github.com/keybase/client/go@v0.0.0-20241007131713-f10651d043c8/kbfs/kbfscrypto/auth_token.go (about)

     1  // Copyright 2016 Keybase Inc. All rights reserved.
     2  // Use of this source code is governed by a BSD
     3  // license that can be found in the LICENSE file.
     4  
     5  package kbfscrypto
     6  
     7  import (
     8  	"fmt"
     9  	"runtime"
    10  	"sync"
    11  	"time"
    12  
    13  	"github.com/keybase/client/go/auth"
    14  	kbname "github.com/keybase/client/go/kbun"
    15  	"github.com/keybase/client/go/libkb"
    16  	"github.com/keybase/client/go/protocol/keybase1"
    17  	"github.com/pkg/errors"
    18  	"golang.org/x/net/context"
    19  )
    20  
    21  // AuthTokenMinRefreshSeconds is the minimum number of seconds between refreshes.
    22  const AuthTokenMinRefreshSeconds = 60
    23  
    24  // AuthTokenRefreshHandler defines a callback to be called when an auth token refresh
    25  // is needed.
    26  type AuthTokenRefreshHandler interface {
    27  	RefreshAuthToken(context.Context)
    28  }
    29  
    30  // AuthToken encapsulates a timed authentication token.
    31  type AuthToken struct {
    32  	signer         Signer
    33  	tokenType      string
    34  	expireIn       int
    35  	clientName     string
    36  	clientVersion  string
    37  	refreshHandler AuthTokenRefreshHandler
    38  	tickerCancel   context.CancelFunc
    39  	tickerMu       sync.Mutex // protects the ticker cancel function
    40  }
    41  
    42  // NewAuthToken creates a new authentication token.
    43  func NewAuthToken(signer Signer, tokenType string, expireIn int,
    44  	submoduleName, version string, rh AuthTokenRefreshHandler) *AuthToken {
    45  	clientName := fmt.Sprintf("go %s %s %s",
    46  		submoduleName, libkb.GetPlatformString(), runtime.GOARCH)
    47  	authToken := &AuthToken{
    48  		signer:         signer,
    49  		tokenType:      tokenType,
    50  		expireIn:       expireIn,
    51  		clientName:     clientName,
    52  		clientVersion:  version,
    53  		refreshHandler: rh,
    54  	}
    55  	return authToken
    56  }
    57  
    58  // Sign is called to create a new signed authentication token.
    59  func (a *AuthToken) signWithUserAndKeyInfo(ctx context.Context,
    60  	challengeInfo keybase1.ChallengeInfo, uid keybase1.UID,
    61  	username kbname.NormalizedUsername, key VerifyingKey) (string, error) {
    62  	// create the token
    63  	token := auth.NewToken(uid, username, key.KID(), a.tokenType,
    64  		challengeInfo.Challenge, challengeInfo.Now, a.expireIn,
    65  		a.clientName, a.clientVersion)
    66  
    67  	// sign the token
    68  	signature, err := a.signer.SignToString(ctx, token.Bytes())
    69  	if err != nil {
    70  		return "", err
    71  	}
    72  
    73  	// reset the ticker
    74  	refreshSeconds := a.expireIn / 2
    75  	if refreshSeconds < AuthTokenMinRefreshSeconds {
    76  		refreshSeconds = AuthTokenMinRefreshSeconds
    77  	}
    78  	a.startTicker(refreshSeconds)
    79  
    80  	return signature, nil
    81  }
    82  
    83  // Sign is called to create a new signed authentication token,
    84  // including a challenge and username/uid/kid identifiers.
    85  func (a *AuthToken) Sign(ctx context.Context,
    86  	currentUsername kbname.NormalizedUsername, currentUID keybase1.UID,
    87  	currentVerifyingKey VerifyingKey,
    88  	challengeInfo keybase1.ChallengeInfo) (string, error) {
    89  	// make sure we're being asked to sign a legit challenge
    90  	if !auth.IsValidChallenge(challengeInfo.Challenge) {
    91  		return "", errors.New("Invalid challenge")
    92  	}
    93  
    94  	return a.signWithUserAndKeyInfo(
    95  		ctx, challengeInfo, currentUID,
    96  		currentUsername, currentVerifyingKey)
    97  }
    98  
    99  // SignUserless signs the token without a username, UID, or challenge.
   100  // This is useful for server-to-server communication where identity is
   101  // established using only the KID.  Assume the client and server
   102  // clocks are roughly synchronized.
   103  func (a *AuthToken) SignUserless(
   104  	ctx context.Context, key VerifyingKey) (
   105  	string, error) {
   106  	// Pass in a reserved, meaningless UID.
   107  	return a.signWithUserAndKeyInfo(ctx,
   108  		keybase1.ChallengeInfo{Now: time.Now().Unix()},
   109  		keybase1.PublicUID, "", key)
   110  }
   111  
   112  // Shutdown is called to stop the refresh ticker.
   113  func (a *AuthToken) Shutdown() {
   114  	a.stopTicker()
   115  }
   116  
   117  // Helper to start the ticker (if not started.)
   118  func (a *AuthToken) startTicker(intervalSeconds int) {
   119  	a.tickerMu.Lock()
   120  	defer a.tickerMu.Unlock()
   121  
   122  	if a.tickerCancel != nil {
   123  		return
   124  	}
   125  
   126  	var ctx context.Context
   127  	ctx, a.tickerCancel = context.WithCancel(context.Background())
   128  	go func() {
   129  		ticker := time.NewTicker(time.Duration(intervalSeconds) * time.Second)
   130  		for {
   131  			select {
   132  			case <-ticker.C:
   133  				a.refreshHandler.RefreshAuthToken(ctx)
   134  			case <-ctx.Done():
   135  				ticker.Stop()
   136  				return
   137  			}
   138  		}
   139  	}()
   140  }
   141  
   142  // Helper to stop the refresh ticker.
   143  func (a *AuthToken) stopTicker() {
   144  	a.tickerMu.Lock()
   145  	defer a.tickerMu.Unlock()
   146  
   147  	if a.tickerCancel != nil {
   148  		a.tickerCancel()
   149  		a.tickerCancel = nil
   150  	}
   151  }