navidrome/server/app/auth.go

package app

import (
	"context"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"

	"github.com/deluan/rest"
	"github.com/dgrijalva/jwt-go"
	"github.com/go-chi/jwtauth"
	"github.com/google/uuid"
	"github.com/navidrome/navidrome/conf"
	"github.com/navidrome/navidrome/consts"
	"github.com/navidrome/navidrome/core/auth"
	"github.com/navidrome/navidrome/log"
	"github.com/navidrome/navidrome/model"
	"github.com/navidrome/navidrome/model/request"
	"github.com/navidrome/navidrome/utils/gravatar"
)

var (
	ErrFirstTime = errors.New("no users created")
)

func Login(ds model.DataStore) func(w http.ResponseWriter, r *http.Request) {
	auth.InitTokenAuth(ds)

	return func(w http.ResponseWriter, r *http.Request) {
		username, password, err := getCredentialsFromBody(r)
		if err != nil {
			log.Error(r, "Parsing request body", err)
			_ = rest.RespondWithError(w, http.StatusUnprocessableEntity, err.Error())
			return
		}

		handleLogin(ds, username, password, w, r)
	}
}

func handleLogin(ds model.DataStore, username string, password string, w http.ResponseWriter, r *http.Request) {
	user, err := validateLogin(ds.User(r.Context()), username, password)
	if err != nil {
		_ = rest.RespondWithError(w, http.StatusInternalServerError, "Unknown error authentication user. Please try again")
		return
	}
	if user == nil {
		log.Warn(r, "Unsuccessful login", "username", username, "request", r.Header)
		_ = rest.RespondWithError(w, http.StatusUnauthorized, "Invalid username or password")
		return
	}

	tokenString, err := auth.CreateToken(user)
	if err != nil {
		_ = rest.RespondWithError(w, http.StatusInternalServerError, "Unknown error authenticating user. Please try again")
		return
	}
	payload := map[string]interface{}{
		"message":  "User '" + username + "' authenticated successfully",
		"token":    tokenString,
		"id":       user.ID,
		"name":     user.Name,
		"username": username,
		"isAdmin":  user.IsAdmin,
	}
	if conf.Server.EnableGravatar && user.Email != "" {
		payload["avatar"] = gravatar.Url(user.Email, 50)
	}
	_ = rest.RespondWithJSON(w, http.StatusOK, payload)
}

func getCredentialsFromBody(r *http.Request) (username string, password string, err error) {
	data := make(map[string]string)
	decoder := json.NewDecoder(r.Body)
	if err = decoder.Decode(&data); err != nil {
		log.Error(r, "parsing request body", err)
		err = errors.New("invalid request payload")
		return
	}
	username = data["username"]
	password = data["password"]
	return username, password, nil
}

func CreateAdmin(ds model.DataStore) func(w http.ResponseWriter, r *http.Request) {
	auth.InitTokenAuth(ds)

	return func(w http.ResponseWriter, r *http.Request) {
		username, password, err := getCredentialsFromBody(r)
		if err != nil {
			log.Error(r, "parsing request body", err)
			_ = rest.RespondWithError(w, http.StatusUnprocessableEntity, err.Error())
			return
		}
		c, err := ds.User(r.Context()).CountAll()
		if err != nil {
			_ = rest.RespondWithError(w, http.StatusInternalServerError, err.Error())
			return
		}
		if c > 0 {
			_ = rest.RespondWithError(w, http.StatusForbidden, "Cannot create another first admin")
			return
		}
		err = createDefaultUser(r.Context(), ds, username, password)
		if err != nil {
			_ = rest.RespondWithError(w, http.StatusInternalServerError, err.Error())
			return
		}
		handleLogin(ds, username, password, w, r)
	}
}

func createDefaultUser(ctx context.Context, ds model.DataStore, username, password string) error {
	log.Warn("Creating initial user", "user", username)
	now := time.Now()
	initialUser := model.User{
		ID:          uuid.NewString(),
		UserName:    username,
		Name:        strings.Title(username),
		Email:       "",
		NewPassword: password,
		IsAdmin:     true,
		LastLoginAt: &now,
	}
	err := ds.User(ctx).Put(&initialUser)
	if err != nil {
		log.Error("Could not create initial user", "user", initialUser, err)
	}
	return nil
}

func validateLogin(userRepo model.UserRepository, userName, password string) (*model.User, error) {
	u, err := userRepo.FindByUsername(userName)
	if err == model.ErrNotFound {
		return nil, nil
	}
	if err != nil {
		return nil, err
	}
	if u.Password != password {
		return nil, nil
	}
	err = userRepo.UpdateLastLoginAt(u.ID)
	if err != nil {
		log.Error("Could not update LastLoginAt", "user", userName)
	}
	return u, nil
}

func contextWithUser(ctx context.Context, ds model.DataStore, claims jwt.MapClaims) context.Context {
	userName := claims["sub"].(string)
	user, _ := ds.User(ctx).FindByUsername(userName)
	return request.WithUser(ctx, *user)
}

func getToken(ds model.DataStore, ctx context.Context) (*jwt.Token, error) {
	token, claims, err := jwtauth.FromContext(ctx)

	valid := err == nil && token != nil && token.Valid
	valid = valid && claims["sub"] != nil
	if valid {
		return token, nil
	}

	c, err := ds.User(ctx).CountAll()
	firstTime := c == 0 && err == nil
	if firstTime {
		return nil, ErrFirstTime
	}
	return nil, errors.New("invalid authentication")
}

// This method maps the custom authorization header to the default 'Authorization', used by the jwtauth library
func mapAuthHeader() func(next http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			bearer := r.Header.Get(consts.UIAuthorizationHeader)
			r.Header.Set("Authorization", bearer)
			next.ServeHTTP(w, r)
		})
	}
}

func authenticator(ds model.DataStore) func(next http.Handler) http.Handler {
	auth.InitTokenAuth(ds)

	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			token, err := getToken(ds, r.Context())
			if err == ErrFirstTime {
				_ = rest.RespondWithJSON(w, http.StatusUnauthorized, map[string]string{"message": ErrFirstTime.Error()})
				return
			}
			if err != nil {
				_ = rest.RespondWithError(w, http.StatusUnauthorized, "Not authenticated")
				return
			}

			claims := token.Claims.(jwt.MapClaims)

			newCtx := contextWithUser(r.Context(), ds, claims)
			newTokenString, err := auth.TouchToken(token)
			if err != nil {
				log.Error(r, "signing new token", err)
				_ = rest.RespondWithError(w, http.StatusUnauthorized, "Not authenticated")
				return
			}

			w.Header().Set(consts.UIAuthorizationHeader, newTokenString)
			next.ServeHTTP(w, r.WithContext(newCtx))
		})
	}
}
Authenticate UI 2020-01-20 15:54:29 +01:00			`package app`

			`import (`
			`"context"`
			`"encoding/json"`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`"errors"`
Authenticate UI 2020-01-20 15:54:29 +01:00			`"net/http"`
			`"strings"`
			`"time"`

			`"github.com/deluan/rest"`
			`"github.com/dgrijalva/jwt-go"`
			`"github.com/go-chi/jwtauth"`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`"github.com/google/uuid"`
Redesign UserMenu, now with support for Gravatar 2020-11-13 06:40:01 +01:00			`"github.com/navidrome/navidrome/conf"`
Rename project to Navidrome 2020-01-24 01:44:08 +01:00			`"github.com/navidrome/navidrome/consts"`
Started the big refactor to extract common logic from `engine` package (Subsonic only) to `core` package (more generic) 2020-07-10 18:45:58 +02:00			`"github.com/navidrome/navidrome/core/auth"`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`"github.com/navidrome/navidrome/log"`
Rename project to Navidrome 2020-01-24 01:44:08 +01:00			`"github.com/navidrome/navidrome/model"`
Fix staticcheck's SA1029 2020-05-13 22:49:55 +02:00			`"github.com/navidrome/navidrome/model/request"`
Move utilitarian/generic packages to utils: lastfm, spotify, gravatar, cache, and pool 2021-02-09 17:33:26 +01:00			`"github.com/navidrome/navidrome/utils/gravatar"`
Authenticate UI 2020-01-20 15:54:29 +01:00			`)`

			`var (`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`ErrFirstTime = errors.New("no users created")`
Authenticate UI 2020-01-20 15:54:29 +01:00			`)`

			`func Login(ds model.DataStore) func(w http.ResponseWriter, r *http.Request) {`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`auth.InitTokenAuth(ds)`
Created InitialSetup method that handles all steps required for starting the server for the first time 2020-01-20 21:17:43 +01:00
Authenticate UI 2020-01-20 15:54:29 +01:00			`return func(w http.ResponseWriter, r *http.Request) {`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`username, password, err := getCredentialsFromBody(r)`
			`if err != nil {`
			`log.Error(r, "Parsing request body", err)`
Fix all `errcheck` warnings 2020-04-26 18:35:26 +02:00			`_ = rest.RespondWithError(w, http.StatusUnprocessableEntity, err.Error())`
Authenticate UI 2020-01-20 15:54:29 +01:00			`return`
			`}`

feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`handleLogin(ds, username, password, w, r)`
			`}`
			`}`

			`func handleLogin(ds model.DataStore, username string, password string, w http.ResponseWriter, r *http.Request) {`
refactor: add Context to the persistence layer 2020-01-27 15:41:33 +01:00			`user, err := validateLogin(ds.User(r.Context()), username, password)`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`if err != nil {`
Fix all `errcheck` warnings 2020-04-26 18:35:26 +02:00			`_ = rest.RespondWithError(w, http.StatusInternalServerError, "Unknown error authentication user. Please try again")`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`return`
			`}`
			`if user == nil {`
			`log.Warn(r, "Unsuccessful login", "username", username, "request", r.Header)`
Fix all `errcheck` warnings 2020-04-26 18:35:26 +02:00			`_ = rest.RespondWithError(w, http.StatusUnauthorized, "Invalid username or password")`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`return`
			`}`

feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`tokenString, err := auth.CreateToken(user)`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`if err != nil {`
Fix all `errcheck` warnings 2020-04-26 18:35:26 +02:00			`_ = rest.RespondWithError(w, http.StatusInternalServerError, "Unknown error authenticating user. Please try again")`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`return`
			`}`
Redesign UserMenu, now with support for Gravatar 2020-11-13 06:40:01 +01:00			`payload := map[string]interface{}{`
			`"message": "User '" + username + "' authenticated successfully",`
			`"token": tokenString,`
Allow regular users to change their info, including password. Should fix #199 2021-04-29 04:35:25 +02:00			`"id": user.ID,`
Redesign UserMenu, now with support for Gravatar 2020-11-13 06:40:01 +01:00			`"name": user.Name,`
			`"username": username,`
			`"isAdmin": user.IsAdmin,`
			`}`
			`if conf.Server.EnableGravatar && user.Email != "" {`
			`payload["avatar"] = gravatar.Url(user.Email, 50)`
			`}`
			`_ = rest.RespondWithJSON(w, http.StatusOK, payload)`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`}`

			`func getCredentialsFromBody(r *http.Request) (username string, password string, err error) {`
			`data := make(map[string]string)`
			`decoder := json.NewDecoder(r.Body)`
			`if err = decoder.Decode(&data); err != nil {`
			`log.Error(r, "parsing request body", err)`
Fix all `errcheck` warnings 2020-04-26 18:35:26 +02:00			`err = errors.New("invalid request payload")`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`return`
			`}`
			`username = data["username"]`
			`password = data["password"]`
			`return username, password, nil`
			`}`

			`func CreateAdmin(ds model.DataStore) func(w http.ResponseWriter, r *http.Request) {`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`auth.InitTokenAuth(ds)`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00
			`return func(w http.ResponseWriter, r *http.Request) {`
			`username, password, err := getCredentialsFromBody(r)`
Authenticate UI 2020-01-20 15:54:29 +01:00			`if err != nil {`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`log.Error(r, "parsing request body", err)`
Fix all `errcheck` warnings 2020-04-26 18:35:26 +02:00			`_ = rest.RespondWithError(w, http.StatusUnprocessableEntity, err.Error())`
Authenticate UI 2020-01-20 15:54:29 +01:00			`return`
			`}`
refactor: add Context to the persistence layer 2020-01-27 15:41:33 +01:00			`c, err := ds.User(r.Context()).CountAll()`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`if err != nil {`
Fix all `errcheck` warnings 2020-04-26 18:35:26 +02:00			`_ = rest.RespondWithError(w, http.StatusInternalServerError, err.Error())`
Authenticate UI 2020-01-20 15:54:29 +01:00			`return`
			`}`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`if c > 0 {`
Fix all `errcheck` warnings 2020-04-26 18:35:26 +02:00			`_ = rest.RespondWithError(w, http.StatusForbidden, "Cannot create another first admin")`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`return`
			`}`
refactor: add Context to the persistence layer 2020-01-27 15:41:33 +01:00			`err = createDefaultUser(r.Context(), ds, username, password)`
Authenticate UI 2020-01-20 15:54:29 +01:00			`if err != nil {`
Fix all `errcheck` warnings 2020-04-26 18:35:26 +02:00			`_ = rest.RespondWithError(w, http.StatusInternalServerError, err.Error())`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`return`
Authenticate UI 2020-01-20 15:54:29 +01:00			`}`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`handleLogin(ds, username, password, w, r)`
			`}`
			`}`

refactor: add Context to the persistence layer 2020-01-27 15:41:33 +01:00			`func createDefaultUser(ctx context.Context, ds model.DataStore, username, password string) error {`
feat: add server name and version to all responses This is inline with other Subsonic compatible servers, like funkwhale, madsonic, ampache... 2020-01-30 20:43:24 +01:00			`log.Warn("Creating initial user", "user", username)`
refactor: new persistence, more SQL, less ORM 2020-01-28 14:22:17 +01:00			`now := time.Now()`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`initialUser := model.User{`
Use new simplified `uuid.NewString()` syntax 2021-02-01 07:22:31 +01:00			`ID: uuid.NewString(),`
refactor: new persistence, more SQL, less ORM 2020-01-28 14:22:17 +01:00			`UserName: username,`
			`Name: strings.Title(username),`
			`Email: "",`
Fix create first login 2021-05-02 20:13:17 +02:00			`NewPassword: password,`
refactor: new persistence, more SQL, less ORM 2020-01-28 14:22:17 +01:00			`IsAdmin: true,`
			`LastLoginAt: &now,`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`}`
refactor: add Context to the persistence layer 2020-01-27 15:41:33 +01:00			`err := ds.User(ctx).Put(&initialUser)`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`if err != nil {`
			`log.Error("Could not create initial user", "user", initialUser, err)`
Authenticate UI 2020-01-20 15:54:29 +01:00			`}`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`return nil`
Authenticate UI 2020-01-20 15:54:29 +01:00			`}`
Created InitialSetup method that handles all steps required for starting the server for the first time 2020-01-20 21:17:43 +01:00
Authenticate UI 2020-01-20 15:54:29 +01:00			`func validateLogin(userRepo model.UserRepository, userName, password string) (*model.User, error) {`
			`u, err := userRepo.FindByUsername(userName)`
			`if err == model.ErrNotFound {`
			`return nil, nil`
			`}`
			`if err != nil {`
			`return nil, err`
			`}`
			`if u.Password != password {`
			`return nil, nil`
			`}`
			`err = userRepo.UpdateLastLoginAt(u.ID)`
			`if err != nil {`
			`log.Error("Could not update LastLoginAt", "user", userName)`
			`}`
			`return u, nil`
			`}`

feat: allow regular users to login to the UI 2020-02-06 04:22:44 +01:00			`func contextWithUser(ctx context.Context, ds model.DataStore, claims jwt.MapClaims) context.Context {`
			`userName := claims["sub"].(string)`
			`user, _ := ds.User(ctx).FindByUsername(userName)`
Fix staticcheck's SA1029 2020-05-13 22:49:55 +02:00			`return request.WithUser(ctx, *user)`
Authenticate UI 2020-01-20 15:54:29 +01:00			`}`

feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`func getToken(ds model.DataStore, ctx context.Context) (*jwt.Token, error) {`
			`token, claims, err := jwtauth.FromContext(ctx)`
Authenticate UI 2020-01-20 15:54:29 +01:00
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`valid := err == nil && token != nil && token.Valid`
			`valid = valid && claims["sub"] != nil`
			`if valid {`
			`return token, nil`
			`}`
Authenticate UI 2020-01-20 15:54:29 +01:00
refactor: add Context to the persistence layer 2020-01-27 15:41:33 +01:00			`c, err := ds.User(ctx).CountAll()`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`firstTime := c == 0 && err == nil`
			`if firstTime {`
			`return nil, ErrFirstTime`
			`}`
			`return nil, errors.New("invalid authentication")`
			`}`
Authenticate UI 2020-01-20 15:54:29 +01:00
Use a custom authorization header, to avoid conflicts with proxies using basic auth (fixes #146) 2020-04-06 22:03:20 +02:00			`// This method maps the custom authorization header to the default 'Authorization', used by the jwtauth library`
			`func mapAuthHeader() func(next http.Handler) http.Handler {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`bearer := r.Header.Get(consts.UIAuthorizationHeader)`
			`r.Header.Set("Authorization", bearer)`
			`next.ServeHTTP(w, r)`
			`})`
			`}`
			`}`

			`func authenticator(ds model.DataStore) func(next http.Handler) http.Handler {`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`auth.InitTokenAuth(ds)`
Authenticate UI 2020-01-20 15:54:29 +01:00
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`token, err := getToken(ds, r.Context())`
			`if err == ErrFirstTime {`
Fix all `errcheck` warnings 2020-04-26 18:35:26 +02:00			`_ = rest.RespondWithJSON(w, http.StatusUnauthorized, map[string]string{"message": ErrFirstTime.Error()})`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`return`
			`}`
			`if err != nil {`
Fix all `errcheck` warnings 2020-04-26 18:35:26 +02:00			`_ = rest.RespondWithError(w, http.StatusUnauthorized, "Not authenticated")`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`return`
			`}`

			`claims := token.Claims.(jwt.MapClaims)`

feat: allow regular users to login to the UI 2020-02-06 04:22:44 +01:00			`newCtx := contextWithUser(r.Context(), ds, claims)`
feat: add authentication via JWT token 2020-02-06 22:48:35 +01:00			`newTokenString, err := auth.TouchToken(token)`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`if err != nil {`
			`log.Error(r, "signing new token", err)`
Fix all `errcheck` warnings 2020-04-26 18:35:26 +02:00			`_ = rest.RespondWithError(w, http.StatusUnauthorized, "Not authenticated")`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`return`
			`}`

Use a custom authorization header, to avoid conflicts with proxies using basic auth (fixes #146) 2020-04-06 22:03:20 +02:00			`w.Header().Set(consts.UIAuthorizationHeader, newTokenString)`
feat: first time admin user creation through the ui 2020-01-25 23:10:16 +01:00			`next.ServeHTTP(w, r.WithContext(newCtx))`
			`})`
			`}`
Authenticate UI 2020-01-20 15:54:29 +01:00			`}`