2022-01-19 21:45:47 +00:00
16 changed files with 575 additions and 27 deletions
--- a/auth.go
+++ b/auth.go
@ -0,0 +1,61 @@
+package gpaste
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt"
+	"github.com/google/uuid"
+)
+
+type AuthService struct {
+	users      UserStore
+	hmacSecret []byte
+}
+
+func NewAuthService(store UserStore, signingSecret []byte) *AuthService {
+	return &AuthService{users: store, hmacSecret: signingSecret}
+}
+
+func (as *AuthService) Login(username, password string) (string, error) {
+	user, err := as.users.Get(username)
+	if err != nil {
+		return "", err
+	}
+
+	if err := user.ValidatePassword(password); err != nil {
+		return "", err
+	}
+
+	// TODO: Set iss and aud
+	claims := jwt.StandardClaims{
+		Subject:   user.Username,
+		ExpiresAt: time.Now().Add(7 * 24 * time.Hour).Unix(),
+		NotBefore: time.Now().Unix(),
+		IssuedAt:  time.Now().Unix(),
+		Id:        uuid.NewString(),
+	}
+
+	token := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), claims)
+	signed, err := token.SignedString(as.hmacSecret)
+	if err != nil {
+		return "", err
+	}
+
+	return signed, nil
+}
+
+func (as *AuthService) ValidateToken(rawToken string) error {
+	claims := &jwt.StandardClaims{}
+	token, err := jwt.ParseWithClaims(rawToken, claims, func(t *jwt.Token) (interface{}, error) {
+		return as.hmacSecret, nil
+	})
+	if err != nil {
+		return err
+	}
+	if !token.Valid {
+		return fmt.Errorf("invalid token")
+	}
+
+	return nil
+}
--- a/auth_test.go
+++ b/auth_test.go
@ -0,0 +1,39 @@
+package gpaste_test
+
+import (
+	"testing"
+
+	"git.t-juice.club/torjus/gpaste"
+)
+
+func TestAuth(t *testing.T) {
+	t.Run("Token", func(t *testing.T) {
+		us := gpaste.NewMemoryUserStore()
+		secret := []byte(randomString(16))
+		as := gpaste.NewAuthService(us, secret)
+
+		username := randomString(8)
+		password := randomString(16)
+
+		user := &gpaste.User{Username: username}
+		if err := user.SetPassword(password); err != nil {
+			t.Fatalf("error setting user password: %s", err)
+		}
+		if err := us.Store(user); err != nil {
+			t.Fatalf("Error storing user: %s", err)
+		}
+
+		token, err := as.Login(username, password)
+		if err != nil {
+			t.Fatalf("Error creating token: %s", err)
+		}
+
+		if err := as.ValidateToken(token); err != nil {
+			t.Fatalf("Error validating token: %s", err)
+		}
+		invalidToken := `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDMyMjk3NjMsImp0aSI6ImUzNDk5NWI1LThiZmMtNDQyNy1iZDgxLWFmNmQ3OTRiYzM0YiIsImlhdCI6MTY0MjYyNDk2MywibmJmIjoxNjQyNjI0OTYzLCJzdWIiOiJYdE5Hemt5ZSJ9.VM6dkwSLaBv8cStkWRVVv9ADjdUrHGHrlB7GB7Ly7n8`
+		if err := as.ValidateToken(invalidToken); err == nil {
+			t.Fatalf("Invalid token passed validation")
+		}
+	})
+}
--- a/cmd/client/client.go
+++ b/cmd/client/client.go
@ -9,10 +9,13 @@ import (
 	"mime/multipart"
 	"net/http"
 	"os"
+	"strings"
+	"syscall"
 	"time"

 	"github.com/google/uuid"
 	"github.com/urfave/cli/v2"
+	"golang.org/x/term"
 )

 var (
@ -32,20 +35,24 @@ func main() {
 				Name:  "config",
 				Usage: "Path to config-file.",
 			},
+			&cli.StringFlag{
+				Name:  "url",
+				Usage: "Base url of gpaste server",
+			},
 		},
 		Commands: []*cli.Command{
 			{
 				Name:      "upload",
 				Usage:     "Upload file(s)",
 				ArgsUsage: "FILE [FILE]...",
-				Flags: []cli.Flag{
-					&cli.StringFlag{
-						Name:  "url",
-						Usage: "Base url of gpaste server",
-					},
-				},
 				Action:    ActionUpload,
 			},
+			{
+				Name:      "login",
+				Usage:     "Login to gpaste server",
+				ArgsUsage: "USERNAME",
+				Action:    ActionLogin,
+			},
 		},
 	}

@ -105,3 +112,71 @@ func ActionUpload(c *cli.Context) error {
 	}
 	return nil
 }
+
+func ActionLogin(c *cli.Context) error {
+	username := c.Args().First()
+	if username == "" {
+		return cli.Exit("USERNAME not supplied.", 1)
+	}
+	password, err := readPassword()
+	if err != nil {
+		return fmt.Errorf("error reading password: %w", err)
+	}
+
+	url := fmt.Sprintf("%s/api/login", c.String("url"))
+	client := &http.Client{}
+	// TODO: Change timeout
+	ctx, cancel := context.WithTimeout(c.Context, 10*time.Second)
+	defer cancel()
+
+	body := new(bytes.Buffer)
+	requestData := struct {
+		Username string `json:"username"`
+		Password string `json:"password"`
+	}{
+		Username: username,
+		Password: password,
+	}
+	encoder := json.NewEncoder(body)
+	if err := encoder.Encode(&requestData); err != nil {
+		return fmt.Errorf("error encoding response: %w", err)
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, body)
+	if err != nil {
+		return fmt.Errorf("error creating request: %w", err)
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return fmt.Errorf("unable to perform request: %s", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return cli.Exit("got non-ok response from server", 0)
+	}
+
+	responseData := struct {
+		Token string `json:"token"`
+	}{}
+
+	decoder := json.NewDecoder(resp.Body)
+	if err := decoder.Decode(&responseData); err != nil {
+		return fmt.Errorf("unable to parse response: %s", err)
+	}
+
+	fmt.Printf("Token: %s", responseData.Token)
+
+	return nil
+}
+
+func readPassword() (string, error) {
+	fmt.Print("Enter Password: ")
+	bytePassword, err := term.ReadPassword(int(syscall.Stdin))
+	if err != nil {
+		return "", err
+	}
+
+	password := string(bytePassword)
+	return strings.TrimSpace(password), nil
+}
--- a/config.go
+++ b/config.go
@ -13,6 +13,7 @@ type ServerConfig struct {
 	LogLevel      string             `toml:"LogLevel"`
 	URL           string             `toml:"URL"`
 	ListenAddr    string             `toml:"ListenAddr"`
+	SigningSecret string             `toml:"SigningSecret"`
 	Store         *ServerStoreConfig `toml:"Store"`
 }

@ -54,6 +55,10 @@ func (sc *ServerConfig) updateFromEnv() {
 		sc.ListenAddr = value
 	}

+	if value, ok := os.LookupEnv("GPASTE_SIGNINGSECRET"); ok {
+		sc.SigningSecret = value
+	}
+
 	if value, ok := os.LookupEnv("GPASTE_STORE_TYPE"); ok {
 		sc.Store.Type = value
 	}
--- a/config_test.go
+++ b/config_test.go
@ -16,6 +16,7 @@ func TestServerConfig(t *testing.T) {
 LogLevel = "INFO"
 URL = "http://paste.example.org"
 ListenAddr = ":8080"
+SigningSecret = "abc999"

 [Store]
 Type = "fs"
@ -26,6 +27,7 @@ Dir = "/tmp"
 			LogLevel:      "INFO",
 			URL:           "http://paste.example.org",
 			ListenAddr:    ":8080",
+			SigningSecret: "abc999",
 			Store: &gpaste.ServerStoreConfig{
 				Type: "fs",
 				FS: &gpaste.ServerStoreFSStoreConfig{
@ -52,12 +54,14 @@ Dir = "/tmp"
 			"GPASTE_URL":           "http://gpaste.example.org",
 			"GPASTE_STORE_TYPE":    "fs",
 			"GPASTE_LISTENADDR":    ":8000",
+			"GPASTE_SIGNINGSECRET": "test1345",
 			"GPASTE_STORE_FS_DIR":  "/tmp",
 		}
 		expected := &gpaste.ServerConfig{
 			LogLevel:      "DEBUG",
 			URL:           "http://gpaste.example.org",
 			ListenAddr:    ":8000",
+			SigningSecret: "test1345",
 			Store: &gpaste.ServerStoreConfig{
 				Type: "fs",
 				FS: &gpaste.ServerStoreFSStoreConfig{
--- a/go.mod
+++ b/go.mod
@ -7,10 +7,14 @@ require github.com/google/uuid v1.3.0
 require github.com/go-chi/chi/v5 v5.0.7

 require (
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/go-cmp v0.5.6
 	github.com/pelletier/go-toml v1.9.4
 	github.com/urfave/cli/v2 v2.3.0
+	go.etcd.io/bbolt v1.3.6
 	go.uber.org/zap v1.20.0
+	golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
 )

 require (
@ -18,4 +22,5 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
+	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -9,6 +9,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-chi/chi/v5 v5.0.7 h1:rDTPXLDHGATaeHvVlLcR4Qe0zftYethFucbjVQ1PxU8=
 github.com/go-chi/chi/v5 v5.0.7/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
@ -33,6 +35,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/urfave/cli/v2 v2.3.0 h1:qph92Y649prgesehzOrQjdWyxFOp/QVM+6imKHad91M=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
+go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
@ -45,22 +49,33 @@ go.uber.org/zap v1.20.0 h1:N4oPlghZwYG55MlU6LXk/Zp00FVNE9X9wrYO8CEs4lc=
 go.uber.org/zap v1.20.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce h1:Roh6XWxHFKrPgC/EQhVubSAGQ6Ozk6IdxHSzt1mR0EI=
+golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 h1:XfKQ4OlFl8okEOr5UvAqFRVj8pY/4yfcXrddB8qAbU0=
+golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
--- a/http.go
+++ b/http.go
@ -13,7 +13,9 @@ import (
 )

 type HTTPServer struct {
-	store        FileStore
+	Files        FileStore
+	Users        UserStore
+	Auth         *AuthService
 	config       *ServerConfig
 	Logger       *zap.SugaredLogger
 	AccessLogger *zap.SugaredLogger
@ -26,7 +28,15 @@ func NewHTTPServer(cfg *ServerConfig) *HTTPServer {
 		Logger:       zap.NewNop().Sugar(),
 		AccessLogger: zap.NewNop().Sugar(),
 	}
-	srv.store = NewMemoryFileStore()
+	srv.Files = NewMemoryFileStore()
+	srv.Users = NewMemoryUserStore()
+	srv.Auth = NewAuthService(srv.Users, []byte(srv.config.SigningSecret))
+
+	// Create initial user
+	// TODO: Do properly
+	user := &User{Username: "admin"}
+	user.SetPassword("admin")
+	srv.Users.Store(user)

 	r := chi.NewRouter()
 	r.Use(middleware.RealIP)
@ -35,6 +45,7 @@ func NewHTTPServer(cfg *ServerConfig) *HTTPServer {
 	r.Get("/", srv.HandlerIndex)
 	r.Post("/api/file", srv.HandlerAPIFilePost)
 	r.Get("/api/file/{id}", srv.HandlerAPIFileGet)
+	r.Post("/api/login", srv.HandlerAPILogin)
 	srv.Handler = r

 	return srv
@ -57,7 +68,7 @@ func (s *HTTPServer) HandlerAPIFilePost(w http.ResponseWriter, r *http.Request)
 		s.processMultiPartFormUpload(w, r)
 		return
 	}
-	err := s.store.Store(f)
+	err := s.Files.Store(f)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		s.Logger.Warnw("Error storing file.", "req_id", reqID, "error", err, "id", f.ID, "remote_addr", r.RemoteAddr)
@ -87,7 +98,7 @@ func (s *HTTPServer) HandlerAPIFileGet(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	f, err := s.store.Get(id)
+	f, err := s.Files.Get(id)
 	if err != nil {
 		// TODO: LOG
 		w.WriteHeader(http.StatusInternalServerError)
@ -126,7 +137,7 @@ func (s *HTTPServer) processMultiPartFormUpload(w http.ResponseWriter, r *http.R
 			Body:             ff,
 		}

-		if err := s.store.Store(f); err != nil {
+		if err := s.Files.Store(f); err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
 			s.Logger.Warnw("Error storing file.", "req_id", reqID, "error", err, "id", f.ID, "remote_addr", r.RemoteAddr)
 			return
@ -143,3 +154,36 @@ func (s *HTTPServer) processMultiPartFormUpload(w http.ResponseWriter, r *http.R
 		s.Logger.Warnw("Error encoding response to client.", "req_id", reqID, "error", err, "remote_addr", r.RemoteAddr)
 	}
 }
+
+func (s *HTTPServer) HandlerAPILogin(w http.ResponseWriter, r *http.Request) {
+	reqID := middleware.GetReqID(r.Context())
+	expectedRequest := struct {
+		Username string `json:"username"`
+		Password string `json:"password"`
+	}{}
+	decoder := json.NewDecoder(r.Body)
+	defer r.Body.Close()
+	if err := decoder.Decode(&expectedRequest); err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	token, err := s.Auth.Login(expectedRequest.Username, expectedRequest.Password)
+	if err != nil {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
+	response := struct {
+		Token string `json:"token"`
+	}{
+		Token: token,
+	}
+
+	s.Logger.Infow("User logged in.", "req_id", reqID, "username", expectedRequest.Username)
+
+	encoder := json.NewEncoder(w)
+	if err := encoder.Encode(&response); err != nil {
+		s.Logger.Infow("Error encoding json response to client.", "req_id", reqID, "error", err, "remote_addr", r.RemoteAddr)
+	}
+}
--- a/http_test.go
+++ b/http_test.go
@ -15,6 +15,7 @@ import (

 func TestHandlers(t *testing.T) {
 	cfg := &gpaste.ServerConfig{
+		SigningSecret: "abc123",
 		Store: &gpaste.ServerStoreConfig{
 			Type: "memory",
 		},
@ -96,4 +97,48 @@ func TestHandlers(t *testing.T) {
 			}
 		})
 	})
+	t.Run("HandlerAPILogin", func(t *testing.T) {
+		// TODO: Add test
+		username := "admin"
+		password := "admin"
+		user := &gpaste.User{Username: username}
+		if err := user.SetPassword(password); err != nil {
+			t.Fatalf("Error setting user password: %s", err)
+		}
+		if err := hs.Users.Store(user); err != nil {
+			t.Fatalf("Error storing user: %s", err)
+		}
+
+		requestData := struct {
+			Username string `json:"username"`
+			Password string `json:"password"`
+		}{
+			Username: username,
+			Password: password,
+		}
+
+		body := new(bytes.Buffer)
+		encoder := json.NewEncoder(body)
+		if err := encoder.Encode(&requestData); err != nil {
+			t.Fatalf("Error encoding request body: %s", err)
+		}
+
+		rr := httptest.NewRecorder()
+		req := httptest.NewRequest(http.MethodPost, "/api/login", body)
+
+		hs.Handler.ServeHTTP(rr, req)
+
+		responseData := struct {
+			Token string `json:"token"`
+		}{}
+
+		decoder := json.NewDecoder(rr.Body)
+		if err := decoder.Decode(&responseData); err != nil {
+			t.Fatalf("Error decoding response: %s", err)
+		}
+
+		if err := hs.Auth.ValidateToken(responseData.Token); err != nil {
+			t.Fatalf("Unable to validate received token: %s", err)
+		}
+	})
 }
--- a/user.go
+++ b/user.go
@ -0,0 +1,27 @@
+package gpaste
+
+import "golang.org/x/crypto/bcrypt"
+
+type User struct {
+	Username       string `json:"username"`
+	HashedPassword []byte `json:"hashed_password"`
+}
+
+type UserStore interface {
+	Get(username string) (*User, error)
+	Store(user *User) error
+	Delete(username string) error
+}
+
+func (u *User) ValidatePassword(password string) error {
+	return bcrypt.CompareHashAndPassword(u.HashedPassword, []byte(password))
+}
+
+func (u *User) SetPassword(password string) error {
+	hashed, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return err
+	}
+	u.HashedPassword = hashed
+	return nil
+}
--- a/user_test.go
+++ b/user_test.go
@ -0,0 +1,37 @@
+package gpaste_test
+
+import (
+	"math/rand"
+	"testing"
+
+	"git.t-juice.club/torjus/gpaste"
+)
+
+func TestUser(t *testing.T) {
+	t.Run("Password", func(t *testing.T) {
+		userMap := make(map[string]string)
+		for i := 0; i < 10; i++ {
+			userMap[randomString(8)] = randomString(16)
+		}
+
+		for username, password := range userMap {
+			user := &gpaste.User{Username: username}
+			if err := user.SetPassword(password); err != nil {
+				t.Fatalf("Error setting password: %s", err)
+			}
+			if err := user.ValidatePassword(password); err != nil {
+				t.Fatalf("Error validating password: %s", err)
+			}
+		}
+	})
+}
+
+func randomString(length int) string {
+	const charset = "abcdefghijklmnopqrstabcdefghijklmnopqrstuvwxyz" +
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	b := make([]byte, length)
+	for i := range b {
+		b[i] = charset[rand.Intn(len(charset))]
+	}
+	return string(b)
+}
--- a/userstore_bolt.go
+++ b/userstore_bolt.go
@ -0,0 +1,69 @@
+package gpaste
+
+import (
+	"encoding/json"
+
+	"go.etcd.io/bbolt"
+)
+
+var keyUsers = []byte("users")
+
+type BoltUserStore struct {
+	db *bbolt.DB
+}
+
+func NewBoltUserStore(path string) (*BoltUserStore, error) {
+	db, err := bbolt.Open(path, 0666, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := db.Update(func(tx *bbolt.Tx) error {
+		_, err := tx.CreateBucketIfNotExists(keyUsers)
+		return err
+	}); err != nil {
+		return nil, err
+	}
+
+	return &BoltUserStore{db: db}, nil
+}
+
+func (s *BoltUserStore) Close() error {
+	return s.db.Close()
+}
+
+func (s *BoltUserStore) Get(username string) (*User, error) {
+	var user User
+	err := s.db.View(func(tx *bbolt.Tx) error {
+		bkt := tx.Bucket(keyUsers)
+		rawUser := bkt.Get([]byte(username))
+		if err := json.Unmarshal(rawUser, &user); err != nil {
+			return err
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &user, nil
+}
+
+func (s *BoltUserStore) Store(user *User) error {
+	return s.db.Update(func(tx *bbolt.Tx) error {
+		bkt := tx.Bucket(keyUsers)
+
+		data, err := json.Marshal(user)
+		if err != nil {
+			return err
+		}
+
+		return bkt.Put([]byte(user.Username), data)
+	})
+}
+
+func (s *BoltUserStore) Delete(username string) error {
+	return s.db.Update(func(tx *bbolt.Tx) error {
+		bkt := tx.Bucket(keyUsers)
+		return bkt.Delete([]byte(username))
+	})
+}
--- a/userstore_bolt_test.go
+++ b/userstore_bolt_test.go
@ -0,0 +1,27 @@
+package gpaste_test
+
+import (
+	"path/filepath"
+	"testing"
+
+	"git.t-juice.club/torjus/gpaste"
+)
+
+func TestBoltUserStore(t *testing.T) {
+	tmpDir := t.TempDir()
+	newFunc := func() (func(), gpaste.UserStore) {
+		tmpFile := filepath.Join(tmpDir, randomString(8))
+
+		store, err := gpaste.NewBoltUserStore(tmpFile)
+		if err != nil {
+			t.Fatalf("Error creating store: %s", err)
+		}
+		cleanup := func() {
+			store.Close()
+		}
+		return cleanup, store
+	}
+
+	RunUserStoreTest(newFunc, t)
+
+}
--- a/userstore_memory.go
+++ b/userstore_memory.go
@ -0,0 +1,39 @@
+package gpaste
+
+import (
+	"fmt"
+	"sync"
+)
+
+type MemoryUserStore struct {
+	users map[string]*User
+	lock  sync.Mutex
+}
+
+func NewMemoryUserStore() *MemoryUserStore {
+	return &MemoryUserStore{users: make(map[string]*User)}
+}
+func (s *MemoryUserStore) Get(username string) (*User, error) {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+	user, ok := s.users[username]
+	if !ok {
+		return nil, fmt.Errorf("no such user: %s", username)
+	}
+
+	return user, nil
+}
+
+func (s *MemoryUserStore) Store(user *User) error {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+	s.users[user.Username] = user
+	return nil
+}
+
+func (s *MemoryUserStore) Delete(username string) error {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+	delete(s.users, username)
+	return nil
+}
--- a/userstore_memory_test.go
+++ b/userstore_memory_test.go
@ -0,0 +1,15 @@
+package gpaste_test
+
+import (
+	"testing"
+
+	"git.t-juice.club/torjus/gpaste"
+)
+
+func TestMemoryUserStore(t *testing.T) {
+	newFunc := func() (func(), gpaste.UserStore) {
+		return func() {}, gpaste.NewMemoryUserStore()
+	}
+
+	RunUserStoreTest(newFunc, t)
+}
--- a/userstore_test.go
+++ b/userstore_test.go
@ -0,0 +1,41 @@
+package gpaste_test
+
+import (
+	"testing"
+
+	"git.t-juice.club/torjus/gpaste"
+)
+
+func RunUserStoreTest(newFunc func() (func(), gpaste.UserStore), t *testing.T) {
+	t.Run("Basics", func(t *testing.T) {
+		cleanup, s := newFunc()
+		t.Cleanup(cleanup)
+
+		userMap := make(map[string]string)
+		for i := 0; i < 10; i++ {
+			userMap[randomString(8)] = randomString(16)
+		}
+
+		for k, v := range userMap {
+			user := &gpaste.User{
+				Username: k,
+			}
+			if err := user.SetPassword(v); err != nil {
+				t.Fatalf("Error setting password: %s", err)
+			}
+			if err := s.Store(user); err != nil {
+				t.Fatalf("Error storing user: %s", err)
+			}
+		}
+
+		for k, v := range userMap {
+			user, err := s.Get(k)
+			if err != nil {
+				t.Errorf("Error getting user: %s", err)
+			}
+			if err := user.ValidatePassword(v); err != nil {
+				t.Errorf("Error verifying password: %s", err)
+			}
+		}
+	})
+}