Merge pull request 'Add custom claims' (#5) from feature/4-custom-claims into master

Reviewed-on: #5

api/http.go

@@ -1,4 +1,4 @@
-package gpaste
+package api
 
 import (
 	"encoding/json"
@@ -6,6 +6,9 @@ import (
 	"net/http"
 	"strings"
 
+	"git.t-juice.club/torjus/gpaste"
+	"git.t-juice.club/torjus/gpaste/files"
+	"git.t-juice.club/torjus/gpaste/users"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/google/uuid"
@@ -13,28 +16,28 @@ import (
 )
 
 type HTTPServer struct {
-	Files        FileStore
-	Users        UserStore
-	Auth         *AuthService
-	config       *ServerConfig
+	Files        files.FileStore
+	Users        users.UserStore
+	Auth         *gpaste.AuthService
+	config       *gpaste.ServerConfig
 	Logger       *zap.SugaredLogger
 	AccessLogger *zap.SugaredLogger
 	http.Server
 }
 
-func NewHTTPServer(cfg *ServerConfig) *HTTPServer {
+func NewHTTPServer(cfg *gpaste.ServerConfig) *HTTPServer {
 	srv := &HTTPServer{
 		config:       cfg,
 		Logger:       zap.NewNop().Sugar(),
 		AccessLogger: zap.NewNop().Sugar(),
 	}
-	srv.Files = NewMemoryFileStore()
-	srv.Users = NewMemoryUserStore()
-	srv.Auth = NewAuthService(srv.Users, []byte(srv.config.SigningSecret))
+	srv.Files = files.NewMemoryFileStore()
+	srv.Users = users.NewMemoryUserStore()
+	srv.Auth = gpaste.NewAuthService(srv.Users, []byte(srv.config.SigningSecret))
 
 	// Create initial user
 	// TODO: Do properly
-	user := &User{Username: "admin"}
+	user := &users.User{Username: "admin"}
 	user.SetPassword("admin")
 	srv.Users.Store(user)
 
@@ -42,10 +45,12 @@ func NewHTTPServer(cfg *ServerConfig) *HTTPServer {
 	r.Use(middleware.RealIP)
 	r.Use(middleware.RequestID)
 	r.Use(srv.MiddlewareAccessLogger)
+	r.Use(srv.MiddlewareAuthentication)
 	r.Get("/", srv.HandlerIndex)
 	r.Post("/api/file", srv.HandlerAPIFilePost)
 	r.Get("/api/file/{id}", srv.HandlerAPIFileGet)
 	r.Post("/api/login", srv.HandlerAPILogin)
+	r.Post("/api/user", srv.HandlerAPIUserCreate)
 	srv.Handler = r
 
 	return srv
@@ -56,7 +61,7 @@ func (s *HTTPServer) HandlerIndex(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *HTTPServer) HandlerAPIFilePost(w http.ResponseWriter, r *http.Request) {
-	f := &File{
+	f := &files.File{
 		ID:   uuid.Must(uuid.NewRandom()).String(),
 		Body: r.Body,
 	}
@@ -131,7 +136,7 @@ func (s *HTTPServer) processMultiPartFormUpload(w http.ResponseWriter, r *http.R
 			s.Logger.Warnw("Error reading file from multipart form.", "req_id", reqID, "error", err)
 			return
 		}
-		f := &File{
+		f := &files.File{
 			ID:               uuid.Must(uuid.NewRandom()).String(),
 			OriginalFilename: fh.Filename,
 			Body:             ff,
@@ -187,3 +192,42 @@ func (s *HTTPServer) HandlerAPILogin(w http.ResponseWriter, r *http.Request) {
 		s.Logger.Infow("Error encoding json response to client.", "req_id", reqID, "error", err, "remote_addr", r.RemoteAddr)
 	}
 }
+
+type RequestAPIUserCreate struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+func (s *HTTPServer) HandlerAPIUserCreate(w http.ResponseWriter, r *http.Request) {
+	reqID := middleware.GetReqID(r.Context())
+	defer r.Body.Close()
+
+	level, err := AuthLevelFromRequest(r)
+	if err != nil || level < gpaste.AuthLevelAdmin {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
+	var req RequestAPIUserCreate
+	decoder := json.NewDecoder(r.Body)
+	if err := decoder.Decode(&req); err != nil {
+		s.Logger.Debugw("Error parsing request.", "req_id", reqID, "error", err, "remote_addr", r.RemoteAddr)
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	// TODO: Ensure user does not already exist
+	user := &users.User{Username: req.Username}
+	if err := user.SetPassword(req.Password); err != nil {
+		s.Logger.Warnw("Error setting user password.", "req_id", reqID, "error", err, "remote_addr", r.RemoteAddr)
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	if err := s.Users.Store(user); err != nil {
+		s.Logger.Warnw("Error setting user password.", "req_id", reqID, "error", err, "remote_addr", r.RemoteAddr)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	s.Logger.Infow("Created user.", "req_id", reqID, "remote_addr", r.RemoteAddr, "username", req.Username)
+}

api/http_test.go

@@ -1,4 +1,4 @@
-package gpaste_test
+package api_test
 
 import (
 	"bytes"
@@ -11,6 +11,8 @@ import (
 	"testing"
 
 	"git.t-juice.club/torjus/gpaste"
+	"git.t-juice.club/torjus/gpaste/api"
+	"git.t-juice.club/torjus/gpaste/users"
 )
 
 func TestHandlers(t *testing.T) {
@@ -21,7 +23,7 @@ func TestHandlers(t *testing.T) {
 		},
 		URL: "http://localhost:8080",
 	}
-	hs := gpaste.NewHTTPServer(cfg)
+	hs := api.NewHTTPServer(cfg)
 
 	t.Run("HandlerIndex", func(t *testing.T) {
 		rr := httptest.NewRecorder()
@@ -101,7 +103,7 @@ func TestHandlers(t *testing.T) {
 		// TODO: Add test
 		username := "admin"
 		password := "admin"
-		user := &gpaste.User{Username: username}
+		user := &users.User{Username: username}
 		if err := user.SetPassword(password); err != nil {
 			t.Fatalf("Error setting user password: %s", err)
 		}
@@ -137,7 +139,7 @@ func TestHandlers(t *testing.T) {
 			t.Fatalf("Error decoding response: %s", err)
 		}
 
-		if err := hs.Auth.ValidateToken(responseData.Token); err != nil {
+		if _, err := hs.Auth.ValidateToken(responseData.Token); err != nil {
 			t.Fatalf("Unable to validate received token: %s", err)
 		}
 	})

api/middleware.go

@@ -0,0 +1,115 @@
+package api
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"git.t-juice.club/torjus/gpaste"
+	"github.com/go-chi/chi/v5/middleware"
+)
+
+type authCtxKey int
+
+const (
+	authCtxUsername authCtxKey = iota
+	authCtxAuthLevel
+	authCtxClaims
+)
+
+func (s *HTTPServer) MiddlewareAccessLogger(next http.Handler) http.Handler {
+	fn := func(w http.ResponseWriter, r *http.Request) {
+		ww := middleware.NewWrapResponseWriter(w, r.ProtoMajor)
+		t1 := time.Now()
+
+		reqID := middleware.GetReqID(r.Context())
+
+		defer func() {
+			s.AccessLogger.Infow(r.Method,
+				"path", r.URL.Path,
+				"status", ww.Status(),
+				"written", ww.BytesWritten(),
+				"remote_addr", r.RemoteAddr,
+				"processing_time_ms", time.Since(t1).Milliseconds(),
+				"req_id", reqID)
+		}()
+
+		next.ServeHTTP(ww, r)
+	}
+	return http.HandlerFunc(fn)
+}
+
+func (s *HTTPServer) MiddlewareAuthentication(next http.Handler) http.Handler {
+	fn := func(w http.ResponseWriter, r *http.Request) {
+		reqID := middleware.GetReqID(r.Context())
+		header := r.Header.Get("Authorization")
+		if header == "" {
+			s.Logger.Debugw("Request has no auth header.", "req_id", reqID)
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		splitHeader := strings.Split(header, "Bearer ")
+		if len(splitHeader) != 2 {
+			s.Logger.Debugw("Request has invalid token.", "req_id", reqID)
+			next.ServeHTTP(w, r)
+			return
+		}
+		token := splitHeader[1]
+
+		claims, err := s.Auth.ValidateToken(token)
+		if err != nil {
+			s.Logger.Debugw("Request has invalid token.", "req_id", reqID)
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		ctx := context.WithValue(r.Context(), authCtxUsername, claims.Subject)
+		ctx = context.WithValue(ctx, authCtxAuthLevel, claims.Role)
+		ctx = context.WithValue(ctx, authCtxClaims, claims)
+		withCtx := r.WithContext(ctx)
+		s.Logger.Debugw("Request is authenticated.", "req_id", reqID, "username", claims.Subject)
+
+		next.ServeHTTP(w, withCtx)
+	}
+
+	return http.HandlerFunc(fn)
+}
+
+func UsernameFromRequest(r *http.Request) (string, error) {
+	rawUsername := r.Context().Value(authCtxUsername)
+	if rawUsername == nil {
+		return "", fmt.Errorf("no username")
+	}
+	username, ok := rawUsername.(string)
+	if !ok {
+		return "", fmt.Errorf("no username")
+	}
+	return username, nil
+}
+
+func AuthLevelFromRequest(r *http.Request) (gpaste.AuthLevel, error) {
+	rawLevel := r.Context().Value(authCtxAuthLevel)
+	if rawLevel == nil {
+		return gpaste.AuthLevelUnset, fmt.Errorf("no username")
+	}
+	level, ok := rawLevel.(gpaste.AuthLevel)
+	if !ok {
+		return gpaste.AuthLevelUnset, fmt.Errorf("no username")
+	}
+	return level, nil
+}
+
+func ClaimsFromRequest(r *http.Request) *gpaste.Claims {
+	rawClaims := r.Context().Value(authCtxAuthLevel)
+	if rawClaims == nil {
+		return nil
+	}
+	claims, ok := rawClaims.(*gpaste.Claims)
+	if !ok {
+		return nil
+	}
+	return claims
+}

auth.go

@@ -4,16 +4,31 @@ import (
 	"fmt"
 	"time"
 
+	"git.t-juice.club/torjus/gpaste/users"
 	"github.com/golang-jwt/jwt"
 	"github.com/google/uuid"
 )
 
+type AuthLevel int
+
+const (
+	AuthLevelUnset AuthLevel = iota
+	AuthLevelUser
+	AuthLevelAdmin
+)
+
 type AuthService struct {
-	users      UserStore
+	users      users.UserStore
 	hmacSecret []byte
 }
 
-func NewAuthService(store UserStore, signingSecret []byte) *AuthService {
+type Claims struct {
+	Role users.Role `json:"role,omitempty"`
+
+	jwt.StandardClaims
+}
+
+func NewAuthService(store users.UserStore, signingSecret []byte) *AuthService {
 	return &AuthService{users: store, hmacSecret: signingSecret}
 }
 
@@ -28,13 +43,13 @@ func (as *AuthService) Login(username, password string) (string, error) {
 	}
 
 	// TODO: Set iss and aud
-	claims := jwt.StandardClaims{
-		Subject:   user.Username,
-		ExpiresAt: time.Now().Add(7 * 24 * time.Hour).Unix(),
-		NotBefore: time.Now().Unix(),
-		IssuedAt:  time.Now().Unix(),
-		Id:        uuid.NewString(),
-	}
+	claims := new(Claims)
+	claims.Subject = user.Username
+	claims.ExpiresAt = time.Now().Add(7 * 24 * time.Hour).Unix()
+	claims.NotBefore = time.Now().Unix()
+	claims.IssuedAt = time.Now().Unix()
+	claims.Id = uuid.NewString()
+	claims.Role = user.Role
 
 	token := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), claims)
 	signed, err := token.SignedString(as.hmacSecret)
@@ -45,17 +60,17 @@ func (as *AuthService) Login(username, password string) (string, error) {
 	return signed, nil
 }
 
-func (as *AuthService) ValidateToken(rawToken string) error {
-	claims := &jwt.StandardClaims{}
+func (as *AuthService) ValidateToken(rawToken string) (*Claims, error) {
+	claims := &Claims{}
 	token, err := jwt.ParseWithClaims(rawToken, claims, func(t *jwt.Token) (interface{}, error) {
 		return as.hmacSecret, nil
 	})
 	if err != nil {
-		return err
+		return nil, err
 	}
 	if !token.Valid {
-		return fmt.Errorf("invalid token")
+		return nil, fmt.Errorf("invalid token")
 	}
 
-	return nil
+	return claims, nil
 }

auth_test.go

@@ -1,21 +1,24 @@
 package gpaste_test
 
 import (
+	"math/rand"
 	"testing"
 
 	"git.t-juice.club/torjus/gpaste"
+	"git.t-juice.club/torjus/gpaste/users"
+	"github.com/google/go-cmp/cmp"
 )
 
 func TestAuth(t *testing.T) {
 	t.Run("Token", func(t *testing.T) {
-		us := gpaste.NewMemoryUserStore()
+		us := users.NewMemoryUserStore()
 		secret := []byte(randomString(16))
 		as := gpaste.NewAuthService(us, secret)
 
 		username := randomString(8)
 		password := randomString(16)
 
-		user := &gpaste.User{Username: username}
+		user := &users.User{Username: username, Role: users.RoleAdmin}
 		if err := user.SetPassword(password); err != nil {
 			t.Fatalf("error setting user password: %s", err)
 		}
@@ -28,12 +31,26 @@ func TestAuth(t *testing.T) {
 			t.Fatalf("Error creating token: %s", err)
 		}
 
-		if err := as.ValidateToken(token); err != nil {
+		claims, err := as.ValidateToken(token)
+		if err != nil {
 			t.Fatalf("Error validating token: %s", err)
 		}
+		if claims.Role != user.Role {
+			t.Fatalf("Token role is not correct: %s", cmp.Diff(claims.Role, user.Role))
+		}
 		invalidToken := `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDMyMjk3NjMsImp0aSI6ImUzNDk5NWI1LThiZmMtNDQyNy1iZDgxLWFmNmQ3OTRiYzM0YiIsImlhdCI6MTY0MjYyNDk2MywibmJmIjoxNjQyNjI0OTYzLCJzdWIiOiJYdE5Hemt5ZSJ9.VM6dkwSLaBv8cStkWRVVv9ADjdUrHGHrlB7GB7Ly7n8`
-		if err := as.ValidateToken(invalidToken); err == nil {
+		if _, err := as.ValidateToken(invalidToken); err == nil {
 			t.Fatalf("Invalid token passed validation")
 		}
 	})
 }
+
+func randomString(length int) string {
+	const charset = "abcdefghijklmnopqrstabcdefghijklmnopqrstuvwxyz" +
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	b := make([]byte, length)
+	for i := range b {
+		b[i] = charset[rand.Intn(len(charset))]
+	}
+	return string(b)
+}

cmd/client/actions/actions.go

@@ -0,0 +1,188 @@
+package actions
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"mime/multipart"
+	"net/http"
+	"os"
+	"strings"
+	"syscall"
+	"time"
+
+	"git.t-juice.club/torjus/gpaste/api"
+	"github.com/google/uuid"
+	"github.com/urfave/cli/v2"
+	"golang.org/x/term"
+)
+
+func ActionUpload(c *cli.Context) error {
+	url := fmt.Sprintf("%s/api/file", c.String("url"))
+	client := &http.Client{}
+	// TODO: Change timeout
+	ctx, cancel := context.WithTimeout(c.Context, 10*time.Minute)
+	defer cancel()
+
+	buf := &bytes.Buffer{}
+	mw := multipart.NewWriter(buf)
+
+	for _, arg := range c.Args().Slice() {
+		f, err := os.Open(arg)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+		fw, err := mw.CreateFormFile(uuid.Must(uuid.NewRandom()).String(), arg)
+		if err != nil {
+			return err
+		}
+		if _, err := io.Copy(fw, f); err != nil {
+			return err
+		}
+	}
+	mw.Close()
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, buf)
+	if err != nil {
+		return err
+	}
+	req.Header.Add("Content-Type", mw.FormDataContentType())
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+
+	var expectedResp []struct {
+		Message string `json:"message"`
+		ID      string `json:"id"`
+		URL     string `json:"url"`
+	}
+
+	decoder := json.NewDecoder(resp.Body)
+	if err := decoder.Decode(&expectedResp); err != nil {
+		return fmt.Errorf("error decoding response: %w", err)
+	}
+
+	for _, r := range expectedResp {
+		fmt.Printf("Uploaded file %s\n", r.ID)
+	}
+	return nil
+}
+
+func ActionLogin(c *cli.Context) error {
+	username := c.Args().First()
+	if username == "" {
+		return cli.Exit("USERNAME not supplied.", 1)
+	}
+	password, err := readPassword()
+	if err != nil {
+		return fmt.Errorf("error reading password: %w", err)
+	}
+
+	url := fmt.Sprintf("%s/api/login", c.String("url"))
+	client := &http.Client{}
+	// TODO: Change timeout
+	ctx, cancel := context.WithTimeout(c.Context, 10*time.Second)
+	defer cancel()
+
+	body := new(bytes.Buffer)
+	requestData := struct {
+		Username string `json:"username"`
+		Password string `json:"password"`
+	}{
+		Username: username,
+		Password: password,
+	}
+	encoder := json.NewEncoder(body)
+	if err := encoder.Encode(&requestData); err != nil {
+		return fmt.Errorf("error encoding response: %w", err)
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, body)
+	if err != nil {
+		return fmt.Errorf("error creating request: %w", err)
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("unable to perform request: %s", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return cli.Exit("got non-ok response from server", 0)
+	}
+
+	responseData := struct {
+		Token string `json:"token"`
+	}{}
+
+	decoder := json.NewDecoder(resp.Body)
+	if err := decoder.Decode(&responseData); err != nil {
+		return fmt.Errorf("unable to parse response: %s", err)
+	}
+
+	fmt.Printf("Token: %s", responseData.Token)
+
+	return nil
+}
+
+func ActionUserCreate(c *cli.Context) error {
+	// TODO: Needs to supply auth token to actually work
+	username := c.Args().First()
+	if username == "" {
+		return cli.Exit("USERNAME not supplied.", 1)
+	}
+	password, err := readPassword()
+	if err != nil {
+		return fmt.Errorf("error reading password: %w", err)
+	}
+
+	url := fmt.Sprintf("%s/api/user", c.String("url"))
+	client := &http.Client{}
+	// TODO: Change timeout
+	ctx, cancel := context.WithTimeout(c.Context, 10*time.Second)
+	defer cancel()
+
+	body := new(bytes.Buffer)
+	requestData := &api.RequestAPIUserCreate{
+		Username: username,
+		Password: password,
+	}
+	encoder := json.NewEncoder(body)
+	if err := encoder.Encode(requestData); err != nil {
+		return fmt.Errorf("error encoding response: %w", err)
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, body)
+	if err != nil {
+		return fmt.Errorf("error creating request: %w", err)
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("unable to perform request: %s", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusAccepted {
+		return cli.Exit("got non-ok response from server", 0)
+	}
+
+	fmt.Printf("Created user %s\n", username)
+
+	return nil
+}
+
+func readPassword() (string, error) {
+	fmt.Print("Enter Password: ")
+	bytePassword, err := term.ReadPassword(int(syscall.Stdin))
+	if err != nil {
+		return "", err
+	}
+
+	password := string(bytePassword)
+	return strings.TrimSpace(password), nil
+}

cmd/client/client.go

@@ -1,21 +1,11 @@
 package main
 
 import (
-	"bytes"
-	"context"
-	"encoding/json"
 	"fmt"
-	"io"
-	"mime/multipart"
-	"net/http"
 	"os"
-	"strings"
-	"syscall"
-	"time"
 
-	"github.com/google/uuid"
+	"git.t-juice.club/torjus/gpaste/cmd/client/actions"
 	"github.com/urfave/cli/v2"
-	"golang.org/x/term"
 )
 
 var (
@@ -45,138 +35,28 @@ func main() {
 				Name:      "upload",
 				Usage:     "Upload file(s)",
 				ArgsUsage: "FILE [FILE]...",
-				Action:    ActionUpload,
+				Action:    actions.ActionUpload,
 			},
 			{
 				Name:      "login",
 				Usage:     "Login to gpaste server",
 				ArgsUsage: "USERNAME",
-				Action:    ActionLogin,
+				Action:    actions.ActionLogin,
+			},
+			{
+				Name:  "admin",
+				Usage: "Admin related commands",
+				Subcommands: []*cli.Command{
+					{
+						Name:      "create-user",
+						Usage:     "Create a new user",
+						ArgsUsage: "USERNAME",
+						Action:    actions.ActionUserCreate,
+					},
+				},
 			},
 		},
 	}
 
 	app.Run(os.Args)
 }
-
-func ActionUpload(c *cli.Context) error {
-	url := fmt.Sprintf("%s/api/file", c.String("url"))
-	client := &http.Client{}
-	// TODO: Change timeout
-	ctx, cancel := context.WithTimeout(c.Context, 10*time.Minute)
-	defer cancel()
-
-	buf := &bytes.Buffer{}
-	mw := multipart.NewWriter(buf)
-
-	for _, arg := range c.Args().Slice() {
-		f, err := os.Open(arg)
-		if err != nil {
-			return err
-		}
-		defer f.Close()
-		fw, err := mw.CreateFormFile(uuid.Must(uuid.NewRandom()).String(), arg)
-		if err != nil {
-			return err
-		}
-		if _, err := io.Copy(fw, f); err != nil {
-			return err
-		}
-	}
-	mw.Close()
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, buf)
-	if err != nil {
-		return err
-	}
-	req.Header.Add("Content-Type", mw.FormDataContentType())
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	var expectedResp []struct {
-		Message string `json:"message"`
-		ID      string `json:"id"`
-		URL     string `json:"url"`
-	}
-
-	decoder := json.NewDecoder(resp.Body)
-	if err := decoder.Decode(&expectedResp); err != nil {
-		return fmt.Errorf("error decoding response: %w", err)
-	}
-
-	for _, r := range expectedResp {
-		fmt.Printf("Uploaded file %s\n", r.ID)
-	}
-	return nil
-}
-
-func ActionLogin(c *cli.Context) error {
-	username := c.Args().First()
-	if username == "" {
-		return cli.Exit("USERNAME not supplied.", 1)
-	}
-	password, err := readPassword()
-	if err != nil {
-		return fmt.Errorf("error reading password: %w", err)
-	}
-
-	url := fmt.Sprintf("%s/api/login", c.String("url"))
-	client := &http.Client{}
-	// TODO: Change timeout
-	ctx, cancel := context.WithTimeout(c.Context, 10*time.Second)
-	defer cancel()
-
-	body := new(bytes.Buffer)
-	requestData := struct {
-		Username string `json:"username"`
-		Password string `json:"password"`
-	}{
-		Username: username,
-		Password: password,
-	}
-	encoder := json.NewEncoder(body)
-	if err := encoder.Encode(&requestData); err != nil {
-		return fmt.Errorf("error encoding response: %w", err)
-	}
-	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, body)
-	if err != nil {
-		return fmt.Errorf("error creating request: %w", err)
-	}
-
-	resp, err := client.Do(req)
-	if err != nil {
-		return fmt.Errorf("unable to perform request: %s", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return cli.Exit("got non-ok response from server", 0)
-	}
-
-	responseData := struct {
-		Token string `json:"token"`
-	}{}
-
-	decoder := json.NewDecoder(resp.Body)
-	if err := decoder.Decode(&responseData); err != nil {
-		return fmt.Errorf("unable to parse response: %s", err)
-	}
-
-	fmt.Printf("Token: %s", responseData.Token)
-
-	return nil
-}
-
-func readPassword() (string, error) {
-	fmt.Print("Enter Password: ")
-	bytePassword, err := term.ReadPassword(int(syscall.Stdin))
-	if err != nil {
-		return "", err
-	}
-
-	password := string(bytePassword)
-	return strings.TrimSpace(password), nil
-}

cmd/server/actions/actions.go

@@ -0,0 +1,105 @@
+package actions
+
+import (
+	"context"
+	"net/http"
+	"os"
+	"os/signal"
+	"strings"
+	"time"
+
+	"git.t-juice.club/torjus/gpaste"
+	"git.t-juice.club/torjus/gpaste/api"
+	"github.com/urfave/cli/v2"
+	"go.uber.org/zap"
+	"go.uber.org/zap/zapcore"
+)
+
+func ActionServe(c *cli.Context) error {
+	configPath := "gpaste-server.toml"
+	if c.IsSet("config") {
+		configPath = c.String("config")
+	}
+
+	f, err := os.Open(configPath)
+	if err != nil {
+		return cli.Exit(err, 1)
+	}
+	defer f.Close()
+	cfg, err := gpaste.ServerConfigFromReader(f)
+	if err != nil {
+		return cli.Exit(err, 1)
+	}
+	// Setup loggers
+	rootLogger := getRootLogger(cfg.LogLevel)
+	serverLogger := rootLogger.Named("SERV")
+	accessLogger := rootLogger.Named("ACCS")
+
+	// Setup contexts for clean shutdown
+	rootCtx, rootCancel := signal.NotifyContext(context.Background(), os.Interrupt)
+	defer rootCancel()
+	httpCtx, httpCancel := context.WithCancel(rootCtx)
+	defer httpCancel()
+	httpShutdownCtx, httpShutdownCancel := context.WithCancel(context.Background())
+	defer httpShutdownCancel()
+
+	go func() {
+		srv := api.NewHTTPServer(cfg)
+		srv.Addr = cfg.ListenAddr
+		srv.Logger = serverLogger
+		srv.AccessLogger = accessLogger
+
+		// Wait for cancel
+		go func() {
+			<-httpCtx.Done()
+			timeoutCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+			defer cancel()
+			srv.Shutdown(timeoutCtx)
+		}()
+		serverLogger.Infow("Starting HTTP server.", "addr", cfg.ListenAddr)
+		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			serverLogger.Errorw("Error during shutdown.", "error", err)
+		}
+		serverLogger.Infow("HTTP server shutdown complete.", "addr", cfg.ListenAddr)
+		httpShutdownCancel()
+	}()
+	<-httpShutdownCtx.Done()
+
+	return nil
+}
+
+func getRootLogger(level string) *zap.SugaredLogger {
+	logEncoderConfig := zap.NewProductionEncoderConfig()
+	logEncoderConfig.EncodeCaller = zapcore.ShortCallerEncoder
+	logEncoderConfig.EncodeLevel = zapcore.CapitalColorLevelEncoder
+	logEncoderConfig.EncodeTime = zapcore.ISO8601TimeEncoder
+	logEncoderConfig.EncodeDuration = zapcore.StringDurationEncoder
+
+	rootLoggerConfig := &zap.Config{
+		Level:            zap.NewAtomicLevelAt(zap.DebugLevel),
+		OutputPaths:      []string{"stdout"},
+		ErrorOutputPaths: []string{"stdout"},
+		Encoding:         "console",
+		EncoderConfig:    logEncoderConfig,
+		DisableCaller:    true,
+	}
+
+	switch strings.ToUpper(level) {
+	case "DEBUG":
+		rootLoggerConfig.DisableCaller = false
+		rootLoggerConfig.Level = zap.NewAtomicLevelAt(zap.DebugLevel)
+	case "INFO":
+		rootLoggerConfig.Level = zap.NewAtomicLevelAt(zap.InfoLevel)
+	case "WARN", "WARNING":
+		rootLoggerConfig.Level = zap.NewAtomicLevelAt(zap.WarnLevel)
+	case "ERR", "ERROR":
+		rootLoggerConfig.Level = zap.NewAtomicLevelAt(zap.ErrorLevel)
+	}
+
+	rootLogger, err := rootLoggerConfig.Build()
+	if err != nil {
+		panic(err)
+	}
+
+	return rootLogger.Sugar()
+}

cmd/server/server.go

@@ -1,18 +1,11 @@
 package main
 
 import (
-	"context"
 	"fmt"
-	"net/http"
 	"os"
-	"os/signal"
-	"strings"
-	"time"
 
-	"git.t-juice.club/torjus/gpaste"
+	"git.t-juice.club/torjus/gpaste/cmd/server/actions"
 	"github.com/urfave/cli/v2"
-	"go.uber.org/zap"
-	"go.uber.org/zap/zapcore"
 )
 
 var (
@@ -33,97 +26,8 @@ func main() {
 				Usage: "Path to config-file.",
 			},
 		},
-		Action: ActionServe,
+		Action: actions.ActionServe,
 	}
 
 	app.Run(os.Args)
 }
-
-func ActionServe(c *cli.Context) error {
-	configPath := "gpaste-server.toml"
-	if c.IsSet("config") {
-		configPath = c.String("config")
-	}
-
-	f, err := os.Open(configPath)
-	if err != nil {
-		return cli.Exit(err, 1)
-	}
-	defer f.Close()
-	cfg, err := gpaste.ServerConfigFromReader(f)
-	if err != nil {
-		return cli.Exit(err, 1)
-	}
-	// Setup loggers
-	rootLogger := getRootLogger(cfg.LogLevel)
-	serverLogger := rootLogger.Named("SERV")
-	accessLogger := rootLogger.Named("ACCS")
-
-	// Setup contexts for clean shutdown
-	rootCtx, rootCancel := signal.NotifyContext(context.Background(), os.Interrupt)
-	defer rootCancel()
-	httpCtx, httpCancel := context.WithCancel(rootCtx)
-	defer httpCancel()
-	httpShutdownCtx, httpShutdownCancel := context.WithCancel(context.Background())
-	defer httpShutdownCancel()
-
-	go func() {
-		srv := gpaste.NewHTTPServer(cfg)
-		srv.Addr = cfg.ListenAddr
-		srv.Logger = serverLogger
-		srv.AccessLogger = accessLogger
-
-		// Wait for cancel
-		go func() {
-			<-httpCtx.Done()
-			timeoutCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-			defer cancel()
-			srv.Shutdown(timeoutCtx)
-		}()
-		serverLogger.Infow("Starting HTTP server.", "addr", cfg.ListenAddr)
-		if err := srv.ListenAndServe(); err != nil && err != http.ErrServerClosed {
-			serverLogger.Errorw("Error during shutdown.", "error", err)
-		}
-		serverLogger.Infow("HTTP server shutdown complete.", "addr", cfg.ListenAddr)
-		httpShutdownCancel()
-	}()
-	<-httpShutdownCtx.Done()
-
-	return nil
-}
-
-func getRootLogger(level string) *zap.SugaredLogger {
-	logEncoderConfig := zap.NewProductionEncoderConfig()
-	logEncoderConfig.EncodeCaller = zapcore.ShortCallerEncoder
-	logEncoderConfig.EncodeLevel = zapcore.CapitalColorLevelEncoder
-	logEncoderConfig.EncodeTime = zapcore.ISO8601TimeEncoder
-	logEncoderConfig.EncodeDuration = zapcore.StringDurationEncoder
-
-	rootLoggerConfig := &zap.Config{
-		Level:            zap.NewAtomicLevelAt(zap.DebugLevel),
-		OutputPaths:      []string{"stdout"},
-		ErrorOutputPaths: []string{"stdout"},
-		Encoding:         "console",
-		EncoderConfig:    logEncoderConfig,
-		DisableCaller:    true,
-	}
-
-	switch strings.ToUpper(level) {
-	case "DEBUG":
-		rootLoggerConfig.DisableCaller = false
-		rootLoggerConfig.Level = zap.NewAtomicLevelAt(zap.DebugLevel)
-	case "INFO":
-		rootLoggerConfig.Level = zap.NewAtomicLevelAt(zap.InfoLevel)
-	case "WARN", "WARNING":
-		rootLoggerConfig.Level = zap.NewAtomicLevelAt(zap.WarnLevel)
-	case "ERR", "ERROR":
-		rootLoggerConfig.Level = zap.NewAtomicLevelAt(zap.ErrorLevel)
-	}
-
-	rootLogger, err := rootLoggerConfig.Build()
-	if err != nil {
-		panic(err)
-	}
-
-	return rootLogger.Sugar()
-}

files/filestore.go

@@ -1,4 +1,4 @@
-package gpaste
+package files
 
 import (
 	"io"

files/filestore_fs.go

@@ -1,4 +1,4 @@
-package gpaste
+package files
 
 import (
 	"encoding/json"

files/filestore_fs_test.go

@@ -1,22 +1,22 @@
-package gpaste_test
+package files_test
 
 import (
 	"testing"
 
-	"git.t-juice.club/torjus/gpaste"
+	"git.t-juice.club/torjus/gpaste/files"
 )
 
 func TestFSFileStore(t *testing.T) {
 	dir := t.TempDir()
-	s, err := gpaste.NewFSFileStore(dir)
+	s, err := files.NewFSFileStore(dir)
 	if err != nil {
 		t.Fatalf("Error creating store: %s", err)
 	}
 
 	RunFilestoreTest(s, t)
 	persistentDir := t.TempDir()
-	newFunc := func() gpaste.FileStore {
-		s, err := gpaste.NewFSFileStore(persistentDir)
+	newFunc := func() files.FileStore {
+		s, err := files.NewFSFileStore(persistentDir)
 		if err != nil {
 			t.Fatalf("Error creating store: %s", err)
 		}

files/filestore_memory.go

@@ -1,4 +1,4 @@
-package gpaste
+package files
 
 import (
 	"bytes"

files/filestore_memory_test.go

@@ -1,13 +1,13 @@
-package gpaste_test
+package files_test
 
 import (
 	"testing"
 
-	"git.t-juice.club/torjus/gpaste"
+	"git.t-juice.club/torjus/gpaste/files"
 )
 
 func TestMemoryFileStore(t *testing.T) {
-	s := gpaste.NewMemoryFileStore()
+	s := files.NewMemoryFileStore()
 
 	RunFilestoreTest(s, t)
 }

files/filestore_test.go

@@ -1,4 +1,4 @@
-package gpaste_test
+package files_test
 
 import (
 	"bytes"
@@ -7,12 +7,12 @@ import (
 	"testing"
 	"time"
 
-	"git.t-juice.club/torjus/gpaste"
+	"git.t-juice.club/torjus/gpaste/files"
 	"github.com/google/go-cmp/cmp"
 	"github.com/google/uuid"
 )
 
-func RunFilestoreTest(s gpaste.FileStore, t *testing.T) {
+func RunFilestoreTest(s files.FileStore, t *testing.T) {
 	t.Run("Basic", func(t *testing.T) {
 		// Create
 		dataString := "TEST_LOL_OMG"
@@ -20,7 +20,7 @@ func RunFilestoreTest(s gpaste.FileStore, t *testing.T) {
 		bodyBuf := &bytes.Buffer{}
 		bodyBuf.Write([]byte(dataString))
 		body := io.NopCloser(bodyBuf)
-		f := &gpaste.File{
+		f := &files.File{
 			ID:       id,
 			MaxViews: 0,
 			Body:     body,
@@ -78,15 +78,15 @@ func RunFilestoreTest(s gpaste.FileStore, t *testing.T) {
 	})
 }
 
-func RunPersistentFilestoreTest(newStoreFunc func() gpaste.FileStore, t *testing.T) {
+func RunPersistentFilestoreTest(newStoreFunc func() files.FileStore, t *testing.T) {
 	s := newStoreFunc()
 
 	files := []struct {
-		File         *gpaste.File
+		File         *files.File
 		ExpectedData string
 	}{
 		{
-			File: &gpaste.File{
+			File: &files.File{
 				ID:               uuid.NewString(),
 				OriginalFilename: "testfile.txt",
 				MaxViews:         5,
@@ -96,7 +96,7 @@ func RunPersistentFilestoreTest(newStoreFunc func() gpaste.FileStore, t *testing
 			ExpectedData: "cocks!",
 		},
 		{
-			File: &gpaste.File{
+			File: &files.File{
 				ID:               uuid.NewString(),
 				OriginalFilename: "testfile2.txt",
 				MaxViews:         5,

gpaste-server.toml

@@ -1,4 +1,4 @@
-LogLevel = "INFO"
+LogLevel = "DEBUG"
 URL = "http://paste.example.org"
 ListenAddr = ":8080"
 

middleware.go

@@ -1,30 +0,0 @@
-package gpaste
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/go-chi/chi/v5/middleware"
-)
-
-func (s *HTTPServer) MiddlewareAccessLogger(next http.Handler) http.Handler {
-	fn := func(w http.ResponseWriter, r *http.Request) {
-		ww := middleware.NewWrapResponseWriter(w, r.ProtoMajor)
-		t1 := time.Now()
-
-		reqID := middleware.GetReqID(r.Context())
-
-		defer func() {
-			s.AccessLogger.Infow(r.Method,
-				"path", r.URL.Path,
-				"status", ww.Status(),
-				"written", ww.BytesWritten(),
-				"remote_addr", r.RemoteAddr,
-				"processing_time_ms", time.Since(t1).Milliseconds(),
-				"req_id", reqID)
-		}()
-
-		next.ServeHTTP(ww, r)
-	}
-	return http.HandlerFunc(fn)
-}

users/user.go

@@ -1,10 +1,19 @@
-package gpaste
+package users
 
 import "golang.org/x/crypto/bcrypt"
 
+type Role string
+
+const (
+	RoleUnset Role = ""
+	RoleUser  Role = "user"
+	RoleAdmin Role = "admin"
+)
+
 type User struct {
 	Username       string `json:"username"`
 	HashedPassword []byte `json:"hashed_password"`
+	Role           Role   `json:"role"`
 }
 
 type UserStore interface {

users/user_test.go

@@ -1,10 +1,10 @@
-package gpaste_test
+package users_test
 
 import (
 	"math/rand"
 	"testing"
 
-	"git.t-juice.club/torjus/gpaste"
+	"git.t-juice.club/torjus/gpaste/users"
 )
 
 func TestUser(t *testing.T) {
@@ -15,7 +15,7 @@ func TestUser(t *testing.T) {
 		}
 
 		for username, password := range userMap {
-			user := &gpaste.User{Username: username}
+			user := &users.User{Username: username}
 			if err := user.SetPassword(password); err != nil {
 				t.Fatalf("Error setting password: %s", err)
 			}

users/userstore_bolt.go

@@ -1,4 +1,4 @@
-package gpaste
+package users
 
 import (
 	"encoding/json"

users/userstore_bolt_test.go

@@ -1,18 +1,18 @@
-package gpaste_test
+package users_test
 
 import (
 	"path/filepath"
 	"testing"
 
-	"git.t-juice.club/torjus/gpaste"
+	"git.t-juice.club/torjus/gpaste/users"
 )
 
 func TestBoltUserStore(t *testing.T) {
 	tmpDir := t.TempDir()
-	newFunc := func() (func(), gpaste.UserStore) {
+	newFunc := func() (func(), users.UserStore) {
 		tmpFile := filepath.Join(tmpDir, randomString(8))
 
-		store, err := gpaste.NewBoltUserStore(tmpFile)
+		store, err := users.NewBoltUserStore(tmpFile)
 		if err != nil {
 			t.Fatalf("Error creating store: %s", err)
 		}

users/userstore_memory.go

@@ -1,4 +1,4 @@
-package gpaste
+package users
 
 import (
 	"fmt"

users/userstore_memory_test.go

@@ -0,0 +1,15 @@
+package users_test
+
+import (
+	"testing"
+
+	"git.t-juice.club/torjus/gpaste/users"
+)
+
+func TestMemoryUserStore(t *testing.T) {
+	newFunc := func() (func(), users.UserStore) {
+		return func() {}, users.NewMemoryUserStore()
+	}
+
+	RunUserStoreTest(newFunc, t)
+}

users/userstore_test.go

@@ -0,0 +1,51 @@
+package users_test
+
+import (
+	"testing"
+
+	"git.t-juice.club/torjus/gpaste/users"
+	"github.com/google/go-cmp/cmp"
+)
+
+func RunUserStoreTest(newFunc func() (func(), users.UserStore), t *testing.T) {
+	t.Run("Basics", func(t *testing.T) {
+		cleanup, s := newFunc()
+		t.Cleanup(cleanup)
+
+		userMap := make(map[string]*users.User)
+		passwordMap := make(map[string]string)
+		for i := 0; i < 10; i++ {
+			username := randomString(8)
+			password := randomString(16)
+			passwordMap[username] = password
+			user := &users.User{
+				Username: username,
+				Role:     users.RoleAdmin,
+			}
+			if err := user.SetPassword(password); err != nil {
+				t.Fatalf("Error setting password: %s", err)
+			}
+			userMap[username] = user
+		}
+
+		for _, user := range userMap {
+			if err := s.Store(user); err != nil {
+				t.Fatalf("Error storing user: %s", err)
+			}
+		}
+
+		for k := range userMap {
+			user, err := s.Get(k)
+			if err != nil {
+				t.Errorf("Error getting user: %s", err)
+			}
+			if err := user.ValidatePassword(passwordMap[user.Username]); err != nil {
+				t.Errorf("Error verifying password: %s", err)
+			}
+
+			if !cmp.Equal(user, userMap[k]) {
+				t.Errorf("User mismatch: %s", cmp.Diff(user, userMap[k]))
+			}
+		}
+	})
+}

userstore_memory_test.go

@@ -1,15 +0,0 @@
-package gpaste_test
-
-import (
-	"testing"
-
-	"git.t-juice.club/torjus/gpaste"
-)
-
-func TestMemoryUserStore(t *testing.T) {
-	newFunc := func() (func(), gpaste.UserStore) {
-		return func() {}, gpaste.NewMemoryUserStore()
-	}
-
-	RunUserStoreTest(newFunc, t)
-}

userstore_test.go

@@ -1,41 +0,0 @@
-package gpaste_test
-
-import (
-	"testing"
-
-	"git.t-juice.club/torjus/gpaste"
-)
-
-func RunUserStoreTest(newFunc func() (func(), gpaste.UserStore), t *testing.T) {
-	t.Run("Basics", func(t *testing.T) {
-		cleanup, s := newFunc()
-		t.Cleanup(cleanup)
-
-		userMap := make(map[string]string)
-		for i := 0; i < 10; i++ {
-			userMap[randomString(8)] = randomString(16)
-		}
-
-		for k, v := range userMap {
-			user := &gpaste.User{
-				Username: k,
-			}
-			if err := user.SetPassword(v); err != nil {
-				t.Fatalf("Error setting password: %s", err)
-			}
-			if err := s.Store(user); err != nil {
-				t.Fatalf("Error storing user: %s", err)
-			}
-		}
-
-		for k, v := range userMap {
-			user, err := s.Get(k)
-			if err != nil {
-				t.Errorf("Error getting user: %s", err)
-			}
-			if err := user.ValidatePassword(v); err != nil {
-				t.Errorf("Error verifying password: %s", err)
-			}
-		}
-	})
-}