memos/server/router/api/v1/auth_service.go

package v1

import (
	"context"
	"fmt"
	"log/slog"
	"regexp"
	"strings"
	"time"

	"github.com/pkg/errors"
	"golang.org/x/crypto/bcrypt"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/metadata"
	"google.golang.org/grpc/status"
	"google.golang.org/protobuf/types/known/emptypb"

	"github.com/usememos/memos/internal/util"
	"github.com/usememos/memos/plugin/idp"
	"github.com/usememos/memos/plugin/idp/oauth2"
	v1pb "github.com/usememos/memos/proto/gen/api/v1"
	storepb "github.com/usememos/memos/proto/gen/store"
	"github.com/usememos/memos/store"
)

const (
	unmatchedEmailAndPasswordError = "unmatched email and password"
)

func (s *APIV1Service) GetAuthStatus(ctx context.Context, _ *v1pb.GetAuthStatusRequest) (*v1pb.User, error) {
	user, err := s.GetCurrentUser(ctx)
	if err != nil {
		return nil, status.Errorf(codes.Unauthenticated, "failed to get current user: %v", err)
	}
	if user == nil {
		// Set the cookie header to expire access token.
		if err := s.clearAccessTokenCookie(ctx); err != nil {
			return nil, status.Errorf(codes.Internal, "failed to set grpc header: %v", err)
		}
		return nil, status.Errorf(codes.Unauthenticated, "user not found")
	}
	return convertUserFromStore(user), nil
}

func (s *APIV1Service) SignIn(ctx context.Context, request *v1pb.SignInRequest) (*v1pb.User, error) {
	user, err := s.Store.GetUser(ctx, &store.FindUser{
		Username: &request.Username,
	})
	if err != nil {
		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to find user by username %s", request.Username))
	}
	if user == nil {
		return nil, status.Errorf(codes.InvalidArgument, unmatchedEmailAndPasswordError)
	}
	// Compare the stored hashed password, with the hashed version of the password that was received.
	if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(request.Password)); err != nil {
		return nil, status.Errorf(codes.InvalidArgument, unmatchedEmailAndPasswordError)
	}

	workspaceGeneralSetting, err := s.Store.GetWorkspaceGeneralSetting(ctx)
	if err != nil {
		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get workspace general setting, err: %s", err))
	}
	// Check if the password sign in is allowed.
	if workspaceGeneralSetting.DisallowPasswordSignin && user.Role == store.RoleUser {
		return nil, status.Errorf(codes.PermissionDenied, "password signin is not allowed")
	}
	if user.RowStatus == store.Archived {
		return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("user has been archived with username %s", request.Username))
	}

	expireTime := time.Now().Add(AccessTokenDuration)
	if request.NeverExpire {
		// Set the expire time to 100 years.
		expireTime = time.Now().Add(100 * 365 * 24 * time.Hour)
	}
	if err := s.doSignIn(ctx, user, expireTime); err != nil {
		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to sign in, err: %s", err))
	}
	return convertUserFromStore(user), nil
}

func (s *APIV1Service) SignInWithSSO(ctx context.Context, request *v1pb.SignInWithSSORequest) (*v1pb.User, error) {
	identityProvider, err := s.Store.GetIdentityProvider(ctx, &store.FindIdentityProvider{
		ID: &request.IdpId,
	})
	if err != nil {
		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get identity provider, err: %s", err))
	}
	if identityProvider == nil {
		return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("identity provider not found with id %d", request.IdpId))
	}

	var userInfo *idp.IdentityProviderUserInfo
	if identityProvider.Type == storepb.IdentityProvider_OAUTH2 {
		oauth2IdentityProvider, err := oauth2.NewIdentityProvider(identityProvider.Config.GetOauth2Config())
		if err != nil {
			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create oauth2 identity provider, err: %s", err))
		}
		token, err := oauth2IdentityProvider.ExchangeToken(ctx, request.RedirectUri, request.Code)
		if err != nil {
			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to exchange token, err: %s", err))
		}
		userInfo, err = oauth2IdentityProvider.UserInfo(token)
		if err != nil {
			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get user info, err: %s", err))
		}
	}

	identifierFilter := identityProvider.IdentifierFilter
	if identifierFilter != "" {
		identifierFilterRegex, err := regexp.Compile(identifierFilter)
		if err != nil {
			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to compile identifier filter regex, err: %s", err))
		}
		if !identifierFilterRegex.MatchString(userInfo.Identifier) {
			return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("identifier %s is not allowed", userInfo.Identifier))
		}
	}

	user, err := s.Store.GetUser(ctx, &store.FindUser{
		Username: &userInfo.Identifier,
	})
	if err != nil {
		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to find user by username %s", userInfo.Identifier))
	}
	if user == nil {
		userCreate := &store.User{
			Username: userInfo.Identifier,
			// The new signup user should be normal user by default.
			Role:     store.RoleUser,
			Nickname: userInfo.DisplayName,
			Email:    userInfo.Email,
		}
		password, err := util.RandomString(20)
		if err != nil {
			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate random password, err: %s", err))
		}
		passwordHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
		if err != nil {
			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate password hash, err: %s", err))
		}
		userCreate.PasswordHash = string(passwordHash)
		user, err = s.Store.CreateUser(ctx, userCreate)
		if err != nil {
			return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create user, err: %s", err))
		}
	}
	if user.RowStatus == store.Archived {
		return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("user has been archived with username %s", userInfo.Identifier))
	}

	if err := s.doSignIn(ctx, user, time.Now().Add(AccessTokenDuration)); err != nil {
		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to sign in, err: %s", err))
	}
	return convertUserFromStore(user), nil
}

func (s *APIV1Service) doSignIn(ctx context.Context, user *store.User, expireTime time.Time) error {
	accessToken, err := GenerateAccessToken(user.Email, user.ID, expireTime, []byte(s.Secret))
	if err != nil {
		return status.Errorf(codes.Internal, fmt.Sprintf("failed to generate tokens, err: %s", err))
	}
	if err := s.UpsertAccessTokenToStore(ctx, user, accessToken, "user login"); err != nil {
		return status.Errorf(codes.Internal, fmt.Sprintf("failed to upsert access token to store, err: %s", err))
	}

	cookie, err := s.buildAccessTokenCookie(ctx, accessToken, expireTime)
	if err != nil {
		return status.Errorf(codes.Internal, fmt.Sprintf("failed to build access token cookie, err: %s", err))
	}
	if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
		"Set-Cookie": cookie,
	})); err != nil {
		return status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err)
	}

	return nil
}

func (s *APIV1Service) SignUp(ctx context.Context, request *v1pb.SignUpRequest) (*v1pb.User, error) {
	workspaceGeneralSetting, err := s.Store.GetWorkspaceGeneralSetting(ctx)
	if err != nil {
		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get workspace general setting, err: %s", err))
	}
	if workspaceGeneralSetting.DisallowSignup {
		return nil, status.Errorf(codes.PermissionDenied, "sign up is not allowed")
	}

	passwordHash, err := bcrypt.GenerateFromPassword([]byte(request.Password), bcrypt.DefaultCost)
	if err != nil {
		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate password hash, err: %s", err))
	}

	create := &store.User{
		Username:     request.Username,
		Nickname:     request.Username,
		PasswordHash: string(passwordHash),
	}
	if !util.UIDMatcher.MatchString(strings.ToLower(create.Username)) {
		return nil, status.Errorf(codes.InvalidArgument, "invalid username: %s", create.Username)
	}

	hostUserType := store.RoleHost
	existedHostUsers, err := s.Store.ListUsers(ctx, &store.FindUser{
		Role: &hostUserType,
	})
	if err != nil {
		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to list users, err: %s", err))
	}
	if len(existedHostUsers) == 0 {
		// Change the default role to host if there is no host user.
		create.Role = store.RoleHost
	} else {
		create.Role = store.RoleUser
	}

	user, err := s.Store.CreateUser(ctx, create)
	if err != nil {
		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create user, err: %s", err))
	}

	if err := s.doSignIn(ctx, user, time.Now().Add(AccessTokenDuration)); err != nil {
		return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to sign in, err: %s", err))
	}
	return convertUserFromStore(user), nil
}

func (s *APIV1Service) SignOut(ctx context.Context, _ *v1pb.SignOutRequest) (*emptypb.Empty, error) {
	accessToken, ok := ctx.Value(accessTokenContextKey).(string)
	// Try to delete the access token from the store.
	if ok {
		user, _ := s.GetCurrentUser(ctx)
		if user != nil {
			if _, err := s.DeleteUserAccessToken(ctx, &v1pb.DeleteUserAccessTokenRequest{
				Name:        fmt.Sprintf("%s%d", UserNamePrefix, user.ID),
				AccessToken: accessToken,
			}); err != nil {
				slog.Error("failed to delete access token", "error", err)
			}
		}
	}

	if err := s.clearAccessTokenCookie(ctx); err != nil {
		return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err)
	}
	return &emptypb.Empty{}, nil
}

func (s *APIV1Service) clearAccessTokenCookie(ctx context.Context) error {
	cookie, err := s.buildAccessTokenCookie(ctx, "", time.Time{})
	if err != nil {
		return errors.Wrap(err, "failed to build access token cookie")
	}
	if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
		"Set-Cookie": cookie,
	})); err != nil {
		return errors.Wrap(err, "failed to set grpc header")
	}
	return nil
}

func (*APIV1Service) buildAccessTokenCookie(ctx context.Context, accessToken string, expireTime time.Time) (string, error) {
	attrs := []string{
		fmt.Sprintf("%s=%s", AccessTokenCookieName, accessToken),
		"Path=/",
		"HttpOnly",
	}
	if expireTime.IsZero() {
		attrs = append(attrs, "Expires=Thu, 01 Jan 1970 00:00:00 GMT")
	} else {
		attrs = append(attrs, "Expires="+expireTime.Format(time.RFC1123))
	}

	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return "", errors.New("failed to get metadata from context")
	}
	var origin string
	for _, v := range md.Get("origin") {
		origin = v
	}
	isHTTPS := strings.HasPrefix(origin, "https://")
	if isHTTPS {
		attrs = append(attrs, "SameSite=None")
		attrs = append(attrs, "Secure")
	} else {
		attrs = append(attrs, "SameSite=Strict")
	}
	return strings.Join(attrs, "; "), nil
}

func (s *APIV1Service) GetCurrentUser(ctx context.Context) (*store.User, error) {
	username, ok := ctx.Value(usernameContextKey).(string)
	if !ok {
		return nil, nil
	}
	user, err := s.Store.GetUser(ctx, &store.FindUser{
		Username: &username,
	})
	if err != nil {
		return nil, err
	}
	return user, nil
}
refactor: api version 2024-04-28 00:44:29 +08:00			`package v1`
fix: add auth status checks 2023-11-30 20:58:36 +08:00
			`import (`
			`"context"`
chore: clear access token when user not found 2023-12-20 07:42:02 +08:00			`"fmt"`
chore: remove access token after sign out 2024-05-20 08:53:29 +08:00			`"log/slog"`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`"regexp"`
chore: add cookie builder 2024-02-05 23:28:29 +08:00			`"strings"`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`"time"`
fix: add auth status checks 2023-11-30 20:58:36 +08:00
chore: clear access token when user not found 2023-12-20 07:42:02 +08:00			`"github.com/pkg/errors"`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`"golang.org/x/crypto/bcrypt"`
chore: clear access token when user not found 2023-12-20 07:42:02 +08:00			`"google.golang.org/grpc"`
fix: check auth status 2023-11-30 21:52:02 +08:00			`"google.golang.org/grpc/codes"`
chore: clear access token when user not found 2023-12-20 07:42:02 +08:00			`"google.golang.org/grpc/metadata"`
fix: check auth status 2023-11-30 21:52:02 +08:00			`"google.golang.org/grpc/status"`
chore: tweak api definition 2024-04-27 22:02:15 +08:00			`"google.golang.org/protobuf/types/known/emptypb"`
fix: check auth status 2023-11-30 21:52:02 +08:00
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`"github.com/usememos/memos/internal/util"`
			`"github.com/usememos/memos/plugin/idp"`
			`"github.com/usememos/memos/plugin/idp/oauth2"`
refactor: api version 2024-04-28 00:44:29 +08:00			`v1pb "github.com/usememos/memos/proto/gen/api/v1"`
chore: migrate idp service 2024-04-13 10:50:25 +08:00			`storepb "github.com/usememos/memos/proto/gen/store"`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`"github.com/usememos/memos/store"`
fix: add auth status checks 2023-11-30 20:58:36 +08:00			`)`

chore: update auth service 2024-08-29 00:06:15 +08:00			`const (`
			`unmatchedEmailAndPasswordError = "unmatched email and password"`
			`)`

refactor: api version 2024-04-28 00:44:29 +08:00			`func (s APIV1Service) GetAuthStatus(ctx context.Context, _ v1pb.GetAuthStatusRequest) (*v1pb.User, error) {`
chore: tweak common function 2024-05-26 11:02:23 +08:00			`user, err := s.GetCurrentUser(ctx)`
fix: check auth status 2023-11-30 21:52:02 +08:00			`if err != nil {`
			`return nil, status.Errorf(codes.Unauthenticated, "failed to get current user: %v", err)`
fix: add auth status checks 2023-11-30 20:58:36 +08:00			`}`
chore: fix auth status checks 2023-12-06 23:03:24 +08:00			`if user == nil {`
chore: clear access token when user not found 2023-12-20 07:42:02 +08:00			`// Set the cookie header to expire access token.`
chore: add cookie builder 2024-02-05 23:28:29 +08:00			`if err := s.clearAccessTokenCookie(ctx); err != nil {`
chore: tweak error message 2024-04-07 22:35:02 +08:00			`return nil, status.Errorf(codes.Internal, "failed to set grpc header: %v", err)`
chore: clear access token when user not found 2023-12-20 07:42:02 +08:00			`}`
chore: fix auth status checks 2023-12-06 23:03:24 +08:00			`return nil, status.Errorf(codes.Unauthenticated, "user not found")`
			`}`
chore: tweak api definition 2024-04-27 22:02:15 +08:00			`return convertUserFromStore(user), nil`
fix: add auth status checks 2023-11-30 20:58:36 +08:00			`}`
chore: clear access token when user not found 2023-12-20 07:42:02 +08:00
refactor: api version 2024-04-28 00:44:29 +08:00			`func (s APIV1Service) SignIn(ctx context.Context, request v1pb.SignInRequest) (*v1pb.User, error) {`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`user, err := s.Store.GetUser(ctx, &store.FindUser{`
			`Username: &request.Username,`
			`})`
			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to find user by username %s", request.Username))`
			`}`
			`if user == nil {`
chore: update auth service 2024-08-29 00:06:15 +08:00			`return nil, status.Errorf(codes.InvalidArgument, unmatchedEmailAndPasswordError)`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`}`
			`// Compare the stored hashed password, with the hashed version of the password that was received.`
			`if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(request.Password)); err != nil {`
chore: update auth service 2024-08-29 00:06:15 +08:00			`return nil, status.Errorf(codes.InvalidArgument, unmatchedEmailAndPasswordError)`
			`}`

			`workspaceGeneralSetting, err := s.Store.GetWorkspaceGeneralSetting(ctx)`
			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get workspace general setting, err: %s", err))`
			`}`
			`// Check if the password sign in is allowed.`
			`if workspaceGeneralSetting.DisallowPasswordSignin && user.Role == store.RoleUser {`
			`return nil, status.Errorf(codes.PermissionDenied, "password signin is not allowed")`
			`}`
			`if user.RowStatus == store.Archived {`
			`return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("user has been archived with username %s", request.Username))`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`}`

chore: migrate auth package 2024-05-01 10:26:46 +08:00			`expireTime := time.Now().Add(AccessTokenDuration)`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`if request.NeverExpire {`
chore: add cookie builder 2024-02-05 23:28:29 +08:00			`// Set the expire time to 100 years.`
			`expireTime = time.Now().Add(100 * 365 * 24 * time.Hour)`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`}`
			`if err := s.doSignIn(ctx, user, expireTime); err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to sign in, err: %s", err))`
			`}`
chore: tweak api definition 2024-04-27 22:02:15 +08:00			`return convertUserFromStore(user), nil`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`}`

refactor: api version 2024-04-28 00:44:29 +08:00			`func (s APIV1Service) SignInWithSSO(ctx context.Context, request v1pb.SignInWithSSORequest) (*v1pb.User, error) {`
chore: tweak store methods name 2024-04-17 08:56:52 +08:00			`identityProvider, err := s.Store.GetIdentityProvider(ctx, &store.FindIdentityProvider{`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`ID: &request.IdpId,`
			`})`
			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get identity provider, err: %s", err))`
			`}`
			`if identityProvider == nil {`
			`return nil, status.Errorf(codes.InvalidArgument, fmt.Sprintf("identity provider not found with id %d", request.IdpId))`
			`}`

			`var userInfo *idp.IdentityProviderUserInfo`
chore: migrate idp service 2024-04-13 10:50:25 +08:00			`if identityProvider.Type == storepb.IdentityProvider_OAUTH2 {`
			`oauth2IdentityProvider, err := oauth2.NewIdentityProvider(identityProvider.Config.GetOauth2Config())`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create oauth2 identity provider, err: %s", err))`
			`}`
			`token, err := oauth2IdentityProvider.ExchangeToken(ctx, request.RedirectUri, request.Code)`
			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to exchange token, err: %s", err))`
			`}`
			`userInfo, err = oauth2IdentityProvider.UserInfo(token)`
			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get user info, err: %s", err))`
			`}`
			`}`

			`identifierFilter := identityProvider.IdentifierFilter`
			`if identifierFilter != "" {`
			`identifierFilterRegex, err := regexp.Compile(identifierFilter)`
			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to compile identifier filter regex, err: %s", err))`
			`}`
			`if !identifierFilterRegex.MatchString(userInfo.Identifier) {`
			`return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("identifier %s is not allowed", userInfo.Identifier))`
			`}`
			`}`

			`user, err := s.Store.GetUser(ctx, &store.FindUser{`
			`Username: &userInfo.Identifier,`
			`})`
			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to find user by username %s", userInfo.Identifier))`
			`}`
			`if user == nil {`
			`userCreate := &store.User{`
			`Username: userInfo.Identifier,`
			`// The new signup user should be normal user by default.`
			`Role: store.RoleUser,`
			`Nickname: userInfo.DisplayName,`
			`Email: userInfo.Email,`
			`}`
			`password, err := util.RandomString(20)`
			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate random password, err: %s", err))`
			`}`
			`passwordHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)`
			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate password hash, err: %s", err))`
			`}`
			`userCreate.PasswordHash = string(passwordHash)`
			`user, err = s.Store.CreateUser(ctx, userCreate)`
			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create user, err: %s", err))`
			`}`
			`}`
			`if user.RowStatus == store.Archived {`
			`return nil, status.Errorf(codes.PermissionDenied, fmt.Sprintf("user has been archived with username %s", userInfo.Identifier))`
			`}`

chore: migrate auth package 2024-05-01 10:26:46 +08:00			`if err := s.doSignIn(ctx, user, time.Now().Add(AccessTokenDuration)); err != nil {`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to sign in, err: %s", err))`
			`}`
chore: tweak api definition 2024-04-27 22:02:15 +08:00			`return convertUserFromStore(user), nil`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`}`

refactor: api version 2024-04-28 00:44:29 +08:00			`func (s APIV1Service) doSignIn(ctx context.Context, user store.User, expireTime time.Time) error {`
chore: migrate auth package 2024-05-01 10:26:46 +08:00			`accessToken, err := GenerateAccessToken(user.Email, user.ID, expireTime, []byte(s.Secret))`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`if err != nil {`
			`return status.Errorf(codes.Internal, fmt.Sprintf("failed to generate tokens, err: %s", err))`
			`}`
			`if err := s.UpsertAccessTokenToStore(ctx, user, accessToken, "user login"); err != nil {`
			`return status.Errorf(codes.Internal, fmt.Sprintf("failed to upsert access token to store, err: %s", err))`
			`}`

chore: add cookie builder 2024-02-05 23:28:29 +08:00			`cookie, err := s.buildAccessTokenCookie(ctx, accessToken, expireTime)`
			`if err != nil {`
			`return status.Errorf(codes.Internal, fmt.Sprintf("failed to build access token cookie, err: %s", err))`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`}`
			`if err := grpc.SetHeader(ctx, metadata.New(map[string]string{`
chore: add cookie builder 2024-02-05 23:28:29 +08:00			`"Set-Cookie": cookie,`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`})); err != nil {`
			`return status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err)`
			`}`

			`return nil`
			`}`

refactor: api version 2024-04-28 00:44:29 +08:00			`func (s APIV1Service) SignUp(ctx context.Context, request v1pb.SignUpRequest) (*v1pb.User, error) {`
feat: add security related settings 2024-08-28 23:46:06 +08:00			`workspaceGeneralSetting, err := s.Store.GetWorkspaceGeneralSetting(ctx)`
chore: tweak signup checks 2024-07-24 23:38:51 +08:00			`if err != nil {`
feat: add security related settings 2024-08-28 23:46:06 +08:00			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to get workspace general setting, err: %s", err))`
chore: tweak signup checks 2024-07-24 23:38:51 +08:00			`}`
feat: add security related settings 2024-08-28 23:46:06 +08:00			`if workspaceGeneralSetting.DisallowSignup {`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`return nil, status.Errorf(codes.PermissionDenied, "sign up is not allowed")`
			`}`

			`passwordHash, err := bcrypt.GenerateFromPassword([]byte(request.Password), bcrypt.DefaultCost)`
			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to generate password hash, err: %s", err))`
			`}`

			`create := &store.User{`
			`Username: request.Username,`
			`Nickname: request.Username,`
			`PasswordHash: string(passwordHash),`
			`}`
refactor: update resource id naming 2024-03-20 20:39:16 +08:00			`if !util.UIDMatcher.MatchString(strings.ToLower(create.Username)) {`
fix: check username in signup 2024-03-15 08:37:58 +08:00			`return nil, status.Errorf(codes.InvalidArgument, "invalid username: %s", create.Username)`
			`}`
fix: role error in api/v2 when the first user registers (#2875) Fix role error in api/v2 when the first user registers 2024-01-31 19:55:52 +08:00
			`hostUserType := store.RoleHost`
			`existedHostUsers, err := s.Store.ListUsers(ctx, &store.FindUser{`
			`Role: &hostUserType,`
			`})`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to list users, err: %s", err))`
			`}`
fix: role error in api/v2 when the first user registers (#2875) Fix role error in api/v2 when the first user registers 2024-01-31 19:55:52 +08:00			`if len(existedHostUsers) == 0 {`
			`// Change the default role to host if there is no host user.`
			`create.Role = store.RoleHost`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`} else {`
			`create.Role = store.RoleUser`
			`}`

			`user, err := s.Store.CreateUser(ctx, create)`
			`if err != nil {`
			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to create user, err: %s", err))`
			`}`

chore: migrate auth package 2024-05-01 10:26:46 +08:00			`if err := s.doSignIn(ctx, user, time.Now().Add(AccessTokenDuration)); err != nil {`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`return nil, status.Errorf(codes.Internal, fmt.Sprintf("failed to sign in, err: %s", err))`
			`}`
chore: tweak api definition 2024-04-27 22:02:15 +08:00			`return convertUserFromStore(user), nil`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`}`

refactor: api version 2024-04-28 00:44:29 +08:00			`func (s APIV1Service) SignOut(ctx context.Context, _ v1pb.SignOutRequest) (*emptypb.Empty, error) {`
chore: remove access token after sign out 2024-05-20 08:53:29 +08:00			`accessToken, ok := ctx.Value(accessTokenContextKey).(string)`
			`// Try to delete the access token from the store.`
			`if ok {`
fix: delete access token when sign out 2024-07-13 11:18:29 +08:00			`user, _ := s.GetCurrentUser(ctx)`
			`if user != nil {`
			`if _, err := s.DeleteUserAccessToken(ctx, &v1pb.DeleteUserAccessTokenRequest{`
			`Name: fmt.Sprintf("%s%d", UserNamePrefix, user.ID),`
			`AccessToken: accessToken,`
			`}); err != nil {`
feat: add password auth flag 2024-07-27 19:24:37 +08:00			`slog.Error("failed to delete access token", "error", err)`
fix: delete access token when sign out 2024-07-13 11:18:29 +08:00			`}`
chore: remove access token after sign out 2024-05-20 08:53:29 +08:00			`}`
			`}`

chore: add cookie builder 2024-02-05 23:28:29 +08:00			`if err := s.clearAccessTokenCookie(ctx); err != nil {`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`return nil, status.Errorf(codes.Internal, "failed to set grpc header, error: %v", err)`
			`}`
chore: tweak api definition 2024-04-27 22:02:15 +08:00			`return &emptypb.Empty{}, nil`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`}`

refactor: api version 2024-04-28 00:44:29 +08:00			`func (s *APIV1Service) clearAccessTokenCookie(ctx context.Context) error {`
chore: add cookie builder 2024-02-05 23:28:29 +08:00			`cookie, err := s.buildAccessTokenCookie(ctx, "", time.Time{})`
			`if err != nil {`
			`return errors.Wrap(err, "failed to build access token cookie")`
			`}`
chore: clear access token when user not found 2023-12-20 07:42:02 +08:00			`if err := grpc.SetHeader(ctx, metadata.New(map[string]string{`
chore: add cookie builder 2024-02-05 23:28:29 +08:00			`"Set-Cookie": cookie,`
chore: clear access token when user not found 2023-12-20 07:42:02 +08:00			`})); err != nil {`
			`return errors.Wrap(err, "failed to set grpc header")`
			`}`
			`return nil`
			`}`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00
refactor: api version 2024-04-28 00:44:29 +08:00			`func (*APIV1Service) buildAccessTokenCookie(ctx context.Context, accessToken string, expireTime time.Time) (string, error) {`
chore: add cookie builder 2024-02-05 23:28:29 +08:00			`attrs := []string{`
chore: migrate auth package 2024-05-01 10:26:46 +08:00			`fmt.Sprintf("%s=%s", AccessTokenCookieName, accessToken),`
chore: add cookie builder 2024-02-05 23:28:29 +08:00			`"Path=/",`
			`"HttpOnly",`
			`}`
			`if expireTime.IsZero() {`
			`attrs = append(attrs, "Expires=Thu, 01 Jan 1970 00:00:00 GMT")`
			`} else {`
			`attrs = append(attrs, "Expires="+expireTime.Format(time.RFC1123))`
			`}`
chore: update get request origin 2024-03-03 14:10:48 +08:00
			`md, ok := metadata.FromIncomingContext(ctx)`
			`if !ok {`
			`return "", errors.New("failed to get metadata from context")`
			`}`
			`var origin string`
			`for _, v := range md.Get("origin") {`
			`origin = v`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`}`
chore: update get request origin 2024-03-03 14:10:48 +08:00			`isHTTPS := strings.HasPrefix(origin, "https://")`
			`if isHTTPS {`
chore: add cookie builder 2024-02-05 23:28:29 +08:00			`attrs = append(attrs, "SameSite=None")`
			`attrs = append(attrs, "Secure")`
			`} else {`
			`attrs = append(attrs, "SameSite=Strict")`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`}`
chore: add cookie builder 2024-02-05 23:28:29 +08:00			`return strings.Join(attrs, "; "), nil`
refactor: migrate auth service 2024-01-29 23:12:02 +08:00			`}`
chore: tweak common function 2024-05-26 11:02:23 +08:00
			`func (s APIV1Service) GetCurrentUser(ctx context.Context) (store.User, error) {`
			`username, ok := ctx.Value(usernameContextKey).(string)`
			`if !ok {`
			`return nil, nil`
			`}`
			`user, err := s.Store.GetUser(ctx, &store.FindUser{`
			`Username: &username,`
			`})`
			`if err != nil {`
			`return nil, err`
			`}`
			`return user, nil`
			`}`