gotosocial/internal/api/auth/oob.go

// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package auth

import (
	"errors"

	apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util"
	"github.com/gin-contrib/sessions"
	"github.com/gin-gonic/gin"
)

// OOBTokenGETHandler parses the OAuth code from the query
// params and serves a nice little HTML page showing the code.
func (m *Module) OOBTokenGETHandler(c *gin.Context) {
	s := sessions.Default(c)

	oobToken := c.Query("code")
	if oobToken == "" {
		const errText = "no 'code' query value provided in callback redirect"
		m.clearSessionWithBadRequest(c, s, errors.New(errText), errText)
		return
	}

	user := m.mustUserFromSession(c, s)
	if user == nil {
		// Error already
		// written.
		return
	}

	scope := m.mustStringFromSession(c, s, sessionScope)
	if scope == "" {
		// Error already
		// written.
		return
	}

	// We're done with
	// the session now.
	m.mustClearSession(s)

	instance, errWithCode := m.processor.InstanceGetV1(c.Request.Context())
	if errWithCode != nil {
		apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)
		return
	}

	apiutil.TemplateWebPage(c, apiutil.WebPage{
		Template: "oob.tmpl",
		Instance: instance,
		Extra: map[string]any{
			"user":     user.Account.Username,
			"oobToken": oobToken,
			"scope":    scope,
		},
	})
}
[chore] Improve copyright header handling (#1608) * [chore] Remove years from all license headers Years or year ranges aren't required in license headers. Many projects have removed them in recent years and it avoids a bit of yearly toil. In many cases our copyright claim was also a bit dodgy since we added the 2021-2023 header to files created after 2021 but you can't claim copyright into the past that way. * [chore] Add license header check This ensures a license header is always added to any new file. This avoids maintainers/reviewers needing to remember to check for and ask for it in case a contribution doesn't include it. * [chore] Add missing license headers * [chore] Further updates to license header * Use the more common // indentend comment format * Remove the hack we had for the linter now that we use the // format * Add SPDX license identifier 2023-03-12 16:00:57 +01:00			`// GoToSocial`
			`// Copyright (C) GoToSocial Authors admin@gotosocial.org`
			`// SPDX-License-Identifier: AGPL-3.0-or-later`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU Affero General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU Affero General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Affero General Public License`
			`// along with this program. If not, see <http://www.gnu.org/licenses/>.`
[feature] `oob` oauth token support (#889) * move helpful advice into oauth server * rewrite HandleAuthorizeRequest to allow oob 2022-10-08 13:49:56 +02:00
			`package auth`

			`import (`
			`"errors"`

[feature] Move to code.superseriousbusiness.org 2025-04-26 15:34:10 +02:00			`apiutil "code.superseriousbusiness.org/gotosocial/internal/api/util"`
[feature] `oob` oauth token support (#889) * move helpful advice into oauth server * rewrite HandleAuthorizeRequest to allow oob 2022-10-08 13:49:56 +02:00			`"github.com/gin-contrib/sessions"`
			`"github.com/gin-gonic/gin"`
			`)`

[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`// OOBTokenGETHandler parses the OAuth code from the query`
			`// params and serves a nice little HTML page showing the code.`
			`func (m Module) OOBTokenGETHandler(c gin.Context) {`
			`s := sessions.Default(c)`
[feature] `oob` oauth token support (#889) * move helpful advice into oauth server * rewrite HandleAuthorizeRequest to allow oob 2022-10-08 13:49:56 +02:00
			`oobToken := c.Query("code")`
			`if oobToken == "" {`
[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`const errText = "no 'code' query value provided in callback redirect"`
			`m.clearSessionWithBadRequest(c, s, errors.New(errText), errText)`
[feature] `oob` oauth token support (#889) * move helpful advice into oauth server * rewrite HandleAuthorizeRequest to allow oob 2022-10-08 13:49:56 +02:00			`return`
			`}`

[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`user := m.mustUserFromSession(c, s)`
			`if user == nil {`
			`// Error already`
			`// written.`
[feature] `oob` oauth token support (#889) * move helpful advice into oauth server * rewrite HandleAuthorizeRequest to allow oob 2022-10-08 13:49:56 +02:00			`return`
			`}`

[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`scope := m.mustStringFromSession(c, s, sessionScope)`
			`if scope == "" {`
			`// Error already`
			`// written.`
[feature] `oob` oauth token support (#889) * move helpful advice into oauth server * rewrite HandleAuthorizeRequest to allow oob 2022-10-08 13:49:56 +02:00			`return`
			`}`

[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`// We're done with`
			`// the session now.`
			`m.mustClearSession(s)`

			`instance, errWithCode := m.processor.InstanceGetV1(c.Request.Context())`
			`if errWithCode != nil {`
			`apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1)`
[feature] `oob` oauth token support (#889) * move helpful advice into oauth server * rewrite HandleAuthorizeRequest to allow oob 2022-10-08 13:49:56 +02:00			`return`
			`}`

[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`apiutil.TemplateWebPage(c, apiutil.WebPage{`
[chore] Refactor HTML templates and CSS (#2480) * [chore] Refactor HTML templates and CSS * eslint * ignore "Local" * rss tests * fiddle with OG just a tiny bit * dick around with polls a bit more so SR stops saying "clickable" * remove break * oh lord * don't lazy load avatar * fix ogmeta tests * clean up some cruft * catch remaining calls to c.HTML * fix error rendering + stack overflow in tag * allow templating attributes * fix indent * set aria-hidden on status complementary content, since it's already present in the label anyway * tidy up templating calls a little * try to make styling a bit more consistent + readable * fix up some remaining CSS issues * fix up reports 2023-12-27 11:23:52 +01:00			`Template: "oob.tmpl",`
			`Instance: instance,`
			`Extra: map[string]any{`
[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`"user": user.Account.Username,`
[chore] Refactor HTML templates and CSS (#2480) * [chore] Refactor HTML templates and CSS * eslint * ignore "Local" * rss tests * fiddle with OG just a tiny bit * dick around with polls a bit more so SR stops saying "clickable" * remove break * oh lord * don't lazy load avatar * fix ogmeta tests * clean up some cruft * catch remaining calls to c.HTML * fix error rendering + stack overflow in tag * allow templating attributes * fix indent * set aria-hidden on status complementary content, since it's already present in the label anyway * tidy up templating calls a little * try to make styling a bit more consistent + readable * fix up some remaining CSS issues * fix up reports 2023-12-27 11:23:52 +01:00			`"oobToken": oobToken,`
			`"scope": scope,`
			`},`
[feature] add TOTP two-factor authentication (2FA) (#3960) * [feature] add TOTP two-factor authentication (2FA) * use byteutil.S2B to avoid allocations when comparing + generating password hashes * don't bother with string conversion for consts * use io.ReadFull * use MustGenerateSecret for backup codes * rename util functions 2025-04-07 16:14:41 +02:00			`})`
[feature] `oob` oauth token support (#889) * move helpful advice into oauth server * rewrite HandleAuthorizeRequest to allow oob 2022-10-08 13:49:56 +02:00			`}`