feat: add admin/auth api (#22)

* feat: add admin/auth api

- jwt cookie based auth
- /auth
- admin/*

* add: meta proxy

* fix: remove ussd account status from syncer

* add: cookie defaults and nuxt init check route

* add: pin and address handlers
This commit is contained in:
Mohamed Sohail 2022-06-02 11:24:58 +03:00 committed by GitHub
parent 861af1761d
commit 77f127e14a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 369 additions and 5 deletions

View File

@ -6,6 +6,7 @@ import (
"strings" "strings"
batch_balance "github.com/grassrootseconomics/cic-go/batch_balance" batch_balance "github.com/grassrootseconomics/cic-go/batch_balance"
"github.com/grassrootseconomics/cic-go/meta"
cic_net "github.com/grassrootseconomics/cic-go/net" cic_net "github.com/grassrootseconomics/cic-go/net"
"github.com/ethereum/go-ethereum/common" "github.com/ethereum/go-ethereum/common"
@ -40,12 +41,19 @@ type config struct {
Enabled bool `koan:"enabled"` Enabled bool `koan:"enabled"`
} }
Syncers map[string]string `koanf:"syncers"` Syncers map[string]string `koanf:"syncers"`
Meta struct {
Endpoint string `koanf:"meta"`
}
Jwt struct {
Secret string `koanf:"secret"`
}
} }
type queries struct { type queries struct {
core goyesql.Queries core goyesql.Queries
dashboard goyesql.Queries dashboard goyesql.Queries
public goyesql.Queries public goyesql.Queries
admin goyesql.Queries
} }
func loadConfig(configFilePath string, k *koanf.Koanf) error { func loadConfig(configFilePath string, k *koanf.Koanf) error {
@ -110,6 +118,10 @@ func loadCicNet(tokenIndex common.Address) error {
return nil return nil
} }
func loadCicMeta(metaEndpoint string) {
metaClient = meta.NewCicMeta(metaEndpoint)
}
func loadBatchBalance(balanceResolver common.Address) error { func loadBatchBalance(balanceResolver common.Address) error {
var err error var err error
@ -137,10 +149,16 @@ func loadQueries(sqlFilesPath string) error {
return err return err
} }
adminQueries, err := goyesql.ParseFile(fmt.Sprintf("%s/admin.sql", sqlFilesPath))
if err != nil {
return err
}
preparedQueries = &queries{ preparedQueries = &queries{
core: coreQueries, core: coreQueries,
dashboard: dashboardQueries, dashboard: dashboardQueries,
public: publicQueries, public: publicQueries,
admin: adminQueries,
} }
return nil return nil

View File

@ -8,6 +8,7 @@ import (
"time" "time"
batch_balance "github.com/grassrootseconomics/cic-go/batch_balance" batch_balance "github.com/grassrootseconomics/cic-go/batch_balance"
"github.com/grassrootseconomics/cic-go/meta"
cic_net "github.com/grassrootseconomics/cic-go/net" cic_net "github.com/grassrootseconomics/cic-go/net"
"github.com/grassrootseconomics/cic-go/provider" "github.com/grassrootseconomics/cic-go/provider"
"github.com/hibiken/asynq" "github.com/hibiken/asynq"
@ -28,6 +29,7 @@ var (
rpcProvider *provider.Provider rpcProvider *provider.Provider
cicnetClient *cic_net.CicNet cicnetClient *cic_net.CicNet
batchBalance *batch_balance.BatchBalance batchBalance *batch_balance.BatchBalance
metaClient *meta.CicMeta
rClient asynq.RedisConnOpt rClient asynq.RedisConnOpt
) )
@ -59,9 +61,10 @@ func init() {
} }
if err := parseRedis(conf.Db.Redis); err != nil { if err := parseRedis(conf.Db.Redis); err != nil {
log.Fatal().Err(err).Msg("could not parse redis connection string") log.Fatal().Err(err).Msg("could not parse redis connection string")
} }
loadCicMeta(conf.Meta.Endpoint)
} }
func main() { func main() {

View File

@ -1,6 +1,7 @@
package main package main
import ( import (
"cic-dw/internal/admin"
"cic-dw/internal/dashboard" "cic-dw/internal/dashboard"
"cic-dw/internal/public" "cic-dw/internal/public"
@ -21,6 +22,7 @@ func initHTTPServer() *echo.Echo {
dashboard.InitDashboardApi(server, db, preparedQueries.dashboard) dashboard.InitDashboardApi(server, db, preparedQueries.dashboard)
public.InitPublicApi(server, db, batchBalance, cicnetClient, preparedQueries.public) public.InitPublicApi(server, db, batchBalance, cicnetClient, preparedQueries.public)
admin.InitAdminApi(server, db, preparedQueries.admin, metaClient, conf.Jwt.Secret)
return server return server
} }

View File

@ -26,3 +26,9 @@ enabled = true
cache = "@every 20s" cache = "@every 20s"
ussd = "@every 30s" ussd = "@every 30s"
token = "@every 1m" token = "@every 1m"
[meta]
endpoint = "http://cic-meta-server:8000"
[jwt]
secret = "0xd34db33f"

View File

@ -4,7 +4,7 @@ The data warehouse additionally exposes a couple of REST API's (GraphQL planned)
1. Dashboard API (`/dashboard`) - Exposes data for [`cic-dashboard`](https://github.com/grassrootseconomics/cic-dashboard). Most data is expected to be chart/table API specific and usually not human readable. 1. Dashboard API (`/dashboard`) - Exposes data for [`cic-dashboard`](https://github.com/grassrootseconomics/cic-dashboard). Most data is expected to be chart/table API specific and usually not human readable.
2. Public API (`/public`) - Exposes public (on-chain only/non-sensitive) data. 2. Public API (`/public`) - Exposes public (on-chain only/non-sensitive) data.
3. Internal API (planned) 3. Internal Admin API - back office operations
Each API is domain separated i.e. separate SQL query files and router control. Each API is domain separated i.e. separate SQL query files and router control.

2
go.mod
View File

@ -29,6 +29,7 @@ require (
github.com/go-redis/redis/v8 v8.11.2 // indirect github.com/go-redis/redis/v8 v8.11.2 // indirect
github.com/go-stack/stack v1.8.0 // indirect github.com/go-stack/stack v1.8.0 // indirect
github.com/golang-jwt/jwt v3.2.2+incompatible // indirect github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
github.com/golang/protobuf v1.4.3 // indirect github.com/golang/protobuf v1.4.3 // indirect
github.com/google/uuid v1.2.0 // indirect github.com/google/uuid v1.2.0 // indirect
github.com/gorilla/websocket v1.4.2 // indirect github.com/gorilla/websocket v1.4.2 // indirect
@ -41,6 +42,7 @@ require (
github.com/jackc/pgtype v1.11.0 // indirect github.com/jackc/pgtype v1.11.0 // indirect
github.com/jackc/puddle v1.2.1 // indirect github.com/jackc/puddle v1.2.1 // indirect
github.com/labstack/gommon v0.3.1 // indirect github.com/labstack/gommon v0.3.1 // indirect
github.com/mapaiva/vcard-go v1.2.0 // indirect
github.com/mattn/go-colorable v0.1.12 // indirect github.com/mattn/go-colorable v0.1.12 // indirect
github.com/mattn/go-isatty v0.0.14 // indirect github.com/mattn/go-isatty v0.0.14 // indirect
github.com/mitchellh/copystructure v1.2.0 // indirect github.com/mitchellh/copystructure v1.2.0 // indirect

4
go.sum
View File

@ -169,6 +169,8 @@ github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXP
github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY= github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
github.com/golang-jwt/jwt/v4 v4.3.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.3.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
github.com/golang-jwt/jwt/v4 v4.4.1 h1:pC5DB52sCeK48Wlb9oPcdhnjkz1TKt1D/P7WKJ0kUcQ=
github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
github.com/golang-module/carbon/v2 v2.1.6 h1:PL7wjvWG+NfUL2hIYOUX68yMi0A9rrCVlJxozldJ1lU= github.com/golang-module/carbon/v2 v2.1.6 h1:PL7wjvWG+NfUL2hIYOUX68yMi0A9rrCVlJxozldJ1lU=
github.com/golang-module/carbon/v2 v2.1.6/go.mod h1:NF5unWf838+pyRY0o+qZdIwBMkFf7w0hmLIguLiEpzU= github.com/golang-module/carbon/v2 v2.1.6/go.mod h1:NF5unWf838+pyRY0o+qZdIwBMkFf7w0hmLIguLiEpzU=
github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k= github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
@ -391,6 +393,8 @@ github.com/lmittmann/w3 v0.7.0 h1:z3Z7OeLAQ/oHWK8k5U5SH+G2BD6ZbsdrBktUytDzG78=
github.com/lmittmann/w3 v0.7.0/go.mod h1:8F9LNaa0D/k68rnCdTtBsMon8ucpvlS9fmPVXp7Uz7M= github.com/lmittmann/w3 v0.7.0/go.mod h1:8F9LNaa0D/k68rnCdTtBsMon8ucpvlS9fmPVXp7Uz7M=
github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc= github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
github.com/mapaiva/vcard-go v1.2.0 h1:w/Jmdow8CDE3T/6SBSTt1HBTDxZmQ39a415hCzElAN8=
github.com/mapaiva/vcard-go v1.2.0/go.mod h1:OedyhOJ8gUHmfp6iI3+2bf0kzQetFRpD625G9NCEB6Y=
github.com/matryer/moq v0.0.0-20190312154309-6cfb0558e1bd/go.mod h1:9ELz6aaclSIGnZBoaSLZ3NAl1VTufbOrXBPvtcy6WiQ= github.com/matryer/moq v0.0.0-20190312154309-6cfb0558e1bd/go.mod h1:9ELz6aaclSIGnZBoaSLZ3NAl1VTufbOrXBPvtcy6WiQ=
github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ= github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=

82
internal/admin/api.go Normal file
View File

@ -0,0 +1,82 @@
package admin
import (
"net/http"
"github.com/golang-jwt/jwt"
"github.com/grassrootseconomics/cic-go/meta"
"github.com/jackc/pgx/v4/pgxpool"
"github.com/labstack/echo/v4"
"github.com/nleof/goyesql"
)
type api struct {
db *pgxpool.Pool
q goyesql.Queries
m *meta.CicMeta
jwtKey []byte
}
func InitAdminApi(e *echo.Echo, db *pgxpool.Pool, queries goyesql.Queries, metaClient *meta.CicMeta, jwtKey string) {
api := newApi(db, queries, metaClient, jwtKey)
auth := e.Group(("/auth"))
g := e.Group("/admin")
auth.Use(api.dwCoreMiddleware)
auth.POST("/login", sendLoginJwtCookie)
auth.POST("/logout", sendLogoutCookie)
g.Use(api.dwCoreMiddleware)
g.Use(api.verifyAuthMiddleware)
g.GET("/check", isLoggedIn)
g.GET("/meta-proxy/:address", handleMetaProxy)
g.GET("/pin-status", handlePinStatus)
g.GET("/phone-2-address/:phone", handlePhone2Address)
g.GET("/address-2-phone/:address", handleAddress2Phone)
}
func newApi(db *pgxpool.Pool, queries goyesql.Queries, metaClient *meta.CicMeta, jwtKey string) *api {
return &api{
db: db,
q: queries,
m: metaClient,
jwtKey: []byte(jwtKey),
}
}
func (a *api) dwCoreMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
c.Set("api", &api{
db: a.db,
q: a.q,
m: a.m,
jwtKey: a.jwtKey,
})
return next(c)
}
}
func (a *api) verifyAuthMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
return func(c echo.Context) error {
cookie, err := c.Cookie("_ge_auth")
if err != nil {
return c.String(http.StatusForbidden, "auth cookie missing")
}
claims := &jwtClaims{}
token, err := jwt.ParseWithClaims(cookie.Value, claims, func(token *jwt.Token) (interface{}, error) {
return a.jwtKey, nil
})
if err != nil {
return c.String(http.StatusUnauthorized, "jwt validation failed")
}
if !token.Valid {
return c.String(http.StatusUnauthorized, "jwt invalid")
}
return next(c)
}
}

88
internal/admin/auth.go Normal file
View File

@ -0,0 +1,88 @@
package admin
import (
"context"
"net/http"
"time"
"github.com/golang-jwt/jwt"
"github.com/labstack/echo/v4"
"golang.org/x/crypto/bcrypt"
)
type staff struct {
Username string `json:"username"`
Password string `json:"password"`
}
type jwtClaims struct {
Username string `json:"username"`
jwt.StandardClaims
}
func isLoggedIn(c echo.Context) error {
return c.String(http.StatusOK, "ok")
}
func sendLoginJwtCookie(c echo.Context) error {
var (
api = c.Get("api").(*api)
passwordHash string
)
u := new(staff)
if err := c.Bind(u); err != nil {
return err
}
if err := api.db.QueryRow(context.Background(), api.q["get-password-hash"], u.Username).Scan(&passwordHash); err != nil {
return c.String(http.StatusNotFound, "username not found")
}
if err := bcrypt.CompareHashAndPassword([]byte(passwordHash), []byte(u.Password)); err != nil {
return c.String(http.StatusForbidden, "login failed")
}
expiration := time.Now().Add(24 * 7 * time.Hour)
claims := &jwtClaims{
Username: u.Username,
StandardClaims: jwt.StandardClaims{
ExpiresAt: expiration.Unix(),
},
}
jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := jwtToken.SignedString(api.jwtKey)
if err != nil {
return err
}
cookie := cookieDefaults()
cookie.Value = tokenString
cookie.Expires = expiration
c.SetCookie(cookie)
return c.String(http.StatusOK, "login successful")
}
func sendLogoutCookie(c echo.Context) error {
cookie := cookieDefaults()
cookie.MaxAge = -1
c.SetCookie(cookie)
return c.String(http.StatusOK, "logout successful")
}
func cookieDefaults() *http.Cookie {
cookie := new(http.Cookie)
cookie.Name = "_ge_auth"
cookie.Path = "/"
cookie.SameSite = 3
cookie.HttpOnly = true
cookie.Secure = false
return cookie
}

33
internal/admin/pins.go Normal file
View File

@ -0,0 +1,33 @@
package admin
import (
"context"
"net/http"
"github.com/georgysavva/scany/pgxscan"
"github.com/labstack/echo/v4"
)
type pinStatusResponse struct {
PhoneNumber string `db:"phone_number" json:"phone_number"`
FailedPinAttempts int `db:"failed_pin_attempts" json:"failed_pin_attempts"`
AccountStatus string `db:"account_status" json:"account_status"`
}
func handlePinStatus(c echo.Context) error {
var (
api = c.Get("api").(*api)
res []pinStatusResponse
)
rows, err := api.db.Query(context.Background(), api.q["pin-status"])
if err != nil {
return err
}
if err := pgxscan.ScanAll(&res, rows); err != nil {
return err
}
return c.JSON(http.StatusOK, res)
}

95
internal/admin/user.go Normal file
View File

@ -0,0 +1,95 @@
package admin
import (
"bytes"
"cic-dw/pkg/address"
"context"
"encoding/base64"
"net/http"
"strings"
"github.com/grassrootseconomics/cic-go/meta"
"github.com/labstack/echo/v4"
"github.com/mapaiva/vcard-go"
)
type metaRes struct {
Person meta.PersonResponse `json:"person"`
Name string `json:"name"`
}
func handlePhone2Address(c echo.Context) error {
var (
api = c.Get("api").(*api)
phone = c.Param("phone")
address string
)
if err := api.db.QueryRow(context.Background(), api.q["phone-2-address"], phone).Scan(&address); err != nil {
return c.String(http.StatusNotFound, "phone not found")
}
return c.String(http.StatusOK, address)
}
func handleAddress2Phone(c echo.Context) error {
var (
api = c.Get("api").(*api)
phone string
)
sarafuAddress, err := address.SarafuAddress(c.Param("address"))
if err != nil {
return err
}
if err := api.db.QueryRow(context.Background(), api.q["address-2-phone"], sarafuAddress).Scan(&phone); err != nil {
return c.String(http.StatusNotFound, "address not found")
}
return c.String(http.StatusOK, phone)
}
func handleMetaProxy(c echo.Context) error {
var (
api = c.Get("api").(*api)
address = c.Param("address")
)
person, err := api.m.GetPersonMetadata(address)
if err != nil {
if strings.Contains(err.Error(), "404") {
return c.String(http.StatusNotFound, "meta resource not found")
} else {
return err
}
}
vCard, err := parseVCard(person.VCard)
if err != nil {
return err
}
return c.JSON(http.StatusOK, &metaRes{
Person: person,
Name: vCard.FormattedName,
})
}
func parseVCard(encodedVCard string) (vcard.VCard, error) {
data, err := base64.StdEncoding.DecodeString(encodedVCard)
if err != nil {
return vcard.VCard{}, err
}
reader := bytes.NewReader(data)
vCards, err := vcard.GetVCardsByReader(reader)
if err != nil {
return vcard.VCard{}, nil
}
return vCards[0], nil
}

13
migrations/004_auth.sql Normal file
View File

@ -0,0 +1,13 @@
-- Drop static columns on user table
ALTER TABLE users DROP COLUMN failed_pin_attempts, DROP COLUMN ussd_account_status;
-- Staff dashboard auth
CREATE TABLE IF NOT EXISTS staff (
id INT GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
username VARCHAR(16) NOT NULL UNIQUE,
password_hash VARCHAR(76) NOT NULL
)
---- create above / drop below ----
DROP TABLE IF EXISTS staff;

18
queries/admin.sql Normal file
View File

@ -0,0 +1,18 @@
-- name: get-password-hash
SELECT password_hash FROM staff WHERE username = $1;
-- name: pin-status
SELECT phone_number, failed_pin_attempts,
CASE STATUS
WHEN 1 THEN 'PENDING'
WHEN 2 THEN 'ACTIVE'
WHEN 3 THEN 'LOCKED'
WHEN 4 THEN 'RESET' END AS account_status
FROM cic_ussd.account WHERE
failed_pin_attempts > 0 OR STATUS = 4;
--name: phone-2-address
SELECT blockchain_address FROM users WHERE phone_number = $1;
--name: address-2-phone
SELECT phone_number FROM users WHERE blockchain_address = $1;

View File

@ -7,8 +7,8 @@ WITH current_ussd_cursor AS (
SELECT id FROM cic_ussd.account WHERE blockchain_address = (SELECT cursor_pos FROM cursors WHERE id = 1) SELECT id FROM cic_ussd.account WHERE blockchain_address = (SELECT cursor_pos FROM cursors WHERE id = 1)
) )
INSERT INTO users (phone_number, blockchain_address, date_registered, failed_pin_attempts, ussd_account_status) INSERT INTO users (phone_number, blockchain_address, date_registered)
SELECT cic_ussd.account.phone_number, cic_ussd.account.blockchain_address, cic_ussd.account.created, cic_ussd.account.failed_pin_attempts, cic_ussd.account.status SELECT cic_ussd.account.phone_number, cic_ussd.account.blockchain_address, cic_ussd.account.created
FROM cic_ussd.account WHERE cic_ussd.account.id > (SELECT id FROM current_ussd_cursor) ORDER BY cic_ussd.account.id ASC LIMIT 300; FROM cic_ussd.account WHERE cic_ussd.account.id > (SELECT id FROM current_ussd_cursor) ORDER BY cic_ussd.account.id ASC LIMIT 300;
UPDATE cursors SET cursor_pos = (SELECT blockchain_address FROM users ORDER BY id DESC LIMIT 1) WHERE cursors.id = 1; UPDATE cursors SET cursor_pos = (SELECT blockchain_address FROM users ORDER BY id DESC LIMIT 1) WHERE cursors.id = 1;