diff --git a/auth/Gemfile b/auth/Gemfile
index ede6601..fef4243 100644
--- a/auth/Gemfile
+++ b/auth/Gemfile
@@ -10,5 +10,6 @@ gem 'webrick'
 gem 'jwt'
 gem 'sqlite3'
 gem 'bcrypt'
+gem 'securerandom'
 # bundle install
\ No newline at end of file
diff --git a/auth/Gemfile.lock b/auth/Gemfile.lock
index 25e79a7..72ec7ca 100644
--- a/auth/Gemfile.lock
+++ b/auth/Gemfile.lock
@@ -9,6 +9,7 @@ GEM
     rack-protection (3.1.0)
       rack (~> 2.2, >= 2.2.4)
     ruby2_keywords (0.0.5)
+    securerandom (0.3.0)
     sinatra (3.1.0)
       mustermann (~> 3.0)
       rack (~> 2.2, >= 2.2.4)
@@ -24,6 +25,7 @@ PLATFORMS
 DEPENDENCIES
   bcrypt
   jwt
+  securerandom
   sinatra
   sqlite3
   webrick
diff --git a/auth/auth.rb b/auth/auth.rb
index 9cedaa2..1f61656 100644
--- a/auth/auth.rb
+++ b/auth/auth.rb
@@ -9,21 +9,23 @@ require 'json'
 require 'sqlite3'
 require 'jwt'
-payload = { data: {time: 'now', help: 'no'}.to_json, test: 'hello' }
-hmac_secret = 'my$ecretK3y'
-token = JWT.encode payload, hmac_secret, 'HS256'
-#puts token
+#puts generate_random_string(256)
-begin
-  decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
-  puts "Token is valid!"
-  puts "Decoded token: #{decoded_token}"
-  puts data_value = decoded_token.first['data']
-  puts test_value = decoded_token.first['test']
-rescue JWT::DecodeError
-  puts "Invalid token or signature!"
-end
+#
+#token = JWT.encode payload, hmac_secret, 'HS256'
+##puts token
+#
+#begin
+#  decoded_token = JWT.decode token, hmac_secret, true, { algorithm: 'HS256' }
+#  puts "Token is valid!"
+#  puts "Decoded token: #{decoded_token}"
+#
+#  puts data_value = decoded_token.first['data']
+#  puts test_value = decoded_token.first['test']
+#rescue JWT::DecodeError
+#  puts "Invalid token or signature!"
+#end
 #puts decoded_token
@@ -38,7 +40,7 @@ post '/auth/login' do
   unless check_if_user_exists username
     status 401
-    return { jwt: "Unuthorized Access" }.to_json
+    return { reply: "Unuthorized Access" }.to_json
   end
   user_id = get_user_id username
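Review bot: The new side keeps the whole JWT demo as a commented-out block (`+#token = JWT.encode ...` through `+#end`) instead of deleting it, and the block still refers to `payload` and `hmac_secret`, both of which this hunk removes, so it cannot be re-enabled as it stands. Version control already preserves the old demo; I would drop the block together with the `+#puts generate_random_string(256)` line, or replace them with a one-line comment such as `# Token issuance lives in get_reauth_jwt below.`. The removed `hmac_secret = 'my$ecretK3y'` was a signing key committed to source; if that value was ever used outside this demo it should be treated as exposed.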
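Review bot: The rewritten `+    return { reply: "Unuthorized Access" }.to_json` line keeps the misspelled user-facing string; since the line is being changed anyway, `return { reply: "Unauthorized Access" }.to_json` would fix it. The same string appears in the `@@ -46,26 +48,41 @@` hunk of this file. The `post '/auth/login'` block starts before this hunk and continues past it.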
@@ -46,26 +48,41 @@ post '/auth/login' do
   unless check_password_for_user(user_id, password)
     status 401
-    return { jwt: "Unuthorized Access" }.to_json
+    return { reply: "Unuthorized Access" }.to_json
   end
-  { jwt: "Logged in" }.to_json
+  reauthJWT = get_reauth_jwt user_id
+
+  return reauthJWT.to_json
 end
-def get_jwt (username, expiry_time)
-  get_claims username
+def get_reauth_jwt (user_id)
+  #claims = get_claims user_id
+
+  payload = {
+    sub: 'reauthentication' ,
+    admin: check_if_user_is_admin(user_id),
+    iss: 'roysathome.net',
+    uid: user_id, #Example id
+    iat: Time.now.to_i,
+    exp: Time.now.to_i + 3600
+  }
+
+  hmac_secret = 'WChX-tQWbGbj_pGJQREoFAZGC9JWh58KSk8O7KPj-P8Nd-J88g3eSFDVuNe6zddj0ZB3yxjm_IuPNPyLhiSnxlWHImqXR6ajh3OzrzYm0bNb3f5C4IAScphyEdAfYGMcM-HvYOXxxxp5u5mryfiV3JH1CTqL1CzGyO8df7zUpRKXEXZ5SKmUvhfLU0XKCR_28FAZUgPCAi3GywkDDsH0by68j33BU5cnMT8KiEkHOX4wVUVDQc85_AuE7fN3ji_WkhnDCSLXU9dBCcXM3ziFFeX0RbvIRDG0vKdzwt4TOr4Jws7NP9w11GrUGDFKARZqvT7FTxwxO3MM-mmjb2xyGg'
+  return JWT.encode payload, hmac_secret, 'HS256'
+#data: {time: 'now', help: 'no'}.to_json
 end
-def get_claims (username)
-  puts "Getting claims for #{username}"
+def get_claims (user_id)
+  puts "Getting claims for #{user_id}"
   db = SQLite3::Database.new('./database/auth.db')
   results = db.execute('
     SELECT C.claim FROM users U
     INNER JOIN user_claims UC ON U.id = UC.user_id
     INNER JOIN claims C ON UC.claim_id = U.id
-    WHERE u.username = ?
-    ', username)
+    WHERE u.id = ?
+    ', user_id)
   if results.empty?
diff --git a/auth/cryptography.rb b/auth/cryptography.rb
index e3f87db..f2c871a 100644
--- a/auth/cryptography.rb
+++ b/auth/cryptography.rb
@@ -1,4 +1,5 @@
 require 'bcrypt'
+require 'securerandom'
 def create_password_for_user(password)
   return BCrypt::Password.create(password)
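Review bot: `get_reauth_jwt` embeds the HS256 signing key as a string literal in `hmac_secret = 'WChX-…'`, so the key now lives in the repository and its history, and anyone who can read the source can mint a token carrying `admin: true`. Load it from the environment instead, e.g. `hmac_secret = ENV.fetch('JWT_HMAC_SECRET')` (variable name illustrative), and treat the committed value as compromised and rotate it. Two smaller points in the same hunk: `iat` and `exp` call `Time.now.to_i` separately, so computing `now = Time.now.to_i` once keeps the two claims consistent, and the login handler's `return reauthJWT.to_json` serializes a bare JSON string while the error branches return objects — `return { jwt: reauthJWT }.to_json` would keep the response shape uniform. The `get_claims` join condition `ON UC.claim_id = U.id` in the context lines looks as if it should reference `C.id`, though that predates this change.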
@@ -12,4 +13,8 @@ def check_password_for_user(user_id, entered_password)
   else
     return false
   end
-end
\ No newline at end of file
+end
+
+def generate_random_string(length)
+  SecureRandom.urlsafe_base64(length)
+ end
\ No newline at end of file
diff --git a/auth/database_queries.rb b/auth/database_queries.rb
index 99b9e69..d2669b1 100644
--- a/auth/database_queries.rb
+++ b/auth/database_queries.rb
@@ -1,13 +1,12 @@
 require 'sqlite3'
-
-def create_new_user(username, password)
+def create_new_user(username, password, is_admin)
   db = SQLite3::Database.new('./database/auth.db')
   db.execute('
-    INSERT INTO users (username, hashed_password)
-    VALUES (?, ?)
-    ', [username.downcase, create_password_for_user(password)])
+    INSERT INTO users (username, hashed_password, is_admin)
+    VALUES (?, ?, ?)
+    ', [username.downcase, create_password_for_user(password), is_admin])
 end
 def check_if_user_exists(username)
@@ -22,6 +21,19 @@ def check_if_user_exists(username)
   end
 end
+def check_if_user_is_admin(user_id)
+  db = SQLite3::Database.new('./database/auth.db')
+
+  result = db.get_first_value('SELECT is_admin FROM users WHERE id = ?', user_id)
+
+  if result == 1
+    return true
+  else
+    return false
+  end
+end
+
+
 def get_user_id(username)
   db = SQLite3::Database.new('./database/auth.db')
diff --git a/auth/initialize_database.rb b/auth/initialize_database.rb
index 63c9c89..9b31e7a 100644
--- a/auth/initialize_database.rb
+++ b/auth/initialize_database.rb
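Review bot: In `generate_random_string(length)` the argument goes straight into `SecureRandom.urlsafe_base64(length)`, where it is the number of random bytes rather than the length of the returned string (the result is roughly four thirds as many characters), so the parameter name promises something the method does not deliver. Either rename it to `byte_length` or add a comment such as `# length is the number of random bytes; the returned string is longer.`. The closing `+ end` is indented by one space where the rest of the file's `end` lines sit at column 0.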
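Review bot: `create_new_user` gains a third positional parameter `is_admin` with no default, so any caller not updated in this commit now raises ArgumentError; the only caller visible in this diff (initialize_database.rb) is updated, but a keyword with a safe default, `def create_new_user(username, password, is_admin: 0)`, keeps older calls working and makes the privilege flag explicit at the call site. The value is inserted unvalidated, and `check_if_user_is_admin` treats only `1` as admin, so anything else is silently stored as a non-admin user — worth a one-line comment on the parameter.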
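Review bot: `check_if_user_is_admin` opens a fresh `SQLite3::Database` handle on every call and never closes it, following the pattern of the surrounding helpers; wrapping the query in `begin … ensure db.close end` (or the block form of `SQLite3::Database.new`, if the installed gem version supports it) would stop the handle leak in the new code at least. The `if result == 1 / return true / else / return false / end` ladder reduces to `result == 1`. A missing user makes `get_first_value` return `nil`, which this already treats as non-admin; a comment saying so would make that intentional.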
@@ -16,7 +16,7 @@ def initialize_database
   db = SQLite3::Database.new('./database/auth.db')
   puts 'Creating tables if necessary.'
-  db.execute('CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, username TEXT, hashed_password TEXT, salt TEXT)')
+  db.execute('CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, username TEXT, hashed_password TEXT, is_admin INTEGER)')
   db.execute('CREATE TABLE IF NOT EXISTS claims (id INTEGER PRIMARY KEY, claim TEXT)')
   db.execute('CREATE TABLE IF NOT EXISTS user_claims (id INTEGER PRIMARY KEY, user_id INTEGER, claim_id INTEGER)')
@@ -25,7 +25,7 @@ def initialize_database
   if result == 0
     puts 'Default admin user added.'
-    create_new_user('admin', 'pass123')
+    create_new_user('admin', 'pass123', 1)
   else
     puts 'Table already contains data. Skipping default user creation.'
   end
@@ -36,6 +36,10 @@ def initialize_database
   db.execute('INSERT INTO claims (claim) VALUES (?)', ['add_user'])
   db.execute('INSERT INTO claims (claim) VALUES (?)', ['remove_user'])
   db.execute('INSERT INTO claims (claim) VALUES (?)', ['add_claim_to_user'])
+  db.execute('INSERT INTO claims (claim) VALUES (?)', ['is_machine'])
+  db.execute('INSERT INTO claims (claim) VALUES (?)', ['is_user'])
+  db.execute('INSERT INTO claims (claim) VALUES (?)', ['remove_claim_from_user'])
+  db.execute('INSERT INTO claims (claim) VALUES (?)', ['remove_claim_from_user'])
   db.execute('INSERT INTO claims (claim) VALUES (?)', ['remove_claim_from_user'])
 end
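Review bot: Swapping `salt TEXT` for `is_admin INTEGER` inside `CREATE TABLE IF NOT EXISTS users (...)` does nothing for a database file that already exists, because the statement is a no-op on an existing table; `create_new_user` will then fail on the missing `is_admin` column. Either add an explicit migration step (for example `ALTER TABLE users ADD COLUMN is_admin INTEGER` guarded by a check of the existing columns) or document that the database must be recreated, and consider `is_admin INTEGER NOT NULL DEFAULT 0` so a forgotten flag is never stored as NULL. `initialize_database` starts before this hunk.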
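Review bot: The default administrator is still created with the literal password on the `+    create_new_user('admin', 'pass123', 1)` line, and this commit now grants that account the admin flag. Since `generate_random_string` is introduced in the same commit, generating the initial password with it and printing it once on first run, or reading it from an environment variable, would avoid shipping a known credential. `initialize_database` starts before this hunk.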
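Review bot: The two added lines `+  db.execute('INSERT INTO claims (claim) VALUES (?)', ['remove_claim_from_user'])` duplicate the existing insert of the same claim directly below them, so the claims table ends up with three `remove_claim_from_user` rows, and the `claims` schema in this file has no UNIQUE constraint that would reject them. Drop the two duplicated lines, or add a `UNIQUE` constraint on `claim` and use `INSERT OR IGNORE` so re-running the initializer is idempotent. `initialize_database` starts before this hunk.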