Главная Обзор Помощь
Вход
SMusatov
/
ntfy
зеркало из https://github.com/binwiederhier/ntfy.git
1
0
Ответвить 0
Файлы
Дерево: 346d8d7967
Ветки Метки
ntfy
/
user
/
manager.go

manager.go 52 KB
История Исходник

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492 
  1. // Package user deals with authentication and authorization against topics
    2. 

  2. package user
    3. 

  3. 

  4. import (
    5. 

  5. 	"database/sql"
    6. 

  6. 	"encoding/json"
    7. 

  7. 	"errors"
    8. 

  8. 	"fmt"
    9. 

  9. 	_ "github.com/mattn/go-sqlite3" // SQLite driver
    10. 

  10. 	"github.com/stripe/stripe-go/v74"
    11. 

  11. 	"golang.org/x/crypto/bcrypt"
    12. 

  12. 	"heckel.io/ntfy/log"
    13. 

  13. 	"heckel.io/ntfy/util"
    14. 

  14. 	"net/netip"
    15. 

  15. 	"strings"
    16. 

  16. 	"sync"
    17. 

  17. 	"time"
    18. 

  18. )
    19. 

  19. 

  20. const (
    21. 

  21. 	tierIDPrefix                    = "ti_"
    22. 

  22. 	tierIDLength                    = 8
    23. 

  23. 	syncTopicPrefix                 = "st_"
    24. 

  24. 	syncTopicLength                 = 16
    25. 

  25. 	userIDPrefix                    = "u_"
    26. 

  26. 	userIDLength                    = 12
    27. 

  27. 	userAuthIntentionalSlowDownHash = "$2a$10$YFCQvqQDwIIwnJM1xkAYOeih0dg17UVGanaTStnrSzC8NCWxcLDwy" // Cost should match DefaultUserPasswordBcryptCost
    28. 

  28. 	userHardDeleteAfterDuration     = 7 * 24 * time.Hour
    29. 

  29. 	tokenPrefix                     = "tk_"
    30. 

  30. 	tokenLength                     = 32
    31. 

  31. 	tokenMaxCount                   = 20 // Only keep this many tokens in the table per user
    32. 

  32. 	tag                             = "user_manager"
    33. 

  33. )
    34. 

  34. 

  35. // Default constants that may be overridden by configs
    36. 

  36. const (
    37. 

  37. 	DefaultUserStatsQueueWriterInterval = 33 * time.Second
    38. 

  38. 	DefaultUserPasswordBcryptCost       = 10
    39. 

  39. )
    40. 

  40. 

  41. var (
    42. 

  42. 	errNoTokenProvided    = errors.New("no token provided")
    43. 

  43. 	errTopicOwnedByOthers = errors.New("topic owned by others")
    44. 

  44. 	errNoRows             = errors.New("no rows found")
    45. 

  45. )
    46. 

  46. 

  47. // Manager-related queries
    48. 

  48. const (
    49. 

  49. 	createTablesQueries = `
    50. 

  50. 		BEGIN;
    51. 

  51. 		CREATE TABLE IF NOT EXISTS tier (
    52. 

  52. 			id TEXT PRIMARY KEY,
    53. 

  53. 			code TEXT NOT NULL,
    54. 

  54. 			name TEXT NOT NULL,
    55. 

  55. 			messages_limit INT NOT NULL,
    56. 

  56. 			messages_expiry_duration INT NOT NULL,
    57. 

  57. 			emails_limit INT NOT NULL,
    58. 

  58. 			reservations_limit INT NOT NULL,
    59. 

  59. 			attachment_file_size_limit INT NOT NULL,
    60. 

  60. 			attachment_total_size_limit INT NOT NULL,
    61. 

  61. 			attachment_expiry_duration INT NOT NULL,
    62. 

  62. 			attachment_bandwidth_limit INT NOT NULL,
    63. 

  63. 			stripe_monthly_price_id TEXT,
    64. 

  64. 			stripe_yearly_price_id TEXT
    65. 

  65. 		);
    66. 

  66. 		CREATE UNIQUE INDEX idx_tier_code ON tier (code);
    67. 

  67. 		CREATE UNIQUE INDEX idx_tier_stripe_monthly_price_id ON tier (stripe_monthly_price_id);
    68. 

  68. 		CREATE UNIQUE INDEX idx_tier_stripe_yearly_price_id ON tier (stripe_yearly_price_id);
    69. 

  69. 		CREATE TABLE IF NOT EXISTS user (
    70. 

  70. 		    id TEXT PRIMARY KEY,
    71. 

  71. 			tier_id TEXT,
    72. 

  72. 			user TEXT NOT NULL,
    73. 

  73. 			pass TEXT NOT NULL,
    74. 

  74. 			role TEXT CHECK (role IN ('anonymous', 'admin', 'user')) NOT NULL,
    75. 

  75. 			prefs JSON NOT NULL DEFAULT '{}',
    76. 

  76. 			sync_topic TEXT NOT NULL,
    77. 

  77. 			stats_messages INT NOT NULL DEFAULT (0),
    78. 

  78. 			stats_emails INT NOT NULL DEFAULT (0),
    79. 

  79. 			stripe_customer_id TEXT,
    80. 

  80. 			stripe_subscription_id TEXT,
    81. 

  81. 			stripe_subscription_status TEXT,
    82. 

  82. 			stripe_subscription_interval TEXT,
    83. 

  83. 			stripe_subscription_paid_until INT,
    84. 

  84. 			stripe_subscription_cancel_at INT,
    85. 

  85. 			created INT NOT NULL,
    86. 

  86. 			deleted INT,
    87. 

  87. 		    FOREIGN KEY (tier_id) REFERENCES tier (id)
    88. 

  88. 		);
    89. 

  89. 		CREATE UNIQUE INDEX idx_user ON user (user);
    90. 

  90. 		CREATE UNIQUE INDEX idx_user_stripe_customer_id ON user (stripe_customer_id);
    91. 

  91. 		CREATE UNIQUE INDEX idx_user_stripe_subscription_id ON user (stripe_subscription_id);
    92. 

  92. 		CREATE TABLE IF NOT EXISTS user_access (
    93. 

  93. 			user_id TEXT NOT NULL,
    94. 

  94. 			topic TEXT NOT NULL,
    95. 

  95. 			read INT NOT NULL,
    96. 

  96. 			write INT NOT NULL,
    97. 

  97. 			owner_user_id INT,
    98. 

  98. 			PRIMARY KEY (user_id, topic),
    99. 

  99. 			FOREIGN KEY (user_id) REFERENCES user (id) ON DELETE CASCADE,
    100. 

  100. 		    FOREIGN KEY (owner_user_id) REFERENCES user (id) ON DELETE CASCADE
    101. 

  101. 		);
    102. 

  102. 		CREATE TABLE IF NOT EXISTS user_token (
    103. 

  103. 			user_id TEXT NOT NULL,
    104. 

  104. 			token TEXT NOT NULL,
    105. 

  105. 			label TEXT NOT NULL,
    106. 

  106. 			last_access INT NOT NULL,
    107. 

  107. 			last_origin TEXT NOT NULL,
    108. 

  108. 			expires INT NOT NULL,
    109. 

  109. 			PRIMARY KEY (user_id, token),
    110. 

  110. 			FOREIGN KEY (user_id) REFERENCES user (id) ON DELETE CASCADE
    111. 

  111. 		);
    112. 

  112. 		CREATE TABLE IF NOT EXISTS schemaVersion (
    113. 

  113. 			id INT PRIMARY KEY,
    114. 

  114. 			version INT NOT NULL
    115. 

  115. 		);
    116. 

  116. 		INSERT INTO user (id, user, pass, role, sync_topic, created)
    117. 

  117. 		VALUES ('` + everyoneID + `', '*', '', 'anonymous', '', UNIXEPOCH())
    118. 

  118. 		ON CONFLICT (id) DO NOTHING;
    119. 

  119. 		COMMIT;
    120. 

  120. 	`
    121. 

  121. 	builtinStartupQueries = `
    122. 

  122. 		PRAGMA foreign_keys = ON;
    123. 

  123. 	`
    124. 

  124. 

  125. 	selectUserByIDQuery = `
    126. 

  126. 		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
    127. 

  127. 		FROM user u
    128. 

  128. 		LEFT JOIN tier t on t.id = u.tier_id
    129. 

  129. 		WHERE u.id = ?
    130. 

  130. 	`
    131. 

  131. 	selectUserByNameQuery = `
    132. 

  132. 		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
    133. 

  133. 		FROM user u
    134. 

  134. 		LEFT JOIN tier t on t.id = u.tier_id
    135. 

  135. 		WHERE user = ?
    136. 

  136. 	`
    137. 

  137. 	selectUserByTokenQuery = `
    138. 

  138. 		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
    139. 

  139. 		FROM user u
    140. 

  140. 		JOIN user_token tk on u.id = tk.user_id
    141. 

  141. 		LEFT JOIN tier t on t.id = u.tier_id
    142. 

  142. 		WHERE tk.token = ? AND (tk.expires = 0 OR tk.expires >= ?)
    143. 

  143. 	`
    144. 

  144. 	selectUserByStripeCustomerIDQuery = `
    145. 

  145. 		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
    146. 

  146. 		FROM user u
    147. 

  147. 		LEFT JOIN tier t on t.id = u.tier_id
    148. 

  148. 		WHERE u.stripe_customer_id = ?
    149. 

  149. 	`
    150. 

  150. 	selectTopicPermsQuery = `
    151. 

  151. 		SELECT read, write
    152. 

  152. 		FROM user_access a
    153. 

  153. 		JOIN user u ON u.id = a.user_id
    154. 

  154. 		WHERE (u.user = ? OR u.user = ?) AND ? LIKE a.topic
    155. 

  155. 		ORDER BY u.user DESC
    156. 

  156. 	`
    157. 

  157. 

  158. 	insertUserQuery = `
    159. 

  159. 		INSERT INTO user (id, user, pass, role, sync_topic, created)
    160. 

  160. 		VALUES (?, ?, ?, ?, ?, ?)
    161. 

  161. 	`
    162. 

  162. 	selectUsernamesQuery = `
    163. 

  163. 		SELECT user
    164. 

  164. 		FROM user
    165. 

  165. 		ORDER BY
    166. 

  166. 			CASE role
    167. 

  167. 				WHEN 'admin' THEN 1
    168. 

  168. 				WHEN 'anonymous' THEN 3
    169. 

  169. 				ELSE 2
    170. 

  170. 			END, user
    171. 

  171. 	`
    172. 

  172. 	updateUserPassQuery          = `UPDATE user SET pass = ? WHERE user = ?`
    173. 

  173. 	updateUserRoleQuery          = `UPDATE user SET role = ? WHERE user = ?`
    174. 

  174. 	updateUserPrefsQuery         = `UPDATE user SET prefs = ? WHERE id = ?`
    175. 

  175. 	updateUserStatsQuery         = `UPDATE user SET stats_messages = ?, stats_emails = ? WHERE id = ?`
    176. 

  176. 	updateUserStatsResetAllQuery = `UPDATE user SET stats_messages = 0, stats_emails = 0`
    177. 

  177. 	updateUserDeletedQuery       = `UPDATE user SET deleted = ? WHERE id = ?`
    178. 

  178. 	deleteUsersMarkedQuery       = `DELETE FROM user WHERE deleted < ?`
    179. 

  179. 	deleteUserQuery              = `DELETE FROM user WHERE user = ?`
    180. 

  180. 

  181. 	upsertUserAccessQuery = `
    182. 

  182. 		INSERT INTO user_access (user_id, topic, read, write, owner_user_id)
    183. 

  183. 		VALUES ((SELECT id FROM user WHERE user = ?), ?, ?, ?, (SELECT IIF(?='',NULL,(SELECT id FROM user WHERE user=?))))
    184. 

  184. 		ON CONFLICT (user_id, topic)
    185. 

  185. 		DO UPDATE SET read=excluded.read, write=excluded.write, owner_user_id=excluded.owner_user_id
    186. 

  186. 	`
    187. 

  187. 	selectUserAccessQuery = `
    188. 

  188. 		SELECT topic, read, write
    189. 

  189. 		FROM user_access
    190. 

  190. 		WHERE user_id = (SELECT id FROM user WHERE user = ?)
    191. 

  191. 		ORDER BY write DESC, read DESC, topic
    192. 

  192. 	`
    193. 

  193. 	selectUserReservationsQuery = `
    194. 

  194. 		SELECT a_user.topic, a_user.read, a_user.write, a_everyone.read AS everyone_read, a_everyone.write AS everyone_write
    195. 

  195. 		FROM user_access a_user
    196. 

  196. 		LEFT JOIN  user_access a_everyone ON a_user.topic = a_everyone.topic AND a_everyone.user_id = (SELECT id FROM user WHERE user = ?)
    197. 

  197. 		WHERE a_user.user_id = a_user.owner_user_id
    198. 

  198. 		  AND a_user.owner_user_id = (SELECT id FROM user WHERE user = ?)
    199. 

  199. 		ORDER BY a_user.topic
    200. 

  200. 	`
    201. 

  201. 	selectUserReservationsCountQuery = `
    202. 

  202. 		SELECT COUNT(*)
    203. 

  203. 		FROM user_access
    204. 

  204. 		WHERE user_id = owner_user_id 
    205. 

  205. 		  AND owner_user_id = (SELECT id FROM user WHERE user = ?)
    206. 

  206. 	`
    207. 

  207. 	selectUserReservationsOwnerQuery = `
    208. 

  208. 		SELECT owner_user_id
    209. 

  209. 		FROM user_access
    210. 

  210. 		WHERE topic = ?
    211. 

  211. 		  AND user_id = owner_user_id
    212. 

  212. 	`
    213. 

  213. 	selectUserHasReservationQuery = `
    214. 

  214. 		SELECT COUNT(*)
    215. 

  215. 		FROM user_access
    216. 

  216. 		WHERE user_id = owner_user_id
    217. 

  217. 		  AND owner_user_id = (SELECT id FROM user WHERE user = ?)
    218. 

  218. 		  AND topic = ?
    219. 

  219. 	`
    220. 

  220. 	selectOtherAccessCountQuery = `
    221. 

  221. 		SELECT COUNT(*)
    222. 

  222. 		FROM user_access
    223. 

  223. 		WHERE (topic = ? OR ? LIKE topic)
    224. 

  224. 		  AND (owner_user_id IS NULL OR owner_user_id != (SELECT id FROM user WHERE user = ?))
    225. 

  225. 	`
    226. 

  226. 	deleteAllAccessQuery  = `DELETE FROM user_access`
    227. 

  227. 	deleteUserAccessQuery = `
    228. 

  228. 		DELETE FROM user_access
    229. 

  229. 		WHERE user_id = (SELECT id FROM user WHERE user = ?)
    230. 

  230. 		   OR owner_user_id = (SELECT id FROM user WHERE user = ?)
    231. 

  231. 	`
    232. 

  232. 	deleteTopicAccessQuery = `
    233. 

  233. 		DELETE FROM user_access
    234. 

  234. 	   	WHERE (user_id = (SELECT id FROM user WHERE user = ?) OR owner_user_id = (SELECT id FROM user WHERE user = ?))
    235. 

  235. 	   	  AND topic = ?
    236. 

  236.   	`
    237. 

  237. 

  238. 	selectTokenCountQuery      = `SELECT COUNT(*) FROM user_token WHERE user_id = ?`
    239. 

  239. 	selectTokensQuery          = `SELECT token, label, last_access, last_origin, expires FROM user_token WHERE user_id = ?`
    240. 

  240. 	selectTokenQuery           = `SELECT token, label, last_access, last_origin, expires FROM user_token WHERE user_id = ? AND token = ?`
    241. 

  241. 	insertTokenQuery           = `INSERT INTO user_token (user_id, token, label, last_access, last_origin, expires) VALUES (?, ?, ?, ?, ?, ?)`
    242. 

  242. 	updateTokenExpiryQuery     = `UPDATE user_token SET expires = ? WHERE user_id = ? AND token = ?`
    243. 

  243. 	updateTokenLabelQuery      = `UPDATE user_token SET label = ? WHERE user_id = ? AND token = ?`
    244. 

  244. 	updateTokenLastAccessQuery = `UPDATE user_token SET last_access = ?, last_origin = ? WHERE token = ?`
    245. 

  245. 	deleteTokenQuery           = `DELETE FROM user_token WHERE user_id = ? AND token = ?`
    246. 

  246. 	deleteAllTokenQuery        = `DELETE FROM user_token WHERE user_id = ?`
    247. 

  247. 	deleteExpiredTokensQuery   = `DELETE FROM user_token WHERE expires > 0 AND expires < ?`
    248. 

  248. 	deleteExcessTokensQuery    = `
    249. 

  249. 		DELETE FROM user_token
    250. 

  250. 		WHERE (user_id, token) NOT IN (
    251. 

  251. 			SELECT user_id, token
    252. 

  252. 			FROM user_token
    253. 

  253. 			WHERE user_id = ?
    254. 

  254. 			ORDER BY expires DESC
    255. 

  255. 			LIMIT ?
    256. 

  256. 		)
    257. 

  257. 	`
    258. 

  258. 

  259. 	insertTierQuery = `
    260. 

  260. 		INSERT INTO tier (id, code, name, messages_limit, messages_expiry_duration, emails_limit, reservations_limit, attachment_file_size_limit, attachment_total_size_limit, attachment_expiry_duration, attachment_bandwidth_limit, stripe_monthly_price_id, stripe_yearly_price_id)
    261. 

  261. 		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
    262. 

  262. 	`
    263. 

  263. 	updateTierQuery = `
    264. 

  264. 		UPDATE tier
    265. 

  265. 		SET name = ?, messages_limit = ?, messages_expiry_duration = ?, emails_limit = ?, reservations_limit = ?, attachment_file_size_limit = ?, attachment_total_size_limit = ?, attachment_expiry_duration = ?, attachment_bandwidth_limit = ?, stripe_monthly_price_id = ?, stripe_yearly_price_id = ?
    266. 

  266. 		WHERE code = ?
    267. 

  267. 	`
    268. 

  268. 	selectTiersQuery = `
    269. 

  269. 		SELECT id, code, name, messages_limit, messages_expiry_duration, emails_limit, reservations_limit, attachment_file_size_limit, attachment_total_size_limit, attachment_expiry_duration, attachment_bandwidth_limit, stripe_monthly_price_id, stripe_yearly_price_id
    270. 

  270. 		FROM tier
    271. 

  271. 	`
    272. 

  272. 	selectTierByCodeQuery = `
    273. 

  273. 		SELECT id, code, name, messages_limit, messages_expiry_duration, emails_limit, reservations_limit, attachment_file_size_limit, attachment_total_size_limit, attachment_expiry_duration, attachment_bandwidth_limit, stripe_monthly_price_id, stripe_yearly_price_id
    274. 

  274. 		FROM tier
    275. 

  275. 		WHERE code = ?
    276. 

  276. 	`
    277. 

  277. 	selectTierByPriceIDQuery = `
    278. 

  278. 		SELECT id, code, name, messages_limit, messages_expiry_duration, emails_limit, reservations_limit, attachment_file_size_limit, attachment_total_size_limit, attachment_expiry_duration, attachment_bandwidth_limit, stripe_monthly_price_id, stripe_yearly_price_id
    279. 

  279. 		FROM tier
    280. 

  280. 		WHERE (stripe_monthly_price_id = ? OR stripe_yearly_price_id = ?)
    281. 

  281. 	`
    282. 

  282. 	updateUserTierQuery = `UPDATE user SET tier_id = (SELECT id FROM tier WHERE code = ?) WHERE user = ?`
    283. 

  283. 	deleteUserTierQuery = `UPDATE user SET tier_id = null WHERE user = ?`
    284. 

  284. 	deleteTierQuery     = `DELETE FROM tier WHERE code = ?`
    285. 

  285. 

  286. 	updateBillingQuery = `
    287. 

  287. 		UPDATE user
    288. 

  288. 		SET stripe_customer_id = ?, stripe_subscription_id = ?, stripe_subscription_status = ?, stripe_subscription_interval = ?, stripe_subscription_paid_until = ?, stripe_subscription_cancel_at = ?
    289. 

  289. 		WHERE user = ?
    290. 

  290. 	`
    291. 

  291. )
    292. 

  292. 

  293. // Schema management queries
    294. 

  294. const (
    295. 

  295. 	currentSchemaVersion     = 3
    296. 

  296. 	insertSchemaVersion      = `INSERT INTO schemaVersion VALUES (1, ?)`
    297. 

  297. 	updateSchemaVersion      = `UPDATE schemaVersion SET version = ? WHERE id = 1`
    298. 

  298. 	selectSchemaVersionQuery = `SELECT version FROM schemaVersion WHERE id = 1`
    299. 

  299. 

  300. 	// 1 -> 2 (complex migration!)
    301. 

  301. 	migrate1To2CreateTablesQueries = `
    302. 

  302. 		ALTER TABLE user RENAME TO user_old;
    303. 

  303. 		CREATE TABLE IF NOT EXISTS tier (
    304. 

  304. 			id TEXT PRIMARY KEY,
    305. 

  305. 			code TEXT NOT NULL,
    306. 

  306. 			name TEXT NOT NULL,
    307. 

  307. 			messages_limit INT NOT NULL,
    308. 

  308. 			messages_expiry_duration INT NOT NULL,
    309. 

  309. 			emails_limit INT NOT NULL,
    310. 

  310. 			reservations_limit INT NOT NULL,
    311. 

  311. 			attachment_file_size_limit INT NOT NULL,
    312. 

  312. 			attachment_total_size_limit INT NOT NULL,
    313. 

  313. 			attachment_expiry_duration INT NOT NULL,
    314. 

  314. 			attachment_bandwidth_limit INT NOT NULL,
    315. 

  315. 			stripe_price_id TEXT
    316. 

  316. 		);
    317. 

  317. 		CREATE UNIQUE INDEX idx_tier_code ON tier (code);
    318. 

  318. 		CREATE UNIQUE INDEX idx_tier_price_id ON tier (stripe_price_id);
    319. 

  319. 		CREATE TABLE IF NOT EXISTS user (
    320. 

  320. 		    id TEXT PRIMARY KEY,
    321. 

  321. 			tier_id TEXT,
    322. 

  322. 			user TEXT NOT NULL,
    323. 

  323. 			pass TEXT NOT NULL,
    324. 

  324. 			role TEXT CHECK (role IN ('anonymous', 'admin', 'user')) NOT NULL,
    325. 

  325. 			prefs JSON NOT NULL DEFAULT '{}',
    326. 

  326. 			sync_topic TEXT NOT NULL,
    327. 

  327. 			stats_messages INT NOT NULL DEFAULT (0),
    328. 

  328. 			stats_emails INT NOT NULL DEFAULT (0),
    329. 

  329. 			stripe_customer_id TEXT,
    330. 

  330. 			stripe_subscription_id TEXT,
    331. 

  331. 			stripe_subscription_status TEXT,
    332. 

  332. 			stripe_subscription_paid_until INT,
    333. 

  333. 			stripe_subscription_cancel_at INT,
    334. 

  334. 			created INT NOT NULL,
    335. 

  335. 			deleted INT,
    336. 

  336. 		    FOREIGN KEY (tier_id) REFERENCES tier (id)
    337. 

  337. 		);
    338. 

  338. 		CREATE UNIQUE INDEX idx_user ON user (user);
    339. 

  339. 		CREATE UNIQUE INDEX idx_user_stripe_customer_id ON user (stripe_customer_id);
    340. 

  340. 		CREATE UNIQUE INDEX idx_user_stripe_subscription_id ON user (stripe_subscription_id);
    341. 

  341. 		CREATE TABLE IF NOT EXISTS user_access (
    342. 

  342. 			user_id TEXT NOT NULL,
    343. 

  343. 			topic TEXT NOT NULL,
    344. 

  344. 			read INT NOT NULL,
    345. 

  345. 			write INT NOT NULL,
    346. 

  346. 			owner_user_id INT,
    347. 

  347. 			PRIMARY KEY (user_id, topic),
    348. 

  348. 			FOREIGN KEY (user_id) REFERENCES user (id) ON DELETE CASCADE,
    349. 

  349. 		    FOREIGN KEY (owner_user_id) REFERENCES user (id) ON DELETE CASCADE
    350. 

  350. 		);
    351. 

  351. 		CREATE TABLE IF NOT EXISTS user_token (
    352. 

  352. 			user_id TEXT NOT NULL,
    353. 

  353. 			token TEXT NOT NULL,
    354. 

  354. 			label TEXT NOT NULL,
    355. 

  355. 			last_access INT NOT NULL,
    356. 

  356. 			last_origin TEXT NOT NULL,
    357. 

  357. 			expires INT NOT NULL,
    358. 

  358. 			PRIMARY KEY (user_id, token),
    359. 

  359. 			FOREIGN KEY (user_id) REFERENCES user (id) ON DELETE CASCADE
    360. 

  360. 		);
    361. 

  361. 		CREATE TABLE IF NOT EXISTS schemaVersion (
    362. 

  362. 			id INT PRIMARY KEY,
    363. 

  363. 			version INT NOT NULL
    364. 

  364. 		);
    365. 

  365. 		INSERT INTO user (id, user, pass, role, sync_topic, created)
    366. 

  366. 		VALUES ('u_everyone', '*', '', 'anonymous', '', UNIXEPOCH())
    367. 

  367. 		ON CONFLICT (id) DO NOTHING;
    368. 

  368. 	`
    369. 

  369. 	migrate1To2SelectAllOldUsernamesNoTx = `SELECT user FROM user_old`
    370. 

  370. 	migrate1To2InsertUserNoTx            = `
    371. 

  371. 		INSERT INTO user (id, user, pass, role, sync_topic, created)
    372. 

  372. 		SELECT ?, user, pass, role, ?, UNIXEPOCH() FROM user_old WHERE user = ?
    373. 

  373. 	`
    374. 

  374. 	migrate1To2InsertFromOldTablesAndDropNoTx = `
    375. 

  375. 		INSERT INTO user_access (user_id, topic, read, write)
    376. 

  376. 		SELECT u.id, a.topic, a.read, a.write
    377. 

  377. 		FROM user u
    378. 

  378. 	 	JOIN access a ON u.user = a.user;
    379. 

  379. 

  380. 		DROP TABLE access;
    381. 

  381. 		DROP TABLE user_old;
    382. 

  382. 	`
    383. 

  383. 

  384. 	// 2 -> 3
    385. 

  385. 	migrate2To3UpdateQueries = `
    386. 

  386. 		ALTER TABLE user ADD COLUMN stripe_subscription_interval TEXT;
    387. 

  387. 		ALTER TABLE tier RENAME COLUMN stripe_price_id TO stripe_monthly_price_id;
    388. 

  388. 		ALTER TABLE tier ADD COLUMN stripe_yearly_price_id TEXT;
    389. 

  389. 		DROP INDEX IF EXISTS idx_tier_price_id;
    390. 

  390. 		CREATE UNIQUE INDEX idx_tier_stripe_monthly_price_id ON tier (stripe_monthly_price_id);
    391. 

  391. 		CREATE UNIQUE INDEX idx_tier_stripe_yearly_price_id ON tier (stripe_yearly_price_id);
    392. 

  392. 	`
    393. 

  393. )
    394. 

  394. 

  395. var (
    396. 

  396. 	migrations = map[int]func(db *sql.DB) error{
    397. 

  397. 		1: migrateFrom1,
    398. 

  398. 		2: migrateFrom2,
    399. 

  399. 	}
    400. 

  400. )
    401. 

  401. 

  402. // Manager is an implementation of Manager. It stores users and access control list
    403. 

  403. // in a SQLite database.
    404. 

  404. type Manager struct {
    405. 

  405. 	db            *sql.DB
    406. 

  406. 	defaultAccess Permission              // Default permission if no ACL matches
    407. 

  407. 	statsQueue    map[string]*Stats       // "Queue" to asynchronously write user stats to the database (UserID -> Stats)
    408. 

  408. 	tokenQueue    map[string]*TokenUpdate // "Queue" to asynchronously write token access stats to the database (Token ID -> TokenUpdate)
    409. 

  409. 	bcryptCost    int                     // Makes testing easier
    410. 

  410. 	mu            sync.Mutex
    411. 

  411. }
    412. 

  412. 

  413. var _ Auther = (*Manager)(nil)
    414. 

  414. 

  415. // NewManager creates a new Manager instance
    416. 

  416. func NewManager(filename, startupQueries string, defaultAccess Permission, bcryptCost int, queueWriterInterval time.Duration) (*Manager, error) {
    417. 

  417. 	db, err := sql.Open("sqlite3", filename)
    418. 

  418. 	if err != nil {
    419. 

  419. 		return nil, err
    420. 

  420. 	}
    421. 

  421. 	if err := setupDB(db); err != nil {
    422. 

  422. 		return nil, err
    423. 

  423. 	}
    424. 

  424. 	if err := runStartupQueries(db, startupQueries); err != nil {
    425. 

  425. 		return nil, err
    426. 

  426. 	}
    427. 

  427. 	manager := &Manager{
    428. 

  428. 		db:            db,
    429. 

  429. 		defaultAccess: defaultAccess,
    430. 

  430. 		statsQueue:    make(map[string]*Stats),
    431. 

  431. 		tokenQueue:    make(map[string]*TokenUpdate),
    432. 

  432. 		bcryptCost:    bcryptCost,
    433. 

  433. 	}
    434. 

  434. 	go manager.asyncQueueWriter(queueWriterInterval)
    435. 

  435. 	return manager, nil
    436. 

  436. }
    437. 

  437. 

  438. // Authenticate checks username and password and returns a User if correct, and the user has not been
    439. 

  439. // marked as deleted. The method returns in constant-ish time, regardless of whether the user exists or
    440. 

  440. // the password is correct or incorrect.
    441. 

  441. func (a *Manager) Authenticate(username, password string) (*User, error) {
    442. 

  442. 	if username == Everyone {
    443. 

  443. 		return nil, ErrUnauthenticated
    444. 

  444. 	}
    445. 

  445. 	user, err := a.User(username)
    446. 

  446. 	if err != nil {
    447. 

  447. 		log.Tag(tag).Field("user_name", username).Err(err).Trace("Authentication of user failed (1)")
    448. 

  448. 		bcrypt.CompareHashAndPassword([]byte(userAuthIntentionalSlowDownHash), []byte("intentional slow-down to avoid timing attacks"))
    449. 

  449. 		return nil, ErrUnauthenticated
    450. 

  450. 	} else if user.Deleted {
    451. 

  451. 		log.Tag(tag).Field("user_name", username).Trace("Authentication of user failed (2): user marked deleted")
    452. 

  452. 		bcrypt.CompareHashAndPassword([]byte(userAuthIntentionalSlowDownHash), []byte("intentional slow-down to avoid timing attacks"))
    453. 

  453. 		return nil, ErrUnauthenticated
    454. 

  454. 	} else if err := bcrypt.CompareHashAndPassword([]byte(user.Hash), []byte(password)); err != nil {
    455. 

  455. 		log.Tag(tag).Field("user_name", username).Err(err).Trace("Authentication of user failed (3)")
    456. 

  456. 		return nil, ErrUnauthenticated
    457. 

  457. 	}
    458. 

  458. 	return user, nil
    459. 

  459. }
    460. 

  460. 

  461. // AuthenticateToken checks if the token exists and returns the associated User if it does.
    462. 

  462. // The method sets the User.Token value to the token that was used for authentication.
    463. 

  463. func (a *Manager) AuthenticateToken(token string) (*User, error) {
    464. 

  464. 	if len(token) != tokenLength {
    465. 

  465. 		return nil, ErrUnauthenticated
    466. 

  466. 	}
    467. 

  467. 	user, err := a.userByToken(token)
    468. 

  468. 	if err != nil {
    469. 

  469. 		log.Tag(tag).Field("token", token).Err(err).Trace("Authentication of token failed")
    470. 

  470. 		return nil, ErrUnauthenticated
    471. 

  471. 	}
    472. 

  472. 	user.Token = token
    473. 

  473. 	return user, nil
    474. 

  474. }
    475. 

  475. 

  476. // CreateToken generates a random token for the given user and returns it. The token expires
    477. 

  477. // after a fixed duration unless ChangeToken is called. This function also prunes tokens for the
    478. 

  478. // given user, if there are too many of them.
    479. 

  479. func (a *Manager) CreateToken(userID, label string, expires time.Time, origin netip.Addr) (*Token, error) {
    480. 

  480. 	token := util.RandomStringPrefix(tokenPrefix, tokenLength)
    481. 

  481. 	tx, err := a.db.Begin()
    482. 

  482. 	if err != nil {
    483. 

  483. 		return nil, err
    484. 

  484. 	}
    485. 

  485. 	defer tx.Rollback()
    486. 

  486. 	access := time.Now()
    487. 

  487. 	if _, err := tx.Exec(insertTokenQuery, userID, token, label, access.Unix(), origin.String(), expires.Unix()); err != nil {
    488. 

  488. 		return nil, err
    489. 

  489. 	}
    490. 

  490. 	rows, err := tx.Query(selectTokenCountQuery, userID)
    491. 

  491. 	if err != nil {
    492. 

  492. 		return nil, err
    493. 

  493. 	}
    494. 

  494. 	defer rows.Close()
    495. 

  495. 	if !rows.Next() {
    496. 

  496. 		return nil, errNoRows
    497. 

  497. 	}
    498. 

  498. 	var tokenCount int
    499. 

  499. 	if err := rows.Scan(&tokenCount); err != nil {
    500. 

  500. 		return nil, err
    501. 

  501. 	}
    502. 

  502. 	if tokenCount >= tokenMaxCount {
    503. 

  503. 		// This pruning logic is done in two queries for efficiency. The SELECT above is a lookup
    504. 

  504. 		// on two indices, whereas the query below is a full table scan.
    505. 

  505. 		if _, err := tx.Exec(deleteExcessTokensQuery, userID, tokenMaxCount); err != nil {
    506. 

  506. 			return nil, err
    507. 

  507. 		}
    508. 

  508. 	}
    509. 

  509. 	if err := tx.Commit(); err != nil {
    510. 

  510. 		return nil, err
    511. 

  511. 	}
    512. 

  512. 	return &Token{
    513. 

  513. 		Value:      token,
    514. 

  514. 		Label:      label,
    515. 

  515. 		LastAccess: access,
    516. 

  516. 		LastOrigin: origin,
    517. 

  517. 		Expires:    expires,
    518. 

  518. 	}, nil
    519. 

  519. }
    520. 

  520. 

  521. // Tokens returns all existing tokens for the user with the given user ID
    522. 

  522. func (a *Manager) Tokens(userID string) ([]*Token, error) {
    523. 

  523. 	rows, err := a.db.Query(selectTokensQuery, userID)
    524. 

  524. 	if err != nil {
    525. 

  525. 		return nil, err
    526. 

  526. 	}
    527. 

  527. 	defer rows.Close()
    528. 

  528. 	tokens := make([]*Token, 0)
    529. 

  529. 	for {
    530. 

  530. 		token, err := a.readToken(rows)
    531. 

  531. 		if err == ErrTokenNotFound {
    532. 

  532. 			break
    533. 

  533. 		} else if err != nil {
    534. 

  534. 			return nil, err
    535. 

  535. 		}
    536. 

  536. 		tokens = append(tokens, token)
    537. 

  537. 	}
    538. 

  538. 	return tokens, nil
    539. 

  539. }
    540. 

  540. 

  541. // Token returns a specific token for a user
    542. 

  542. func (a *Manager) Token(userID, token string) (*Token, error) {
    543. 

  543. 	rows, err := a.db.Query(selectTokenQuery, userID, token)
    544. 

  544. 	if err != nil {
    545. 

  545. 		return nil, err
    546. 

  546. 	}
    547. 

  547. 	defer rows.Close()
    548. 

  548. 	return a.readToken(rows)
    549. 

  549. }
    550. 

  550. 

  551. func (a *Manager) readToken(rows *sql.Rows) (*Token, error) {
    552. 

  552. 	var token, label, lastOrigin string
    553. 

  553. 	var lastAccess, expires int64
    554. 

  554. 	if !rows.Next() {
    555. 

  555. 		return nil, ErrTokenNotFound
    556. 

  556. 	}
    557. 

  557. 	if err := rows.Scan(&token, &label, &lastAccess, &lastOrigin, &expires); err != nil {
    558. 

  558. 		return nil, err
    559. 

  559. 	} else if err := rows.Err(); err != nil {
    560. 

  560. 		return nil, err
    561. 

  561. 	}
    562. 

  562. 	lastOriginIP, err := netip.ParseAddr(lastOrigin)
    563. 

  563. 	if err != nil {
    564. 

  564. 		lastOriginIP = netip.IPv4Unspecified()
    565. 

  565. 	}
    566. 

  566. 	return &Token{
    567. 

  567. 		Value:      token,
    568. 

  568. 		Label:      label,
    569. 

  569. 		LastAccess: time.Unix(lastAccess, 0),
    570. 

  570. 		LastOrigin: lastOriginIP,
    571. 

  571. 		Expires:    time.Unix(expires, 0),
    572. 

  572. 	}, nil
    573. 

  573. }
    574. 

  574. 

  575. // ChangeToken updates a token's label and/or expiry date
    576. 

  576. func (a *Manager) ChangeToken(userID, token string, label *string, expires *time.Time) (*Token, error) {
    577. 

  577. 	if token == "" {
    578. 

  578. 		return nil, errNoTokenProvided
    579. 

  579. 	}
    580. 

  580. 	tx, err := a.db.Begin()
    581. 

  581. 	if err != nil {
    582. 

  582. 		return nil, err
    583. 

  583. 	}
    584. 

  584. 	defer tx.Rollback()
    585. 

  585. 	if label != nil {
    586. 

  586. 		if _, err := tx.Exec(updateTokenLabelQuery, *label, userID, token); err != nil {
    587. 

  587. 			return nil, err
    588. 

  588. 		}
    589. 

  589. 	}
    590. 

  590. 	if expires != nil {
    591. 

  591. 		if _, err := tx.Exec(updateTokenExpiryQuery, expires.Unix(), userID, token); err != nil {
    592. 

  592. 			return nil, err
    593. 

  593. 		}
    594. 

  594. 	}
    595. 

  595. 	if err := tx.Commit(); err != nil {
    596. 

  596. 		return nil, err
    597. 

  597. 	}
    598. 

  598. 	return a.Token(userID, token)
    599. 

  599. }
    600. 

  600. 

  601. // RemoveToken deletes the token defined in User.Token
    602. 

  602. func (a *Manager) RemoveToken(userID, token string) error {
    603. 

  603. 	if token == "" {
    604. 

  604. 		return errNoTokenProvided
    605. 

  605. 	}
    606. 

  606. 	if _, err := a.db.Exec(deleteTokenQuery, userID, token); err != nil {
    607. 

  607. 		return err
    608. 

  608. 	}
    609. 

  609. 	return nil
    610. 

  610. }
    611. 

  611. 

  612. // RemoveExpiredTokens deletes all expired tokens from the database
    613. 

  613. func (a *Manager) RemoveExpiredTokens() error {
    614. 

  614. 	if _, err := a.db.Exec(deleteExpiredTokensQuery, time.Now().Unix()); err != nil {
    615. 

  615. 		return err
    616. 

  616. 	}
    617. 

  617. 	return nil
    618. 

  618. }
    619. 

  619. 

  620. // RemoveDeletedUsers deletes all users that have been marked deleted for
    621. 

  621. func (a *Manager) RemoveDeletedUsers() error {
    622. 

  622. 	if _, err := a.db.Exec(deleteUsersMarkedQuery, time.Now().Unix()); err != nil {
    623. 

  623. 		return err
    624. 

  624. 	}
    625. 

  625. 	return nil
    626. 

  626. }
    627. 

  627. 

  628. // ChangeSettings persists the user settings
    629. 

  629. func (a *Manager) ChangeSettings(userID string, prefs *Prefs) error {
    630. 

  630. 	b, err := json.Marshal(prefs)
    631. 

  631. 	if err != nil {
    632. 

  632. 		return err
    633. 

  633. 	}
    634. 

  634. 	if _, err := a.db.Exec(updateUserPrefsQuery, string(b), userID); err != nil {
    635. 

  635. 		return err
    636. 

  636. 	}
    637. 

  637. 	return nil
    638. 

  638. }
    639. 

  639. 

  640. // ResetStats resets all user stats in the user database. This touches all users.
    641. 

  641. func (a *Manager) ResetStats() error {
    642. 

  642. 	a.mu.Lock() // Includes database query to avoid races!
    643. 

  643. 	defer a.mu.Unlock()
    644. 

  644. 	if _, err := a.db.Exec(updateUserStatsResetAllQuery); err != nil {
    645. 

  645. 		return err
    646. 

  646. 	}
    647. 

  647. 	a.statsQueue = make(map[string]*Stats)
    648. 

  648. 	return nil
    649. 

  649. }
    650. 

  650. 

  651. // EnqueueUserStats adds the user to a queue which writes out user stats (messages, emails, ..) in
    652. 

  652. // batches at a regular interval
    653. 

  653. func (a *Manager) EnqueueUserStats(userID string, stats *Stats) {
    654. 

  654. 	a.mu.Lock()
    655. 

  655. 	defer a.mu.Unlock()
    656. 

  656. 	a.statsQueue[userID] = stats
    657. 

  657. }
    658. 

  658. 

  659. // EnqueueTokenUpdate adds the token update to  a queue which writes out token access times
    660. 

  660. // in batches at a regular interval
    661. 

  661. func (a *Manager) EnqueueTokenUpdate(tokenID string, update *TokenUpdate) {
    662. 

  662. 	a.mu.Lock()
    663. 

  663. 	defer a.mu.Unlock()
    664. 

  664. 	a.tokenQueue[tokenID] = update
    665. 

  665. }
    666. 

  666. 

  667. func (a *Manager) asyncQueueWriter(interval time.Duration) {
    668. 

  668. 	ticker := time.NewTicker(interval)
    669. 

  669. 	for range ticker.C {
    670. 

  670. 		if err := a.writeUserStatsQueue(); err != nil {
    671. 

  671. 			log.Tag(tag).Err(err).Warn("Writing user stats queue failed")
    672. 

  672. 		}
    673. 

  673. 		if err := a.writeTokenUpdateQueue(); err != nil {
    674. 

  674. 			log.Tag(tag).Err(err).Warn("Writing token update queue failed")
    675. 

  675. 		}
    676. 

  676. 	}
    677. 

  677. }
    678. 

  678. 

  679. func (a *Manager) writeUserStatsQueue() error {
    680. 

  680. 	a.mu.Lock()
    681. 

  681. 	if len(a.statsQueue) == 0 {
    682. 

  682. 		a.mu.Unlock()
    683. 

  683. 		log.Tag(tag).Trace("No user stats updates to commit")
    684. 

  684. 		return nil
    685. 

  685. 	}
    686. 

  686. 	statsQueue := a.statsQueue
    687. 

  687. 	a.statsQueue = make(map[string]*Stats)
    688. 

  688. 	a.mu.Unlock()
    689. 

  689. 	tx, err := a.db.Begin()
    690. 

  690. 	if err != nil {
    691. 

  691. 		return err
    692. 

  692. 	}
    693. 

  693. 	defer tx.Rollback()
    694. 

  694. 	log.Tag(tag).Debug("Writing user stats queue for %d user(s)", len(statsQueue))
    695. 

  695. 	for userID, update := range statsQueue {
    696. 

  696. 		log.
    697. 

  697. 			Tag(tag).
    698. 

  698. 			Fields(log.Context{
    699. 

  699. 				"user_id":        userID,
    700. 

  700. 				"messages_count": update.Messages,
    701. 

  701. 				"emails_count":   update.Emails,
    702. 

  702. 			}).
    703. 

  703. 			Trace("Updating stats for user %s", userID)
    704. 

  704. 		if _, err := tx.Exec(updateUserStatsQuery, update.Messages, update.Emails, userID); err != nil {
    705. 

  705. 			return err
    706. 

  706. 		}
    707. 

  707. 	}
    708. 

  708. 	return tx.Commit()
    709. 

  709. }
    710. 

  710. 

  711. func (a *Manager) writeTokenUpdateQueue() error {
    712. 

  712. 	a.mu.Lock()
    713. 

  713. 	if len(a.tokenQueue) == 0 {
    714. 

  714. 		a.mu.Unlock()
    715. 

  715. 		log.Tag(tag).Trace("No token updates to commit")
    716. 

  716. 		return nil
    717. 

  717. 	}
    718. 

  718. 	tokenQueue := a.tokenQueue
    719. 

  719. 	a.tokenQueue = make(map[string]*TokenUpdate)
    720. 

  720. 	a.mu.Unlock()
    721. 

  721. 	tx, err := a.db.Begin()
    722. 

  722. 	if err != nil {
    723. 

  723. 		return err
    724. 

  724. 	}
    725. 

  725. 	defer tx.Rollback()
    726. 

  726. 	log.Tag(tag).Debug("Writing token update queue for %d token(s)", len(tokenQueue))
    727. 

  727. 	for tokenID, update := range tokenQueue {
    728. 

  728. 		log.Tag(tag).Trace("Updating token %s with last access time %v", tokenID, update.LastAccess.Unix())
    729. 

  729. 		if _, err := tx.Exec(updateTokenLastAccessQuery, update.LastAccess.Unix(), update.LastOrigin.String(), tokenID); err != nil {
    730. 

  730. 			return err
    731. 

  731. 		}
    732. 

  732. 	}
    733. 

  733. 	return tx.Commit()
    734. 

  734. }
    735. 

  735. 

  736. // Authorize returns nil if the given user has access to the given topic using the desired
    737. 

  737. // permission. The user param may be nil to signal an anonymous user.
    738. 

  738. func (a *Manager) Authorize(user *User, topic string, perm Permission) error {
    739. 

  739. 	if user != nil && user.Role == RoleAdmin {
    740. 

  740. 		return nil // Admin can do everything
    741. 

  741. 	}
    742. 

  742. 	username := Everyone
    743. 

  743. 	if user != nil {
    744. 

  744. 		username = user.Name
    745. 

  745. 	}
    746. 

  746. 	// Select the read/write permissions for this user/topic combo. The query may return two
    747. 

  747. 	// rows (one for everyone, and one for the user), but prioritizes the user.
    748. 

  748. 	rows, err := a.db.Query(selectTopicPermsQuery, Everyone, username, topic)
    749. 

  749. 	if err != nil {
    750. 

  750. 		return err
    751. 

  751. 	}
    752. 

  752. 	defer rows.Close()
    753. 

  753. 	if !rows.Next() {
    754. 

  754. 		return a.resolvePerms(a.defaultAccess, perm)
    755. 

  755. 	}
    756. 

  756. 	var read, write bool
    757. 

  757. 	if err := rows.Scan(&read, &write); err != nil {
    758. 

  758. 		return err
    759. 

  759. 	} else if err := rows.Err(); err != nil {
    760. 

  760. 		return err
    761. 

  761. 	}
    762. 

  762. 	return a.resolvePerms(NewPermission(read, write), perm)
    763. 

  763. }
    764. 

  764. 

  765. func (a *Manager) resolvePerms(base, perm Permission) error {
    766. 

  766. 	if perm == PermissionRead && base.IsRead() {
    767. 

  767. 		return nil
    768. 

  768. 	} else if perm == PermissionWrite && base.IsWrite() {
    769. 

  769. 		return nil
    770. 

  770. 	}
    771. 

  771. 	return ErrUnauthorized
    772. 

  772. }
    773. 

  773. 

  774. // AddUser adds a user with the given username, password and role
    775. 

  775. func (a *Manager) AddUser(username, password string, role Role) error {
    776. 

  776. 	if !AllowedUsername(username) || !AllowedRole(role) {
    777. 

  777. 		return ErrInvalidArgument
    778. 

  778. 	}
    779. 

  779. 	hash, err := bcrypt.GenerateFromPassword([]byte(password), a.bcryptCost)
    780. 

  780. 	if err != nil {
    781. 

  781. 		return err
    782. 

  782. 	}
    783. 

  783. 	userID := util.RandomStringPrefix(userIDPrefix, userIDLength)
    784. 

  784. 	syncTopic, now := util.RandomStringPrefix(syncTopicPrefix, syncTopicLength), time.Now().Unix()
    785. 

  785. 	if _, err = a.db.Exec(insertUserQuery, userID, username, hash, role, syncTopic, now); err != nil {
    786. 

  786. 		return err
    787. 

  787. 	}
    788. 

  788. 	return nil
    789. 

  789. }
    790. 

  790. 

  791. // RemoveUser deletes the user with the given username. The function returns nil on success, even
    792. 

  792. // if the user did not exist in the first place.
    793. 

  793. func (a *Manager) RemoveUser(username string) error {
    794. 

  794. 	if !AllowedUsername(username) {
    795. 

  795. 		return ErrInvalidArgument
    796. 

  796. 	}
    797. 

  797. 	// Rows in user_access, user_token, etc. are deleted via foreign keys
    798. 

  798. 	if _, err := a.db.Exec(deleteUserQuery, username); err != nil {
    799. 

  799. 		return err
    800. 

  800. 	}
    801. 

  801. 	return nil
    802. 

  802. }
    803. 

  803. 

  804. // MarkUserRemoved sets the deleted flag on the user, and deletes all access tokens. This prevents
    805. 

  805. // successful auth via Authenticate. A background process will delete the user at a later date.
    806. 

  806. func (a *Manager) MarkUserRemoved(user *User) error {
    807. 

  807. 	if !AllowedUsername(user.Name) {
    808. 

  808. 		return ErrInvalidArgument
    809. 

  809. 	}
    810. 

  810. 	tx, err := a.db.Begin()
    811. 

  811. 	if err != nil {
    812. 

  812. 		return err
    813. 

  813. 	}
    814. 

  814. 	defer tx.Rollback()
    815. 

  815. 	if _, err := tx.Exec(deleteUserAccessQuery, user.Name, user.Name); err != nil {
    816. 

  816. 		return err
    817. 

  817. 	}
    818. 

  818. 	if _, err := tx.Exec(deleteAllTokenQuery, user.ID); err != nil {
    819. 

  819. 		return err
    820. 

  820. 	}
    821. 

  821. 	if _, err := tx.Exec(updateUserDeletedQuery, time.Now().Add(userHardDeleteAfterDuration).Unix(), user.ID); err != nil {
    822. 

  822. 		return err
    823. 

  823. 	}
    824. 

  824. 	return tx.Commit()
    825. 

  825. }
    826. 

  826. 

  827. // Users returns a list of users. It always also returns the Everyone user ("*").
    828. 

  828. func (a *Manager) Users() ([]*User, error) {
    829. 

  829. 	rows, err := a.db.Query(selectUsernamesQuery)
    830. 

  830. 	if err != nil {
    831. 

  831. 		return nil, err
    832. 

  832. 	}
    833. 

  833. 	defer rows.Close()
    834. 

  834. 	usernames := make([]string, 0)
    835. 

  835. 	for rows.Next() {
    836. 

  836. 		var username string
    837. 

  837. 		if err := rows.Scan(&username); err != nil {
    838. 

  838. 			return nil, err
    839. 

  839. 		} else if err := rows.Err(); err != nil {
    840. 

  840. 			return nil, err
    841. 

  841. 		}
    842. 

  842. 		usernames = append(usernames, username)
    843. 

  843. 	}
    844. 

  844. 	rows.Close()
    845. 

  845. 	users := make([]*User, 0)
    846. 

  846. 	for _, username := range usernames {
    847. 

  847. 		user, err := a.User(username)
    848. 

  848. 		if err != nil {
    849. 

  849. 			return nil, err
    850. 

  850. 		}
    851. 

  851. 		users = append(users, user)
    852. 

  852. 	}
    853. 

  853. 	return users, nil
    854. 

  854. }
    855. 

  855. 

  856. // User returns the user with the given username if it exists, or ErrUserNotFound otherwise.
    857. 

  857. // You may also pass Everyone to retrieve the anonymous user and its Grant list.
    858. 

  858. func (a *Manager) User(username string) (*User, error) {
    859. 

  859. 	rows, err := a.db.Query(selectUserByNameQuery, username)
    860. 

  860. 	if err != nil {
    861. 

  861. 		return nil, err
    862. 

  862. 	}
    863. 

  863. 	return a.readUser(rows)
    864. 

  864. }
    865. 

  865. 

  866. // UserByID returns the user with the given ID if it exists, or ErrUserNotFound otherwise
    867. 

  867. func (a *Manager) UserByID(id string) (*User, error) {
    868. 

  868. 	rows, err := a.db.Query(selectUserByIDQuery, id)
    869. 

  869. 	if err != nil {
    870. 

  870. 		return nil, err
    871. 

  871. 	}
    872. 

  872. 	return a.readUser(rows)
    873. 

  873. }
    874. 

  874. 

  875. // UserByStripeCustomer returns the user with the given Stripe customer ID if it exists, or ErrUserNotFound otherwise.
    876. 

  876. func (a *Manager) UserByStripeCustomer(stripeCustomerID string) (*User, error) {
    877. 

  877. 	rows, err := a.db.Query(selectUserByStripeCustomerIDQuery, stripeCustomerID)
    878. 

  878. 	if err != nil {
    879. 

  879. 		return nil, err
    880. 

  880. 	}
    881. 

  881. 	return a.readUser(rows)
    882. 

  882. }
    883. 

  883. 

  884. func (a *Manager) userByToken(token string) (*User, error) {
    885. 

  885. 	rows, err := a.db.Query(selectUserByTokenQuery, token, time.Now().Unix())
    886. 

  886. 	if err != nil {
    887. 

  887. 		return nil, err
    888. 

  888. 	}
    889. 

  889. 	return a.readUser(rows)
    890. 

  890. }
    891. 

  891. 

  892. func (a *Manager) readUser(rows *sql.Rows) (*User, error) {
    893. 

  893. 	defer rows.Close()
    894. 

  894. 	var id, username, hash, role, prefs, syncTopic string
    895. 

  895. 	var stripeCustomerID, stripeSubscriptionID, stripeSubscriptionStatus, stripeSubscriptionInterval, stripeMonthlyPriceID, stripeYearlyPriceID, tierID, tierCode, tierName sql.NullString
    896. 

  896. 	var messages, emails int64
    897. 

  897. 	var messagesLimit, messagesExpiryDuration, emailsLimit, reservationsLimit, attachmentFileSizeLimit, attachmentTotalSizeLimit, attachmentExpiryDuration, attachmentBandwidthLimit, stripeSubscriptionPaidUntil, stripeSubscriptionCancelAt, deleted sql.NullInt64
    898. 

  898. 	if !rows.Next() {
    899. 

  899. 		return nil, ErrUserNotFound
    900. 

  900. 	}
    901. 

  901. 	if err := rows.Scan(&id, &username, &hash, &role, &prefs, &syncTopic, &messages, &emails, &stripeCustomerID, &stripeSubscriptionID, &stripeSubscriptionStatus, &stripeSubscriptionInterval, &stripeSubscriptionPaidUntil, &stripeSubscriptionCancelAt, &deleted, &tierID, &tierCode, &tierName, &messagesLimit, &messagesExpiryDuration, &emailsLimit, &reservationsLimit, &attachmentFileSizeLimit, &attachmentTotalSizeLimit, &attachmentExpiryDuration, &attachmentBandwidthLimit, &stripeMonthlyPriceID, &stripeYearlyPriceID); err != nil {
    902. 

  902. 		return nil, err
    903. 

  903. 	} else if err := rows.Err(); err != nil {
    904. 

  904. 		return nil, err
    905. 

  905. 	}
    906. 

  906. 	user := &User{
    907. 

  907. 		ID:        id,
    908. 

  908. 		Name:      username,
    909. 

  909. 		Hash:      hash,
    910. 

  910. 		Role:      Role(role),
    911. 

  911. 		Prefs:     &Prefs{},
    912. 

  912. 		SyncTopic: syncTopic,
    913. 

  913. 		Stats: &Stats{
    914. 

  914. 			Messages: messages,
    915. 

  915. 			Emails:   emails,
    916. 

  916. 		},
    917. 

  917. 		Billing: &Billing{
    918. 

  918. 			StripeCustomerID:            stripeCustomerID.String,                                          // May be empty
    919. 

  919. 			StripeSubscriptionID:        stripeSubscriptionID.String,                                      // May be empty
    920. 

  920. 			StripeSubscriptionStatus:    stripe.SubscriptionStatus(stripeSubscriptionStatus.String),       // May be empty
    921. 

  921. 			StripeSubscriptionInterval:  stripe.PriceRecurringInterval(stripeSubscriptionInterval.String), // May be empty
    922. 

  922. 			StripeSubscriptionPaidUntil: time.Unix(stripeSubscriptionPaidUntil.Int64, 0),                  // May be zero
    923. 

  923. 			StripeSubscriptionCancelAt:  time.Unix(stripeSubscriptionCancelAt.Int64, 0),                   // May be zero
    924. 

  924. 		},
    925. 

  925. 		Deleted: deleted.Valid,
    926. 

  926. 	}
    927. 

  927. 	if err := json.Unmarshal([]byte(prefs), user.Prefs); err != nil {
    928. 

  928. 		return nil, err
    929. 

  929. 	}
    930. 

  930. 	if tierCode.Valid {
    931. 

  931. 		// See readTier() when this is changed!
    932. 

  932. 		user.Tier = &Tier{
    933. 

  933. 			ID:                       tierID.String,
    934. 

  934. 			Code:                     tierCode.String,
    935. 

  935. 			Name:                     tierName.String,
    936. 

  936. 			MessageLimit:             messagesLimit.Int64,
    937. 

  937. 			MessageExpiryDuration:    time.Duration(messagesExpiryDuration.Int64) * time.Second,
    938. 

  938. 			EmailLimit:               emailsLimit.Int64,
    939. 

  939. 			ReservationLimit:         reservationsLimit.Int64,
    940. 

  940. 			AttachmentFileSizeLimit:  attachmentFileSizeLimit.Int64,
    941. 

  941. 			AttachmentTotalSizeLimit: attachmentTotalSizeLimit.Int64,
    942. 

  942. 			AttachmentExpiryDuration: time.Duration(attachmentExpiryDuration.Int64) * time.Second,
    943. 

  943. 			AttachmentBandwidthLimit: attachmentBandwidthLimit.Int64,
    944. 

  944. 			StripeMonthlyPriceID:     stripeMonthlyPriceID.String, // May be empty
    945. 

  945. 			StripeYearlyPriceID:      stripeYearlyPriceID.String,  // May be empty
    946. 

  946. 		}
    947. 

  947. 	}
    948. 

  948. 	return user, nil
    949. 

  949. }
    950. 

  950. 

  951. // Grants returns all user-specific access control entries
    952. 

  952. func (a *Manager) Grants(username string) ([]Grant, error) {
    953. 

  953. 	rows, err := a.db.Query(selectUserAccessQuery, username)
    954. 

  954. 	if err != nil {
    955. 

  955. 		return nil, err
    956. 

  956. 	}
    957. 

  957. 	defer rows.Close()
    958. 

  958. 	grants := make([]Grant, 0)
    959. 

  959. 	for rows.Next() {
    960. 

  960. 		var topic string
    961. 

  961. 		var read, write bool
    962. 

  962. 		if err := rows.Scan(&topic, &read, &write); err != nil {
    963. 

  963. 			return nil, err
    964. 

  964. 		} else if err := rows.Err(); err != nil {
    965. 

  965. 			return nil, err
    966. 

  966. 		}
    967. 

  967. 		grants = append(grants, Grant{
    968. 

  968. 			TopicPattern: fromSQLWildcard(topic),
    969. 

  969. 			Allow:        NewPermission(read, write),
    970. 

  970. 		})
    971. 

  971. 	}
    972. 

  972. 	return grants, nil
    973. 

  973. }
    974. 

  974. 

  975. // Reservations returns all user-owned topics, and the associated everyone-access
    976. 

  976. func (a *Manager) Reservations(username string) ([]Reservation, error) {
    977. 

  977. 	rows, err := a.db.Query(selectUserReservationsQuery, Everyone, username)
    978. 

  978. 	if err != nil {
    979. 

  979. 		return nil, err
    980. 

  980. 	}
    981. 

  981. 	defer rows.Close()
    982. 

  982. 	reservations := make([]Reservation, 0)
    983. 

  983. 	for rows.Next() {
    984. 

  984. 		var topic string
    985. 

  985. 		var ownerRead, ownerWrite bool
    986. 

  986. 		var everyoneRead, everyoneWrite sql.NullBool
    987. 

  987. 		if err := rows.Scan(&topic, &ownerRead, &ownerWrite, &everyoneRead, &everyoneWrite); err != nil {
    988. 

  988. 			return nil, err
    989. 

  989. 		} else if err := rows.Err(); err != nil {
    990. 

  990. 			return nil, err
    991. 

  991. 		}
    992. 

  992. 		reservations = append(reservations, Reservation{
    993. 

  993. 			Topic:    topic,
    994. 

  994. 			Owner:    NewPermission(ownerRead, ownerWrite),
    995. 

  995. 			Everyone: NewPermission(everyoneRead.Bool, everyoneWrite.Bool), // false if null
    996. 

  996. 		})
    997. 

  997. 	}
    998. 

  998. 	return reservations, nil
    999. 

  999. }
    1000. 

  1000. 

  1001. // HasReservation returns true if the given topic access is owned by the user
    1002. 

  1002. func (a *Manager) HasReservation(username, topic string) (bool, error) {
    1003. 

  1003. 	rows, err := a.db.Query(selectUserHasReservationQuery, username, topic)
    1004. 

  1004. 	if err != nil {
    1005. 

  1005. 		return false, err
    1006. 

  1006. 	}
    1007. 

  1007. 	defer rows.Close()
    1008. 

  1008. 	if !rows.Next() {
    1009. 

  1009. 		return false, errNoRows
    1010. 

  1010. 	}
    1011. 

  1011. 	var count int64
    1012. 

  1012. 	if err := rows.Scan(&count); err != nil {
    1013. 

  1013. 		return false, err
    1014. 

  1014. 	}
    1015. 

  1015. 	return count > 0, nil
    1016. 

  1016. }
    1017. 

  1017. 

  1018. // ReservationsCount returns the number of reservations owned by this user
    1019. 

  1019. func (a *Manager) ReservationsCount(username string) (int64, error) {
    1020. 

  1020. 	rows, err := a.db.Query(selectUserReservationsCountQuery, username)
    1021. 

  1021. 	if err != nil {
    1022. 

  1022. 		return 0, err
    1023. 

  1023. 	}
    1024. 

  1024. 	defer rows.Close()
    1025. 

  1025. 	if !rows.Next() {
    1026. 

  1026. 		return 0, errNoRows
    1027. 

  1027. 	}
    1028. 

  1028. 	var count int64
    1029. 

  1029. 	if err := rows.Scan(&count); err != nil {
    1030. 

  1030. 		return 0, err
    1031. 

  1031. 	}
    1032. 

  1032. 	return count, nil
    1033. 

  1033. }
    1034. 

  1034. 

  1035. // ReservationOwner returns user ID of the user that owns this topic, or an
    1036. 

  1036. // empty string if it's not owned by anyone
    1037. 

  1037. func (a *Manager) ReservationOwner(topic string) (string, error) {
    1038. 

  1038. 	rows, err := a.db.Query(selectUserReservationsOwnerQuery, topic)
    1039. 

  1039. 	if err != nil {
    1040. 

  1040. 		return "", err
    1041. 

  1041. 	}
    1042. 

  1042. 	defer rows.Close()
    1043. 

  1043. 	if !rows.Next() {
    1044. 

  1044. 		return "", nil
    1045. 

  1045. 	}
    1046. 

  1046. 	var ownerUserID string
    1047. 

  1047. 	if err := rows.Scan(&ownerUserID); err != nil {
    1048. 

  1048. 		return "", err
    1049. 

  1049. 	}
    1050. 

  1050. 	return ownerUserID, nil
    1051. 

  1051. }
    1052. 

  1052. 

  1053. // ChangePassword changes a user's password
    1054. 

  1054. func (a *Manager) ChangePassword(username, password string) error {
    1055. 

  1055. 	hash, err := bcrypt.GenerateFromPassword([]byte(password), a.bcryptCost)
    1056. 

  1056. 	if err != nil {
    1057. 

  1057. 		return err
    1058. 

  1058. 	}
    1059. 

  1059. 	if _, err := a.db.Exec(updateUserPassQuery, hash, username); err != nil {
    1060. 

  1060. 		return err
    1061. 

  1061. 	}
    1062. 

  1062. 	return nil
    1063. 

  1063. }
    1064. 

  1064. 

  1065. // ChangeRole changes a user's role. When a role is changed from RoleUser to RoleAdmin,
    1066. 

  1066. // all existing access control entries (Grant) are removed, since they are no longer needed.
    1067. 

  1067. func (a *Manager) ChangeRole(username string, role Role) error {
    1068. 

  1068. 	if !AllowedUsername(username) || !AllowedRole(role) {
    1069. 

  1069. 		return ErrInvalidArgument
    1070. 

  1070. 	}
    1071. 

  1071. 	if _, err := a.db.Exec(updateUserRoleQuery, string(role), username); err != nil {
    1072. 

  1072. 		return err
    1073. 

  1073. 	}
    1074. 

  1074. 	if role == RoleAdmin {
    1075. 

  1075. 		if _, err := a.db.Exec(deleteUserAccessQuery, username, username); err != nil {
    1076. 

  1076. 			return err
    1077. 

  1077. 		}
    1078. 

  1078. 	}
    1079. 

  1079. 	return nil
    1080. 

  1080. }
    1081. 

  1081. 

  1082. // ChangeTier changes a user's tier using the tier code. This function does not delete reservations, messages,
    1083. 

  1083. // or attachments, even if the new tier has lower limits in this regard. That has to be done elsewhere.
    1084. 

  1084. func (a *Manager) ChangeTier(username, tier string) error {
    1085. 

  1085. 	if !AllowedUsername(username) {
    1086. 

  1086. 		return ErrInvalidArgument
    1087. 

  1087. 	}
    1088. 

  1088. 	t, err := a.Tier(tier)
    1089. 

  1089. 	if err != nil {
    1090. 

  1090. 		return err
    1091. 

  1091. 	} else if err := a.checkReservationsLimit(username, t.ReservationLimit); err != nil {
    1092. 

  1092. 		return err
    1093. 

  1093. 	}
    1094. 

  1094. 	if _, err := a.db.Exec(updateUserTierQuery, tier, username); err != nil {
    1095. 

  1095. 		return err
    1096. 

  1096. 	}
    1097. 

  1097. 	return nil
    1098. 

  1098. }
    1099. 

  1099. 

  1100. // ResetTier removes the tier from the given user
    1101. 

  1101. func (a *Manager) ResetTier(username string) error {
    1102. 

  1102. 	if !AllowedUsername(username) && username != Everyone && username != "" {
    1103. 

  1103. 		return ErrInvalidArgument
    1104. 

  1104. 	} else if err := a.checkReservationsLimit(username, 0); err != nil {
    1105. 

  1105. 		return err
    1106. 

  1106. 	}
    1107. 

  1107. 	_, err := a.db.Exec(deleteUserTierQuery, username)
    1108. 

  1108. 	return err
    1109. 

  1109. }
    1110. 

  1110. 

  1111. func (a *Manager) checkReservationsLimit(username string, reservationsLimit int64) error {
    1112. 

  1112. 	u, err := a.User(username)
    1113. 

  1113. 	if err != nil {
    1114. 

  1114. 		return err
    1115. 

  1115. 	}
    1116. 

  1116. 	if u.Tier != nil && reservationsLimit < u.Tier.ReservationLimit {
    1117. 

  1117. 		reservations, err := a.Reservations(username)
    1118. 

  1118. 		if err != nil {
    1119. 

  1119. 			return err
    1120. 

  1120. 		} else if int64(len(reservations)) > reservationsLimit {
    1121. 

  1121. 			return ErrTooManyReservations
    1122. 

  1122. 		}
    1123. 

  1123. 	}
    1124. 

  1124. 	return nil
    1125. 

  1125. }
    1126. 

  1126. 

  1127. // AllowReservation tests if a user may create an access control entry for the given topic.
    1128. 

  1128. // If there are any ACL entries that are not owned by the user, an error is returned.
    1129. 

  1129. func (a *Manager) AllowReservation(username string, topic string) error {
    1130. 

  1130. 	if (!AllowedUsername(username) && username != Everyone) || !AllowedTopic(topic) {
    1131. 

  1131. 		return ErrInvalidArgument
    1132. 

  1132. 	}
    1133. 

  1133. 	rows, err := a.db.Query(selectOtherAccessCountQuery, topic, topic, username)
    1134. 

  1134. 	if err != nil {
    1135. 

  1135. 		return err
    1136. 

  1136. 	}
    1137. 

  1137. 	defer rows.Close()
    1138. 

  1138. 	if !rows.Next() {
    1139. 

  1139. 		return errNoRows
    1140. 

  1140. 	}
    1141. 

  1141. 	var otherCount int
    1142. 

  1142. 	if err := rows.Scan(&otherCount); err != nil {
    1143. 

  1143. 		return err
    1144. 

  1144. 	}
    1145. 

  1145. 	if otherCount > 0 {
    1146. 

  1146. 		return errTopicOwnedByOthers
    1147. 

  1147. 	}
    1148. 

  1148. 	return nil
    1149. 

  1149. }
    1150. 

  1150. 

  1151. // AllowAccess adds or updates an entry in th access control list for a specific user. It controls
    1152. 

  1152. // read/write access to a topic. The parameter topicPattern may include wildcards (*). The ACL entry
    1153. 

  1153. // owner may either be a user (username), or the system (empty).
    1154. 

  1154. func (a *Manager) AllowAccess(username string, topicPattern string, permission Permission) error {
    1155. 

  1155. 	if !AllowedUsername(username) && username != Everyone {
    1156. 

  1156. 		return ErrInvalidArgument
    1157. 

  1157. 	} else if !AllowedTopicPattern(topicPattern) {
    1158. 

  1158. 		return ErrInvalidArgument
    1159. 

  1159. 	}
    1160. 

  1160. 	owner := ""
    1161. 

  1161. 	if _, err := a.db.Exec(upsertUserAccessQuery, username, toSQLWildcard(topicPattern), permission.IsRead(), permission.IsWrite(), owner, owner); err != nil {
    1162. 

  1162. 		return err
    1163. 

  1163. 	}
    1164. 

  1164. 	return nil
    1165. 

  1165. }
    1166. 

  1166. 

  1167. // ResetAccess removes an access control list entry for a specific username/topic, or (if topic is
    1168. 

  1168. // empty) for an entire user. The parameter topicPattern may include wildcards (*).
    1169. 

  1169. func (a *Manager) ResetAccess(username string, topicPattern string) error {
    1170. 

  1170. 	if !AllowedUsername(username) && username != Everyone && username != "" {
    1171. 

  1171. 		return ErrInvalidArgument
    1172. 

  1172. 	} else if !AllowedTopicPattern(topicPattern) && topicPattern != "" {
    1173. 

  1173. 		return ErrInvalidArgument
    1174. 

  1174. 	}
    1175. 

  1175. 	if username == "" && topicPattern == "" {
    1176. 

  1176. 		_, err := a.db.Exec(deleteAllAccessQuery, username)
    1177. 

  1177. 		return err
    1178. 

  1178. 	} else if topicPattern == "" {
    1179. 

  1179. 		_, err := a.db.Exec(deleteUserAccessQuery, username, username)
    1180. 

  1180. 		return err
    1181. 

  1181. 	}
    1182. 

  1182. 	_, err := a.db.Exec(deleteTopicAccessQuery, username, username, toSQLWildcard(topicPattern))
    1183. 

  1183. 	return err
    1184. 

  1184. }
    1185. 

  1185. 

  1186. // AddReservation creates two access control entries for the given topic: one with full read/write access for the
    1187. 

  1187. // given user, and one for Everyone with the permission passed as everyone. The user also owns the entries, and
    1188. 

  1188. // can modify or delete them.
    1189. 

  1189. func (a *Manager) AddReservation(username string, topic string, everyone Permission) error {
    1190. 

  1190. 	if !AllowedUsername(username) || username == Everyone || !AllowedTopic(topic) {
    1191. 

  1191. 		return ErrInvalidArgument
    1192. 

  1192. 	}
    1193. 

  1193. 	tx, err := a.db.Begin()
    1194. 

  1194. 	if err != nil {
    1195. 

  1195. 		return err
    1196. 

  1196. 	}
    1197. 

  1197. 	defer tx.Rollback()
    1198. 

  1198. 	if _, err := tx.Exec(upsertUserAccessQuery, username, topic, true, true, username, username); err != nil {
    1199. 

  1199. 		return err
    1200. 

  1200. 	}
    1201. 

  1201. 	if _, err := tx.Exec(upsertUserAccessQuery, Everyone, topic, everyone.IsRead(), everyone.IsWrite(), username, username); err != nil {
    1202. 

  1202. 		return err
    1203. 

  1203. 	}
    1204. 

  1204. 	return tx.Commit()
    1205. 

  1205. }
    1206. 

  1206. 

  1207. // RemoveReservations deletes the access control entries associated with the given username/topic, as
    1208. 

  1208. // well as all entries with Everyone/topic. This is the counterpart for AddReservation.
    1209. 

  1209. func (a *Manager) RemoveReservations(username string, topics ...string) error {
    1210. 

  1210. 	if !AllowedUsername(username) || username == Everyone || len(topics) == 0 {
    1211. 

  1211. 		return ErrInvalidArgument
    1212. 

  1212. 	}
    1213. 

  1213. 	for _, topic := range topics {
    1214. 

  1214. 		if !AllowedTopic(topic) {
    1215. 

  1215. 			return ErrInvalidArgument
    1216. 

  1216. 		}
    1217. 

  1217. 	}
    1218. 

  1218. 	tx, err := a.db.Begin()
    1219. 

  1219. 	if err != nil {
    1220. 

  1220. 		return err
    1221. 

  1221. 	}
    1222. 

  1222. 	defer tx.Rollback()
    1223. 

  1223. 	for _, topic := range topics {
    1224. 

  1224. 		if _, err := tx.Exec(deleteTopicAccessQuery, username, username, topic); err != nil {
    1225. 

  1225. 			return err
    1226. 

  1226. 		}
    1227. 

  1227. 		if _, err := tx.Exec(deleteTopicAccessQuery, Everyone, Everyone, topic); err != nil {
    1228. 

  1228. 			return err
    1229. 

  1229. 		}
    1230. 

  1230. 	}
    1231. 

  1231. 	return tx.Commit()
    1232. 

  1232. }
    1233. 

  1233. 

  1234. // DefaultAccess returns the default read/write access if no access control entry matches
    1235. 

  1235. func (a *Manager) DefaultAccess() Permission {
    1236. 

  1236. 	return a.defaultAccess
    1237. 

  1237. }
    1238. 

  1238. 

  1239. // AddTier creates a new tier in the database
    1240. 

  1240. func (a *Manager) AddTier(tier *Tier) error {
    1241. 

  1241. 	if tier.ID == "" {
    1242. 

  1242. 		tier.ID = util.RandomStringPrefix(tierIDPrefix, tierIDLength)
    1243. 

  1243. 	}
    1244. 

  1244. 	if _, err := a.db.Exec(insertTierQuery, tier.ID, tier.Code, tier.Name, tier.MessageLimit, int64(tier.MessageExpiryDuration.Seconds()), tier.EmailLimit, tier.ReservationLimit, tier.AttachmentFileSizeLimit, tier.AttachmentTotalSizeLimit, int64(tier.AttachmentExpiryDuration.Seconds()), tier.AttachmentBandwidthLimit, nullString(tier.StripeMonthlyPriceID), nullString(tier.StripeYearlyPriceID)); err != nil {
    1245. 

  1245. 		return err
    1246. 

  1246. 	}
    1247. 

  1247. 	return nil
    1248. 

  1248. }
    1249. 

  1249. 

  1250. // UpdateTier updates a tier's properties in the database
    1251. 

  1251. func (a *Manager) UpdateTier(tier *Tier) error {
    1252. 

  1252. 	if _, err := a.db.Exec(updateTierQuery, tier.Name, tier.MessageLimit, int64(tier.MessageExpiryDuration.Seconds()), tier.EmailLimit, tier.ReservationLimit, tier.AttachmentFileSizeLimit, tier.AttachmentTotalSizeLimit, int64(tier.AttachmentExpiryDuration.Seconds()), tier.AttachmentBandwidthLimit, nullString(tier.StripeMonthlyPriceID), nullString(tier.StripeYearlyPriceID), tier.Code); err != nil {
    1253. 

  1253. 		return err
    1254. 

  1254. 	}
    1255. 

  1255. 	return nil
    1256. 

  1256. }
    1257. 

  1257. 

  1258. // RemoveTier deletes the tier with the given code
    1259. 

  1259. func (a *Manager) RemoveTier(code string) error {
    1260. 

  1260. 	if !AllowedTier(code) {
    1261. 

  1261. 		return ErrInvalidArgument
    1262. 

  1262. 	}
    1263. 

  1263. 	// This fails if any user has this tier
    1264. 

  1264. 	if _, err := a.db.Exec(deleteTierQuery, code); err != nil {
    1265. 

  1265. 		return err
    1266. 

  1266. 	}
    1267. 

  1267. 	return nil
    1268. 

  1268. }
    1269. 

  1269. 

  1270. // ChangeBilling updates a user's billing fields, namely the Stripe customer ID, and subscription information
    1271. 

  1271. func (a *Manager) ChangeBilling(username string, billing *Billing) error {
    1272. 

  1272. 	if _, err := a.db.Exec(updateBillingQuery, nullString(billing.StripeCustomerID), nullString(billing.StripeSubscriptionID), nullString(string(billing.StripeSubscriptionStatus)), nullString(string(billing.StripeSubscriptionInterval)), nullInt64(billing.StripeSubscriptionPaidUntil.Unix()), nullInt64(billing.StripeSubscriptionCancelAt.Unix()), username); err != nil {
    1273. 

  1273. 		return err
    1274. 

  1274. 	}
    1275. 

  1275. 	return nil
    1276. 

  1276. }
    1277. 

  1277. 

  1278. // Tiers returns a list of all Tier structs
    1279. 

  1279. func (a *Manager) Tiers() ([]*Tier, error) {
    1280. 

  1280. 	rows, err := a.db.Query(selectTiersQuery)
    1281. 

  1281. 	if err != nil {
    1282. 

  1282. 		return nil, err
    1283. 

  1283. 	}
    1284. 

  1284. 	defer rows.Close()
    1285. 

  1285. 	tiers := make([]*Tier, 0)
    1286. 

  1286. 	for {
    1287. 

  1287. 		tier, err := a.readTier(rows)
    1288. 

  1288. 		if err == ErrTierNotFound {
    1289. 

  1289. 			break
    1290. 

  1290. 		} else if err != nil {
    1291. 

  1291. 			return nil, err
    1292. 

  1292. 		}
    1293. 

  1293. 		tiers = append(tiers, tier)
    1294. 

  1294. 	}
    1295. 

  1295. 	return tiers, nil
    1296. 

  1296. }
    1297. 

  1297. 

  1298. // Tier returns a Tier based on the code, or ErrTierNotFound if it does not exist
    1299. 

  1299. func (a *Manager) Tier(code string) (*Tier, error) {
    1300. 

  1300. 	rows, err := a.db.Query(selectTierByCodeQuery, code)
    1301. 

  1301. 	if err != nil {
    1302. 

  1302. 		return nil, err
    1303. 

  1303. 	}
    1304. 

  1304. 	defer rows.Close()
    1305. 

  1305. 	return a.readTier(rows)
    1306. 

  1306. }
    1307. 

  1307. 

  1308. // TierByStripePrice returns a Tier based on the Stripe price ID, or ErrTierNotFound if it does not exist
    1309. 

  1309. func (a *Manager) TierByStripePrice(priceID string) (*Tier, error) {
    1310. 

  1310. 	rows, err := a.db.Query(selectTierByPriceIDQuery, priceID, priceID)
    1311. 

  1311. 	if err != nil {
    1312. 

  1312. 		return nil, err
    1313. 

  1313. 	}
    1314. 

  1314. 	defer rows.Close()
    1315. 

  1315. 	return a.readTier(rows)
    1316. 

  1316. }
    1317. 

  1317. 

  1318. func (a *Manager) readTier(rows *sql.Rows) (*Tier, error) {
    1319. 

  1319. 	var id, code, name string
    1320. 

  1320. 	var stripeMonthlyPriceID, stripeYearlyPriceID sql.NullString
    1321. 

  1321. 	var messagesLimit, messagesExpiryDuration, emailsLimit, reservationsLimit, attachmentFileSizeLimit, attachmentTotalSizeLimit, attachmentExpiryDuration, attachmentBandwidthLimit sql.NullInt64
    1322. 

  1322. 	if !rows.Next() {
    1323. 

  1323. 		return nil, ErrTierNotFound
    1324. 

  1324. 	}
    1325. 

  1325. 	if err := rows.Scan(&id, &code, &name, &messagesLimit, &messagesExpiryDuration, &emailsLimit, &reservationsLimit, &attachmentFileSizeLimit, &attachmentTotalSizeLimit, &attachmentExpiryDuration, &attachmentBandwidthLimit, &stripeMonthlyPriceID, &stripeYearlyPriceID); err != nil {
    1326. 

  1326. 		return nil, err
    1327. 

  1327. 	} else if err := rows.Err(); err != nil {
    1328. 

  1328. 		return nil, err
    1329. 

  1329. 	}
    1330. 

  1330. 	// When changed, note readUser() as well
    1331. 

  1331. 	return &Tier{
    1332. 

  1332. 		ID:                       id,
    1333. 

  1333. 		Code:                     code,
    1334. 

  1334. 		Name:                     name,
    1335. 

  1335. 		MessageLimit:             messagesLimit.Int64,
    1336. 

  1336. 		MessageExpiryDuration:    time.Duration(messagesExpiryDuration.Int64) * time.Second,
    1337. 

  1337. 		EmailLimit:               emailsLimit.Int64,
    1338. 

  1338. 		ReservationLimit:         reservationsLimit.Int64,
    1339. 

  1339. 		AttachmentFileSizeLimit:  attachmentFileSizeLimit.Int64,
    1340. 

  1340. 		AttachmentTotalSizeLimit: attachmentTotalSizeLimit.Int64,
    1341. 

  1341. 		AttachmentExpiryDuration: time.Duration(attachmentExpiryDuration.Int64) * time.Second,
    1342. 

  1342. 		AttachmentBandwidthLimit: attachmentBandwidthLimit.Int64,
    1343. 

  1343. 		StripeMonthlyPriceID:     stripeMonthlyPriceID.String, // May be empty
    1344. 

  1344. 		StripeYearlyPriceID:      stripeYearlyPriceID.String,  // May be empty
    1345. 

  1345. 	}, nil
    1346. 

  1346. }
    1347. 

  1347. 

  1348. // Close closes the underlying database
    1349. 

  1349. func (a *Manager) Close() error {
    1350. 

  1350. 	return a.db.Close()
    1351. 

  1351. }
    1352. 

  1352. 

  1353. func toSQLWildcard(s string) string {
    1354. 

  1354. 	return strings.ReplaceAll(s, "*", "%")
    1355. 

  1355. }
    1356. 

  1356. 

  1357. func fromSQLWildcard(s string) string {
    1358. 

  1358. 	return strings.ReplaceAll(s, "%", "*")
    1359. 

  1359. }
    1360. 

  1360. 

  1361. func runStartupQueries(db *sql.DB, startupQueries string) error {
    1362. 

  1362. 	if _, err := db.Exec(startupQueries); err != nil {
    1363. 

  1363. 		return err
    1364. 

  1364. 	}
    1365. 

  1365. 	if _, err := db.Exec(builtinStartupQueries); err != nil {
    1366. 

  1366. 		return err
    1367. 

  1367. 	}
    1368. 

  1368. 	return nil
    1369. 

  1369. }
    1370. 

  1370. 

  1371. func setupDB(db *sql.DB) error {
    1372. 

  1372. 	// If 'schemaVersion' table does not exist, this must be a new database
    1373. 

  1373. 	rowsSV, err := db.Query(selectSchemaVersionQuery)
    1374. 

  1374. 	if err != nil {
    1375. 

  1375. 		return setupNewDB(db)
    1376. 

  1376. 	}
    1377. 

  1377. 	defer rowsSV.Close()
    1378. 

  1378. 

  1379. 	// If 'schemaVersion' table exists, read version and potentially upgrade
    1380. 

  1380. 	schemaVersion := 0
    1381. 

  1381. 	if !rowsSV.Next() {
    1382. 

  1382. 		return errors.New("cannot determine schema version: database file may be corrupt")
    1383. 

  1383. 	}
    1384. 

  1384. 	if err := rowsSV.Scan(&schemaVersion); err != nil {
    1385. 

  1385. 		return err
    1386. 

  1386. 	}
    1387. 

  1387. 	rowsSV.Close()
    1388. 

  1388. 

  1389. 	// Do migrations
    1390. 

  1390. 	if schemaVersion == currentSchemaVersion {
    1391. 

  1391. 		return nil
    1392. 

  1392. 	} else if schemaVersion > currentSchemaVersion {
    1393. 

  1393. 		return fmt.Errorf("unexpected schema version: version %d is higher than current version %d", schemaVersion, currentSchemaVersion)
    1394. 

  1394. 	}
    1395. 

  1395. 	for i := schemaVersion; i < currentSchemaVersion; i++ {
    1396. 

  1396. 		fn, ok := migrations[i]
    1397. 

  1397. 		if !ok {
    1398. 

  1398. 			return fmt.Errorf("cannot find migration step from schema version %d to %d", i, i+1)
    1399. 

  1399. 		} else if err := fn(db); err != nil {
    1400. 

  1400. 			return err
    1401. 

  1401. 		}
    1402. 

  1402. 	}
    1403. 

  1403. 	return nil
    1404. 

  1404. }
    1405. 

  1405. 

  1406. func setupNewDB(db *sql.DB) error {
    1407. 

  1407. 	if _, err := db.Exec(createTablesQueries); err != nil {
    1408. 

  1408. 		return err
    1409. 

  1409. 	}
    1410. 

  1410. 	if _, err := db.Exec(insertSchemaVersion, currentSchemaVersion); err != nil {
    1411. 

  1411. 		return err
    1412. 

  1412. 	}
    1413. 

  1413. 	return nil
    1414. 

  1414. }
    1415. 

  1415. 

  1416. func migrateFrom1(db *sql.DB) error {
    1417. 

  1417. 	log.Tag(tag).Info("Migrating user database schema: from 1 to 2")
    1418. 

  1418. 	tx, err := db.Begin()
    1419. 

  1419. 	if err != nil {
    1420. 

  1420. 		return err
    1421. 

  1421. 	}
    1422. 

  1422. 	defer tx.Rollback()
    1423. 

  1423. 	// Rename user -> user_old, and create new tables
    1424. 

  1424. 	if _, err := tx.Exec(migrate1To2CreateTablesQueries); err != nil {
    1425. 

  1425. 		return err
    1426. 

  1426. 	}
    1427. 

  1427. 	// Insert users from user_old into new user table, with ID and sync_topic
    1428. 

  1428. 	rows, err := tx.Query(migrate1To2SelectAllOldUsernamesNoTx)
    1429. 

  1429. 	if err != nil {
    1430. 

  1430. 		return err
    1431. 

  1431. 	}
    1432. 

  1432. 	defer rows.Close()
    1433. 

  1433. 	usernames := make([]string, 0)
    1434. 

  1434. 	for rows.Next() {
    1435. 

  1435. 		var username string
    1436. 

  1436. 		if err := rows.Scan(&username); err != nil {
    1437. 

  1437. 			return err
    1438. 

  1438. 		}
    1439. 

  1439. 		usernames = append(usernames, username)
    1440. 

  1440. 	}
    1441. 

  1441. 	if err := rows.Close(); err != nil {
    1442. 

  1442. 		return err
    1443. 

  1443. 	}
    1444. 

  1444. 	for _, username := range usernames {
    1445. 

  1445. 		userID := util.RandomStringPrefix(userIDPrefix, userIDLength)
    1446. 

  1446. 		syncTopic := util.RandomStringPrefix(syncTopicPrefix, syncTopicLength)
    1447. 

  1447. 		if _, err := tx.Exec(migrate1To2InsertUserNoTx, userID, syncTopic, username); err != nil {
    1448. 

  1448. 			return err
    1449. 

  1449. 		}
    1450. 

  1450. 	}
    1451. 

  1451. 	// Migrate old "access" table to "user_access" and drop "access" and "user_old"
    1452. 

  1452. 	if _, err := tx.Exec(migrate1To2InsertFromOldTablesAndDropNoTx); err != nil {
    1453. 

  1453. 		return err
    1454. 

  1454. 	}
    1455. 

  1455. 	if _, err := tx.Exec(updateSchemaVersion, 2); err != nil {
    1456. 

  1456. 		return err
    1457. 

  1457. 	}
    1458. 

  1458. 	if err := tx.Commit(); err != nil {
    1459. 

  1459. 		return err
    1460. 

  1460. 	}
    1461. 

  1461. 	return nil
    1462. 

  1462. }
    1463. 

  1463. 

  1464. func migrateFrom2(db *sql.DB) error {
    1465. 

  1465. 	log.Tag(tag).Info("Migrating user database schema: from 2 to 3")
    1466. 

  1466. 	tx, err := db.Begin()
    1467. 

  1467. 	if err != nil {
    1468. 

  1468. 		return err
    1469. 

  1469. 	}
    1470. 

  1470. 	defer tx.Rollback()
    1471. 

  1471. 	if _, err := tx.Exec(migrate2To3UpdateQueries); err != nil {
    1472. 

  1472. 		return err
    1473. 

  1473. 	}
    1474. 

  1474. 	if _, err := tx.Exec(updateSchemaVersion, 3); err != nil {
    1475. 

  1475. 		return err
    1476. 

  1476. 	}
    1477. 

  1477. 	return tx.Commit()
    1478. 

  1478. }
    1479. 

  1479. 

  1480. func nullString(s string) sql.NullString {
    1481. 

  1481. 	if s == "" {
    1482. 

  1482. 		return sql.NullString{}
    1483. 

  1483. 	}
    1484. 

  1484. 	return sql.NullString{String: s, Valid: true}
    1485. 

  1485. }
    1486. 

  1486. 

  1487. func nullInt64(v int64) sql.NullInt64 {
    1488. 

  1488. 	if v == 0 {
    1489. 

  1489. 		return sql.NullInt64{}
    1490. 

  1490. 	}
    1491. 

  1491. 	return sql.NullInt64{Int64: v, Valid: true}
    1492. 

  1492. }
    1493.