feat: cache result of basic

Author: shaj13

auth/info.go

@@ -11,6 +11,10 @@ type Info interface {
 	Groups() []string
 	// Extensions can contain any additional information.
 	Extensions() map[string][]string
+	// SetGroups set the names of the groups the user is a member of.
+	SetGroups(groups []string)
+	// SetExtensions to contain additional information.
+	SetExtensions(exts map[string][]string)
 }
 
 // DefaultUser implement Info interface and provides a simple user information.

auth/strategies/basic/basic.go

@@ -7,7 +7,11 @@ import (
 	"errors"
 	"net/http"
 
+	"golang.org/x/crypto/bcrypt"
+
 	"github.com/shaj13/go-guardian/auth"
+	gerrors "github.com/shaj13/go-guardian/errors"
+	"github.com/shaj13/go-guardian/store"
 )
 
 // ErrMissingPrams is returned by Authenticate Strategy method,
@@ -18,6 +22,10 @@ var ErrMissingPrams = errors.New("basic: Request missing BasicAuth")
 // commonly used when enable/add strategy to go-passport authenticator.
 const StrategyKey = auth.StrategyKey("Basic.Strategy")
 
+// ExtensionKey represents a key for the hashed password in info extensions.
+// Typically used when basic strategy cache the authentication decisions.
+const ExtensionKey = "x-go-guardian-basic-hash"
+
 // Authenticate declare custom function to authenticate request using user credentials.
 // the authenticate function invoked by Authenticate Strategy method after extracting user credentials
 // to compare against DB or ather service, if extracting user credentials from request failed a nil info
@@ -44,3 +52,72 @@ func (auth Authenticate) credentials(r *http.Request) (string, string, error) {
 
 	return user, pass, nil
 }
+
+type cachedBasic struct {
+	cache    store.Cache
+	authFunc Authenticate
+}
+
+func (c *cachedBasic) authenticate(ctx context.Context, r *http.Request, userName, password string) (auth.Info, error) { // nolint:lll
+	v, ok, err := c.cache.Load(userName, r)
+
+	if err != nil {
+		return nil, err
+	}
+
+	// if info not found invoke user authenticate function
+	if !ok {
+		return c.authenticatAndHash(ctx, r, userName, password)
+	}
+
+	if _, ok := v.(auth.Info); !ok {
+		return nil, gerrors.NewInvalidType((*auth.Info)(nil), v)
+	}
+
+	info := v.(auth.Info)
+	ext := info.Extensions()
+	hash, ok := ext[ExtensionKey]
+
+	if !ok {
+		return c.authenticatAndHash(ctx, r, userName, password)
+	}
+
+	err = bcrypt.CompareHashAndPassword([]byte(hash[0]), []byte(password))
+	return info, err
+}
+
+func (c *cachedBasic) authenticatAndHash(ctx context.Context, r *http.Request, userName, password string) (auth.Info, error) { //nolint:lll
+	info, err := c.authFunc(ctx, r, userName, password)
+	if err != nil {
+		return nil, err
+	}
+
+	ext := info.Extensions()
+	if ext == nil {
+		ext = make(map[string][]string)
+	}
+
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+
+	// if failed to hash password silently and return user info
+	if err != nil {
+		return info, nil
+	}
+
+	ext[ExtensionKey] = []string{string(hash)}
+	info.SetExtensions(ext)
+
+	// cache result
+	return info, c.cache.Store(userName, info, r)
+}
+
+// New return new auth.Strategy.
+// The returned strategy, caches the invocation result of authenticate function.
+func New(auth Authenticate, cache store.Cache) auth.Strategy {
+	cb := &cachedBasic{
+		authFunc: auth,
+		cache:    cache,
+	}
+
+	return Authenticate(cb.authenticate)
+}

auth/strategies/basic/basic_test.go

@@ -59,3 +59,114 @@ func Test(t *testing.T) {
 		})
 	}
 }
+
+//nolint:goconst
+func TestNewCached(t *testing.T) {
+	authFunc := func(ctx context.Context, r *http.Request, userName, password string) (auth.Info, error) {
+		if userName == "auth-error" {
+			return nil, fmt.Errorf("Invalid credentials")
+		}
+
+		return auth.NewDefaultUser("test", "10", nil, nil), nil
+	}
+
+	table := []struct {
+		name           string
+		setCredentials func(r *http.Request)
+		expectedErr    bool
+	}{
+		{
+			name:           "it return user from cache",
+			setCredentials: func(r *http.Request) { r.SetBasicAuth("predefined2", "test") },
+			expectedErr:    false,
+		},
+		{
+			name:           "it re-authenticate user when hash missing",
+			setCredentials: func(r *http.Request) { r.SetBasicAuth("predefined3", "test") },
+			expectedErr:    false,
+		},
+		{
+			name:           "it return error when cache hold invalid user info",
+			setCredentials: func(r *http.Request) { r.SetBasicAuth("predefined", "test") },
+			expectedErr:    true,
+		},
+		{
+			name:           "it return error when cache return error on load",
+			setCredentials: func(r *http.Request) { r.SetBasicAuth("error", "test") },
+			expectedErr:    true,
+		},
+		{
+			name:           "it return error when cache return error on store",
+			setCredentials: func(r *http.Request) { r.SetBasicAuth("store-error", "test") },
+			expectedErr:    true,
+		},
+		{
+			name:           "it return user info when request authenticated",
+			setCredentials: func(r *http.Request) { r.SetBasicAuth("test", "test") },
+			expectedErr:    false,
+		},
+		{
+			name:           "it return error when request has invalid credentials",
+			setCredentials: func(r *http.Request) { r.SetBasicAuth("auth-error", "unknown") },
+			expectedErr:    true,
+		},
+		{
+			name:           "it return error when request missing basic auth params",
+			setCredentials: func(r *http.Request) { /* no op */ },
+			expectedErr:    true,
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			r, _ := http.NewRequest("GET", "/", nil)
+			tt.setCredentials(r)
+
+			cache := make(mockCache)
+			cache["predefined"] = "invalid-type"
+			cache["predefined2"] = auth.NewDefaultUser(
+				"predefined2",
+				"10",
+				nil,
+				map[string][]string{
+					ExtensionKey: {"$2a$10$aj7RBUkAjknXMyqeLW0v3.FF0aarP4/MraQD7bsmvQ6YSQzxCyyKG"},
+				},
+			)
+			cache["predefined3"] = auth.NewDefaultUser("predefined3", "10", nil, nil)
+
+			info, err := New(authFunc, cache).Authenticate(r.Context(), r)
+
+			if tt.expectedErr && err == nil {
+				t.Errorf("%s: Expected error, got none", tt.name)
+				return
+			}
+
+			if !tt.expectedErr && info == nil {
+				t.Errorf("%s: Expected info object, got nil: %v", tt.name, err)
+				return
+			}
+		})
+	}
+}
+
+type mockCache map[string]interface{}
+
+func (m mockCache) Load(key string, _ *http.Request) (interface{}, bool, error) {
+	if key == "error" {
+		return nil, false, fmt.Errorf("Load Error")
+	}
+	v, ok := m[key]
+	return v, ok, nil
+}
+
+func (m mockCache) Store(key string, value interface{}, _ *http.Request) error {
+	if key == "store-error" {
+		return fmt.Errorf("Store Error")
+	}
+	m[key] = value
+	return nil
+}
+
+func (m mockCache) Delete(key string, _ *http.Request) error {
+	return nil
+}

auth/strategies/basic/example_test.go

@@ -4,9 +4,13 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"sync"
+
+	"github.com/golang/groupcache/lru"
 
 	"github.com/shaj13/go-guardian/auth"
 	"github.com/shaj13/go-guardian/errors"
+	"github.com/shaj13/go-guardian/store"
 )
 
 func Example() {
@@ -29,6 +33,33 @@ func Example() {
 	// Invalid credentials
 }
 
+func Example_second() {
+	// This example show how to caches the result of basic auth.
+	// With LRU cache
+	cache := &store.LRU{
+		Cache: lru.New(2),
+		MU:    &sync.Mutex{},
+	}
+
+	strategy := New(exampleAuthFunc, cache)
+	authenticator := auth.New()
+	authenticator.EnableStrategy(StrategyKey, strategy)
+
+	// user request
+	req, _ := http.NewRequest("GET", "/", nil)
+	req.SetBasicAuth("test", "test")
+	user, err := authenticator.Authenticate(req)
+	fmt.Println(user.ID(), err)
+
+	req.SetBasicAuth("test", "1234")
+	_, err = authenticator.Authenticate(req)
+	fmt.Println(err.(errors.MultiError)[1])
+
+	// Output:
+	// 10 <nil>
+	// crypto/bcrypt: hashedPassword is not the hash of the given password
+}
+
 func exampleAuthFunc(ctx context.Context, r *http.Request, userName, password string) (auth.Info, error) {
 	// here connect to db or any other service to fetch user and validate it.
 	if userName == "test" && password == "test" {

go.mod

@@ -6,4 +6,5 @@ require (
 	github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
 	github.com/gorilla/sessions v1.2.0
 	github.com/stretchr/testify v1.5.1
+	golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37
 )

go.sum

@@ -12,6 +12,13 @@ github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37 h1:cg5LA/zNPRzIXIWSCxQW10Rvpy94aQh3LT/ShoCpkHw=
+golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=