[WIP] User Accounts

.github/workflows/build_pull_request.yml

@@ -34,7 +34,7 @@ jobs:
           path: master
           fetch-depth: 0
 
-      - name: Set up JDK 1.8
+      - name: Set up JDK
         uses: actions/setup-java@v1
         with:
           java-version: 1.8

.github/workflows/build_push.yml

@@ -34,7 +34,7 @@ jobs:
           path: master
           fetch-depth: 0
 
-      - name: Set up JDK 1.8
+      - name: Set up JDK
         uses: actions/setup-java@v1
         with:
           java-version: 1.8

.github/workflows/publish.yml

@@ -34,7 +34,7 @@ jobs:
           path: master
           fetch-depth: 0
 
-      - name: Set up JDK 1.8
+      - name: Set up JDK
         uses: actions/setup-java@v1
         with:
           java-version: 1.8

gradle/libs.versions.toml

@@ -145,6 +145,10 @@ cron4j = "it.sauronsoftware.cron4j:cron4j:2.2.5"
 # cron-utils
 cronUtils = "com.cronutils:cron-utils:9.2.1"
 
+# User
+bcrypt = "at.favre.lib:bcrypt:0.10.2"
+jwt = "com.auth0:java-jwt:4.4.0"
+
 [plugins]
 # Kotlin
 kotlin-jvm = { id = "org.jetbrains.kotlin.jvm", version.ref = "kotlin"}

server/build.gradle.kts

@@ -78,6 +78,9 @@ dependencies {
     implementation(libs.cron4j)
 
     implementation(libs.cronUtils)
+
+    implementation(libs.bcrypt)
+    implementation(libs.jwt)
 }
 
 application {

server/src/main/kotlin/suwayomi/tachidesk/global/controller/GlobalMetaController.kt

@@ -9,6 +9,9 @@ package suwayomi.tachidesk.global.controller
 
 import io.javalin.http.HttpCode
 import suwayomi.tachidesk.global.impl.GlobalMeta
+import suwayomi.tachidesk.server.JavalinSetup.Attribute
+import suwayomi.tachidesk.server.JavalinSetup.getAttribute
+import suwayomi.tachidesk.server.user.requireUser
 import suwayomi.tachidesk.server.util.formParam
 import suwayomi.tachidesk.server.util.handler
 import suwayomi.tachidesk.server.util.withOperation
@@ -24,7 +27,8 @@ object GlobalMetaController {
                 }
             },
             behaviorOf = { ctx ->
-                ctx.json(GlobalMeta.getMetaMap())
+                val userId = ctx.getAttribute(Attribute.TachideskUser).requireUser()
+                ctx.json(GlobalMeta.getMetaMap(userId))
                 ctx.status(200)
             },
             withResults = {
@@ -44,7 +48,8 @@ object GlobalMetaController {
                 }
             },
             behaviorOf = { ctx, key, value ->
-                GlobalMeta.modifyMeta(key, value)
+                val userId = ctx.getAttribute(Attribute.TachideskUser).requireUser()
+                GlobalMeta.modifyMeta(userId, key, value)
                 ctx.status(200)
             },
             withResults = {

server/src/main/kotlin/suwayomi/tachidesk/global/controller/SettingsController.kt

@@ -12,7 +12,10 @@ import suwayomi.tachidesk.global.impl.About
 import suwayomi.tachidesk.global.impl.AboutDataClass
 import suwayomi.tachidesk.global.impl.AppUpdate
 import suwayomi.tachidesk.global.impl.UpdateDataClass
+import suwayomi.tachidesk.server.JavalinSetup.Attribute
 import suwayomi.tachidesk.server.JavalinSetup.future
+import suwayomi.tachidesk.server.JavalinSetup.getAttribute
+import suwayomi.tachidesk.server.user.requireUser
 import suwayomi.tachidesk.server.util.handler
 import suwayomi.tachidesk.server.util.withOperation
 
@@ -28,6 +31,7 @@ object SettingsController {
                 }
             },
             behaviorOf = { ctx ->
+                ctx.getAttribute(Attribute.TachideskUser).requireUser()
                 ctx.json(About.getAbout())
             },
             withResults = {
@@ -45,6 +49,7 @@ object SettingsController {
                 }
             },
             behaviorOf = { ctx ->
+                ctx.getAttribute(Attribute.TachideskUser).requireUser()
                 ctx.future(
                     future { AppUpdate.checkUpdate() },
                 )

server/src/main/kotlin/suwayomi/tachidesk/global/impl/GlobalMeta.kt

@@ -1,8 +1,8 @@
 package suwayomi.tachidesk.global.impl
 
+import org.jetbrains.exposed.sql.and
 import org.jetbrains.exposed.sql.insert
 import org.jetbrains.exposed.sql.select
-import org.jetbrains.exposed.sql.selectAll
 import org.jetbrains.exposed.sql.transactions.transaction
 import org.jetbrains.exposed.sql.update
 import suwayomi.tachidesk.global.model.table.GlobalMetaTable
@@ -16,31 +16,33 @@ import suwayomi.tachidesk.global.model.table.GlobalMetaTable
 
 object GlobalMeta {
     fun modifyMeta(
+        userId: Int,
         key: String,
         value: String,
     ) {
         transaction {
             val meta =
                 transaction {
-                    GlobalMetaTable.select { GlobalMetaTable.key eq key }
+                    GlobalMetaTable.select { GlobalMetaTable.key eq key and (GlobalMetaTable.user eq userId) }
                 }.firstOrNull()
 
             if (meta == null) {
                 GlobalMetaTable.insert {
                     it[GlobalMetaTable.key] = key
                     it[GlobalMetaTable.value] = value
+                    it[GlobalMetaTable.user] = userId
                 }
             } else {
-                GlobalMetaTable.update({ GlobalMetaTable.key eq key }) {
+                GlobalMetaTable.update({ GlobalMetaTable.key eq key and (GlobalMetaTable.user eq userId) }) {
                     it[GlobalMetaTable.value] = value
                 }
             }
         }
     }
 
-    fun getMetaMap(): Map<String, String> {
+    fun getMetaMap(userId: Int): Map<String, String> {
         return transaction {
-            GlobalMetaTable.selectAll()
+            GlobalMetaTable.select { GlobalMetaTable.user eq userId }
                 .associate { it[GlobalMetaTable.key] to it[GlobalMetaTable.value] }
         }
     }

server/src/main/kotlin/suwayomi/tachidesk/global/impl/util/Bcrypt.kt

@@ -0,0 +1,19 @@
+package suwayomi.tachidesk.global.impl.util
+
+import at.favre.lib.crypto.bcrypt.BCrypt
+
+object Bcrypt {
+    private val hasher = BCrypt.with(BCrypt.Version.VERSION_2B)
+    private val verifyer = BCrypt.verifyer(BCrypt.Version.VERSION_2B)
+
+    fun encryptPassword(password: String): String {
+        return hasher.hashToString(12, password.toCharArray())
+    }
+
+    fun verify(
+        hash: String,
+        password: String,
+    ): Boolean {
+        return verifyer.verify(password.toCharArray(), hash.toCharArray()).verified
+    }
+}

server/src/main/kotlin/suwayomi/tachidesk/global/impl/util/Jwt.kt

@@ -0,0 +1,128 @@
+package suwayomi.tachidesk.global.impl.util
+
+import com.auth0.jwt.JWT
+import com.auth0.jwt.JWTVerifier
+import com.auth0.jwt.algorithms.Algorithm
+import com.auth0.jwt.exceptions.JWTVerificationException
+import org.jetbrains.exposed.sql.select
+import org.jetbrains.exposed.sql.transactions.transaction
+import suwayomi.tachidesk.global.model.table.UserPermissionsTable
+import suwayomi.tachidesk.global.model.table.UserRolesTable
+import suwayomi.tachidesk.server.user.Permissions
+import suwayomi.tachidesk.server.user.UserType
+import java.security.SecureRandom
+import java.time.Instant
+import javax.crypto.spec.SecretKeySpec
+import kotlin.io.encoding.Base64
+import kotlin.io.encoding.ExperimentalEncodingApi
+import kotlin.time.Duration.Companion.days
+import kotlin.time.Duration.Companion.hours
+
+object Jwt {
+    private const val ALGORITHM = "HmacSHA256"
+    private val accessTokenExpiry = 1.hours
+    private val refreshTokenExpiry = 60.days
+    private const val ISSUER = "tachidesk"
+    private const val AUDIENCE = "" // todo audience
+
+    @OptIn(ExperimentalEncodingApi::class)
+    fun generateSecret(): String {
+        val keyBytes = ByteArray(32)
+        SecureRandom().nextBytes(keyBytes)
+
+        val secretKey = SecretKeySpec(keyBytes, ALGORITHM)
+
+        return Base64.encode(secretKey.encoded)
+    }
+
+    private val algorithm: Algorithm = Algorithm.HMAC256(generateSecret()) // todo store secret
+    private val verifier: JWTVerifier = JWT.require(algorithm).build()
+
+    class JwtTokens(
+        val accessToken: String,
+        val refreshToken: String,
+    )
+
+    fun generateJwt(userId: Int): JwtTokens {
+        val accessToken = createAccessToken(userId)
+        val refreshToken = createRefreshToken(userId)
+
+        return JwtTokens(
+            accessToken = accessToken,
+            refreshToken = refreshToken,
+        )
+    }
+
+    fun refreshJwt(refreshToken: String): JwtTokens {
+        val jwt = verifier.verify(refreshToken)
+        require(jwt.getClaim("token_type").asString() == "refresh") {
+            "Cannot use access token to refresh"
+        }
+        return generateJwt(jwt.subject.toInt())
+    }
+
+    fun verifyJwt(jwt: String): UserType {
+        try {
+            val decodedJWT = verifier.verify(jwt)
+
+            require(decodedJWT.getClaim("token_type").asString() == "access") {
+                "Cannot use refresh token to access"
+            }
+
+            val user = decodedJWT.subject.toInt()
+            val roles: List<String> = decodedJWT.getClaim("roles").asList(String::class.java)
+            val permissions: List<String> = decodedJWT.getClaim("permissions").asList(String::class.java)
+
+            return if (roles.any { it.equals("admin", ignoreCase = true) }) {
+                UserType.Admin(user)
+            } else {
+                UserType.User(
+                    id = user,
+                    permissions =
+                        permissions.mapNotNull { permission ->
+                            Permissions.entries.find { it.name == permission }
+                        },
+                )
+            }
+        } catch (e: JWTVerificationException) {
+            return UserType.Visitor
+        }
+    }
+
+    private fun createAccessToken(userId: Int): String {
+        val jwt =
+            JWT.create()
+                .withIssuer(ISSUER)
+                .withAudience(AUDIENCE)
+                .withSubject(userId.toString())
+                .withClaim("token_type", "access")
+                .withExpiresAt(Instant.now().plusSeconds(accessTokenExpiry.inWholeSeconds))
+
+        val roles =
+            transaction {
+                UserRolesTable.select { UserRolesTable.user eq userId }.toList()
+                    .map { it[UserRolesTable.role] }
+            }
+        val permissions =
+            transaction {
+                UserPermissionsTable.select { UserPermissionsTable.user eq userId }.toList()
+                    .map { it[UserPermissionsTable.permission] }
+            }
+
+        jwt.withClaim("roles", roles)
+
+        jwt.withClaim("permissions", permissions)
+
+        return jwt.sign(algorithm)
+    }
+
+    private fun createRefreshToken(userId: Int): String {
+        return JWT.create()
+            .withIssuer(ISSUER)
+            .withAudience(AUDIENCE)
+            .withSubject(userId.toString())
+            .withClaim("token_type", "refresh")
+            .withExpiresAt(Instant.now().plusSeconds(refreshTokenExpiry.inWholeSeconds))
+            .sign(algorithm)
+    }
+}

server/src/main/kotlin/suwayomi/tachidesk/global/model/table/GlobalMetaTable.kt

@@ -8,11 +8,13 @@ package suwayomi.tachidesk.global.model.table
  * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
 
 import org.jetbrains.exposed.dao.id.IntIdTable
+import org.jetbrains.exposed.sql.ReferenceOption
 
 /**
  * Metadata storage for clients, server/global level.
  */
 object GlobalMetaTable : IntIdTable() {
     val key = varchar("key", 256)
     val value = varchar("value", 4096)
+    val user = reference("user", UserTable, ReferenceOption.CASCADE)
 }

server/src/main/kotlin/suwayomi/tachidesk/global/model/table/UserPermissionsTable.kt

@@ -0,0 +1,19 @@
+package suwayomi.tachidesk.global.model.table
+
+/*
+ * Copyright (C) Contributors to the Suwayomi project
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+import org.jetbrains.exposed.sql.ReferenceOption
+import org.jetbrains.exposed.sql.Table
+
+/**
+ * Users registered in Tachidesk.
+ */
+object UserPermissionsTable : Table() {
+    val user = reference("user", UserTable, ReferenceOption.CASCADE)
+    val permission = varchar("permission", 128)
+}

server/src/main/kotlin/suwayomi/tachidesk/global/model/table/UserRolesTable.kt

@@ -0,0 +1,19 @@
+package suwayomi.tachidesk.global.model.table
+
+/*
+ * Copyright (C) Contributors to the Suwayomi project
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+import org.jetbrains.exposed.sql.ReferenceOption
+import org.jetbrains.exposed.sql.Table
+
+/**
+ * Users registered in Tachidesk.
+ */
+object UserRolesTable : Table() {
+    val user = reference("user", UserTable, ReferenceOption.CASCADE)
+    val role = varchar("role", 24)
+}

server/src/main/kotlin/suwayomi/tachidesk/global/model/table/UserTable.kt

@@ -0,0 +1,18 @@
+package suwayomi.tachidesk.global.model.table
+
+/*
+ * Copyright (C) Contributors to the Suwayomi project
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+import org.jetbrains.exposed.dao.id.IntIdTable
+
+/**
+ * Users registered in Tachidesk.
+ */
+object UserTable : IntIdTable() {
+    val username = varchar("username", 64)
+    val password = varchar("password", 90)
+}