linstrom/storage/user.go

package storage

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"

	"github.com/go-webauthn/webauthn/webauthn"
	"github.com/google/uuid"
	"github.com/mstarongithub/passkey"
	"github.com/rs/zerolog/log"
	"gitlab.com/mstarongitlab/linstrom/ap"
	"gitlab.com/mstarongitlab/linstrom/util"
	"gorm.io/gorm"
)

// Database representation of a user account
// This can be a bot, remote or not
// If remote, this is used for caching the account
type Account struct {
	ID string `gorm:"primarykey"` // ID is a uuid for this account
	// Username of the user (eg "max" if the full username is @max@example.com)
	// Assume unchangable (once set by a user) to be kind to other implementations
	// Would be an easy avenue to fuck with them though
	Username  string    `gorm:"unique"`
	CreatedAt time.Time // When this entry was created. Automatically set by gorm
	// When this account was last updated. Will also be used for refreshing remote accounts. Automatically set by gorm
	UpdatedAt time.Time
	// When this entry was deleted (for soft deletions)
	// Soft delete means that this entry still exists in the db, but gorm won't include it anymore unless specifically told to
	// If not null, this entry is marked as deleted
	DeletedAt gorm.DeletedAt `gorm:"index"`
	// Server       RemoteServer   // `gorm:"foreignKey:ServerId;references:ID"` // The server this user is from
	ServerId     uint     // Id of the server this user is from, needed for including RemoteServer
	DisplayName  string   // The display name of the user. Can be different from the handle
	CustomFields []uint   `gorm:"serializer:json"` // IDs to the custom fields a user has
	Description  string   // The description of a user account
	Tags         []string `gorm:"serializer:json"` // Hashtags
	IsBot        bool     // Whether to mark this account as a script controlled one
	Relations    []uint   `gorm:"serializer:json"` // List of ids of all relations this account has. Both follows and followers
	Icon         string   // ID of a media file used as icon
	Background   *string  // ID of a media file used as background image
	Banner       *string  // ID of a media file used as banner
	Indexable    bool     // Whether this account can be found by crawlers
	PublicKey    []byte   // The public key of the account
	// Whether this account restricts following
	// If true, the owner must approve of a follow request first
	RestrictedFollow bool
	// List of things the owner identifies as
	// Example [cat human robot] means that the owner probably identifies as
	// a cyborg-catgirl/boy/human or a cathuman shaped robot, refer to Gender for pronouns
	IdentifiesAs []Being `gorm:"serializer:json"`
	// List of pronouns the owner identifies with
	// An unordered list since the owner can freely set it
	// Examples: [she her], [it they its them] or, if you want to go fancy, [this is super serious]
	Gender []string `gorm:"serializer:json"`
	// The roles assocciated with an account. Values are the names of the roles
	Roles []string `gorm:"serializer:json"`

	Location *string
	Birthday *time.Time

	// --- And internal account stuff ---
	// Still public fields since they wouldn't be able to be stored in the db otherwise
	PrivateKey []byte // The private key of the account. Nil if remote user
	WebAuthnId []byte // The unique and random ID of this account used for passkey authentication
	// Whether the account got verified and is allowed to be active
	// For local accounts being active means being allowed to login and perform interactions
	// For remote users, if an account is not verified, any interactions it sends are discarded
	Verified bool
	// TODO: Turn this into a map to give passkeys names.
	// Needed for supporting a decent passkey management interface.
	// Or check if webauthn.Credential has sufficiently easy to identify data
	// to use instead of a string mapping
	PasskeyCredentials []webauthn.Credential `gorm:"serializer:json"` // Webauthn credentials data
	// Has a RemoteAccountLinks included if remote user
	RemoteLinks *RemoteAccountLinks
}

// Contains static and cached info about a remote account, mostly links
type RemoteAccountLinks struct {
	// ---- Section: gorm
	// Sets this struct up as a value that an Account may have
	gorm.Model
	AccountID string

	// Just about every link here is optional to accomodate for servers with only minimal accounts
	// Minimal being handle, ap link and inbox
	ApLink           string
	ViewLink         *string
	FollowersLink    *string
	FollowingLink    *string
	InboxLink        string
	OutboxLink       *string
	FeaturedLink     *string
	FeaturedTagsLink *string
}

// Find an account in the db using a given full handle (@max@example.com)
// Returns an account and nil if an account is found, otherwise nil and the error
func (s *Storage) FindAccountByFullHandle(handle string) (*Account, error) {
	defer util.Untrace(util.Trace(&log.Logger))
	log.Debug().Str("account-handle", handle).Msg("Looking for account by handle")
	log.Debug().Str("account-handle", handle).Msg("Checking if there's a cache hit")

	// Try and find the account in cache first
	cacheAccId, err := s.cacheHandleToAccUid(handle)
	if err == nil {
		log.Info().Str("account-handle", handle).Msg("Hit account handle in cache")
		// Then always load via id since unique key access should be faster than string matching
		return s.FindAccountById(*cacheAccId)
	} else {
		if !errors.Is(err, errCacheNotFound) {
			log.Error().Err(err).Str("account-handle", handle).Msg("Problem while checking cache for account")
			return nil, err
		}
	}

	// Failed to find in cache, go the slow route of hitting the db
	log.Debug().Str("account-handle", handle).Msg("Didn't hit account in cache, going to db")
	name, server, err := ap.SplitFullHandle(handle)
	if err != nil {
		log.Warn().Err(err).Str("account-handle", handle).Msg("Failed to split up account handle")
		return nil, err
	}

	acc := Account{}
	res := s.db.Where("name = ?", name).Where("server = ?", server).First(&acc)
	if res.Error != nil {
		if errors.Is(res.Error, gorm.ErrRecordNotFound) {
			log.Info().Str("account-handle", handle).Msg("Account with handle not found")
		} else {
			log.Error().Err(err).Str("account-handle", handle).Msg("Failed to get account with handle")
		}
		return nil, res.Error
	}
	log.Info().Str("account-handle", handle).Msg("Found account, also inserting into cache")
	if err = s.cache.Set(cacheUserIdToAccPrefix+acc.ID, &acc); err != nil {
		log.Warn().
			Err(err).
			Str("account-handle", handle).
			Msg("Found account but failed to insert into cache")
	}
	if err = s.cache.Set(cacheUserHandleToIdPrefix+strings.TrimLeft(handle, "@"), acc.ID); err != nil {
		log.Warn().
			Err(err).
			Str("account-handle", handle).
			Msg("Failed to store handle to id in cache")
	}
	return &acc, nil
}

// Find an account given a specific ID
func (s *Storage) FindAccountById(id string) (*Account, error) {
	defer util.Untrace(util.Trace(&log.Logger))
	log.Debug().Str("account-id", id).Msg("Looking for account by id")
	log.Debug().Str("account-id", id).Msg("First trying to hit cache")
	acc, err := s.cacheAccIdToData(id)
	if err == nil {
		log.Info().Str("account-id", id).Msg("Found account in cache")
		return acc, nil
	} else if !errors.Is(err, errCacheNotFound) {
		log.Error().Err(err).Str("account-id", id).Msg("Error while looking for account in cache")
		return nil, err
	}

	log.Debug().Str("account-id", id).Msg("Didn't hit account in cache, checking db")
	acc = &Account{ID: id}
	res := s.db.First(acc)
	if res.Error != nil {
		if errors.Is(res.Error, gorm.ErrRecordNotFound) {
			log.Warn().Str("account-id", id).Msg("Account not found")
			return nil, ErrEntryNotFound
		} else {
			log.Error().Err(res.Error).Str("account-id", id).Msg("Failed to look for account")
			return nil, res.Error
		}
	}
	log.Info().Str("account-id", id).Msg("Found account in db, also adding to cache")
	if err = s.cache.Set(cacheUserIdToAccPrefix+id, acc); err != nil {
		log.Warn().Err(err).Str("account-id", id).Msg("Failed to add account to cache")
	}
	return acc, nil
}

func (s *Storage) FindLocalAccountByUsername(username string) (*Account, error) {
	defer util.Untrace(util.Trace(&log.Logger))
	log.Debug().Str("account-username", username).Msg("Looking for local account")
	log.Debug().Str("account-username", username).Msg("Checking cache first")

	// Try and find the account in cache first
	cacheAccId, err := s.cacheLocalUsernameToAccUid(username)
	if err == nil {
		log.Info().Str("account-username", username).Msg("Hit account handle in cache")
		// Then always load via id since unique key access should be faster than string matching
		return s.FindAccountById(*cacheAccId)
	} else {
		if err != errCacheNotFound {
			log.Error().Err(err).Str("account-username", username).Msg("Problem while checking cache for account")
			return nil, err
		}
	}

	// Failed to find in cache, go the slow route of hitting the db
	log.Debug().Str("account-username", username).Msg("Didn't hit account in cache, going to db")

	acc := Account{}
	res := s.db.Where("username = ?", username).
		Where("server_id = ?", serverSelf.ID).
		First(&acc)
	if res.Error != nil {
		if errors.Is(res.Error, gorm.ErrRecordNotFound) {
			log.Info().
				Str("account-username", username).
				Msg("Local account with username not found")
		} else {
			log.Error().Err(err).Str("account-username", username).Msg("Failed to get local account with username")
		}
		return nil, ErrEntryNotFound
	}
	log.Info().Str("account-username", username).Msg("Found account, also inserting into cache")
	if err = s.cache.Set(cacheUserIdToAccPrefix+acc.ID, &acc); err != nil {
		log.Warn().
			Err(err).
			Str("account-username", username).
			Msg("Found account but failed to insert into cache")
	}
	if err = s.cache.Set(cacheLocalUsernameToIdPrefix+username, acc.ID); err != nil {
		log.Warn().
			Err(err).
			Str("account-username", username).
			Msg("Failed to store local username to id in cache")
	}
	return &acc, nil
}

func (s *Storage) FindAccountByPasskeyId(pkeyId []byte) (*Account, error) {
	defer util.Untrace(util.Trace(&log.Logger))
	log.Debug().Bytes("account-passkey-id", pkeyId).Msg("Looking for account")
	log.Debug().Bytes("account-passkey-id", pkeyId).Msg("Checking cache first")

	// Try and find the account in cache first
	cacheAccId, err := s.cachePkeyIdToAccId(pkeyId)
	if err == nil {
		log.Info().Bytes("account-passkey-id", pkeyId).Msg("Hit passkey id in cache")
		// Then always load via id since unique key access should be faster than string matching
		return s.FindAccountById(*cacheAccId)
	} else {
		if err != errCacheNotFound {
			log.Error().Err(err).Bytes("account-passkey-id", pkeyId).Msg("Problem while checking cache for account")
			return nil, err
		}
	}

	// Failed to find in cache, go the slow route of hitting the db
	log.Debug().Bytes("account-passkey-id", pkeyId).Msg("Didn't hit account in cache, going to db")

	acc := Account{}
	res := s.db.Where("web_authn_id = ?", pkeyId).
		First(&acc)
	if res.Error != nil {
		if res.Error == gorm.ErrRecordNotFound {
			log.Info().
				Bytes("account-passkey-id", pkeyId).
				Msg("Local account with passkey id not found")
			return nil, ErrEntryNotFound
		} else {
			log.Error().Err(res.Error).Bytes("account-passkey-id", pkeyId).Msg("Failed to get local account with passkey id")
			return nil, res.Error
		}
	}
	log.Info().Bytes("account-passkey-id", pkeyId).Msg("Found account, also inserting into cache")
	// if err = s.cache.Set(cacheUserIdToAccPrefix+acc.ID, &acc); err != nil {
	// 	log.Warn().
	// 		Err(err).
	// 		Bytes("account-passkey-id", pkeyId).
	// 		Msg("Found account but failed to insert into cache")
	// }
	// if err = s.cache.Set(cachePasskeyIdToAccIdPrefix+string(pkeyId), acc.ID); err != nil {
	// 	log.Warn().
	// 		Err(err).
	// 		Bytes("account-passkey-id", pkeyId).
	// 		Msg("Failed to store local username to id in cache")
	// }
	return &acc, nil
}

// Update a given account in storage and cache
func (s *Storage) UpdateAccount(acc *Account) error {
	defer util.Untrace(util.Trace(&log.Logger))
	// If the account is nil or doesn't have an id, error out
	if acc == nil || acc.ID == "" {
		return ErrInvalidData
	}
	res := s.db.Save(acc)
	if res.Error != nil {
		return res.Error
	}
	if err := s.cache.Set(cacheUserIdToAccPrefix+acc.ID, acc); err != nil {
		return err
	}
	return nil
}

// Create a new empty account for future use
func (s *Storage) NewEmptyAccount() (*Account, error) {
	defer util.Untrace(util.Trace(&log.Logger))
	log.Debug().Msg("Creating new empty account")
	acc := Account{}
	// Generate the 64 bit id for passkey and webauthn stuff
	log.Debug().Msg("Creating webauthn id for new account")
	data := make([]byte, 64)
	c, err := rand.Read(data)
	for err != nil || c != len(data) || c < 64 {
		data = make([]byte, 64)
		c, err = rand.Read(data)
	}
	log.Debug().Msg("Random webauthn id for new account created")
	acc.ID = uuid.NewString()

	accountRole, err := s.NewEmptyRole(acc.ID)
	if err != nil {
		return nil, fmt.Errorf("failed to generate account role for new account: %w", err)
	}
	accountRole.IsUserRole = true
	if err = s.UpdateRole(accountRole); err != nil {
		return nil, fmt.Errorf("failed to generate account role for new account: %w", err)
	}

	acc.WebAuthnId = data
	acc.Relations = []uint{}
	acc.Tags = []string{}
	acc.Gender = []string{}
	acc.CustomFields = []uint{}
	acc.IdentifiesAs = []Being{}
	acc.PasskeyCredentials = []webauthn.Credential{}
	acc.Roles = []string{DefaultUserRole.Name, accountRole.Name}
	acc.Icon = "placeholder"
	log.Debug().Any("account", &acc).Msg("Saving new account in db")
	res := s.db.Save(&acc)
	if res.Error != nil {
		log.Error().Err(res.Error).Msg("Failed to safe new account")
		return nil, res.Error
	}
	log.Info().Str("account-id", acc.ID).Msg("Created new account")
	return &acc, nil
}

// Create a new local account using the given handle
// The handle in this case is only the part before the domain (example: @bob@example.com would have a handle of bob)
// It also sets up a bunch of values that tend to be obvious for local accounts
func (s *Storage) NewLocalAccount(handle string) (*Account, error) {
	defer util.Untrace(util.Trace(&log.Logger))
	log.Trace().Caller().Send()
	log.Debug().Str("account-handle", handle).Msg("Creating new local account")
	acc, err := s.NewEmptyAccount()
	if err != nil {
		log.Error().Err(err).Msg("Failed to create empty account for use")
		return nil, err
	}
	acc.Username = handle
	// acc.Server = serverSelf
	acc.ServerId = serverSelf.ID
	acc.DisplayName = handle

	publicKey, privateKey, err := ed25519.GenerateKey(nil)
	if err != nil {
		log.Error().Err(err).Msg("Failed to generate key pair for new local account")
		return nil, err
	}
	acc.PrivateKey = privateKey
	acc.PublicKey = publicKey

	log.Debug().
		Str("account-handle", handle).
		Str("account-id", acc.ID).
		Msg("Saving new local account")
	res := s.db.Save(acc)
	if res.Error != nil {
		log.Error().Err(res.Error).Any("account-full", acc).Msg("Failed to save local account")
		return nil, res.Error
	}
	log.Info().
		Str("account-handle", handle).
		Str("account-id", acc.ID).
		Msg("Created new local account")
	return acc, nil
}

func (s *Storage) DeleteAccount(accId string) error {
	defer util.Untrace(util.Trace(&log.Logger))
	return s.db.Delete(&Account{ID: accId}).Error
}

// ---- Section WebAuthn.User
// Implements the webauthn.User interface for interaction with passkeys

func (a *Account) WebAuthnID() []byte {
	defer util.Untrace(util.Trace(&log.Logger))
	return a.WebAuthnId
}

func (u *Account) WebAuthnName() string {
	defer util.Untrace(util.Trace(&log.Logger))
	return u.Username
}

func (u *Account) WebAuthnDisplayName() string {
	defer util.Untrace(util.Trace(&log.Logger))
	return u.DisplayName
}

func (u *Account) WebAuthnCredentials() []webauthn.Credential {
	defer util.Untrace(util.Trace(&log.Logger))
	return u.PasskeyCredentials
}

func (u *Account) WebAuthnIcon() string {
	defer util.Untrace(util.Trace(&log.Logger))
	return ""
}

// ---- Section passkey.User
// Implements the passkey.User interface

func (u *Account) PutCredential(new webauthn.Credential) {
	defer util.Untrace(util.Trace(&log.Logger))
	u.PasskeyCredentials = append(u.PasskeyCredentials, new)
}

// Section passkey.UserStore
// Implements the passkey.UserStore interface

func (s *Storage) GetOrCreateUser(userID string) passkey.User {
	defer util.Untrace(util.Trace(&log.Logger))
	log.Debug().
		Str("account-handle", userID).
		Msg("Looking for or creating account for passkey stuff")
	acc := &Account{}
	res := s.db.Where(Account{Username: userID, ServerId: serverSelf.ID}).
		First(acc)
	if errors.Is(res.Error, gorm.ErrRecordNotFound) {
		log.Debug().Str("account-handle", userID)
		var err error
		acc, err = s.NewLocalAccount(userID)
		if err != nil {
			log.Error().
				Err(err).
				Str("account-handle", userID).
				Msg("Failed to create new account for webauthn request")
			return nil
		}
	}
	return acc
}

func (s *Storage) GetUserByWebAuthnId(id []byte) passkey.User {
	defer util.Untrace(util.Trace(&log.Logger))
	log.Debug().Bytes("webauthn-id", id).Msg("Looking for account with webauthn id")
	acc := Account{}
	res := s.db.Where(Account{WebAuthnId: id}).First(&acc)
	if res.Error != nil {
		log.Error().
			Err(res.Error).
			Bytes("webauthn-id", id).
			Msg("Failed to find user with webauthn ID")
		return nil
	}
	log.Info().Msg("Found account with given webauthn id")
	return &acc
}

func (s *Storage) SaveUser(rawUser passkey.User) {
	defer util.Untrace(util.Trace(&log.Logger))
	user, ok := rawUser.(*Account)
	if !ok {
		log.Error().Any("raw-user", rawUser).Msg("Failed to cast raw user to db account")
	}
	s.db.Save(user)
}