Broken Version

GenerateNU · May 20, 2024 · 52e67e5 · 52e67e5
1 parent 682256a
commit 52e67e5
Show file tree

Hide file tree

Showing 33 changed files with 6,912 additions and 244 deletions.
diff --git a/backend/auth/jwt.go b/backend/auth/jwt.go
@@ -1,6 +1,7 @@
 package auth
 
 import (
+	"errors"
 	"fmt"
 	"time"
 
@@ -39,6 +40,7 @@ type JWTType string
 const (
 	AccessToken  JWTType = "access"
 	RefreshToken JWTType = "refresh"
+	CSRFToken	 JWTType = "csrf"
 )
 
 type Token struct {
@@ -63,8 +65,10 @@ type JWTClientInterface interface {
 type JWTClient struct {
 	RefreshExp    time.Duration
 	AccessExp     time.Duration
+	CSRFExp 	  time.Duration
 	RefreshKey    *m.Secret[string]
 	AccessKey     *m.Secret[string]
+	CSRFKey 	  *m.Secret[string]
 	SigningMethod jwt.SigningMethod
 }
 
@@ -74,13 +78,14 @@ func NewJWTClient(authSettings config.AuthSettings, signingMethod jwt.SigningMet
 		AccessExp:     constants.ACCESS_TOKEN_EXPIRY,
 		RefreshKey:    authSettings.RefreshKey,
 		AccessKey:     authSettings.AccessKey,
+		CSRFKey: 	   authSettings.CSRFKey,
 		SigningMethod: signingMethod,
 	}
 }
 
 func (j *JWTClient) GenerateTokenPair(accessClaims, refreshClaims Claims) (*Token, error) {
 	accessToken, err := j.GenerateToken(accessClaims, AccessToken)
-	if err != nil {
+	if err != nil{
 		return nil, err
 	}
 
@@ -89,6 +94,10 @@ func (j *JWTClient) GenerateTokenPair(accessClaims, refreshClaims Claims) (*Toke
 		return nil, err
 	}
 
+	if accessToken == nil || refreshToken == nil {
+		return nil, errors.New("failed to generate token pair")
+	}
+
 	return &Token{
 		AccessToken:  accessToken,
 		RefreshToken: refreshToken,
@@ -228,6 +237,8 @@ func (j *JWTClient) getExpiry(tokenType JWTType) time.Duration {
 		return j.AccessExp
 	case RefreshToken:
 		return j.RefreshExp
+	case CSRFToken:
+		return j.CSRFExp
 	}
 
 	return 0
@@ -302,10 +313,12 @@ func GenerateRefreshCookie(value string) *fiber.Cookie {
 }
 
 func SetResponseTokens(c *fiber.Ctx, tokens *Token) error {
+	if tokens == nil {
+		return errors.New("tokens are nil")
+	}
 	// Set the tokens in the response
 	// should also blacklist the old refresh and access tokens
-
-	c.Set("Authorization", fmt.Sprintf("Bearer %s", tokens.AccessToken))
+	c.Set("Authorization", fmt.Sprintf("Bearer %s", &tokens.AccessToken))
 	c.Cookie(&fiber.Cookie{
 		Name:     "refresh_token",
 		Value:    string(tokens.RefreshToken),

diff --git a/backend/config/auth.go b/backend/config/auth.go
@@ -9,11 +9,13 @@ import (
 type AuthSettings struct {
 	AccessKey  *m.Secret[string]
 	RefreshKey *m.Secret[string]
+	CSRFKey    *m.Secret[string]
 }
 
 type intermediateAuthSettings struct {
 	AccessKey  string `yaml:"accesskey"`
 	RefreshKey string `yaml:"refreshkey"`
+	CSRFKey	   string `yaml:"csrfkey"`
 }
 
 func (int *intermediateAuthSettings) into() (*AuthSettings, error) {
@@ -27,8 +29,14 @@ func (int *intermediateAuthSettings) into() (*AuthSettings, error) {
 		return nil, errors.New("failed to create secret from refresh key")
 	}
 
+	csrfToken, err := m.NewSecret(int.CSRFKey)
+	if err != nil {
+		return nil, errors.New("failed to create secret from csrf key")
+	}
+
 	return &AuthSettings{
 		AccessKey:  accessToken,
 		RefreshKey: refreshToken,
+		CSRFKey:    csrfToken,
 	}, nil
 }
diff --git a/backend/config/config.go b/backend/config/config.go
@@ -16,8 +16,8 @@ type Settings struct {
 	PineconeSettings PineconeSettings
 	OpenAISettings   OpenAISettings
 	ResendSettings   ResendSettings
-	GoogleClientSettings     *GoogleClientSettings
-	OutlookClientSettings	 *OutlookClientSettings
+	GoogleClientSettings     *OAuthConfig
+	OutlookClientSettings	 *OAuthConfig
 }
 
 type intermediateSettings struct {

diff --git a/backend/config/calendar.go → backend/config/oauth.go b/backend/config/calendar.go → backend/config/oauth.go
@@ -7,33 +7,25 @@ import (
 	m "github.com/garrettladley/mattress"
 )
 
-type CalendarSettings struct {
-	GoogleClientSettings 	*GoogleClientSettings
-	OutlookClientSettings 	*OutlookClientSettings
-}
-
-type GoogleClientSettings struct {
-	ClientID				*m.Secret[string]
+type OAuthConfig struct {
+	BaseURL 				string
+	ClientID 				*m.Secret[string]
 	ClientSecret 			*m.Secret[string]
-	ResponseType 			string
-	Scopes 					[]string
+	Scopes 					string
 	RedirectURI 			string
-	IncludeGrantedScopes 	string
+	ResponseType			string
+	ResponseMode    		string
 	AccessType 				string
+	IncludeGrantedScopes 	string
 	Prompt 					string
 }
 
-type OutlookClientSettings struct {
-	ClientID 				string
-	ResponseType 			string
-	Scopes 					string
-	RedirectURI 			string
-	Tenant 					string
-	ResponseMode 			string
-	Prompt 					string
+type OAuthSettings struct {
+	GoogleOAuthSettings 	*OAuthConfig
+	OutlookOAuthSettings 	*OAuthConfig
 }
 
-func readGoogleOAuthSettings() (*GoogleClientSettings, error) {
+func readGoogleOAuthSettings() (*OAuthConfig, error) {
 	clientID := os.Getenv("GOOGLE_OAUTH_CLIENT_ID")
 	if clientID == "" {
 		return nil, errors.New("GOOGLE_OAUTH_CLIENT_ID is not set")
@@ -54,36 +46,47 @@ func readGoogleOAuthSettings() (*GoogleClientSettings, error) {
 		return nil, errors.New("failed to create secret from client secret")
 	}
 
-	return &GoogleClientSettings{
+	return &OAuthConfig{
+		BaseURL: "https://accounts.google.com/o/oauth2/v2",
 		ClientID: secretClientID,
 		ClientSecret: secretClientSecret,
-		Scopes: []string{
-			"https://www.googleapis.com/auth/calendar.events",
-			"https://www.googleapis.com/auth/calendar.readonly",
-		},
+		Scopes: "https://www.googleapis.com/auth/calendar.events https://www.googleapis.com/auth/calendar.readonly",
+		ResponseType: "code",
 		RedirectURI: "http://localhost:3000",
 		IncludeGrantedScopes: "true",
 		AccessType: "offline",
+		Prompt: "consent",
 	}, nil
 }
 
-func readOutlookOAuthSettings() (*OutlookClientSettings, error) {
+func readOutlookOAuthSettings() (*OAuthConfig, error) {
 	clientID := os.Getenv("OUTLOOK_OAUTH_CLIENT_ID")
 	if clientID == "" {
 		return nil, errors.New("OUTLOOK_OAUTH_CLIENT_ID is not set")
 	}
 
+	secretClientID, err := m.NewSecret(clientID)
+	if err != nil {
+		return nil, errors.New("failed to create secret from client ID")
+	}
+
 	clientSecret := os.Getenv("OUTLOOK_OAUTH_CLIENT_SECRET")
 	if clientSecret == "" {
 		return nil, errors.New("OUTLOOK_OAUTH_CLIENT_SECRET is not set")
 	}
 
-	return &OutlookClientSettings{
-		ClientID: clientID,
+	secretClientSecret, err := m.NewSecret(clientSecret)
+	if err != nil {
+		return nil, errors.New("failed to create secret from client secret")
+	}
+
+	return &OAuthConfig{
+		BaseURL: "https://login.microsoftonline.com/common/oauth2/v2.0",
+		ClientID: secretClientID,
+		ClientSecret: secretClientSecret,
+		Scopes: "offline_access user.read mail.read",
 		ResponseType: "code",
 		RedirectURI: "http://localhost:3000",
-		Scopes: "offline_access user.read mail.read",
-		Tenant: "common",
 		ResponseMode: "query",
 		Prompt: "consent",
 	}, nil

diff --git a/backend/config/production.go b/backend/config/production.go
@@ -77,6 +77,11 @@ func readProd(v *viper.Viper) (*Settings, error) {
 		return nil, errors.New("failed to create secret from refresh token")
 	}
 
+	authCSRFKey, err := m.NewSecret(os.Getenv(fmt.Sprintf("%sCSRF_TOKEN", authSecretPrefix)))
+	if err != nil {
+		return nil, errors.New("failed to create secret from csrf token")
+	}
+
 	pineconeSettings, err := readPineconeSettings()
 	if err != nil {
 		return nil, fmt.Errorf("failed to read Pinecone settings: %w", err)
@@ -127,6 +132,7 @@ func readProd(v *viper.Viper) (*Settings, error) {
 		Auth: AuthSettings{
 			AccessKey:  authAccessKey,
 			RefreshKey: authRefreshKey,
+			CSRFKey:    authCSRFKey,
 		},
 		PineconeSettings: 		*pineconeSettings,
 		OpenAISettings:   		*openAISettings,

diff --git a/backend/constants/auth.go b/backend/constants/auth.go
@@ -5,6 +5,7 @@ import "time"
 const (
 	ACCESS_TOKEN_EXPIRY  time.Duration = time.Minute * 24 * 30 // temporary TODO: change to 60 minutes
 	REFRESH_TOKEN_EXPIRY time.Duration = time.Minute * 24 * 30
+	CSRF_TOKEN_EXPIRY    time.Duration = time.Minute * 5
 )
 
 var SPECIAL_CHARACTERS = []rune{' ', '!', '"', '#', '$', '%', '&', '\'', '(', ')', '*', '+', ',', '-', '.', '/', ':', ';', '<', '=', '>', '?', '@', '[', '\\', ']', '^', '_', '`', '{', '|', '}', '~'} // see https://owasp.org/www-community/password-special-characters
diff --git a/backend/entities/calendar/base/controller.go b/backend/entities/calendar/base/controller.go
diff --git a/backend/entities/calendar/base/routes.go b/backend/entities/calendar/base/routes.go
diff --git a/backend/entities/models/calendar.go b/backend/entities/models/calendar.go
diff --git a/backend/entities/models/oauth.go b/backend/entities/models/oauth.go
@@ -0,0 +1,21 @@
+package models
+
+import "github.com/google/uuid"
+
+type GrantType string
+
+const (
+	AuthorizationCode   ContactType = "authorization_code"
+	RefreshToken  ContactType = "refresh_token"
+)
+
+type OAuthTokenRequestBody struct {
+	Code	  	string    `json:"code" validate:"omitempty"`
+	State 		string    `json:"state" validate:"omitempty"`
+}
+
+type OAuthToken struct {
+	UserID 			uuid.UUID 	`json:"user_id" validate:"required,uuid4"`
+	RefreshToken    string		`json:"refresh_token" validate:"max=255"`
+	CSRFToken     	string		`json:"csrf_token" validate:"max=255"`
+}
diff --git a/backend/entities/models/user.go b/backend/entities/models/user.go
@@ -158,6 +158,7 @@ type User struct {
 	GraduationCycle GraduationCycle `json:"graduation_cycle" validate:"required,max=255,oneof=december may"`
 	GraduationYear  int16           `json:"graduation_year" validate:"required"`
 	IsVerified      bool            `json:"is_verified"`
+	CalendarToken 	string          `json:"calendar_token" validate:"omitempty,max=255"`	
 
 	Tag               []Tag     `gorm:"many2many:user_tags;" json:"-" validate:"-"`
 	Admin             []Club    `gorm:"many2many:user_club_admins;" json:"-" validate:"-"`