navidrome/core/auth/auth.go

package auth

import (
	"context"
	"sync"
	"time"

	"github.com/go-chi/jwtauth/v5"
	"github.com/google/uuid"
	"github.com/lestrrat-go/jwx/v2/jwt"
	"github.com/navidrome/navidrome/conf"
	"github.com/navidrome/navidrome/consts"
	"github.com/navidrome/navidrome/log"
	"github.com/navidrome/navidrome/model"
	"github.com/navidrome/navidrome/model/request"
)

var (
	once      sync.Once
	Secret    []byte
	TokenAuth *jwtauth.JWTAuth
)

func Init(ds model.DataStore) {
	once.Do(func() {
		log.Info("Setting Session Timeout", "value", conf.Server.SessionTimeout)
		secret, err := ds.Property(context.TODO()).Get(consts.JWTSecretKey)
		if err != nil || secret == "" {
			log.Error("No JWT secret found in DB. Setting a temp one, but please report this error", err)
			secret = uuid.NewString()
		}
		Secret = []byte(secret)
		TokenAuth = jwtauth.New("HS256", Secret, nil)
	})
}

func createBaseClaims() map[string]any {
	tokenClaims := map[string]any{}
	tokenClaims[jwt.IssuerKey] = consts.JWTIssuer
	return tokenClaims
}

func CreatePublicToken(claims map[string]any) (string, error) {
	tokenClaims := createBaseClaims()
	for k, v := range claims {
		tokenClaims[k] = v
	}
	_, token, err := TokenAuth.Encode(tokenClaims)

	return token, err
}

func CreateExpiringPublicToken(exp time.Time, claims map[string]any) (string, error) {
	tokenClaims := createBaseClaims()
	if !exp.IsZero() {
		tokenClaims[jwt.ExpirationKey] = exp.UTC().Unix()
	}
	for k, v := range claims {
		tokenClaims[k] = v
	}
	_, token, err := TokenAuth.Encode(tokenClaims)

	return token, err
}

func CreateToken(u *model.User) (string, error) {
	claims := createBaseClaims()
	claims[jwt.SubjectKey] = u.UserName
	claims[jwt.IssuedAtKey] = time.Now().UTC().Unix()
	claims["uid"] = u.ID
	claims["adm"] = u.IsAdmin
	token, _, err := TokenAuth.Encode(claims)
	if err != nil {
		return "", err
	}

	return TouchToken(token)
}

func TouchToken(token jwt.Token) (string, error) {
	claims, err := token.AsMap(context.Background())
	if err != nil {
		return "", err
	}

	claims[jwt.ExpirationKey] = time.Now().UTC().Add(conf.Server.SessionTimeout).Unix()
	_, newToken, err := TokenAuth.Encode(claims)

	return newToken, err
}

func Validate(tokenStr string) (map[string]interface{}, error) {
	token, err := jwtauth.VerifyToken(TokenAuth, tokenStr)
	if err != nil {
		return nil, err
	}
	return token.AsMap(context.Background())
}

func WithAdminUser(ctx context.Context, ds model.DataStore) context.Context {
	u, err := ds.User(ctx).FindFirstAdmin()
	if err != nil {
		c, err := ds.User(ctx).CountAll()
		if c == 0 && err == nil {
			log.Debug(ctx, "Scanner: No admin user yet!", err)
		} else {
			log.Error(ctx, "Scanner: No admin user found!", err)
		}
		u = &model.User{}
	}

	ctx = request.WithUsername(ctx, u.UserName)
	return request.WithUser(ctx, *u)
}
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`package auth`

			`import (`
Fixing static checks about passing nil context 2020-04-26 18:06:38 +02:00			`"context"`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`"sync"`
			`"time"`

Upgrade to go-chi 5 2021-05-11 23:21:18 +02:00			`"github.com/go-chi/jwtauth/v5"`
Fix possible authentication bypass 2023-12-12 01:32:03 +01:00			`"github.com/google/uuid"`
Bump github.com/go-chi/jwtauth/v5 from 5.0.2 to 5.1.0 2022-12-02 23:58:38 +01:00			`"github.com/lestrrat-go/jwx/v2/jwt"`
feat: allow session timeout to be configurable. closes #101 2020-03-19 01:16:18 +01:00			`"github.com/navidrome/navidrome/conf"`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`"github.com/navidrome/navidrome/consts"`
			`"github.com/navidrome/navidrome/log"`
			`"github.com/navidrome/navidrome/model"`
Add command line M3U exporter. Closes #1914 2022-12-21 20:37:08 +01:00			`"github.com/navidrome/navidrome/model/request"`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`)`

			`var (`
Removed unnecessary code 2021-05-12 00:55:58 +02:00			`once sync.Once`
			`Secret []byte`
			`TokenAuth *jwtauth.JWTAuth`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`)`

Removed unnecessary code 2021-05-12 00:55:58 +02:00			`func Init(ds model.DataStore) {`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`once.Do(func() {`
Removed unnecessary code 2021-05-12 00:55:58 +02:00			`log.Info("Setting Session Timeout", "value", conf.Server.SessionTimeout)`
Fix possible authentication bypass 2023-12-12 01:32:03 +01:00			`secret, err := ds.Property(context.TODO()).Get(consts.JWTSecretKey)`
			`if err != nil \|\| secret == "" {`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`log.Error("No JWT secret found in DB. Setting a temp one, but please report this error", err)`
Fix possible authentication bypass 2023-12-12 01:32:03 +01:00			`secret = uuid.NewString()`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`}`
More auth tests 2021-04-30 16:00:03 +02:00			`Secret = []byte(secret)`
			`TokenAuth = jwtauth.New("HS256", Secret, nil)`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`})`
			`}`

Add public endpoint to expose images 2022-12-31 04:34:00 +01:00			`func createBaseClaims() map[string]any {`
			`tokenClaims := map[string]any{}`
			`tokenClaims[jwt.IssuerKey] = consts.JWTIssuer`
			`return tokenClaims`
			`}`

			`func CreatePublicToken(claims map[string]any) (string, error) {`
			`tokenClaims := createBaseClaims()`
			`for k, v := range claims {`
			`tokenClaims[k] = v`
			`}`
			`_, token, err := TokenAuth.Encode(tokenClaims)`

			`return token, err`
			`}`

Initial work on Shares 2023-01-20 04:52:55 +01:00			`func CreateExpiringPublicToken(exp time.Time, claims map[string]any) (string, error) {`
			`tokenClaims := createBaseClaims()`
			`if !exp.IsZero() {`
			`tokenClaims[jwt.ExpirationKey] = exp.UTC().Unix()`
			`}`
			`for k, v := range claims {`
			`tokenClaims[k] = v`
			`}`
			`_, token, err := TokenAuth.Encode(tokenClaims)`

			`return token, err`
			`}`

feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`func CreateToken(u *model.User) (string, error) {`
Add public endpoint to expose images 2022-12-31 04:34:00 +01:00			`claims := createBaseClaims()`
Upgrade to go-chi 5 2021-05-11 23:21:18 +02:00			`claims[jwt.SubjectKey] = u.UserName`
Implement `updateShare` and `deleteShare` Subsonic endpoints 2023-01-23 02:21:06 +01:00			`claims[jwt.IssuedAtKey] = time.Now().UTC().Unix()`
Allow regular users to change their info, including password. Should fix #199 2021-04-29 04:35:25 +02:00			`claims["uid"] = u.ID`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`claims["adm"] = u.IsAdmin`
Upgrade to go-chi 5 2021-05-11 23:21:18 +02:00			`token, _, err := TokenAuth.Encode(claims)`
			`if err != nil {`
			`return "", err`
			`}`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00
			`return TouchToken(token)`
			`}`

Upgrade to go-chi 5 2021-05-11 23:21:18 +02:00			`func TouchToken(token jwt.Token) (string, error) {`
			`claims, err := token.AsMap(context.Background())`
			`if err != nil {`
			`return "", err`
More auth tests 2021-04-30 16:00:03 +02:00			`}`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00
Removed unnecessary code 2021-05-12 00:55:58 +02:00			`claims[jwt.ExpirationKey] = time.Now().UTC().Add(conf.Server.SessionTimeout).Unix()`
Upgrade to go-chi 5 2021-05-11 23:21:18 +02:00			`_, newToken, err := TokenAuth.Encode(claims)`

			`return newToken, err`
More auth tests 2021-04-30 16:00:03 +02:00			`}`

Upgrade to go-chi 5 2021-05-11 23:21:18 +02:00			`func Validate(tokenStr string) (map[string]interface{}, error) {`
			`token, err := jwtauth.VerifyToken(TokenAuth, tokenStr)`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`if err != nil {`
			`return nil, err`
			`}`
Upgrade to go-chi 5 2021-05-11 23:21:18 +02:00			`return token.AsMap(context.Background())`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`}`
Add command line M3U exporter. Closes #1914 2022-12-21 20:37:08 +01:00
			`func WithAdminUser(ctx context.Context, ds model.DataStore) context.Context {`
			`u, err := ds.User(ctx).FindFirstAdmin()`
			`if err != nil {`
			`c, err := ds.User(ctx).CountAll()`
			`if c == 0 && err == nil {`
			`log.Debug(ctx, "Scanner: No admin user yet!", err)`
			`} else {`
			`log.Error(ctx, "Scanner: No admin user found!", err)`
			`}`
			`u = &model.User{}`
			`}`

			`ctx = request.WithUsername(ctx, u.UserName)`
			`return request.WithUser(ctx, *u)`
			`}`