access-handler/handlers/login.go

package handlers

import (
	"fmt"
	"net/http"
	"os"
	"time"

	"gitea.tecamino.com/paadi/access-handler/internal/utils"
	"gitea.tecamino.com/paadi/access-handler/models"

	"github.com/gin-gonic/gin"
	"github.com/golang-jwt/jwt/v5"
)

// -----------------------------
// 🔐 AUTHENTICATION CONSTANTS
// -----------------------------

// JWT secrets
var ACCESS_SECRET = []byte(os.Getenv("ACCESS_SECRET"))
var REFRESH_SECRET = []byte(os.Getenv("REFRESH_SECRET"))

// DOMAIN defines where cookies are valid. Change this in production.
var DOMAIN = os.Getenv("DOMAIN")

// ACCESS_TOKEN_TIME defines how long access tokens are valid.
var ACCESS_TOKEN_TIME = 15 * time.Minute

// REFRESH_TOKEN_TIME defines how long refresh tokens are valid.
var REFRESH_TOKEN_TIME = 72 * time.Hour

// -----------------------------
// 🧠 HANDLERS
// -----------------------------

// Login authenticates a user and returns JWT tokens (access + refresh).
func (aH *AccessHandler) Login(c *gin.Context) {
	var user models.User

	aH.logger.Debug("Login", "bind JSON request")
	if err := c.BindJSON(&user); err != nil {
		aH.logger.Error("Login", err)
		c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
		return
	}

	// Validate input
	if !user.IsValid() {
		aH.logger.Error("Login", "user empty")
		c.JSON(http.StatusBadRequest, models.NewJsonMessageResponse("user empty"))
		return
	}

	// Fetch user record from DB
	dbUser, hasError := aH.getUserFromDB(c, user.Name)
	if hasError {
		return
	}

	// Check password
	if !utils.CheckPassword(user.Password, dbUser.Password) {
		aH.logger.Error("Login", "invalid password")
		c.JSON(http.StatusUnauthorized, models.NewJsonMessageResponse("invalid credentials"))
		return
	}
	user = dbUser

	// -----------------------------
	// 🔑 TOKEN CREATION
	// -----------------------------
	aH.logger.Debug("Login", "create tokens")

	accessTokenExp := time.Now().Add(ACCESS_TOKEN_TIME)
	refreshTokenExp := time.Now().Add(REFRESH_TOKEN_TIME)

	// Create access token
	accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		"id":       user.Id,
		"username": user.Name,
		"role":     user.Role.Role,
		"type":     "access",
		"exp":      accessTokenExp.Unix(),
	})

	// Create refresh token
	refreshToken := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		"id":       user.Id,
		"username": user.Name,
		"role":     user.Role.Role,
		"type":     "refresh",
		"exp":      refreshTokenExp.Unix(),
	})

	// Sign tokens
	accessString, err := accessToken.SignedString(ACCESS_SECRET)
	if err != nil {
		aH.logger.Error("Login", "failed to sign access token")
		c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("could not create access token"))
		return
	}

	refreshString, err := refreshToken.SignedString(REFRESH_SECRET)
	if err != nil {
		aH.logger.Error("Login", "failed to sign refresh token")
		c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("could not create refresh token"))
		return
	}

	// -----------------------------
	// 🍪 SET COOKIES
	// -----------------------------
	aH.logger.Debug("Login", "set cookies")

	secure := gin.Mode() == gin.ReleaseMode

	c.SetCookie("access_token", accessString, int(time.Until(accessTokenExp).Seconds()),
		"/", "", secure, true)
	c.SetCookie("refresh_token", refreshString, int(time.Until(refreshTokenExp).Seconds()),
		"/", "", secure, true)

	aH.logger.Info("Login", "user "+user.Name+" logged in successfully")

	c.JSON(http.StatusOK, gin.H{
		"message":  "login successful",
		"id":       user.Id,
		"user":     user.Name,
		"role":     user.Role.Role,
		"settings": user.Settings,
	})
}

// Refresh generates a new access token from a valid refresh token.
func (aH *AccessHandler) Refresh(c *gin.Context) {
	aH.logger.Debug("Refresh", "get refresh cookie")

	refreshCookie, err := c.Cookie("refresh_token")
	if err != nil {
		aH.logger.Error("Refresh", "no refresh token")
		c.JSON(http.StatusUnauthorized, gin.H{"message": "no refresh token"})
		return
	}

	// Validate token
	aH.logger.Debug("Refresh", "parse token")
	token, err := jwt.Parse(refreshCookie, func(token *jwt.Token) (any, error) {
		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
		}
		return REFRESH_SECRET, nil
	})
	if err != nil || !token.Valid {
		aH.logger.Error("Refresh", err)
		c.JSON(http.StatusUnauthorized, gin.H{"message": "invalid refresh token"})
		return
	}

	// Extract claims
	claims, ok := token.Claims.(jwt.MapClaims)
	if !ok || claims["type"] != "refresh" {
		aH.logger.Error("Refresh", "invalid token type")
		c.JSON(http.StatusUnauthorized, gin.H{"message": "invalid token type"})
		return
	}

	username := claims["username"].(string)
	id := int(claims["id"].(float64))

	user, hasError := aH.getUserFromDB(c, username)
	if hasError {
		return
	}

	// Create new access token
	aH.logger.Debug("Refresh", "create new access token")
	accessExp := time.Now().Add(ACCESS_TOKEN_TIME)
	newAccess := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		"id":       id,
		"username": username,
		"role":     user.Role.Role,
		"exp":      accessExp.Unix(),
	})
	accessString, _ := newAccess.SignedString(ACCESS_SECRET)

	// Set new access cookie
	aH.logger.Debug("Refresh", "set new access cookie")
	c.SetCookie("access_token", accessString, int(time.Until(accessExp).Seconds()),
		"/", DOMAIN, gin.Mode() == gin.ReleaseMode, true)

	c.JSON(http.StatusOK, gin.H{"message": "token refreshed"})
}

// Me returns information about the currently authenticated user.
func (aH *AccessHandler) Me(c *gin.Context) {
	aH.logger.Debug("Me", "get access cookie")

	cookie, err := c.Cookie("access_token")
	if err != nil {
		aH.logger.Error("Me", err)
		c.JSON(http.StatusUnauthorized, gin.H{"message": "not logged in"})
		return
	}

	// Parse and validate access token
	aH.logger.Debug("Me", "parse token")
	token, err := jwt.Parse(cookie, func(t *jwt.Token) (any, error) {
		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
		}
		return ACCESS_SECRET, nil
	})
	if err != nil || !token.Valid {
		aH.logger.Error("Me", err)
		c.JSON(http.StatusUnauthorized, gin.H{"message": "invalid token"})
		return
	}

	claims := token.Claims.(jwt.MapClaims)
	c.JSON(http.StatusOK, gin.H{
		"id":   claims["id"],
		"user": claims["username"],
		"role": claims["role"],
	})
}

// Logout clears authentication cookies and ends the session.
func (aH *AccessHandler) Logout(c *gin.Context) {
	aH.logger.Info("Logout", "logout user")

	secure := gin.Mode() == gin.ReleaseMode
	aH.logger.Debug("Logout", fmt.Sprintf("domain=%s secure=%t", DOMAIN, secure))

	// Clear cookies
	c.SetCookie("access_token", "", -1, "/", DOMAIN, secure, true)
	c.SetCookie("refresh_token", "", -1, "/", DOMAIN, secure, true)

	c.JSON(http.StatusOK, gin.H{"message": "logged out"})
}

func (aH *AccessHandler) getUserFromDB(c *gin.Context, userName string) (user models.User, hasError bool) {
	hasError = true
	// Fetch user record from DB
	var dbRecord []models.User

	err := aH.dbHandler.GetByKey(&dbRecord, "user_name", userName, false, "Role")
	if err != nil {
		aH.logger.Error("Login", err)
		c.JSON(http.StatusBadRequest, models.NewJsonErrorResponse(err))
		return
	}

	if len(dbRecord) == 0 {
		aH.logger.Error("Login", "no user "+userName+" found")
		c.JSON(http.StatusUnauthorized, models.NewJsonMessageResponse("invalid credentials"))
		return
	}

	if len(dbRecord) > 1 {
		aH.logger.Error("Login", "more than one record found")
		c.JSON(http.StatusInternalServerError, models.NewJsonMessageResponse("internal error"))
		return
	}

	if !dbRecord[0].ExpirationIsValid() {
		aH.logger.Error("Login", fmt.Sprintf("user %s is expired", userName))
		c.JSON(http.StatusUnauthorized, models.NewJsonMessageResponse("user "+userName+" is expired"))
		return
	}
	return dbRecord[0], false
}