refactor auth pkg into libraries

auth/api.go

@@ -1,92 +0,0 @@
-// Package auth provides JSON Web Token (JWT) authentication and authorization middleware.
-// It implements a passwordless authentication flow by sending login tokens vie email which are then exchanged for JWT access and refresh tokens.
-package auth
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/dhax/go-base/email"
-	"github.com/dhax/go-base/logging"
-	"github.com/go-chi/chi"
-	"github.com/go-chi/render"
-	"github.com/sirupsen/logrus"
-)
-
-// Storer defines database operations on account and token data.
-type Storer interface {
-	GetByID(id int) (*Account, error)
-	GetByEmail(email string) (*Account, error)
-	GetByRefreshToken(token string) (*Account, *Token, error)
-	UpdateAccount(a *Account) error
-	SaveRefreshToken(t *Token) error
-	DeleteRefreshToken(t *Token) error
-	PurgeExpiredToken() error
-}
-
-// Mailer defines methods to send account emails.
-type Mailer interface {
-	LoginToken(name, email string, c email.ContentLoginToken) error
-}
-
-// Resource implements passwordless token authentication against a database.
-type Resource struct {
-	Login  *LoginTokenAuth
-	Token  *TokenAuth
-	store  Storer
-	mailer Mailer
-}
-
-// NewResource returns a configured authentication resource.
-func NewResource(store Storer, mailer Mailer) (*Resource, error) {
-	loginAuth, err := NewLoginTokenAuth()
-	if err != nil {
-		return nil, err
-	}
-
-	tokenAuth, err := NewTokenAuth()
-	if err != nil {
-		return nil, err
-	}
-
-	resource := &Resource{
-		Login:  loginAuth,
-		Token:  tokenAuth,
-		store:  store,
-		mailer: mailer,
-	}
-
-	resource.cleanupTicker()
-
-	return resource, nil
-}
-
-// Router provides necessary routes for passwordless authentication flow.
-func (rs *Resource) Router() *chi.Mux {
-	r := chi.NewRouter()
-	r.Use(render.SetContentType(render.ContentTypeJSON))
-	r.Post("/login", rs.login)
-	r.Post("/token", rs.token)
-	r.Group(func(r chi.Router) {
-		r.Use(rs.Token.Verifier())
-		r.Use(AuthenticateRefreshJWT)
-		r.Post("/refresh", rs.refresh)
-		r.Post("/logout", rs.logout)
-	})
-	return r
-}
-
-func (rs *Resource) cleanupTicker() {
-	ticker := time.NewTicker(time.Hour * 1)
-	go func() {
-		for range ticker.C {
-			if err := rs.store.PurgeExpiredToken(); err != nil {
-				logging.Logger.WithField("auth", "cleanup").Error(err)
-			}
-		}
-	}()
-}
-
-func log(r *http.Request) logrus.FieldLogger {
-	return logging.GetLogEntry(r)
-}

auth/authorize/errors.go

@@ -0,0 +1,31 @@
+package authorize
+
+import (
+	"net/http"
+
+	"github.com/go-chi/render"
+)
+
+// ErrResponse renderer type for handling all sorts of errors.
+type ErrResponse struct {
+	Err            error `json:"-"` // low-level runtime error
+	HTTPStatusCode int   `json:"-"` // http response status code
+
+	StatusText string `json:"status"`          // user-level status message
+	AppCode    int64  `json:"code,omitempty"`  // application-specific error code
+	ErrorText  string `json:"error,omitempty"` // application-level error message, for debugging
+}
+
+// Render sets the application-specific error code in AppCode.
+func (e *ErrResponse) Render(w http.ResponseWriter, r *http.Request) error {
+	render.Status(r, e.HTTPStatusCode)
+	return nil
+}
+
+// The list of default error types without specific error message.
+var (
+	ErrForbidden = &ErrResponse{
+		HTTPStatusCode: http.StatusForbidden,
+		StatusText:     http.StatusText(http.StatusForbidden),
+	}
+)

auth/authorize/roles.go

@@ -1,16 +1,18 @@
-package auth
+package authorize
 
 import (
 	"net/http"
 
 	"github.com/go-chi/render"
+
+	"github.com/dhax/go-base/auth/jwt"
 )
 
 // RequiresRole middleware restricts access to accounts having role parameter in their jwt claims.
 func RequiresRole(role string) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		hfn := func(w http.ResponseWriter, r *http.Request) {
-			claims := ClaimsFromCtx(r.Context())
+			claims := jwt.ClaimsFromCtx(r.Context())
 			if !hasRole(role, claims.Roles) {
 				render.Render(w, r, ErrForbidden)
 				return

auth/crypto.go

@@ -1,19 +0,0 @@
-package auth
-
-import (
-	"crypto/rand"
-)
-
-const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
-
-func randStringBytes(n int) string {
-	buf := make([]byte, n)
-	if _, err := rand.Read(buf); err != nil {
-		panic(err)
-	}
-
-	for k, v := range buf {
-		buf[k] = letterBytes[v%byte(len(letterBytes))]
-	}
-	return string(buf)
-}

auth/errors.go

@@ -1,64 +0,0 @@
-package auth
-
-import (
-	"net/http"
-
-	"github.com/go-chi/render"
-)
-
-// ErrResponse renderer type for handling all sorts of errors.
-type ErrResponse struct {
-	Err            error `json:"-"` // low-level runtime error
-	HTTPStatusCode int   `json:"-"` // http response status code
-
-	StatusText string `json:"status"`          // user-level status message
-	AppCode    int64  `json:"code,omitempty"`  // application-specific error code
-	ErrorText  string `json:"error,omitempty"` // application-level error message, for debugging
-}
-
-// Render sets the application-specific error code in AppCode.
-func (e *ErrResponse) Render(w http.ResponseWriter, r *http.Request) error {
-	render.Status(r, e.HTTPStatusCode)
-	return nil
-}
-
-// ErrUnauthorized renders status 401 Unauthorized with custom error message.
-func ErrUnauthorized(err error) render.Renderer {
-	return &ErrResponse{
-		Err:            err,
-		HTTPStatusCode: http.StatusUnauthorized,
-		StatusText:     http.StatusText(http.StatusUnauthorized),
-		ErrorText:      err.Error(),
-	}
-}
-
-// ErrRender returns status 422 Unprocessable Entity for invalid request body
-func ErrRender(err error) render.Renderer {
-	return &ErrResponse{
-		Err:            err,
-		HTTPStatusCode: http.StatusUnprocessableEntity,
-		StatusText:     http.StatusText(http.StatusUnprocessableEntity),
-		ErrorText:      err.Error(),
-	}
-}
-
-// ErrInvalidRequest returns status 422 Unprocessable Entity with validation errors
-func ErrInvalidRequest(err error) render.Renderer {
-	return &ErrResponse{
-		Err:            err,
-		HTTPStatusCode: http.StatusUnprocessableEntity,
-		StatusText:     http.StatusText(http.StatusUnprocessableEntity),
-		ErrorText:      err.Error(),
-	}
-}
-
-// The list of default error types without specific error message.
-var (
-	ErrBadRequest = &ErrResponse{HTTPStatusCode: http.StatusBadRequest, StatusText: http.StatusText(http.StatusBadRequest)}
-
-	ErrForbidden = &ErrResponse{HTTPStatusCode: http.StatusForbidden, StatusText: http.StatusText(http.StatusForbidden)}
-
-	ErrNotFound = &ErrResponse{HTTPStatusCode: http.StatusNotFound, StatusText: http.StatusText(http.StatusNotFound)}
-
-	ErrInternalServerError = &ErrResponse{HTTPStatusCode: http.StatusInternalServerError, StatusText: http.StatusText(http.StatusInternalServerError)}
-)

auth/jwt/authenticator.go

@@ -1,12 +1,13 @@
-package auth
+package jwt
 
 import (
 	"context"
-	"errors"
 	"net/http"
 
 	"github.com/go-chi/jwtauth"
 	"github.com/go-chi/render"
+
+	"github.com/dhax/go-base/logging"
 )
 
 type ctxKey int
@@ -16,13 +17,6 @@ const (
 	ctxRefreshToken
 )
 
-var (
-	errTokenUnauthorized   = errors.New("token unauthorized")
-	errTokenExpired        = errors.New("token expired")
-	errInvalidAccessToken  = errors.New("invalid access token")
-	errInvalidRefreshToken = errors.New("invalid refresh token")
-)
-
 // ClaimsFromCtx retrieves the parsed AppClaims from request context.
 func ClaimsFromCtx(ctx context.Context) AppClaims {
 	return ctx.Value(ctxClaims).(AppClaims)
@@ -41,23 +35,27 @@ func Authenticator(next http.Handler) http.Handler {
 		token, claims, err := jwtauth.FromContext(r.Context())
 
 		if err != nil {
-			log(r).Warn(err)
-			render.Render(w, r, ErrUnauthorized(errTokenUnauthorized))
+			logging.GetLogEntry(r).Warn(err)
+			render.Render(w, r, ErrUnauthorized(ErrTokenUnauthorized))
 			return
 		}
 
 		if !token.Valid {
-			render.Render(w, r, ErrUnauthorized(errTokenExpired))
+			render.Render(w, r, ErrUnauthorized(ErrTokenExpired))
 			return
 		}
 
 		// Token is authenticated, parse claims
-		pc, ok := parseClaims(claims)
-		if !ok {
-			render.Render(w, r, ErrUnauthorized(errInvalidAccessToken))
+		var c AppClaims
+		err = c.ParseClaims(claims)
+		if err != nil {
+			logging.GetLogEntry(r).Error(err)
+			render.Render(w, r, ErrUnauthorized(ErrInvalidAccessToken))
 			return
 		}
-		ctx := context.WithValue(r.Context(), ctxClaims, pc)
+
+		// Set AppClaims on context
+		ctx := context.WithValue(r.Context(), ctxClaims, c)
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }
@@ -67,21 +65,25 @@ func AuthenticateRefreshJWT(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		token, claims, err := jwtauth.FromContext(r.Context())
 		if err != nil {
-			log(r).Warn(err)
-			render.Render(w, r, ErrUnauthorized(errTokenUnauthorized))
+			logging.GetLogEntry(r).Warn(err)
+			render.Render(w, r, ErrUnauthorized(ErrTokenUnauthorized))
 			return
 		}
 		if !token.Valid {
-			render.Render(w, r, ErrUnauthorized(errTokenExpired))
+			render.Render(w, r, ErrUnauthorized(ErrTokenExpired))
 			return
 		}
-		refreshToken, ok := parseRefreshClaims(claims)
-		if !ok {
-			render.Render(w, r, ErrUnauthorized(errInvalidRefreshToken))
+
+		// Token is authenticated, parse refresh token string
+		var c RefreshClaims
+		err = c.ParseClaims(claims)
+		if err != nil {
+			logging.GetLogEntry(r).Error(err)
+			render.Render(w, r, ErrUnauthorized(ErrInvalidRefreshToken))
 			return
 		}
-		// Token is authenticated, set on context
-		ctx := context.WithValue(r.Context(), ctxRefreshToken, refreshToken)
+		// Set refresh token string on context
+		ctx := context.WithValue(r.Context(), ctxRefreshToken, c.Token)
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }

auth/jwt/claims.go

@@ -0,0 +1,59 @@
+package jwt
+
+import (
+	"errors"
+
+	"github.com/go-chi/jwtauth"
+)
+
+// AppClaims represent the claims parsed from JWT access token.
+type AppClaims struct {
+	ID    int
+	Sub   string
+	Roles []string
+}
+
+// ParseClaims parses JWT claims into AppClaims.
+func (c *AppClaims) ParseClaims(claims jwtauth.Claims) error {
+	id, ok := claims.Get("id")
+	if !ok {
+		return errors.New("could not parse claim id")
+	}
+	c.ID = int(id.(float64))
+
+	sub, ok := claims.Get("sub")
+	if !ok {
+		return errors.New("could not parse claim sub")
+	}
+	c.Sub = sub.(string)
+
+	rl, ok := claims.Get("roles")
+	if !ok {
+		return errors.New("could not parse claims roles")
+	}
+
+	var roles []string
+	if rl != nil {
+		for _, v := range rl.([]interface{}) {
+			roles = append(roles, v.(string))
+		}
+	}
+	c.Roles = roles
+
+	return nil
+}
+
+// RefreshClaims represent the claims parsed from JWT refresh token.
+type RefreshClaims struct {
+	Token string
+}
+
+// ParseClaims parses the JWT claims into RefreshClaims.
+func (c *RefreshClaims) ParseClaims(claims jwtauth.Claims) error {
+	token, ok := claims.Get("token")
+	if !ok {
+		return errors.New("could not parse claim token")
+	}
+	c.Token = token.(string)
+	return nil
+}

auth/jwt/errors.go

@@ -0,0 +1,42 @@
+package jwt
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/go-chi/render"
+)
+
+// The list of jwt token errors presented to the end user.
+var (
+	ErrTokenUnauthorized   = errors.New("token unauthorized")
+	ErrTokenExpired        = errors.New("token expired")
+	ErrInvalidAccessToken  = errors.New("invalid access token")
+	ErrInvalidRefreshToken = errors.New("invalid refresh token")
+)
+
+// ErrResponse renderer type for handling all sorts of errors.
+type ErrResponse struct {
+	Err            error `json:"-"` // low-level runtime error
+	HTTPStatusCode int   `json:"-"` // http response status code
+
+	StatusText string `json:"status"`          // user-level status message
+	AppCode    int64  `json:"code,omitempty"`  // application-specific error code
+	ErrorText  string `json:"error,omitempty"` // application-level error message, for debugging
+}
+
+// Render sets the application-specific error code in AppCode.
+func (e *ErrResponse) Render(w http.ResponseWriter, r *http.Request) error {
+	render.Status(r, e.HTTPStatusCode)
+	return nil
+}
+
+// ErrUnauthorized renders status 401 Unauthorized with custom error message.
+func ErrUnauthorized(err error) render.Renderer {
+	return &ErrResponse{
+		Err:            err,
+		HTTPStatusCode: http.StatusUnauthorized,
+		StatusText:     http.StatusText(http.StatusUnauthorized),
+		ErrorText:      err.Error(),
+	}
+}

auth/jwt/token.go

@@ -1,4 +1,4 @@
-package auth
+package jwt
 
 import (
 	"time"

auth/jwt/tokenauth.go

@@ -1,6 +1,7 @@
-package auth
+package jwt
 
 import (
+	"crypto/rand"
 	"net/http"
 	"time"
 
@@ -8,18 +9,11 @@ import (
 	"github.com/spf13/viper"
 )
 
-// AppClaims represent the claims extracted from JWT token.
-type AppClaims struct {
-	ID    int
-	Sub   string
-	Roles []string
-}
-
 // TokenAuth implements JWT authentication flow.
 type TokenAuth struct {
 	JwtAuth          *jwtauth.JwtAuth
-	jwtExpiry        time.Duration
-	jwtRefreshExpiry time.Duration
+	JwtExpiry        time.Duration
+	JwtRefreshExpiry time.Duration
 }
 
 // NewTokenAuth configures and returns a JWT authentication instance.
@@ -31,8 +25,8 @@ func NewTokenAuth() (*TokenAuth, error) {
 
 	a := &TokenAuth{
 		JwtAuth:          jwtauth.New("HS256", []byte(secret), nil),
-		jwtExpiry:        viper.GetDuration("auth_jwt_expiry"),
-		jwtRefreshExpiry: viper.GetDuration("auth_jwt_refresh_expiry"),
+		JwtExpiry:        viper.GetDuration("auth_jwt_expiry"),
+		JwtRefreshExpiry: viper.GetDuration("auth_jwt_refresh_expiry"),
 	}
 
 	return a, nil
@@ -59,7 +53,7 @@ func (a *TokenAuth) GenTokenPair(ca jwtauth.Claims, cr jwtauth.Claims) (string,
 // CreateJWT returns an access token for provided account claims.
 func (a *TokenAuth) CreateJWT(c jwtauth.Claims) (string, error) {
 	c.SetIssuedNow()
-	c.SetExpiryIn(a.jwtExpiry)
+	c.SetExpiryIn(a.JwtExpiry)
 	_, tokenString, err := a.JwtAuth.Encode(c)
 	return tokenString, err
 }
@@ -67,46 +61,21 @@ func (a *TokenAuth) CreateJWT(c jwtauth.Claims) (string, error) {
 // CreateRefreshJWT returns a refresh token for provided token Claims.
 func (a *TokenAuth) CreateRefreshJWT(c jwtauth.Claims) (string, error) {
 	c.SetIssuedNow()
-	c.SetExpiryIn(a.jwtRefreshExpiry)
+	c.SetExpiryIn(a.JwtRefreshExpiry)
 	_, tokenString, err := a.JwtAuth.Encode(c)
 	return tokenString, err
 }
 
-func parseClaims(c jwtauth.Claims) (AppClaims, bool) {
-	var claims AppClaims
-	allOK := true
-	id, ok := c.Get("id")
-	if !ok {
-		allOK = false
-	}
-	claims.ID = int(id.(float64))
+const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
 
-	sub, ok := c.Get("sub")
-	if !ok {
-		allOK = false
-	}
-	claims.Sub = sub.(string)
-
-	rl, ok := c.Get("roles")
-	if !ok {
-		allOK = false
+func randStringBytes(n int) string {
+	buf := make([]byte, n)
+	if _, err := rand.Read(buf); err != nil {
+		panic(err)
 	}
 
-	var roles []string
-	if rl != nil {
-		for _, v := range rl.([]interface{}) {
-			roles = append(roles, v.(string))
-		}
+	for k, v := range buf {
+		buf[k] = letterBytes[v%byte(len(letterBytes))]
 	}
-	claims.Roles = roles
-
-	return claims, allOK
-}
-
-func parseRefreshClaims(c jwtauth.Claims) (string, bool) {
-	token, ok := c.Get("token")
-	if !ok {
-		return "", false
-	}
-	return token.(string), ok
+	return string(buf)
 }

auth/mockStorer.go

@@ -1,67 +0,0 @@
-package auth
-
-// MockStorer mocks Storer interface.
-type MockStorer struct {
-	GetByIDFn      func(id int) (*Account, error)
-	GetByIDInvoked bool
-
-	GetByEmailFn      func(email string) (*Account, error)
-	GetByEmailInvoked bool
-
-	GetByRefreshTokenFn      func(token string) (*Account, *Token, error)
-	GetByRefreshTokenInvoked bool
-
-	UpdateAccountFn      func(a *Account) error
-	UpdateAccountInvoked bool
-
-	SaveRefreshTokenFn      func(t *Token) error
-	SaveRefreshTokenInvoked bool
-
-	DeleteRefreshTokenFn      func(t *Token) error
-	DeleteRefreshTokenInvoked bool
-
-	PurgeExpiredTokenFn      func() error
-	PurgeExpiredTokenInvoked bool
-}
-
-// GetByID mock returns an account by ID.
-func (s *MockStorer) GetByID(id int) (*Account, error) {
-	s.GetByIDInvoked = true
-	return s.GetByIDFn(id)
-}
-
-// GetByEmail mock returns an account by email.
-func (s *MockStorer) GetByEmail(email string) (*Account, error) {
-	s.GetByEmailInvoked = true
-	return s.GetByEmailFn(email)
-}
-
-// GetByRefreshToken mock returns an account and refresh token by token identifier.
-func (s *MockStorer) GetByRefreshToken(token string) (*Account, *Token, error) {
-	s.GetByRefreshTokenInvoked = true
-	return s.GetByRefreshTokenFn(token)
-}
-
-// UpdateAccount mock upates account data related to authentication.
-func (s *MockStorer) UpdateAccount(a *Account) error {
-	s.UpdateAccountInvoked = true
-	return s.UpdateAccountFn(a)
-}
-
-// SaveRefreshToken mock creates or updates a refresh token.
-func (s *MockStorer) SaveRefreshToken(t *Token) error {
-	s.SaveRefreshTokenInvoked = true
-	return s.SaveRefreshTokenFn(t)
-}
-
-// DeleteRefreshToken mock deletes a refresh token.
-func (s *MockStorer) DeleteRefreshToken(t *Token) error {
-	s.DeleteRefreshTokenInvoked = true
-	return s.DeleteRefreshTokenFn(t)
-}
-
-// PurgeExpiredToken mock deletes expired refresh token.
-func (s *MockStorer) PurgeExpiredToken() error {
-	s.PurgeExpiredTokenInvoked = true
-	return s.PurgeExpiredTokenFn()
-}

auth/pwdless/account.go

@@ -1,10 +1,11 @@
-package auth
+package pwdless
 
 import (
 	"net/url"
 	"strings"
 	"time"
 
+	"github.com/dhax/go-base/auth/jwt"
 	"github.com/go-chi/jwtauth"
 	validation "github.com/go-ozzo/ozzo-validation"
 	"github.com/go-ozzo/ozzo-validation/is"
@@ -23,7 +24,7 @@ type Account struct {
 	Active bool     `sql:",notnull" json:"active"`
 	Roles  []string `pg:",array" json:"roles,omitempty"`
 
-	Token []Token `json:"token,omitempty"`
+	Token []jwt.Token `json:"token,omitempty"`
 }
 
 // BeforeInsert hook executed before database insert operation.
@@ -38,11 +39,8 @@ func (a *Account) BeforeInsert(db orm.DB) error {
 
 // BeforeUpdate hook executed before database update operation.
 func (a *Account) BeforeUpdate(db orm.DB) error {
-	if err := a.Validate(); err != nil {
-		return err
-	}
 	a.UpdatedAt = time.Now()
-	return nil
+	return a.Validate()
 }
 
 // BeforeDelete hook executed before database delete operation.

auth/pwdless/api.go

@@ -1,29 +1,93 @@
-package auth
+// Package pwdless provides JSON Web Token (JWT) authentication and authorization middleware.
+// It implements a passwordless authentication flow by sending login tokens vie email which are then exchanged for JWT access and refresh tokens.
+package pwdless
 
 import (
-	"errors"
 	"fmt"
 	"net/http"
 	"path"
 	"strings"
 	"time"
 
+	"github.com/dhax/go-base/auth/jwt"
+	"github.com/dhax/go-base/email"
+	"github.com/dhax/go-base/logging"
+	"github.com/go-chi/chi"
 	"github.com/go-chi/render"
 	validation "github.com/go-ozzo/ozzo-validation"
 	"github.com/go-ozzo/ozzo-validation/is"
 	"github.com/mssola/user_agent"
 	uuid "github.com/satori/go.uuid"
-
-	"github.com/dhax/go-base/email"
+	"github.com/sirupsen/logrus"
 )
 
-// The list of error types presented to the end user as error message.
-var (
-	ErrInvalidLogin  = errors.New("invalid email address")
-	ErrUnknownLogin  = errors.New("email not registered")
-	ErrLoginDisabled = errors.New("login for account disabled")
-	ErrLoginToken    = errors.New("invalid or expired login token")
-)
+// AuthStorer defines database operations on accounts and tokens.
+type AuthStorer interface {
+	GetAccount(id int) (*Account, error)
+	GetAccountByEmail(email string) (*Account, error)
+	UpdateAccount(a *Account) error
+
+	GetToken(token string) (*jwt.Token, error)
+	CreateOrUpdateToken(t *jwt.Token) error
+	DeleteToken(t *jwt.Token) error
+	PurgeExpiredToken() error
+}
+
+// Mailer defines methods to send account emails.
+type Mailer interface {
+	LoginToken(name, email string, c email.ContentLoginToken) error
+}
+
+// Resource implements passwordless account authentication against a database.
+type Resource struct {
+	LoginAuth *LoginTokenAuth
+	TokenAuth *jwt.TokenAuth
+	Store     AuthStorer
+	Mailer    Mailer
+}
+
+// NewResource returns a configured authentication resource.
+func NewResource(authStore AuthStorer, mailer Mailer) (*Resource, error) {
+	loginAuth, err := NewLoginTokenAuth()
+	if err != nil {
+		return nil, err
+	}
+
+	tokenAuth, err := jwt.NewTokenAuth()
+	if err != nil {
+		return nil, err
+	}
+
+	resource := &Resource{
+		LoginAuth: loginAuth,
+		TokenAuth: tokenAuth,
+		Store:     authStore,
+		Mailer:    mailer,
+	}
+
+	resource.choresTicker()
+
+	return resource, nil
+}
+
+// Router provides necessary routes for passwordless authentication flow.
+func (rs *Resource) Router() *chi.Mux {
+	r := chi.NewRouter()
+	r.Use(render.SetContentType(render.ContentTypeJSON))
+	r.Post("/login", rs.login)
+	r.Post("/token", rs.token)
+	r.Group(func(r chi.Router) {
+		r.Use(rs.TokenAuth.Verifier())
+		r.Use(jwt.AuthenticateRefreshJWT)
+		r.Post("/refresh", rs.refresh)
+		r.Post("/logout", rs.logout)
+	})
+	return r
+}
+
+func log(r *http.Request) logrus.FieldLogger {
+	return logging.GetLogEntry(r)
+}
 
 type loginRequest struct {
 	Email string
@@ -46,7 +110,7 @@ func (rs *Resource) login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	acc, err := rs.store.GetByEmail(body.Email)
+	acc, err := rs.Store.GetAccountByEmail(body.Email)
 	if err != nil {
 		log(r).WithField("email", body.Email).Warn(err)
 		render.Render(w, r, ErrUnauthorized(ErrUnknownLogin))
@@ -58,17 +122,17 @@ func (rs *Resource) login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	lt := rs.Login.CreateToken(acc.ID)
+	lt := rs.LoginAuth.CreateToken(acc.ID)
 
 	go func() {
 		content := email.ContentLoginToken{
 			Email:  acc.Email,
 			Name:   acc.Name,
-			URL:    path.Join(rs.Login.loginURL, lt.Token),
+			URL:    path.Join(rs.LoginAuth.loginURL, lt.Token),
 			Token:  lt.Token,
 			Expiry: lt.Expiry,
 		}
-		if err := rs.mailer.LoginToken(acc.Name, acc.Email, content); err != nil {
+		if err := rs.Mailer.LoginToken(acc.Name, acc.Email, content); err != nil {
 			log(r).WithField("module", "email").Error(err)
 		}
 	}()
@@ -101,13 +165,13 @@ func (rs *Resource) token(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	id, err := rs.Login.GetAccountID(body.Token)
+	id, err := rs.LoginAuth.GetAccountID(body.Token)
 	if err != nil {
 		render.Render(w, r, ErrUnauthorized(ErrLoginToken))
 		return
 	}
 
-	acc, err := rs.store.GetByID(id)
+	acc, err := rs.Store.GetAccount(id)
 	if err != nil {
 		// account deleted before login token expired
 		render.Render(w, r, ErrUnauthorized(ErrUnknownLogin))
@@ -122,22 +186,22 @@ func (rs *Resource) token(w http.ResponseWriter, r *http.Request) {
 	ua := user_agent.New(r.UserAgent())
 	browser, _ := ua.Browser()
 
-	token := &Token{
+	token := &jwt.Token{
 		Token:      uuid.NewV4().String(),
-		Expiry:     time.Now().Add(rs.Token.jwtRefreshExpiry),
+		Expiry:     time.Now().Add(rs.TokenAuth.JwtRefreshExpiry),
 		UpdatedAt:  time.Now(),
 		AccountID:  acc.ID,
 		Mobile:     ua.Mobile(),
 		Identifier: fmt.Sprintf("%s on %s", browser, ua.OS()),
 	}
 
-	if err := rs.store.SaveRefreshToken(token); err != nil {
+	if err := rs.Store.CreateOrUpdateToken(token); err != nil {
 		log(r).Error(err)
 		render.Render(w, r, ErrInternalServerError)
 		return
 	}
 
-	access, refresh, err := rs.Token.GenTokenPair(acc.Claims(), token.Claims())
+	access, refresh, err := rs.TokenAuth.GenTokenPair(acc.Claims(), token.Claims())
 	if err != nil {
 		log(r).Error(err)
 		render.Render(w, r, ErrInternalServerError)
@@ -145,7 +209,7 @@ func (rs *Resource) token(w http.ResponseWriter, r *http.Request) {
 	}
 
 	acc.LastLogin = time.Now()
-	if err := rs.store.UpdateAccount(acc); err != nil {
+	if err := rs.Store.UpdateAccount(acc); err != nil {
 		log(r).Error(err)
 		render.Render(w, r, ErrInternalServerError)
 		return
@@ -158,17 +222,23 @@ func (rs *Resource) token(w http.ResponseWriter, r *http.Request) {
 }
 
 func (rs *Resource) refresh(w http.ResponseWriter, r *http.Request) {
-	rt := RefreshTokenFromCtx(r.Context())
+	rt := jwt.RefreshTokenFromCtx(r.Context())
 
-	acc, token, err := rs.store.GetByRefreshToken(rt)
+	token, err := rs.Store.GetToken(rt)
 	if err != nil {
-		render.Render(w, r, ErrUnauthorized(errTokenExpired))
+		render.Render(w, r, ErrUnauthorized(jwt.ErrTokenExpired))
 		return
 	}
 
 	if time.Now().After(token.Expiry) {
-		rs.store.DeleteRefreshToken(token)
-		render.Render(w, r, ErrUnauthorized(errTokenExpired))
+		rs.Store.DeleteToken(token)
+		render.Render(w, r, ErrUnauthorized(jwt.ErrTokenExpired))
+		return
+	}
+
+	acc, err := rs.Store.GetAccount(token.AccountID)
+	if err != nil {
+		render.Render(w, r, ErrUnauthorized(ErrUnknownLogin))
 		return
 	}
 
@@ -178,24 +248,24 @@ func (rs *Resource) refresh(w http.ResponseWriter, r *http.Request) {
 	}
 
 	token.Token = uuid.NewV4().String()
-	token.Expiry = time.Now().Add(rs.Token.jwtRefreshExpiry)
+	token.Expiry = time.Now().Add(rs.TokenAuth.JwtRefreshExpiry)
 	token.UpdatedAt = time.Now()
 
-	access, refresh, err := rs.Token.GenTokenPair(acc.Claims(), token.Claims())
+	access, refresh, err := rs.TokenAuth.GenTokenPair(acc.Claims(), token.Claims())
 	if err != nil {
 		log(r).Error(err)
 		render.Render(w, r, ErrInternalServerError)
 		return
 	}
 
-	if err := rs.store.SaveRefreshToken(token); err != nil {
+	if err := rs.Store.CreateOrUpdateToken(token); err != nil {
 		log(r).Error(err)
 		render.Render(w, r, ErrInternalServerError)
 		return
 	}
 
 	acc.LastLogin = time.Now()
-	if err := rs.store.UpdateAccount(acc); err != nil {
+	if err := rs.Store.UpdateAccount(acc); err != nil {
 		log(r).Error(err)
 		render.Render(w, r, ErrInternalServerError)
 		return
@@ -208,13 +278,13 @@ func (rs *Resource) refresh(w http.ResponseWriter, r *http.Request) {
 }
 
 func (rs *Resource) logout(w http.ResponseWriter, r *http.Request) {
-	rt := RefreshTokenFromCtx(r.Context())
-	_, token, err := rs.store.GetByRefreshToken(rt)
+	rt := jwt.RefreshTokenFromCtx(r.Context())
+	token, err := rs.Store.GetToken(rt)
 	if err != nil {
-		render.Render(w, r, ErrUnauthorized(errTokenExpired))
+		render.Render(w, r, ErrUnauthorized(jwt.ErrTokenExpired))
 		return
 	}
-	rs.store.DeleteRefreshToken(token)
+	rs.Store.DeleteToken(token)
 
 	render.Respond(w, r, http.NoBody)
 }

auth/pwdless/api_test.go

@@ -1,9 +1,10 @@
-package auth
+package pwdless
 
 import (
 	"bytes"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
 	"io/ioutil"
 	"net/http"
@@ -13,16 +14,18 @@ import (
 	"testing"
 	"time"
 
-	"github.com/dhax/go-base/email"
-	"github.com/dhax/go-base/logging"
 	"github.com/go-chi/chi"
 	"github.com/go-chi/jwtauth"
 	"github.com/spf13/viper"
+
+	"github.com/dhax/go-base/auth/jwt"
+	"github.com/dhax/go-base/email"
+	"github.com/dhax/go-base/logging"
 )
 
 var (
 	auth      *Resource
-	authstore MockStorer
+	authStore MockAuthStore
 	mailer    email.MockMailer
 	ts        *httptest.Server
 )
@@ -34,8 +37,9 @@ func TestMain(m *testing.M) {
 	viper.SetDefault("log_level", "error")
 
 	var err error
-	auth, err = NewResource(&authstore, &mailer)
+	auth, err = NewResource(&authStore, &mailer)
 	if err != nil {
+		fmt.Println(err)
 		os.Exit(1)
 	}
 
@@ -51,7 +55,7 @@ func TestMain(m *testing.M) {
 }
 
 func TestAuthResource_login(t *testing.T) {
-	authstore.GetByEmailFn = func(email string) (*Account, error) {
+	authStore.GetAccountByEmailFn = func(email string) (*Account, error) {
 		var err error
 		a := Account{
 			ID:    1,
@@ -100,20 +104,20 @@ func TestAuthResource_login(t *testing.T) {
 			if tc.err != nil && !strings.Contains(body, tc.err.Error()) {
 				t.Errorf(" got: %s, expected to contain: %s", body, tc.err.Error())
 			}
-			if tc.err == ErrInvalidLogin && authstore.GetByEmailInvoked {
+			if tc.err == ErrInvalidLogin && authStore.GetAccountByEmailInvoked {
 				t.Error("GetByLoginToken invoked for invalid email")
 			}
 			if tc.err == nil && !mailer.LoginTokenInvoked {
 				t.Error("emailService.LoginToken not invoked")
 			}
-			authstore.GetByEmailInvoked = false
+			authStore.GetAccountByEmailInvoked = false
 			mailer.LoginTokenInvoked = false
 		})
 	}
 }
 
 func TestAuthResource_token(t *testing.T) {
-	authstore.GetByIDFn = func(id int) (*Account, error) {
+	authStore.GetAccountFn = func(id int) (*Account, error) {
 		var err error
 		a := Account{
 			ID:     id,
@@ -130,11 +134,11 @@ func TestAuthResource_token(t *testing.T) {
 		}
 		return &a, err
 	}
-	authstore.UpdateAccountFn = func(a *Account) error {
+	authStore.UpdateAccountFn = func(a *Account) error {
 		a.LastLogin = time.Now()
 		return nil
 	}
-	authstore.SaveRefreshTokenFn = func(a *Token) error {
+	authStore.CreateOrUpdateTokenFn = func(a *jwt.Token) error {
 		return nil
 	}
 
@@ -154,7 +158,7 @@ func TestAuthResource_token(t *testing.T) {
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			token := auth.Login.CreateToken(tc.id)
+			token := auth.LoginAuth.CreateToken(tc.id)
 			if tc.token != "" {
 				token.Token = tc.token
 			}
@@ -171,25 +175,37 @@ func TestAuthResource_token(t *testing.T) {
 			if tc.err != nil && !strings.Contains(body, tc.err.Error()) {
 				t.Errorf("got: %s, expected to contain: %s", body, tc.err.Error())
 			}
-			if tc.err == ErrLoginToken && authstore.SaveRefreshTokenInvoked {
-				t.Errorf("SaveRefreshToken invoked despite error %s", tc.err.Error())
+			if tc.err == ErrLoginToken && authStore.CreateOrUpdateTokenInvoked {
+				t.Errorf("CreateOrUpdate invoked despite error %s", tc.err.Error())
 			}
-			if tc.err == nil && !authstore.SaveRefreshTokenInvoked {
-				t.Error("SaveRefreshToken not invoked")
+			if tc.err == nil && !authStore.CreateOrUpdateTokenInvoked {
+				t.Error("CreateOrUpdate not invoked")
 			}
-			authstore.SaveRefreshTokenInvoked = false
+			authStore.CreateOrUpdateTokenInvoked = false
 		})
 	}
 }
 
 func TestAuthResource_refresh(t *testing.T) {
-	authstore.GetByRefreshTokenFn = func(token string) (*Account, *Token, error) {
-		var err error
+	authStore.GetAccountFn = func(id int) (*Account, error) {
 		a := Account{
 			Active: true,
 			Name:   "Test",
 		}
-		var t Token
+		switch id {
+		case 999:
+			a.Active = false
+		}
+		return &a, nil
+	}
+	authStore.UpdateAccountFn = func(a *Account) error {
+		a.LastLogin = time.Now()
+		return nil
+	}
+
+	authStore.GetTokenFn = func(token string) (*jwt.Token, error) {
+		var err error
+		var t jwt.Token
 		t.Expiry = time.Now().Add(1 * time.Minute)
 
 		switch token {
@@ -198,20 +214,14 @@ func TestAuthResource_refresh(t *testing.T) {
 		case "expired":
 			t.Expiry = time.Now().Add(-1 * time.Minute)
 		case "disabled":
-			a.Active = false
-		case "valid":
-			// unmodified
+			t.AccountID = 999
 		}
-		return &a, &t, err
+		return &t, err
 	}
-	authstore.UpdateAccountFn = func(a *Account) error {
-		a.LastLogin = time.Now()
+	authStore.CreateOrUpdateTokenFn = func(a *jwt.Token) error {
 		return nil
 	}
-	authstore.SaveRefreshTokenFn = func(a *Token) error {
-		return nil
-	}
-	authstore.DeleteRefreshTokenFn = func(t *Token) error {
+	authStore.DeleteTokenFn = func(t *jwt.Token) error {
 		return nil
 	}
 
@@ -222,8 +232,8 @@ func TestAuthResource_refresh(t *testing.T) {
 		status int
 		err    error
 	}{
-		{"notfound", "notfound", 1, http.StatusUnauthorized, errTokenExpired},
-		{"expired", "expired", -1, http.StatusUnauthorized, errTokenUnauthorized},
+		{"notfound", "notfound", 1, http.StatusUnauthorized, jwt.ErrTokenExpired},
+		{"expired", "expired", -1, http.StatusUnauthorized, jwt.ErrTokenUnauthorized},
 		{"disabled", "disabled", 1, http.StatusUnauthorized, ErrLoginDisabled},
 		{"valid", "valid", 1, http.StatusOK, nil},
 	}
@@ -238,32 +248,31 @@ func TestAuthResource_refresh(t *testing.T) {
 			if tc.err != nil && !strings.Contains(body, tc.err.Error()) {
 				t.Errorf("got: %s, expected error to contain: %s", body, tc.err.Error())
 			}
-			if tc.status == http.StatusUnauthorized && authstore.SaveRefreshTokenInvoked {
-				t.Errorf("SaveRefreshToken invoked for status %d", tc.status)
+			if tc.status == http.StatusUnauthorized && authStore.CreateOrUpdateTokenInvoked {
+				t.Errorf("CreateOrUpdate invoked for status %d", tc.status)
 			}
 			if tc.status == http.StatusOK {
-				if !authstore.GetByRefreshTokenInvoked {
-					t.Errorf("GetRefreshToken not invoked")
+				if !authStore.GetTokenInvoked {
+					t.Errorf("GetByToken not invoked")
 				}
-				if !authstore.SaveRefreshTokenInvoked {
-					t.Errorf("SaveRefreshToken not invoked")
+				if !authStore.CreateOrUpdateTokenInvoked {
+					t.Errorf("CreateOrUpdate not invoked")
 				}
-				if authstore.DeleteRefreshTokenInvoked {
-					t.Errorf("DeleteRefreshToken should not be invoked")
+				if authStore.DeleteTokenInvoked {
+					t.Errorf("Delete should not be invoked")
 				}
 			}
-			authstore.GetByRefreshTokenInvoked = false
-			authstore.SaveRefreshTokenInvoked = false
-			authstore.DeleteRefreshTokenInvoked = false
+			authStore.GetTokenInvoked = false
+			authStore.CreateOrUpdateTokenInvoked = false
+			authStore.DeleteTokenInvoked = false
 		})
 	}
 }
 
 func TestAuthResource_logout(t *testing.T) {
-	authstore.GetByRefreshTokenFn = func(token string) (*Account, *Token, error) {
+	authStore.GetTokenFn = func(token string) (*jwt.Token, error) {
 		var err error
-		var a Account
-		t := Token{
+		t := jwt.Token{
 			Expiry: time.Now().Add(1 * time.Minute),
 		}
 
@@ -271,9 +280,9 @@ func TestAuthResource_logout(t *testing.T) {
 		case "notfound":
 			err = errors.New("sql no rows")
 		}
-		return &a, &t, err
+		return &t, err
 	}
-	authstore.DeleteRefreshTokenFn = func(a *Token) error {
+	authStore.DeleteTokenFn = func(a *jwt.Token) error {
 		return nil
 	}
 
@@ -284,8 +293,8 @@ func TestAuthResource_logout(t *testing.T) {
 		status int
 		err    error
 	}{
-		{"notfound", "notfound", 1, http.StatusUnauthorized, errTokenExpired},
-		{"expired", "valid", -1, http.StatusUnauthorized, errTokenUnauthorized},
+		{"notfound", "notfound", 1, http.StatusUnauthorized, jwt.ErrTokenExpired},
+		{"expired", "valid", -1, http.StatusUnauthorized, jwt.ErrTokenUnauthorized},
 		{"valid", "valid", 1, http.StatusOK, nil},
 	}
 
@@ -299,10 +308,10 @@ func TestAuthResource_logout(t *testing.T) {
 			if tc.err != nil && !strings.Contains(body, tc.err.Error()) {
 				t.Errorf("got: %x, expected error to contain %s", body, tc.err.Error())
 			}
-			if tc.status == http.StatusUnauthorized && authstore.DeleteRefreshTokenInvoked {
-				t.Errorf("DeleteRefreshToken invoked for status %d", tc.status)
+			if tc.status == http.StatusUnauthorized && authStore.DeleteTokenInvoked {
+				t.Errorf("Delete invoked for status %d", tc.status)
 			}
-			authstore.DeleteRefreshTokenInvoked = false
+			authStore.DeleteTokenInvoked = false
 		})
 	}
 }
@@ -335,7 +344,7 @@ func testRequest(t *testing.T, ts *httptest.Server, method, path string, body io
 }
 
 func genJWT(c jwtauth.Claims) string {
-	_, tokenString, _ := auth.Token.JwtAuth.Encode(c)
+	_, tokenString, _ := auth.TokenAuth.JwtAuth.Encode(c)
 	return tokenString
 }
 

auth/pwdless/chores.go

@@ -0,0 +1,18 @@
+package pwdless
+
+import (
+	"time"
+
+	"github.com/dhax/go-base/logging"
+)
+
+func (rs *Resource) choresTicker() {
+	ticker := time.NewTicker(time.Hour * 1)
+	go func() {
+		for range ticker.C {
+			if err := rs.Store.PurgeExpiredToken(); err != nil {
+				logging.Logger.WithField("chore", "purgeExpiredToken").Error(err)
+			}
+		}
+	}()
+}

auth/pwdless/errors.go

@@ -0,0 +1,50 @@
+package pwdless
+
+import (
+	"errors"
+	"net/http"
+
+	"github.com/go-chi/render"
+)
+
+// The list of error types presented to the end user as error message.
+var (
+	ErrInvalidLogin  = errors.New("invalid email address")
+	ErrUnknownLogin  = errors.New("email not registered")
+	ErrLoginDisabled = errors.New("login for account disabled")
+	ErrLoginToken    = errors.New("invalid or expired login token")
+)
+
+// ErrResponse renderer type for handling all sorts of errors.
+type ErrResponse struct {
+	Err            error `json:"-"` // low-level runtime error
+	HTTPStatusCode int   `json:"-"` // http response status code
+
+	StatusText string `json:"status"`          // user-level status message
+	AppCode    int64  `json:"code,omitempty"`  // application-specific error code
+	ErrorText  string `json:"error,omitempty"` // application-level error message, for debugging
+}
+
+// Render sets the application-specific error code in AppCode.
+func (e *ErrResponse) Render(w http.ResponseWriter, r *http.Request) error {
+	render.Status(r, e.HTTPStatusCode)
+	return nil
+}
+
+// ErrUnauthorized renders status 401 Unauthorized with custom error message.
+func ErrUnauthorized(err error) render.Renderer {
+	return &ErrResponse{
+		Err:            err,
+		HTTPStatusCode: http.StatusUnauthorized,
+		StatusText:     http.StatusText(http.StatusUnauthorized),
+		ErrorText:      err.Error(),
+	}
+}
+
+// The list of default error types without specific error message.
+var (
+	ErrInternalServerError = &ErrResponse{
+		HTTPStatusCode: http.StatusInternalServerError,
+		StatusText:     http.StatusText(http.StatusInternalServerError),
+	}
+)

auth/pwdless/logintoken.go

@@ -1,6 +1,7 @@
-package auth
+package pwdless
 
 import (
+	"crypto/rand"
 	"errors"
 	"sync"
 	"time"
@@ -87,3 +88,17 @@ func (a *LoginTokenAuth) purgeExpired() {
 		}
 	}
 }
+
+const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+
+func randStringBytes(n int) string {
+	buf := make([]byte, n)
+	if _, err := rand.Read(buf); err != nil {
+		panic(err)
+	}
+
+	for k, v := range buf {
+		buf[k] = letterBytes[v%byte(len(letterBytes))]
+	}
+	return string(buf)
+}

auth/pwdless/mockAuthStore.go

@@ -0,0 +1,69 @@
+package pwdless
+
+import "github.com/dhax/go-base/auth/jwt"
+
+// MockAuthStore mocks AuthStorer interface.
+type MockAuthStore struct {
+	GetAccountFn      func(id int) (*Account, error)
+	GetAccountInvoked bool
+
+	GetAccountByEmailFn      func(email string) (*Account, error)
+	GetAccountByEmailInvoked bool
+
+	UpdateAccountFn      func(a *Account) error
+	UpdateAccountInvoked bool
+
+	GetTokenFn      func(token string) (*jwt.Token, error)
+	GetTokenInvoked bool
+
+	CreateOrUpdateTokenFn      func(t *jwt.Token) error
+	CreateOrUpdateTokenInvoked bool
+
+	DeleteTokenFn      func(t *jwt.Token) error
+	DeleteTokenInvoked bool
+
+	PurgeExpiredTokenFn      func() error
+	PurgeExpiredTokenInvoked bool
+}
+
+// GetAccount mock returns an account by ID.
+func (s *MockAuthStore) GetAccount(id int) (*Account, error) {
+	s.GetAccountInvoked = true
+	return s.GetAccountFn(id)
+}
+
+// GetAccountByEmail mock returns an account by email.
+func (s *MockAuthStore) GetAccountByEmail(email string) (*Account, error) {
+	s.GetAccountByEmailInvoked = true
+	return s.GetAccountByEmailFn(email)
+}
+
+// UpdateAccount mock upates account data related to authentication.
+func (s *MockAuthStore) UpdateAccount(a *Account) error {
+	s.UpdateAccountInvoked = true
+	return s.UpdateAccountFn(a)
+}
+
+// GetToken mock returns an account and refresh token by token identifier.
+func (s *MockAuthStore) GetToken(token string) (*jwt.Token, error) {
+	s.GetTokenInvoked = true
+	return s.GetTokenFn(token)
+}
+
+// CreateOrUpdateToken mock creates or updates a refresh token.
+func (s *MockAuthStore) CreateOrUpdateToken(t *jwt.Token) error {
+	s.CreateOrUpdateTokenInvoked = true
+	return s.CreateOrUpdateTokenFn(t)
+}
+
+// DeleteToken mock deletes a refresh token.
+func (s *MockAuthStore) DeleteToken(t *jwt.Token) error {
+	s.DeleteTokenInvoked = true
+	return s.DeleteTokenFn(t)
+}
+
+// PurgeExpiredToken mock deletes expired refresh token.
+func (s *MockAuthStore) PurgeExpiredToken() error {
+	s.PurgeExpiredTokenInvoked = true
+	return s.PurgeExpiredTokenFn()
+}