mirror of
https://github.com/superseriousbusiness/gotosocial
synced 2025-06-05 21:59:39 +02:00
Some more messing around with oauth2
This commit is contained in:
tsmethurst
@ -19,7 +19,14 @@
|
||||
package oauth
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"time"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/go-pg/pg/v10"
|
||||
"github.com/go-session/session"
|
||||
"github.com/gotosocial/gotosocial/internal/api"
|
||||
"github.com/gotosocial/gotosocial/internal/gtsmodel"
|
||||
"github.com/gotosocial/oauth2/v4"
|
||||
@ -30,6 +37,8 @@ import (
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
)
|
||||
|
||||
const methodAny = "ANY"
|
||||
|
||||
type API struct {
|
||||
manager *manage.Manager
|
||||
server *server.Server
|
||||
@ -52,15 +61,24 @@ func New(ts oauth2.TokenStore, cs oauth2.ClientStore, conn *pg.DB, log *logrus.L
|
||||
log.Errorf("internal response error: %s", re.Error)
|
||||
})
|
||||
|
||||
return &API{
|
||||
api := &API{
|
||||
manager: manager,
|
||||
server: srv,
|
||||
conn: conn,
|
||||
log: log,
|
||||
}
|
||||
|
||||
api.server.SetPasswordAuthorizationHandler(api.PasswordAuthorizationHandler)
|
||||
api.server.SetUserAuthorizationHandler(api.UserAuthorizationHandler)
|
||||
api.server.SetClientInfoHandler(server.ClientFormHandler)
|
||||
return api
|
||||
}
|
||||
|
||||
func (a *API) AddRoutes(s api.Server) error {
|
||||
s.AttachHandler(methodAny, "/auth/sign_in", gin.WrapF(a.SignInHandler))
|
||||
s.AttachHandler(methodAny, "/oauth/token", gin.WrapF(a.TokenHandler))
|
||||
s.AttachHandler(methodAny, "/oauth/authorize", gin.WrapF(a.AuthorizeHandler))
|
||||
s.AttachHandler(methodAny, "/auth", gin.WrapF(a.AuthHandler))
|
||||
return nil
|
||||
}
|
||||
|
||||
@ -68,7 +86,101 @@ func incorrectPassword() (string, error) {
|
||||
return "", errors.New("password/email combination was incorrect")
|
||||
}
|
||||
|
||||
/*
|
||||
MAIN HANDLERS -- serve these through a server/router
|
||||
*/
|
||||
|
||||
// SignInHandler should be served at https://example.org/auth/sign_in.
|
||||
// The idea is to present a sign in page to the user, where they can enter their username and password.
|
||||
// The handler will then redirect to the auth handler served at /auth
|
||||
func (a *API) SignInHandler(w http.ResponseWriter, r *http.Request) {
|
||||
store, err := session.Start(r.Context(), w, r)
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
if r.Method == "POST" {
|
||||
if r.Form == nil {
|
||||
if err := r.ParseForm(); err != nil {
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
}
|
||||
store.Set("username", r.Form.Get("username"))
|
||||
store.Save()
|
||||
|
||||
w.Header().Set("Location", "/auth")
|
||||
w.WriteHeader(http.StatusFound)
|
||||
return
|
||||
}
|
||||
http.ServeContent(w, r, "sign_in.html", time.Unix(0, 0), bytes.NewReader([]byte(signInHTML)))
|
||||
}
|
||||
|
||||
// TokenHandler should be served at https://example.org/oauth/token
|
||||
// The idea here is to serve an oauth access token to a user, which can be used for authorizing against non-public APIs.
|
||||
// See https://docs.joinmastodon.org/methods/apps/oauth/#obtain-a-token
|
||||
func (a *API) TokenHandler(w http.ResponseWriter, r *http.Request) {
|
||||
if err := a.server.HandleTokenRequest(w, r); err != nil {
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
}
|
||||
}
|
||||
|
||||
// AuthorizeHandler should be served at https://example.org/oauth/authorize
|
||||
// The idea here is to present an oauth authorize page to the user, with a button
|
||||
// that they have to click to accept. See here: https://docs.joinmastodon.org/methods/apps/oauth/#authorize-a-user
|
||||
func (a *API) AuthorizeHandler(w http.ResponseWriter, r *http.Request) {
|
||||
store, err := session.Start(nil, w, r)
|
||||
if err != nil {
|
||||
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
if _, ok := store.Get("username"); !ok {
|
||||
w.Header().Set("Location", "/auth/sign_in")
|
||||
w.WriteHeader(http.StatusFound)
|
||||
return
|
||||
}
|
||||
|
||||
http.ServeContent(w, r, "authorize.html", time.Unix(0, 0), bytes.NewReader([]byte(authorizeHTML)))
|
||||
}
|
||||
|
||||
// AuthHandler should be served at https://example.org/auth
|
||||
func (a *API) AuthHandler(w http.ResponseWriter, r *http.Request) {
|
||||
store, err := session.Start(r.Context(), w, r)
|
||||
if err != nil {
|
||||
a.log.Errorf("error creating session in authhandler: %s", err)
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
var form url.Values
|
||||
if v, ok := store.Get("ReturnUri"); ok {
|
||||
form = v.(url.Values)
|
||||
}
|
||||
r.Form = form
|
||||
|
||||
store.Delete("ReturnUri")
|
||||
store.Save()
|
||||
|
||||
if err := a.server.HandleAuthorizeRequest(w, r); err != nil {
|
||||
a.log.Errorf("error in authhandler during handleauthorizerequest: %s", err)
|
||||
http.Error(w, err.Error(), http.StatusBadRequest)
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
SUB-HANDLERS -- don't serve these directly
|
||||
*/
|
||||
|
||||
// PasswordAuthorizationHandler takes a username (in this case, we use an email address)
|
||||
// and a password. The goal is to authenticate the password against the one for that email
|
||||
// address stored in the database. If OK, we return the userid (a uuid) for that user,
|
||||
// so that it can be used in further Oauth flows to generate a token/retreieve an oauth client from the db.
|
||||
func (a *API) PasswordAuthorizationHandler(email string, password string) (userid string, err error) {
|
||||
a.log.Debugf("entering password authorization handler with email: %s and password: %s", email, password)
|
||||
|
||||
// first we select the user from the database based on email address, bail if no user found for that email
|
||||
gtsUser := >smodel.User{}
|
||||
if err := a.conn.Model(gtsUser).Where("email = ?", email).Select(); err != nil {
|
||||
@ -93,3 +205,35 @@ func (a *API) PasswordAuthorizationHandler(email string, password string) (useri
|
||||
userid = gtsUser.ID
|
||||
return
|
||||
}
|
||||
|
||||
// UserAuthorizationHandler gets the user's email address from the session key 'username'
|
||||
// or redirects to the /auth/sign_in page, if this key is not present.
|
||||
func (a *API) UserAuthorizationHandler(w http.ResponseWriter, r *http.Request) (string, error) {
|
||||
|
||||
a.log.Errorf("entering userauthorizationhandler")
|
||||
|
||||
sessionStore, err := session.Start(r.Context(), w, r)
|
||||
if err != nil {
|
||||
a.log.Errorf("error starting session: %s", err)
|
||||
return "", err
|
||||
}
|
||||
|
||||
v, ok := sessionStore.Get("username")
|
||||
if !ok {
|
||||
if err := r.ParseForm(); err != nil {
|
||||
a.log.Errorf("error parsing form: %s", err)
|
||||
return "", err
|
||||
}
|
||||
|
||||
sessionStore.Set("ReturnUri", r.Form)
|
||||
sessionStore.Save()
|
||||
|
||||
w.Header().Set("Location", "/auth/sign_in")
|
||||
w.WriteHeader(http.StatusFound)
|
||||
return v.(string), nil
|
||||
}
|
||||
|
||||
sessionStore.Delete("username")
|
||||
sessionStore.Save()
|
||||
return v.(string), nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user