Add configuration files, database migrations, and authentication implementation scaffolding

2026-04-30 19:08:07 +02:00
commit 331d60581e
83 changed files with 222264 additions and 0 deletions
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@@ -0,0 +1,109 @@
+package auth
+
+import (
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"time"
+)
+
+// Claims represents JWT payload
+type Claims struct {
+	UserID      string `json:"user_id"`
+	CommunityID string `json:"community_id"`
+	Username    string `json:"username"`
+	IssuedAt    int64  `json:"iat"`
+	ExpiresAt   int64  `json:"exp"`
+}
+
+var jwtSecret = []byte("CHANGE-THIS-IN-PRODUCTION-USE-ENV-VAR") // TODO: Load from env
+
+// GenerateJWT creates a signed JWT token
+func GenerateJWT(userID, communityID, username string, duration time.Duration) (string, error) {
+	now := time.Now()
+	claims := Claims{
+		UserID:      userID,
+		CommunityID: communityID,
+		Username:    username,
+		IssuedAt:    now.Unix(),
+		ExpiresAt:   now.Add(duration).Unix(),
+	}
+
+	// Create header
+	header := map[string]string{
+		"alg": "HS256",
+		"typ": "JWT",
+	}
+
+	headerJSON, _ := json.Marshal(header)
+	claimsJSON, _ := json.Marshal(claims)
+
+	// Base64URL encode
+	headerB64 := base64.RawURLEncoding.EncodeToString(headerJSON)
+	claimsB64 := base64.RawURLEncoding.EncodeToString(claimsJSON)
+
+	// Create signature
+	message := headerB64 + "." + claimsB64
+	signature := createSignature(message)
+
+	return message + "." + signature, nil
+}
+
+// VerifyJWT validates and parses a JWT token
+func VerifyJWT(token string) (*Claims, error) {
+	parts := strings.Split(token, ".")
+	if len(parts) != 3 {
+		return nil, fmt.Errorf("invalid token format")
+	}
+
+	// Verify signature
+	message := parts[0] + "." + parts[1]
+	expectedSig := createSignature(message)
+	if parts[2] != expectedSig {
+		return nil, fmt.Errorf("invalid signature")
+	}
+
+	// Decode claims
+	claimsJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode claims: %w", err)
+	}
+
+	var claims Claims
+	if err := json.Unmarshal(claimsJSON, &claims); err != nil {
+		return nil, fmt.Errorf("failed to parse claims: %w", err)
+	}
+
+	// Check expiration
+	if time.Now().Unix() > claims.ExpiresAt {
+		return nil, fmt.Errorf("token expired")
+	}
+
+	return &claims, nil
+}
+
+// createSignature generates HMAC-SHA256 signature
+func createSignature(message string) string {
+	h := hmac.New(sha256.New, jwtSecret)
+	h.Write([]byte(message))
+	return base64.RawURLEncoding.EncodeToString(h.Sum(nil))
+}
+
+// GenerateSessionToken creates a cryptographically secure session token
+func GenerateSessionToken() (string, error) {
+	token := make([]byte, 32)
+	if _, err := rand.Read(token); err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(token), nil
+}
+
+// HashToken creates SHA256 hash for database storage
+func HashToken(token string) string {
+	hash := sha256.Sum256([]byte(token))
+	return base64.RawURLEncoding.EncodeToString(hash[:])
+}
--- a/internal/auth/password.go
+++ b/internal/auth/password.go
@@ -0,0 +1,100 @@
+package auth
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"fmt"
+	"strings"
+
+	"golang.org/x/crypto/argon2"
+)
+
+const (
+	// Argon2 parameters (OWASP recommended)
+	argonTime    = 3
+	argonMemory  = 64 * 1024 // 64 MB
+	argonThreads = 4
+	argonKeyLen  = 32
+	saltLen      = 16
+)
+
+// HashPassword creates a secure hash using Argon2id
+func HashPassword(password string) (string, error) {
+	// Generate random salt
+	salt := make([]byte, saltLen)
+	if _, err := rand.Read(salt); err != nil {
+		return "", err
+	}
+
+	// Hash password
+	hash := argon2.IDKey([]byte(password), salt, argonTime, argonMemory, argonThreads, argonKeyLen)
+
+	// Encode as: $argon2id$v=19$m=65536,t=3,p=4$salt$hash
+	b64Salt := base64.RawStdEncoding.EncodeToString(salt)
+	b64Hash := base64.RawStdEncoding.EncodeToString(hash)
+
+	return fmt.Sprintf("$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s",
+		argonMemory, argonTime, argonThreads, b64Salt, b64Hash), nil
+}
+
+// VerifyPassword checks if password matches hash (constant-time comparison)
+func VerifyPassword(password, encodedHash string) (bool, error) {
+	// Parse hash format
+	parts := strings.Split(encodedHash, "$")
+	if len(parts) != 6 || parts[1] != "argon2id" {
+		return false, fmt.Errorf("invalid hash format")
+	}
+
+	// Parse parameters
+	var memory, time uint32
+	var threads uint8
+	_, err := fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &memory, &time, &threads)
+	if err != nil {
+		return false, err
+	}
+
+	// Decode salt and hash
+	salt, err := base64.RawStdEncoding.DecodeString(parts[4])
+	if err != nil {
+		return false, err
+	}
+	expectedHash, err := base64.RawStdEncoding.DecodeString(parts[5])
+	if err != nil {
+		return false, err
+	}
+
+	// Hash input password with same parameters
+	hash := argon2.IDKey([]byte(password), salt, time, memory, threads, uint32(len(expectedHash)))
+
+	// Constant-time comparison
+	return subtle.ConstantTimeCompare(hash, expectedHash) == 1, nil
+}
+
+// ValidatePasswordStrength checks password meets minimum requirements
+func ValidatePasswordStrength(password string) error {
+	if len(password) < 12 {
+		return fmt.Errorf("password must be at least 12 characters")
+	}
+
+	hasUpper := false
+	hasLower := false
+	hasDigit := false
+
+	for _, char := range password {
+		switch {
+		case 'A' <= char && char <= 'Z':
+			hasUpper = true
+		case 'a' <= char && char <= 'z':
+			hasLower = true
+		case '0' <= char && char <= '9':
+			hasDigit = true
+		}
+	}
+
+	if !hasUpper || !hasLower || !hasDigit {
+		return fmt.Errorf("password must contain uppercase, lowercase, and digits")
+	}
+
+	return nil
+}