package backend
import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"

	"github.com/ProtonMail/go-proton-api"
	"github.com/ProtonMail/go-srp"
	"github.com/google/uuid"
)
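// NewAuthInfo starts an SRP login for username. It builds an SRP server from
// the account's stored verifier, generates the server ephemeral (challenge),
// and records the server state under a freshly generated session ID so that
// NewAuth can finish the handshake. The returned AuthInfo carries everything
// the client needs to compute its proof: protocol version, modulus, salt,
// server ephemeral and the session ID.
//
// Fix: SRP setup errors are now returned to the caller. The original returned
// an empty AuthInfo together with a nil error, so a failed server construction
// or challenge generation looked like success and handed the client a
// zero-valued challenge.
//
// NOTE(review): b.srp entries are only removed when NewAuth consumes them; a
// handshake that never reaches NewAuth leaves its entry behind. Nothing in
// this file expires them — confirm whether the mock needs cleanup.
func (b *Backend) NewAuthInfo(username string) (proton.AuthInfo, error) {
	return withAccName(b, username, func(acc *account) (proton.AuthInfo, error) {
		server, err := srp.NewServerFromSigned(modulus, acc.verifier, 2048)
		if err != nil {
			return proton.AuthInfo{}, fmt.Errorf("creating srp server: %w", err)
		}

		challenge, err := server.GenerateChallenge()
		if err != nil {
			return proton.AuthInfo{}, fmt.Errorf("generating srp challenge: %w", err)
		}

		// Session IDs are random UUIDs; the client echoes this back in NewAuth
		// to locate the server state for its proof.
		session := uuid.NewString()

		b.srpLock.Lock()
		defer b.srpLock.Unlock()

		b.srp[session] = server

		return proton.AuthInfo{
			Version:         4,
			Modulus:         modulus,
			ServerEphemeral: base64.StdEncoding.EncodeToString(challenge),
			Salt:            base64.StdEncoding.EncodeToString(acc.salt),
			SRPSession:      session,
		}, nil
	})
}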
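// NewAuth finishes an SRP login started by NewAuthInfo. It takes the SRP
// server state recorded under session (each session is single use and is
// removed whether or not the proof verifies), checks the client's ephemeral
// and proof against it, and on success issues a new auth for the account,
// returning it together with the server proof.
//
// Fix: the original tested `!ok` after VerifyProofs, but ok had already been
// checked against the session lookup and was necessarily true, so a failed
// proof verification was never rejected and an auth was issued for any
// proof. The verification error is now checked.
//
// NOTE(review): b.srp is keyed by session only; nothing here ties the SRP
// state back to the account whose verifier produced it, so a session opened
// by NewAuthInfo for one username is accepted here under a different
// username and the auth is issued for that account. Confirm whether sessions
// should be bound to the account they were created for.
func (b *Backend) NewAuth(username string, ephemeral, proof []byte, session string) (proton.Auth, error) {
	return withAccName(b, username, func(acc *account) (proton.Auth, error) {
		// Take the server state out of the map under the lock, then release
		// the lock before the (comparatively slow) proof verification so
		// other handshakes are not serialized behind it.
		b.srpLock.Lock()
		server, ok := b.srp[session]
		if ok {
			delete(b.srp, session)
		}
		b.srpLock.Unlock()

		if !ok {
			return proton.Auth{}, fmt.Errorf("invalid session")
		}

		serverProof, err := server.VerifyProofs(ephemeral, proof)
		if err != nil {
			return proton.Auth{}, fmt.Errorf("invalid proof: %w", err)
		}

		authUID, auth := uuid.NewString(), newAuth(b.authLife)

		acc.authLock.Lock()
		defer acc.authLock.Unlock()

		acc.auth[authUID] = auth

		return auth.toAuth(acc.userID, authUID, serverProof), nil
	})
}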
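// NewAuthRef refreshes the auth identified by authUID using the refresh token
// authRef. Accounts are scanned for an auth with that UID; when the stored
// refresh token matches, a fresh auth (new values, new lifetime) replaces the
// old one under the same authUID and is returned. A mismatching token yields
// "invalid auth ref"; an authUID held by no account yields "invalid auth".
//
// Fix: the original locked each account's authLock with a deferred unlock
// inside the loop, so every visited account's lock stayed held until the
// function returned. Each account is now examined by refreshAccountAuth,
// which releases that account's lock before the next one is visited. The
// token comparison is also constant-time, since authRef is client-supplied.
func (b *Backend) NewAuthRef(authUID, authRef string) (proton.Auth, error) {
	b.accLock.RLock()
	defer b.accLock.RUnlock()

	for _, acc := range b.accounts {
		refreshed, found, err := b.refreshAccountAuth(acc, authUID, authRef)
		if !found {
			continue
		}
		if err != nil {
			return proton.Auth{}, err
		}
		return refreshed, nil
	}

	return proton.Auth{}, fmt.Errorf("invalid auth")
}

// refreshAccountAuth replaces acc's auth authUID with a new one when authRef
// matches the stored refresh token. found reports whether acc holds authUID
// at all; when it does not, err is nil and the caller should keep looking.
// acc.authLock is held only for the duration of this call.
func (b *Backend) refreshAccountAuth(acc *account, authUID, authRef string) (proton.Auth, bool, error) {
	acc.authLock.Lock()
	defer acc.authLock.Unlock()

	current, ok := acc.auth[authUID]
	if !ok {
		return proton.Auth{}, false, nil
	}

	if subtle.ConstantTimeCompare([]byte(current.ref), []byte(authRef)) != 1 {
		return proton.Auth{}, true, fmt.Errorf("invalid auth ref")
	}

	replacement := newAuth(b.authLife)
	acc.auth[authUID] = replacement

	// A refresh carries no SRP server proof, hence nil.
	return replacement.toAuth(acc.userID, authUID, nil), true, nil
}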
// VerifyAuth resolves an access token (authUID plus the access value authAcc)
// to the ID of the account it belongs to. Token validation itself is done by
// withAccAuth; this method only reports the matched account's userID.
func (b *Backend) VerifyAuth(authUID, authAcc string) (string, error) {
	resolveUser := func(acc *account) (string, error) {
		return acc.userID, nil
	}

	return withAccAuth(b, authUID, authAcc, resolveUser)
}
// GetSessions lists every auth currently held by the account userID as
// proton.AuthSession values. The account's auth map is read under its read
// lock. Map iteration order is not deterministic, so the slice is unordered;
// an account with no auths yields a nil slice.
func (b *Backend) GetSessions(userID string) ([]proton.AuthSession, error) {
	collect := func(acc *account) ([]proton.AuthSession, error) {
		acc.authLock.RLock()
		defer acc.authLock.RUnlock()

		var out []proton.AuthSession
		for id, a := range acc.auth {
			out = append(out, a.toAuthSession(id))
		}

		return out, nil
	}

	return withAcc(b, userID, collect)
}
// DeleteSession revokes the auth authUID held by the account userID. Deleting
// an authUID the account does not hold is a no-op (map delete on a missing
// key), so the call still succeeds in that case.
func (b *Backend) DeleteSession(userID, authUID string) error {
	revoke := func(acc *account) error {
		acc.authLock.Lock()
		delete(acc.auth, authUID)
		acc.authLock.Unlock()

		return nil
	}

	return b.withAcc(userID, revoke)
}