package controllers import ( "context" "crypto/hmac" "crypto/sha256" "encoding/base64" "encoding/hex" "encoding/json" "errors" "fmt" "github.com/go-playground/validator/v10" "github.com/gofiber/fiber/v2" "github.com/redis/go-redis/v9" "github.com/sirupsen/logrus" "gorm.io/gorm" "strconv" "strings" "sync" "time" "gitlab.com/mbugroup/lti-api.git/internal/config" entity "gitlab.com/mbugroup/lti-api.git/internal/entities" "gitlab.com/mbugroup/lti-api.git/internal/modules/sso/session" "gitlab.com/mbugroup/lti-api.git/internal/modules/users/dto" userRepository "gitlab.com/mbugroup/lti-api.git/internal/modules/users/repositories" "gitlab.com/mbugroup/lti-api.git/internal/response" "gitlab.com/mbugroup/lti-api.git/internal/sso" "gitlab.com/mbugroup/lti-api.git/internal/utils" ) const ( headerClient = "X-Sync-Client" headerTimestamp = "X-Sync-Timestamp" headerNonce = "X-Sync-Nonce" headerSignature = "X-Sync-Signature" defaultDrift = 2 * time.Minute defaultNonceTTL = 10 * time.Minute ) // UserSyncController handles incoming user management events from the central SSO service. type UserSyncController struct { validate *validator.Validate repo userRepository.UserRepository redis *redis.Client clients map[string]config.SSOClientConfig drift time.Duration nonceTTL time.Duration maxBodyBytes int log *logrus.Logger localNonces sync.Map } type userSyncRequest struct { Action string `json:"action" validate:"required,oneof=create update delete logout"` PublicID string `json:"public_id" validate:"required"` User userSyncUser `json:"user" validate:"required"` } type userSyncUser struct { ID int64 `json:"id" validate:"required"` Email string `json:"email"` Name string `json:"name"` } func NewUserSyncController(validate *validator.Validate, repo userRepository.UserRepository, redis *redis.Client, clients map[string]config.SSOClientConfig) *UserSyncController { normalized := make(map[string]config.SSOClientConfig, len(clients)) for alias, cfg := range clients { alias = strings.ToLower(strings.TrimSpace(alias)) normalized[alias] = cfg } drift := config.SSOUserSyncDrift if drift <= 0 { drift = defaultDrift } nonceTTL := config.SSOUserSyncNonceTTL if nonceTTL <= 0 { nonceTTL = defaultNonceTTL } maxBody := config.SSOUserSyncMaxBodyBytes if maxBody <= 0 { maxBody = 32 * 1024 } log := utils.Log if redis == nil { log.Warn("SSO user sync nonce store fallback to in-memory cache; enable Redis for replay protection") } return &UserSyncController{ validate: validate, repo: repo, redis: redis, clients: normalized, drift: drift, nonceTTL: nonceTTL, maxBodyBytes: maxBody, log: log, } } func (h *UserSyncController) Sync(c *fiber.Ctx) error { if ct := strings.TrimSpace(c.Get(fiber.HeaderContentType)); ct != "" && !strings.HasPrefix(strings.ToLower(ct), fiber.MIMEApplicationJSON) { return fiber.NewError(fiber.StatusUnsupportedMediaType, "content-type must be application/json") } body := c.Body() if h.maxBodyBytes > 0 && len(body) > h.maxBodyBytes { return fiber.NewError(fiber.StatusRequestEntityTooLarge, "request body too large") } alias, clientCfg, err := h.authenticate(c, body) if err != nil { return err } req := new(userSyncRequest) if err := json.Unmarshal(body, req); err != nil { return fiber.NewError(fiber.StatusBadRequest, "invalid request body") } req.Action = strings.ToLower(strings.TrimSpace(req.Action)) req.PublicID = strings.TrimSpace(req.PublicID) req.User.Email = strings.TrimSpace(req.User.Email) req.User.Name = strings.TrimSpace(req.User.Name) if err := h.validate.Struct(req); err != nil { return fiber.NewError(fiber.StatusBadRequest, err.Error()) } if clientCfg.PublicID != "" && req.PublicID != clientCfg.PublicID { return fiber.NewError(fiber.StatusBadRequest, "public_id mismatch with configured client") } if req.Action == "create" || req.Action == "update" { if req.User.Email == "" || req.User.Name == "" { return fiber.NewError(fiber.StatusBadRequest, "email and name are required for create/update actions") } if err := h.validate.Var(req.User.Email, "email"); err != nil { return fiber.NewError(fiber.StatusBadRequest, "invalid email format") } } if req.User.ID <= 0 { return fiber.NewError(fiber.StatusBadRequest, "invalid user id") } switch req.Action { case "create", "update": return h.upsertUser(c, alias, req) case "delete": return h.removeUser(c, alias, req) case "logout": return h.logoutUser(c, alias, req) default: return fiber.NewError(fiber.StatusBadRequest, "unsupported action") } } func (h *UserSyncController) authenticate(c *fiber.Ctx, body []byte) (string, config.SSOClientConfig, error) { rawAlias := strings.TrimSpace(c.Get(headerClient)) if rawAlias == "" { return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "missing sync client header") } aliasKey := strings.ToLower(rawAlias) clientCfg, ok := h.clients[aliasKey] if !ok { return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "unknown sync client") } if err := h.verifyAuthorization(c, aliasKey); err != nil { return "", config.SSOClientConfig{}, err } secret := strings.TrimSpace(clientCfg.SyncSecret) if secret == "" { return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "sync secret not configured") } timestamp := strings.TrimSpace(c.Get(headerTimestamp)) nonce := strings.TrimSpace(c.Get(headerNonce)) signature := strings.TrimSpace(c.Get(headerSignature)) if timestamp == "" || nonce == "" || signature == "" { return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "missing signature headers") } if len(nonce) < 16 { return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "nonce too short") } ts, err := strconv.ParseInt(timestamp, 10, 64) if err != nil { return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusBadRequest, "invalid timestamp") } msgTime := time.Unix(ts, 0).UTC() now := time.Now().UTC() drift := now.Sub(msgTime) if drift > h.drift || drift < -h.drift { return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "timestamp outside allowed window") } providedSig, err := decodeSignature(signature) if err != nil { return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "invalid signature encoding") } expectedSignature := h.calculateSignature(secret, rawAlias, timestamp, nonce, body) if !hmac.Equal(providedSig, expectedSignature) { bodyHash := sha256.Sum256(body) h.log.WithFields(logrus.Fields{ "alias": rawAlias, "alias_key": aliasKey, "timestamp": timestamp, "nonce": nonce, "body_len": len(body), "body_sha256": hex.EncodeToString(bodyHash[:]), "body_base64": base64.StdEncoding.EncodeToString(body), "provided_hex_full": hex.EncodeToString(providedSig), "expected_hex_full": hex.EncodeToString(expectedSignature), }).Warn("sso sync signature mismatch") return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "invalid signature") } if err := h.registerNonce(c.Context(), aliasKey, nonce); err != nil { return "", config.SSOClientConfig{}, err } return aliasKey, clientCfg, nil } func (h *UserSyncController) verifyAuthorization(c *fiber.Ctx, alias string) error { authHeader := strings.TrimSpace(c.Get(fiber.HeaderAuthorization)) if authHeader == "" { return fiber.NewError(fiber.StatusUnauthorized, "missing authorization header") } parts := strings.SplitN(authHeader, " ", 2) if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") { return fiber.NewError(fiber.StatusUnauthorized, "invalid authorization header") } token := strings.TrimSpace(parts[1]) if token == "" { return fiber.NewError(fiber.StatusUnauthorized, "invalid authorization header") } verification, err := sso.VerifyAccessToken(token) if err != nil { return fiber.NewError(fiber.StatusUnauthorized, "invalid access token") } if verification.ServiceAlias == "" || verification.ServiceAlias != alias { return fiber.NewError(fiber.StatusUnauthorized, "service subject mismatch") } if !containsScope(verification.Claims.Scopes(), "sync.users") { return fiber.NewError(fiber.StatusForbidden, "missing sync scope") } return nil } func (h *UserSyncController) upsertUser(c *fiber.Ctx, alias string, req *userSyncRequest) error { entity := &entity.User{ IdUser: req.User.ID, Email: req.User.Email, Name: req.User.Name, } //TODO: MIGRATION TO UPSERT BASE REPOSITORY if err := h.repo.UpsertByIdUser(c.Context(), entity); err != nil { h.log.Errorf("sso user upsert failed: %v", err) return fiber.NewError(fiber.StatusInternalServerError, "failed to upsert user") } user, err := h.repo.GetByIdUser(c.Context(), req.User.ID, nil) if err != nil { h.log.Errorf("sso user fetch after upsert failed: %v", err) return fiber.NewError(fiber.StatusInternalServerError, "failed to load user") } h.log.WithFields(logrus.Fields{ "action": req.Action, "public_id": req.PublicID, "alias": alias, "user_id": req.User.ID, }).Info("sso user synced") msg := fmt.Sprintf("User %s successfully", req.Action) return c.Status(fiber.StatusOK).JSON(response.Success{ Code: fiber.StatusOK, Status: "success", Message: msg, Data: dto.ToUserListDTO(*user), }) } func (h *UserSyncController) logoutUser(c *fiber.Ctx, alias string, req *userSyncRequest) error { revoker := session.GetRevocationStore() if revoker != nil { if err := revoker.MarkUserLogout(c.Context(), uint(req.User.ID), time.Now().UTC()); err != nil { h.log.WithError(err).Error("sso user logout revoke failed") return fiber.NewError(fiber.StatusInternalServerError, "failed to revoke user session") } } else { h.log.Warn("sso user logout received but revocation store not configured") } h.log.WithFields(logrus.Fields{ "action": req.Action, "public_id": req.PublicID, "alias": alias, "user_id": req.User.ID, }).Info("sso user logout enforced") return c.Status(fiber.StatusOK).JSON(response.Common{ Code: fiber.StatusOK, Status: "success", Message: "User sessions revoked successfully", }) } func (h *UserSyncController) removeUser(c *fiber.Ctx, alias string, req *userSyncRequest) error { if err := h.repo.SoftDeleteByIdUser(c.Context(), req.User.ID); err != nil { if err == gorm.ErrRecordNotFound { return fiber.NewError(fiber.StatusNotFound, "user not found") } h.log.Errorf("sso user delete failed: %v", err) return fiber.NewError(fiber.StatusInternalServerError, "failed to delete user") } h.log.WithFields(logrus.Fields{ "action": req.Action, "public_id": req.PublicID, "alias": alias, "user_id": req.User.ID, }).Info("sso user deleted") return c.Status(fiber.StatusOK).JSON(response.Common{ Code: fiber.StatusOK, Status: "success", Message: "User deleted successfully", }) } func (h *UserSyncController) registerNonce(ctx context.Context, alias, nonce string) error { ttl := h.nonceTTL if ttl <= 0 { ttl = defaultNonceTTL } key := fmt.Sprintf("sso:sync:%s:%s", alias, nonce) if h.redis != nil { stored, err := h.redis.SetNX(ctx, key, "1", ttl).Result() if err == nil { if !stored { return fiber.NewError(fiber.StatusUnauthorized, "nonce already used") } return nil } h.log.Errorf("store sync nonce failed: %v", err) } now := time.Now().UTC() if expRaw, ok := h.localNonces.Load(key); ok { if expTime, ok := expRaw.(time.Time); ok && expTime.After(now) { return fiber.NewError(fiber.StatusUnauthorized, "nonce already used") } } h.localNonces.Store(key, now.Add(ttl)) h.pruneLocalNonces(now) return nil } func (h *UserSyncController) calculateSignature(secret, alias, timestamp, nonce string, body []byte) []byte { mac := hmac.New(sha256.New, []byte(secret)) mac.Write([]byte(alias)) mac.Write([]byte("\n")) mac.Write([]byte(timestamp)) mac.Write([]byte("\n")) mac.Write([]byte(nonce)) mac.Write([]byte("\n")) mac.Write(body) return mac.Sum(nil) } func containsScope(scopes []string, target string) bool { target = strings.ToLower(strings.TrimSpace(target)) if target == "" { return false } for _, scope := range scopes { if strings.ToLower(strings.TrimSpace(scope)) == target { return true } } return false } func decodeSignature(sig string) ([]byte, error) { sig = strings.TrimSpace(sig) if sig == "" { return nil, errors.New("empty signature") } if decoded, err := hex.DecodeString(sig); err == nil { return decoded, nil } if decoded, err := base64.StdEncoding.DecodeString(sig); err == nil { return decoded, nil } if decoded, err := base64.URLEncoding.DecodeString(sig); err == nil { return decoded, nil } return nil, errors.New("unrecognized signature encoding") } func (h *UserSyncController) pruneLocalNonces(now time.Time) { h.localNonces.Range(func(key, value any) bool { exp, ok := value.(time.Time) if !ok || exp.Before(now) { h.localNonces.Delete(key) } return true }) }