package api
import (
"errors"
"fmt"
"math/rand"
"net/http"
"strings"
"time"
"golang.org/x/crypto/bcrypt"
jwt "github.com/dgrijalva/jwt-go"
)
// Account states stored in User.Status.
const (
	UserStatusActive   = "active"
	UserStatusPending  = "pending"
	UserStatusLocked   = "locked"
	UserStatusDisabled = "disabled"
)

// Platform-wide roles stored in User.SystemRole.
const (
	UserSystemRoleUser        = "user"
	UserSystemRoleAdmin       = "admin"
	UserSystemRoleParticipant = "participant"
)
// User is an account that can log in: researchers, site admins, and participants.
// The same struct is used as the DB row (db tags) and as the API payload (json tags),
// so every field with a json tag can be set by whatever decodes a request body into it.
type User struct {
	ID        int64  `json:"id" db:"id"`
	Title     string `json:"title" db:"title"`
	FirstName string `json:"firstName" db:"firstName"`
	LastName  string `json:"lastName" db:"lastName"`
	Pronouns  string `json:"pronouns" db:"pronouns"`
	Email     string `json:"email" db:"email"`
	// Password holds plaintext on the way in (processForDB hashes it) and the bcrypt
	// hash when a row is loaded. omitempty only hides it when empty, so any path that
	// serializes a User must have called processForAPI first to blank it.
	Password        string `json:"password,omitempty" db:"password"`
	DateOfBirth     string `json:"dateOfBirth" db:"dateOfBirth"`
	ParticipantCode string `json:"participantCode" db:"participantCode"`
	// Status and SystemRole are written verbatim by CreateUser and UpdateUser.
	// NOTE(review): handlers are not visible here; confirm they never copy
	// client-supplied values for these two fields without an authorization check.
	Status      string `json:"status" db:"status"`
	SystemRole  string `json:"systemRole" db:"systemRole"`
	CreatedOn   string `json:"createdOn" db:"createdOn"`
	LastLoginOn string `json:"lastLoginOn" db:"lastLoginOn"`
	// Access, Refresh and Expires have no db tag; createTestUser fills them with token values.
	Access  string `json:"access,omitempty"`
	Refresh string `json:"refresh,omitempty"` // web clients should not keep this in local storage; use the cookies instead
	Expires string `json:"expires,omitempty"`
	// The fields below are only populated by the admin report queries.
	ProjectCount  int64     `json:"projectCount,omitempty" db:"projectCount"`
	Projects      []Project `json:"projects,omitempty" db:"projects"`
	ProjectStatus string    `json:"projectStatus,omitempty" db:"projectStatus"`
}
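// CreateUser inserts input as a new row in Users and stores the generated id in input.ID.
//
// processForDB fills defaults and hashes a plaintext password before the insert;
// the deferred processForAPI blanks input.Password again before the caller sees it.
// An error is returned when the insert fails or when the new id cannot be read,
// so callers never continue with ID 0 for a row that was in fact created.
func CreateUser(input *User) error {
	input.processForDB()
	defer input.processForAPI()

	res, err := config.DBConnection.NamedExec(`INSERT INTO Users (title, firstName, lastName, pronouns, email, password, dateOfBirth, participantCode, status, systemRole, createdOn, lastLoginOn)
VALUES
(:title, :firstName, :lastName, :pronouns, :email, :password, :dateOfBirth, :participantCode, :status, :systemRole, :createdOn, :lastLoginOn)`, input)
	if err != nil {
		return err
	}

	// The id was previously read with the error discarded; tokens and links are
	// keyed on it, so a failure here must not be silent.
	id, err := res.LastInsertId()
	if err != nil {
		return fmt.Errorf("reading id of created user: %w", err)
	}
	input.ID = id
	return nil
}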
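// UpdateUser writes every column of input back to the Users row with id input.ID.
//
// The password column is only touched when input.Password is non-empty.
// processForAPI blanks Password on every User the getters in this file return,
// so an empty value here most likely means "unchanged"; writing it through would
// replace the stored bcrypt hash with an empty string.
// status and systemRole are written as given: the caller is responsible for
// authorizing changes to them.
func UpdateUser(input *User) error {
	input.processForDB()
	defer input.processForAPI()

	// Constant fragment, never user-controlled: selects whether the hash is rewritten.
	passwordClause := ""
	if input.Password != "" {
		passwordClause = "password = :password,\n"
	}

	query := `UPDATE Users SET
title = :title,
firstName = :firstName,
lastName = :lastName,
pronouns = :pronouns,
email = :email,
` + passwordClause + `dateOfBirth = :dateOfBirth,
participantCode = :participantCode,
status = :status,
systemRole = :systemRole,
createdOn = :createdOn,
lastLoginOn = :lastLoginOn
WHERE id = :id`

	_, err := config.DBConnection.NamedExec(query, input)
	return err
}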
// DeleteUser removes the Users row and then the user's Tokens rows.
// It is a hard delete intended for tests. The two statements are not wrapped in a
// transaction, so a failure of the second leaves token rows behind for a user
// that no longer exists.
func DeleteUser(userID int64) error {
	// TODO: as other per-user tables are added (progress, etc.), delete them here too
	if _, err := config.DBConnection.Exec("DELETE FROM Users WHERE id = ?", userID); err != nil {
		return err
	}
	_, tokenErr := config.DBConnection.Exec("DELETE FROM Tokens WHERE userId = ?", userID)
	return tokenErr
}
// GetUserByID loads the Users row with the given id.
// SELECT * also reads the password hash; processForAPI blanks it before the
// value is returned. A non-nil (empty) *User is returned even when err is set.
func GetUserByID(userID int64) (*User, error) {
	var found User
	err := config.DBConnection.Get(&found, `SELECT * FROM Users WHERE id = ?`, userID)
	found.processForAPI()
	return &found, err
}
// GetUserByEmail loads the Users row whose email matches exactly.
// The password hash read by SELECT * is blanked by processForAPI before returning.
// A non-nil (empty) *User is returned even when err is set.
func GetUserByEmail(email string) (*User, error) {
	var found User
	err := config.DBConnection.Get(&found, `SELECT * FROM Users WHERE email = ?`, email)
	found.processForAPI()
	return &found, err
}
// GetUserByParticipantCode loads the Users row with the given participant code.
// The password hash read by SELECT * is blanked by processForAPI before returning.
// A non-nil (empty) *User is returned even when err is set.
func GetUserByParticipantCode(participantCode string) (*User, error) {
	var found User
	err := config.DBConnection.Get(&found, `SELECT * FROM Users WHERE participantCode = ?`, participantCode)
	found.processForAPI()
	return &found, err
}
// GetAllUsersOnPlatform returns every user, each with the number of projects
// they are linked to, ordered by last name, first name and participant code.
// Every row passes through processForAPI, which blanks the password hash.
// The result is an empty (non-nil) slice when there are no rows.
func GetAllUsersOnPlatform() ([]User, error) {
	list := make([]User, 0)
	err := config.DBConnection.Select(&list, `SELECT u.*,
(SELECT COUNT(*) FROM ProjectUserLinks p WHERE p.userId = u.id) AS projectCount
FROM Users u
ORDER BY u.lastName, u.firstName, u.participantCode`)
	for idx := 0; idx < len(list); idx++ {
		list[idx].processForAPI()
	}
	return list, err
}
// GetAllUsersInProject returns the users linked to projectID together with their
// per-project status (projectStatus), ordered by last name, first name and
// participant code. Because the WHERE clause filters on p.projectId, users
// without a link row for the project are not returned despite the LEFT JOIN.
// Every row passes through processForAPI, which blanks the password hash.
func GetAllUsersInProject(projectID int64) ([]User, error) {
	list := make([]User, 0)
	err := config.DBConnection.Select(&list, `SELECT u.*, p.status AS projectStatus
FROM Users u
LEFT JOIN ProjectUserLinks p ON u.id = p.userId
WHERE p.projectId = ?
ORDER BY u.lastName, u.firstName, u.participantCode`, projectID)
	for idx := 0; idx < len(list); idx++ {
		list[idx].processForAPI()
	}
	return list, err
}
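// AttemptLoginForUser looks an account up by email (when emailOrCode contains
// an "@") or by participant code (otherwise) and checks password against the
// stored bcrypt hash.
//
// The returned *User never carries the password hash, including on the failure
// paths, so a caller that logs or serializes the value cannot leak it.
//
// The lookup error and "password did not match" are distinguishable, and only
// the second path pays the bcrypt cost. Callers should map both to one generic
// response so that the API does not reveal which accounts exist.
// NOTE(review): Status is not inspected here; confirm the caller rejects
// locked and disabled accounts.
func AttemptLoginForUser(emailOrCode, password string) (*User, error) {
	query := `SELECT * FROM Users WHERE participantCode = ?`
	if strings.Contains(emailOrCode, "@") {
		query = `SELECT * FROM Users WHERE email = ?`
	}

	user := &User{}
	if err := config.DBConnection.Get(user, query, emailOrCode); err != nil {
		user.Password = ""
		return user, err
	}

	if !checkEncryptedPassword(password, user.Password) {
		// Previously the struct went back to the caller with the hash still set.
		user.Password = ""
		return user, errors.New("password did not match")
	}

	user.processForAPI()
	return user, nil
}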
// LogOutUser deletes the user's refresh token, so no new access token can be
// obtained with it. An access token that was already issued is not revoked
// here and remains usable until it expires.
func LogOutUser(userID int64) error {
	err := deleteTokenForUser(userID, tokenTypeRefresh)
	return err
}
// userGenerateTokens issues a signed access JWT for user and, when
// generateRefreshToken is true, also creates a refresh token and persists it
// with saveTokenForUser. The access token is only wrapped in a Token value;
// this function does not store it.
//
// It returns the access token, its expiry string, the refresh token (nil when
// none was requested) and the first error encountered.
func userGenerateTokens(user *User, generateRefreshToken bool) (accessToken *Token, accessExpires string, refreshToken *Token, err error) {
	jwtString, expiresOn, jwtErr := generateJWT(user)
	if jwtErr != nil {
		return nil, expiresOn, nil, jwtErr
	}

	accessToken = &Token{
		CreatedOn: time.Now().Format(timeFormatAPI),
		ExpiresOn: expiresOn,
		TokenType: tokenTypeAccess,
		UserID:    user.ID,
		Token:     jwtString,
	}
	if !generateRefreshToken {
		return accessToken, expiresOn, nil, nil
	}

	refreshToken, err = generateToken(user, tokenTypeRefresh)
	if err != nil {
		return accessToken, expiresOn, refreshToken, err
	}
	err = saveTokenForUser(refreshToken)
	return accessToken, expiresOn, refreshToken, err
}
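// createTestUser fills any empty fields of defaults with test values, creates
// the user, and stores freshly issued access/refresh tokens on defaults.
//
// Test helper only: the generated password and email come from math/rand,
// which is not suitable for real credentials. CreateUser blanks
// defaults.Password before returning, so a generated password is not available
// to the caller afterwards.
func createTestUser(defaults *User) error {
	if defaults.Password == "" {
		defaults.Password = fmt.Sprintf("test_P@%d!!", rand.Int63n(99999999999999))
	}
	if defaults.FirstName == "" {
		defaults.FirstName = "User"
	}
	if defaults.LastName == "" {
		defaults.LastName = "User"
	}
	if defaults.Email == "" {
		defaults.Email = fmt.Sprintf("test_%d@kesplora.com", rand.Int63n(99999999999999))
	}
	if defaults.Status == "" {
		defaults.Status = UserStatusActive
	}
	if defaults.SystemRole == "" {
		defaults.SystemRole = UserSystemRoleUser
	}

	if err := CreateUser(defaults); err != nil {
		return err
	}

	// userGenerateTokens already persists the refresh token when asked to
	// generate one; saving it a second time here stored the same token twice.
	access, expires, refresh, err := userGenerateTokens(defaults, true)
	if err != nil {
		return err
	}

	defaults.Access = access.Token
	defaults.Expires = expires
	defaults.Refresh = refresh.Token
	return nil
}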
// jwtUser is the subset of User that generateJWT embeds in the access token.
// The token is signed but not encrypted, so every field here (including email
// and date of birth) is readable by anyone who holds the token. Keep this
// struct to what clients actually need.
type jwtUser struct {
	ID              int64  `json:"id" `
	Title           string `json:"title" `
	FirstName       string `json:"firstName" `
	LastName        string `json:"lastName"`
	Pronouns        string `json:"pronouns" `
	Email           string `json:"email" `
	DateOfBirth     string `json:"dateOfBirth" `
	ParticipantCode string `json:"participantCode" `
	Status          string `json:"status" `
	SystemRole      string `json:"systemRole"`
	// Expires is the same formatted timestamp that generateJWT puts in the "exp" claim.
	Expires string `json:"expires"`
}
// jwtClaims is the claim set parseJWT decodes a token into.
//
// Expires and the embedded StandardClaims.ExpiresAt both map to the JSON key
// "exp". Under encoding/json's rules the outer, shallower field takes the
// value, so "exp" lands in Expires as a formatted string and ExpiresAt keeps
// its zero value. NOTE(review): with ExpiresAt at zero the library's own
// claim validation has no expiry to check; the Expires string has to be
// compared against the clock explicitly.
type jwtClaims struct {
	User    jwtUser `json:"user"`
	Expires string  `json:"exp"`
	jwt.StandardClaims
}
// generateJWT builds an HS256-signed access token for input and returns the
// token string together with its expiry, formatted with timeFormatAPI.
//
// The "exp" claim is written as that formatted string, not as a numeric
// timestamp. The payload carries the whole jwtUser and is signed, not
// encrypted. The HMAC key is config.JWTSigningString, so the token is only as
// strong as that value is long and random.
func generateJWT(input *User) (string, string, error) {
	expiry := time.Now().Add(tokenExpiresMinutesAccess * time.Minute).Format(timeFormatAPI)

	claims := jwt.MapClaims{
		"user": jwtUser{
			ID:              input.ID,
			Title:           input.Title,
			FirstName:       input.FirstName,
			LastName:        input.LastName,
			Pronouns:        input.Pronouns,
			Email:           input.Email,
			DateOfBirth:     input.DateOfBirth,
			ParticipantCode: input.ParticipantCode,
			Status:          input.Status,
			SystemRole:      input.SystemRole,
			Expires:         expiry,
		},
		"exp": expiry,
	}

	signed, err := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString([]byte(config.JWTSigningString))
	return signed, expiry, err
}
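// parseJWT verifies the signature of input and returns the user embedded in it.
//
// Only HMAC-signed tokens are accepted; any other algorithm makes the key
// lookup fail with an error instead of handing the library a nil key.
//
// The "exp" claim is a formatted string (see generateJWT), which the JWT
// library does not interpret as an expiry, so the timestamp is parsed and
// compared with the clock here. It is read in the local zone because
// generateJWT formats time.Now() directly. A token with a missing, unreadable
// or past expiry is rejected.
//
// NOTE(review): github.com/dgrijalva/jwt-go is archived upstream; the
// maintained continuation is github.com/golang-jwt/jwt.
func parseJWT(input string) (jwtUser, error) {
	token, err := jwt.ParseWithClaims(input, &jwtClaims{}, func(token *jwt.Token) (interface{}, error) {
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
		}
		return []byte(config.JWTSigningString), nil
	})
	if err != nil {
		return jwtUser{}, errors.New("could not parse jwt")
	}

	claims, ok := token.Claims.(*jwtClaims)
	if !ok || !token.Valid {
		return jwtUser{}, errors.New("could not parse jwt")
	}

	expiresAt, err := time.ParseInLocation(timeFormatAPI, claims.Expires, time.Local)
	if err != nil || !time.Now().Before(expiresAt) {
		return jwtUser{}, errors.New("jwt has expired")
	}

	return claims.User, nil
}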
// encryptPassword returns the bcrypt hash of password at cost 14.
// Despite the name this is one-way hashing, not encryption. The error from
// bcrypt is passed through unchanged and must be checked by the caller: when
// it is non-nil the returned string is not a usable hash.
func encryptPassword(password string) (string, error) {
	const bcryptCost = 14
	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcryptCost)
	return string(hash), err
}
// checkEncryptedPassword reports whether plainPassword matches the bcrypt hash
// in encrypted. Any error from the comparison, including a malformed or empty
// hash, counts as a mismatch.
func checkEncryptedPassword(plainPassword, encrypted string) bool {
	if err := bcrypt.CompareHashAndPassword([]byte(encrypted), []byte(plainPassword)); err != nil {
		return false
	}
	return true
}
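// processForDB normalizes a User in place before it is written to the database:
// it fills default status, role and dates, converts supplied dates to the DB
// formats, and replaces a plaintext password with its bcrypt hash.
//
// If hashing fails (for example when the library rejects the input), the
// password is cleared rather than left as plaintext, so a failed hash can
// never end up stored in the password column. The method has no return value,
// so this is the only safe outcome available here.
func (input *User) processForDB() {
	if input.Status == "" {
		input.Status = UserStatusPending
	}
	if input.SystemRole == "" {
		input.SystemRole = UserSystemRoleUser
	}

	// Conversion errors are ignored below; the field takes whatever
	// parseTimeToTimeFormat returns alongside the error.
	if input.DateOfBirth == "" {
		input.DateOfBirth = "1970-01-01"
	} else {
		input.DateOfBirth, _ = parseTimeToTimeFormat(input.DateOfBirth, dateFormat)
	}
	if input.CreatedOn == "" {
		input.CreatedOn = time.Now().Format(timeFormatDB)
	} else {
		input.CreatedOn, _ = parseTimeToTimeFormat(input.CreatedOn, timeFormatDB)
	}
	if input.LastLoginOn == "" {
		input.LastLoginOn = time.Now().Format(timeFormatDB)
	} else {
		input.LastLoginOn, _ = parseTimeToTimeFormat(input.LastLoginOn, timeFormatDB)
	}

	// A value starting with "$2a$" is taken to be an existing bcrypt hash and is
	// stored as-is. NOTE(review): that is a content-based guess; a submitted
	// password that merely begins with "$2a$" is not hashed.
	if input.Password != "" && !strings.HasPrefix(input.Password, "$2a$") {
		hashed, err := encryptPassword(input.Password)
		if err != nil {
			// Fail closed: never let the plaintext reach the INSERT/UPDATE.
			input.Password = ""
		} else {
			input.Password = hashed
		}
	}
}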
// processForAPI prepares a User for leaving the data layer: it blanks the
// password (hash or plaintext) and converts the timestamps to the API format.
// Conversion errors are ignored.
func (input *User) processForAPI() {
	// Drop the secret first; the json tag only omits it when it is empty.
	input.Password = ""

	created, _ := parseTimeToTimeFormat(input.CreatedOn, timeFormatAPI)
	lastLogin, _ := parseTimeToTimeFormat(input.LastLoginOn, timeFormatAPI)
	input.CreatedOn, input.LastLoginOn = created, lastLogin
}
// Bind is the hook called after an HTTP request body has been decoded into the
// User. It accepts everything: no field is validated or reset here.
// NOTE(review): id, status, systemRole and password are all decodable from
// JSON, so whichever handler binds a request into a User has to decide which
// of them the requester may set.
func (data *User) Bind(r *http.Request) error {
	return nil
}