mirror of
https://github.com/superseriousbusiness/gotosocial
synced 2025-06-05 21:59:39 +02:00
Oidc (#109)
* add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments
This commit is contained in:
@@ -26,6 +26,7 @@ import (
|
||||
"github.com/superseriousbusiness/gotosocial/internal/config"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/db"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/oauth"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/oidc"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/router"
|
||||
)
|
||||
|
||||
@@ -36,40 +37,37 @@ const (
|
||||
OauthTokenPath = "/oauth/token"
|
||||
// OauthAuthorizePath is the API path for authorization requests (eg., authorize this app to act on my behalf as a user)
|
||||
OauthAuthorizePath = "/oauth/authorize"
|
||||
// CallbackPath is the API path for receiving callback tokens from external OIDC providers
|
||||
CallbackPath = oidc.CallbackPath
|
||||
|
||||
callbackStateParam = "state"
|
||||
callbackCodeParam = "code"
|
||||
|
||||
sessionUserID = "userid"
|
||||
sessionClientID = "client_id"
|
||||
sessionRedirectURI = "redirect_uri"
|
||||
sessionForceLogin = "force_login"
|
||||
sessionResponseType = "response_type"
|
||||
sessionCode = "code"
|
||||
sessionScope = "scope"
|
||||
sessionState = "state"
|
||||
)
|
||||
|
||||
var sessionKeys []string = []string{
|
||||
sessionUserID,
|
||||
sessionClientID,
|
||||
sessionRedirectURI,
|
||||
sessionForceLogin,
|
||||
sessionResponseType,
|
||||
sessionCode,
|
||||
sessionScope,
|
||||
}
|
||||
|
||||
// Module implements the ClientAPIModule interface for
|
||||
type Module struct {
|
||||
config *config.Config
|
||||
db db.DB
|
||||
server oauth.Server
|
||||
idp oidc.IDP
|
||||
log *logrus.Logger
|
||||
}
|
||||
|
||||
// New returns a new auth module
|
||||
func New(config *config.Config, db db.DB, server oauth.Server, log *logrus.Logger) api.ClientModule {
|
||||
func New(config *config.Config, db db.DB, server oauth.Server, idp oidc.IDP, log *logrus.Logger) api.ClientModule {
|
||||
return &Module{
|
||||
config: config,
|
||||
db: db,
|
||||
server: server,
|
||||
idp: idp,
|
||||
log: log,
|
||||
}
|
||||
}
|
||||
@@ -84,6 +82,8 @@ func (m *Module) Route(s router.Router) error {
|
||||
s.AttachHandler(http.MethodGet, OauthAuthorizePath, m.AuthorizeGETHandler)
|
||||
s.AttachHandler(http.MethodPost, OauthAuthorizePath, m.AuthorizePOSTHandler)
|
||||
|
||||
s.AttachHandler(http.MethodGet, CallbackPath, m.CallbackGETHandler)
|
||||
|
||||
s.AttachMiddleware(m.OauthTokenMiddleware)
|
||||
return nil
|
||||
}
|
||||
|
@@ -23,9 +23,11 @@ import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
|
||||
"github.com/gin-contrib/sessions"
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/google/uuid"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/api/model"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/db"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
|
||||
@@ -46,16 +48,19 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
|
||||
form := &model.OAuthAuthorize{}
|
||||
if err := c.Bind(form); err != nil {
|
||||
l.Debugf("invalid auth form: %s", err)
|
||||
return
|
||||
}
|
||||
l.Tracef("parsed auth form: %+v", form)
|
||||
|
||||
if err := extractAuthForm(s, form); err != nil {
|
||||
l.Debugf(fmt.Sprintf("error parsing form at /oauth/authorize: %s", err))
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
c.Redirect(http.StatusFound, AuthSignInPath)
|
||||
l.Debugf("parsed auth form: %+v", form)
|
||||
|
||||
if err := extractAuthForm(s, form); err != nil {
|
||||
l.Debugf(fmt.Sprintf("error parsing form at /oauth/authorize: %s", err))
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
c.Redirect(http.StatusSeeOther, AuthSignInPath)
|
||||
return
|
||||
}
|
||||
|
||||
@@ -69,6 +74,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
|
||||
ClientID: clientID,
|
||||
}
|
||||
if err := m.db.GetWhere([]db.Where{{Key: sessionClientID, Value: app.ClientID}}, app); err != nil {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)})
|
||||
return
|
||||
}
|
||||
@@ -78,6 +84,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
|
||||
ID: userID,
|
||||
}
|
||||
if err := m.db.GetByID(user.ID, user); err != nil {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
@@ -87,6 +94,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
|
||||
}
|
||||
|
||||
if err := m.db.GetByID(acct.ID, acct); err != nil {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
@@ -94,11 +102,13 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
|
||||
// Finally we should also get the redirect and scope of this particular request, as stored in the session.
|
||||
redirect, ok := s.Get(sessionRedirectURI).(string)
|
||||
if !ok || redirect == "" {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": "no redirect_uri found in session"})
|
||||
return
|
||||
}
|
||||
scope, ok := s.Get(sessionScope).(string)
|
||||
if !ok || scope == "" {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": "no scope found in session"})
|
||||
return
|
||||
}
|
||||
@@ -128,48 +138,42 @@ func (m *Module) AuthorizePOSTHandler(c *gin.Context) {
|
||||
// recreate it on the request so that it can be used further by the oauth2 library.
|
||||
// So first fetch all the values from the session.
|
||||
|
||||
errs := []string{}
|
||||
|
||||
forceLogin, ok := s.Get(sessionForceLogin).(string)
|
||||
if !ok {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing force_login"})
|
||||
return
|
||||
forceLogin = "false"
|
||||
}
|
||||
|
||||
responseType, ok := s.Get(sessionResponseType).(string)
|
||||
if !ok || responseType == "" {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing response_type"})
|
||||
return
|
||||
errs = append(errs, "session missing response_type")
|
||||
}
|
||||
|
||||
clientID, ok := s.Get(sessionClientID).(string)
|
||||
if !ok || clientID == "" {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing client_id"})
|
||||
return
|
||||
errs = append(errs, "session missing client_id")
|
||||
}
|
||||
|
||||
redirectURI, ok := s.Get(sessionRedirectURI).(string)
|
||||
if !ok || redirectURI == "" {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing redirect_uri"})
|
||||
return
|
||||
errs = append(errs, "session missing redirect_uri")
|
||||
}
|
||||
|
||||
scope, ok := s.Get(sessionScope).(string)
|
||||
if !ok {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing scope"})
|
||||
return
|
||||
errs = append(errs, "session missing scope")
|
||||
}
|
||||
|
||||
userID, ok := s.Get(sessionUserID).(string)
|
||||
if !ok {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "session missing userid"})
|
||||
return
|
||||
errs = append(errs, "session missing userid")
|
||||
}
|
||||
|
||||
// we're done with the session so we can clear it now
|
||||
for _, key := range sessionKeys {
|
||||
s.Delete(key)
|
||||
}
|
||||
if err := s.Save(); err != nil {
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
|
||||
m.clearSession(s)
|
||||
|
||||
if len(errs) != 0 {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": strings.Join(errs, ": ")})
|
||||
return
|
||||
}
|
||||
|
||||
@@ -209,5 +213,6 @@ func extractAuthForm(s sessions.Session, form *model.OAuthAuthorize) error {
|
||||
s.Set(sessionClientID, form.ClientID)
|
||||
s.Set(sessionRedirectURI, form.RedirectURI)
|
||||
s.Set(sessionScope, form.Scope)
|
||||
s.Set(sessionState, uuid.NewString())
|
||||
return s.Save()
|
||||
}
|
||||
|
219
internal/api/client/auth/callback.go
Normal file
219
internal/api/client/auth/callback.go
Normal file
@@ -0,0 +1,219 @@
|
||||
/*
|
||||
GoToSocial
|
||||
Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org
|
||||
|
||||
This program is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU Affero General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU Affero General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Affero General Public License
|
||||
along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
package auth
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
"github.com/gin-contrib/sessions"
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/google/uuid"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/db"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/oidc"
|
||||
"github.com/superseriousbusiness/gotosocial/internal/util"
|
||||
)
|
||||
|
||||
// CallbackGETHandler parses a token from an external auth provider.
|
||||
func (m *Module) CallbackGETHandler(c *gin.Context) {
|
||||
s := sessions.Default(c)
|
||||
|
||||
// first make sure the state set in the cookie is the same as the state returned from the external provider
|
||||
state := c.Query(callbackStateParam)
|
||||
if state == "" {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusForbidden, gin.H{"error": "state query not found on callback"})
|
||||
return
|
||||
}
|
||||
|
||||
savedStateI := s.Get(sessionState)
|
||||
savedState, ok := savedStateI.(string)
|
||||
if !ok {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusForbidden, gin.H{"error": "state not found in session"})
|
||||
return
|
||||
}
|
||||
|
||||
if state != savedState {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusForbidden, gin.H{"error": "state mismatch"})
|
||||
return
|
||||
}
|
||||
|
||||
code := c.Query(callbackCodeParam)
|
||||
|
||||
claims, err := m.idp.HandleCallback(c.Request.Context(), code)
|
||||
if err != nil {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
|
||||
// We can use the client_id on the session to retrieve info about the app associated with the client_id
|
||||
clientID, ok := s.Get(sessionClientID).(string)
|
||||
if !ok || clientID == "" {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": "no client_id found in session during callback"})
|
||||
return
|
||||
}
|
||||
app := >smodel.Application{
|
||||
ClientID: clientID,
|
||||
}
|
||||
if err := m.db.GetWhere([]db.Where{{Key: sessionClientID, Value: app.ClientID}}, app); err != nil {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)})
|
||||
return
|
||||
}
|
||||
|
||||
user, err := m.parseUserFromClaims(claims, net.IP(c.ClientIP()), app.ID)
|
||||
if err != nil {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
|
||||
s.Set(sessionUserID, user.ID)
|
||||
if err := s.Save(); err != nil {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
|
||||
c.Redirect(http.StatusFound, OauthAuthorizePath)
|
||||
}
|
||||
|
||||
func (m *Module) parseUserFromClaims(claims *oidc.Claims, ip net.IP, appID string) (*gtsmodel.User, error) {
|
||||
if claims.Email == "" {
|
||||
return nil, errors.New("no email returned in claims")
|
||||
}
|
||||
|
||||
// see if we already have a user for this email address
|
||||
user := >smodel.User{}
|
||||
err := m.db.GetWhere([]db.Where{{Key: "email", Value: claims.Email}}, user)
|
||||
if err == nil {
|
||||
// we do! so we can just return it
|
||||
return user, nil
|
||||
}
|
||||
|
||||
if _, ok := err.(db.ErrNoEntries); !ok {
|
||||
// we have an actual error in the database
|
||||
return nil, fmt.Errorf("error checking database for email %s: %s", claims.Email, err)
|
||||
}
|
||||
|
||||
// maybe we have an unconfirmed user
|
||||
err = m.db.GetWhere([]db.Where{{Key: "unconfirmed_email", Value: claims.Email}}, user)
|
||||
if err == nil {
|
||||
// user is unconfirmed so return an error
|
||||
return nil, fmt.Errorf("user with email address %s is unconfirmed", claims.Email)
|
||||
}
|
||||
|
||||
if _, ok := err.(db.ErrNoEntries); !ok {
|
||||
// we have an actual error in the database
|
||||
return nil, fmt.Errorf("error checking database for email %s: %s", claims.Email, err)
|
||||
}
|
||||
|
||||
// we don't have a confirmed or unconfirmed user with the claimed email address
|
||||
// however, because we trust the OIDC provider, we should now create a user + account with the provided claims
|
||||
|
||||
// check if the email address is available for use; if it's not there's nothing we can so
|
||||
if err := m.db.IsEmailAvailable(claims.Email); err != nil {
|
||||
return nil, fmt.Errorf("email %s not available: %s", claims.Email, err)
|
||||
}
|
||||
|
||||
// now we need a username
|
||||
var username string
|
||||
|
||||
// make sure claims.Name is defined since we'll be using that for the username
|
||||
if claims.Name == "" {
|
||||
return nil, errors.New("no name returned in claims")
|
||||
}
|
||||
|
||||
// check if we can just use claims.Name as-is
|
||||
err = util.ValidateUsername(claims.Name)
|
||||
if err == nil {
|
||||
// the name we have on the claims is already a valid username
|
||||
username = claims.Name
|
||||
} else {
|
||||
// not a valid username so we have to fiddle with it to try to make it valid
|
||||
// first trim leading and trailing whitespace
|
||||
trimmed := strings.TrimSpace(claims.Name)
|
||||
// underscore any spaces in the middle of the name
|
||||
underscored := strings.ReplaceAll(trimmed, " ", "_")
|
||||
// lowercase the whole thing
|
||||
lower := strings.ToLower(underscored)
|
||||
// see if this is valid....
|
||||
if err := util.ValidateUsername(lower); err == nil {
|
||||
// we managed to get a valid username
|
||||
username = lower
|
||||
} else {
|
||||
return nil, fmt.Errorf("couldn't parse a valid username from claims.Name value of %s", claims.Name)
|
||||
}
|
||||
}
|
||||
|
||||
var iString string
|
||||
var found bool
|
||||
// if the username isn't available we need to iterate on it until we find one that is
|
||||
// we should try to do this in a predictable way so we just keep iterating i by one and trying
|
||||
// the username with that number on the end
|
||||
//
|
||||
// note that for the first iteration, iString is still "" when the check is made, so our first choice
|
||||
// is still the raw username with no integer stuck on the end
|
||||
for i := 1; !found; i = i + 1 {
|
||||
if err := m.db.IsUsernameAvailable(username + iString); err != nil {
|
||||
if strings.Contains(err.Error(), "db error") {
|
||||
// if there's an actual db error we should return
|
||||
return nil, fmt.Errorf("error checking username availability: %s", err)
|
||||
}
|
||||
} else {
|
||||
// no error so we've found a username that works
|
||||
found = true
|
||||
username = username + iString
|
||||
continue
|
||||
}
|
||||
iString = strconv.Itoa(i)
|
||||
}
|
||||
|
||||
// check if the user is in any recognised admin groups
|
||||
var admin bool
|
||||
for _, g := range claims.Groups {
|
||||
if strings.EqualFold(g, "admin") || strings.EqualFold(g, "admins") {
|
||||
admin = true
|
||||
}
|
||||
}
|
||||
|
||||
// we still need to set *a* password even if it's not a password the user will end up using, so set something random
|
||||
// in this case, we'll just set two uuids on top of each other, which should be long + random enough to baffle any attempts to crack.
|
||||
//
|
||||
// if the user ever wants to log in using gts password rather than oidc flow, they'll have to request a password reset, which is fine
|
||||
password := uuid.NewString() + uuid.NewString()
|
||||
|
||||
// create the user! this will also create an account and store it in the database so we don't need to do that here
|
||||
user, err = m.db.NewSignup(username, "", m.config.AccountsConfig.RequireApproval, claims.Email, password, ip, "", appID, claims.EmailVerified, admin)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error creating user: %s", err)
|
||||
}
|
||||
|
||||
return user, nil
|
||||
|
||||
}
|
@@ -39,7 +39,24 @@ type login struct {
|
||||
// The idea is to present a sign in page to the user, where they can enter their username and password.
|
||||
// The form will then POST to the sign in page, which will be handled by SignInPOSTHandler
|
||||
func (m *Module) SignInGETHandler(c *gin.Context) {
|
||||
m.log.WithField("func", "SignInGETHandler").Trace("serving sign in html")
|
||||
l := m.log.WithField("func", "SignInGETHandler")
|
||||
l.Trace("entering sign in handler")
|
||||
if m.idp != nil {
|
||||
s := sessions.Default(c)
|
||||
|
||||
stateI := s.Get(sessionState)
|
||||
state, ok := stateI.(string)
|
||||
if !ok {
|
||||
m.clearSession(s)
|
||||
c.JSON(http.StatusForbidden, gin.H{"error": "state not found in session"})
|
||||
return
|
||||
}
|
||||
|
||||
redirect := m.idp.AuthCodeURL(state)
|
||||
l.Debugf("redirecting to external idp at %s", redirect)
|
||||
c.Redirect(http.StatusSeeOther, redirect)
|
||||
return
|
||||
}
|
||||
c.HTML(http.StatusOK, "sign-in.tmpl", gin.H{})
|
||||
}
|
||||
|
||||
@@ -52,6 +69,7 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) {
|
||||
form := &login{}
|
||||
if err := c.ShouldBind(form); err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||
m.clearSession(s)
|
||||
return
|
||||
}
|
||||
l.Tracef("parsed form: %+v", form)
|
||||
@@ -59,12 +77,14 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) {
|
||||
userid, err := m.ValidatePassword(form.Email, form.Password)
|
||||
if err != nil {
|
||||
c.String(http.StatusForbidden, err.Error())
|
||||
m.clearSession(s)
|
||||
return
|
||||
}
|
||||
|
||||
s.Set(sessionUserID, userid)
|
||||
if err := s.Save(); err != nil {
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
|
||||
m.clearSession(s)
|
||||
return
|
||||
}
|
||||
|
||||
|
17
internal/api/client/auth/util.go
Normal file
17
internal/api/client/auth/util.go
Normal file
@@ -0,0 +1,17 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"github.com/gin-contrib/sessions"
|
||||
)
|
||||
|
||||
func (m *Module) clearSession(s sessions.Session) {
|
||||
s.Clear()
|
||||
|
||||
// newOptions := router.SessionOptions(m.config)
|
||||
// newOptions.MaxAge = -1 // instruct browser to delete cookie immediately
|
||||
// s.Options(newOptions)
|
||||
|
||||
if err := s.Save(); err != nil {
|
||||
panic(err)
|
||||
}
|
||||
}
|
Reference in New Issue
Block a user