Oidc (#109)

* add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments
2025-06-05 21:59:39 +02:00 · 2021-07-23 10:36:28 +02:00
parent 113186ce4e
commit 05e9af089c
61 changed files with 2597 additions and 757 deletions
--- a/internal/api/client/auth/auth.go
+++ b/internal/api/client/auth/auth.go
@@ -26,6 +26,7 @@ import (
 	"github.com/superseriousbusiness/gotosocial/internal/config"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
 	"github.com/superseriousbusiness/gotosocial/internal/oauth"
+	"github.com/superseriousbusiness/gotosocial/internal/oidc"
 	"github.com/superseriousbusiness/gotosocial/internal/router"
 )

@@ -36,40 +37,37 @@ const (
 	OauthTokenPath = "/oauth/token"
 	// OauthAuthorizePath is the API path for authorization requests (eg., authorize this app to act on my behalf as a user)
 	OauthAuthorizePath = "/oauth/authorize"
+	// CallbackPath is the API path for receiving callback tokens from external OIDC providers
+	CallbackPath = oidc.CallbackPath
+
+	callbackStateParam = "state"
+	callbackCodeParam  = "code"

 	sessionUserID       = "userid"
 	sessionClientID     = "client_id"
 	sessionRedirectURI  = "redirect_uri"
 	sessionForceLogin   = "force_login"
 	sessionResponseType = "response_type"
-	sessionCode         = "code"
 	sessionScope        = "scope"
+	sessionState        = "state"
 )

-var sessionKeys []string = []string{
-	sessionUserID,
-	sessionClientID,
-	sessionRedirectURI,
-	sessionForceLogin,
-	sessionResponseType,
-	sessionCode,
-	sessionScope,
-}
-
 // Module implements the ClientAPIModule interface for
 type Module struct {
 	config *config.Config
 	db     db.DB
 	server oauth.Server
+	idp    oidc.IDP
 	log    *logrus.Logger
 }

 // New returns a new auth module
-func New(config *config.Config, db db.DB, server oauth.Server, log *logrus.Logger) api.ClientModule {
+func New(config *config.Config, db db.DB, server oauth.Server, idp oidc.IDP, log *logrus.Logger) api.ClientModule {
 	return &Module{
 		config: config,
 		db:     db,
 		server: server,
+		idp:    idp,
 		log:    log,
 	}
 }
@@ -84,6 +82,8 @@ func (m *Module) Route(s router.Router) error {
 	s.AttachHandler(http.MethodGet, OauthAuthorizePath, m.AuthorizeGETHandler)
 	s.AttachHandler(http.MethodPost, OauthAuthorizePath, m.AuthorizePOSTHandler)

+	s.AttachHandler(http.MethodGet, CallbackPath, m.CallbackGETHandler)
+
 	s.AttachMiddleware(m.OauthTokenMiddleware)
 	return nil
 }
--- a/internal/api/client/auth/authorize.go
+++ b/internal/api/client/auth/authorize.go
@@ -23,9 +23,11 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"

 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 	"github.com/superseriousbusiness/gotosocial/internal/api/model"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
@@ -46,16 +48,19 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 		form := &model.OAuthAuthorize{}
 		if err := c.Bind(form); err != nil {
 			l.Debugf("invalid auth form: %s", err)
-			return
-		}
-		l.Tracef("parsed auth form: %+v", form)
-
-		if err := extractAuthForm(s, form); err != nil {
-			l.Debugf(fmt.Sprintf("error parsing form at /oauth/authorize: %s", err))
+			m.clearSession(s)
 			c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 			return
 		}
-		c.Redirect(http.StatusFound, AuthSignInPath)
+		l.Debugf("parsed auth form: %+v", form)
+
+		if err := extractAuthForm(s, form); err != nil {
+			l.Debugf(fmt.Sprintf("error parsing form at /oauth/authorize: %s", err))
+			m.clearSession(s)
+			c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+			return
+		}
+		c.Redirect(http.StatusSeeOther, AuthSignInPath)
 		return
 	}

@@ -69,6 +74,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 		ClientID: clientID,
 	}
 	if err := m.db.GetWhere([]db.Where{{Key: sessionClientID, Value: app.ClientID}}, app); err != nil {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)})
 		return
 	}
@@ -78,6 +84,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 		ID: userID,
 	}
 	if err := m.db.GetByID(user.ID, user); err != nil {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return
 	}
@@ -87,6 +94,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 	}

 	if err := m.db.GetByID(acct.ID, acct); err != nil {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return
 	}
@@ -94,11 +102,13 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 	// Finally we should also get the redirect and scope of this particular request, as stored in the session.
 	redirect, ok := s.Get(sessionRedirectURI).(string)
 	if !ok || redirect == "" {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "no redirect_uri found in session"})
 		return
 	}
 	scope, ok := s.Get(sessionScope).(string)
 	if !ok || scope == "" {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "no scope found in session"})
 		return
 	}
@@ -128,48 +138,42 @@ func (m *Module) AuthorizePOSTHandler(c *gin.Context) {
 	// recreate it on the request so that it can be used further by the oauth2 library.
 	// So first fetch all the values from the session.

+	errs := []string{}
+
 	forceLogin, ok := s.Get(sessionForceLogin).(string)
 	if !ok {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing force_login"})
-		return
+		forceLogin = "false"
 	}

 	responseType, ok := s.Get(sessionResponseType).(string)
 	if !ok || responseType == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing response_type"})
-		return
+		errs = append(errs, "session missing response_type")
 	}

 	clientID, ok := s.Get(sessionClientID).(string)
 	if !ok || clientID == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing client_id"})
-		return
+		errs = append(errs, "session missing client_id")
 	}

 	redirectURI, ok := s.Get(sessionRedirectURI).(string)
 	if !ok || redirectURI == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing redirect_uri"})
-		return
+		errs = append(errs, "session missing redirect_uri")
 	}

 	scope, ok := s.Get(sessionScope).(string)
 	if !ok {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing scope"})
-		return
+		errs = append(errs, "session missing scope")
 	}

 	userID, ok := s.Get(sessionUserID).(string)
 	if !ok {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing userid"})
-		return
+		errs = append(errs, "session missing userid")
 	}

-	// we're done with the session so we can clear it now
-	for _, key := range sessionKeys {
-		s.Delete(key)
-	}
-	if err := s.Save(); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+	m.clearSession(s)
+
+	if len(errs) != 0 {
+		c.JSON(http.StatusBadRequest, gin.H{"error": strings.Join(errs, ": ")})
 		return
 	}

@@ -209,5 +213,6 @@ func extractAuthForm(s sessions.Session, form *model.OAuthAuthorize) error {
 	s.Set(sessionClientID, form.ClientID)
 	s.Set(sessionRedirectURI, form.RedirectURI)
 	s.Set(sessionScope, form.Scope)
+	s.Set(sessionState, uuid.NewString())
 	return s.Save()
 }
--- a/internal/api/client/auth/callback.go
+++ b/internal/api/client/auth/callback.go
@@ -0,0 +1,219 @@
+/*
+   GoToSocial
+   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
+
+   This program is free software: you can redistribute it and/or modify
+   it under the terms of the GNU Affero General Public License as published by
+   the Free Software Foundation, either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU Affero General Public License for more details.
+
+   You should have received a copy of the GNU Affero General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+package auth
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/gin-contrib/sessions"
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
+	"github.com/superseriousbusiness/gotosocial/internal/oidc"
+	"github.com/superseriousbusiness/gotosocial/internal/util"
+)
+
+// CallbackGETHandler parses a token from an external auth provider.
+func (m *Module) CallbackGETHandler(c *gin.Context) {
+	s := sessions.Default(c)
+
+	// first make sure the state set in the cookie is the same as the state returned from the external provider
+	state := c.Query(callbackStateParam)
+	if state == "" {
+		m.clearSession(s)
+		c.JSON(http.StatusForbidden, gin.H{"error": "state query not found on callback"})
+		return
+	}
+
+	savedStateI := s.Get(sessionState)
+	savedState, ok := savedStateI.(string)
+	if !ok {
+		m.clearSession(s)
+		c.JSON(http.StatusForbidden, gin.H{"error": "state not found in session"})
+		return
+	}
+
+	if state != savedState {
+		m.clearSession(s)
+		c.JSON(http.StatusForbidden, gin.H{"error": "state mismatch"})
+		return
+	}
+
+	code := c.Query(callbackCodeParam)
+
+	claims, err := m.idp.HandleCallback(c.Request.Context(), code)
+	if err != nil {
+		m.clearSession(s)
+		c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
+		return
+	}
+
+	// We can use the client_id on the session to retrieve info about the app associated with the client_id
+	clientID, ok := s.Get(sessionClientID).(string)
+	if !ok || clientID == "" {
+		m.clearSession(s)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "no client_id found in session during callback"})
+		return
+	}
+	app := &gtsmodel.Application{
+		ClientID: clientID,
+	}
+	if err := m.db.GetWhere([]db.Where{{Key: sessionClientID, Value: app.ClientID}}, app); err != nil {
+		m.clearSession(s)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)})
+		return
+	}
+
+	user, err := m.parseUserFromClaims(claims, net.IP(c.ClientIP()), app.ID)
+	if err != nil {
+		m.clearSession(s)
+		c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
+		return
+	}
+
+	s.Set(sessionUserID, user.ID)
+	if err := s.Save(); err != nil {
+		m.clearSession(s)
+		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	c.Redirect(http.StatusFound, OauthAuthorizePath)
+}
+
+func (m *Module) parseUserFromClaims(claims *oidc.Claims, ip net.IP, appID string) (*gtsmodel.User, error) {
+	if claims.Email == "" {
+		return nil, errors.New("no email returned in claims")
+	}
+
+	// see if we already have a user for this email address
+	user := &gtsmodel.User{}
+	err := m.db.GetWhere([]db.Where{{Key: "email", Value: claims.Email}}, user)
+	if err == nil {
+		// we do! so we can just return it
+		return user, nil
+	}
+
+	if _, ok := err.(db.ErrNoEntries); !ok {
+		// we have an actual error in the database
+		return nil, fmt.Errorf("error checking database for email %s: %s", claims.Email, err)
+	}
+
+	// maybe we have an unconfirmed user
+	err = m.db.GetWhere([]db.Where{{Key: "unconfirmed_email", Value: claims.Email}}, user)
+	if err == nil {
+		// user is unconfirmed so return an error
+		return nil, fmt.Errorf("user with email address %s is unconfirmed", claims.Email)
+	}
+
+	if _, ok := err.(db.ErrNoEntries); !ok {
+		// we have an actual error in the database
+		return nil, fmt.Errorf("error checking database for email %s: %s", claims.Email, err)
+	}
+
+	// we don't have a confirmed or unconfirmed user with the claimed email address
+	// however, because we trust the OIDC provider, we should now create a user + account with the provided claims
+
+	// check if the email address is available for use; if it's not there's nothing we can so
+	if err := m.db.IsEmailAvailable(claims.Email); err != nil {
+		return nil, fmt.Errorf("email %s not available: %s", claims.Email, err)
+	}
+
+	// now we need a username
+	var username string
+
+	// make sure claims.Name is defined since we'll be using that for the username
+	if claims.Name == "" {
+		return nil, errors.New("no name returned in claims")
+	}
+
+	// check if we can just use claims.Name as-is
+	err = util.ValidateUsername(claims.Name)
+	if err == nil {
+		// the name we have on the claims is already a valid username
+		username = claims.Name
+	} else {
+		// not a valid username so we have to fiddle with it to try to make it valid
+		// first trim leading and trailing whitespace
+		trimmed := strings.TrimSpace(claims.Name)
+		// underscore any spaces in the middle of the name
+		underscored := strings.ReplaceAll(trimmed, " ", "_")
+		// lowercase the whole thing
+		lower := strings.ToLower(underscored)
+		// see if this is valid....
+		if err := util.ValidateUsername(lower); err == nil {
+			// we managed to get a valid username
+			username = lower
+		} else {
+			return nil, fmt.Errorf("couldn't parse a valid username from claims.Name value of %s", claims.Name)
+		}
+	}
+
+	var iString string
+	var found bool
+	// if the username isn't available we need to iterate on it until we find one that is
+	// we should try to do this in a predictable way so we just keep iterating i by one and trying
+	// the username with that number on the end
+	//
+	// note that for the first iteration, iString is still "" when the check is made, so our first choice
+	// is still the raw username with no integer stuck on the end
+	for i := 1; !found; i = i + 1 {
+		if err := m.db.IsUsernameAvailable(username + iString); err != nil {
+			if strings.Contains(err.Error(), "db error") {
+				// if there's an actual db error we should return
+				return nil, fmt.Errorf("error checking username availability: %s", err)
+			}
+		} else {
+			// no error so we've found a username that works
+			found = true
+			username = username + iString
+			continue
+		}
+		iString = strconv.Itoa(i)
+	}
+
+	// check if the user is in any recognised admin groups
+	var admin bool
+	for _, g := range claims.Groups {
+		if strings.EqualFold(g, "admin") || strings.EqualFold(g, "admins") {
+			admin = true
+		}
+	}
+
+	// we still need to set *a* password even if it's not a password the user will end up using, so set something random
+	// in this case, we'll just set two uuids on top of each other, which should be long + random enough to baffle any attempts to crack.
+	//
+	// if the user ever wants to log in using gts password rather than oidc flow, they'll have to request a password reset, which is fine
+	password := uuid.NewString() + uuid.NewString()
+
+	// create the user! this will also create an account and store it in the database so we don't need to do that here
+	user, err = m.db.NewSignup(username, "", m.config.AccountsConfig.RequireApproval, claims.Email, password, ip, "", appID, claims.EmailVerified, admin)
+	if err != nil {
+		return nil, fmt.Errorf("error creating user: %s", err)
+	}
+
+	return user, nil
+
+}
--- a/internal/api/client/auth/signin.go
+++ b/internal/api/client/auth/signin.go
@@ -39,7 +39,24 @@ type login struct {
 // The idea is to present a sign in page to the user, where they can enter their username and password.
 // The form will then POST to the sign in page, which will be handled by SignInPOSTHandler
 func (m *Module) SignInGETHandler(c *gin.Context) {
-	m.log.WithField("func", "SignInGETHandler").Trace("serving sign in html")
+	l := m.log.WithField("func", "SignInGETHandler")
+	l.Trace("entering sign in handler")
+	if m.idp != nil {
+		s := sessions.Default(c)
+
+		stateI := s.Get(sessionState)
+		state, ok := stateI.(string)
+		if !ok {
+			m.clearSession(s)
+			c.JSON(http.StatusForbidden, gin.H{"error": "state not found in session"})
+			return
+		}
+
+		redirect := m.idp.AuthCodeURL(state)
+		l.Debugf("redirecting to external idp at %s", redirect)
+		c.Redirect(http.StatusSeeOther, redirect)
+		return
+	}
 	c.HTML(http.StatusOK, "sign-in.tmpl", gin.H{})
 }

@@ -52,6 +69,7 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) {
 	form := &login{}
 	if err := c.ShouldBind(form); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		m.clearSession(s)
 		return
 	}
 	l.Tracef("parsed form: %+v", form)
@@ -59,12 +77,14 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) {
 	userid, err := m.ValidatePassword(form.Email, form.Password)
 	if err != nil {
 		c.String(http.StatusForbidden, err.Error())
+		m.clearSession(s)
 		return
 	}

 	s.Set(sessionUserID, userid)
 	if err := s.Save(); err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		m.clearSession(s)
 		return
 	}

--- a/internal/api/client/auth/util.go
+++ b/internal/api/client/auth/util.go
@@ -0,0 +1,17 @@
+package auth
+
+import (
+	"github.com/gin-contrib/sessions"
+)
+
+func (m *Module) clearSession(s sessions.Session) {
+	s.Clear()
+
+	// newOptions := router.SessionOptions(m.config)
+	// newOptions.MaxAge = -1 // instruct browser to delete cookie immediately
+	// s.Options(newOptions)
+
+	if err := s.Save(); err != nil {
+		panic(err)
+	}
+}