Oidc (#109)

* add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments
2025-06-05 21:59:39 +02:00 · 2021-07-23 10:36:28 +02:00
parent 113186ce4e
commit 05e9af089c
61 changed files with 2597 additions and 757 deletions
--- a/internal/api/client/auth/authorize.go
+++ b/internal/api/client/auth/authorize.go
@ -23,9 +23,11 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"

 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 	"github.com/superseriousbusiness/gotosocial/internal/api/model"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
@ -46,16 +48,19 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 		form := &model.OAuthAuthorize{}
 		if err := c.Bind(form); err != nil {
 			l.Debugf("invalid auth form: %s", err)
-			return
-		}
-		l.Tracef("parsed auth form: %+v", form)
-
-		if err := extractAuthForm(s, form); err != nil {
-			l.Debugf(fmt.Sprintf("error parsing form at /oauth/authorize: %s", err))
+			m.clearSession(s)
 			c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 			return
 		}
-		c.Redirect(http.StatusFound, AuthSignInPath)
+		l.Debugf("parsed auth form: %+v", form)
+
+		if err := extractAuthForm(s, form); err != nil {
+			l.Debugf(fmt.Sprintf("error parsing form at /oauth/authorize: %s", err))
+			m.clearSession(s)
+			c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+			return
+		}
+		c.Redirect(http.StatusSeeOther, AuthSignInPath)
 		return
 	}

@ -69,6 +74,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 		ClientID: clientID,
 	}
 	if err := m.db.GetWhere([]db.Where{{Key: sessionClientID, Value: app.ClientID}}, app); err != nil {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)})
 		return
 	}
@ -78,6 +84,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 		ID: userID,
 	}
 	if err := m.db.GetByID(user.ID, user); err != nil {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return
 	}
@ -87,6 +94,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 	}

 	if err := m.db.GetByID(acct.ID, acct); err != nil {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 		return
 	}
@ -94,11 +102,13 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
 	// Finally we should also get the redirect and scope of this particular request, as stored in the session.
 	redirect, ok := s.Get(sessionRedirectURI).(string)
 	if !ok || redirect == "" {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "no redirect_uri found in session"})
 		return
 	}
 	scope, ok := s.Get(sessionScope).(string)
 	if !ok || scope == "" {
+		m.clearSession(s)
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "no scope found in session"})
 		return
 	}
@ -128,48 +138,42 @@ func (m *Module) AuthorizePOSTHandler(c *gin.Context) {
 	// recreate it on the request so that it can be used further by the oauth2 library.
 	// So first fetch all the values from the session.

+	errs := []string{}
+
 	forceLogin, ok := s.Get(sessionForceLogin).(string)
 	if !ok {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing force_login"})
-		return
+		forceLogin = "false"
 	}

 	responseType, ok := s.Get(sessionResponseType).(string)
 	if !ok || responseType == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing response_type"})
-		return
+		errs = append(errs, "session missing response_type")
 	}

 	clientID, ok := s.Get(sessionClientID).(string)
 	if !ok || clientID == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing client_id"})
-		return
+		errs = append(errs, "session missing client_id")
 	}

 	redirectURI, ok := s.Get(sessionRedirectURI).(string)
 	if !ok || redirectURI == "" {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing redirect_uri"})
-		return
+		errs = append(errs, "session missing redirect_uri")
 	}

 	scope, ok := s.Get(sessionScope).(string)
 	if !ok {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing scope"})
-		return
+		errs = append(errs, "session missing scope")
 	}

 	userID, ok := s.Get(sessionUserID).(string)
 	if !ok {
-		c.JSON(http.StatusBadRequest, gin.H{"error": "session missing userid"})
-		return
+		errs = append(errs, "session missing userid")
 	}

-	// we're done with the session so we can clear it now
-	for _, key := range sessionKeys {
-		s.Delete(key)
-	}
-	if err := s.Save(); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+	m.clearSession(s)
+
+	if len(errs) != 0 {
+		c.JSON(http.StatusBadRequest, gin.H{"error": strings.Join(errs, ": ")})
 		return
 	}

@ -209,5 +213,6 @@ func extractAuthForm(s sessions.Session, form *model.OAuthAuthorize) error {
 	s.Set(sessionClientID, form.ClientID)
 	s.Set(sessionRedirectURI, form.RedirectURI)
 	s.Set(sessionScope, form.Scope)
+	s.Set(sessionState, uuid.NewString())
 	return s.Save()
 }