Add user auth

kylecarbs · kylecarbs · commit c652f7372a6c · 2022-01-19T18:28:57.000Z
diff --git a/coderd/authentication.go b/coderd/authentication.go
diff --git a/coderd/coderd.go b/coderd/coderd.go
@@ -26,13 +26,13 @@ func New(options *Options) http.Handler {
 
 	r := chi.NewRouter()
 	r.Route("/api/v2", func(r chi.Router) {
-		// The base route!
 		r.Get("/", func(w http.ResponseWriter, r *http.Request) {
 			httpapi.Write(w, http.StatusOK, httpapi.Response{
 				Message: "👋",
 			})
 		})
 		r.Post("/user", users.createInitialUser)
+		r.Post("/login", users.loginWithPassword)
 		// Require an API key and authenticated user for this group.
 		r.Group(func(r chi.Router) {
 			r.Use(
diff --git a/coderd/coderdtest/coderdtest.go b/coderd/coderdtest/coderdtest.go
@@ -11,16 +11,19 @@ import (
 	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/coder/coderd"
 	"github.com/coder/coder/codersdk"
-	"github.com/coder/coder/database"
 	"github.com/coder/coder/database/databasefake"
 )
 
+// Server represents a test instance of coderd.
+// The database is intentionally omitted from
+// this struct to promote data being exposed via
+// the API.
 type Server struct {
-	Client   *codersdk.Client
-	Database database.Store
-	URL      *url.URL
+	Client *codersdk.Client
+	URL    *url.URL
 }
 
+// New constructs a new coderd test instance.
 func New(t *testing.T) Server {
 	// This can be hotswapped for a live database instance.
 	db := databasefake.New()
@@ -41,9 +44,14 @@ func New(t *testing.T) Server {
 	})
 	require.NoError(t, err)
 
+	err = client.LoginWithPassword(context.Background(), coderd.LoginWithPasswordRequest{
+		Email:    "testuser@coder.com",
+		Password: "testpassword",
+	})
+	require.NoError(t, err)
+
 	return Server{
-		Client:   client,
-		Database: db,
-		URL:      u,
+		Client: client,
+		URL:    u,
 	}
 }
diff --git a/coderd/userpassword/userpassword_test.go b/coderd/userpassword/userpassword_test.go
@@ -3,8 +3,9 @@ package userpassword_test
 import (
 	"testing"
 
-	"github.com/coder/coder/coderd/userpassword"
 	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/coderd/userpassword"
 )
 
 func TestUserPassword(t *testing.T) {
diff --git a/coderd/users.go b/coderd/users.go
@@ -2,6 +2,7 @@ package coderd
 
 import (
 	"context"
+	"crypto/sha256"
 	"database/sql"
 	"errors"
 	"fmt"
@@ -12,6 +13,7 @@ import (
 	"github.com/google/uuid"
 
 	"github.com/coder/coder/coderd/userpassword"
+	"github.com/coder/coder/cryptorand"
 	"github.com/coder/coder/database"
 	"github.com/coder/coder/httpapi"
 	"github.com/coder/coder/httpmw"
@@ -57,7 +59,7 @@ func (users *users) createInitialUser(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if userCount != 0 {
-		httpapi.Write(rw, http.StatusForbidden, httpapi.Response{
+		httpapi.Write(rw, http.StatusConflict, httpapi.Response{
 			Message: "the initial user has already been created",
 		})
 		return
@@ -116,7 +118,7 @@ func (users *users) getAuthenticatedUser(rw http.ResponseWriter, r *http.Request
 
 func (users *users) loginWithPassword(rw http.ResponseWriter, r *http.Request) {
 	var loginWithPassword LoginWithPasswordRequest
-	if !httpapi.Read(rw, r, loginWithPassword) {
+	if !httpapi.Read(rw, r, &loginWithPassword) {
 		return
 	}
 	user, err := users.Database.GetUserByEmailOrUsername(r.Context(), database.GetUserByEmailOrUsernameParams{
@@ -149,25 +151,50 @@ func (users *users) loginWithPassword(rw http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// key, secret := (&database.APIKey{
-	// 	UserID:           actor.ID,
-	// 	ExpiresAt:        expiresAt,
-	// 	LoginType:        actor.LoginType,
-	// 	OIDCAccessToken:  oidcCfg.AccessToken,
-	// 	OIDCRefreshToken: oidcCfg.RefreshToken,
-	// 	OIDCIDToken:      oidcCfg.IDToken,
-	// 	// OIDCExpiry indicates when we need to fetch a new OIDC token.
-	// 	OIDCExpiry:  oidcCfg.Expiry,
-	// 	DevurlToken: devurlToken,
-	// }).Fill()
-
-	users.Database.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{
-		ID:           uuid.NewString(),
+	id, secret, err := generateAPIKeyIDSecret()
+	hashed := sha256.Sum256([]byte(secret))
+
+	_, err = users.Database.InsertAPIKey(r.Context(), database.InsertAPIKeyParams{
+		ID:           id,
 		UserID:       user.ID,
 		ExpiresAt:    database.Now().Add(24 * time.Hour),
 		CreatedAt:    database.Now(),
 		UpdatedAt:    database.Now(),
-		HashedSecret: []byte(""),
+		HashedSecret: hashed[:],
 		LoginType:    database.LoginTypeBuiltIn,
 	})
+	if err != nil {
+		httpapi.Write(rw, http.StatusInternalServerError, httpapi.Response{
+			Message: fmt.Sprintf("insert api key: %s", err.Error()),
+		})
+		return
+	}
+
+	sessionToken := fmt.Sprintf("%s-%s", id, secret)
+	http.SetCookie(rw, &http.Cookie{
+		Name:     httpmw.AuthCookie,
+		Value:    sessionToken,
+		Path:     "/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+
+	render.Status(r, http.StatusCreated)
+	render.JSON(rw, r, LoginWithPasswordResponse{
+		SessionToken: sessionToken,
+	})
+}
+
+func generateAPIKeyIDSecret() (string, string, error) {
+	// Length of an API Key ID.
+	id, err := cryptorand.String(10)
+	if err != nil {
+		return "", "", err
+	}
+	// Length of an API Key secret.
+	secret, err := cryptorand.String(22)
+	if err != nil {
+		return "", "", err
+	}
+	return id, secret, nil
 }
diff --git a/coderd/users_test.go b/coderd/users_test.go
@@ -1,33 +1,55 @@
 package coderd_test
 
 import (
-	"bytes"
-	"crypto/rand"
-	"crypto/sha256"
-	"encoding/base64"
-	"fmt"
+	"context"
 	"testing"
 
-	"golang.org/x/crypto/pbkdf2"
+	"github.com/coder/coder/coderd"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/stretchr/testify/require"
 )
 
 func TestUsers(t *testing.T) {
-	// t.Run("AuthenticatedUser", func(t *testing.T) {
-	// 	_ = coderdtest.New(t)
-	// })
-
-	t.Run("Pass", func(t *testing.T) {
-		salt := make([]byte, 16)
-		_, err := rand.Read(salt)
-		if err != nil {
-			panic("unexpected: crypto/rand.Read returned an error: " + err.Error())
-		}
-		hash := pbkdf2.Key([]byte("hello"), salt, 65535, 64, sha256.New)
-		str := base64.StdEncoding.EncodeToString(hash)
-
-		parts := bytes.Split(hash, []byte("$"))
-		fmt.Printf("Parts: %+v\n", len(parts))
-
-		fmt.Printf("Hash: %s %s\n", hash, str)
+	t.Parallel()
+
+	t.Run("Authenticated", func(t *testing.T) {
+		t.Parallel()
+		server := coderdtest.New(t)
+		_, err := server.Client.User(context.Background(), "")
+		require.NoError(t, err)
+	})
+
+	t.Run("CreateMultipleInitial", func(t *testing.T) {
+		t.Parallel()
+		server := coderdtest.New(t)
+		_, err := server.Client.CreateInitialUser(context.Background(), coderd.CreateUserRequest{
+			Email:    "dummy@coder.com",
+			Username: "fake",
+			Password: "password",
+		})
+		require.Error(t, err)
+	})
+
+	t.Run("LoginNoEmail", func(t *testing.T) {
+		t.Parallel()
+		server := coderdtest.New(t)
+		err := server.Client.LoginWithPassword(context.Background(), coderd.LoginWithPasswordRequest{
+			Email:    "hello@io.io",
+			Password: "wowie",
+		})
+		require.Error(t, err)
+	})
+
+	t.Run("LoginBadPassword", func(t *testing.T) {
+		t.Parallel()
+		server := coderdtest.New(t)
+		user, err := server.Client.User(context.Background(), "")
+		require.NoError(t, err)
+
+		err = server.Client.LoginWithPassword(context.Background(), coderd.LoginWithPasswordRequest{
+			Email:    user.Email,
+			Password: "bananas",
+		})
+		require.Error(t, err)
 	})
 }
diff --git a/codersdk/authentication.go b/codersdk/authentication.go
diff --git a/codersdk/client.go b/codersdk/client.go
@@ -44,19 +44,20 @@ type Client struct {
 	httpClient   *http.Client
 }
 
-func (c *Client) SessionToken() string {
-	return c.sessionToken
-}
-
-func (c *Client) setSessionToken(token string) {
+func (c *Client) setSessionToken(token string) error {
 	if c.httpClient.Jar == nil {
-		c.httpClient.Jar = &cookiejar.Jar{}
+		var err error
+		c.httpClient.Jar, err = cookiejar.New(nil)
+		if err != nil {
+			return err
+		}
 	}
 	c.httpClient.Jar.SetCookies(c.url, []*http.Cookie{{
 		Name:  httpmw.AuthCookie,
 		Value: token,
 	}})
 	c.sessionToken = token
+	return nil
 }
 
 func (c *Client) request(ctx context.Context, method, path string, body interface{}) (*http.Response, error) {
@@ -102,9 +103,6 @@ func readBodyAsError(res *http.Response) error {
 		}
 		return xerrors.Errorf("decode body: %w", err)
 	}
-	for _, er := range m.Errors {
-		fmt.Printf("WE GOT THIS: %q %q\n", er.Field, er.Code)
-	}
 	return &Error{
 		Response:   m,
 		statusCode: res.StatusCode,
@@ -122,5 +120,5 @@ func (e *Error) StatusCode() int {
 }
 
 func (e *Error) Error() string {
-	return fmt.Sprintf("")
+	return fmt.Sprintf("status code %d: %s", e.statusCode, e.Message)
 }
diff --git a/codersdk/users.go b/codersdk/users.go
@@ -3,33 +3,54 @@ package codersdk
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"net/http"
 
 	"github.com/coder/coder/coderd"
 )
 
-func (c *Client) User(ctx context.Context, id string) (coderd.User, error) {
-	res, err := c.request(ctx, http.MethodGet, "/api/v2/user", nil)
+func (c *Client) CreateInitialUser(ctx context.Context, req coderd.CreateUserRequest) (coderd.User, error) {
+	res, err := c.request(ctx, http.MethodPost, "/api/v2/user", req)
 	if err != nil {
 		return coderd.User{}, err
 	}
 	defer res.Body.Close()
-	if res.StatusCode > http.StatusOK {
+	if res.StatusCode != http.StatusCreated {
 		return coderd.User{}, readBodyAsError(res)
 	}
 	var user coderd.User
 	return user, json.NewDecoder(res.Body).Decode(&user)
 }
 
-func (c *Client) CreateInitialUser(ctx context.Context, req coderd.CreateUserRequest) (coderd.User, error) {
-	res, err := c.request(ctx, http.MethodPost, "/api/v2/user", req)
+// User returns a user for the ID provided.
+// If the ID string is empty, the current user will be returned.
+func (c *Client) User(ctx context.Context, id string) (coderd.User, error) {
+	res, err := c.request(ctx, http.MethodGet, "/api/v2/user", nil)
 	if err != nil {
 		return coderd.User{}, err
 	}
 	defer res.Body.Close()
-	if res.StatusCode != http.StatusCreated {
+	if res.StatusCode > http.StatusOK {
 		return coderd.User{}, readBodyAsError(res)
 	}
 	var user coderd.User
 	return user, json.NewDecoder(res.Body).Decode(&user)
 }
+
+func (c *Client) LoginWithPassword(ctx context.Context, req coderd.LoginWithPasswordRequest) error {
+	res, err := c.request(ctx, http.MethodPost, "/api/v2/login", req)
+	if err != nil {
+		return err
+	}
+	defer res.Body.Close()
+	if res.StatusCode != http.StatusCreated {
+		fmt.Printf("Are we reading here?\n")
+		return readBodyAsError(res)
+	}
+	var resp coderd.LoginWithPasswordResponse
+	err = json.NewDecoder(res.Body).Decode(&resp)
+	if err != nil {
+		return err
+	}
+	return c.setSessionToken(resp.SessionToken)
+}
diff --git a/codersdk/users_test.go b/codersdk/users_test.go
@@ -1,14 +1,33 @@
 package codersdk_test
 
 import (
+	"context"
+	"net/http"
 	"testing"
 
+	"github.com/coder/coder/coderd"
 	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/stretchr/testify/require"
 )
 
 func TestUsers(t *testing.T) {
-	t.Run("Personal", func(t *testing.T) {
-		_ = coderdtest.New(t)
+	t.Run("MultipleInitial", func(t *testing.T) {
+		server := coderdtest.New(t)
+		_, err := server.Client.CreateInitialUser(context.Background(), coderd.CreateUserRequest{
+			Email:    "wowie@coder.com",
+			Username: "tester",
+			Password: "moo",
+		})
+		var cerr *codersdk.Error
+		require.ErrorAs(t, err, &cerr)
+		require.Equal(t, cerr.StatusCode(), http.StatusConflict)
+		require.Greater(t, 0, cerr.Error())
+	})
 
+	t.Run("Get", func(t *testing.T) {
+		server := coderdtest.New(t)
+		_, err := server.Client.User(context.Background(), "")
+		require.NoError(t, err)
 	})
 }
diff --git a/httpmw/apikey_test.go b/httpmw/apikey_test.go

Original file line number	Diff line number	Diff line change
`@@ -3,8 +3,9 @@ package userpassword_test`
`3`	`3`	`import (`
`4`	`4`	`"testing"`
`5`	`5`
`6`		`- "github.com/coder/coder/coderd/userpassword"`
`7`	`6`	`"github.com/stretchr/testify/require"`
	`7`	`+`
	`8`	`+ "github.com/coder/coder/coderd/userpassword"`
`8`	`9`	`)`
`9`	`10`
`10`	`11`	`func TestUserPassword(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -44,19 +44,20 @@ type Client struct {`
`44`	`44`	`httpClient *http.Client`
`45`	`45`	`}`
`46`	`46`
`47`		`-func (c *Client) SessionToken() string {`
`48`		`- return c.sessionToken`
`49`		`-}`
`50`		`-`
`51`		`-func (c *Client) setSessionToken(token string) {`
	`47`	`+func (c *Client) setSessionToken(token string) error {`
`52`	`48`	`if c.httpClient.Jar == nil {`
`53`		`- c.httpClient.Jar = &cookiejar.Jar{}`
	`49`	`+ var err error`
	`50`	`+ c.httpClient.Jar, err = cookiejar.New(nil)`
	`51`	`+ if err != nil {`
	`52`	`+ return err`
	`53`	`+ }`
`54`	`54`	`}`
`55`	`55`	`c.httpClient.Jar.SetCookies(c.url, []*http.Cookie{{`
`56`	`56`	`Name: httpmw.AuthCookie,`
`57`	`57`	`Value: token,`
`58`	`58`	`}})`
`59`	`59`	`c.sessionToken = token`
	`60`	`+ return nil`
`60`	`61`	`}`
`61`	`62`
`62`	`63`	`func (c Client) request(ctx context.Context, method, path string, body interface{}) (http.Response, error) {`
`@@ -102,9 +103,6 @@ func readBodyAsError(res *http.Response) error {`
`102`	`103`	`}`
`103`	`104`	`return xerrors.Errorf("decode body: %w", err)`
`104`	`105`	`}`
`105`		`- for _, er := range m.Errors {`
`106`		`- fmt.Printf("WE GOT THIS: %q %q\n", er.Field, er.Code)`
`107`		`- }`
`108`	`106`	`return &Error{`
`109`	`107`	`Response: m,`
`110`	`108`	`statusCode: res.StatusCode,`
`@@ -122,5 +120,5 @@ func (e *Error) StatusCode() int {`
`122`	`120`	`}`
`123`	`121`
`124`	`122`	`func (e *Error) Error() string {`
`125`		`- return fmt.Sprintf("")`
	`123`	`+ return fmt.Sprintf("status code %d: %s", e.statusCode, e.Message)`
`126`	`124`	`}`