further oidc

2025-12-18 17:13:00 -06:00 · 2021-07-22 11:52:17 +02:00 · 2021-07-22 11:52:17 +02:00 · 81206d93f3
commit 81206d93f3
parent 8e0d32d3e1
14 changed files with 227 additions and 70 deletions
--- a/internal/api/client/auth/auth.go
+++ b/internal/api/client/auth/auth.go
@ -50,6 +50,7 @@ const (
 	sessionResponseType = "response_type"
 	sessionCode         = "code"
 	sessionScope        = "scope"
+	sessionState        = "state"
 )

 var sessionKeys []string = []string{
--- a/internal/api/client/auth/authorize.go
+++ b/internal/api/client/auth/authorize.go
@ -23,6 +23,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"

 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
@ -46,6 +47,8 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 		form := &model.OAuthAuthorize{}
 		if err := c.Bind(form); err != nil {
 			l.Debugf("invalid auth form: %s", err)
+			m.clearSession(s)
+			c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 			return
 		}
 		l.Tracef("parsed auth form: %+v", form)
@ -69,6 +72,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 		ClientID: clientID,
 	}
 	if err := m.db.GetWhere([]db.Where{{Key: sessionClientID, Value: app.ClientID}}, app); err != nil {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)})
 		return
 	}
@ -78,6 +82,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 		ID: userID,
 	}
 	if err := m.db.GetByID(user.ID, user); err != nil {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return
 	}
@ -87,6 +92,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 	}

 	if err := m.db.GetByID(acct.ID, acct); err != nil {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return
 	}
@ -94,11 +100,13 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 	// Finally we should also get the redirect and scope of this particular request, as stored in the session.
 	redirect, ok := s.Get(sessionRedirectURI).(string)
 	if !ok || redirect == "" {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "no redirect_uri found in session"})
 		return
 	}
 	scope, ok := s.Get(sessionScope).(string)
 	if !ok || scope == "" {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "no scope found in session"})
 		return
 	}
@ -128,48 +136,42 @@ func (m *Module) AuthorizePOSTHandler(c *gin.Context) {
 	// recreate it on the request so that it can be used further by the oauth2 library.
 	// So first fetch all the values from the session.

+	errs := []string{}
+
 	forceLogin, ok := s.Get(sessionForceLogin).(string)
 	if !ok {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing force_login"})
-		return
+		errs = append(errs, "session missing force_login")
 	}

 	responseType, ok := s.Get(sessionResponseType).(string)
 	if !ok || responseType == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing response_type"})
-		return
+		errs = append(errs, "session missing response_type")
 	}

 	clientID, ok := s.Get(sessionClientID).(string)
 	if !ok || clientID == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing client_id"})
-		return
+		errs = append(errs, "session missing client_id")
 	}

 	redirectURI, ok := s.Get(sessionRedirectURI).(string)
 	if !ok || redirectURI == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing redirect_uri"})
-		return
+		errs = append(errs, "session missing redirect_uri")
 	}

 	scope, ok := s.Get(sessionScope).(string)
 	if !ok {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing scope"})
-		return
+		errs = append(errs, "session missing scope")
 	}

 	userID, ok := s.Get(sessionUserID).(string)
 	if !ok {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing userid"})
-		return
+		errs = append(errs, "session missing userid")
 	}

-	// we're done with the session so we can clear it now
-	for _, key := range sessionKeys {
-		s.Delete(key)
-	}
-	if err := s.Save(); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+	m.clearSession(s)
+
+	if len(errs) != 0 {
+		c.JSON(http.StatusBadRequest, gin.H{"error": strings.Join(errs, ": ")})
 		return
 	}

--- a/internal/api/client/auth/callback.go
+++ b/internal/api/client/auth/callback.go
@ -19,21 +19,81 @@
 package auth

 import (
+	"errors"
 	"net/http"
+	"strings"

+	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/oidc"
 )

 // CallbackGETHandler parses a token from an external auth provider.
 func (m *Module) CallbackGETHandler(c *gin.Context) {
-	state := c.Query(callbackStateParam)
-	code := c.Query(callbackCodeParam)
+   s := sessions.Default(c)

-	claims, err := m.idp.HandleCallback(c.Request.Context(), state, code)
-	if err != nil {
-		c.String(http.StatusForbidden, err.Error())
+	// first make sure the state set in the cookie is the same as the state returned from the external provider
+	state := c.Query(callbackStateParam)
+	if state == "" {
+      m.clearSession(s)
+		c.JSON(http.StatusForbidden, gin.H{"error": "state query not found on callback"})
 		return
 	}

-	c.JSON(http.StatusOK, claims)
+	savedStateI := s.Get(sessionState)
+	savedState, ok := savedStateI.(string)
+	if !ok {
+      m.clearSession(s)
+		c.JSON(http.StatusForbidden, gin.H{"error": "state not found in session"})
+		return
+	}
+
+	if state != savedState {
+      m.clearSession(s)
+		c.JSON(http.StatusForbidden, gin.H{"error": "state mismatch"})
+		return
+	}
+
+	code := c.Query(callbackCodeParam)
+
+	claims, err := m.idp.HandleCallback(c.Request.Context(), code)
+	if err != nil {
+      m.clearSession(s)
+		c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
+		return
+	}
+
+	user, err := m.parseUserFromClaims(claims)
+	if err != nil {
+      m.clearSession(s)
+		c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
+		return
+	}
+
+	s.Set(sessionUserID, user.ID)
+	if err := s.Save(); err != nil {
+      m.clearSession(s)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.Redirect(http.StatusFound, OauthAuthorizePath)
+}
+
+func (m *Module) parseUserFromClaims(claims *oidc.Claims) (*gtsmodel.User, error) {
+   if claims.Email == "" {
+      return nil, errors.New("no email returned in claims")
+   }
+   // see if we already have a user for this email address
+
+
+   if claims.Name == "" {
+		return nil, errors.New("no name returned in claims")
+	}
+   username := ""
+	nameParts := strings.Split(claims.Name, " ")
+   for i, n := range nameParts {
+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+   }
 }
--- a/internal/api/client/auth/signin.go
+++ b/internal/api/client/auth/signin.go
@ -24,6 +24,7 @@ import (

 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
 	"golang.org/x/crypto/bcrypt"
@ -41,9 +42,18 @@ type login struct {
 func (m *Module) SignInGETHandler(c *gin.Context) {
 	l := m.log.WithField("func", "SignInGETHandler")
 	l.Trace("entering sign in handler")
-	if m.idp != nil && m.config.OIDCConfig.Issuer != "" {
-		l.Debug("redirecting to external idp at %s", m.config.OIDCConfig.Issuer)
-		c.Redirect(http.StatusFound, m.config.OIDCConfig.Issuer)
+	if m.idp != nil {
+		s := sessions.Default(c)
+		state := uuid.NewString()
+		s.Set(sessionState, state)
+		if err := s.Save(); err != nil {
+			m.clearSession(s)
+			c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+			return
+		}
+		redirect := m.idp.AuthCodeURL(state)
+		l.Debugf("redirecting to external idp at %s", redirect)
+		c.Redirect(http.StatusSeeOther, redirect)
 		return
 	}
 	c.HTML(http.StatusOK, "sign-in.tmpl", gin.H{})
@ -58,6 +68,7 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) {
 	form := &login{}
 	if err := c.ShouldBind(form); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		m.clearSession(s)
 		return
 	}
 	l.Tracef("parsed form: %+v", form)
@ -65,12 +76,14 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) {
 	userid, err := m.ValidatePassword(form.Email, form.Password)
 	if err != nil {
 		c.String(http.StatusForbidden, err.Error())
+		m.clearSession(s)
 		return
 	}

 	s.Set(sessionUserID, userid)
 	if err := s.Save(); err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		m.clearSession(s)
 		return
 	}

--- a/internal/api/client/auth/util.go
+++ b/internal/api/client/auth/util.go
@ -0,0 +1,20 @@
+package auth
+
+import (
+	"github.com/gin-contrib/sessions"
+	"github.com/superseriousbusiness/gotosocial/internal/router"
+)
+
+func (m *Module) clearSession(s sessions.Session) {
+	for _, key := range sessionKeys {
+		s.Delete(key)
+	}
+
+	newOptions := router.SessionOptions(m.config)
+	newOptions.MaxAge = -1 // instruct browser to delete cookie immediately
+	s.Options(newOptions)
+
+	if err := s.Save(); err != nil {
+		panic(err)
+	}
+}