From 6e63aba2b4a13c319a7274625808a268ed842b3e Mon Sep 17 00:00:00 2001
From: Branden J Brown
Date: Wed, 31 Jan 2024 18:42:00 -0600
Subject: [PATCH] add user credentials stuff
---
 go.mod | 23 +++++++++++ go.sum | 75 +++++++++++++++++++++++++++++++++++ player/auth.go | 96 +++++++++++++++++++++++++++++++++++++++++++++ player/auth_test.go | 57 +++++++++++++++++++++++++++ player/player.go | 9 +---- 5 files changed, 253 insertions(+), 7 deletions(-) create mode 100644 player/auth.go create mode 100644 player/auth_test.go
diff --git a/go.mod b/go.mod
index 40e9fec..fc1fa1e 100644
--- a/go.mod
+++ b/go.mod
@@ -5,5 +5,28 @@ go 1.21.6 require ( github.com/go-chi/chi/v5 v5.0.11 github.com/google/uuid v1.5.0
+ gitlab.com/zephyrtronium/sq v1.0.1
+ golang.org/x/crypto v0.18.0
+ modernc.org/sqlite v1.28.0 nhooyr.io/websocket v1.8.10 )
+
+require (
+ github.com/dustin/go-humanize v1.0.1 // indirect
+ github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+ github.com/mattn/go-isatty v0.0.16 // indirect
+ github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+ golang.org/x/mod v0.3.0 // indirect
+ golang.org/x/sys v0.16.0 // indirect
+ golang.org/x/tools v0.0.0-20201124115921-2c860bdd6e78 // indirect
+ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+ lukechampine.com/uint128 v1.2.0 // indirect
+ modernc.org/cc/v3 v3.40.0 // indirect
+ modernc.org/ccgo/v3 v3.16.13 // indirect
+ modernc.org/libc v1.29.0 // indirect
+ modernc.org/mathutil v1.6.0 // indirect
+ modernc.org/memory v1.7.2 // indirect
+ modernc.org/opt v0.1.3 // indirect
+ modernc.org/strutil v1.1.3 // indirect
+ modernc.org/token v1.0.1 // indirect
+)
diff --git a/go.sum b/go.sum
index 8924d10..b28d42a 100644
--- a/go.sum
+++ b/go.sum
@@ -1,6 +1,81 @@ +github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= +github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/go-chi/chi/v5 v5.0.11 h1:BnpYbFZ3T3S1WMpD79r7R5ThWX40TaFB7L31Y8xqSwA= github.com/go-chi/chi/v5 v5.0.11/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ= +github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo= github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU= github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 h1:Z9n2FFNUXsshfwJMBgNA0RU6/i7WVaAegv3PtuIHPMs= +github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51/go.mod h1:CzGEWj7cYgsdH8dAjBGEr58BoE7ScuLd+fwFZ44+/x8= +github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ= +github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= +github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y= +github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE= +github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= +github.com/yuin/goldmark v1.2.1/go.mod 
h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +gitlab.com/zephyrtronium/sq v1.0.1 h1:adEgr3pNIrpeUTn8pf4l5bzCZU3P+lZ71shhQpTtU3k= +gitlab.com/zephyrtronium/sq v1.0.1/go.mod h1:1PixOalEEwM8B2bR0JHkH0kqE4eaqG47DRFn4mWOtaQ= +golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= +golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= +golang.org/x/mod v0.3.0 h1:RM4zey1++hCTbCVQfnWeKs9/IEsaBLA8vTkd0WVtmH4= +golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= +golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= +golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= +golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= +golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= +golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= 
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= +golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= +golang.org/x/tools v0.0.0-20201124115921-2c860bdd6e78 h1:M8tBwCtWD/cZV9DZpFYRUgaymAYAr+aIUTWzDaM3uPs= +golang.org/x/tools v0.0.0-20201124115921-2c860bdd6e78/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= +golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +lukechampine.com/uint128 v1.2.0 h1:mBi/5l91vocEN8otkC5bDLhi2KdCticRiwbdB0O+rjI= +lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk= +modernc.org/cc/v3 v3.40.0 h1:P3g79IUS/93SYhtoeaHW+kRCIrYaxJ27MFPv+7kaTOw= +modernc.org/cc/v3 v3.40.0/go.mod h1:/bTg4dnWkSXowUO6ssQKnOV0yMVxDYNIsIrzqTFDGH0= +modernc.org/ccgo/v3 v3.16.13 h1:Mkgdzl46i5F/CNR/Kj80Ri59hC8TKAhZrYSaqvkwzUw= +modernc.org/ccgo/v3 v3.16.13/go.mod h1:2Quk+5YgpImhPjv2Qsob1DnZ/4som1lJTodubIcoUkY= +modernc.org/ccorpus v1.11.6 h1:J16RXiiqiCgua6+ZvQot4yUuUy8zxgqbqEEUuGPlISk= +modernc.org/ccorpus v1.11.6/go.mod h1:2gEUTrWqdpH2pXsmTM1ZkjeSrUWDpjMu2T6m29L/ErQ= +modernc.org/httpfs v1.0.6 h1:AAgIpFZRXuYnkjftxTAZwMIiwEqAfk8aVB2/oA6nAeM= +modernc.org/httpfs v1.0.6/go.mod h1:7dosgurJGp0sPaRanU53W4xZYKh14wfzX420oZADeHM= +modernc.org/libc v1.29.0 h1:tTFRFq69YKCF2QyGNuRUQxKBm1uZZLubf6Cjh/pVHXs= +modernc.org/libc v1.29.0/go.mod h1:DaG/4Q3LRRdqpiLyP0C2m1B8ZMGkQ+cCgOIjEtQlYhQ= 
+modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4= +modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo= +modernc.org/memory v1.7.2 h1:Klh90S215mmH8c9gO98QxQFsY+W451E8AnzjoE2ee1E= +modernc.org/memory v1.7.2/go.mod h1:NO4NVCQy0N7ln+T9ngWqOQfi7ley4vpwvARR+Hjw95E= +modernc.org/opt v0.1.3 h1:3XOZf2yznlhC+ibLltsDGzABUGVx8J6pnFMS3E4dcq4= +modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0= +modernc.org/sqlite v1.28.0 h1:Zx+LyDDmXczNnEQdvPuEfcFVA2ZPyaD7UCZDjef3BHQ= +modernc.org/sqlite v1.28.0/go.mod h1:Qxpazz0zH8Z1xCFyi5GSL3FzbtZ3fvbjmywNogldEW0= +modernc.org/strutil v1.1.3 h1:fNMm+oJklMGYfU9Ylcywl0CO5O6nTfaowNsh2wpPjzY= +modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw= +modernc.org/tcl v1.15.2 h1:C4ybAYCGJw968e+Me18oW55kD/FexcHbqH2xak1ROSY= +modernc.org/tcl v1.15.2/go.mod h1:3+k/ZaEbKrC8ePv8zJWPtBSW0V7Gg9g8rkmhI1Kfs3c= +modernc.org/token v1.0.1 h1:A3qvTqOwexpfZZeyI0FeGPDlSWX5pjZu9hF4lU+EKWg= +modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM= +modernc.org/z v1.7.3 h1:zDJf6iHjrnB+WRD88stbXokugjyc0/pB91ri1gO6LZY= +modernc.org/z v1.7.3/go.mod h1:Ipv4tsdxZRbQyLq9Q1M6gdbkxYzdlrciF2Hi/lS7nWE= nhooyr.io/websocket v1.8.10 h1:mv4p+MnGrLDcPlBoWsvPP7XCzTYMXP9F9eIGoKbgx7Q= nhooyr.io/websocket v1.8.10/go.mod h1:rN9OFWIUwuxg4fR5tELlYC04bXYowCP9GX47ivo2l+c= diff --git a/player/auth.go b/player/auth.go new file mode 100644 index 0000000..be542b1 --- /dev/null +++ b/player/auth.go 
@@ -0,0 +1,96 @@
+package player
+
+import (
+ "bytes"
+ "context"
+ "crypto/rand"
+ "errors"
+ "fmt"
+ "log/slog"
+ "strings"
+
+ "github.com/google/uuid"
+ "gitlab.com/zephyrtronium/sq"
+ "golang.org/x/crypto/argon2"
+)
+
+const (
+ // Argon2id parameters recommended in
+ // https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id
+ time = 3
+ memory = 12 << 10
+ threads = 1
+ hashLen = 48
+)
+
+type (
+ Execer interface {
+ Exec(ctx context.Context, query string, args ...any) (sq.Result, error)
+ }
+ RowQuerier interface {
+ QueryRow(ctx context.Context, query string, args ...any) *sq.Row
+ }
+)
+
+// InitUsers initializes the table for permanent storage of user credentials.
+func InitUsers(ctx context.Context, db Execer) error {
+ _, err := db.Exec(ctx, initUsers)
+ if err != nil {
+ return fmt.Errorf("couldn't init users table: %w", err)
+ }
+ return nil
+}
+
+// Register adds a new user to a database initialized with [InitUsers].
+func Register(ctx context.Context, db Execer, user, pass string) error {
+ user = strings.ToLower(user)
+ // TODO(zeph): validate length and content
+ slog.InfoContext(ctx, "register user", "user", user)
+ salt := make([]byte, 16)
+ if _, err := rand.Read(salt); err != nil {
+ slog.ErrorContext(ctx, "failed to get salt for new user", "user", user, "err", err.Error())
+ panic(err)
+ }
+ h := argon2.IDKey([]byte(pass), salt, time, memory, threads, hashLen)
+ id := uuid.New()
+ _, err := db.Exec(ctx, `INSERT INTO shotgun_users(user, pass, salt, id) VALUES (?, ?, ?, ?)`, user, h, salt, id)
+ if err != nil {
+ slog.ErrorContext(ctx, "failed to register user", "user", user, "err", err.Error())
+ return fmt.Errorf("couldn't register new user: %w", err)
+ }
+ slog.InfoContext(ctx, "registered user", "user", user, "id", id)
+ return nil
+}
+
+// Login gets the user ID associcated with a user if their saved credentials
+// match those provided.
+func Login(ctx context.Context, db RowQuerier, user, pass string) (ID, error) {
+ // TODO(zeph): we are making almost no attempt to distinguish
+ // "user does not exist" from "wrong password"
+ user = strings.ToLower(user)
+ slog.InfoContext(ctx, "login", "user", user)
+ var (
+ p, salt []byte
+ id uuid.UUID
+ )
+ if err := db.QueryRow(ctx, `SELECT pass, salt, id FROM shotgun_users WHERE user = ?`, user).Scan(&p, &salt, &id); err != nil {
+ slog.ErrorContext(ctx, "failed to get user creds", "user", user, "err", err.Error())
+ if errors.Is(err, sq.ErrNoRows) {
+ return ID{}, fmt.Errorf("invalid credentials")
+ }
+ return ID{}, fmt.Errorf("couldn't get user creds: %w", err)
+ }
+ h := argon2.IDKey([]byte(pass), salt, time, memory, threads, hashLen)
+ if !bytes.Equal(p, h) {
+ slog.ErrorContext(ctx, "login failed", "user", user)
+ return ID{}, fmt.Errorf("invalid credentials")
+ }
+ return ID(id), nil
+}
+
+const initUsers = `CREATE TABLE shotgun_users (
+ user TEXT PRIMARY KEY NOT NULL,
+ pass BLOB NOT NULL,
+ salt BLOB NOT NULL,
+ id TEXT NOT NULL
+);`
diff --git a/player/auth_test.go b/player/auth_test.go
new file mode 100644
index 0000000..733205d
--- /dev/null
+++ b/player/auth_test.go
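Review bot: `Login` returns as soon as `Scan` reports `sq.ErrNoRows`, so an unknown username is rejected before any Argon2 work while a wrong password pays the full 12 MiB, t=3 hash — the TODO at the top of the function worries about the error message, but this response-time gap is the user-enumeration oracle that actually matters. Unknown users should fall through to the same hash-and-compare path against a fixed dummy salt and hash, and the comparison should be `subtle.ConstantTimeCompare(p, h) != 1` (import `crypto/subtle`) instead of `!bytes.Equal(p, h)`, since the stored hash is the secret being compared. The `slog.ErrorContext(ctx, "failed to get user creds", ...)` line also logs every mistyped username at Error level, which a credential-stuffing run turns into alert noise; log not-found at Warn and keep Error for real database failures. Separately, the `shotgun_users` table stores only `pass` and `salt` with the cost parameters fixed in the package constants, so raising `time` or `memory` later would invalidate every existing row — storing the parameters per row (or a PHC-style encoded string) lets old hashes still verify and be rehashed on next login. Finally, `Register` calls `panic(err)` when `rand.Read` fails; returning `fmt.Errorf("couldn't generate salt: %w", err)` is the safer choice for a function that runs on request paths.
```go
// Dummy credentials hashed for unknown users so that a missing account costs
// the same time as a wrong password; a real Argon2 output will not match an
// all-zero buffer.
var (
	dummySalt = make([]byte, 16)
	dummyHash = make([]byte, hashLen)
)

// … unchanged: Login signature, ToLower, login log, var block …
	if err := db.QueryRow(ctx, `SELECT pass, salt, id FROM shotgun_users WHERE user = ?`, user).Scan(&p, &salt, &id); err != nil {
		if !errors.Is(err, sq.ErrNoRows) {
			slog.ErrorContext(ctx, "failed to get user creds", "user", user, "err", err.Error())
			return ID{}, fmt.Errorf("couldn't get user creds: %w", err)
		}
		slog.WarnContext(ctx, "login for unknown user", "user", user)
		p, salt = dummyHash, dummySalt
	}
	h := argon2.IDKey([]byte(pass), salt, time, memory, threads, hashLen)
	if subtle.ConstantTimeCompare(p, h) != 1 {
// … unchanged: failure log and return, success return …
```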
@@ -0,0 +1,57 @@
+package player_test
+
+import (
+ "context"
+ "testing"
+
+ "github.com/google/uuid"
+ "gitlab.com/zephyrtronium/sq"
+
+ "git.sunturtle.xyz/studio/shotgun/player"
+
+ _ "modernc.org/sqlite" // sqlite driver
+)
+
+func TestLogin(t *testing.T) {
+ ctx := context.Background()
+ db, err := sq.Open("sqlite", ":memory:")
+ if err != nil {
+ t.Fatal(err)
+ }
+ conn, err := db.Conn(ctx)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if err := player.InitUsers(ctx, conn); err != nil {
+ t.Fatalf("couldn't init users: %v", err)
+ }
+
+ user, pass := "bocchi", "the rock!"
+ id, err := player.Login(ctx, conn, user, pass)
+ if err == nil {
+ t.Errorf("logging in nonexistent user didn't err")
+ }
+ if id != uuid.Nil {
+ t.Errorf("got nonzero user %v before registering", id)
+ }
+
+ if err := player.Register(ctx, conn, user, pass); err != nil {
+ t.Errorf("failed to register user: %v", err)
+ }
+
+ id, err = player.Login(ctx, conn, user, pass)
+ if err != nil {
+ t.Errorf("couldn't login after registering: %v", err)
+ }
+ if id == uuid.Nil {
+ t.Errorf("got zero player id after registering")
+ }
+
+ wrong, err := player.Login(ctx, conn, user, "not the rock")
+ if err == nil {
+ t.Errorf("logged in with wrong password")
+ }
+ if wrong != uuid.Nil {
+ t.Errorf("got nonzero user %v with wrong password (real is %v)", wrong, id)
+ }
+}
diff --git a/player/player.go b/player/player.go
index f185e3c..36cee9a 100644
--- a/player/player.go
+++ b/player/player.go
@@ -1,12 +1,7 @@
 // Package player implements data about players outside games.
 package player
-import "encoding/hex"
+import "github.com/google/uuid"
 // ID is a unique ID for a player.
-// May just be IPv6 (or IPv4-in-6) of their connection, or a UUID.
-type ID [16]byte
-
-func (id ID) String() string {
- return hex.EncodeToString(id[:])
-}
+type ID = uuid.UUID
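Review bot: `TestLogin` never exercises the `strings.ToLower` normalization that both `Register` and `Login` apply, nor a second `Register` of the same name, so the case-insensitive lookup and the `PRIMARY KEY` rejection of a duplicate user are both untested. After the first registration add `if _, err := player.Login(ctx, conn, "BOCCHI", pass); err != nil { t.Errorf("case-insensitive login failed: %v", err) }` and `if err := player.Register(ctx, conn, "Bocchi", pass); err == nil { t.Errorf("registered duplicate user") }`. The `conn` from `db.Conn(ctx)` and `db` itself are also never released; if `sq` mirrors `database/sql` here, a `t.Cleanup` that closes both keeps the in-memory database from outliving the test.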
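Review bot: `type ID = uuid.UUID` is an alias, not a defined type, so any `uuid.UUID` in the program is now assignable to a player `ID` without conversion, and the removed `String()` (32 bare hex characters) is replaced by uuid's own hyphenated form, which changes whatever logged or serialized the old value. The alias appears deliberate — the new test compares `id` with `uuid.Nil` directly, which only compiles this way — but the doc comment should say so: `// ID is a unique ID for a player. It aliases uuid.UUID, so the type system does not distinguish player IDs from other UUIDs; its String form is the hyphenated UUID, not the former hex encoding.`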