feat: add caldav tokens (#1065)

# Description This PR adds API routes to create and manage caldav tokens. These tokens can be used instead of a user password - required for users who are using external auth providers and don't have a password. Fixes #842 Frontend: https://kolaente.dev/vikunja/frontend/pulls/1186 Co-authored-by: kolaente <k@knt.li> Reviewed-on: https://kolaente.dev/vikunja/api/pulls/1065
2022-03-30 18:25:56 +00:00
parent 726a517bec
commit e4b50e84a4
13 changed files with 697 additions and 38 deletions
--- a/pkg/user/caldav_token.go
+++ b/pkg/user/caldav_token.go
@ -0,0 +1,40 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-2021 Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public Licensee as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public Licensee for more details.
+//
+// You should have received a copy of the GNU Affero General Public Licensee
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package user
+
+import "code.vikunja.io/api/pkg/db"
+
+func GenerateNewCaldavToken(u *User) (token *Token, err error) {
+	s := db.NewSession()
+	defer s.Close()
+
+	return generateHashedToken(s, u, TokenCaldavAuth)
+}
+
+func GetCaldavTokens(u *User) (tokens []*Token, err error) {
+	s := db.NewSession()
+	defer s.Close()
+
+	return getTokensForKind(s, u, TokenCaldavAuth)
+}
+
+func DeleteCaldavTokenByID(u *User, id int64) error {
+	s := db.NewSession()
+	defer s.Close()
+
+	return removeTokenByID(s, u, TokenCaldavAuth, id)
+}
--- a/pkg/user/delete.go
+++ b/pkg/user/delete.go
@ -87,7 +87,7 @@ func notifyUsersScheduledForDeletion() {

 // RequestDeletion creates a user deletion confirm token and sends a notification to the user
 func RequestDeletion(s *xorm.Session, user *User) (err error) {
-	token, err := generateNewToken(s, user, TokenAccountDeletion)
+	token, err := generateToken(s, user, TokenAccountDeletion)
 	if err != nil {
 		return err
 	}
--- a/pkg/user/token.go
+++ b/pkg/user/token.go
@ -34,17 +34,19 @@ const (
 	TokenPasswordReset
 	TokenEmailConfirm
 	TokenAccountDeletion
+	TokenCaldavAuth

 	tokenSize = 64
 )

 // Token is a token a user can use to do things like verify their email or resetting their password
 type Token struct {
-	ID      int64     `xorm:"bigint autoincr not null unique pk"`
-	UserID  int64     `xorm:"not null"`
-	Token   string    `xorm:"varchar(450) not null index"`
-	Kind    TokenKind `xorm:"not null"`
-	Created time.Time `xorm:"created not null"`
+	ID             int64     `xorm:"bigint autoincr not null unique pk" json:"id"`
+	UserID         int64     `xorm:"not null" json:"-"`
+	Token          string    `xorm:"varchar(450) not null index" json:"-"`
+	ClearTextToken string    `xorm:"-" json:"token"`
+	Kind           TokenKind `xorm:"not null" json:"-"`
+	Created        time.Time `xorm:"created not null" json:"created"`
 }

 // TableName returns the real table name for user tokens
@ -52,12 +54,28 @@ func (t *Token) TableName() string {
 	return "user_tokens"
 }

-func generateNewToken(s *xorm.Session, u *User, kind TokenKind) (token *Token, err error) {
-	token = &Token{
+func genToken(u *User, kind TokenKind) *Token {
+	return &Token{
 		UserID: u.ID,
 		Kind:   kind,
 		Token:  utils.MakeRandomString(tokenSize),
 	}
+}
+
+func generateToken(s *xorm.Session, u *User, kind TokenKind) (token *Token, err error) {
+	token = genToken(u, kind)
+
+	_, err = s.Insert(token)
+	return
+}
+
+func generateHashedToken(s *xorm.Session, u *User, kind TokenKind) (token *Token, err error) {
+	token = genToken(u, kind)
+	token.ClearTextToken = token.Token
+	token.Token, err = HashPassword(token.ClearTextToken)
+	if err != nil {
+		return nil, err
+	}

 	_, err = s.Insert(token)
 	return
@ -74,12 +92,26 @@ func getToken(s *xorm.Session, token string, kind TokenKind) (t *Token, err erro
 	return
 }

+func getTokensForKind(s *xorm.Session, u *User, kind TokenKind) (tokens []*Token, err error) {
+	tokens = []*Token{}
+
+	err = s.Where("kind = ? AND user_id = ?", kind, u.ID).
+		Find(&tokens)
+	return
+}
+
 func removeTokens(s *xorm.Session, u *User, kind TokenKind) (err error) {
 	_, err = s.Where("user_id = ? AND kind = ?", u.ID, kind).
 		Delete(&Token{})
 	return
 }

+func removeTokenByID(s *xorm.Session, u *User, kind TokenKind, id int64) (err error) {
+	_, err = s.Where("id = ? AND user_id = ? AND kind = ?", id, u.ID, kind).
+		Delete(&Token{})
+	return
+}
+
 // RegisterTokenCleanupCron registers a cron function to clean up all password reset tokens older than 24 hours
 func RegisterTokenCleanupCron() {
 	const logPrefix = "[User Token Cleanup Cron] "
--- a/pkg/user/update_email.go
+++ b/pkg/user/update_email.go
@ -63,7 +63,7 @@ func UpdateEmail(s *xorm.Session, update *EmailUpdate) (err error) {
 	}

 	update.User.Status = StatusEmailConfirmationRequired
-	token, err := generateNewToken(s, update.User, TokenEmailConfirm)
+	token, err := generateToken(s, update.User, TokenEmailConfirm)
 	if err != nil {
 		return
 	}
--- a/pkg/user/user.go
+++ b/pkg/user/user.go
@ -324,7 +324,7 @@ func CheckUserCredentials(s *xorm.Session, u *Login) (*User, error) {
 		if IsErrWrongUsernameOrPassword(err) {
 			handleFailedPassword(user)
 		}
-		return nil, err
+		return user, err
 	}

 	return user, nil
--- a/pkg/user/user_create.go
+++ b/pkg/user/user_create.go
@ -81,7 +81,7 @@ func CreateUser(s *xorm.Session, user *User) (newUser *User, err error) {
 	}

 	user.Status = StatusEmailConfirmationRequired
-	token, err := generateNewToken(s, user, TokenEmailConfirm)
+	token, err := generateToken(s, user, TokenEmailConfirm)
 	if err != nil {
 		return nil, err
 	}
--- a/pkg/user/user_password_reset.go
+++ b/pkg/user/user_password_reset.go
@ -112,7 +112,7 @@ func RequestUserPasswordResetTokenByEmail(s *xorm.Session, tr *PasswordTokenRequ

 // RequestUserPasswordResetToken sends a user a password reset email.
 func RequestUserPasswordResetToken(s *xorm.Session, user *User) (err error) {
-	token, err := generateNewToken(s, user, TokenPasswordReset)
+	token, err := generateToken(s, user, TokenPasswordReset)
 	if err != nil {
 		return
 	}