Fix bug where a client could not authorize

Author: NHAS

internal/data/devices.go

@@ -8,6 +8,7 @@ import (
 	"net"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/NHAS/wag/internal/config"
 	"github.com/NHAS/wag/internal/utils"
@@ -24,7 +25,7 @@ type Device struct {
 	Endpoint     *net.UDPAddr
 	Attempts     int
 	Active       bool
-	Authorised   bool
+	Authorised   time.Time
 }
 
 func stringToUDPaddr(address string) (r *net.UDPAddr) {
@@ -96,6 +97,7 @@ func GetDevice(username, id string) (device Device, err error) {
 	return
 }
 
+// Set device as authorized and clear authentication attempts
 func AuthoriseDevice(username, address string) error {
 	return doSafeUpdate(context.Background(), deviceKey(username, address), func(gr *clientv3.GetResponse) (string, bool, error) {
 		if len(gr.Kvs) != 1 {
@@ -114,7 +116,12 @@ func AuthoriseDevice(username, address string) error {
 			return "", false, err
 		}
 
-		device.Authorised = !u.Locked
+		if u.Locked {
+			return "", false, errors.New("account is locked")
+		}
+
+		device.Authorised = time.Now()
+		device.Attempts = 0
 
 		b, _ := json.Marshal(device)
 
@@ -144,7 +151,7 @@ func DeauthenticateDevice(address string) error {
 			return "", false, err
 		}
 
-		device.Authorised = false
+		device.Authorised = time.Time{}
 
 		b, _ := json.Marshal(device)
 

internal/data/events.go

@@ -64,7 +64,6 @@ func addWatcher[I any, T WatcherFuncType[I]](watcher T, existingWatches *[]T) {
 func execWatchers[I any, T WatcherFuncType[I]](watchers []T, data I, state int) {
 	lck.RLock()
 
-	log.Println(len(watchers), data)
 	for _, watcher := range watchers {
 		go watcher(data, state)
 	}

internal/router/statemachine.go

@@ -18,6 +18,9 @@ func handleEvents(erroChan chan<- error) {
 }
 
 func deviceChanges(device data.BasicEvent[data.Device], state int) {
+
+	log.Printf("state: %d, event: %+v", state, device)
+
 	switch state {
 	case data.DELETED:
 		err := RemovePeer(device.CurrentValue.Publickey, device.CurrentValue.Address)
@@ -42,16 +45,21 @@ func deviceChanges(device data.BasicEvent[data.Device], state int) {
 			}
 		}
 
-		if (device.CurrentValue.Attempts != device.Previous.Attempts && device.CurrentValue.Attempts > config.Values().Lockout) ||
-			device.CurrentValue.Endpoint.String() != device.Previous.Endpoint.String() {
+		if (device.CurrentValue.Attempts != device.Previous.Attempts && device.CurrentValue.Attempts > config.Values().Lockout) || // If the number of authentication attempts on a device has exceeded the max
+			device.CurrentValue.Endpoint.String() != device.Previous.Endpoint.String() || // If the client ip has changed
+			device.CurrentValue.Authorised.IsZero() { // If we've explicitly deauthorised a device
 			err := Deauthenticate(device.CurrentValue.Address)
 			if err != nil {
 				log.Println(err)
 			}
 		}
 
 		if device.CurrentValue.Authorised != device.Previous.Authorised {
-			if device.CurrentValue.Attempts <= config.Values().Lockout {
+			log.Println("authorisation state changed on device")
+
+			if !device.CurrentValue.Authorised.IsZero() && device.CurrentValue.Attempts <= config.Values().Lockout {
+
+				log.Println("authorising device")
 				err := SetAuthorized(device.CurrentValue.Address, device.CurrentValue.Username)
 				if err != nil {
 					log.Println(err)

internal/users/user.go

@@ -3,6 +3,7 @@ package users
 import (
 	"errors"
 	"fmt"
+	"log"
 	"net"
 
 	"github.com/NHAS/wag/internal/config"
@@ -140,19 +141,17 @@ func (u *user) Authenticate(device, mfaType string, authenticator authenticators
 		}
 	}
 
-	err = u.ResetDeviceAuthAttempts(device)
-	if err != nil {
-		return fmt.Errorf("%s %s unable to reset number of mfa attempts: %s", u.Username, device, err)
-	}
-
 	err = data.AuthoriseDevice(u.Username, device)
 	if err != nil {
 		return fmt.Errorf("%s %s unable to reset number of mfa attempts: %s", u.Username, device, err)
 	}
 
+	log.Println("untrace")
 	return nil
 }
 
+//
+
 func (u *user) Deauthenticate(device string) error {
 	return data.DeauthenticateDevice(device)
 }