feat: add caldav tokens (#1065)

# Description

This PR adds API routes to create and manage caldav tokens. These tokens can be used instead of a user password - required for users who are using external auth providers and don't have a password.

Fixes #842

Frontend: https://kolaente.dev/vikunja/frontend/pulls/1186

Co-authored-by: kolaente <k@knt.li>
Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1065

pkg/routes/api/v1/user_caldav_token.go

@@ -0,0 +1,112 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2021 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public Licensee as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public Licensee for more details.
+//
+// You should have received a copy of the GNU Affero General Public Licensee
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package v1
+
+import (
+	"net/http"
+	"strconv"
+
+	"code.vikunja.io/api/pkg/models"
+
+	"code.vikunja.io/api/pkg/user"
+	"code.vikunja.io/web/handler"
+	"github.com/labstack/echo/v4"
+)
+
+// GenerateCaldavToken is the handler to create a caldav token
+// @Summary Generate a caldav token
+// @Description Generates a caldav token which can be used for the caldav api. It is not possible to see the token again after it was generated.
+// @tags user
+// @Accept json
+// @Produce json
+// @Security JWTKeyAuth
+// @Success 200 {object} user.Token
+// @Failure 400 {object} web.HTTPError "Something's invalid."
+// @Failure 404 {object} web.HTTPError "User does not exist."
+// @Failure 500 {object} models.Message "Internal server error."
+// @Router /user/settings/token/caldav [put]
+func GenerateCaldavToken(c echo.Context) (err error) {
+
+	u, err := user.GetCurrentUser(c)
+	if err != nil {
+		return handler.HandleHTTPError(err, c)
+	}
+
+	token, err := user.GenerateNewCaldavToken(u)
+	if err != nil {
+		return handler.HandleHTTPError(err, c)
+	}
+
+	return c.JSON(http.StatusCreated, token)
+}
+
+// GetCaldavTokens is the handler to return a list of all caldav tokens for the current user
+// @Summary Returns the caldav tokens for the current user
+// @Description Return the IDs and created dates of all caldav tokens for the current user.
+// @tags user
+// @Accept json
+// @Produce json
+// @Security JWTKeyAuth
+// @Success 200 {array} user.Token
+// @Failure 400 {object} web.HTTPError "Something's invalid."
+// @Failure 404 {object} web.HTTPError "User does not exist."
+// @Failure 500 {object} models.Message "Internal server error."
+// @Router /user/settings/token/caldav [get]
+func GetCaldavTokens(c echo.Context) error {
+	u, err := user.GetCurrentUser(c)
+	if err != nil {
+		return handler.HandleHTTPError(err, c)
+	}
+
+	tokens, err := user.GetCaldavTokens(u)
+	if err != nil {
+		return handler.HandleHTTPError(err, c)
+	}
+
+	return c.JSON(http.StatusCreated, tokens)
+}
+
+// DeleteCaldavToken is the handler to delete a caldv token
+// @Summary Delete a caldav token by id
+// @tags user
+// @Accept json
+// @Produce json
+// @Security JWTKeyAuth
+// @Param id path int true "Token ID"
+// @Success 200 {object} models.Message
+// @Failure 400 {object} web.HTTPError "Something's invalid."
+// @Failure 404 {object} web.HTTPError "User does not exist."
+// @Failure 500 {object} models.Message "Internal server error."
+// @Router /user/settings/token/caldav/{id} [get]
+func DeleteCaldavToken(c echo.Context) error {
+	u, err := user.GetCurrentUser(c)
+	if err != nil {
+		return handler.HandleHTTPError(err, c)
+	}
+
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		return handler.HandleHTTPError(err, c)
+	}
+
+	err = user.DeleteCaldavTokenByID(u, id)
+	if err != nil {
+		return handler.HandleHTTPError(err, c)
+	}
+
+	return c.JSON(http.StatusOK, &models.Message{Message: "The token was deleted successfully."})
+}

pkg/routes/caldav/auth.go

@@ -0,0 +1,70 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2021 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public Licensee as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public Licensee for more details.
+//
+// You should have received a copy of the GNU Affero General Public Licensee
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package caldav
+
+import (
+	"errors"
+
+	"code.vikunja.io/api/pkg/db"
+	"code.vikunja.io/api/pkg/log"
+	"code.vikunja.io/api/pkg/user"
+
+	"github.com/labstack/echo/v4"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func BasicAuth(username, password string, c echo.Context) (bool, error) {
+	creds := &user.Login{
+		Username: username,
+		Password: password,
+	}
+	s := db.NewSession()
+	defer s.Close()
+	u, err := user.CheckUserCredentials(s, creds)
+	if err != nil && !user.IsErrWrongUsernameOrPassword(err) {
+		log.Errorf("Error during basic auth for caldav: %v", err)
+		return false, nil
+	}
+
+	if err == nil {
+		c.Set("userBasicAuth", u)
+		return true, nil
+	}
+
+	tokens, err := user.GetCaldavTokens(u)
+	if err != nil {
+		log.Errorf("Error while getting tokens for caldav auth: %v", err)
+		return false, nil
+	}
+
+	// Looping over all tokens until we find one that matches
+	for _, token := range tokens {
+		err = bcrypt.CompareHashAndPassword([]byte(token.Token), []byte(password))
+		if err != nil {
+			if errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {
+				continue
+			}
+			log.Errorf("Error while verifying tokens for caldav auth: %v", err)
+			return false, nil
+		}
+
+		c.Set("userBasicAuth", u)
+		return true, nil
+	}
+
+	return false, nil
+}

pkg/routes/routes.go

@@ -75,7 +75,6 @@ import (
 	apiv1 "code.vikunja.io/api/pkg/routes/api/v1"
 	"code.vikunja.io/api/pkg/routes/caldav"
 	_ "code.vikunja.io/api/pkg/swagger" // To generate swagger docs
-	"code.vikunja.io/api/pkg/user"
 	"code.vikunja.io/api/pkg/version"
 	"code.vikunja.io/web"
 	"code.vikunja.io/web/handler"
@@ -194,7 +193,7 @@ func RegisterRoutes(e *echo.Echo) {
 	if config.ServiceEnableCaldav.GetBool() {
 		// Caldav routes
 		wkg := e.Group("/.well-known")
-		wkg.Use(middleware.BasicAuth(caldavBasicAuth))
+		wkg.Use(middleware.BasicAuth(caldav.BasicAuth))
 		wkg.Any("/caldav", caldav.PrincipalHandler)
 		wkg.Any("/caldav/", caldav.PrincipalHandler)
 		c := e.Group("/dav")
@@ -323,6 +322,9 @@ func registerAPIRoutes(a *echo.Group) {
 	u.POST("/export/request", apiv1.RequestUserDataExport)
 	u.POST("/export/download", apiv1.DownloadUserDataExport)
 	u.GET("/timezones", apiv1.GetAvailableTimezones)
+	u.PUT("/settings/token/caldav", apiv1.GenerateCaldavToken)
+	u.GET("/settings/token/caldav", apiv1.GetCaldavTokens)
+	u.DELETE("/settings/token/caldav/:id", apiv1.DeleteCaldavToken)
 
 	if config.ServiceEnableTotp.GetBool() {
 		u.GET("/settings/totp", apiv1.UserTOTP)
@@ -663,7 +665,7 @@ func registerMigrations(m *echo.Group) {
 func registerCalDavRoutes(c *echo.Group) {
 
 	// Basic auth middleware
-	c.Use(middleware.BasicAuth(caldavBasicAuth))
+	c.Use(middleware.BasicAuth(caldav.BasicAuth))
 
 	// THIS is the entry point for caldav clients, otherwise lists will show up double
 	c.Any("", caldav.EntryHandler)
@@ -675,26 +677,3 @@ func registerCalDavRoutes(c *echo.Group) {
 	c.Any("/lists/:list/", caldav.ListHandler)
 	c.Any("/lists/:list/:task", caldav.TaskHandler) // Mostly used for editing
 }
-
-func caldavBasicAuth(username, password string, c echo.Context) (bool, error) {
-	creds := &user.Login{
-		Username: username,
-		Password: password,
-	}
-	s := db.NewSession()
-	defer s.Close()
-	u, err := user.CheckUserCredentials(s, creds)
-	if err != nil {
-		_ = s.Rollback()
-		log.Errorf("Error during basic auth for caldav: %v", err)
-		return false, nil
-	}
-
-	if err := s.Commit(); err != nil {
-		return false, err
-	}
-
-	// Save the user in echo context for later use
-	c.Set("userBasicAuth", u)
-	return true, nil
-}