gotosocial/internal/api/auth/auth.go

// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package auth

import (
	"net/http"

	"github.com/gin-gonic/gin"
	"github.com/superseriousbusiness/gotosocial/internal/oidc"
	"github.com/superseriousbusiness/gotosocial/internal/processing"
	"github.com/superseriousbusiness/gotosocial/internal/state"
)

const (
	/*
		paths prefixed with 'auth'
	*/

	AuthSignInPath          = "/sign_in"
	Auth2FAPath             = "/2fa"
	AuthCheckYourEmailPath  = "/check_your_email"
	AuthWaitForApprovalPath = "/wait_for_approval"
	AuthAccountDisabledPath = "/account_disabled"
	AuthCallbackPath        = "/callback"

	/*
		paths prefixed with 'oauth'
	*/

	OauthAuthorizePath = "/authorize"
	OauthFinalizePath  = "/finalize"
	OauthOOBTokenPath  = "/oob"   // #nosec G101 else we get a hardcoded credentials warning
	OauthTokenPath     = "/token" // #nosec G101 else we get a hardcoded credentials warning
	OauthRevokePath    = "/revoke"

	/*
		params / session keys
	*/

	callbackStateParam       = "state"
	callbackCodeParam        = "code"
	sessionUserID            = "userid"
	sessionUserIDAwaiting2FA = "userid_awaiting_2fa"
	sessionClientID          = "client_id"
	sessionRedirectURI       = "redirect_uri"
	sessionForceLogin        = "force_login"
	sessionResponseType      = "response_type"
	sessionScope             = "scope"
	sessionInternalState     = "internal_state"
	sessionClientState       = "client_state"
	sessionClaims            = "claims"
	sessionAppID             = "app_id"
)

type Module struct {
	state     *state.State
	processor *processing.Processor
	idp       oidc.IDP
}

// New returns an Auth module which provides
// both 'oauth' and 'auth' endpoints.
//
// It is safe to pass a nil idp if oidc is disabled.
func New(
	state *state.State,
	processor *processing.Processor,
	idp oidc.IDP,
) *Module {
	return &Module{
		state:     state,
		processor: processor,
		idp:       idp,
	}
}

// RouteAuth routes all paths that should have an 'auth' prefix
func (m *Module) RouteAuth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {
	attachHandler(http.MethodGet, AuthSignInPath, m.SignInGETHandler)
	attachHandler(http.MethodPost, AuthSignInPath, m.SignInPOSTHandler)
	attachHandler(http.MethodGet, Auth2FAPath, m.TwoFactorCodeGETHandler)
	attachHandler(http.MethodPost, Auth2FAPath, m.TwoFactorCodePOSTHandler)
	attachHandler(http.MethodGet, AuthCallbackPath, m.CallbackGETHandler)
}

// RouteOAuth routes all paths that should have an 'oauth' prefix
func (m *Module) RouteOAuth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {
	attachHandler(http.MethodPost, OauthTokenPath, m.TokenPOSTHandler)
	attachHandler(http.MethodPost, OauthRevokePath, m.TokenRevokePOSTHandler)
	attachHandler(http.MethodGet, OauthAuthorizePath, m.AuthorizeGETHandler)
	attachHandler(http.MethodPost, OauthAuthorizePath, m.AuthorizePOSTHandler)
	attachHandler(http.MethodPost, OauthFinalizePath, m.FinalizePOSTHandler)
	attachHandler(http.MethodGet, OauthOOBTokenPath, m.OOBTokenGETHandler)
}
[chore] Improve copyright header handling (#1608) * [chore] Remove years from all license headers Years or year ranges aren't required in license headers. Many projects have removed them in recent years and it avoids a bit of yearly toil. In many cases our copyright claim was also a bit dodgy since we added the 2021-2023 header to files created after 2021 but you can't claim copyright into the past that way. * [chore] Add license header check This ensures a license header is always added to any new file. This avoids maintainers/reviewers needing to remember to check for and ask for it in case a contribution doesn't include it. * [chore] Add missing license headers * [chore] Further updates to license header * Use the more common // indentend comment format * Remove the hack we had for the linter now that we use the // format * Add SPDX license identifier 2023-03-12 16:00:57 +01:00			`// GoToSocial`
			`// Copyright (C) GoToSocial Authors admin@gotosocial.org`
			`// SPDX-License-Identifier: AGPL-3.0-or-later`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU Affero General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU Affero General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Affero General Public License`
			`// along with this program. If not, see <http://www.gnu.org/licenses/>.`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00
			`package auth`

			`import (`
			`"net/http"`

			`"github.com/gin-gonic/gin"`
			`"github.com/superseriousbusiness/gotosocial/internal/oidc"`
			`"github.com/superseriousbusiness/gotosocial/internal/processing"`
[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`"github.com/superseriousbusiness/gotosocial/internal/state"`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`)`

			`const (`
			`/*`
			`paths prefixed with 'auth'`
			`*/`

[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`AuthSignInPath = "/sign_in"`
			`Auth2FAPath = "/2fa"`
			`AuthCheckYourEmailPath = "/check_your_email"`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`AuthWaitForApprovalPath = "/wait_for_approval"`
			`AuthAccountDisabledPath = "/account_disabled"`
[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`AuthCallbackPath = "/callback"`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00
			`/*`
			`paths prefixed with 'oauth'`
			`*/`

			`OauthAuthorizePath = "/authorize"`
[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`OauthFinalizePath = "/finalize"`
			`OauthOOBTokenPath = "/oob" // #nosec G101 else we get a hardcoded credentials warning`
			`OauthTokenPath = "/token" // #nosec G101 else we get a hardcoded credentials warning`
[feature] Implement /oauth/revoke for token revocation (#3983) 2025-04-10 16:24:17 +02:00			`OauthRevokePath = "/revoke"`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00
			`/*`
			`params / session keys`
			`*/`

[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`callbackStateParam = "state"`
			`callbackCodeParam = "code"`
			`sessionUserID = "userid"`
			`sessionUserIDAwaiting2FA = "userid_awaiting_2fa"`
			`sessionClientID = "client_id"`
			`sessionRedirectURI = "redirect_uri"`
			`sessionForceLogin = "force_login"`
			`sessionResponseType = "response_type"`
			`sessionScope = "scope"`
			`sessionInternalState = "internal_state"`
			`sessionClientState = "client_state"`
			`sessionClaims = "claims"`
			`sessionAppID = "app_id"`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`)`

			`type Module struct {`
[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`state *state.State`
[chore] Deinterface processor and subprocessors (#1501) * [chore] Deinterface processor and subprocessors * expose subprocessors via function calls * missing license header 2023-02-22 16:05:26 +01:00			`processor *processing.Processor`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`idp oidc.IDP`
			`}`

[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`// New returns an Auth module which provides`
			`// both 'oauth' and 'auth' endpoints.`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`//`
			`// It is safe to pass a nil idp if oidc is disabled.`
[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`func New(`
			`state *state.State,`
			`processor *processing.Processor,`
			`idp oidc.IDP,`
			`) *Module {`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`return &Module{`
[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`state: state,`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`processor: processor,`
			`idp: idp,`
			`}`
			`}`

			`// RouteAuth routes all paths that should have an 'auth' prefix`
			`func (m *Module) RouteAuth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {`
			`attachHandler(http.MethodGet, AuthSignInPath, m.SignInGETHandler)`
			`attachHandler(http.MethodPost, AuthSignInPath, m.SignInPOSTHandler)`
[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`attachHandler(http.MethodGet, Auth2FAPath, m.TwoFactorCodeGETHandler)`
			`attachHandler(http.MethodPost, Auth2FAPath, m.TwoFactorCodePOSTHandler)`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`attachHandler(http.MethodGet, AuthCallbackPath, m.CallbackGETHandler)`
			`}`

[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`// RouteOAuth routes all paths that should have an 'oauth' prefix`
			`func (m *Module) RouteOAuth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`attachHandler(http.MethodPost, OauthTokenPath, m.TokenPOSTHandler)`
[feature] Implement /oauth/revoke for token revocation (#3983) 2025-04-10 16:24:17 +02:00			`attachHandler(http.MethodPost, OauthRevokePath, m.TokenRevokePOSTHandler)`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`attachHandler(http.MethodGet, OauthAuthorizePath, m.AuthorizeGETHandler)`
			`attachHandler(http.MethodPost, OauthAuthorizePath, m.AuthorizePOSTHandler)`
			`attachHandler(http.MethodPost, OauthFinalizePath, m.FinalizePOSTHandler)`
[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`attachHandler(http.MethodGet, OauthOOBTokenPath, m.OOBTokenGETHandler)`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`}`