gotosocial/internal/api/auth/auth.go

/*
   GoToSocial
   Copyright (C) 2021-2023 GoToSocial Authors admin@gotosocial.org

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU Affero General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU Affero General Public License for more details.

   You should have received a copy of the GNU Affero General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

package auth

import (
	"net/http"

	"github.com/gin-contrib/sessions"
	"github.com/gin-gonic/gin"
	"github.com/superseriousbusiness/gotosocial/internal/db"
	"github.com/superseriousbusiness/gotosocial/internal/oidc"
	"github.com/superseriousbusiness/gotosocial/internal/processing"
)

const (
	/*
		paths prefixed with 'auth'
	*/

	// AuthSignInPath is the API path for users to sign in through
	AuthSignInPath = "/sign_in"
	// AuthCheckYourEmailPath users land here after registering a new account, instructs them to confirm their email
	AuthCheckYourEmailPath = "/check_your_email"
	// AuthWaitForApprovalPath users land here after confirming their email
	// but before an admin approves their account (if such is required)
	AuthWaitForApprovalPath = "/wait_for_approval"
	// AuthAccountDisabledPath users land here when their account is suspended by an admin
	AuthAccountDisabledPath = "/account_disabled"
	// AuthCallbackPath is the API path for receiving callback tokens from external OIDC providers
	AuthCallbackPath = "/callback"

	/*
		paths prefixed with 'oauth'
	*/

	// OauthTokenPath is the API path to use for granting token requests to users with valid credentials
	OauthTokenPath = "/token" // #nosec G101 else we get a hardcoded credentials warning
	// OauthAuthorizePath is the API path for authorization requests (eg., authorize this app to act on my behalf as a user)
	OauthAuthorizePath = "/authorize"
	// OauthFinalizePath is the API path for completing user registration with additional user details
	OauthFinalizePath = "/finalize"
	// OauthOobTokenPath is the path for serving an html representation of an oob token page.
	OauthOobTokenPath = "/oob" // #nosec G101 else we get a hardcoded credentials warning

	/*
		params / session keys
	*/

	callbackStateParam   = "state"
	callbackCodeParam    = "code"
	sessionUserID        = "userid"
	sessionClientID      = "client_id"
	sessionRedirectURI   = "redirect_uri"
	sessionForceLogin    = "force_login"
	sessionResponseType  = "response_type"
	sessionScope         = "scope"
	sessionInternalState = "internal_state"
	sessionClientState   = "client_state"
	sessionClaims        = "claims"
	sessionAppID         = "app_id"
)

type Module struct {
	db        db.DB
	processor *processing.Processor
	idp       oidc.IDP
}

// New returns an Auth module which provides both 'oauth' and 'auth' endpoints.
//
// It is safe to pass a nil idp if oidc is disabled.
func New(db db.DB, processor *processing.Processor, idp oidc.IDP) *Module {
	return &Module{
		db:        db,
		processor: processor,
		idp:       idp,
	}
}

// RouteAuth routes all paths that should have an 'auth' prefix
func (m *Module) RouteAuth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {
	attachHandler(http.MethodGet, AuthSignInPath, m.SignInGETHandler)
	attachHandler(http.MethodPost, AuthSignInPath, m.SignInPOSTHandler)
	attachHandler(http.MethodGet, AuthCallbackPath, m.CallbackGETHandler)
}

// RouteOauth routes all paths that should have an 'oauth' prefix
func (m *Module) RouteOauth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {
	attachHandler(http.MethodPost, OauthTokenPath, m.TokenPOSTHandler)
	attachHandler(http.MethodGet, OauthAuthorizePath, m.AuthorizeGETHandler)
	attachHandler(http.MethodPost, OauthAuthorizePath, m.AuthorizePOSTHandler)
	attachHandler(http.MethodPost, OauthFinalizePath, m.FinalizePOSTHandler)
	attachHandler(http.MethodGet, OauthOobTokenPath, m.OobHandler)
}

func (m *Module) clearSession(s sessions.Session) {
	s.Clear()
	if err := s.Save(); err != nil {
		panic(err)
	}
}
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`/*`
			`GoToSocial`
[chore] Update/add license headers for 2023 (#1304) 2023-01-05 12:43:00 +01:00			`Copyright (C) 2021-2023 GoToSocial Authors admin@gotosocial.org`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00
			`This program is free software: you can redistribute it and/or modify`
			`it under the terms of the GNU Affero General Public License as published by`
			`the Free Software Foundation, either version 3 of the License, or`
			`(at your option) any later version.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU Affero General Public License for more details.`

			`You should have received a copy of the GNU Affero General Public License`
			`along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

			`package auth`

			`import (`
			`"net/http"`

			`"github.com/gin-contrib/sessions"`
			`"github.com/gin-gonic/gin"`
			`"github.com/superseriousbusiness/gotosocial/internal/db"`
			`"github.com/superseriousbusiness/gotosocial/internal/oidc"`
			`"github.com/superseriousbusiness/gotosocial/internal/processing"`
			`)`

			`const (`
			`/*`
			`paths prefixed with 'auth'`
			`*/`

			`// AuthSignInPath is the API path for users to sign in through`
			`AuthSignInPath = "/sign_in"`
			`// AuthCheckYourEmailPath users land here after registering a new account, instructs them to confirm their email`
			`AuthCheckYourEmailPath = "/check_your_email"`
			`// AuthWaitForApprovalPath users land here after confirming their email`
			`// but before an admin approves their account (if such is required)`
			`AuthWaitForApprovalPath = "/wait_for_approval"`
			`// AuthAccountDisabledPath users land here when their account is suspended by an admin`
			`AuthAccountDisabledPath = "/account_disabled"`
			`// AuthCallbackPath is the API path for receiving callback tokens from external OIDC providers`
			`AuthCallbackPath = "/callback"`

			`/*`
			`paths prefixed with 'oauth'`
			`*/`

			`// OauthTokenPath is the API path to use for granting token requests to users with valid credentials`
			`OauthTokenPath = "/token" // #nosec G101 else we get a hardcoded credentials warning`
			`// OauthAuthorizePath is the API path for authorization requests (eg., authorize this app to act on my behalf as a user)`
			`OauthAuthorizePath = "/authorize"`
			`// OauthFinalizePath is the API path for completing user registration with additional user details`
			`OauthFinalizePath = "/finalize"`
			`// OauthOobTokenPath is the path for serving an html representation of an oob token page.`
			`OauthOobTokenPath = "/oob" // #nosec G101 else we get a hardcoded credentials warning`

			`/*`
			`params / session keys`
			`*/`

			`callbackStateParam = "state"`
			`callbackCodeParam = "code"`
			`sessionUserID = "userid"`
			`sessionClientID = "client_id"`
			`sessionRedirectURI = "redirect_uri"`
			`sessionForceLogin = "force_login"`
			`sessionResponseType = "response_type"`
			`sessionScope = "scope"`
			`sessionInternalState = "internal_state"`
			`sessionClientState = "client_state"`
			`sessionClaims = "claims"`
			`sessionAppID = "app_id"`
			`)`

			`type Module struct {`
			`db db.DB`
[chore] Deinterface processor and subprocessors (#1501) * [chore] Deinterface processor and subprocessors * expose subprocessors via function calls * missing license header 2023-02-22 16:05:26 +01:00			`processor *processing.Processor`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`idp oidc.IDP`
			`}`

			`// New returns an Auth module which provides both 'oauth' and 'auth' endpoints.`
			`//`
			`// It is safe to pass a nil idp if oidc is disabled.`
[chore] Deinterface processor and subprocessors (#1501) * [chore] Deinterface processor and subprocessors * expose subprocessors via function calls * missing license header 2023-02-22 16:05:26 +01:00			`func New(db db.DB, processor processing.Processor, idp oidc.IDP) Module {`
[chore] The Big Middleware and API Refactor (tm) (#1250) * interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths 2023-01-02 13:10:50 +01:00			`return &Module{`
			`db: db,`
			`processor: processor,`
			`idp: idp,`
			`}`
			`}`

			`// RouteAuth routes all paths that should have an 'auth' prefix`
			`func (m *Module) RouteAuth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {`
			`attachHandler(http.MethodGet, AuthSignInPath, m.SignInGETHandler)`
			`attachHandler(http.MethodPost, AuthSignInPath, m.SignInPOSTHandler)`
			`attachHandler(http.MethodGet, AuthCallbackPath, m.CallbackGETHandler)`
			`}`

			`// RouteOauth routes all paths that should have an 'oauth' prefix`
			`func (m *Module) RouteOauth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {`
			`attachHandler(http.MethodPost, OauthTokenPath, m.TokenPOSTHandler)`
			`attachHandler(http.MethodGet, OauthAuthorizePath, m.AuthorizeGETHandler)`
			`attachHandler(http.MethodPost, OauthAuthorizePath, m.AuthorizePOSTHandler)`
			`attachHandler(http.MethodPost, OauthFinalizePath, m.FinalizePOSTHandler)`
			`attachHandler(http.MethodGet, OauthOobTokenPath, m.OobHandler)`
			`}`

			`func (m *Module) clearSession(s sessions.Session) {`
			`s.Clear()`
			`if err := s.Save(); err != nil {`
			`panic(err)`
			`}`
			`}`