netbird/management/server/personal_access_token.go

package server

import (
	"crypto/sha256"
	b64 "encoding/base64"
	"fmt"
	"hash/crc32"
	"time"

	b "github.com/hashicorp/go-secure-stdlib/base62"
	"github.com/rs/xid"

	"github.com/netbirdio/netbird/base62"
)

const (
	// PATPrefix is the globally used, 4 char prefix for personal access tokens
	PATPrefix = "nbp_"
	// PATSecretLength number of characters used for the secret inside the token
	PATSecretLength = 30
	// PATChecksumLength number of characters used for the encoded checksum of the secret inside the token
	PATChecksumLength = 6
	// PATLength total number of characters used for the token
	PATLength = 40
)

// PersonalAccessToken holds all information about a PAT including a hashed version of it for verification
type PersonalAccessToken struct {
	ID string `gorm:"primaryKey"`
	// User is a reference to Account that this object belongs
	UserID         string `gorm:"index"`
	Name           string
	HashedToken    string
	ExpirationDate time.Time
	// scope could be added in future
	CreatedBy string
	CreatedAt time.Time
	LastUsed  time.Time
}

func (t *PersonalAccessToken) Copy() *PersonalAccessToken {
	return &PersonalAccessToken{
		ID:             t.ID,
		Name:           t.Name,
		HashedToken:    t.HashedToken,
		ExpirationDate: t.ExpirationDate,
		CreatedBy:      t.CreatedBy,
		CreatedAt:      t.CreatedAt,
		LastUsed:       t.LastUsed,
	}
}

// PersonalAccessTokenGenerated holds the new PersonalAccessToken and the plain text version of it
type PersonalAccessTokenGenerated struct {
	PlainToken string
	PersonalAccessToken
}

// CreateNewPAT will generate a new PersonalAccessToken that can be assigned to a User.
// Additionally, it will return the token in plain text once, to give to the user and only save a hashed version
func CreateNewPAT(name string, expirationInDays int, createdBy string) (*PersonalAccessTokenGenerated, error) {
	hashedToken, plainToken, err := generateNewToken()
	if err != nil {
		return nil, err
	}
	currentTime := time.Now()
	return &PersonalAccessTokenGenerated{
		PersonalAccessToken: PersonalAccessToken{
			ID:             xid.New().String(),
			Name:           name,
			HashedToken:    hashedToken,
			ExpirationDate: currentTime.AddDate(0, 0, expirationInDays),
			CreatedBy:      createdBy,
			CreatedAt:      currentTime,
			LastUsed:       time.Time{},
		},
		PlainToken: plainToken,
	}, nil

}

func generateNewToken() (string, string, error) {
	secret, err := b.Random(PATSecretLength)
	if err != nil {
		return "", "", err
	}

	checksum := crc32.ChecksumIEEE([]byte(secret))
	encodedChecksum := base62.Encode(checksum)
	paddedChecksum := fmt.Sprintf("%06s", encodedChecksum)
	plainToken := PATPrefix + secret + paddedChecksum
	hashedToken := sha256.Sum256([]byte(plainToken))
	encodedHashedToken := b64.StdEncoding.EncodeToString(hashedToken[:])
	return encodedHashedToken, plainToken, nil
}
add generating token (only frame for now, actual token is only dummy) 2023-03-01 20:12:04 +01:00			`package server`

			`import (`
			`"crypto/sha256"`
store hashed token base64 encoded 2023-03-29 15:21:53 +02:00			`b64 "encoding/base64"`
add generating token (only frame for now, actual token is only dummy) 2023-03-01 20:12:04 +01:00			`"fmt"`
			`"hash/crc32"`
			`"time"`

switch secret generation to use lib 2023-03-08 11:36:03 +01:00			`b "github.com/hashicorp/go-secure-stdlib/base62"`
add id to the PAT 2023-03-02 16:19:31 +01:00			`"github.com/rs/xid"`
remove dependency to external base62 package and create own methods in utils 2023-05-16 12:44:26 +02:00
move into separate package 2023-05-16 12:57:56 +02:00			`"github.com/netbirdio/netbird/base62"`
add generating token (only frame for now, actual token is only dummy) 2023-03-01 20:12:04 +01:00			`)`

use const and do array copy 2023-03-08 11:54:10 +01:00			`const (`
add comment for exported const 2023-03-08 12:09:22 +01:00			`// PATPrefix is the globally used, 4 char prefix for personal access tokens`
codacy and lint hints 2023-03-20 11:44:12 +01:00			`PATPrefix = "nbp_"`
			`// PATSecretLength number of characters used for the secret inside the token`
			`PATSecretLength = 30`
			`// PATChecksumLength number of characters used for the encoded checksum of the secret inside the token`
fix PAT array split 2023-03-16 16:59:32 +01:00			`PATChecksumLength = 6`
codacy and lint hints 2023-03-20 11:44:12 +01:00			`// PATLength total number of characters used for the token`
			`PATLength = 40`
use const and do array copy 2023-03-08 11:54:10 +01:00			`)`

add comments for exported functions 2023-03-06 14:46:04 +01:00			`// PersonalAccessToken holds all information about a PAT including a hashed version of it for verification`
add generating token (only frame for now, actual token is only dummy) 2023-03-01 20:12:04 +01:00			`type PersonalAccessToken struct {`
Implement SQLite Store using gorm and relational approach (#1065) Restructure data handling for improved performance and flexibility. Introduce 'G'-prefixed fields to represent Gorm relations, simplifying resource management. Eliminate complexity in lookup tables for enhanced query and write speed. Enable independent operations on data structures, requiring adjustments in the Store interface and Account Manager. 2023-10-12 15:42:36 +02:00			ID string `gorm:"primaryKey"`
			`// User is a reference to Account that this object belongs`
			UserID string `gorm:"index"`
refactor to use name instead of description 2023-03-27 16:28:49 +02:00			`Name string`
store hashedToken as string 2023-03-08 11:30:09 +01:00			`HashedToken string`
add generating token (only frame for now, actual token is only dummy) 2023-03-01 20:12:04 +01:00			`ExpirationDate time.Time`
			`// scope could be added in future`
updated PAT struct to only use user id instead of user 2023-03-03 16:37:39 +01:00			`CreatedBy string`
add generating token (only frame for now, actual token is only dummy) 2023-03-01 20:12:04 +01:00			`CreatedAt time.Time`
			`LastUsed time.Time`
			`}`

Improve account copying (#1069) With this fix, all nested slices and pointers will be copied by value. Also, this fixes tests to compare the original and copy account by their values by marshaling them to JSON strings. Before that, they were copying the pointers that also passed the simple `=` compassion (as the addresses match). 2023-08-22 17:56:39 +02:00			`func (t PersonalAccessToken) Copy() PersonalAccessToken {`
			`return &PersonalAccessToken{`
			`ID: t.ID,`
			`Name: t.Name,`
			`HashedToken: t.HashedToken,`
			`ExpirationDate: t.ExpirationDate,`
			`CreatedBy: t.CreatedBy,`
			`CreatedAt: t.CreatedAt,`
			`LastUsed: t.LastUsed,`
			`}`
			`}`

use object instead of plain token for create response + handler test 2023-03-28 14:47:15 +02:00			`// PersonalAccessTokenGenerated holds the new PersonalAccessToken and the plain text version of it`
			`type PersonalAccessTokenGenerated struct {`
			`PlainToken string`
			`PersonalAccessToken`
			`}`

add comments for exported functions 2023-03-06 14:46:04 +01:00			`// CreateNewPAT will generate a new PersonalAccessToken that can be assigned to a User.`
			`// Additionally, it will return the token in plain text once, to give to the user and only save a hashed version`
use object instead of plain token for create response + handler test 2023-03-28 14:47:15 +02:00			`func CreateNewPAT(name string, expirationInDays int, createdBy string) (*PersonalAccessTokenGenerated, error) {`
switch secret generation to use lib 2023-03-08 11:36:03 +01:00			`hashedToken, plainToken, err := generateNewToken()`
			`if err != nil {`
use object instead of plain token for create response + handler test 2023-03-28 14:47:15 +02:00			`return nil, err`
switch secret generation to use lib 2023-03-08 11:36:03 +01:00			`}`
do not use UTC for time to stay consistent 2023-04-03 12:44:55 +02:00			`currentTime := time.Now()`
use object instead of plain token for create response + handler test 2023-03-28 14:47:15 +02:00			`return &PersonalAccessTokenGenerated{`
			`PersonalAccessToken: PersonalAccessToken{`
			`ID: xid.New().String(),`
			`Name: name,`
			`HashedToken: hashedToken,`
			`ExpirationDate: currentTime.AddDate(0, 0, expirationInDays),`
			`CreatedBy: createdBy,`
			`CreatedAt: currentTime,`
last_used can be nil 2023-03-29 17:46:09 +02:00			`LastUsed: time.Time{},`
use object instead of plain token for create response + handler test 2023-03-28 14:47:15 +02:00			`},`
			`PlainToken: plainToken,`
			`}, nil`

add generating token (only frame for now, actual token is only dummy) 2023-03-01 20:12:04 +01:00			`}`

switch secret generation to use lib 2023-03-08 11:36:03 +01:00			`func generateNewToken() (string, string, error) {`
codacy and lint hints 2023-03-20 11:44:12 +01:00			`secret, err := b.Random(PATSecretLength)`
switch secret generation to use lib 2023-03-08 11:36:03 +01:00			`if err != nil {`
			`return "", "", err`
			`}`
add generating token (only frame for now, actual token is only dummy) 2023-03-01 20:12:04 +01:00
fixed some namings 2023-03-06 13:51:32 +01:00			`checksum := crc32.ChecksumIEEE([]byte(secret))`
move into separate package 2023-05-16 12:57:56 +02:00			`encodedChecksum := base62.Encode(checksum)`
add generating token (only frame for now, actual token is only dummy) 2023-03-01 20:12:04 +01:00			`paddedChecksum := fmt.Sprintf("%06s", encodedChecksum)`
use const and do array copy 2023-03-08 11:54:10 +01:00			`plainToken := PATPrefix + secret + paddedChecksum`
add generating token (only frame for now, actual token is only dummy) 2023-03-01 20:12:04 +01:00			`hashedToken := sha256.Sum256([]byte(plainToken))`
store hashed token base64 encoded 2023-03-29 15:21:53 +02:00			`encodedHashedToken := b64.StdEncoding.EncodeToString(hashedToken[:])`
			`return encodedHashedToken, plainToken, nil`
add generating token (only frame for now, actual token is only dummy) 2023-03-01 20:12:04 +01:00			`}`