server.go 20.9 KB
Newer Older
1
package keyshareserver
2
3

import (
4
	"bytes"
5
	"context"
6
7
8
9
10
11
12
13
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io/ioutil"
	"net/http"
	"strings"
	"sync"
14
	"time"
15

16
	"github.com/jasonlvhit/gocron"
17
18
19
20
21
	"github.com/privacybydesign/gabi"
	"github.com/privacybydesign/gabi/big"
	irma "github.com/privacybydesign/irmago"
	"github.com/sirupsen/logrus"

22
	"github.com/privacybydesign/irmago/internal/common"
23
	"github.com/privacybydesign/irmago/internal/keysharecore"
24
25
26
27
28
29
30
	"github.com/privacybydesign/irmago/server"
	"github.com/privacybydesign/irmago/server/irmaserver"

	"github.com/go-chi/chi"
)

type SessionData struct {
31
	LastKeyID    irma.PublicKeyIdentifier // last used key, used in signing the issuance message
32
	LastCommitID uint64
33
	expiry       time.Time
34
35
36
}

type Server struct {
37
	// configuration
38
39
	conf *Configuration

40
	// external components
41
	core          *keysharecore.Core
42
43
	sessionserver *irmaserver.Server
	db            KeyshareDB
44
45

	// Scheduler used to clean sessions
46
47
	scheduler     *gocron.Scheduler
	stopScheduler chan<- bool
48

49
	// Session data, keeping track of current keyshare protocol session state for each user
50
51
52
53
54
55
56
	sessions    map[string]*SessionData
	sessionLock sync.Mutex
}

func New(conf *Configuration) (*Server, error) {
	var err error
	s := &Server{
57
58
59
		conf:      conf,
		sessions:  map[string]*SessionData{},
		scheduler: gocron.NewScheduler(),
60
61
	}

62
63
	// Setup IRMA session server
	s.sessionserver, err = irmaserver.New(conf.Configuration)
64
65
66
67
	if err != nil {
		return nil, err
	}

68
69
	// Process configuration and create keyshare core
	s.core, err = processConfiguration(conf)
70
71
72
73
	if err != nil {
		return nil, err
	}

74
75
76
77
78
79
	// Load neccessary idemix keys into core, and ensure that future updates
	// to them are processed
	s.LoadIdemixKeys(conf.IrmaConfiguration)
	conf.IrmaConfiguration.UpdateListeners = append(
		conf.IrmaConfiguration.UpdateListeners, s.LoadIdemixKeys)

80
81
	// Setup DB
	s.db = conf.DB
82

83
84
85
86
	// Setup session cache clearing
	s.scheduler.Every(10).Seconds().Do(s.clearSessions)
	s.stopScheduler = s.scheduler.Start()

87
88
89
	return s, nil
}

90
91
92
93
94
func (s *Server) Stop() {
	s.stopScheduler <- true
	s.sessionserver.Stop()
}

95
// clean up any expired sessions
96
97
98
99
100
101
102
103
104
105
106
func (s *Server) clearSessions() {
	now := time.Now()
	s.sessionLock.Lock()
	defer s.sessionLock.Unlock()
	for k, v := range s.sessions {
		if now.After(v.expiry) {
			delete(s.sessions, k)
		}
	}
}

107
108
func (s *Server) Handler() http.Handler {
	router := chi.NewRouter()
109
110
111

	if s.conf.Verbose >= 2 {
		opts := server.LogOptions{Response: true, Headers: true, From: false, EncodeBinary: true}
112
		router.Use(server.LogMiddleware("keyshareserver", opts))
113
114
	}

115
	// Registration
116
	router.Post("/client/register", s.handleRegister)
117

118
	// Pin logic
119
120
	router.Post("/users/verify/pin", s.handleVerifyPin)
	router.Post("/users/change/pin", s.handleChangePin)
121
122

	// Keyshare sessions
123
124
125
126
127
128
129
	router.Group(func(router chi.Router) {
		router.Use(s.userMiddleware)
		router.Use(s.authorizationMiddleware)
		router.Post("/users/isAuthorized", s.handleValidate)
		router.Post("/prove/getCommitments", s.handleCommitments)
		router.Post("/prove/getResponse", s.handleResponse)
	})
130

131
	// IRMA server for issuing myirma credential during registration
132
133
134
135
	router.Mount("/irma/", s.sessionserver.HandlerFunc())
	return router
}

136
// On configuration changes, inform the keyshare core of any
137
// new IRMA issuer public keys.
138
139
func (s *Server) LoadIdemixKeys(conf *irma.Configuration) {
	for _, issuer := range conf.Issuers {
140
		keyIDs, err := conf.PublicKeyIndices(issuer.Identifier())
141
		if err != nil {
142
			s.conf.Logger.WithFields(logrus.Fields{"issuer": issuer, "error": err}).Warn("Could not find keyIDs for issuer")
143
144
			continue
		}
145
		for _, id := range keyIDs {
146
147
			key, err := conf.PublicKey(issuer.Identifier(), id)
			if err != nil {
148
				s.conf.Logger.WithFields(logrus.Fields{"keyID": id, "error": err}).Warn("Could not fetch public key for issuer")
149
150
151
152
153
154
155
				continue
			}
			s.core.DangerousAddTrustedPublicKey(irma.PublicKeyIdentifier{Issuer: issuer.Identifier(), Counter: uint(id)}, key)
		}
	}
}

156
// /prove/getCommitments
157
func (s *Server) handleCommitments(w http.ResponseWriter, r *http.Request) {
158
	// Fetch from context
159
	user := r.Context().Value("user").(*KeyshareUser)
160
161
	authorization := r.Context().Value("authorization").(string)

162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
	// Read keys
	body, err := ioutil.ReadAll(r.Body)
	if err != nil {
		s.conf.Logger.WithField("error", err).Info("Malformed request: could not read request body")
		server.WriteError(w, server.ErrorInvalidRequest, err.Error())
		return
	}
	var keys []irma.PublicKeyIdentifier
	err = json.Unmarshal(body, &keys)
	if err != nil {
		s.conf.Logger.WithField("error", err).Info("Malformed request: could not parse request body")
		s.conf.Logger.WithField("body", body).Debug("Malformed request data")
		server.WriteError(w, server.ErrorInvalidRequest, err.Error())
		return
	}
	if len(keys) == 0 {
		s.conf.Logger.Info("Malformed request: no keys over which to commit specified")
		server.WriteError(w, server.ErrorInvalidRequest, "No key specified")
		return
	}

183
184
185
186
	commitments, err := s.generateCommitments(user, authorization, keys)
	if err == keysharecore.ErrInvalidChallenge || err == keysharecore.ErrInvalidJWT {
		server.WriteError(w, server.ErrorInvalidRequest, err.Error())
		return
187
	}
188
	if err != nil {
189
190
		// already logged
		server.WriteError(w, server.ErrorInternal, err.Error())
191
192
193
		return
	}

194
195
196
	server.WriteJson(w, commitments)
}

197
func (s *Server) generateCommitments(user *KeyshareUser, authorization string, keys []irma.PublicKeyIdentifier) (*irma.ProofPCommitmentMap, error) {
198
	// Generate commitments
199
	commitments, commitID, err := s.core.GenerateCommitments(user.Coredata, authorization, keys)
200
201
	if err != nil {
		s.conf.Logger.WithField("error", err).Warn("Could not generate commitments for request")
202
		return nil, err
203
204
205
	}

	// Prepare output message format
206
	mappedCommitments := map[irma.PublicKeyIdentifier]*gabi.ProofPCommitment{}
207
	for i, keyID := range keys {
208
		if err != nil {
209
			s.conf.Logger.WithFields(logrus.Fields{"keyid": keyID, "error": err}).Error("Could not convert key identifier to string")
210
			return nil, err
211
		}
212
		mappedCommitments[keyID] = commitments[i]
213
214
215
	}

	// Store needed data for later requests.
216
	username := user.Username
217
218
219
220
	s.sessionLock.Lock()
	if _, ok := s.sessions[username]; !ok {
		s.sessions[username] = &SessionData{}
	}
221
222
223
224
	// Of all keys involved in the current session, store the ID of the first one to be used when
	// the user comes back later to retrieve her response. gabi.ProofP.P will depend on this public
	// key, which is used only during issuance. Thus, this assumes that during issuance, the user
	// puts the key ID of the credential(s) being issued at index 0.
225
	s.sessions[username].LastKeyID = keys[0]
226
	s.sessions[username].LastCommitID = commitID
227
	s.sessions[username].expiry = time.Now().Add(10 * time.Second)
228
229
230
	s.sessionLock.Unlock()

	// And send response
231
	return &irma.ProofPCommitmentMap{Commitments: mappedCommitments}, nil
232
233
}

234
// /prove/getResponse
235
func (s *Server) handleResponse(w http.ResponseWriter, r *http.Request) {
236
	// Fetch from context
237
238
	user := r.Context().Value("user").(*KeyshareUser)
	username := user.Username
239
240
	authorization := r.Context().Value("authorization").(string)

241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
	// Read challenge
	body, err := ioutil.ReadAll(r.Body)
	if err != nil {
		s.conf.Logger.WithField("error", err).Info("Malformed request: could not read request body")
		server.WriteError(w, server.ErrorInvalidRequest, err.Error())
		return
	}
	challenge := new(big.Int)
	err = json.Unmarshal(body, challenge)
	if err != nil {
		s.conf.Logger.Info("Malformed request: could not parse challenge")
		server.WriteError(w, server.ErrorInvalidRequest, err.Error())
		return
	}

256
257
258
259
260
	// verify access (avoids leaking whether there is a session ongoing to unauthorized callers)
	if !r.Context().Value("hasValidAuthorization").(bool) {
		s.conf.Logger.Warn("Could not generate keyshare response due to invalid authorization")
		server.WriteError(w, server.ErrorInvalidRequest, "Invalid authorization")
		return
261
	}
262

263
264
265
266
267
268
269
	// Get data from session
	s.sessionLock.Lock()
	sessionData, ok := s.sessions[username]
	s.sessionLock.Unlock()
	if !ok {
		s.conf.Logger.Warn("Request for response without previous call to get commitments")
		server.WriteError(w, server.ErrorInvalidRequest, "Missing previous call to getCommitments")
270
271
272
		return
	}

273
274
275
	// And do the actual responding
	proofResponse, err := s.doGenerateResponses(user, authorization, challenge, sessionData.LastCommitID, sessionData.LastKeyID)
	if err == keysharecore.ErrInvalidChallenge || err == keysharecore.ErrInvalidJWT {
276
277
278
		server.WriteError(w, server.ErrorInvalidRequest, err.Error())
		return
	}
279
280
281
282
283
284
285
286
	if err != nil {
		// already logged
		server.WriteError(w, server.ErrorInternal, err.Error())
		return
	}

	server.WriteString(w, proofResponse)
}
287

288
func (s *Server) doGenerateResponses(user *KeyshareUser, authorization string, challenge *big.Int, commitID uint64, keyID irma.PublicKeyIdentifier) (string, error) {
David Venhoek's avatar
David Venhoek committed
289
	// Indicate activity on user account
290
	err := s.db.SetSeen(user)
David Venhoek's avatar
David Venhoek committed
291
292
293
294
295
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not mark user as seen recently")
		// Do not send to user
	}

296
297
298
299
	// Make log entry
	err = s.db.AddLog(user, IrmaSession, nil)
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not add log entry for user")
300
		return "", err
301
302
	}

303
	proofResponse, err := s.core.GenerateResponse(user.Coredata, authorization, commitID, challenge, keyID)
304
305
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not generate response for request")
306
		return "", err
307
308
	}

309
	return proofResponse, nil
310
311
}

312
// /users/isAuthorized
313
func (s *Server) handleValidate(w http.ResponseWriter, r *http.Request) {
314
	if r.Context().Value("hasValidAuthorization").(bool) {
315
		server.WriteJson(w, &irma.KeyshareAuthorization{Status: "authorized", Candidates: []string{"pin"}})
316
	} else {
317
		server.WriteJson(w, &irma.KeyshareAuthorization{Status: "expired", Candidates: []string{"pin"}})
318
319
320
	}
}

321
// /users/verify/pin
322
323
324
325
326
327
328
329
func (s *Server) handleVerifyPin(w http.ResponseWriter, r *http.Request) {
	// Extract request
	body, err := ioutil.ReadAll(r.Body)
	if err != nil {
		s.conf.Logger.WithField("error", err).Info("Malformed request: could not read request body")
		server.WriteError(w, server.ErrorInvalidRequest, err.Error())
		return
	}
330
	var msg irma.KeysharePinMessage
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
	err = json.Unmarshal(body, &msg)
	if err != nil {
		s.conf.Logger.WithFields(logrus.Fields{"error": err}).Info("Malformed request: could not parse request body")
		server.WriteError(w, server.ErrorInvalidRequest, err.Error())
		return
	}

	// Fetch user
	user, err := s.db.User(msg.Username)
	if err != nil {
		s.conf.Logger.WithFields(logrus.Fields{"username": msg.Username, "error": err}).Warn("Could not find user in db")
		server.WriteError(w, server.ErrorUserNotRegistered, "")
		return
	}

346
347
	// and verify pin
	result, err := s.doVerifyPin(user, msg.Username, msg.Pin)
348
	if err != nil {
349
		// already logged
350
351
352
		server.WriteError(w, server.ErrorInternal, err.Error())
		return
	}
353
354
355
356

	server.WriteJson(w, result)
}

357
func (s *Server) doVerifyPin(user *KeyshareUser, username, pin string) (irma.KeysharePinStatus, error) {
358
359
360
361
	// Check whether timing allows this pin to be checked
	ok, tries, wait, err := s.db.ReservePincheck(user)
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not reserve pin check slot")
362
		return irma.KeysharePinStatus{}, nil
363
	}
364
	if !ok {
365
366
367
		err = s.db.AddLog(user, PinCheckRefused, nil)
		if err != nil {
			s.conf.Logger.WithField("error", err).Error("Could not add log entry for user")
368
			return irma.KeysharePinStatus{}, err
369
		}
370
		return irma.KeysharePinStatus{Status: "error", Message: fmt.Sprintf("%v", wait)}, nil
371
372
	}
	// At this point, we are allowed to do an actual check (we have successfully reserved a spot for it), so do it.
373
	jwtt, err := s.core.ValidatePin(user.Coredata, pin, username)
374
375
376
	if err != nil && err != keysharecore.ErrInvalidPin {
		// Errors other than invalid pin are real errors
		s.conf.Logger.WithField("error", err).Error("Could not validate pin")
377
		return irma.KeysharePinStatus{}, err
378
	}
379

380
	if err == keysharecore.ErrInvalidPin {
381
		// Handle invalid pin
382
383
384
		err = s.db.AddLog(user, PinCheckFailed, tries)
		if err != nil {
			s.conf.Logger.WithField("error", err).Error("Could not add log entry for user")
385
			return irma.KeysharePinStatus{}, err
386
		}
387
		if tries == 0 {
388
389
390
			err = s.db.AddLog(user, PinCheckBlocked, wait)
			if err != nil {
				s.conf.Logger.WithField("error", err).Error("Could not add log entry for user")
391
				return irma.KeysharePinStatus{}, err
392
			}
393
			return irma.KeysharePinStatus{Status: "error", Message: fmt.Sprintf("%v", wait)}, nil
394
		} else {
395
			return irma.KeysharePinStatus{Status: "failure", Message: fmt.Sprintf("%v", tries)}, nil
396
		}
397
	}
398

399
400
401
402
403
404
405
406
407
408
409
410
411
412
	// Handle success
	err = s.db.ClearPincheck(user)
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not reset users pin check logic")
		// Do not send to user
	}
	err = s.db.SetSeen(user)
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not indicate user activity")
		// Do not send to user
	}
	err = s.db.AddLog(user, PinCheckSuccess, nil)
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not add log entry for user")
413
		return irma.KeysharePinStatus{}, err
414
	}
415

416
	return irma.KeysharePinStatus{Status: "success", Message: jwtt}, err
417
418
}

419
// /users/change/pin
420
421
422
423
424
425
426
427
func (s *Server) handleChangePin(w http.ResponseWriter, r *http.Request) {
	// Extract request
	body, err := ioutil.ReadAll(r.Body)
	if err != nil {
		s.conf.Logger.WithField("error", err).Info("Malformed request: could not read request body")
		server.WriteError(w, server.ErrorInvalidRequest, "could not read request body")
		return
	}
428
	var msg irma.KeyshareChangePin
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
	err = json.Unmarshal(body, &msg)
	if err != nil {
		s.conf.Logger.WithField("error", err).Info("Malformed request: could not parse request body")
		server.WriteError(w, server.ErrorInvalidRequest, "Invalid request")
		return
	}

	// Fetch user
	user, err := s.db.User(msg.Username)
	if err != nil {
		s.conf.Logger.WithFields(logrus.Fields{"username": msg.Username, "error": err}).Warn("Could not find user in db")
		server.WriteError(w, server.ErrorUserNotRegistered, "")
		return
	}

444
	result, err := s.doUpdatePin(user, msg.OldPin, msg.NewPin)
445
	if err != nil {
446
		// already logged
447
		server.WriteError(w, server.ErrorInternal, err.Error())
448
449
		return
	}
450
451
452
	server.WriteJson(w, result)
}

453
func (s *Server) doUpdatePin(user *KeyshareUser, oldPin, newPin string) (irma.KeysharePinStatus, error) {
454
455
456
457
	// Check whether pin check is currently allowed
	ok, tries, wait, err := s.db.ReservePincheck(user)
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not reserve pin check slot")
458
		return irma.KeysharePinStatus{}, err
459
	}
460
	if !ok {
461
		return irma.KeysharePinStatus{Status: "error", Message: fmt.Sprintf("%v", wait)}, nil
462
	}
463
464

	// Try to do the update
465
	user.Coredata, err = s.core.ChangePin(user.Coredata, oldPin, newPin)
466
	if err == keysharecore.ErrInvalidPin {
467
		if tries == 0 {
468
			return irma.KeysharePinStatus{Status: "error", Message: fmt.Sprintf("%v", wait)}, nil
469
		} else {
470
			return irma.KeysharePinStatus{Status: "failure", Message: fmt.Sprintf("%v", tries)}, nil
471
472
473
		}
	} else if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not change pin")
474
		return irma.KeysharePinStatus{}, nil
475
	}
476
477

	// Mark pincheck as success, resetting users wait and count
478
479
480
481
482
	err = s.db.ClearPincheck(user)
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not reset users pin check logic")
		// Do not send to user
	}
483
484
485
486
487

	// Write user back
	err = s.db.UpdateUser(user)
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not write updated user to database")
488
		return irma.KeysharePinStatus{}, err
489
490
	}

491
	return irma.KeysharePinStatus{Status: "success"}, nil
492
493
}

494
// /client/register
495
496
497
498
499
500
501
502
func (s *Server) handleRegister(w http.ResponseWriter, r *http.Request) {
	// Extract request
	body, err := ioutil.ReadAll(r.Body)
	if err != nil {
		s.conf.Logger.WithField("error", err).Info("Malformed request: could not read request body")
		server.WriteError(w, server.ErrorInvalidRequest, "could not read request body")
		return
	}
503
	var msg irma.KeyshareEnrollment
504
505
506
507
508
509
510
	err = json.Unmarshal(body, &msg)
	if err != nil {
		s.conf.Logger.WithField("error", err).Info("Malformed request: could not parse request body")
		server.WriteError(w, server.ErrorInvalidRequest, "Invalid request")
		return
	}

511
512
513
514
515
516
517
518
519
520
521
522
523
524
	sessionptr, err := s.doRegistration(msg)
	if err == keysharecore.ErrPinTooLong {
		// Too long pin is not an internal error
		server.WriteError(w, server.ErrorInvalidRequest, err.Error())
		return
	}
	if err != nil {
		// Already logged
		server.WriteError(w, server.ErrorInternal, err.Error())
		return
	}
	server.WriteJson(w, sessionptr)
}

525
func (s *Server) doRegistration(msg irma.KeyshareEnrollment) (*irma.Qr, error) {
526
527
528
529
530
	// Generate keyshare server account
	username := generateUsername()
	coredata, err := s.core.GenerateKeyshareSecret(msg.Pin)
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not register user")
531
		return nil, err
532
	}
533
534
	user := &KeyshareUser{Username: username, Language: msg.Language, Coredata: coredata}
	err = s.db.NewUser(user)
535
536
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not store new user in database")
537
		return nil, err
538
539
	}

540
	// Send email if user specified email address
541
	if msg.Email != nil && *msg.Email != "" && s.conf.EmailServer != "" {
542
		err = s.sendRegistrationEmail(user, msg.Language, *msg.Email)
543
		if err != nil {
544
545
			// already logged in sendRegistrationEmail
			return nil, err
546
		}
547
548
	}

549
550
551
552
553
554
555
556
557
558
559
	// Setup and return issuance session for keyshare credential.
	request := irma.NewIssuanceRequest([]*irma.CredentialRequest{
		{
			CredentialTypeID: irma.NewCredentialTypeIdentifier(s.conf.KeyshareCredential),
			Attributes: map[string]string{
				s.conf.KeyshareAttribute: username,
			},
		}})
	sessionptr, _, err := s.sessionserver.StartSession(request, nil)
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not start keyshare credential issuance sessions")
560
		return nil, err
561
	}
562
563
564
	return sessionptr, nil
}

565
func (s *Server) sendRegistrationEmail(user *KeyshareUser, language, email string) error {
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
	// Fetch template and configuration data for users language, falling back if needed
	template, ok := s.conf.RegistrationEmailTemplates[language]
	if !ok {
		template = s.conf.RegistrationEmailTemplates[s.conf.DefaultLanguage]
	}
	verificationBaseURL, ok := s.conf.VerificationURL[language]
	if !ok {
		verificationBaseURL = s.conf.VerificationURL[s.conf.DefaultLanguage]
	}
	subject, ok := s.conf.RegistrationEmailSubject[language]
	if !ok {
		subject = s.conf.RegistrationEmailSubject[s.conf.DefaultLanguage]
	}

	// Generate token
	token := common.NewSessionToken()

	// Add it to the database
	err := s.db.AddEmailVerification(user, email, token)
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not generate email verifiation mail record")
		return err
	}

	// Build message
	var msg bytes.Buffer
	err = template.Execute(&msg, map[string]string{"VerificationURL": verificationBaseURL + token})
	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not generate email verifiation mail")
		return err
	}

	// And send it
	err = server.SendHTMLMail(
		s.conf.EmailServer,
		s.conf.EmailAuth,
		s.conf.EmailFrom,
		email,
		subject,
		msg.Bytes())

	if err != nil {
		s.conf.Logger.WithField("error", err).Error("Could not send email verifiation mail")
		return err
	}

	return nil
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
}

// Generate a base62 "username".
//  this is a direct port of what the old java server uses.
func generateUsername() string {
	bts := make([]byte, 8)
	_, err := rand.Read(bts)
	if err != nil {
		panic(err)
	}
	raw := make([]byte, 12)
	base64.StdEncoding.Encode(raw, bts)
	return strings.ReplaceAll(
		strings.ReplaceAll(
			strings.ReplaceAll(
				string(raw),
				"+",
				""),
			"/",
			""),
		"=",
		"")
}
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663

func (s *Server) userMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Extract username from request
		username := r.Header.Get("X-IRMA-Keyshare-Username")

		// and fetch its information
		user, err := s.db.User(username)
		if err != nil {
			s.conf.Logger.WithFields(logrus.Fields{"username": username, "error": err}).Warn("Could not find user in db")
			server.WriteError(w, server.ErrorUserNotRegistered, err.Error())
			return
		}

		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), "user", user)))
	})
}

func (s *Server) authorizationMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Extract authorization from request
		authorization := r.Header.Get("Authorization")
		if strings.HasPrefix(authorization, "Bearer ") {
			authorization = authorization[7:]
		}

		// verify access
		ctx := r.Context()
664
		err := s.core.ValidateJWT(ctx.Value("user").(*KeyshareUser).Coredata, authorization)
665
666
667
668
669
670
671
672
673
674
		hasValidAuthorization := (err == nil)

		// Construct new context with both authorization and its validity
		nextContext := context.WithValue(
			context.WithValue(ctx, "authorization", authorization),
			"hasValidAuthorization", hasValidAuthorization)

		next.ServeHTTP(w, r.WithContext(nextContext))
	})
}