gotosocial/internal/module/account/account.go

/*
   GoToSocial
   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU Affero General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU Affero General Public License for more details.

   You should have received a copy of the GNU Affero General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/

package account

import (
	"fmt"
	"net"
	"net/http"

	"github.com/gin-gonic/gin"
	"github.com/superseriousbusiness/gotosocial/internal/config"
	"github.com/superseriousbusiness/gotosocial/internal/db"
	"github.com/superseriousbusiness/gotosocial/internal/db/model"
	"github.com/superseriousbusiness/gotosocial/internal/module"
	"github.com/superseriousbusiness/gotosocial/internal/oauth"
	"github.com/superseriousbusiness/gotosocial/internal/router"
	"github.com/superseriousbusiness/gotosocial/pkg/mastotypes"
	"github.com/superseriousbusiness/oauth2/v4"
	"github.com/sirupsen/logrus"
)

const (
	basePath       = "/api/v1/accounts"
	basePathWithID = basePath + "/:id"
	verifyPath     = basePath + "/verify_credentials"
)

type accountModule struct {
	config      *config.Config
	db          db.DB
	oauthServer oauth.Server
	log         *logrus.Logger
}

// New returns a new account module
func New(config *config.Config, db db.DB, oauthServer oauth.Server, log *logrus.Logger) module.ClientAPIModule {
	return &accountModule{
		config: config,
		db:     db,
		oauthServer: oauthServer,
		log:    log,
	}
}

// Route attaches all routes from this module to the given router
func (m *accountModule) Route(r router.Router) error {
	r.AttachHandler(http.MethodPost, basePath, m.accountCreatePOSTHandler)
	r.AttachHandler(http.MethodGet, verifyPath, m.accountVerifyGETHandler)
	return nil
}

// accountCreatePOSTHandler handles create account requests, validates them,
// and puts them in the database if they're valid.
// It should be served as a POST at /api/v1/accounts
func (m *accountModule) accountCreatePOSTHandler(c *gin.Context) {
	l := m.log.WithField("func", "accountCreatePOSTHandler")
	authed, err := oauth.MustAuthed(c, true, true, false, false)
	if err != nil {
		l.Debugf("couldn't auth: %s", err)
		c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
		return
	}

	l.Trace("parsing request form")
	form := &mastotypes.AccountCreateRequest{}
	if err := c.ShouldBind(form); err != nil {
		l.Debugf("could not parse form from request: %s", err)
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}

	l.Tracef("validating form %+v", form)
	if err := validateCreateAccount(form, m.config.AccountsConfig, m.db); err != nil {
		l.Debugf("error validating form: %s", err)
		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
		return
	}

	clientIP := c.ClientIP()
	l.Tracef("attempting to parse client ip address %s", clientIP)
	signUpIP := net.ParseIP(clientIP)
	if signUpIP == nil {
		l.Debugf("error validating sign up ip address %s", clientIP)
		c.JSON(http.StatusBadRequest, gin.H{"error": "ip address could not be parsed from request"})
		return
	}

	ti, err := m.accountCreate(form, signUpIP, authed.Token, authed.Application)
	if err != nil {
		l.Errorf("internal server error while creating new account: %s", err)
		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
		return
	}

	c.JSON(http.StatusOK, ti)
}

// accountVerifyGETHandler serves a user's account details to them IF they reached this
// handler while in possession of a valid token, according to the oauth middleware.
// It should be served as a GET at /api/v1/accounts/verify_credentials
func (m *accountModule) accountVerifyGETHandler(c *gin.Context) {
	l := m.log.WithField("func", "AccountVerifyGETHandler")

	l.Trace("getting account details from session")
	i, ok := c.Get(oauth.SessionAuthorizedAccount)
	if !ok {
		l.Trace("no account in session, returning error to client")
		c.JSON(http.StatusUnauthorized, gin.H{"error": "The access token is invalid"})
		return
	}

	l.Trace("attempting to convert account interface into account struct...")
	acct, ok := i.(*model.Account)
	if !ok {
		l.Tracef("could not convert %+v into account struct, returning error to client", i)
		c.JSON(http.StatusUnauthorized, gin.H{"error": "The access token is invalid"})
		return
	}

	l.Tracef("retrieved account %+v, converting to mastosensitive...", acct)
	acctSensitive, err := m.db.AccountToMastoSensitive(acct)
	if err != nil {
		l.Tracef("could not convert account into mastosensitive account: %s", err)
		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
		return
	}

	l.Tracef("conversion successful, returning OK and mastosensitive account %+v", acctSensitive)
	c.JSON(http.StatusOK, acctSensitive)
}

/*
	HELPER FUNCTIONS
*/

// accountCreate does the dirty work of making an account and user in the database.
// It then returns a token to the caller, for use with the new account, as per the
// spec here: https://docs.joinmastodon.org/methods/accounts/
func (m *accountModule) accountCreate(form *mastotypes.AccountCreateRequest, signUpIP net.IP, token oauth2.TokenInfo, app *model.Application) (*mastotypes.Token, error) {
	l := m.log.WithField("func", "accountCreate")

	// don't store a reason if we don't require one
	reason := form.Reason
	if !m.config.AccountsConfig.ReasonRequired {
		reason = ""
	}

	l.Trace("creating new username and account")
	user, err := m.db.NewSignup(form.Username, reason, m.config.AccountsConfig.RequireApproval, form.Email, form.Password, signUpIP, form.Locale, app.ID)
	if err != nil {
		return nil, fmt.Errorf("error creating new signup in the database: %s", err)
	}

	l.Tracef("generating a token for user %s with account %s and application %s", user.ID, user.AccountID, app.ID)
	ti, err := m.oauthServer.GenerateUserAccessToken(token, app.ClientSecret, user.ID)
	if err != nil {
		return nil, fmt.Errorf("error creating new access token for user %s: %s", user.ID, err)
	}

	return &mastotypes.Token{
		AccessToken: ti.GetCode(),
		TokenType:   "Bearer",
		Scope:       ti.GetScope(),
		CreatedAt:   ti.GetCodeCreateAt().Unix(),
	}, nil
}
bits n bobs 2021-03-01 15:41:43 +01:00			`/*`
			`GoToSocial`
			`Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org`

			`This program is free software: you can redistribute it and/or modify`
			`it under the terms of the GNU Affero General Public License as published by`
			`the Free Software Foundation, either version 3 of the License, or`
			`(at your option) any later version.`

			`This program is distributed in the hope that it will be useful,`
			`but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`GNU Affero General Public License for more details.`

			`You should have received a copy of the GNU Affero General Public License`
			`along with this program. If not, see <http://www.gnu.org/licenses/>.`
			`*/`

Oauth/token (#7) * add host and protocol options * some fiddling * tidying up and comments * tick off /oauth/token * tidying a bit * tidying * go mod tidy * allow attaching middleware to server * add middleware * more user friendly * add comments * comments * store account + app * tidying * lots of restructuring * lint + tidy 2021-03-22 22:26:54 +01:00			`package account`

			`import (`
chunking away at it 2021-03-26 19:02:20 +01:00			`"fmt"`
			`"net"`
start work on accounts module 2021-03-23 13:17:54 +01:00			`"net/http"`

			`"github.com/gin-gonic/gin"`
relocate repo 2021-03-27 13:00:22 +01:00			`"github.com/superseriousbusiness/gotosocial/internal/config"`
			`"github.com/superseriousbusiness/gotosocial/internal/db"`
			`"github.com/superseriousbusiness/gotosocial/internal/db/model"`
			`"github.com/superseriousbusiness/gotosocial/internal/module"`
			`"github.com/superseriousbusiness/gotosocial/internal/oauth"`
			`"github.com/superseriousbusiness/gotosocial/internal/router"`
			`"github.com/superseriousbusiness/gotosocial/pkg/mastotypes"`
			`"github.com/superseriousbusiness/oauth2/v4"`
groundwork for other account routes 2021-03-24 17:34:41 +01:00			`"github.com/sirupsen/logrus"`
Oauth/token (#7) * add host and protocol options * some fiddling * tidying up and comments * tick off /oauth/token * tidying a bit * tidying * go mod tidy * allow attaching middleware to server * add middleware * more user friendly * add comments * comments * store account + app * tidying * lots of restructuring * lint + tidy 2021-03-22 22:26:54 +01:00			`)`

start work on accounts module 2021-03-23 13:17:54 +01:00			`const (`
			`basePath = "/api/v1/accounts"`
			`basePathWithID = basePath + "/:id"`
			`verifyPath = basePath + "/verify_credentials"`
			`)`

Oauth/token (#7) * add host and protocol options * some fiddling * tidying up and comments * tick off /oauth/token * tidying a bit * tidying * go mod tidy * allow attaching middleware to server * add middleware * more user friendly * add comments * comments * store account + app * tidying * lots of restructuring * lint + tidy 2021-03-22 22:26:54 +01:00			`type accountModule struct {`
chunking away at it 2021-03-26 19:02:20 +01:00			`config *config.Config`
			`db db.DB`
			`oauthServer oauth.Server`
			`log *logrus.Logger`
Oauth/token (#7) * add host and protocol options * some fiddling * tidying up and comments * tick off /oauth/token * tidying a bit * tidying * go mod tidy * allow attaching middleware to server * add middleware * more user friendly * add comments * comments * store account + app * tidying * lots of restructuring * lint + tidy 2021-03-22 22:26:54 +01:00			`}`

			`// New returns a new account module`
initialize oauth server properly 2021-03-27 16:28:13 +01:00			`func New(config config.Config, db db.DB, oauthServer oauth.Server, log logrus.Logger) module.ClientAPIModule {`
start work on accounts module 2021-03-23 13:17:54 +01:00			`return &accountModule{`
			`config: config,`
			`db: db,`
initialize oauth server properly 2021-03-27 16:28:13 +01:00			`oauthServer: oauthServer,`
validate new account requests 2021-03-25 20:10:10 +01:00			`log: log,`
start work on accounts module 2021-03-23 13:17:54 +01:00			`}`
Oauth/token (#7) * add host and protocol options * some fiddling * tidying up and comments * tick off /oauth/token * tidying a bit * tidying * go mod tidy * allow attaching middleware to server * add middleware * more user friendly * add comments * comments * store account + app * tidying * lots of restructuring * lint + tidy 2021-03-22 22:26:54 +01:00			`}`

			`// Route attaches all routes from this module to the given router`
			`func (m *accountModule) Route(r router.Router) error {`
validate new account requests 2021-03-25 20:10:10 +01:00			`r.AttachHandler(http.MethodPost, basePath, m.accountCreatePOSTHandler)`
			`r.AttachHandler(http.MethodGet, verifyPath, m.accountVerifyGETHandler)`
Oauth/token (#7) * add host and protocol options * some fiddling * tidying up and comments * tick off /oauth/token * tidying a bit * tidying * go mod tidy * allow attaching middleware to server * add middleware * more user friendly * add comments * comments * store account + app * tidying * lots of restructuring * lint + tidy 2021-03-22 22:26:54 +01:00			`return nil`
			`}`
start work on accounts module 2021-03-23 13:17:54 +01:00
chunking away at it 2021-03-26 19:02:20 +01:00			`// accountCreatePOSTHandler handles create account requests, validates them,`
			`// and puts them in the database if they're valid.`
			`// It should be served as a POST at /api/v1/accounts`
validate new account requests 2021-03-25 20:10:10 +01:00			`func (m accountModule) accountCreatePOSTHandler(c gin.Context) {`
chunking away at it 2021-03-26 19:02:20 +01:00			`l := m.log.WithField("func", "accountCreatePOSTHandler")`
some fiddling with tests 2021-03-26 23:48:21 +01:00			`authed, err := oauth.MustAuthed(c, true, true, false, false)`
chunking away at it 2021-03-26 19:02:20 +01:00			`if err != nil {`
			`l.Debugf("couldn't auth: %s", err)`
			`c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})`
validate new account requests 2021-03-25 20:10:10 +01:00			`return`
			`}`

			`l.Trace("parsing request form")`
			`form := &mastotypes.AccountCreateRequest{}`
			`if err := c.ShouldBind(form); err != nil {`
			`l.Debugf("could not parse form from request: %s", err)`
			`c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})`
			`return`
			`}`

			`l.Tracef("validating form %+v", form)`
chunking away at it 2021-03-26 19:02:20 +01:00			`if err := validateCreateAccount(form, m.config.AccountsConfig, m.db); err != nil {`
validate new account requests 2021-03-25 20:10:10 +01:00			`l.Debugf("error validating form: %s", err)`
			`c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})`
			`return`
groundwork for other account routes 2021-03-24 17:34:41 +01:00			`}`
chunking away at it 2021-03-26 19:02:20 +01:00
			`clientIP := c.ClientIP()`
			`l.Tracef("attempting to parse client ip address %s", clientIP)`
			`signUpIP := net.ParseIP(clientIP)`
			`if signUpIP == nil {`
			`l.Debugf("error validating sign up ip address %s", clientIP)`
			`c.JSON(http.StatusBadRequest, gin.H{"error": "ip address could not be parsed from request"})`
			`return`
			`}`

			`ti, err := m.accountCreate(form, signUpIP, authed.Token, authed.Application)`
			`if err != nil {`
			`l.Errorf("internal server error while creating new account: %s", err)`
			`c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})`
			`return`
			`}`

			`c.JSON(http.StatusOK, ti)`
groundwork for other account routes 2021-03-24 17:34:41 +01:00			`}`

validate new account requests 2021-03-25 20:10:10 +01:00			`// accountVerifyGETHandler serves a user's account details to them IF they reached this`
plodding away on the accounts endpoint 2021-03-23 22:13:01 +01:00			`// handler while in possession of a valid token, according to the oauth middleware.`
chunking away at it 2021-03-26 19:02:20 +01:00			`// It should be served as a GET at /api/v1/accounts/verify_credentials`
validate new account requests 2021-03-25 20:10:10 +01:00			`func (m accountModule) accountVerifyGETHandler(c gin.Context) {`
groundwork for other account routes 2021-03-24 17:34:41 +01:00			`l := m.log.WithField("func", "AccountVerifyGETHandler")`
validate new account requests 2021-03-25 20:10:10 +01:00
groundwork for other account routes 2021-03-24 17:34:41 +01:00			`l.Trace("getting account details from session")`
			`i, ok := c.Get(oauth.SessionAuthorizedAccount)`
plodding away on the accounts endpoint 2021-03-23 22:13:01 +01:00			`if !ok {`
groundwork for other account routes 2021-03-24 17:34:41 +01:00			`l.Trace("no account in session, returning error to client")`
plodding away on the accounts endpoint 2021-03-23 22:13:01 +01:00			`c.JSON(http.StatusUnauthorized, gin.H{"error": "The access token is invalid"})`
			`return`
			`}`

groundwork for other account routes 2021-03-24 17:34:41 +01:00			`l.Trace("attempting to convert account interface into account struct...")`
			`acct, ok := i.(*model.Account)`
			`if !ok {`
			`l.Tracef("could not convert %+v into account struct, returning error to client", i)`
start work on accounts module 2021-03-23 13:17:54 +01:00			`c.JSON(http.StatusUnauthorized, gin.H{"error": "The access token is invalid"})`
			`return`
			`}`

groundwork for other account routes 2021-03-24 17:34:41 +01:00			`l.Tracef("retrieved account %+v, converting to mastosensitive...", acct)`
plodding away on the accounts endpoint 2021-03-23 22:13:01 +01:00			`acctSensitive, err := m.db.AccountToMastoSensitive(acct)`
			`if err != nil {`
groundwork for other account routes 2021-03-24 17:34:41 +01:00			`l.Tracef("could not convert account into mastosensitive account: %s", err)`
plodding away on the accounts endpoint 2021-03-23 22:13:01 +01:00			`c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})`
			`return`
start work on accounts module 2021-03-23 13:17:54 +01:00			`}`

groundwork for other account routes 2021-03-24 17:34:41 +01:00			`l.Tracef("conversion successful, returning OK and mastosensitive account %+v", acctSensitive)`
plodding away on the accounts endpoint 2021-03-23 22:13:01 +01:00			`c.JSON(http.StatusOK, acctSensitive)`
start work on accounts module 2021-03-23 13:17:54 +01:00			`}`
chunking away at it 2021-03-26 19:02:20 +01:00
			`/*`
			`HELPER FUNCTIONS`
			`*/`

			`// accountCreate does the dirty work of making an account and user in the database.`
			`// It then returns a token to the caller, for use with the new account, as per the`
			`// spec here: https://docs.joinmastodon.org/methods/accounts/`
			`func (m accountModule) accountCreate(form mastotypes.AccountCreateRequest, signUpIP net.IP, token oauth2.TokenInfo, app model.Application) (mastotypes.Token, error) {`
			`l := m.log.WithField("func", "accountCreate")`

			`// don't store a reason if we don't require one`
			`reason := form.Reason`
			`if !m.config.AccountsConfig.ReasonRequired {`
			`reason = ""`
			`}`

			`l.Trace("creating new username and account")`
initialize oauth server properly 2021-03-27 16:28:13 +01:00			`user, err := m.db.NewSignup(form.Username, reason, m.config.AccountsConfig.RequireApproval, form.Email, form.Password, signUpIP, form.Locale, app.ID)`
chunking away at it 2021-03-26 19:02:20 +01:00			`if err != nil {`
			`return nil, fmt.Errorf("error creating new signup in the database: %s", err)`
			`}`

			`l.Tracef("generating a token for user %s with account %s and application %s", user.ID, user.AccountID, app.ID)`
			`ti, err := m.oauthServer.GenerateUserAccessToken(token, app.ClientSecret, user.ID)`
			`if err != nil {`
			`return nil, fmt.Errorf("error creating new access token for user %s: %s", user.ID, err)`
			`}`

			`return &mastotypes.Token{`
			`AccessToken: ti.GetCode(),`
			`TokenType: "Bearer",`
			`Scope: ti.GetScope(),`
			`CreatedAt: ti.GetCodeCreateAt().Unix(),`
			`}, nil`
			`}`