mattnite
/
forgejo-tickets
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
forgejo-tickets/internal/auth/tokens.go

92 lines
2.9 KiB
Go
Raw Blame History

package auth
import (
"context"
"crypto/rand"
"crypto/sha256"
"encoding/hex"
"fmt"
"time"
"github.com/google/uuid"
"github.com/mattnite/forgejo-tickets/internal/models"
"golang.org/x/crypto/bcrypt"
)
func (s *Service) GenerateVerificationToken(ctx context.Context, userID uuid.UUID) (string, error) {
return s.generateToken(ctx, userID, models.TokenTypeVerifyEmail, 24*time.Hour)
}
func (s *Service) GeneratePasswordResetToken(ctx context.Context, userID uuid.UUID) (string, error) {
return s.generateToken(ctx, userID, models.TokenTypeResetPassword, 1*time.Hour)
}
func (s *Service) VerifyEmailToken(ctx context.Context, plainToken string) (*models.User, error) {
return s.redeemToken(ctx, plainToken, models.TokenTypeVerifyEmail, func(ctx context.Context, userID uuid.UUID) error {
return s.db.WithContext(ctx).Model(&models.User{}).Where("id = ?", userID).Update("email_verified", true).Error
})
}
func (s *Service) RedeemPasswordResetToken(ctx context.Context, plainToken, newPassword string) (*models.User, error) {
return s.redeemToken(ctx, plainToken, models.TokenTypeResetPassword, func(ctx context.Context, userID uuid.UUID) error {
hash, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost)
if err != nil {
return err
}
hashStr := string(hash)
return s.db.WithContext(ctx).Model(&models.User{}).Where("id = ?", userID).Update("password_hash", hashStr).Error
})
}
func (s *Service) generateToken(ctx context.Context, userID uuid.UUID, tokenType models.TokenType, ttl time.Duration) (string, error) {
tokenBytes := make([]byte, 32)
if _, err := rand.Read(tokenBytes); err != nil {
return "", err
}
plainToken := hex.EncodeToString(tokenBytes)
tokenHash := hashToken(plainToken)
emailToken := models.EmailToken{
UserID: userID,
TokenHash: tokenHash,
TokenType: tokenType,
ExpiresAt: time.Now().Add(ttl),
}
if err := s.db.WithContext(ctx).Create(&emailToken).Error; err != nil {
return "", fmt.Errorf("create token: %w", err)
}
return plainToken, nil
}
func (s *Service) redeemToken(ctx context.Context, plainToken string, tokenType models.TokenType, action func(context.Context, uuid.UUID) error) (*models.User, error) {
tokenHash := hashToken(plainToken)
var token models.EmailToken
if err := s.db.WithContext(ctx).Where("token_hash = ? AND token_type = ? AND expires_at > ? AND used_at IS NULL",
tokenHash, tokenType, time.Now()).First(&token).Error; err != nil {
return nil, fmt.Errorf("invalid or expired token")
}
if err := action(ctx, token.UserID); err != nil {
return nil, err
}
now := time.Now()
s.db.WithContext(ctx).Model(&token).Update("used_at", &now)
var user models.User
if err := s.db.WithContext(ctx).First(&user, "id = ?", token.UserID).Error; err != nil {
return nil, err
}
return &user, nil
}
func hashToken(plainToken string) string {
h := sha256.Sum256([]byte(plainToken))
return hex.EncodeToString(h[:])
}
Reference in New Issue View Git Blame Copy Permalink