feat: token must be based on an existing user to generate

auth/app.go

@@ -104,6 +104,10 @@ func (o *oauthApp) GetDefaultAdminToken() (string, error) {
 		}
 	}
 	// create one
+	_, err = o.srv.CreateUser(adminCtx, &CreateUserRequest{Name: DefaultAdminTokenName})
+	if err != nil {
+		return "", fmt.Errorf("create default user for admin token: %w", err)
+	}
 	ret, err := o.srv.GenerateToken(adminCtx, &JWTPayload{
 		Name: DefaultAdminTokenName,
 		Perm: core.PermAdmin,

auth/jwt.go

@@ -132,6 +132,14 @@ func (o *jwtOAuth) GenerateToken(ctx context.Context, pl *JWTPayload) (string, e
 		return "", fmt.Errorf("need admin prem: %w", err)
 	}
 
+	exist, err := o.store.HasUser(pl.Name)
+	if err != nil {
+		return "", fmt.Errorf("check user %s exist failed: %w", pl.Name, err)
+	}
+	if !exist {
+		return "", fmt.Errorf("token must be based on an existing user %s to generate", pl.Name)
+	}
+
 	// one token, one secret
 	secret, err := config.RandSecret()
 	if err != nil {

auth/jwt_test.go

@@ -19,6 +19,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/filecoin-project/go-address"
+
 	"github.com/filecoin-project/venus-auth/config"
 	"github.com/filecoin-project/venus-auth/core"
 	"github.com/filecoin-project/venus-auth/storage"
@@ -109,13 +110,23 @@ func testGenerateToken(t *testing.T) {
 		Extra: "",
 	}
 
-	token1, err := jwtOAuthInstance.GenerateToken(adminCtx, pl1)
+	_, err := jwtOAuthInstance.GenerateToken(adminCtx, pl1)
+	assert.NotNil(t, err)
+	require.Contains(t, err.Error(), "token must be based on an existing user")
+
+	createUserReq := &CreateUserRequest{
+		Name:  "test-token-01",
+		State: 0,
+	}
+	resp, err := jwtOAuthInstance.CreateUser(adminCtx, createUserReq)
 	assert.Nil(t, err)
-	assert.Equal(t, 3, len(strings.Split(token1, ".")))
+	assert.Equal(t, "test-token-01", resp.Name)
+	token, err := jwtOAuthInstance.GenerateToken(adminCtx, pl1)
+	assert.Nil(t, err)
+	assert.Equal(t, 3, len(strings.Split(token, ".")))
 
 	_, err = jwtOAuthInstance.GenerateToken(signCtx, pl1)
 	assert.True(t, errors.Is(err, ErrorPermissionDeny))
-
 }
 
 func testVerifyToken(t *testing.T) {
@@ -130,11 +141,18 @@ func testVerifyToken(t *testing.T) {
 		Extra: "",
 	}
 
-	token1, err := jwtOAuthInstance.GenerateToken(adminCtx, pl1)
+	createUserReq := &CreateUserRequest{
+		Name:  "test-token-01",
+		State: 0,
+	}
+	resp, err := jwtOAuthInstance.CreateUser(adminCtx, createUserReq)
+	assert.Nil(t, err)
+	assert.Equal(t, "test-token-01", resp.Name)
+	token, err := jwtOAuthInstance.GenerateToken(adminCtx, pl1)
 	assert.Nil(t, err)
 
 	// Verify a valid token
-	payload1, err := jwtOAuthInstance.Verify(readCtx, token1)
+	payload1, err := jwtOAuthInstance.Verify(readCtx, token)
 	assert.Nil(t, err)
 	assert.True(t, reflect.DeepEqual(payload1, pl1))
 
@@ -144,7 +162,7 @@ func testVerifyToken(t *testing.T) {
 	assert.NotNil(t, err)
 
 	// with ctx no perm
-	_, err = jwtOAuthInstance.Verify(context.Background(), token1)
+	_, err = jwtOAuthInstance.Verify(context.Background(), token)
 	assert.True(t, errors.Is(err, ErrorPermissionDeny))
 }
 
@@ -160,12 +178,18 @@ func testGetToken(t *testing.T) {
 		Extra: "",
 	}
 
-	// with ctx admin perm
-	token1, err := jwtOAuthInstance.GenerateToken(adminCtx, pl1)
+	createUserReq := &CreateUserRequest{
+		Name:  "test-token-01",
+		State: 0,
+	}
+	resp, err := jwtOAuthInstance.CreateUser(adminCtx, createUserReq)
+	assert.Nil(t, err)
+	assert.Equal(t, "test-token-01", resp.Name)
+	token, err := jwtOAuthInstance.GenerateToken(adminCtx, pl1)
 	assert.Nil(t, err)
 
 	// Get token
-	tokenInfo1, err := jwtOAuthInstance.GetToken(adminCtx, token1)
+	tokenInfo1, err := jwtOAuthInstance.GetToken(adminCtx, token)
 	assert.Nil(t, err)
 	assert.Equal(t, pl1.Name, tokenInfo1.Name)
 	assert.Equal(t, pl1.Perm, tokenInfo1.Perm)
@@ -175,7 +199,7 @@ func testGetToken(t *testing.T) {
 	assert.NotNil(t, err)
 
 	// with ctx no perm
-	_, err = jwtOAuthInstance.GetToken(context.Background(), token1)
+	_, err = jwtOAuthInstance.GetToken(context.Background(), token)
 	assert.True(t, errors.Is(err, ErrorPermissionDeny))
 	_, err = jwtOAuthInstance.GetToken(signCtx, invalidToken)
 	assert.True(t, errors.Is(err, ErrorPermissionDeny))
@@ -193,7 +217,14 @@ func testGetTokenByName(t *testing.T) {
 		Extra: "",
 	}
 
-	token1, err := jwtOAuthInstance.GenerateToken(adminCtx, pl1)
+	createUserReq := &CreateUserRequest{
+		Name:  "test-token-01",
+		State: 0,
+	}
+	resp, err := jwtOAuthInstance.CreateUser(adminCtx, createUserReq)
+	assert.Nil(t, err)
+	assert.Equal(t, "test-token-01", resp.Name)
+	token, err := jwtOAuthInstance.GenerateToken(adminCtx, pl1)
 	assert.Nil(t, err)
 	userCtx := newUserCtx(pl1.Name)
 
@@ -202,7 +233,7 @@ func testGetTokenByName(t *testing.T) {
 		tokenInfoList1, err := jwtOAuthInstance.GetTokenByName(ctx, "test-token-01")
 		assert.Nil(t, err)
 		assert.Equal(t, 1, len(tokenInfoList1))
-		assert.Equal(t, token1, tokenInfoList1[0].Token)
+		assert.Equal(t, token, tokenInfoList1[0].Token)
 
 	}
 	invalidPermTest := func(ctx context.Context) {
@@ -237,8 +268,23 @@ func testTokenList(t *testing.T) {
 		Perm:  "admin",
 		Extra: "",
 	}
-	_, err := jwtOAuthInstance.GenerateToken(adminCtx, pl1)
+
+	createUserReq := &CreateUserRequest{
+		Name:  "test-token-01",
+		State: 0,
+	}
+	resp, err := jwtOAuthInstance.CreateUser(adminCtx, createUserReq)
 	assert.Nil(t, err)
+	assert.Equal(t, "test-token-01", resp.Name)
+	_, err = jwtOAuthInstance.GenerateToken(adminCtx, pl1)
+	assert.Nil(t, err)
+	createUserReq = &CreateUserRequest{
+		Name:  "test-token-02",
+		State: 0,
+	}
+	resp, err = jwtOAuthInstance.CreateUser(adminCtx, createUserReq)
+	assert.Nil(t, err)
+	assert.Equal(t, "test-token-02", resp.Name)
 	_, err = jwtOAuthInstance.GenerateToken(adminCtx, pl2)
 	assert.Nil(t, err)
 
@@ -277,30 +323,37 @@ func testRemoveAndRecoverToken(t *testing.T) {
 		Extra: "",
 	}
 
-	token1, err := jwtOAuthInstance.GenerateToken(adminCtx, pl1)
+	createUserReq := &CreateUserRequest{
+		Name:  "test-token-01",
+		State: 0,
+	}
+	resp, err := jwtOAuthInstance.CreateUser(adminCtx, createUserReq)
+	assert.Nil(t, err)
+	assert.Equal(t, "test-token-01", resp.Name)
+	token, err := jwtOAuthInstance.GenerateToken(adminCtx, pl1)
 	assert.Nil(t, err)
 
 	validPermTest := func(ctx context.Context) {
 
 		// token is usable.
-		err = jwtOAuthInstance.RecoverToken(ctx, token1)
+		err = jwtOAuthInstance.RecoverToken(ctx, token)
 		assert.Error(t, err)
 
 		// Remove a token
-		err = jwtOAuthInstance.RemoveToken(ctx, token1)
+		err = jwtOAuthInstance.RemoveToken(ctx, token)
 		assert.Nil(t, err)
 
-		_, err = jwtOAuthInstance.Verify(ctx, token1)
+		_, err = jwtOAuthInstance.Verify(ctx, token)
 		assert.NotNil(t, err)
 
 		tokenInfoList1, err := jwtOAuthInstance.GetTokenByName(ctx, "test-token-01")
 		assert.Nil(t, err)
 		assert.Equal(t, 0, len(tokenInfoList1))
 
 		// Recover a token
-		err = jwtOAuthInstance.RecoverToken(ctx, token1)
+		err = jwtOAuthInstance.RecoverToken(ctx, token)
 		assert.Nil(t, err)
-		payload1, err := jwtOAuthInstance.Verify(ctx, token1)
+		payload1, err := jwtOAuthInstance.Verify(ctx, token)
 		assert.Nil(t, err)
 		assert.True(t, reflect.DeepEqual(payload1, pl1))
 		allTokenInfos, err := jwtOAuthInstance.Tokens(adminCtx, 0, 2)
@@ -310,11 +363,11 @@ func testRemoveAndRecoverToken(t *testing.T) {
 
 	invalidPermTest := func(ctx context.Context) {
 		// Remove a token
-		err = jwtOAuthInstance.RemoveToken(ctx, token1)
+		err = jwtOAuthInstance.RemoveToken(ctx, token)
 		assert.True(t, errors.Is(err, ErrorPermissionDeny))
 
 		// Recover a token
-		err = jwtOAuthInstance.RecoverToken(ctx, token1)
+		err = jwtOAuthInstance.RecoverToken(ctx, token)
 		assert.True(t, errors.Is(err, ErrorPermissionDeny))
 	}
 

integrate_test/token_test.go

@@ -4,8 +4,10 @@ import (
 	"context"
 	"testing"
 
-	"github.com/filecoin-project/venus-auth/jwtclient"
 	"github.com/stretchr/testify/assert"
+
+	"github.com/filecoin-project/venus-auth/auth"
+	"github.com/filecoin-project/venus-auth/jwtclient"
 )
 
 func TestTokenApis(t *testing.T) {
@@ -22,6 +24,8 @@ func setupAndGenerateToken(t *testing.T, name string, perm string) (*jwtclient.A
 	assert.Nil(t, err)
 
 	// Generate a token
+	_, err = client.CreateUser(context.TODO(), &auth.CreateUserRequest{Name: name})
+	assert.Nil(t, err)
 	token, err := client.GenerateToken(context.TODO(), name, perm, "")
 	assert.Nil(t, err)
 	return client, tmpDir, token

integrate_test/user_test.go

@@ -109,7 +109,8 @@ func testListUser(t *testing.T) {
 	// List users
 	listResp, err := client.ListUsers(context.Background(), 0, 10, core.UserStateUndefined)
 	assert.Nil(t, err)
-	assert.Equal(t, len(listResp), 1)
+	// DefaultAdminTokenName created at setup func
+	assert.Equal(t, len(listResp), 2)
 }
 
 func testDeleteUser(t *testing.T) {

jwtclient/auth_client_test.go

@@ -90,12 +90,24 @@ func TestMain(m *testing.M) {
 func TestTokenBusiness(t *testing.T) {
 	ctx := context.TODO()
 	var originTks []string
+	_, err := cli.CreateUser(context.TODO(), &auth.CreateUserRequest{
+		Name: "Rennbon1",
+	})
+	if err != nil {
+		t.Fatalf("create user err:%s", err)
+	}
 	tk1, err := cli.GenerateToken(context.TODO(), "Rennbon1", core.PermAdmin, "custom params")
 	if err != nil {
 		t.Fatalf("gen token err:%s", err)
 	}
 	originTks = append(originTks, tk1)
 
+	_, err = cli.CreateUser(context.TODO(), &auth.CreateUserRequest{
+		Name: "Rennbon2",
+	})
+	if err != nil {
+		t.Fatalf("create user err:%s", err)
+	}
 	tk2, err := cli.GenerateToken(context.TODO(), "Rennbon2", core.PermRead, "custom params")
 	if err != nil {
 		t.Fatalf("gen token err:%s", err)
@@ -241,7 +253,7 @@ func TestUserBusiness(t *testing.T) {
 	if err != nil {
 		t.Fatalf("get user err:%s", err)
 	}
-	assert.DeepEqual(t, users[1].Name, user.Name)
+	assert.DeepEqual(t, "name2", user.Name)
 
 	err = cli.VerifyUsers(context.Background(), []string{"name1", "name2"})
 	if err != nil {