diff --git a/backend/go.mod b/backend/go.mod index 3cea35d..d3e5499 100644 --- a/backend/go.mod +++ b/backend/go.mod @@ -6,6 +6,8 @@ require ( github.com/go-chi/chi/v5 v5.1.0 github.com/go-git/go-git/v5 v5.12.0 github.com/go-playground/validator/v10 v10.22.1 + github.com/golang-jwt/jwt/v5 v5.2.1 + github.com/google/uuid v1.6.0 github.com/mattn/go-sqlite3 v1.14.23 golang.org/x/crypto v0.21.0 ) diff --git a/backend/go.sum b/backend/go.sum index c5af50e..b2b586e 100644 --- a/backend/go.sum +++ b/backend/go.sum @@ -44,10 +44,14 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY= github.com/go-playground/validator/v10 v10.22.1 h1:40JcKH+bBNGFczGuoBYgX4I6m/i27HYW8P9FDk5PbgA= github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM= +github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= +github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= diff --git a/backend/internal/api/auth_handlers.go b/backend/internal/api/auth_handlers.go new file mode 100644 index 0000000..9ca495e --- /dev/null +++ b/backend/internal/api/auth_handlers.go @@ -0,0 +1,148 @@ +package api + +import ( + "encoding/json" + "net/http" + "novamd/internal/auth" + "novamd/internal/db" + "novamd/internal/models" + + "golang.org/x/crypto/bcrypt" +) + +type LoginRequest struct { + Email string `json:"email"` + Password string `json:"password"` +} + +type LoginResponse struct { + AccessToken string `json:"accessToken"` + RefreshToken string `json:"refreshToken"` + User *models.User `json:"user"` + Session *auth.Session `json:"session"` +} + +type RefreshRequest struct { + RefreshToken string `json:"refreshToken"` +} + +type RefreshResponse struct { + AccessToken string `json:"accessToken"` +} + +// Login handles user authentication and returns JWT tokens +func Login(authService *auth.SessionService, db *db.DB) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + var req LoginRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + http.Error(w, "Invalid request body", http.StatusBadRequest) + return + } + + // Validate request + if req.Email == "" || req.Password == "" { + http.Error(w, "Email and password are required", http.StatusBadRequest) + return + } + + // Get user from database + user, err := db.GetUserByEmail(req.Email) + if err != nil { + http.Error(w, "Invalid credentials", http.StatusUnauthorized) + return + } + + // Verify password + err = bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(req.Password)) + if err != nil { + http.Error(w, "Invalid credentials", http.StatusUnauthorized) + return + } + + // Create session and generate tokens + session, accessToken, err := authService.CreateSession(user.ID, string(user.Role)) + if err != nil { + http.Error(w, "Failed to create session", http.StatusInternalServerError) + return + } + + // Prepare response + response := LoginResponse{ + AccessToken: accessToken, + RefreshToken: session.RefreshToken, + User: user, + Session: session, + } + + respondJSON(w, response) + } +} + +// Logout invalidates the user's session +func Logout(authService *auth.SessionService) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + sessionID := r.Header.Get("X-Session-ID") + if sessionID == "" { + http.Error(w, "Session ID required", http.StatusBadRequest) + return + } + + err := authService.InvalidateSession(sessionID) + if err != nil { + http.Error(w, "Failed to logout", http.StatusInternalServerError) + return + } + + w.WriteHeader(http.StatusOK) + } +} + +// RefreshToken generates a new access token using a refresh token +func RefreshToken(authService *auth.SessionService) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + var req RefreshRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + http.Error(w, "Invalid request body", http.StatusBadRequest) + return + } + + if req.RefreshToken == "" { + http.Error(w, "Refresh token required", http.StatusBadRequest) + return + } + + // Generate new access token + accessToken, err := authService.RefreshSession(req.RefreshToken) + if err != nil { + http.Error(w, "Invalid refresh token", http.StatusUnauthorized) + return + } + + response := RefreshResponse{ + AccessToken: accessToken, + } + + respondJSON(w, response) + } +} + +// GetCurrentUser returns the currently authenticated user +func GetCurrentUser(db *db.DB) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + // Get user claims from context (set by auth middleware) + claims, err := auth.GetUserFromContext(r.Context()) + if err != nil { + http.Error(w, "Unauthorized", http.StatusUnauthorized) + return + } + + // Get user from database + user, err := db.GetUserByID(claims.UserID) + if err != nil { + http.Error(w, "User not found", http.StatusNotFound) + return + } + + respondJSON(w, user) + } +} diff --git a/backend/internal/api/routes.go b/backend/internal/api/routes.go index 3682ca3..62231b4 100644 --- a/backend/internal/api/routes.go +++ b/backend/internal/api/routes.go @@ -1,14 +1,30 @@ package api import ( + "novamd/internal/auth" "novamd/internal/db" "novamd/internal/filesystem" + "novamd/internal/models" "github.com/go-chi/chi/v5" ) -func SetupRoutes(r chi.Router, db *db.DB, fs *filesystem.FileSystem) { - r.Route("/", func(r chi.Router) { +func SetupRoutes(r chi.Router, db *db.DB, fs *filesystem.FileSystem, authMiddleware *auth.Middleware, sessionService *auth.SessionService) { + // Public routes (no authentication required) + r.Group(func(r chi.Router) { + r.Post("/auth/login", Login(sessionService, db)) + r.Post("/auth/refresh", RefreshToken(sessionService)) + }) + + // Protected routes (authentication required) + r.Group(func(r chi.Router) { + // Apply authentication middleware to all routes in this group + r.Use(authMiddleware.Authenticate) + + // Auth routes + r.Post("/auth/logout", Logout(sessionService)) + r.Get("/auth/me", GetCurrentUser(db)) + // User routes r.Route("/users/{userId}", func(r chi.Router) { r.Get("/", GetUser(db)) @@ -30,12 +46,11 @@ func SetupRoutes(r chi.Router, db *db.DB, fs *filesystem.FileSystem) { r.Get("/", ListFiles(fs)) r.Get("/last", GetLastOpenedFile(db)) r.Put("/last", UpdateLastOpenedFile(db, fs)) - r.Get("/lookup", LookupFileByName(fs)) // Moved here + r.Get("/lookup", LookupFileByName(fs)) r.Post("/*", SaveFile(fs)) r.Get("/*", GetFileContent(fs)) r.Delete("/*", DeleteFile(fs)) - }) // Git routes @@ -46,5 +61,11 @@ func SetupRoutes(r chi.Router, db *db.DB, fs *filesystem.FileSystem) { }) }) }) + + // Admin-only routes + r.Group(func(r chi.Router) { + r.Use(authMiddleware.RequireRole(string(models.RoleAdmin))) + // Admin-only endpoints + }) }) }