mirrors/gotosocial
1
0
Fork 0
mirror of https://github.com/superseriousbusiness/gotosocial.git synced 2025-11-02 12:02:25 -06:00
Code Issues Projects Releases Packages Wiki Activity Actions

chunking away at it

Browse source
This commit is contained in:
tsmethurst 2021-03-26 19:02:20 +01:00
commit f58f77bf1f
23 changed files with 860 additions and 394 deletions
Download patch file Download diff file Expand all files Collapse all files

85
internal/module/account/account.go
View file

@ -19,6 +19,8 @@
package account
import (
"fmt"
"net"
"net/http"
"github.com/gin-gonic/gin"
@ -26,9 +28,10 @@ import (
"github.com/gotosocial/gotosocial/internal/db"
"github.com/gotosocial/gotosocial/internal/db/model"
"github.com/gotosocial/gotosocial/internal/module"
"github.com/gotosocial/gotosocial/internal/module/oauth"
"github.com/gotosocial/gotosocial/internal/oauth"
"github.com/gotosocial/gotosocial/internal/router"
"github.com/gotosocial/gotosocial/pkg/mastotypes"
"github.com/gotosocial/oauth2/v4"
"github.com/sirupsen/logrus"
)
@ -39,9 +42,10 @@ const (
)
type accountModule struct {
config *config.Config
db db.DB
log *logrus.Logger
config *config.Config
db db.DB
oauthServer oauth.Server
log *logrus.Logger
}
// New returns a new account module
@ -60,15 +64,15 @@ func (m *accountModule) Route(r router.Router) error {
return nil
}
// accountCreatePOSTHandler handles create account requests, validates them,
// and puts them in the database if they're valid.
// It should be served as a POST at /api/v1/accounts
func (m *accountModule) accountCreatePOSTHandler(c *gin.Context) {
l := m.log.WithField("func", "AccountCreatePOSTHandler")
// TODO: check whether a valid app token has been presented!!
// See: https://docs.joinmastodon.org/methods/accounts/
l.Trace("checking if registration is open")
if !m.config.AccountsConfig.OpenRegistration {
l.Debug("account registration is closed, returning error to client")
c.JSON(http.StatusUnauthorized, gin.H{"error": "account registration is closed"})
l := m.log.WithField("func", "accountCreatePOSTHandler")
authed, err := oauth.GetAuthed(c)
if err != nil {
l.Debugf("couldn't auth: %s", err)
c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
return
}
@ -81,15 +85,34 @@ func (m *accountModule) accountCreatePOSTHandler(c *gin.Context) {
}
l.Tracef("validating form %+v", form)
if err := validateCreateAccount(form, m.config.AccountsConfig.ReasonRequired, m.db); err != nil {
if err := validateCreateAccount(form, m.config.AccountsConfig, m.db); err != nil {
l.Debugf("error validating form: %s", err)
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
clientIP := c.ClientIP()
l.Tracef("attempting to parse client ip address %s", clientIP)
signUpIP := net.ParseIP(clientIP)
if signUpIP == nil {
l.Debugf("error validating sign up ip address %s", clientIP)
c.JSON(http.StatusBadRequest, gin.H{"error": "ip address could not be parsed from request"})
return
}
ti, err := m.accountCreate(form, signUpIP, authed.Token, authed.Application)
if err != nil {
l.Errorf("internal server error while creating new account: %s", err)
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
c.JSON(http.StatusOK, ti)
}
// accountVerifyGETHandler serves a user's account details to them IF they reached this
// handler while in possession of a valid token, according to the oauth middleware.
// It should be served as a GET at /api/v1/accounts/verify_credentials
func (m *accountModule) accountVerifyGETHandler(c *gin.Context) {
l := m.log.WithField("func", "AccountVerifyGETHandler")
@ -120,3 +143,39 @@ func (m *accountModule) accountVerifyGETHandler(c *gin.Context) {
l.Tracef("conversion successful, returning OK and mastosensitive account %+v", acctSensitive)
c.JSON(http.StatusOK, acctSensitive)
}
/*
HELPER FUNCTIONS
*/
// accountCreate does the dirty work of making an account and user in the database.
// It then returns a token to the caller, for use with the new account, as per the
// spec here: https://docs.joinmastodon.org/methods/accounts/
func (m *accountModule) accountCreate(form *mastotypes.AccountCreateRequest, signUpIP net.IP, token oauth2.TokenInfo, app *model.Application) (*mastotypes.Token, error) {
l := m.log.WithField("func", "accountCreate")
// don't store a reason if we don't require one
reason := form.Reason
if !m.config.AccountsConfig.ReasonRequired {
reason = ""
}
l.Trace("creating new username and account")
user, err := m.db.NewSignup(form.Username, reason, m.config.AccountsConfig.RequireApproval, form.Email, form.Password, signUpIP, form.Locale)
if err != nil {
return nil, fmt.Errorf("error creating new signup in the database: %s", err)
}
l.Tracef("generating a token for user %s with account %s and application %s", user.ID, user.AccountID, app.ID)
ti, err := m.oauthServer.GenerateUserAccessToken(token, app.ClientSecret, user.ID)
if err != nil {
return nil, fmt.Errorf("error creating new access token for user %s: %s", user.ID, err)
}
return &mastotypes.Token{
AccessToken: ti.GetCode(),
TokenType: "Bearer",
Scope: ti.GetScope(),
CreatedAt: ti.GetCodeCreateAt().Unix(),
}, nil
}

268
internal/module/account/account_test.go
View file

@ -20,34 +20,33 @@ package account
import (
"context"
"fmt"
"net/url"
"net/http/httptest"
"testing"
"time"
"github.com/gin-gonic/gin"
"github.com/google/uuid"
"github.com/gotosocial/gotosocial/internal/config"
"github.com/gotosocial/gotosocial/internal/db"
"github.com/gotosocial/gotosocial/internal/db/model"
"github.com/gotosocial/gotosocial/internal/module/oauth"
"github.com/gotosocial/gotosocial/internal/router"
"github.com/sirupsen/logrus"
"github.com/stretchr/testify/suite"
"golang.org/x/crypto/bcrypt"
)
type AccountTestSuite struct {
suite.Suite
db db.DB
log *logrus.Logger
testAccountLocal *model.Account
testAccountRemote *model.Account
testUser *model.User
config *config.Config
db db.DB
accountModule *accountModule
}
// SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout
func (suite *AccountTestSuite) SetupSuite() {
log := logrus.New()
log.SetLevel(logrus.TraceLevel)
suite.log = log
c := config.Empty()
c.DBConfig = &config.DBConfig{
Type: "postgres",
@ -58,118 +57,126 @@ func (suite *AccountTestSuite) SetupSuite() {
Database: "postgres",
ApplicationName: "gotosocial",
}
suite.config = c
encryptedPassword, err := bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)
database, err := db.New(context.Background(), c, log)
if err != nil {
logrus.Panicf("error encrypting user pass: %s", err)
suite.FailNow(err.Error())
}
suite.db = database
suite.accountModule = &accountModule{
config: c,
db: database,
log: log,
}
localAvatar, err := url.Parse("https://localhost:8080/media/aaaaaaaaa.png")
if err != nil {
logrus.Panicf("error parsing localavatar url: %s", err)
}
localHeader, err := url.Parse("https://localhost:8080/media/ffffffffff.png")
if err != nil {
logrus.Panicf("error parsing localheader url: %s", err)
}
// encryptedPassword, err := bcrypt.GenerateFromPassword([]byte("password"), bcrypt.DefaultCost)
// if err != nil {
// logrus.Panicf("error encrypting user pass: %s", err)
// }
acctID := uuid.NewString()
suite.testAccountLocal = &model.Account{
ID: acctID,
Username: "local_account_of_some_kind",
AvatarRemoteURL: localAvatar,
HeaderRemoteURL: localHeader,
DisplayName: "michael caine",
Fields: []model.Field{
{
Name: "come and ave a go",
Value: "if you think you're hard enough",
},
{
Name: "website",
Value: "https://imdb.com",
VerifiedAt: time.Now(),
},
},
Note: "My name is Michael Caine and i'm a local user.",
Discoverable: true,
}
// localAvatar, err := url.Parse("https://localhost:8080/media/aaaaaaaaa.png")
// if err != nil {
// logrus.Panicf("error parsing localavatar url: %s", err)
// }
// localHeader, err := url.Parse("https://localhost:8080/media/ffffffffff.png")
// if err != nil {
// logrus.Panicf("error parsing localheader url: %s", err)
// }
avatarURL, err := url.Parse("http://example.org/accounts/avatars/000/207/122/original/089-1098-09.png")
if err != nil {
logrus.Panicf("error parsing avatarURL: %s", err)
}
// acctID := uuid.NewString()
// suite.testAccountLocal = &model.Account{
// ID: acctID,
// Username: "local_account_of_some_kind",
// AvatarRemoteURL: localAvatar,
// HeaderRemoteURL: localHeader,
// DisplayName: "michael caine",
// Fields: []model.Field{
// {
// Name: "come and ave a go",
// Value: "if you think you're hard enough",
// },
// {
// Name: "website",
// Value: "https://imdb.com",
// VerifiedAt: time.Now(),
// },
// },
// Note: "My name is Michael Caine and i'm a local user.",
// Discoverable: true,
// }
headerURL, err := url.Parse("http://example.org/accounts/headers/000/207/122/original/111111111111.png")
if err != nil {
logrus.Panicf("error parsing avatarURL: %s", err)
}
suite.testAccountRemote = &model.Account{
ID: uuid.NewString(),
Username: "neato_bombeato",
Domain: "example.org",
// avatarURL, err := url.Parse("http://example.org/accounts/avatars/000/207/122/original/089-1098-09.png")
// if err != nil {
// logrus.Panicf("error parsing avatarURL: %s", err)
// }
AvatarFileName: "avatar.png",
AvatarContentType: "image/png",
AvatarFileSize: 1024,
AvatarUpdatedAt: time.Now(),
AvatarRemoteURL: avatarURL,
// headerURL, err := url.Parse("http://example.org/accounts/headers/000/207/122/original/111111111111.png")
// if err != nil {
// logrus.Panicf("error parsing avatarURL: %s", err)
// }
// suite.testAccountRemote = &model.Account{
// ID: uuid.NewString(),
// Username: "neato_bombeato",
// Domain: "example.org",
HeaderFileName: "avatar.png",
HeaderContentType: "image/png",
HeaderFileSize: 1024,
HeaderUpdatedAt: time.Now(),
HeaderRemoteURL: headerURL,
// AvatarFileName: "avatar.png",
// AvatarContentType: "image/png",
// AvatarFileSize: 1024,
// AvatarUpdatedAt: time.Now(),
// AvatarRemoteURL: avatarURL,
DisplayName: "one cool dude 420",
Fields: []model.Field{
{
Name: "pronouns",
Value: "he/they",
},
{
Name: "website",
Value: "https://imcool.edu",
VerifiedAt: time.Now(),
},
},
Note: "<p>I'm cool as heck!</p>",
Discoverable: true,
URI: "https://example.org/users/neato_bombeato",
URL: "https://example.org/@neato_bombeato",
LastWebfingeredAt: time.Now(),
InboxURL: "https://example.org/users/neato_bombeato/inbox",
OutboxURL: "https://example.org/users/neato_bombeato/outbox",
SharedInboxURL: "https://example.org/inbox",
FollowersURL: "https://example.org/users/neato_bombeato/followers",
FeaturedCollectionURL: "https://example.org/users/neato_bombeato/collections/featured",
}
suite.testUser = &model.User{
ID: uuid.NewString(),
EncryptedPassword: string(encryptedPassword),
Email: "user@example.org",
AccountID: acctID,
// HeaderFileName: "avatar.png",
// HeaderContentType: "image/png",
// HeaderFileSize: 1024,
// HeaderUpdatedAt: time.Now(),
// HeaderRemoteURL: headerURL,
// DisplayName: "one cool dude 420",
// Fields: []model.Field{
// {
// Name: "pronouns",
// Value: "he/they",
// },
// {
// Name: "website",
// Value: "https://imcool.edu",
// VerifiedAt: time.Now(),
// },
// },
// Note: "<p>I'm cool as heck!</p>",
// Discoverable: true,
// URI: "https://example.org/users/neato_bombeato",
// URL: "https://example.org/@neato_bombeato",
// LastWebfingeredAt: time.Now(),
// InboxURL: "https://example.org/users/neato_bombeato/inbox",
// OutboxURL: "https://example.org/users/neato_bombeato/outbox",
// SharedInboxURL: "https://example.org/inbox",
// FollowersURL: "https://example.org/users/neato_bombeato/followers",
// FeaturedCollectionURL: "https://example.org/users/neato_bombeato/collections/featured",
// }
// suite.testUser = &model.User{
// ID: uuid.NewString(),
// EncryptedPassword: string(encryptedPassword),
// Email: "user@example.org",
// AccountID: acctID,
// }
}
func (suite *AccountTestSuite) TearDownSuite() {
if err := suite.db.Stop(context.Background()); err != nil {
logrus.Panicf("error closing db connection: %s", err)
}
}
// SetupTest creates a postgres connection and creates the oauth_clients table before each test
// SetupTest creates a db connection and creates necessary tables before each test
func (suite *AccountTestSuite) SetupTest() {
log := logrus.New()
log.SetLevel(logrus.TraceLevel)
db, err := db.New(context.Background(), suite.config, log)
if err != nil {
logrus.Panicf("error creating database connection: %s", err)
}
suite.db = db
models := []interface{}{
&model.User{},
&model.Account{},
&model.Follow{},
&model.Status{},
&model.Application{},
}
for _, m := range models {
@ -177,70 +184,31 @@ func (suite *AccountTestSuite) SetupTest() {
logrus.Panicf("db connection error: %s", err)
}
}
if err := suite.db.Put(suite.testAccountLocal); err != nil {
logrus.Panicf("could not insert test account into db: %s", err)
}
if err := suite.db.Put(suite.testUser); err != nil {
logrus.Panicf("could not insert test user into db: %s", err)
}
}
// TearDownTest drops the oauth_clients table and closes the pg connection after each test
// TearDownTest drops tables to make sure there's no data in the db
func (suite *AccountTestSuite) TearDownTest() {
models := []interface{}{
&model.User{},
&model.Account{},
&model.Follow{},
&model.Status{},
&model.Application{},
}
for _, m := range models {
if err := suite.db.DropTable(m); err != nil {
logrus.Panicf("error dropping table: %s", err)
}
}
if err := suite.db.Stop(context.Background()); err != nil {
logrus.Panicf("error closing db connection: %s", err)
}
suite.db = nil
}
func (suite *AccountTestSuite) TestAPIInitialize() {
log := logrus.New()
log.SetLevel(logrus.TraceLevel)
r, err := router.New(suite.config, log)
if err != nil {
suite.FailNow(fmt.Sprintf("error creating router: %s", err))
}
r.AttachMiddleware(func(c *gin.Context) {
account := &model.Account{}
if err := suite.db.GetAccountByUserID(suite.testUser.ID, account); err != nil || account == nil {
suite.T().Log(err)
suite.FailNowf("no account found for user %s, continuing with unauthenticated request: %+v", "", suite.testUser.ID, account)
fmt.Println(account)
return
}
c.Set(oauth.SessionAuthorizedAccount, account)
c.Set(oauth.SessionAuthorizedUser, suite.testUser.ID)
})
acct := New(suite.config, suite.db, log)
if err := acct.Route(r); err != nil {
suite.FailNow(fmt.Sprintf("error mapping routes onto router: %s", err))
}
r.Start()
defer func() {
if err := r.Stop(context.Background()); err != nil {
panic(fmt.Errorf("error stopping router: %s", err))
}
}()
time.Sleep(10 * time.Second)
func (suite *AccountTestSuite) TestAccountCreatePOSTHandler() {
// TODO: figure out how to test this properly
recorder := httptest.NewRecorder()
recorder.Header().Set("X-Forwarded-For", "127.0.0.1")
ctx, _ := gin.CreateTestContext(recorder)
// ctx.Set()
suite.accountModule.accountCreatePOSTHandler(ctx)
}
func TestAccountTestSuite(t *testing.T) {

9
internal/module/account/validation.go
View file

@ -21,12 +21,17 @@ package account
import (
"errors"
"github.com/gotosocial/gotosocial/internal/config"
"github.com/gotosocial/gotosocial/internal/db"
"github.com/gotosocial/gotosocial/internal/util"
"github.com/gotosocial/gotosocial/pkg/mastotypes"
)
func validateCreateAccount(form *mastotypes.AccountCreateRequest, reasonRequired bool, database db.DB) error {
func validateCreateAccount(form *mastotypes.AccountCreateRequest, c *config.AccountsConfig, database db.DB) error {
if !c.OpenRegistration {
return errors.New("registration is not open for this server")
}
if err := util.ValidateSignUpUsername(form.Username); err != nil {
return err
}
@ -47,7 +52,7 @@ func validateCreateAccount(form *mastotypes.AccountCreateRequest, reasonRequired
return err
}
if err := util.ValidateSignUpReason(form.Reason, reasonRequired); err != nil {
if err := util.ValidateSignUpReason(form.Reason, c.ReasonRequired); err != nil {
return err
}

140
internal/module/app/app.go Normal file
View file

@ -0,0 +1,140 @@
/*
GoToSocial
Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package app
import (
"fmt"
"net/http"
"github.com/gin-gonic/gin"
"github.com/google/uuid"
"github.com/gotosocial/gotosocial/internal/db"
"github.com/gotosocial/gotosocial/internal/db/model"
"github.com/gotosocial/gotosocial/internal/module"
"github.com/gotosocial/gotosocial/internal/oauth"
"github.com/gotosocial/gotosocial/internal/router"
"github.com/gotosocial/gotosocial/pkg/mastotypes"
"github.com/sirupsen/logrus"
)
const appsPath = "/api/v1/apps"
type appModule struct {
server oauth.Server
db db.DB
log *logrus.Logger
}
// New returns a new auth module
func New(srv oauth.Server, db db.DB, log *logrus.Logger) module.ClientAPIModule {
return &appModule{
server: srv,
db: db,
log: log,
}
}
// Route satisfies the RESTAPIModule interface
func (m *appModule) Route(s router.Router) error {
s.AttachHandler(http.MethodPost, appsPath, m.appsPOSTHandler)
return nil
}
// appsPOSTHandler should be served at https://example.org/api/v1/apps
// It is equivalent to: https://docs.joinmastodon.org/methods/apps/
func (m *appModule) appsPOSTHandler(c *gin.Context) {
l := m.log.WithField("func", "AppsPOSTHandler")
l.Trace("entering AppsPOSTHandler")
form := &mastotypes.ApplicationPOSTRequest{}
if err := c.ShouldBind(form); err != nil {
c.JSON(http.StatusUnprocessableEntity, gin.H{"error": err.Error()})
return
}
// permitted length for most fields
permittedLength := 64
// redirect can be a bit bigger because we probably need to encode data in the redirect uri
permittedRedirect := 256
// check lengths of fields before proceeding so the user can't spam huge entries into the database
if len(form.ClientName) > permittedLength {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("client_name must be less than %d bytes", permittedLength)})
return
}
if len(form.Website) > permittedLength {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("website must be less than %d bytes", permittedLength)})
return
}
if len(form.RedirectURIs) > permittedRedirect {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("redirect_uris must be less than %d bytes", permittedRedirect)})
return
}
if len(form.Scopes) > permittedLength {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("scopes must be less than %d bytes", permittedLength)})
return
}
// set default 'read' for scopes if it's not set, this follows the default of the mastodon api https://docs.joinmastodon.org/methods/apps/
var scopes string
if form.Scopes == "" {
scopes = "read"
} else {
scopes = form.Scopes
}
// generate new IDs for this application and its associated client
clientID := uuid.NewString()
clientSecret := uuid.NewString()
vapidKey := uuid.NewString()
// generate the application to put in the database
app := &model.Application{
Name: form.ClientName,
Website: form.Website,
RedirectURI: form.RedirectURIs,
ClientID: clientID,
ClientSecret: clientSecret,
Scopes: scopes,
VapidKey: vapidKey,
}
// chuck it in the db
if err := m.db.Put(app); err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
// now we need to model an oauth client from the application that the oauth library can use
oc := &oauth.Client{
ID: clientID,
Secret: clientSecret,
Domain: form.RedirectURIs,
UserID: "", // This client isn't yet associated with a specific user, it's just an app client right now
}
// chuck it in the db
if err := m.db.Put(oc); err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
// done, return the new app information per the spec here: https://docs.joinmastodon.org/methods/apps/
c.JSON(http.StatusOK, app.ToMasto())
}

21
internal/module/app/app_test.go Normal file
View file

@ -0,0 +1,21 @@
/*
GoToSocial
Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package app
// TODO: write tests

2
internal/module/oauth/README.md → internal/module/auth/README.md
View file

@ -1,4 +1,4 @@
# oauth
# auth
This package provides uses the [GoToSocial oauth2](https://github.com/gotosocial/oauth2) module (forked from [go-oauth2](https://github.com/go-oauth2/oauth2)) to provide [oauth2](https://www.oauth.com/) functionality to the GoToSocial client API.

235
internal/module/oauth/oauth.go → internal/module/auth/auth.go
View file

@ -16,57 +16,42 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
// Package oauth is a module that provides oauth functionality to a router.
// Package auth is a module that provides oauth functionality to a router.
// It adds the following paths:
// /api/v1/apps
// /auth/sign_in
// /oauth/token
// /oauth/authorize
// It also includes the oauthTokenMiddleware, which can be attached to a router to authenticate every request by Bearer token.
package oauth
package auth
import (
"errors"
"fmt"
"net/http"
"net/url"
"github.com/gin-contrib/sessions"
"github.com/gin-gonic/gin"
"github.com/google/uuid"
"github.com/gotosocial/gotosocial/internal/db"
"github.com/gotosocial/gotosocial/internal/db/model"
"github.com/gotosocial/gotosocial/internal/module"
"github.com/gotosocial/gotosocial/internal/oauth"
"github.com/gotosocial/gotosocial/internal/router"
"github.com/gotosocial/gotosocial/pkg/mastotypes"
"github.com/gotosocial/oauth2/v4"
"github.com/gotosocial/oauth2/v4/errors"
"github.com/gotosocial/oauth2/v4/manage"
"github.com/gotosocial/oauth2/v4/server"
"github.com/sirupsen/logrus"
"golang.org/x/crypto/bcrypt"
)
const (
appsPath = "/api/v1/apps"
authSignInPath = "/auth/sign_in"
oauthTokenPath = "/oauth/token"
oauthAuthorizePath = "/oauth/authorize"
// SessionAuthorizedUser is the key set in the gin context for the id of
// a User who has successfully passed Bearer token authorization.
// The interface returned from grabbing this key should be parsed as a string.
SessionAuthorizedUser = "authorized_user"
// SessionAuthorizedAccount is the key set in the gin context for the Account
// of a User who has successfully passed Bearer token authorization.
// The interface returned from grabbing this key should be parsed as a *gtsmodel.Account
SessionAuthorizedAccount = "authorized_account"
)
// oauthModule is an oauth2 oauthModule that satisfies the ClientAPIModule interface
type oauthModule struct {
oauthManager *manage.Manager
oauthServer *server.Server
db db.DB
log *logrus.Logger
type authModule struct {
server oauth.Server
db db.DB
log *logrus.Logger
}
type login struct {
@ -74,52 +59,17 @@ type login struct {
Password string `form:"password"`
}
// New returns a new oauth module
func New(ts oauth2.TokenStore, cs oauth2.ClientStore, db db.DB, log *logrus.Logger) module.ClientAPIModule {
manager := manage.NewDefaultManager()
manager.MapTokenStorage(ts)
manager.MapClientStorage(cs)
manager.SetAuthorizeCodeTokenCfg(manage.DefaultAuthorizeCodeTokenCfg)
sc := &server.Config{
TokenType: "Bearer",
// Must follow the spec.
AllowGetAccessRequest: false,
// Support only the non-implicit flow.
AllowedResponseTypes: []oauth2.ResponseType{oauth2.Code},
// Allow:
// - Authorization Code (for first & third parties)
AllowedGrantTypes: []oauth2.GrantType{
oauth2.AuthorizationCode,
},
AllowedCodeChallengeMethods: []oauth2.CodeChallengeMethod{oauth2.CodeChallengePlain},
// New returns a new auth module
func New(srv oauth.Server, db db.DB, log *logrus.Logger) module.ClientAPIModule {
return &authModule{
server: srv,
db: db,
log: log,
}
srv := server.NewServer(sc, manager)
srv.SetInternalErrorHandler(func(err error) *errors.Response {
log.Errorf("internal oauth error: %s", err)
return nil
})
srv.SetResponseErrorHandler(func(re *errors.Response) {
log.Errorf("internal response error: %s", re.Error)
})
m := &oauthModule{
oauthManager: manager,
oauthServer: srv,
db: db,
log: log,
}
m.oauthServer.SetUserAuthorizationHandler(m.userAuthorizationHandler)
m.oauthServer.SetClientInfoHandler(server.ClientFormHandler)
return m
}
// Route satisfies the RESTAPIModule interface
func (m *oauthModule) Route(s router.Router) error {
s.AttachHandler(http.MethodPost, appsPath, m.appsPOSTHandler)
func (m *authModule) Route(s router.Router) error {
s.AttachHandler(http.MethodGet, authSignInPath, m.signInGETHandler)
s.AttachHandler(http.MethodPost, authSignInPath, m.signInPOSTHandler)
@ -129,7 +79,6 @@ func (m *oauthModule) Route(s router.Router) error {
s.AttachHandler(http.MethodPost, oauthAuthorizePath, m.authorizePOSTHandler)
s.AttachMiddleware(m.oauthTokenMiddleware)
return nil
}
@ -137,93 +86,10 @@ func (m *oauthModule) Route(s router.Router) error {
MAIN HANDLERS -- serve these through a server/router
*/
// appsPOSTHandler should be served at https://example.org/api/v1/apps
// It is equivalent to: https://docs.joinmastodon.org/methods/apps/
func (m *oauthModule) appsPOSTHandler(c *gin.Context) {
l := m.log.WithField("func", "AppsPOSTHandler")
l.Trace("entering AppsPOSTHandler")
form := &mastotypes.ApplicationPOSTRequest{}
if err := c.ShouldBind(form); err != nil {
c.JSON(http.StatusUnprocessableEntity, gin.H{"error": err.Error()})
return
}
// permitted length for most fields
permittedLength := 64
// redirect can be a bit bigger because we probably need to encode data in the redirect uri
permittedRedirect := 256
// check lengths of fields before proceeding so the user can't spam huge entries into the database
if len(form.ClientName) > permittedLength {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("client_name must be less than %d bytes", permittedLength)})
return
}
if len(form.Website) > permittedLength {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("website must be less than %d bytes", permittedLength)})
return
}
if len(form.RedirectURIs) > permittedRedirect {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("redirect_uris must be less than %d bytes", permittedRedirect)})
return
}
if len(form.Scopes) > permittedLength {
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("scopes must be less than %d bytes", permittedLength)})
return
}
// set default 'read' for scopes if it's not set, this follows the default of the mastodon api https://docs.joinmastodon.org/methods/apps/
var scopes string
if form.Scopes == "" {
scopes = "read"
} else {
scopes = form.Scopes
}
// generate new IDs for this application and its associated client
clientID := uuid.NewString()
clientSecret := uuid.NewString()
vapidKey := uuid.NewString()
// generate the application to put in the database
app := &model.Application{
Name: form.ClientName,
Website: form.Website,
RedirectURI: form.RedirectURIs,
ClientID: clientID,
ClientSecret: clientSecret,
Scopes: scopes,
VapidKey: vapidKey,
}
// chuck it in the db
if err := m.db.Put(app); err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
// now we need to model an oauth client from the application that the oauth library can use
oc := &oauthClient{
ID: clientID,
Secret: clientSecret,
Domain: form.RedirectURIs,
UserID: "", // This client isn't yet associated with a specific user, it's just an app client right now
}
// chuck it in the db
if err := m.db.Put(oc); err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
// done, return the new app information per the spec here: https://docs.joinmastodon.org/methods/apps/
c.JSON(http.StatusOK, app.ToMasto())
}
// signInGETHandler should be served at https://example.org/auth/sign_in.
// The idea is to present a sign in page to the user, where they can enter their username and password.
// The form will then POST to the sign in page, which will be handled by SignInPOSTHandler
func (m *oauthModule) signInGETHandler(c *gin.Context) {
func (m *authModule) signInGETHandler(c *gin.Context) {
m.log.WithField("func", "SignInGETHandler").Trace("serving sign in html")
c.HTML(http.StatusOK, "sign-in.tmpl", gin.H{})
}
@ -231,7 +97,7 @@ func (m *oauthModule) signInGETHandler(c *gin.Context) {
// signInPOSTHandler should be served at https://example.org/auth/sign_in.
// The idea is to present a sign in page to the user, where they can enter their username and password.
// The handler will then redirect to the auth handler served at /auth
func (m *oauthModule) signInPOSTHandler(c *gin.Context) {
func (m *authModule) signInPOSTHandler(c *gin.Context) {
l := m.log.WithField("func", "SignInPOSTHandler")
s := sessions.Default(c)
form := &login{}
@ -260,10 +126,10 @@ func (m *oauthModule) signInPOSTHandler(c *gin.Context) {
// tokenPOSTHandler should be served as a POST at https://example.org/oauth/token
// The idea here is to serve an oauth access token to a user, which can be used for authorizing against non-public APIs.
// See https://docs.joinmastodon.org/methods/apps/oauth/#obtain-a-token
func (m *oauthModule) tokenPOSTHandler(c *gin.Context) {
func (m *authModule) tokenPOSTHandler(c *gin.Context) {
l := m.log.WithField("func", "TokenPOSTHandler")
l.Trace("entered TokenPOSTHandler")
if err := m.oauthServer.HandleTokenRequest(c.Writer, c.Request); err != nil {
if err := m.server.HandleTokenRequest(c.Writer, c.Request); err != nil {
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
}
}
@ -271,7 +137,7 @@ func (m *oauthModule) tokenPOSTHandler(c *gin.Context) {
// authorizeGETHandler should be served as GET at https://example.org/oauth/authorize
// The idea here is to present an oauth authorize page to the user, with a button
// that they have to click to accept. See here: https://docs.joinmastodon.org/methods/apps/oauth/#authorize-a-user
func (m *oauthModule) authorizeGETHandler(c *gin.Context) {
func (m *authModule) authorizeGETHandler(c *gin.Context) {
l := m.log.WithField("func", "AuthorizeGETHandler")
s := sessions.Default(c)
@ -349,7 +215,7 @@ func (m *oauthModule) authorizeGETHandler(c *gin.Context) {
// At this point we assume that the user has A) logged in and B) accepted that the app should act for them,
// so we should proceed with the authentication flow and generate an oauth token for them if we can.
// See here: https://docs.joinmastodon.org/methods/apps/oauth/#authorize-a-user
func (m *oauthModule) authorizePOSTHandler(c *gin.Context) {
func (m *authModule) authorizePOSTHandler(c *gin.Context) {
l := m.log.WithField("func", "AuthorizePOSTHandler")
s := sessions.Default(c)
@ -404,7 +270,7 @@ func (m *oauthModule) authorizePOSTHandler(c *gin.Context) {
l.Tracef("values on request set to %+v", c.Request.Form)
// and proceed with authorization using the oauth2 library
if err := m.oauthServer.HandleAuthorizeRequest(c.Writer, c.Request); err != nil {
if err := m.server.HandleAuthorizeRequest(c.Writer, c.Request); err != nil {
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
}
}
@ -418,25 +284,50 @@ func (m *oauthModule) authorizePOSTHandler(c *gin.Context) {
// the request. Then, it will look up the account for that user, and set that in the request too.
// If user or account can't be found, then the handler won't *fail*, in case the server wants to allow
// public requests that don't have a Bearer token set (eg., for public instance information and so on).
func (m *oauthModule) oauthTokenMiddleware(c *gin.Context) {
func (m *authModule) oauthTokenMiddleware(c *gin.Context) {
l := m.log.WithField("func", "ValidatePassword")
l.Trace("entering OauthTokenMiddleware")
ti, err := m.oauthServer.ValidationBearerToken(c.Request)
ti, err := m.server.ValidationBearerToken(c.Request)
if err != nil {
l.Trace("no valid token presented: continuing with unauthenticated request")
return
}
l.Tracef("authenticated user %s with bearer token, scope is %s", ti.GetUserID(), ti.GetScope())
c.Set(oauth.SessionAuthorizedToken, ti)
l.Tracef("set gin context %s to %+v", oauth.SessionAuthorizedToken, ti)
acct := &model.Account{}
if err := m.db.GetAccountByUserID(ti.GetUserID(), acct); err != nil || acct == nil {
l.Tracef("no account found for user %s, continuing with unauthenticated request", ti.GetUserID())
return
// check for user-level token
if uid := ti.GetUserID(); uid != "" {
l.Tracef("authenticated user %s with bearer token, scope is %s", uid, ti.GetScope())
// fetch user's and account for this user id
user := &model.User{}
if err := m.db.GetByID(uid, user); err != nil || user == nil {
l.Warnf("no user found for validated uid %s", uid)
return
}
c.Set(oauth.SessionAuthorizedUser, user)
l.Tracef("set gin context %s to %+v", oauth.SessionAuthorizedUser, user)
acct := &model.Account{}
if err := m.db.GetByID(user.AccountID, acct); err != nil || acct == nil {
l.Warnf("no account found for validated user %s", uid)
return
}
c.Set(oauth.SessionAuthorizedAccount, acct)
l.Tracef("set gin context %s to %+v", oauth.SessionAuthorizedAccount, acct)
}
c.Set(SessionAuthorizedAccount, acct)
c.Set(SessionAuthorizedUser, ti.GetUserID())
// check for application token
if cid := ti.GetClientID(); cid != "" {
l.Tracef("authenticated client %s with bearer token, scope is %s", cid, ti.GetScope())
app := &model.Application{}
if err := m.db.GetWhere("client_id", cid, app); err != nil {
l.Tracef("no app found for client %s", cid)
}
c.Set(oauth.SessionAuthorizedApplication, app)
l.Tracef("set gin context %s to %+v", oauth.SessionAuthorizedApplication, app)
}
}
/*
@ -447,7 +338,7 @@ func (m *oauthModule) oauthTokenMiddleware(c *gin.Context) {
// The goal is to authenticate the password against the one for that email
// address stored in the database. If OK, we return the userid (a uuid) for that user,
// so that it can be used in further Oauth flows to generate a token/retreieve an oauth client from the db.
func (m *oauthModule) validatePassword(email string, password string) (userid string, err error) {
func (m *authModule) validatePassword(email string, password string) (userid string, err error) {
l := m.log.WithField("func", "ValidatePassword")
// make sure an email/password was provided and bail if not
@ -487,18 +378,6 @@ func incorrectPassword() (string, error) {
return "", errors.New("password/email combination was incorrect")
}
// userAuthorizationHandler gets the user's ID from the 'userid' field of the request form,
// or redirects to the /auth/sign_in page, if this key is not present.
func (m *oauthModule) userAuthorizationHandler(w http.ResponseWriter, r *http.Request) (userID string, err error) {
l := m.log.WithField("func", "UserAuthorizationHandler")
userID = r.FormValue("userid")
if userID == "" {
return "", errors.New("userid was empty, redirecting to sign in page")
}
l.Tracef("returning userID %s", userID)
return userID, err
}
// parseAuthForm parses the OAuthAuthorize form in the gin context, and stores
// the values in the form into the session.
func parseAuthForm(c *gin.Context, l *logrus.Entry) error {

40
internal/module/oauth/oauth_test.go → internal/module/auth/auth_test.go
View file

@ -16,38 +16,38 @@
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package oauth
package auth
import (
"context"
"fmt"
"testing"
"time"
"github.com/google/uuid"
"github.com/gotosocial/gotosocial/internal/config"
"github.com/gotosocial/gotosocial/internal/db"
"github.com/gotosocial/gotosocial/internal/db/model"
"github.com/gotosocial/gotosocial/internal/oauth"
"github.com/gotosocial/gotosocial/internal/router"
"github.com/gotosocial/oauth2/v4"
"github.com/sirupsen/logrus"
"github.com/stretchr/testify/suite"
"golang.org/x/crypto/bcrypt"
)
type OauthTestSuite struct {
type AuthTestSuite struct {
suite.Suite
tokenStore oauth2.TokenStore
clientStore oauth2.ClientStore
oauthServer oauth.Server
db db.DB
testAccount *model.Account
testApplication *model.Application
testUser *model.User
testClient *oauthClient
testClient *oauth.Client
config *config.Config
}
// SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout
func (suite *OauthTestSuite) SetupSuite() {
func (suite *AuthTestSuite) SetupSuite() {
c := config.Empty()
// we're running on localhost without https so set the protocol to http
c.Protocol = "http"
@ -84,7 +84,7 @@ func (suite *OauthTestSuite) SetupSuite() {
Email: "user@example.org",
AccountID: acctID,
}
suite.testClient = &oauthClient{
suite.testClient = &oauth.Client{
ID: "a-known-client-id",
Secret: "some-secret",
Domain: fmt.Sprintf("%s://%s", c.Protocol, c.Host),
@ -101,7 +101,7 @@ func (suite *OauthTestSuite) SetupSuite() {
}
// SetupTest creates a postgres connection and creates the oauth_clients table before each test
func (suite *OauthTestSuite) SetupTest() {
func (suite *AuthTestSuite) SetupTest() {
log := logrus.New()
log.SetLevel(logrus.TraceLevel)
@ -113,8 +113,8 @@ func (suite *OauthTestSuite) SetupTest() {
suite.db = db
models := []interface{}{
&oauthClient{},
&oauthToken{},
&oauth.Client{},
&oauth.Token{},
&model.User{},
&model.Account{},
&model.Application{},
@ -126,8 +126,7 @@ func (suite *OauthTestSuite) SetupTest() {
}
}
suite.tokenStore = newTokenStore(context.Background(), suite.db, logrus.New())
suite.clientStore = newClientStore(suite.db)
suite.oauthServer = oauth.New(suite.db, log)
if err := suite.db.Put(suite.testAccount); err != nil {
logrus.Panicf("could not insert test account into db: %s", err)
@ -145,10 +144,10 @@ func (suite *OauthTestSuite) SetupTest() {
}
// TearDownTest drops the oauth_clients table and closes the pg connection after each test
func (suite *OauthTestSuite) TearDownTest() {
func (suite *AuthTestSuite) TearDownTest() {
models := []interface{}{
&oauthClient{},
&oauthToken{},
&oauth.Client{},
&oauth.Token{},
&model.User{},
&model.Account{},
&model.Application{},
@ -164,7 +163,7 @@ func (suite *OauthTestSuite) TearDownTest() {
suite.db = nil
}
func (suite *OauthTestSuite) TestAPIInitialize() {
func (suite *AuthTestSuite) TestAPIInitialize() {
log := logrus.New()
log.SetLevel(logrus.TraceLevel)
@ -173,17 +172,18 @@ func (suite *OauthTestSuite) TestAPIInitialize() {
suite.FailNow(fmt.Sprintf("error mapping routes onto router: %s", err))
}
api := New(suite.tokenStore, suite.clientStore, suite.db, log)
api := New(suite.oauthServer, suite.db, log)
if err := api.Route(r); err != nil {
suite.FailNow(fmt.Sprintf("error mapping routes onto router: %s", err))
}
r.Start()
time.Sleep(60 * time.Second)
if err := r.Stop(context.Background()); err != nil {
suite.FailNow(fmt.Sprintf("error stopping router: %s", err))
}
}
func TestOauthTestSuite(t *testing.T) {
suite.Run(t, new(OauthTestSuite))
func TestAuthTestSuite(t *testing.T) {
suite.Run(t, new(AuthTestSuite))
}

72
internal/module/oauth/clientstore.go
View file

@ -1,72 +0,0 @@
/*
GoToSocial
Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package oauth
import (
"context"
"github.com/gotosocial/gotosocial/internal/db"
"github.com/gotosocial/oauth2/v4"
"github.com/gotosocial/oauth2/v4/models"
)
type clientStore struct {
db db.DB
}
func newClientStore(db db.DB) oauth2.ClientStore {
pts := &clientStore{
db: db,
}
return pts
}
func (cs *clientStore) GetByID(ctx context.Context, clientID string) (oauth2.ClientInfo, error) {
poc := &oauthClient{
ID: clientID,
}
if err := cs.db.GetByID(clientID, poc); err != nil {
return nil, err
}
return models.New(poc.ID, poc.Secret, poc.Domain, poc.UserID), nil
}
func (cs *clientStore) Set(ctx context.Context, id string, cli oauth2.ClientInfo) error {
poc := &oauthClient{
ID: cli.GetID(),
Secret: cli.GetSecret(),
Domain: cli.GetDomain(),
UserID: cli.GetUserID(),
}
return cs.db.UpdateByID(id, poc)
}
func (cs *clientStore) Delete(ctx context.Context, id string) error {
poc := &oauthClient{
ID: id,
}
return cs.db.DeleteByID(id, poc)
}
type oauthClient struct {
ID string
Secret string
Domain string
UserID string
}

144
internal/module/oauth/clientstore_test.go
View file

@ -1,144 +0,0 @@
/*
GoToSocial
Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package oauth
import (
"context"
"testing"
"github.com/gotosocial/gotosocial/internal/config"
"github.com/gotosocial/gotosocial/internal/db"
"github.com/gotosocial/oauth2/v4/models"
"github.com/sirupsen/logrus"
"github.com/stretchr/testify/suite"
)
type PgClientStoreTestSuite struct {
suite.Suite
db db.DB
testClientID string
testClientSecret string
testClientDomain string
testClientUserID string
}
const ()
// SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout
func (suite *PgClientStoreTestSuite) SetupSuite() {
suite.testClientID = "test-client-id"
suite.testClientSecret = "test-client-secret"
suite.testClientDomain = "https://example.org"
suite.testClientUserID = "test-client-user-id"
}
// SetupTest creates a postgres connection and creates the oauth_clients table before each test
func (suite *PgClientStoreTestSuite) SetupTest() {
log := logrus.New()
log.SetLevel(logrus.TraceLevel)
c := config.Empty()
c.DBConfig = &config.DBConfig{
Type: "postgres",
Address: "localhost",
Port: 5432,
User: "postgres",
Password: "postgres",
Database: "postgres",
ApplicationName: "gotosocial",
}
db, err := db.New(context.Background(), c, log)
if err != nil {
logrus.Panicf("error creating database connection: %s", err)
}
suite.db = db
models := []interface{}{
&oauthClient{},
}
for _, m := range models {
if err := suite.db.CreateTable(m); err != nil {
logrus.Panicf("db connection error: %s", err)
}
}
}
// TearDownTest drops the oauth_clients table and closes the pg connection after each test
func (suite *PgClientStoreTestSuite) TearDownTest() {
models := []interface{}{
&oauthClient{},
}
for _, m := range models {
if err := suite.db.DropTable(m); err != nil {
logrus.Panicf("error dropping table: %s", err)
}
}
if err := suite.db.Stop(context.Background()); err != nil {
logrus.Panicf("error closing db connection: %s", err)
}
suite.db = nil
}
func (suite *PgClientStoreTestSuite) TestClientStoreSetAndGet() {
// set a new client in the store
cs := newClientStore(suite.db)
if err := cs.Set(context.Background(), suite.testClientID, models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID)); err != nil {
suite.FailNow(err.Error())
}
// fetch that client from the store
client, err := cs.GetByID(context.Background(), suite.testClientID)
if err != nil {
suite.FailNow(err.Error())
}
// check that the values are the same
suite.NotNil(client)
suite.EqualValues(models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID), client)
}
func (suite *PgClientStoreTestSuite) TestClientSetAndDelete() {
// set a new client in the store
cs := newClientStore(suite.db)
if err := cs.Set(context.Background(), suite.testClientID, models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID)); err != nil {
suite.FailNow(err.Error())
}
// fetch the client from the store
client, err := cs.GetByID(context.Background(), suite.testClientID)
if err != nil {
suite.FailNow(err.Error())
}
// check that the values are the same
suite.NotNil(client)
suite.EqualValues(models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID), client)
if err := cs.Delete(context.Background(), suite.testClientID); err != nil {
suite.FailNow(err.Error())
}
// try to get the deleted client; we should get an error
deletedClient, err := cs.GetByID(context.Background(), suite.testClientID)
suite.Assert().Nil(deletedClient)
suite.Assert().EqualValues(db.ErrNoEntries{}, err)
}
func TestPgClientStoreTestSuite(t *testing.T) {
suite.Run(t, new(PgClientStoreTestSuite))
}

251
internal/module/oauth/tokenstore.go
View file

@ -1,251 +0,0 @@
/*
GoToSocial
Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
package oauth
import (
"context"
"errors"
"fmt"
"time"
"github.com/gotosocial/gotosocial/internal/db"
"github.com/gotosocial/oauth2/v4"
"github.com/gotosocial/oauth2/v4/models"
"github.com/sirupsen/logrus"
)
// tokenStore is an implementation of oauth2.TokenStore, which uses our db interface as a storage backend.
type tokenStore struct {
oauth2.TokenStore
db db.DB
log *logrus.Logger
}
// newTokenStore returns a token store that satisfies the oauth2.TokenStore interface.
//
// In order to allow tokens to 'expire', it will also set off a goroutine that iterates through
// the tokens in the DB once per minute and deletes any that have expired.
func newTokenStore(ctx context.Context, db db.DB, log *logrus.Logger) oauth2.TokenStore {
pts := &tokenStore{
db: db,
log: log,
}
// set the token store to clean out expired tokens once per minute, or return if we're done
go func(ctx context.Context, pts *tokenStore, log *logrus.Logger) {
cleanloop:
for {
select {
case <-ctx.Done():
log.Info("breaking cleanloop")
break cleanloop
case <-time.After(1 * time.Minute):
log.Debug("sweeping out old oauth entries broom broom")
if err := pts.sweep(); err != nil {
log.Errorf("error while sweeping oauth entries: %s", err)
}
}
}
}(ctx, pts, log)
return pts
}
// sweep clears out old tokens that have expired; it should be run on a loop about once per minute or so.
func (pts *tokenStore) sweep() error {
// select *all* tokens from the db
// todo: if this becomes expensive (ie., there are fucking LOADS of tokens) then figure out a better way.
tokens := new([]*oauthToken)
if err := pts.db.GetAll(tokens); err != nil {
return err
}
// iterate through and remove expired tokens
now := time.Now()
for _, pgt := range *tokens {
// The zero value of a time.Time is 00:00 january 1 1970, which will always be before now. So:
// we only want to check if a token expired before now if the expiry time is *not zero*;
// ie., if it's been explicity set.
if !pgt.CodeExpiresAt.IsZero() && pgt.CodeExpiresAt.Before(now) || !pgt.RefreshExpiresAt.IsZero() && pgt.RefreshExpiresAt.Before(now) || !pgt.AccessExpiresAt.IsZero() && pgt.AccessExpiresAt.Before(now) {
if err := pts.db.DeleteByID(pgt.ID, &pgt); err != nil {
return err
}
}
}
return nil
}
// Create creates and store the new token information.
// For the original implementation, see https://github.com/gotosocial/oauth2/blob/master/store/token.go#L34
func (pts *tokenStore) Create(ctx context.Context, info oauth2.TokenInfo) error {
t, ok := info.(*models.Token)
if !ok {
return errors.New("info param was not a models.Token")
}
if err := pts.db.Put(oauthTokenToPGToken(t)); err != nil {
return fmt.Errorf("error in tokenstore create: %s", err)
}
return nil
}
// RemoveByCode deletes a token from the DB based on the Code field
func (pts *tokenStore) RemoveByCode(ctx context.Context, code string) error {
return pts.db.DeleteWhere("code", code, &oauthToken{})
}
// RemoveByAccess deletes a token from the DB based on the Access field
func (pts *tokenStore) RemoveByAccess(ctx context.Context, access string) error {
return pts.db.DeleteWhere("access", access, &oauthToken{})
}
// RemoveByRefresh deletes a token from the DB based on the Refresh field
func (pts *tokenStore) RemoveByRefresh(ctx context.Context, refresh string) error {
return pts.db.DeleteWhere("refresh", refresh, &oauthToken{})
}
// GetByCode selects a token from the DB based on the Code field
func (pts *tokenStore) GetByCode(ctx context.Context, code string) (oauth2.TokenInfo, error) {
pgt := &oauthToken{
Code: code,
}
if err := pts.db.GetWhere("code", code, pgt); err != nil {
return nil, err
}
return pgTokenToOauthToken(pgt), nil
}
// GetByAccess selects a token from the DB based on the Access field
func (pts *tokenStore) GetByAccess(ctx context.Context, access string) (oauth2.TokenInfo, error) {
pgt := &oauthToken{
Access: access,
}
if err := pts.db.GetWhere("access", access, pgt); err != nil {
return nil, err
}
return pgTokenToOauthToken(pgt), nil
}
// GetByRefresh selects a token from the DB based on the Refresh field
func (pts *tokenStore) GetByRefresh(ctx context.Context, refresh string) (oauth2.TokenInfo, error) {
pgt := &oauthToken{
Refresh: refresh,
}
if err := pts.db.GetWhere("refresh", refresh, pgt); err != nil {
return nil, err
}
return pgTokenToOauthToken(pgt), nil
}
/*
The following models are basically helpers for the postgres token store implementation, they should only be used internally.
*/
// oauthToken is a translation of the gotosocial token with the ExpiresIn fields replaced with ExpiresAt.
//
// Explanation for this: gotosocial assumes an in-memory or file database of some kind, where a time-to-live parameter (TTL) can be defined,
// and tokens with expired TTLs are automatically removed. Since Postgres doesn't have that feature, it's easier to set an expiry time and
// then periodically sweep out tokens when that time has passed.
//
// Note that this struct does *not* satisfy the token interface shown here: https://github.com/gotosocial/oauth2/blob/master/model.go#L22
// and implemented here: https://github.com/gotosocial/oauth2/blob/master/models/token.go.
// As such, manual translation is always required between oauthToken and the gotosocial *model.Token. The helper functions oauthTokenToPGToken
// and pgTokenToOauthToken can be used for that.
type oauthToken struct {
ID string `pg:"type:uuid,default:gen_random_uuid(),pk,notnull"`
ClientID string
UserID string
RedirectURI string
Scope string
Code string `pg:"default:'',pk"`
CodeChallenge string
CodeChallengeMethod string
CodeCreateAt time.Time `pg:"type:timestamp"`
CodeExpiresAt time.Time `pg:"type:timestamp"`
Access string `pg:"default:'',pk"`
AccessCreateAt time.Time `pg:"type:timestamp"`
AccessExpiresAt time.Time `pg:"type:timestamp"`
Refresh string `pg:"default:'',pk"`
RefreshCreateAt time.Time `pg:"type:timestamp"`
RefreshExpiresAt time.Time `pg:"type:timestamp"`
}
// oauthTokenToPGToken is a lil util function that takes a gotosocial token and gives back a token for inserting into postgres
func oauthTokenToPGToken(tkn *models.Token) *oauthToken {
now := time.Now()
// For the following, we want to make sure we're not adding a time.Now() to an *empty* ExpiresIn, otherwise that's
// going to cause all sorts of interesting problems. So check first to make sure that the ExpiresIn is not equal
// to the zero value of a time.Duration, which is 0s. If it *is* empty/nil, just leave the ExpiresAt at nil as well.
var cea time.Time
if tkn.CodeExpiresIn != 0*time.Second {
cea = now.Add(tkn.CodeExpiresIn)
}
var aea time.Time
if tkn.AccessExpiresIn != 0*time.Second {
aea = now.Add(tkn.AccessExpiresIn)
}
var rea time.Time
if tkn.RefreshExpiresIn != 0*time.Second {
rea = now.Add(tkn.RefreshExpiresIn)
}
return &oauthToken{
ClientID: tkn.ClientID,
UserID: tkn.UserID,
RedirectURI: tkn.RedirectURI,
Scope: tkn.Scope,
Code: tkn.Code,
CodeChallenge: tkn.CodeChallenge,
CodeChallengeMethod: tkn.CodeChallengeMethod,
CodeCreateAt: tkn.CodeCreateAt,
CodeExpiresAt: cea,
Access: tkn.Access,
AccessCreateAt: tkn.AccessCreateAt,
AccessExpiresAt: aea,
Refresh: tkn.Refresh,
RefreshCreateAt: tkn.RefreshCreateAt,
RefreshExpiresAt: rea,
}
}
// pgTokenToOauthToken is a lil util function that takes a postgres token and gives back a gotosocial token
func pgTokenToOauthToken(pgt *oauthToken) *models.Token {
now := time.Now()
return &models.Token{
ClientID: pgt.ClientID,
UserID: pgt.UserID,
RedirectURI: pgt.RedirectURI,
Scope: pgt.Scope,
Code: pgt.Code,
CodeChallenge: pgt.CodeChallenge,
CodeChallengeMethod: pgt.CodeChallengeMethod,
CodeCreateAt: pgt.CodeCreateAt,
CodeExpiresIn: pgt.CodeExpiresAt.Sub(now),
Access: pgt.Access,
AccessCreateAt: pgt.AccessCreateAt,
AccessExpiresIn: pgt.AccessExpiresAt.Sub(now),
Refresh: pgt.Refresh,
RefreshCreateAt: pgt.RefreshCreateAt,
RefreshExpiresIn: pgt.RefreshExpiresAt.Sub(now),
}
}