feat(backend): rework for 2024 (#84)

* feat(backend): nocodb client

* feat(backend): realign structure, move to chi

* feat(backend): implement UpdateTableRecords for nocodb

* feat(backend): start to move database implementation to nocodb

* feat(backend): rework ticketing to use nocodb

* feat(backend): rework mail blast model

* ci: move trufflehog as separate job

* chore(backend): update lock file

* fix(backend): wrong sprintf format

* test(backend): fix test for nocodb related

.github/workflows/ci.yml

@@ -7,45 +7,37 @@ on:
       - master
 
 jobs:
+  scan:
+    name: Secret scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: TruffleHog OSS
+        uses: trufflesecurity/trufflehog@main
+        with:
+          extra_args: --debug --only-verified
+
   ci-backend:
     name: Backend
     runs-on: ubuntu-latest
     timeout-minutes: 20
-    container: golang:1.21-bookworm
+    container: golang:1-bookworm
     defaults:
       run:
         working-directory: ./backend
     services:
-      db:
-        image: postgres:15-bookworm
-        ports:
-          - 5432:5432
-        env:
-          POSTGRES_PASSWORD: password
-          POSTGRES_USER: postgres
-          POSTGRES_DB: conf
-        options: >-
-          --health-cmd "pg_isready -U postgres -d conf"
-          --health-interval 10s
-          --health-timeout 5s
-          --health-retries 5
       smtp:
         image: marlonb/mailcrab:latest
         ports:
           - 1025:1025
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@main
-        with:
-          path: ./
-          base: ${{ github.event.repository.default_branch }}
-          head: HEAD
-          extra_args: --debug --only-verified
 
       - name: Build
         run: go build -buildvcs=false .
@@ -74,16 +66,6 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@main
-        with:
-          path: ./
-          base: ${{ github.event.repository.default_branch }}
-          head: HEAD
-          extra_args: --debug --only-verified
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v2

backend/Dockerfile

@@ -10,9 +10,7 @@ FROM debian:bookworm-slim AS runtime
 
 WORKDIR /app
 
-RUN apt-get update && \
-    apt-get install -y curl && \
-    apt-get clean && \
+RUN apt-get clean && \
     rm -rf /var/lib/apt/lists/* && \
     mkdir -p /app/csv && \
     mkdir -p /data
@@ -22,7 +20,7 @@ ARG PORT=8080
 COPY --from=build /app/ .
 
 HEALTHCHECK --interval=60s --timeout=40s \
-    CMD curl -f http://localhost:8080/ping || exit 1
+    CMD /app/conf-backend --port ${PORT}
 
 EXPOSE ${PORT}
 

backend/administrator/administrator.go

@@ -0,0 +1,60 @@
+package administrator
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"encoding/hex"
+	"fmt"
+
+	"conf/administrator/jwt"
+	"github.com/pquerna/otp/totp"
+)
+
+type Administrator struct {
+	Username       string `yaml:"username"`
+	HashedPassword string `yaml:"hashed_password"`
+	TotpSecret     string `yaml:"totp_secret"`
+}
+
+func GenerateSecret(username string) (secret string, url string, err error) {
+	generate, err := totp.Generate(totp.GenerateOpts{Issuer: "teknumconf", AccountName: username, Rand: rand.Reader})
+	if err != nil {
+		return "", "", err
+	}
+
+	return generate.Secret(), generate.URL(), nil
+}
+
+type AdministratorDomain struct {
+	jwt            *jwt.JsonWebToken
+	administrators []Administrator
+}
+
+func NewAdministratorDomain(administrators []Administrator) (*AdministratorDomain, error) {
+	// Generate ed25519 key pairs for access and refresh tokens
+	accessPublicKey, accessPrivateKey, err := ed25519.GenerateKey(nil)
+	if err != nil {
+		return nil, fmt.Errorf("generating fresh access key pair: %w", err)
+	}
+
+	refreshPublicKey, refreshPrivateKey, err := ed25519.GenerateKey(nil)
+	if err != nil {
+		return nil, fmt.Errorf("generating fresh refresh key pair: %w", err)
+	}
+
+	var randomIssuer = make([]byte, 18)
+	_, _ = rand.Read(randomIssuer)
+
+	var randomSubject = make([]byte, 16)
+	_, _ = rand.Read(randomSubject)
+
+	var randomAudience = make([]byte, 32)
+	_, _ = rand.Read(randomAudience)
+
+	authJwt := jwt.NewJwt(accessPrivateKey, accessPublicKey, refreshPrivateKey, refreshPublicKey, hex.EncodeToString(randomIssuer), hex.EncodeToString(randomSubject), hex.EncodeToString(randomAudience))
+
+	return &AdministratorDomain{
+		jwt:            authJwt,
+		administrators: administrators,
+	}, nil
+}

backend/administrator/authenticate.go

@@ -0,0 +1,55 @@
+package administrator
+
+import (
+	"context"
+	"encoding/hex"
+	"errors"
+	"fmt"
+
+	"github.com/getsentry/sentry-go"
+	"github.com/pquerna/otp/totp"
+	"golang.org/x/crypto/bcrypt"
+)
+
+func (a *AdministratorDomain) Authenticate(ctx context.Context, username string, plainPassword string, otpCode string) (string, bool, error) {
+	span := sentry.StartSpan(ctx, "administrator.authenticate", sentry.WithTransactionName("Authenticate"))
+	defer span.Finish()
+
+	var administrator Administrator
+	for _, adm := range a.administrators {
+		if adm.Username == username {
+			administrator = adm
+			break
+		}
+	}
+
+	if administrator.Username == "" {
+		return "", false, nil
+	}
+
+	hashedPassword, err := hex.DecodeString(administrator.HashedPassword)
+	if err != nil {
+		return "", false, fmt.Errorf("invalid hex string")
+	}
+
+	err = bcrypt.CompareHashAndPassword(hashedPassword, []byte(plainPassword))
+	if err != nil {
+		if errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {
+			return "", false, nil
+		}
+
+		return "", false, fmt.Errorf("password: %w", err)
+	}
+
+	ok := totp.Validate(otpCode, administrator.TotpSecret)
+	if !ok {
+		return "", false, nil
+	}
+
+	token, err := a.jwt.Sign(username)
+	if err != nil {
+		return "", false, fmt.Errorf("signing token: %w", err)
+	}
+
+	return token, true, nil
+}

backend/administrator/jwt/jwt.go

@@ -0,0 +1,137 @@
+package jwt
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+)
+
+type JsonWebToken struct {
+	accessPrivateKey  ed25519.PrivateKey
+	accessPublicKey   ed25519.PublicKey
+	refreshPrivateKey ed25519.PrivateKey
+	refreshPublicKey  ed25519.PublicKey
+	issuer            string
+	subject           string
+	audience          string
+}
+
+func NewJwt(accessPrivateKey []byte, accessPublicKey []byte, refreshPrivateKey []byte, refreshPublicKey []byte, issuer string, subject string, audience string) *JsonWebToken {
+	return &JsonWebToken{
+		accessPrivateKey:  accessPrivateKey,
+		accessPublicKey:   accessPublicKey,
+		refreshPrivateKey: refreshPrivateKey,
+		refreshPublicKey:  refreshPublicKey,
+		issuer:            issuer,
+		subject:           subject,
+		audience:          audience,
+	}
+}
+
+func (j *JsonWebToken) Sign(userId string) (accessToken string, err error) {
+	accessRandId := make([]byte, 32)
+	_, _ = rand.Read(accessRandId)
+
+	accessClaims := jwt.MapClaims{
+		"iss": j.issuer,
+		"sub": j.subject,
+		"aud": j.audience,
+		"exp": time.Now().Add(time.Hour * 1).Unix(),
+		"nbf": time.Now().Unix(),
+		"iat": time.Now().Unix(),
+		"jti": string(accessRandId),
+		"uid": userId,
+	}
+
+	accessToken, err = jwt.NewWithClaims(jwt.SigningMethodEdDSA, accessClaims).SignedString(j.accessPrivateKey)
+	if err != nil {
+		return "", fmt.Errorf("failed to sign access token: %w", err)
+	}
+
+	return accessToken, nil
+}
+
+var ErrInvalidSigningMethod = errors.New("invalid signing method")
+var ErrExpired = errors.New("token expired")
+var ErrInvalid = errors.New("token invalid")
+var ErrClaims = errors.New("token claims invalid")
+
+func (j *JsonWebToken) VerifyAccessToken(token string) (userId string, err error) {
+	if token == "" {
+		return "", ErrInvalid
+	}
+
+	parsedToken, err := jwt.Parse(token, func(t *jwt.Token) (interface{}, error) {
+		_, ok := t.Method.(*jwt.SigningMethodEd25519)
+		if !ok {
+			return nil, ErrInvalidSigningMethod
+		}
+		return j.accessPublicKey, nil
+	})
+	if err != nil {
+		if parsedToken != nil && !parsedToken.Valid {
+			// Check if the error is a type of jwt.ValidationError
+			validationError, ok := err.(*jwt.ValidationError)
+			if ok {
+				if validationError.Errors&jwt.ValidationErrorExpired != 0 {
+					return "", ErrExpired
+				}
+
+				if validationError.Errors&jwt.ValidationErrorSignatureInvalid != 0 {
+					return "", ErrInvalid
+				}
+
+				if validationError.Errors&jwt.ValidationErrorClaimsInvalid != 0 {
+					return "", ErrClaims
+				}
+
+				return "", fmt.Errorf("failed to parse access token: %w", err)
+			}
+
+			return "", fmt.Errorf("non-validation error during parsing token: %w", err)
+		}
+
+		return "", fmt.Errorf("token is valid or parsedToken is not nil: %w", err)
+	}
+
+	claims, ok := parsedToken.Claims.(jwt.MapClaims)
+	if !ok {
+		return "", ErrClaims
+	}
+
+	if !claims.VerifyAudience(j.audience, true) {
+		return "", ErrInvalid
+	}
+
+	if !claims.VerifyExpiresAt(time.Now().Unix(), true) {
+		return "", ErrExpired
+	}
+
+	if !claims.VerifyIssuer(j.issuer, true) {
+		return "", ErrInvalid
+	}
+
+	if !claims.VerifyNotBefore(time.Now().Unix(), true) {
+		return "", ErrInvalid
+	}
+
+	jwtId, ok := claims["jti"].(string)
+	if !ok {
+		return "", ErrClaims
+	}
+
+	if jwtId == "" {
+		return "", ErrClaims
+	}
+
+	userId, ok = claims["uid"].(string)
+	if !ok {
+		return "", ErrClaims
+	}
+
+	return userId, nil
+}