523 lines
16 KiB
Go
523 lines
16 KiB
Go
/*
|
|
* Amsterdam Web Communities System
|
|
* Copyright (c) 2025 Erbosoft Metaverse Design Solutions, All Rights Reserved
|
|
*
|
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
* file, You can obtain one at https://mozilla.org/MPL/2.0/.
|
|
*/
|
|
// The database package contains database management and storage logic.
|
|
package database
|
|
|
|
import (
|
|
"crypto/sha1"
|
|
"encoding/hex"
|
|
"errors"
|
|
"fmt"
|
|
"hash/crc32"
|
|
"strconv"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"git.erbosoft.com/amy/amsterdam/util"
|
|
lru "github.com/hashicorp/golang-lru"
|
|
log "github.com/sirupsen/logrus"
|
|
)
|
|
|
|
// PasswordChangeRequest represents a temporary password change request.
|
|
type PasswordChangeRequest struct {
|
|
Uid int32
|
|
Username string
|
|
Email string
|
|
Authentication int32
|
|
Expires time.Time
|
|
}
|
|
|
|
// passwordRequests contains a map of password change requests currently managed.
|
|
var passwordRequests map[int32]*PasswordChangeRequest = make(map[int32]*PasswordChangeRequest)
|
|
|
|
/* AmNewPasswordChangeRequest creates a new password change request and enrolls it.
|
|
* Parameters:
|
|
* uid - The UID of the user.
|
|
* username - The user name of the user.
|
|
* email - The E-mail address of the user.
|
|
* Returns:
|
|
* Pointer to the new PasswordChangeRequest.
|
|
*/
|
|
func AmNewPasswordChangeRequest(uid int32, username string, email string) *PasswordChangeRequest {
|
|
rc := PasswordChangeRequest{Uid: uid, Username: username, Email: email,
|
|
Authentication: util.GenerateRandomConfirmationNumber(), Expires: time.Now().Add(time.Hour)}
|
|
passwordRequests[uid] = &rc
|
|
return &rc
|
|
}
|
|
|
|
/* AmGetPasswordChangeRequest retrieves the password change request for a UID.
|
|
* Parameters:
|
|
* uid - The UID to retrieve the request for.
|
|
* Returns:
|
|
* The PasswordChangeRequest pointer, or nil.
|
|
*/
|
|
func AmGetPasswordChangeRequest(uid int32) *PasswordChangeRequest {
|
|
rc := passwordRequests[uid]
|
|
if rc != nil {
|
|
delete(passwordRequests, uid)
|
|
}
|
|
return rc
|
|
}
|
|
|
|
// User represents a user in the Amsterdam database.
|
|
type User struct {
|
|
Mutex sync.RWMutex
|
|
Uid int32 `db:"uid"`
|
|
Username string `db:"username"`
|
|
Passhash string `db:"passhash"`
|
|
Tokenauth *string `db:"tokenauth"`
|
|
ContactID int32 `db:"contactid"`
|
|
IsAnon bool `db:"is_anon"`
|
|
VerifyEMail bool `db:"verify_email"`
|
|
Lockout bool `db:"lockout"`
|
|
AccessTries int16 `db:"access_tries"`
|
|
EmailConfNum int32 `db:"email_confnum"`
|
|
BaseLevel uint16 `db:"base_lvl"`
|
|
Created time.Time `db:"created"`
|
|
LastAccess *time.Time `db:"lastaccess"`
|
|
PassReminder string `db:"passreminder"`
|
|
Description *string `db:"description"`
|
|
DOB *time.Time `db:"dob"`
|
|
}
|
|
|
|
// UserProperties represents a property entry for a user.
|
|
type UserProperties struct {
|
|
Uid int32 `db:"uid"`
|
|
Index int32 `db:"ndx"`
|
|
Data *string `db:"data"`
|
|
}
|
|
|
|
// userCache is the cache for User objects.
|
|
var userCache *lru.TwoQueueCache = nil
|
|
|
|
// getUserMutex is a mutex on AmGetUser.
|
|
var getUserMutex sync.Mutex
|
|
|
|
// anonUid is the UID of the "anonymous" user.
|
|
var anonUid int32 = -1
|
|
|
|
// init initializes the user cache.
|
|
func init() {
|
|
var err error
|
|
userCache, err = lru.New2Q(100)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
}
|
|
|
|
// ContactInfo returns the contact info structure for the user.
|
|
func (u *User) ContactInfo() (*ContactInfo, error) {
|
|
if u.ContactID < 0 {
|
|
return nil, nil
|
|
}
|
|
return AmGetContactInfo(u.ContactID)
|
|
}
|
|
|
|
/* NewAuthToken generates and returns a new authentication token for the user.
|
|
* Returns:
|
|
* Authentication token value
|
|
* Standard Go error status.
|
|
*/
|
|
func (u *User) NewAuthToken() (string, error) {
|
|
if u.IsAnon {
|
|
return "", errors.New("cannot generate token for anonymous user")
|
|
}
|
|
u.Mutex.Lock()
|
|
defer u.Mutex.Unlock()
|
|
newToken := util.GenerateRandomAuthString()
|
|
if _, err := amdb.Exec("UPDATE users SET tokenauth = ? WHERE uid = ?", newToken, u.Uid); err != nil {
|
|
return "", err
|
|
}
|
|
u.Tokenauth = &newToken
|
|
checkValue := uint32(u.Uid) ^ crc32.ChecksumIEEE([]byte(newToken))
|
|
return fmt.Sprintf("AQAT:%d|%s|%d|", u.Uid, newToken, checkValue), nil
|
|
}
|
|
|
|
/* ConfirmEMailAddress checks the E-mail confirmation number and sets "verified" status if it's OK.
|
|
* Parameters:
|
|
* confnum - The entered confirmation number.
|
|
* remoteIP - The remote IP address for audit messages.
|
|
* Returns:
|
|
* Standard Go error status.
|
|
*/
|
|
func (u *User) ConfirmEMailAddress(confnum int32, remoteIP string) error {
|
|
var ar *AuditRecord = nil
|
|
defer func() {
|
|
AmStoreAudit(ar)
|
|
}()
|
|
|
|
log.Debugf("ConfirmEMailAddress for UID %d", u.Uid)
|
|
u.Mutex.Lock()
|
|
defer u.Mutex.Unlock()
|
|
if u.VerifyEMail || AmTestPermission("Global.NoEmailVerify", u.BaseLevel) {
|
|
log.Debug("...user has either already confirmed or is exempt")
|
|
return nil
|
|
}
|
|
if confnum != u.EmailConfNum {
|
|
log.Warn("...confirmation number incorrect")
|
|
ar = AmNewAudit(AuditVerifyEmailFail, u.Uid, remoteIP, "Invalid confirmation number")
|
|
return errors.New("confirmation number is incorrect. Please try again")
|
|
}
|
|
_, err := amdb.Exec("UPDATE users SET verify_email = 1, base_lvl = ? WHERE uid = ?",
|
|
AmDefaultRole("Global.AfterVerify").Level(), u.Uid)
|
|
if err == nil {
|
|
u.VerifyEMail = true
|
|
u.BaseLevel = AmDefaultRole("Global.AfterVerify").Level()
|
|
// TODO: auto-join communities if necessary
|
|
ar = AmNewAudit(AuditVerifyEmailOK, u.Uid, remoteIP)
|
|
}
|
|
return err
|
|
}
|
|
|
|
// NewEmailConfirmationNumber creates a new confirmation number for a user and saves it off.
|
|
func (u *User) NewEmailConfirmationNumber() error {
|
|
u.Mutex.Lock()
|
|
defer u.Mutex.Unlock()
|
|
newnum := util.GenerateRandomConfirmationNumber()
|
|
_, err := amdb.Exec("UPDATE users SET email_confnum = ? WHERE uid = ?", newnum, u.Uid)
|
|
if err != nil {
|
|
u.EmailConfNum = newnum
|
|
}
|
|
return err
|
|
}
|
|
|
|
// ChangePassword resets a user's password.
|
|
func (u *User) ChangePassword(password string, remoteIP string) error {
|
|
var ar *AuditRecord = nil
|
|
defer func() {
|
|
AmStoreAudit(ar)
|
|
}()
|
|
|
|
u.Mutex.Lock()
|
|
defer u.Mutex.Unlock()
|
|
pval := hashPassword(password)
|
|
_, err := amdb.Exec("UPDATE users SET passhash = ? WHERE uid = ?", pval, u.Uid)
|
|
if err == nil {
|
|
u.Passhash = pval
|
|
ar = AmNewAudit(AuditChangePassword, u.Uid, remoteIP, "via password change request")
|
|
}
|
|
return err
|
|
}
|
|
|
|
/* AmGetUser returns a reference to the specified user.
|
|
* Parameters:
|
|
* uid - The UID of the user.
|
|
* Returns:
|
|
* Pointer to User containing user data, or nil
|
|
* Standard Go error status
|
|
*/
|
|
func AmGetUser(uid int32) (*User, error) {
|
|
var err error = nil
|
|
getUserMutex.Lock()
|
|
defer getUserMutex.Unlock()
|
|
rc, ok := userCache.Get(uid)
|
|
if !ok {
|
|
var dbdata []User
|
|
err = amdb.Select(&dbdata, "SELECT * from users WHERE uid = ?", uid)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(dbdata) > 1 {
|
|
return nil, fmt.Errorf("AmGetUser(%d): too many responses(%d)", uid, len(dbdata))
|
|
}
|
|
rc = &(dbdata[0])
|
|
userCache.Add(uid, rc)
|
|
}
|
|
return rc.(*User), err
|
|
}
|
|
|
|
/* AmGetUserByName returns a reference to the specified user.
|
|
* Parameters:
|
|
* name - The username of the user.
|
|
* Returns:
|
|
* Pointer to User containing user data, or nil
|
|
* Standard Go error status
|
|
*/
|
|
func AmGetUserByName(name string) (*User, error) {
|
|
var dbdata []User
|
|
err := amdb.Select(&dbdata, "SELECT * FROM users WHERE username = ?", name)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if len(dbdata) > 1 {
|
|
return nil, fmt.Errorf("AmGetUserByName(\"%s\"): too many responses(%d)", name, len(dbdata))
|
|
}
|
|
getUserMutex.Lock()
|
|
defer getUserMutex.Unlock()
|
|
rc, ok := userCache.Get(dbdata[0].Uid)
|
|
if !ok {
|
|
rc = &(dbdata[0])
|
|
userCache.Add(dbdata[0].Uid, rc)
|
|
}
|
|
return rc.(*User), nil
|
|
}
|
|
|
|
// getAnonUserID retrieves the UID of the "anonymous" user from the database.
|
|
func getAnonUserID() (int32, error) {
|
|
if anonUid < 0 {
|
|
rows, err := amdb.Query("SELECT uid FROM users WHERE is_anon = 1")
|
|
if err == nil {
|
|
defer rows.Close()
|
|
if rows.Next() {
|
|
err = rows.Scan(&anonUid)
|
|
if err == nil && rows.Next() {
|
|
err = fmt.Errorf("should be only one anonymous user in Amsterdam database")
|
|
}
|
|
} else {
|
|
err = fmt.Errorf("no anonymous user in Amsterdam database")
|
|
}
|
|
}
|
|
if err != nil {
|
|
return -1, err
|
|
}
|
|
}
|
|
return anonUid, nil
|
|
}
|
|
|
|
/* AmIsUserAnon returns true if the specified user ID is the anonymous one.
|
|
* Parameters:
|
|
* uid = The user ID to test.
|
|
* Returns:
|
|
* true if the user is anonymous, false if not
|
|
* Standard Go error status
|
|
*/
|
|
func AmIsUserAnon(uid int32) (bool, error) {
|
|
auid, err := getAnonUserID()
|
|
return (uid == auid), err
|
|
}
|
|
|
|
/* AmGetAnonUser returns a reference to the anonymous user.
|
|
* Returns:
|
|
* Pointer to User containing anonymous user data, or nil
|
|
* Standard Go error status
|
|
*/
|
|
func AmGetAnonUser() (*User, error) {
|
|
var rc *User = nil
|
|
auid, err := getAnonUserID()
|
|
if err == nil {
|
|
rc, err = AmGetUser(auid)
|
|
}
|
|
return rc, err
|
|
}
|
|
|
|
// hashPassword hashes the password value.
|
|
func hashPassword(password string) string {
|
|
if len(password) == 0 {
|
|
return ""
|
|
}
|
|
hasher := sha1.New()
|
|
hasher.Write([]byte(password))
|
|
hashBytes := hasher.Sum(nil)
|
|
return hex.EncodeToString(hashBytes)
|
|
}
|
|
|
|
// touchUser updates the last access time for the user.
|
|
func touchUser(user *User) {
|
|
user.Mutex.Lock()
|
|
defer user.Mutex.Unlock()
|
|
moment := time.Now()
|
|
_, _ = amdb.Exec("UPDATE user SET lastaccess = ? WHERE uid = ?", moment, user.Uid)
|
|
user.LastAccess = &moment
|
|
}
|
|
|
|
/* AmAuthenticateUser authenticates a user by name and password.
|
|
* Parameters:
|
|
* name - The user name to try.
|
|
* password - The password to try.
|
|
* remote_ip - The remote IP address, for audit records.
|
|
* Returns:
|
|
* The User pointer if authenticated, or nil if not.
|
|
* Standard Go error status.
|
|
*/
|
|
func AmAuthenticateUser(name string, password string, remoteIP string) (*User, error) {
|
|
log.Debugf("AmAuthenicate() authenticating user %s...", name)
|
|
var ar *AuditRecord = nil
|
|
defer func() {
|
|
AmStoreAudit(ar)
|
|
}()
|
|
|
|
user, err := AmGetUserByName(name)
|
|
if err != nil {
|
|
log.Error("...user not found")
|
|
ar = AmNewAudit(AuditLoginFail, 0, remoteIP, fmt.Sprintf("Bad username: %s", name))
|
|
return nil, errors.New("the user account you have specified does not exist; please try again")
|
|
}
|
|
if user.IsAnon {
|
|
log.Error("...user is the Anonymous Honyak, can't explicitly log in")
|
|
ar = AmNewAudit(AuditLoginFail, user.Uid, remoteIP, "Anonymous user")
|
|
return nil, errors.New("this account cannot be explicitly logged into; please try again")
|
|
}
|
|
if user.Lockout {
|
|
log.Error("...user is locked out by the admin")
|
|
ar = AmNewAudit(AuditLoginFail, user.Uid, remoteIP, "Account locked out")
|
|
return nil, errors.New("this account has been administratively locked; please contact the system administrator for assistance")
|
|
}
|
|
h := hashPassword(password)
|
|
if h != user.Passhash {
|
|
log.Warn("...invalid password")
|
|
ar = AmNewAudit(AuditLoginFail, user.Uid, remoteIP, "Bad password")
|
|
return nil, errors.New("the password you have specified is incorrect; please try again")
|
|
}
|
|
log.Debug("...authenticated")
|
|
touchUser(user)
|
|
ar = AmNewAudit(AuditLoginOK, user.Uid, remoteIP)
|
|
return user, nil
|
|
}
|
|
|
|
// crackAuthString validates an auth string and returns its UID and auth token.
|
|
func crackAuthString(authString string) (int32, string, error) {
|
|
log.Debug("Decoding authString " + authString)
|
|
if !strings.HasPrefix(authString, "AQAT:") {
|
|
return 0, "", errors.New("prefix not valid")
|
|
}
|
|
parms := strings.Split(authString[5:], "|")
|
|
n1, err := strconv.ParseInt(parms[0], 10, 32)
|
|
if err != nil {
|
|
return 0, "", fmt.Errorf("invalid UID field: %v", err)
|
|
}
|
|
uid := int32(n1)
|
|
n2, err2 := strconv.ParseUint(parms[2], 10, 32)
|
|
if err2 != nil {
|
|
return 0, "", fmt.Errorf("invalid checkvalue field: %v", err2)
|
|
}
|
|
cv1 := uint32(n2)
|
|
cv2 := uint32(uid) ^ crc32.ChecksumIEEE([]byte(parms[1]))
|
|
if cv1 != cv2 {
|
|
return 0, "", errors.New("checkvalues do not match")
|
|
}
|
|
return uid, parms[1], nil
|
|
}
|
|
|
|
/* AmAuthenticateUserByToken authenticates a user via the stored cookie authentication string.
|
|
* Parameters:
|
|
* authString - The stored cookie authentication string.
|
|
* remoteIP - The remote IP address wheter trhe user is logging in from.
|
|
* Returns:
|
|
* Pointer to the authenticated User, or nil.
|
|
* Standard Go error status.
|
|
*/
|
|
func AmAuthenticateUserByToken(authString string, remoteIP string) (*User, error) {
|
|
var ar *AuditRecord = nil
|
|
defer func() {
|
|
AmStoreAudit(ar)
|
|
}()
|
|
|
|
uid, token, err := crackAuthString(authString)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("authString not valid, ignored: %v", err)
|
|
}
|
|
var user *User
|
|
user, err = AmGetUser(uid)
|
|
if err != nil {
|
|
log.Error("...user not found")
|
|
ar = AmNewAudit(AuditLoginFail, 0, remoteIP, fmt.Sprintf("Bad uid: %d", uid))
|
|
return nil, fmt.Errorf("uid %d not found, ignore: %v", uid, err)
|
|
}
|
|
log.Debugf("AmAuthenicateUserByToken() authenticating user %d...", uid)
|
|
if user.IsAnon {
|
|
log.Error("...user is the Anonymous Honyak, can't explicitly log in")
|
|
ar = AmNewAudit(AuditLoginFail, user.Uid, remoteIP, "Anonymous user")
|
|
return nil, errors.New("this account cannot be explicitly logged into; please try again")
|
|
}
|
|
if user.Lockout {
|
|
log.Error("...user is locked out by the admin")
|
|
ar = AmNewAudit(AuditLoginFail, user.Uid, remoteIP, "Account locked out")
|
|
return nil, errors.New("this account has been administratively locked; please contact the system administrator for assistance")
|
|
}
|
|
if user.Tokenauth == nil || *(user.Tokenauth) != token {
|
|
log.Error("...token mismatch")
|
|
ar = AmNewAudit(AuditLoginFail, user.Uid, remoteIP, "Token mismatch")
|
|
return nil, errors.New("token mismatch")
|
|
}
|
|
log.Debug("...authenticated")
|
|
touchUser(user)
|
|
ar = AmNewAudit(AuditLoginOK, user.Uid, remoteIP)
|
|
return user, nil
|
|
}
|
|
|
|
/* AmCreateNewUser creates a new user record in the database.
|
|
* Parameters:
|
|
* username - New user name.
|
|
* password - New password.
|
|
* reminder - Password reminder string.
|
|
* dob - User date of birth.
|
|
* remoteIP - Remote IP address for audit record.
|
|
* Returns:
|
|
* Pointer to new user record.
|
|
* Standard Go error status.
|
|
*/
|
|
func AmCreateNewUser(username string, password string, reminder string, dob *time.Time, remoteIP string) (*User, error) {
|
|
var ar *AuditRecord = nil
|
|
defer func() {
|
|
AmStoreAudit(ar)
|
|
}()
|
|
|
|
amdb.Exec("LOCK TABLES users WRITE, userprefs WRITE, propuser WRITE, commmember WRITE, sideboxes WRITE, confhotlist WRITE;")
|
|
defer amdb.Exec("UNLOCK TABLES;")
|
|
|
|
// Test if the user name is already taken.
|
|
rs, err := amdb.Query("SELECT uid FROM users WHERE username = ?", username)
|
|
if err != nil {
|
|
return nil, err
|
|
} else if rs.Next() {
|
|
log.Warnf("username \"%s\" already exists", username)
|
|
return nil, errors.New("that user name already exists. Please try again")
|
|
}
|
|
|
|
// Insert the user record.
|
|
_, err2 := amdb.Exec(`INSERT INTO users (username, passhash, verify_email, lockout, email_confnum,
|
|
base_lvl, created, lastaccess, passreminder, description, dob) VALUES (?, ?, 0, 0, ?, ?, NOW(), NOW(), ?, '', ?)`,
|
|
username, hashPassword(password), util.GenerateRandomConfirmationNumber(), AmDefaultRole("Global.NewUser").Level(),
|
|
reminder, *dob)
|
|
if err2 != nil {
|
|
return nil, err2
|
|
}
|
|
// Read back the user, which also puts it in the cache.
|
|
user, err3 := AmGetUserByName(username)
|
|
if err3 != nil {
|
|
return nil, err3
|
|
}
|
|
log.Debugf("...created new user \"%s\" with UID %d", username, user.Uid)
|
|
|
|
// add user preferences
|
|
_, err = amdb.Exec("INSERT INTO userprefs (uid) VALUES (?)", user.Uid)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// add user properties
|
|
props := make([]UserProperties, 0)
|
|
anon, _ := getAnonUserID()
|
|
err = amdb.Select(props, "SELECT * FROM propuser WHERE uid = ?", anon)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
for _, p := range props {
|
|
_, err := amdb.Exec("INSTERT INTO propuser (uid, ndx, data) VALUES (?, ?, ?)", user.Uid, p.Index, p.Data)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
// add user sideboxes
|
|
err = copySideboxes(user.Uid, anon)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// TODO: auto-join communities
|
|
|
|
// TODO: copy conference hotlists
|
|
|
|
// operation was a success - add an audit record
|
|
ar = AmNewAudit(AuditAccountCreated, user.Uid, remoteIP)
|
|
return user, nil
|
|
}
|