From 13d4fda7faaad48f0f0c8d105bbdc3ea9b21c718 Mon Sep 17 00:00:00 2001 From: tsmethurst Date: Wed, 31 Mar 2021 10:49:07 +0200 Subject: [PATCH] rearranging my package ;) ;) ;) --- internal/apimodule/account/account.go | 66 +++ .../account/account_test.go | 0 internal/apimodule/account/accountcreate.go | 155 +++++++ .../account/accountupdate.go} | 188 -------- internal/apimodule/account/accountverify.go | 50 +++ .../module.go => apimodule/apimodule.go} | 4 +- internal/apimodule/app/app.go | 52 +++ .../{module => apimodule}/app/app_test.go | 0 .../app/app.go => apimodule/app/appcreate.go} | 27 -- internal/{module => apimodule}/auth/README.md | 0 internal/apimodule/auth/auth.go | 70 +++ .../{module => apimodule}/auth/auth_test.go | 0 internal/apimodule/auth/authorize.go | 204 +++++++++ internal/apimodule/auth/middleware.go | 76 ++++ internal/apimodule/auth/signin.go | 115 +++++ internal/apimodule/auth/token.go | 36 ++ .../mock_ClientAPIModule.go | 2 +- internal/distributor/distributor.go | 2 +- internal/module/auth/auth.go | 410 ------------------ 19 files changed, 828 insertions(+), 629 deletions(-) create mode 100644 internal/apimodule/account/account.go rename internal/{module => apimodule}/account/account_test.go (100%) create mode 100644 internal/apimodule/account/accountcreate.go rename internal/{module/account/account.go => apimodule/account/accountupdate.go} (54%) create mode 100644 internal/apimodule/account/accountverify.go rename internal/{module/module.go => apimodule/apimodule.go} (89%) create mode 100644 internal/apimodule/app/app.go rename internal/{module => apimodule}/app/app_test.go (100%) rename internal/{module/app/app.go => apimodule/app/appcreate.go} (84%) rename internal/{module => apimodule}/auth/README.md (100%) create mode 100644 internal/apimodule/auth/auth.go rename internal/{module => apimodule}/auth/auth_test.go (100%) create mode 100644 internal/apimodule/auth/authorize.go create mode 100644 internal/apimodule/auth/middleware.go create mode 100644 internal/apimodule/auth/signin.go create mode 100644 internal/apimodule/auth/token.go rename internal/{module => apimodule}/mock_ClientAPIModule.go (96%) delete mode 100644 internal/module/auth/auth.go diff --git a/internal/apimodule/account/account.go b/internal/apimodule/account/account.go new file mode 100644 index 000000000..b747b399b --- /dev/null +++ b/internal/apimodule/account/account.go @@ -0,0 +1,66 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +package account + +import ( + "net/http" + + "github.com/sirupsen/logrus" + "github.com/superseriousbusiness/gotosocial/internal/config" + "github.com/superseriousbusiness/gotosocial/internal/db" + "github.com/superseriousbusiness/gotosocial/internal/media" + "github.com/superseriousbusiness/gotosocial/internal/apimodule" + "github.com/superseriousbusiness/gotosocial/internal/oauth" + "github.com/superseriousbusiness/gotosocial/internal/router" +) + +const ( + idKey = "id" + basePath = "/api/v1/accounts" + basePathWithID = basePath + "/:" + idKey + verifyPath = basePath + "/verify_credentials" + updateCredentialsPath = basePath + "/update_credentials" +) + +type accountModule struct { + config *config.Config + db db.DB + oauthServer oauth.Server + mediaHandler media.MediaHandler + log *logrus.Logger +} + +// New returns a new account module +func New(config *config.Config, db db.DB, oauthServer oauth.Server, mediaHandler media.MediaHandler, log *logrus.Logger) apimodule.ClientAPIModule { + return &accountModule{ + config: config, + db: db, + oauthServer: oauthServer, + mediaHandler: mediaHandler, + log: log, + } +} + +// Route attaches all routes from this module to the given router +func (m *accountModule) Route(r router.Router) error { + r.AttachHandler(http.MethodPost, basePath, m.accountCreatePOSTHandler) + r.AttachHandler(http.MethodGet, verifyPath, m.accountVerifyGETHandler) + r.AttachHandler(http.MethodPatch, updateCredentialsPath, m.accountUpdateCredentialsPATCHHandler) + return nil +} diff --git a/internal/module/account/account_test.go b/internal/apimodule/account/account_test.go similarity index 100% rename from internal/module/account/account_test.go rename to internal/apimodule/account/account_test.go diff --git a/internal/apimodule/account/accountcreate.go b/internal/apimodule/account/accountcreate.go new file mode 100644 index 000000000..23cb530e0 --- /dev/null +++ b/internal/apimodule/account/accountcreate.go @@ -0,0 +1,155 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +package account + +import ( + "errors" + "fmt" + "net" + "net/http" + + "github.com/gin-gonic/gin" + "github.com/superseriousbusiness/gotosocial/internal/config" + "github.com/superseriousbusiness/gotosocial/internal/db" + "github.com/superseriousbusiness/gotosocial/internal/db/model" + "github.com/superseriousbusiness/gotosocial/internal/oauth" + "github.com/superseriousbusiness/gotosocial/internal/util" + "github.com/superseriousbusiness/gotosocial/pkg/mastotypes" + "github.com/superseriousbusiness/oauth2/v4" +) + +// accountCreatePOSTHandler handles create account requests, validates them, +// and puts them in the database if they're valid. +// It should be served as a POST at /api/v1/accounts +func (m *accountModule) accountCreatePOSTHandler(c *gin.Context) { + l := m.log.WithField("func", "accountCreatePOSTHandler") + authed, err := oauth.MustAuth(c, true, true, false, false) + if err != nil { + l.Debugf("couldn't auth: %s", err) + c.JSON(http.StatusForbidden, gin.H{"error": err.Error()}) + return + } + + l.Trace("parsing request form") + form := &mastotypes.AccountCreateRequest{} + if err := c.ShouldBind(form); err != nil || form == nil { + l.Debugf("could not parse form from request: %s", err) + c.JSON(http.StatusBadRequest, gin.H{"error": "missing one or more required form values"}) + return + } + + l.Tracef("validating form %+v", form) + if err := validateCreateAccount(form, m.config.AccountsConfig, m.db); err != nil { + l.Debugf("error validating form: %s", err) + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + return + } + + clientIP := c.ClientIP() + l.Tracef("attempting to parse client ip address %s", clientIP) + signUpIP := net.ParseIP(clientIP) + if signUpIP == nil { + l.Debugf("error validating sign up ip address %s", clientIP) + c.JSON(http.StatusBadRequest, gin.H{"error": "ip address could not be parsed from request"}) + return + } + + ti, err := m.accountCreate(form, signUpIP, authed.Token, authed.Application) + if err != nil { + l.Errorf("internal server error while creating new account: %s", err) + c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) + return + } + + c.JSON(http.StatusOK, ti) +} + +// accountCreate does the dirty work of making an account and user in the database. +// It then returns a token to the caller, for use with the new account, as per the +// spec here: https://docs.joinmastodon.org/methods/accounts/ +func (m *accountModule) accountCreate(form *mastotypes.AccountCreateRequest, signUpIP net.IP, token oauth2.TokenInfo, app *model.Application) (*mastotypes.Token, error) { + l := m.log.WithField("func", "accountCreate") + + // don't store a reason if we don't require one + reason := form.Reason + if !m.config.AccountsConfig.ReasonRequired { + reason = "" + } + + l.Trace("creating new username and account") + user, err := m.db.NewSignup(form.Username, reason, m.config.AccountsConfig.RequireApproval, form.Email, form.Password, signUpIP, form.Locale, app.ID) + if err != nil { + return nil, fmt.Errorf("error creating new signup in the database: %s", err) + } + + l.Tracef("generating a token for user %s with account %s and application %s", user.ID, user.AccountID, app.ID) + ti, err := m.oauthServer.GenerateUserAccessToken(token, app.ClientSecret, user.ID) + if err != nil { + return nil, fmt.Errorf("error creating new access token for user %s: %s", user.ID, err) + } + + return &mastotypes.Token{ + AccessToken: ti.GetCode(), + TokenType: "Bearer", + Scope: ti.GetScope(), + CreatedAt: ti.GetCodeCreateAt().Unix(), + }, nil +} + +// validateCreateAccount checks through all the necessary prerequisites for creating a new account, +// according to the provided account create request. If the account isn't eligible, an error will be returned. +func validateCreateAccount(form *mastotypes.AccountCreateRequest, c *config.AccountsConfig, database db.DB) error { + if !c.OpenRegistration { + return errors.New("registration is not open for this server") + } + + if err := util.ValidateSignUpUsername(form.Username); err != nil { + return err + } + + if err := util.ValidateEmail(form.Email); err != nil { + return err + } + + if err := util.ValidateSignUpPassword(form.Password); err != nil { + return err + } + + if !form.Agreement { + return errors.New("agreement to terms and conditions not given") + } + + if err := util.ValidateLanguage(form.Locale); err != nil { + return err + } + + if err := util.ValidateSignUpReason(form.Reason, c.ReasonRequired); err != nil { + return err + } + + if err := database.IsEmailAvailable(form.Email); err != nil { + return err + } + + if err := database.IsUsernameAvailable(form.Username); err != nil { + return err + } + + return nil +} diff --git a/internal/module/account/account.go b/internal/apimodule/account/accountupdate.go similarity index 54% rename from internal/module/account/account.go rename to internal/apimodule/account/accountupdate.go index d749f7981..6221dac77 100644 --- a/internal/module/account/account.go +++ b/internal/apimodule/account/accountupdate.go @@ -24,128 +24,14 @@ import ( "fmt" "io" "mime/multipart" - "net" "net/http" "github.com/gin-gonic/gin" - "github.com/sirupsen/logrus" - "github.com/superseriousbusiness/gotosocial/internal/config" - "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/db/model" - "github.com/superseriousbusiness/gotosocial/internal/media" - "github.com/superseriousbusiness/gotosocial/internal/module" "github.com/superseriousbusiness/gotosocial/internal/oauth" - "github.com/superseriousbusiness/gotosocial/internal/router" - "github.com/superseriousbusiness/gotosocial/internal/util" "github.com/superseriousbusiness/gotosocial/pkg/mastotypes" - "github.com/superseriousbusiness/oauth2/v4" ) -const ( - idKey = "id" - basePath = "/api/v1/accounts" - basePathWithID = basePath + "/:" + idKey - verifyPath = basePath + "/verify_credentials" - updateCredentialsPath = basePath + "/update_credentials" -) - -type accountModule struct { - config *config.Config - db db.DB - oauthServer oauth.Server - mediaHandler media.MediaHandler - log *logrus.Logger -} - -// New returns a new account module -func New(config *config.Config, db db.DB, oauthServer oauth.Server, mediaHandler media.MediaHandler, log *logrus.Logger) module.ClientAPIModule { - return &accountModule{ - config: config, - db: db, - oauthServer: oauthServer, - mediaHandler: mediaHandler, - log: log, - } -} - -// Route attaches all routes from this module to the given router -func (m *accountModule) Route(r router.Router) error { - r.AttachHandler(http.MethodPost, basePath, m.accountCreatePOSTHandler) - r.AttachHandler(http.MethodGet, verifyPath, m.accountVerifyGETHandler) - r.AttachHandler(http.MethodPatch, updateCredentialsPath, m.accountUpdateCredentialsPATCHHandler) - return nil -} - -// accountCreatePOSTHandler handles create account requests, validates them, -// and puts them in the database if they're valid. -// It should be served as a POST at /api/v1/accounts -func (m *accountModule) accountCreatePOSTHandler(c *gin.Context) { - l := m.log.WithField("func", "accountCreatePOSTHandler") - authed, err := oauth.MustAuth(c, true, true, false, false) - if err != nil { - l.Debugf("couldn't auth: %s", err) - c.JSON(http.StatusForbidden, gin.H{"error": err.Error()}) - return - } - - l.Trace("parsing request form") - form := &mastotypes.AccountCreateRequest{} - if err := c.ShouldBind(form); err != nil || form == nil { - l.Debugf("could not parse form from request: %s", err) - c.JSON(http.StatusBadRequest, gin.H{"error": "missing one or more required form values"}) - return - } - - l.Tracef("validating form %+v", form) - if err := validateCreateAccount(form, m.config.AccountsConfig, m.db); err != nil { - l.Debugf("error validating form: %s", err) - c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) - return - } - - clientIP := c.ClientIP() - l.Tracef("attempting to parse client ip address %s", clientIP) - signUpIP := net.ParseIP(clientIP) - if signUpIP == nil { - l.Debugf("error validating sign up ip address %s", clientIP) - c.JSON(http.StatusBadRequest, gin.H{"error": "ip address could not be parsed from request"}) - return - } - - ti, err := m.accountCreate(form, signUpIP, authed.Token, authed.Application) - if err != nil { - l.Errorf("internal server error while creating new account: %s", err) - c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) - return - } - - c.JSON(http.StatusOK, ti) -} - -// accountVerifyGETHandler serves a user's account details to them IF they reached this -// handler while in possession of a valid token, according to the oauth middleware. -// It should be served as a GET at /api/v1/accounts/verify_credentials -func (m *accountModule) accountVerifyGETHandler(c *gin.Context) { - l := m.log.WithField("func", "accountVerifyGETHandler") - authed, err := oauth.MustAuth(c, true, false, false, true) - if err != nil { - l.Debugf("couldn't auth: %s", err) - c.JSON(http.StatusForbidden, gin.H{"error": err.Error()}) - return - } - - l.Tracef("retrieved account %+v, converting to mastosensitive...", authed.Account.ID) - acctSensitive, err := m.db.AccountToMastoSensitive(authed.Account) - if err != nil { - l.Tracef("could not convert account into mastosensitive account: %s", err) - c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) - return - } - - l.Tracef("conversion successful, returning OK and mastosensitive account %+v", acctSensitive) - c.JSON(http.StatusOK, acctSensitive) -} - // accountUpdateCredentialsPATCHHandler allows a user to modify their account/profile settings. // It should be served as a PATCH at /api/v1/accounts/update_credentials // @@ -333,77 +219,3 @@ func (m *accountModule) UpdateAccountHeader(header *multipart.FileHeader, accoun return headerInfo, f.Close() } - -// accountCreate does the dirty work of making an account and user in the database. -// It then returns a token to the caller, for use with the new account, as per the -// spec here: https://docs.joinmastodon.org/methods/accounts/ -func (m *accountModule) accountCreate(form *mastotypes.AccountCreateRequest, signUpIP net.IP, token oauth2.TokenInfo, app *model.Application) (*mastotypes.Token, error) { - l := m.log.WithField("func", "accountCreate") - - // don't store a reason if we don't require one - reason := form.Reason - if !m.config.AccountsConfig.ReasonRequired { - reason = "" - } - - l.Trace("creating new username and account") - user, err := m.db.NewSignup(form.Username, reason, m.config.AccountsConfig.RequireApproval, form.Email, form.Password, signUpIP, form.Locale, app.ID) - if err != nil { - return nil, fmt.Errorf("error creating new signup in the database: %s", err) - } - - l.Tracef("generating a token for user %s with account %s and application %s", user.ID, user.AccountID, app.ID) - ti, err := m.oauthServer.GenerateUserAccessToken(token, app.ClientSecret, user.ID) - if err != nil { - return nil, fmt.Errorf("error creating new access token for user %s: %s", user.ID, err) - } - - return &mastotypes.Token{ - AccessToken: ti.GetCode(), - TokenType: "Bearer", - Scope: ti.GetScope(), - CreatedAt: ti.GetCodeCreateAt().Unix(), - }, nil -} - -// validateCreateAccount checks through all the necessary prerequisites for creating a new account, -// according to the provided account create request. If the account isn't eligible, an error will be returned. -func validateCreateAccount(form *mastotypes.AccountCreateRequest, c *config.AccountsConfig, database db.DB) error { - if !c.OpenRegistration { - return errors.New("registration is not open for this server") - } - - if err := util.ValidateSignUpUsername(form.Username); err != nil { - return err - } - - if err := util.ValidateEmail(form.Email); err != nil { - return err - } - - if err := util.ValidateSignUpPassword(form.Password); err != nil { - return err - } - - if !form.Agreement { - return errors.New("agreement to terms and conditions not given") - } - - if err := util.ValidateLanguage(form.Locale); err != nil { - return err - } - - if err := util.ValidateSignUpReason(form.Reason, c.ReasonRequired); err != nil { - return err - } - - if err := database.IsEmailAvailable(form.Email); err != nil { - return err - } - - if err := database.IsUsernameAvailable(form.Username); err != nil { - return err - } - - return nil -} diff --git a/internal/apimodule/account/accountverify.go b/internal/apimodule/account/accountverify.go new file mode 100644 index 000000000..fe8d24b22 --- /dev/null +++ b/internal/apimodule/account/accountverify.go @@ -0,0 +1,50 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +package account + +import ( + "net/http" + + "github.com/gin-gonic/gin" + "github.com/superseriousbusiness/gotosocial/internal/oauth" +) + +// accountVerifyGETHandler serves a user's account details to them IF they reached this +// handler while in possession of a valid token, according to the oauth middleware. +// It should be served as a GET at /api/v1/accounts/verify_credentials +func (m *accountModule) accountVerifyGETHandler(c *gin.Context) { + l := m.log.WithField("func", "accountVerifyGETHandler") + authed, err := oauth.MustAuth(c, true, false, false, true) + if err != nil { + l.Debugf("couldn't auth: %s", err) + c.JSON(http.StatusForbidden, gin.H{"error": err.Error()}) + return + } + + l.Tracef("retrieved account %+v, converting to mastosensitive...", authed.Account.ID) + acctSensitive, err := m.db.AccountToMastoSensitive(authed.Account) + if err != nil { + l.Tracef("could not convert account into mastosensitive account: %s", err) + c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) + return + } + + l.Tracef("conversion successful, returning OK and mastosensitive account %+v", acctSensitive) + c.JSON(http.StatusOK, acctSensitive) +} diff --git a/internal/module/module.go b/internal/apimodule/apimodule.go similarity index 89% rename from internal/module/module.go rename to internal/apimodule/apimodule.go index b3a49acf3..a61f6499b 100644 --- a/internal/module/module.go +++ b/internal/apimodule/apimodule.go @@ -16,8 +16,8 @@ along with this program. If not, see . */ -// Package module is basically a wrapper for a lot of modules (in subdirectories) that satisfy the ClientAPIModule interface. -package module +// Package apimodule is basically a wrapper for a lot of modules (in subdirectories) that satisfy the ClientAPIModule interface. +package apimodule import "github.com/superseriousbusiness/gotosocial/internal/router" diff --git a/internal/apimodule/app/app.go b/internal/apimodule/app/app.go new file mode 100644 index 000000000..a4be02b66 --- /dev/null +++ b/internal/apimodule/app/app.go @@ -0,0 +1,52 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +package app + +import ( + "net/http" + + "github.com/sirupsen/logrus" + "github.com/superseriousbusiness/gotosocial/internal/apimodule" + "github.com/superseriousbusiness/gotosocial/internal/db" + "github.com/superseriousbusiness/gotosocial/internal/oauth" + "github.com/superseriousbusiness/gotosocial/internal/router" +) + +const appsPath = "/api/v1/apps" + +type appModule struct { + server oauth.Server + db db.DB + log *logrus.Logger +} + +// New returns a new auth module +func New(srv oauth.Server, db db.DB, log *logrus.Logger) apimodule.ClientAPIModule { + return &appModule{ + server: srv, + db: db, + log: log, + } +} + +// Route satisfies the RESTAPIModule interface +func (m *appModule) Route(s router.Router) error { + s.AttachHandler(http.MethodPost, appsPath, m.appsPOSTHandler) + return nil +} diff --git a/internal/module/app/app_test.go b/internal/apimodule/app/app_test.go similarity index 100% rename from internal/module/app/app_test.go rename to internal/apimodule/app/app_test.go diff --git a/internal/module/app/app.go b/internal/apimodule/app/appcreate.go similarity index 84% rename from internal/module/app/app.go rename to internal/apimodule/app/appcreate.go index 67614a027..cd5aff701 100644 --- a/internal/module/app/app.go +++ b/internal/apimodule/app/appcreate.go @@ -24,38 +24,11 @@ import ( "github.com/gin-gonic/gin" "github.com/google/uuid" - "github.com/sirupsen/logrus" - "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/db/model" - "github.com/superseriousbusiness/gotosocial/internal/module" "github.com/superseriousbusiness/gotosocial/internal/oauth" - "github.com/superseriousbusiness/gotosocial/internal/router" "github.com/superseriousbusiness/gotosocial/pkg/mastotypes" ) -const appsPath = "/api/v1/apps" - -type appModule struct { - server oauth.Server - db db.DB - log *logrus.Logger -} - -// New returns a new auth module -func New(srv oauth.Server, db db.DB, log *logrus.Logger) module.ClientAPIModule { - return &appModule{ - server: srv, - db: db, - log: log, - } -} - -// Route satisfies the RESTAPIModule interface -func (m *appModule) Route(s router.Router) error { - s.AttachHandler(http.MethodPost, appsPath, m.appsPOSTHandler) - return nil -} - // appsPOSTHandler should be served at https://example.org/api/v1/apps // It is equivalent to: https://docs.joinmastodon.org/methods/apps/ func (m *appModule) appsPOSTHandler(c *gin.Context) { diff --git a/internal/module/auth/README.md b/internal/apimodule/auth/README.md similarity index 100% rename from internal/module/auth/README.md rename to internal/apimodule/auth/README.md diff --git a/internal/apimodule/auth/auth.go b/internal/apimodule/auth/auth.go new file mode 100644 index 000000000..097bbeae2 --- /dev/null +++ b/internal/apimodule/auth/auth.go @@ -0,0 +1,70 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +// Package auth is a module that provides oauth functionality to a router. +// It adds the following paths: +// /auth/sign_in +// /oauth/token +// /oauth/authorize +// It also includes the oauthTokenMiddleware, which can be attached to a router to authenticate every request by Bearer token. +package auth + +import ( + "net/http" + + "github.com/sirupsen/logrus" + "github.com/superseriousbusiness/gotosocial/internal/apimodule" + "github.com/superseriousbusiness/gotosocial/internal/db" + "github.com/superseriousbusiness/gotosocial/internal/oauth" + "github.com/superseriousbusiness/gotosocial/internal/router" +) + +const ( + authSignInPath = "/auth/sign_in" + oauthTokenPath = "/oauth/token" + oauthAuthorizePath = "/oauth/authorize" +) + +type authModule struct { + server oauth.Server + db db.DB + log *logrus.Logger +} + +// New returns a new auth module +func New(srv oauth.Server, db db.DB, log *logrus.Logger) apimodule.ClientAPIModule { + return &authModule{ + server: srv, + db: db, + log: log, + } +} + +// Route satisfies the RESTAPIModule interface +func (m *authModule) Route(s router.Router) error { + s.AttachHandler(http.MethodGet, authSignInPath, m.signInGETHandler) + s.AttachHandler(http.MethodPost, authSignInPath, m.signInPOSTHandler) + + s.AttachHandler(http.MethodPost, oauthTokenPath, m.tokenPOSTHandler) + + s.AttachHandler(http.MethodGet, oauthAuthorizePath, m.authorizeGETHandler) + s.AttachHandler(http.MethodPost, oauthAuthorizePath, m.authorizePOSTHandler) + + s.AttachMiddleware(m.oauthTokenMiddleware) + return nil +} diff --git a/internal/module/auth/auth_test.go b/internal/apimodule/auth/auth_test.go similarity index 100% rename from internal/module/auth/auth_test.go rename to internal/apimodule/auth/auth_test.go diff --git a/internal/apimodule/auth/authorize.go b/internal/apimodule/auth/authorize.go new file mode 100644 index 000000000..4a27cc20e --- /dev/null +++ b/internal/apimodule/auth/authorize.go @@ -0,0 +1,204 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +package auth + +import ( + "errors" + "fmt" + "net/http" + "net/url" + + "github.com/gin-contrib/sessions" + "github.com/gin-gonic/gin" + "github.com/sirupsen/logrus" + "github.com/superseriousbusiness/gotosocial/internal/db/model" + "github.com/superseriousbusiness/gotosocial/pkg/mastotypes" +) + +// authorizeGETHandler should be served as GET at https://example.org/oauth/authorize +// The idea here is to present an oauth authorize page to the user, with a button +// that they have to click to accept. See here: https://docs.joinmastodon.org/methods/apps/oauth/#authorize-a-user +func (m *authModule) authorizeGETHandler(c *gin.Context) { + l := m.log.WithField("func", "AuthorizeGETHandler") + s := sessions.Default(c) + + // UserID will be set in the session by AuthorizePOSTHandler if the caller has already gone through the authentication flow + // If it's not set, then we don't know yet who the user is, so we need to redirect them to the sign in page. + userID, ok := s.Get("userid").(string) + if !ok || userID == "" { + l.Trace("userid was empty, parsing form then redirecting to sign in page") + if err := parseAuthForm(c, l); err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + } else { + c.Redirect(http.StatusFound, authSignInPath) + } + return + } + + // We can use the client_id on the session to retrieve info about the app associated with the client_id + clientID, ok := s.Get("client_id").(string) + if !ok || clientID == "" { + c.JSON(http.StatusInternalServerError, gin.H{"error": "no client_id found in session"}) + return + } + app := &model.Application{ + ClientID: clientID, + } + if err := m.db.GetWhere("client_id", app.ClientID, app); err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)}) + return + } + + // we can also use the userid of the user to fetch their username from the db to greet them nicely <3 + user := &model.User{ + ID: userID, + } + if err := m.db.GetByID(user.ID, user); err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) + return + } + + acct := &model.Account{ + ID: user.AccountID, + } + + if err := m.db.GetByID(acct.ID, acct); err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) + return + } + + // Finally we should also get the redirect and scope of this particular request, as stored in the session. + redirect, ok := s.Get("redirect_uri").(string) + if !ok || redirect == "" { + c.JSON(http.StatusInternalServerError, gin.H{"error": "no redirect_uri found in session"}) + return + } + scope, ok := s.Get("scope").(string) + if !ok || scope == "" { + c.JSON(http.StatusInternalServerError, gin.H{"error": "no scope found in session"}) + return + } + + // the authorize template will display a form to the user where they can get some information + // about the app that's trying to authorize, and the scope of the request. + // They can then approve it if it looks OK to them, which will POST to the AuthorizePOSTHandler + l.Trace("serving authorize html") + c.HTML(http.StatusOK, "authorize.tmpl", gin.H{ + "appname": app.Name, + "appwebsite": app.Website, + "redirect": redirect, + "scope": scope, + "user": acct.Username, + }) +} + +// authorizePOSTHandler should be served as POST at https://example.org/oauth/authorize +// At this point we assume that the user has A) logged in and B) accepted that the app should act for them, +// so we should proceed with the authentication flow and generate an oauth token for them if we can. +// See here: https://docs.joinmastodon.org/methods/apps/oauth/#authorize-a-user +func (m *authModule) authorizePOSTHandler(c *gin.Context) { + l := m.log.WithField("func", "AuthorizePOSTHandler") + s := sessions.Default(c) + + // At this point we know the user has said 'yes' to allowing the application and oauth client + // work for them, so we can set the + + // We need to retrieve the original form submitted to the authorizeGEThandler, and + // recreate it on the request so that it can be used further by the oauth2 library. + // So first fetch all the values from the session. + forceLogin, ok := s.Get("force_login").(string) + if !ok { + c.JSON(http.StatusBadRequest, gin.H{"error": "session missing force_login"}) + return + } + responseType, ok := s.Get("response_type").(string) + if !ok || responseType == "" { + c.JSON(http.StatusBadRequest, gin.H{"error": "session missing response_type"}) + return + } + clientID, ok := s.Get("client_id").(string) + if !ok || clientID == "" { + c.JSON(http.StatusBadRequest, gin.H{"error": "session missing client_id"}) + return + } + redirectURI, ok := s.Get("redirect_uri").(string) + if !ok || redirectURI == "" { + c.JSON(http.StatusBadRequest, gin.H{"error": "session missing redirect_uri"}) + return + } + scope, ok := s.Get("scope").(string) + if !ok { + c.JSON(http.StatusBadRequest, gin.H{"error": "session missing scope"}) + return + } + userID, ok := s.Get("userid").(string) + if !ok { + c.JSON(http.StatusBadRequest, gin.H{"error": "session missing userid"}) + return + } + // we're done with the session so we can clear it now + s.Clear() + + // now set the values on the request + values := url.Values{} + values.Set("force_login", forceLogin) + values.Set("response_type", responseType) + values.Set("client_id", clientID) + values.Set("redirect_uri", redirectURI) + values.Set("scope", scope) + values.Set("userid", userID) + c.Request.Form = values + l.Tracef("values on request set to %+v", c.Request.Form) + + // and proceed with authorization using the oauth2 library + if err := m.server.HandleAuthorizeRequest(c.Writer, c.Request); err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + } +} + +// parseAuthForm parses the OAuthAuthorize form in the gin context, and stores +// the values in the form into the session. +func parseAuthForm(c *gin.Context, l *logrus.Entry) error { + s := sessions.Default(c) + + // first make sure they've filled out the authorize form with the required values + form := &mastotypes.OAuthAuthorize{} + if err := c.ShouldBind(form); err != nil { + return err + } + l.Tracef("parsed form: %+v", form) + + // these fields are *required* so check 'em + if form.ResponseType == "" || form.ClientID == "" || form.RedirectURI == "" { + return errors.New("missing one of: response_type, client_id or redirect_uri") + } + + // set default scope to read + if form.Scope == "" { + form.Scope = "read" + } + + // save these values from the form so we can use them elsewhere in the session + s.Set("force_login", form.ForceLogin) + s.Set("response_type", form.ResponseType) + s.Set("client_id", form.ClientID) + s.Set("redirect_uri", form.RedirectURI) + s.Set("scope", form.Scope) + return s.Save() +} diff --git a/internal/apimodule/auth/middleware.go b/internal/apimodule/auth/middleware.go new file mode 100644 index 000000000..32fc24d52 --- /dev/null +++ b/internal/apimodule/auth/middleware.go @@ -0,0 +1,76 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +package auth + +import ( + "github.com/gin-gonic/gin" + "github.com/superseriousbusiness/gotosocial/internal/db/model" + "github.com/superseriousbusiness/gotosocial/internal/oauth" +) + +// oauthTokenMiddleware checks if the client has presented a valid oauth Bearer token. +// If so, it will check the User that the token belongs to, and set that in the context of +// the request. Then, it will look up the account for that user, and set that in the request too. +// If user or account can't be found, then the handler won't *fail*, in case the server wants to allow +// public requests that don't have a Bearer token set (eg., for public instance information and so on). +func (m *authModule) oauthTokenMiddleware(c *gin.Context) { + l := m.log.WithField("func", "ValidatePassword") + l.Trace("entering OauthTokenMiddleware") + + ti, err := m.server.ValidationBearerToken(c.Request) + if err != nil { + l.Trace("no valid token presented: continuing with unauthenticated request") + return + } + c.Set(oauth.SessionAuthorizedToken, ti) + l.Tracef("set gin context %s to %+v", oauth.SessionAuthorizedToken, ti) + + // check for user-level token + if uid := ti.GetUserID(); uid != "" { + l.Tracef("authenticated user %s with bearer token, scope is %s", uid, ti.GetScope()) + + // fetch user's and account for this user id + user := &model.User{} + if err := m.db.GetByID(uid, user); err != nil || user == nil { + l.Warnf("no user found for validated uid %s", uid) + return + } + c.Set(oauth.SessionAuthorizedUser, user) + l.Tracef("set gin context %s to %+v", oauth.SessionAuthorizedUser, user) + + acct := &model.Account{} + if err := m.db.GetByID(user.AccountID, acct); err != nil || acct == nil { + l.Warnf("no account found for validated user %s", uid) + return + } + c.Set(oauth.SessionAuthorizedAccount, acct) + l.Tracef("set gin context %s to %+v", oauth.SessionAuthorizedAccount, acct) + } + + // check for application token + if cid := ti.GetClientID(); cid != "" { + l.Tracef("authenticated client %s with bearer token, scope is %s", cid, ti.GetScope()) + app := &model.Application{} + if err := m.db.GetWhere("client_id", cid, app); err != nil { + l.Tracef("no app found for client %s", cid) + } + c.Set(oauth.SessionAuthorizedApplication, app) + l.Tracef("set gin context %s to %+v", oauth.SessionAuthorizedApplication, app) + } +} diff --git a/internal/apimodule/auth/signin.go b/internal/apimodule/auth/signin.go new file mode 100644 index 000000000..34146cbfc --- /dev/null +++ b/internal/apimodule/auth/signin.go @@ -0,0 +1,115 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +package auth + +import ( + "errors" + "net/http" + + "github.com/gin-contrib/sessions" + "github.com/gin-gonic/gin" + "github.com/superseriousbusiness/gotosocial/internal/db/model" + "golang.org/x/crypto/bcrypt" +) + +type login struct { + Email string `form:"username"` + Password string `form:"password"` +} + +// signInGETHandler should be served at https://example.org/auth/sign_in. +// The idea is to present a sign in page to the user, where they can enter their username and password. +// The form will then POST to the sign in page, which will be handled by SignInPOSTHandler +func (m *authModule) signInGETHandler(c *gin.Context) { + m.log.WithField("func", "SignInGETHandler").Trace("serving sign in html") + c.HTML(http.StatusOK, "sign-in.tmpl", gin.H{}) +} + +// signInPOSTHandler should be served at https://example.org/auth/sign_in. +// The idea is to present a sign in page to the user, where they can enter their username and password. +// The handler will then redirect to the auth handler served at /auth +func (m *authModule) signInPOSTHandler(c *gin.Context) { + l := m.log.WithField("func", "SignInPOSTHandler") + s := sessions.Default(c) + form := &login{} + if err := c.ShouldBind(form); err != nil { + c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) + return + } + l.Tracef("parsed form: %+v", form) + + userid, err := m.validatePassword(form.Email, form.Password) + if err != nil { + c.String(http.StatusForbidden, err.Error()) + return + } + + s.Set("userid", userid) + if err := s.Save(); err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) + return + } + + l.Trace("redirecting to auth page") + c.Redirect(http.StatusFound, oauthAuthorizePath) +} + +// validatePassword takes an email address and a password. +// The goal is to authenticate the password against the one for that email +// address stored in the database. If OK, we return the userid (a uuid) for that user, +// so that it can be used in further Oauth flows to generate a token/retreieve an oauth client from the db. +func (m *authModule) validatePassword(email string, password string) (userid string, err error) { + l := m.log.WithField("func", "ValidatePassword") + + // make sure an email/password was provided and bail if not + if email == "" || password == "" { + l.Debug("email or password was not provided") + return incorrectPassword() + } + + // first we select the user from the database based on email address, bail if no user found for that email + gtsUser := &model.User{} + + if err := m.db.GetWhere("email", email, gtsUser); err != nil { + l.Debugf("user %s was not retrievable from db during oauth authorization attempt: %s", email, err) + return incorrectPassword() + } + + // make sure a password is actually set and bail if not + if gtsUser.EncryptedPassword == "" { + l.Warnf("encrypted password for user %s was empty for some reason", gtsUser.Email) + return incorrectPassword() + } + + // compare the provided password with the encrypted one from the db, bail if they don't match + if err := bcrypt.CompareHashAndPassword([]byte(gtsUser.EncryptedPassword), []byte(password)); err != nil { + l.Debugf("password hash didn't match for user %s during login attempt: %s", gtsUser.Email, err) + return incorrectPassword() + } + + // If we've made it this far the email/password is correct, so we can just return the id of the user. + userid = gtsUser.ID + l.Tracef("returning (%s, %s)", userid, err) + return +} + +// incorrectPassword is just a little helper function to use in the ValidatePassword function +func incorrectPassword() (string, error) { + return "", errors.New("password/email combination was incorrect") +} diff --git a/internal/apimodule/auth/token.go b/internal/apimodule/auth/token.go new file mode 100644 index 000000000..1e54b6ab3 --- /dev/null +++ b/internal/apimodule/auth/token.go @@ -0,0 +1,36 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . +*/ + +package auth + +import ( + "net/http" + + "github.com/gin-gonic/gin" +) + +// tokenPOSTHandler should be served as a POST at https://example.org/oauth/token +// The idea here is to serve an oauth access token to a user, which can be used for authorizing against non-public APIs. +// See https://docs.joinmastodon.org/methods/apps/oauth/#obtain-a-token +func (m *authModule) tokenPOSTHandler(c *gin.Context) { + l := m.log.WithField("func", "TokenPOSTHandler") + l.Trace("entered TokenPOSTHandler") + if err := m.server.HandleTokenRequest(c.Writer, c.Request); err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) + } +} diff --git a/internal/module/mock_ClientAPIModule.go b/internal/apimodule/mock_ClientAPIModule.go similarity index 96% rename from internal/module/mock_ClientAPIModule.go rename to internal/apimodule/mock_ClientAPIModule.go index 55fca0537..85c7b6ac6 100644 --- a/internal/module/mock_ClientAPIModule.go +++ b/internal/apimodule/mock_ClientAPIModule.go @@ -1,6 +1,6 @@ // Code generated by mockery v2.7.4. DO NOT EDIT. -package module +package apimodule import ( mock "github.com/stretchr/testify/mock" diff --git a/internal/distributor/distributor.go b/internal/distributor/distributor.go index 9cfe9be74..ab092907f 100644 --- a/internal/distributor/distributor.go +++ b/internal/distributor/distributor.go @@ -23,7 +23,7 @@ import ( "github.com/sirupsen/logrus" ) -// Distributor should be passed to api modules (see internal/module/...). It is used for +// Distributor should be passed to api modules (see internal/apimodule/...). It is used for // passing messages back and forth from the client API and the federating interface, via channels. // It also contains logic for filtering which messages should end up where. // It is designed to be used asynchronously: the client API and the federating API should just be able to diff --git a/internal/module/auth/auth.go b/internal/module/auth/auth.go deleted file mode 100644 index 0e7a3339f..000000000 --- a/internal/module/auth/auth.go +++ /dev/null @@ -1,410 +0,0 @@ -/* - GoToSocial - Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Affero General Public License for more details. - - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . -*/ - -// Package auth is a module that provides oauth functionality to a router. -// It adds the following paths: -// /auth/sign_in -// /oauth/token -// /oauth/authorize -// It also includes the oauthTokenMiddleware, which can be attached to a router to authenticate every request by Bearer token. -package auth - -import ( - "errors" - "fmt" - "net/http" - "net/url" - - "github.com/gin-contrib/sessions" - "github.com/gin-gonic/gin" - "github.com/sirupsen/logrus" - "github.com/superseriousbusiness/gotosocial/internal/db" - "github.com/superseriousbusiness/gotosocial/internal/db/model" - "github.com/superseriousbusiness/gotosocial/internal/module" - "github.com/superseriousbusiness/gotosocial/internal/oauth" - "github.com/superseriousbusiness/gotosocial/internal/router" - "github.com/superseriousbusiness/gotosocial/pkg/mastotypes" - "golang.org/x/crypto/bcrypt" -) - -const ( - authSignInPath = "/auth/sign_in" - oauthTokenPath = "/oauth/token" - oauthAuthorizePath = "/oauth/authorize" -) - -type authModule struct { - server oauth.Server - db db.DB - log *logrus.Logger -} - -type login struct { - Email string `form:"username"` - Password string `form:"password"` -} - -// New returns a new auth module -func New(srv oauth.Server, db db.DB, log *logrus.Logger) module.ClientAPIModule { - return &authModule{ - server: srv, - db: db, - log: log, - } -} - -// Route satisfies the RESTAPIModule interface -func (m *authModule) Route(s router.Router) error { - s.AttachHandler(http.MethodGet, authSignInPath, m.signInGETHandler) - s.AttachHandler(http.MethodPost, authSignInPath, m.signInPOSTHandler) - - s.AttachHandler(http.MethodPost, oauthTokenPath, m.tokenPOSTHandler) - - s.AttachHandler(http.MethodGet, oauthAuthorizePath, m.authorizeGETHandler) - s.AttachHandler(http.MethodPost, oauthAuthorizePath, m.authorizePOSTHandler) - - s.AttachMiddleware(m.oauthTokenMiddleware) - return nil -} - -/* - MAIN HANDLERS -- serve these through a server/router -*/ - -// signInGETHandler should be served at https://example.org/auth/sign_in. -// The idea is to present a sign in page to the user, where they can enter their username and password. -// The form will then POST to the sign in page, which will be handled by SignInPOSTHandler -func (m *authModule) signInGETHandler(c *gin.Context) { - m.log.WithField("func", "SignInGETHandler").Trace("serving sign in html") - c.HTML(http.StatusOK, "sign-in.tmpl", gin.H{}) -} - -// signInPOSTHandler should be served at https://example.org/auth/sign_in. -// The idea is to present a sign in page to the user, where they can enter their username and password. -// The handler will then redirect to the auth handler served at /auth -func (m *authModule) signInPOSTHandler(c *gin.Context) { - l := m.log.WithField("func", "SignInPOSTHandler") - s := sessions.Default(c) - form := &login{} - if err := c.ShouldBind(form); err != nil { - c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) - return - } - l.Tracef("parsed form: %+v", form) - - userid, err := m.validatePassword(form.Email, form.Password) - if err != nil { - c.String(http.StatusForbidden, err.Error()) - return - } - - s.Set("userid", userid) - if err := s.Save(); err != nil { - c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) - return - } - - l.Trace("redirecting to auth page") - c.Redirect(http.StatusFound, oauthAuthorizePath) -} - -// tokenPOSTHandler should be served as a POST at https://example.org/oauth/token -// The idea here is to serve an oauth access token to a user, which can be used for authorizing against non-public APIs. -// See https://docs.joinmastodon.org/methods/apps/oauth/#obtain-a-token -func (m *authModule) tokenPOSTHandler(c *gin.Context) { - l := m.log.WithField("func", "TokenPOSTHandler") - l.Trace("entered TokenPOSTHandler") - if err := m.server.HandleTokenRequest(c.Writer, c.Request); err != nil { - c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) - } -} - -// authorizeGETHandler should be served as GET at https://example.org/oauth/authorize -// The idea here is to present an oauth authorize page to the user, with a button -// that they have to click to accept. See here: https://docs.joinmastodon.org/methods/apps/oauth/#authorize-a-user -func (m *authModule) authorizeGETHandler(c *gin.Context) { - l := m.log.WithField("func", "AuthorizeGETHandler") - s := sessions.Default(c) - - // UserID will be set in the session by AuthorizePOSTHandler if the caller has already gone through the authentication flow - // If it's not set, then we don't know yet who the user is, so we need to redirect them to the sign in page. - userID, ok := s.Get("userid").(string) - if !ok || userID == "" { - l.Trace("userid was empty, parsing form then redirecting to sign in page") - if err := parseAuthForm(c, l); err != nil { - c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) - } else { - c.Redirect(http.StatusFound, authSignInPath) - } - return - } - - // We can use the client_id on the session to retrieve info about the app associated with the client_id - clientID, ok := s.Get("client_id").(string) - if !ok || clientID == "" { - c.JSON(http.StatusInternalServerError, gin.H{"error": "no client_id found in session"}) - return - } - app := &model.Application{ - ClientID: clientID, - } - if err := m.db.GetWhere("client_id", app.ClientID, app); err != nil { - c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)}) - return - } - - // we can also use the userid of the user to fetch their username from the db to greet them nicely <3 - user := &model.User{ - ID: userID, - } - if err := m.db.GetByID(user.ID, user); err != nil { - c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) - return - } - - acct := &model.Account{ - ID: user.AccountID, - } - - if err := m.db.GetByID(acct.ID, acct); err != nil { - c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) - return - } - - // Finally we should also get the redirect and scope of this particular request, as stored in the session. - redirect, ok := s.Get("redirect_uri").(string) - if !ok || redirect == "" { - c.JSON(http.StatusInternalServerError, gin.H{"error": "no redirect_uri found in session"}) - return - } - scope, ok := s.Get("scope").(string) - if !ok || scope == "" { - c.JSON(http.StatusInternalServerError, gin.H{"error": "no scope found in session"}) - return - } - - // the authorize template will display a form to the user where they can get some information - // about the app that's trying to authorize, and the scope of the request. - // They can then approve it if it looks OK to them, which will POST to the AuthorizePOSTHandler - l.Trace("serving authorize html") - c.HTML(http.StatusOK, "authorize.tmpl", gin.H{ - "appname": app.Name, - "appwebsite": app.Website, - "redirect": redirect, - "scope": scope, - "user": acct.Username, - }) -} - -// authorizePOSTHandler should be served as POST at https://example.org/oauth/authorize -// At this point we assume that the user has A) logged in and B) accepted that the app should act for them, -// so we should proceed with the authentication flow and generate an oauth token for them if we can. -// See here: https://docs.joinmastodon.org/methods/apps/oauth/#authorize-a-user -func (m *authModule) authorizePOSTHandler(c *gin.Context) { - l := m.log.WithField("func", "AuthorizePOSTHandler") - s := sessions.Default(c) - - // At this point we know the user has said 'yes' to allowing the application and oauth client - // work for them, so we can set the - - // We need to retrieve the original form submitted to the authorizeGEThandler, and - // recreate it on the request so that it can be used further by the oauth2 library. - // So first fetch all the values from the session. - forceLogin, ok := s.Get("force_login").(string) - if !ok { - c.JSON(http.StatusBadRequest, gin.H{"error": "session missing force_login"}) - return - } - responseType, ok := s.Get("response_type").(string) - if !ok || responseType == "" { - c.JSON(http.StatusBadRequest, gin.H{"error": "session missing response_type"}) - return - } - clientID, ok := s.Get("client_id").(string) - if !ok || clientID == "" { - c.JSON(http.StatusBadRequest, gin.H{"error": "session missing client_id"}) - return - } - redirectURI, ok := s.Get("redirect_uri").(string) - if !ok || redirectURI == "" { - c.JSON(http.StatusBadRequest, gin.H{"error": "session missing redirect_uri"}) - return - } - scope, ok := s.Get("scope").(string) - if !ok { - c.JSON(http.StatusBadRequest, gin.H{"error": "session missing scope"}) - return - } - userID, ok := s.Get("userid").(string) - if !ok { - c.JSON(http.StatusBadRequest, gin.H{"error": "session missing userid"}) - return - } - // we're done with the session so we can clear it now - s.Clear() - - // now set the values on the request - values := url.Values{} - values.Set("force_login", forceLogin) - values.Set("response_type", responseType) - values.Set("client_id", clientID) - values.Set("redirect_uri", redirectURI) - values.Set("scope", scope) - values.Set("userid", userID) - c.Request.Form = values - l.Tracef("values on request set to %+v", c.Request.Form) - - // and proceed with authorization using the oauth2 library - if err := m.server.HandleAuthorizeRequest(c.Writer, c.Request); err != nil { - c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) - } -} - -/* - MIDDLEWARE -*/ - -// oauthTokenMiddleware checks if the client has presented a valid oauth Bearer token. -// If so, it will check the User that the token belongs to, and set that in the context of -// the request. Then, it will look up the account for that user, and set that in the request too. -// If user or account can't be found, then the handler won't *fail*, in case the server wants to allow -// public requests that don't have a Bearer token set (eg., for public instance information and so on). -func (m *authModule) oauthTokenMiddleware(c *gin.Context) { - l := m.log.WithField("func", "ValidatePassword") - l.Trace("entering OauthTokenMiddleware") - - ti, err := m.server.ValidationBearerToken(c.Request) - if err != nil { - l.Trace("no valid token presented: continuing with unauthenticated request") - return - } - c.Set(oauth.SessionAuthorizedToken, ti) - l.Tracef("set gin context %s to %+v", oauth.SessionAuthorizedToken, ti) - - // check for user-level token - if uid := ti.GetUserID(); uid != "" { - l.Tracef("authenticated user %s with bearer token, scope is %s", uid, ti.GetScope()) - - // fetch user's and account for this user id - user := &model.User{} - if err := m.db.GetByID(uid, user); err != nil || user == nil { - l.Warnf("no user found for validated uid %s", uid) - return - } - c.Set(oauth.SessionAuthorizedUser, user) - l.Tracef("set gin context %s to %+v", oauth.SessionAuthorizedUser, user) - - acct := &model.Account{} - if err := m.db.GetByID(user.AccountID, acct); err != nil || acct == nil { - l.Warnf("no account found for validated user %s", uid) - return - } - c.Set(oauth.SessionAuthorizedAccount, acct) - l.Tracef("set gin context %s to %+v", oauth.SessionAuthorizedAccount, acct) - } - - // check for application token - if cid := ti.GetClientID(); cid != "" { - l.Tracef("authenticated client %s with bearer token, scope is %s", cid, ti.GetScope()) - app := &model.Application{} - if err := m.db.GetWhere("client_id", cid, app); err != nil { - l.Tracef("no app found for client %s", cid) - } - c.Set(oauth.SessionAuthorizedApplication, app) - l.Tracef("set gin context %s to %+v", oauth.SessionAuthorizedApplication, app) - } -} - -/* - SUB-HANDLERS -- don't serve these directly, they should be attached to the oauth2 server or used inside handler funcs -*/ - -// validatePassword takes an email address and a password. -// The goal is to authenticate the password against the one for that email -// address stored in the database. If OK, we return the userid (a uuid) for that user, -// so that it can be used in further Oauth flows to generate a token/retreieve an oauth client from the db. -func (m *authModule) validatePassword(email string, password string) (userid string, err error) { - l := m.log.WithField("func", "ValidatePassword") - - // make sure an email/password was provided and bail if not - if email == "" || password == "" { - l.Debug("email or password was not provided") - return incorrectPassword() - } - - // first we select the user from the database based on email address, bail if no user found for that email - gtsUser := &model.User{} - - if err := m.db.GetWhere("email", email, gtsUser); err != nil { - l.Debugf("user %s was not retrievable from db during oauth authorization attempt: %s", email, err) - return incorrectPassword() - } - - // make sure a password is actually set and bail if not - if gtsUser.EncryptedPassword == "" { - l.Warnf("encrypted password for user %s was empty for some reason", gtsUser.Email) - return incorrectPassword() - } - - // compare the provided password with the encrypted one from the db, bail if they don't match - if err := bcrypt.CompareHashAndPassword([]byte(gtsUser.EncryptedPassword), []byte(password)); err != nil { - l.Debugf("password hash didn't match for user %s during login attempt: %s", gtsUser.Email, err) - return incorrectPassword() - } - - // If we've made it this far the email/password is correct, so we can just return the id of the user. - userid = gtsUser.ID - l.Tracef("returning (%s, %s)", userid, err) - return -} - -// incorrectPassword is just a little helper function to use in the ValidatePassword function -func incorrectPassword() (string, error) { - return "", errors.New("password/email combination was incorrect") -} - -// parseAuthForm parses the OAuthAuthorize form in the gin context, and stores -// the values in the form into the session. -func parseAuthForm(c *gin.Context, l *logrus.Entry) error { - s := sessions.Default(c) - - // first make sure they've filled out the authorize form with the required values - form := &mastotypes.OAuthAuthorize{} - if err := c.ShouldBind(form); err != nil { - return err - } - l.Tracef("parsed form: %+v", form) - - // these fields are *required* so check 'em - if form.ResponseType == "" || form.ClientID == "" || form.RedirectURI == "" { - return errors.New("missing one of: response_type, client_id or redirect_uri") - } - - // set default scope to read - if form.Scope == "" { - form.Scope = "read" - } - - // save these values from the form so we can use them elsewhere in the session - s.Set("force_login", form.ForceLogin) - s.Set("response_type", form.ResponseType) - s.Set("client_id", form.ClientID) - s.Set("redirect_uri", form.RedirectURI) - s.Set("scope", form.Scope) - return s.Save() -}