373 lines
9.1 KiB
Go
373 lines
9.1 KiB
Go
package main
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"database/sql"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"io/ioutil"
|
|
"log"
|
|
"math/big"
|
|
"net/http"
|
|
"net/url"
|
|
"os"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/dgrijalva/jwt-go"
|
|
"github.com/go-redis/redis"
|
|
"github.com/joho/godotenv"
|
|
"github.com/julienschmidt/httprouter"
|
|
_ "github.com/lib/pq"
|
|
"github.com/ttacon/libphonenumber"
|
|
)
|
|
|
|
var listen string
|
|
var postgres string
|
|
var redisHost string
|
|
var ttl time.Duration
|
|
var messagingSID string
|
|
|
|
var privateKey *rsa.PrivateKey
|
|
|
|
var dummyToken string
|
|
var coreURL string
|
|
|
|
var twilioSID string
|
|
var twilioToken string
|
|
|
|
var db *sql.DB
|
|
var redisClient *redis.Client
|
|
|
|
func main() {
|
|
// Load .env
|
|
err := godotenv.Load()
|
|
if err != nil {
|
|
log.Fatal("Error loading .env file")
|
|
}
|
|
listen = os.Getenv("LISTEN")
|
|
postgres = os.Getenv("POSTGRES")
|
|
redisHost = os.Getenv("REDIS")
|
|
|
|
ttl, err = time.ParseDuration(os.Getenv("TTL"))
|
|
if err != nil {
|
|
log.Fatal("Error parsing ttl")
|
|
}
|
|
|
|
messagingSID = os.Getenv("MESSAGING_SID")
|
|
twilioSID = os.Getenv("TWILIO_SID")
|
|
twilioToken = os.Getenv("TWILIO_TOKEN")
|
|
|
|
dummyToken = "{\"userid\":\"dummy\",\"clientid\":\"dummy\"}"
|
|
coreURL = os.Getenv("CORE_URL")
|
|
|
|
// Load RSA private key
|
|
privateKeyBytes, err := ioutil.ReadFile("key")
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
|
|
privateKey, err = jwt.ParseRSAPrivateKeyFromPEM(privateKeyBytes)
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
|
|
// Postgres
|
|
log.Printf("connecting to postgres %s", postgres)
|
|
db, err = sql.Open("postgres", postgres)
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
defer db.Close()
|
|
|
|
// Redis
|
|
redisClient = redis.NewClient(&redis.Options{
|
|
Addr: redisHost,
|
|
Password: "",
|
|
DB: 1,
|
|
})
|
|
|
|
// Routes
|
|
router := httprouter.New()
|
|
|
|
router.POST("/init", InitRequest)
|
|
router.POST("/init/bypass", InitRequestBypass)
|
|
router.POST("/verify", VerifyCode)
|
|
router.POST("/register/:code/:nonce", CreateUser)
|
|
|
|
// Start server
|
|
log.Printf("starting server on %s", listen)
|
|
log.Fatal(http.ListenAndServe(listen, router))
|
|
}
|
|
|
|
func ParsePhone(phone string) (string, error) {
|
|
num, err := libphonenumber.Parse(phone, "")
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return libphonenumber.Format(num, libphonenumber.INTERNATIONAL), nil
|
|
}
|
|
|
|
func RandomHex() (string, error) {
|
|
b := make([]byte, 16)
|
|
_, err := rand.Read(b)
|
|
return hex.EncodeToString(b), err
|
|
}
|
|
|
|
type InitRequestBody struct {
|
|
PhoneNumber string `json:"phone_number"`
|
|
}
|
|
|
|
func InitRequest(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
|
// Get request body
|
|
req := InitRequestBody{}
|
|
decoder := json.NewDecoder(r.Body)
|
|
err := decoder.Decode(&req)
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Make sure phone number is legitimate
|
|
phone, err := ParsePhone(req.PhoneNumber)
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Generate OTP code
|
|
c, err := rand.Int(rand.Reader, big.NewInt(1000000))
|
|
code := fmt.Sprintf("%06d", c)
|
|
|
|
// Generate nonce
|
|
b := make([]byte, 16)
|
|
_, err = rand.Read(b)
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
bytes := hex.EncodeToString(b)
|
|
|
|
// Set code-nonce pair in redis first
|
|
redisClient.Set(code+"nonce", bytes, ttl)
|
|
// Set code-phone_number pair
|
|
redisClient.Set(code+"phone", phone, ttl)
|
|
|
|
// Send SMS via Twilio
|
|
data := url.Values{}
|
|
data.Set("MessagingServiceSid", messagingSID)
|
|
data.Set("To", phone)
|
|
data.Set("Body", fmt.Sprintf("Your OTP for Beep is %s", code))
|
|
|
|
url := fmt.Sprintf("https://api.twilio.com/2010-04-01/Accounts/%s/Messages.json", twilioSID)
|
|
twilioReq, err := http.NewRequest("POST", url, strings.NewReader(data.Encode()))
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
twilioReq.SetBasicAuth(twilioSID, twilioToken)
|
|
twilioReq.Header.Add("Content-Type", "application/x-www-form-urlencoded")
|
|
|
|
client := &http.Client{}
|
|
resp, err := client.Do(twilioReq)
|
|
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Return nonce
|
|
w.Write([]byte(bytes))
|
|
}
|
|
|
|
func InitRequestBypass(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
|
// Get request body
|
|
req := InitRequestBody{}
|
|
decoder := json.NewDecoder(r.Body)
|
|
err := decoder.Decode(&req)
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Make sure phone number is legitimate
|
|
phone, err := ParsePhone(req.PhoneNumber)
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Generate nonce
|
|
b := make([]byte, 16)
|
|
_, err = rand.Read(b)
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
bytes := hex.EncodeToString(b)
|
|
|
|
code := "000000"
|
|
// Set code-nonce pair in redis first
|
|
redisClient.Set(code+"nonce", bytes, ttl)
|
|
// Set code-phone_number pair
|
|
redisClient.Set(code+"phone", phone, ttl)
|
|
|
|
// Return nonce
|
|
w.Write([]byte(bytes))
|
|
}
|
|
|
|
type VerifyRequestBody struct {
|
|
Code string `json:"code"`
|
|
Nonce string `json:"nonce"`
|
|
ClientId string `json:"clientid"`
|
|
}
|
|
|
|
func VerifyCode(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
|
// Get request body
|
|
req := VerifyRequestBody{}
|
|
decoder := json.NewDecoder(r.Body)
|
|
err := decoder.Decode(&req)
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Get nonce
|
|
storedNonce, err := redisClient.Get(req.Code + "nonce").Result()
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Delete nonce
|
|
_, err = redisClient.Del(req.Code + "nonce").Result()
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Check nonce
|
|
if req.Nonce != storedNonce {
|
|
http.Error(w, http.StatusText(http.StatusNotFound), http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
// Get stored phone number
|
|
phoneNumber, err := redisClient.Get(req.Code + "phone").Result()
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Delete stored phone number
|
|
_, err = redisClient.Del(req.Code + "phone").Result()
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Generate (potential) User ID
|
|
userHex, err := RandomHex()
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
userIDPotential := "u-" + userHex
|
|
|
|
// Check for existing user
|
|
var userID string
|
|
err = db.QueryRow(`
|
|
INSERT INTO "user" (id, first_name, last_name, phone_number)
|
|
VALUES ($1, '', '', $2)
|
|
ON CONFLICT(phone_number)
|
|
DO UPDATE SET phone_number=EXCLUDED.phone_number
|
|
RETURNING id
|
|
`, userIDPotential, phoneNumber).Scan(&userID)
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
log.Println(err)
|
|
return
|
|
}
|
|
|
|
// Generate JWT
|
|
token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
|
|
"userid": userID,
|
|
"clientid": req.ClientId,
|
|
})
|
|
|
|
tokenString, err := token.SignedString(privateKey)
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
w.Write([]byte(tokenString))
|
|
}
|
|
|
|
func CreateUser(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
|
|
code := p.ByName("code")
|
|
nonce := p.ByName("nonce")
|
|
|
|
// Get nonce
|
|
storedNonce, err := redisClient.Get(code + "nonce").Result()
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Delete nonce
|
|
_, err = redisClient.Del(code + "nonce").Result()
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Check nonce
|
|
if nonce != storedNonce {
|
|
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
// Delete phone number
|
|
_, err = redisClient.Del(code + "phone").Result()
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
proxyReq, err := http.NewRequest(r.Method, coreURL, r.Body)
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
proxyReq.Header.Set("X-User-Claim", dummyToken)
|
|
for header, values := range r.Header {
|
|
for _, value := range values {
|
|
proxyReq.Header.Add(header, value)
|
|
}
|
|
}
|
|
|
|
client := &http.Client{}
|
|
proxyRes, err := client.Do(proxyReq)
|
|
if err != nil {
|
|
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
for header, values := range proxyRes.Header {
|
|
for _, value := range values {
|
|
w.Header().Add(header, value)
|
|
}
|
|
}
|
|
io.Copy(w, proxyRes.Body)
|
|
proxyRes.Body.Close()
|
|
}
|