB().QueryRow( `SELECT scopes FROM extended_permissions WHERE channel = $1`, channel, ) var scopeStr string if err := row.Scan(&scopeStr); err != nil { if errors.Is(err, sql.ErrNoRows) { return false, nil } return false, errors.Wrap(err, "getting scopes from database") } storedScopes := strings.Split(scopeStr, " ") for _, scope := range scopes { if str.StringInSlice(scope, storedScopes) { return true, nil } } return false, nil } func (s Service) HasPermissionsForChannel(channel string, scopes ...string) (bool, error) { row := s.db.DB().QueryRow( `SELECT scopes FROM extended_permissions WHERE channel = $1`, channel, ) var scopeStr string if err := row.Scan(&scopeStr); err != nil { if errors.Is(err, sql.ErrNoRows) { return false, nil } return false, errors.Wrap(err, "getting scopes from database") } storedScopes := strings.Split(scopeStr, " ") for _, scope := range scopes { if !str.StringInSlice(scope, storedScopes) { return false, nil } } return true, nil } func (s Service) RemoveExendedTwitchCredentials(channel string) error { _, err := s.db.DB().Exec( `DELETE FROM extended_permissions WHERE channel = $1`, channel, ) return errors.Wrap(err, "deleting data from table") } func (s Service) SetBotTwitchCredentials(accessToken, refreshToken string) (err error) { if err = s.db.StoreEncryptedCoreMeta(coreMetaKeyBotToken, accessToken); err != nil { return errors.Wrap(err, "storing bot access token") } if err = s.db.StoreEncryptedCoreMeta(coreMetaKeyBotRefreshToken, refreshToken); err != nil { return errors.Wrap(err, "storing bot refresh token") } return nil } func (s Service) SetExtendedTwitchCredentials(channel, accessToken, refreshToken string, scope []string) (err error) { if accessToken, err = s.db.EncryptField(accessToken); err != nil { return errors.Wrap(err, "encrypting access token") } if refreshToken, err = s.db.EncryptField(refreshToken); err != nil { return errors.Wrap(err, "encrypting refresh token") } _, err = s.db.DB().Exec( `INSERT INTO extended_permissions (channel, access_token, refresh_token, scopes) VALUES ($1, $2, $3, $4) ON CONFLICT DO UPDATE SET access_token=excluded.access_token, refresh_token=excluded.refresh_token, scopes=excluded.scopes;`, channel, accessToken, refreshToken, strings.Join(scope, " "), ) return errors.Wrap(err, "inserting data into table") }