// GoToSocial // Copyright (C) GoToSocial Authors admin@gotosocial.org // SPDX-License-Identifier: AGPL-3.0-or-later // // This program is free software: you can redistribute it and/or modify // it under the terms of the GNU Affero General Public License as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU Affero General Public License for more details. // // You should have received a copy of the GNU Affero General Public License // along with this program. If not, see . package auth import ( "net/http" "net/url" "github.com/gin-contrib/sessions" "github.com/gin-gonic/gin" "github.com/google/uuid" apimodel "github.com/superseriousbusiness/gotosocial/internal/api/model" apiutil "github.com/superseriousbusiness/gotosocial/internal/api/util" "github.com/superseriousbusiness/gotosocial/internal/gtserror" "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" "github.com/superseriousbusiness/gotosocial/internal/oauth" ) // AuthorizeGETHandler should be served as // GET at https://example.org/oauth/authorize. // // The idea here is to present an authorization // page to the user, informing them of the scopes // the application is requesting, with a button // that they have to click to give it permission. func (m *Module) AuthorizeGETHandler(c *gin.Context) { if _, err := apiutil.NegotiateAccept(c, apiutil.HTMLAcceptHeaders...); err != nil { apiutil.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGetV1) return } s := sessions.Default(c) // UserID will be set in the session by // AuthorizePOSTHandler if the caller has // already gone through the auth flow. // // If it's not set, then we don't yet know // yet who the user is, so send them to the // sign in page first. if userID, ok := s.Get(sessionUserID).(string); !ok || userID == "" { m.redirectAuthFormToSignIn(c) return } user := m.mustUserFromSession(c, s) if user == nil { // Error already // written. return } // If the user is unconfirmed, waiting approval, // or suspended, redirect to an appropriate help page. if !m.validateUser(c, user) { // Already // redirected. return } // Everything looks OK. // Start preparing to render the html template. instance, errWithCode := m.processor.InstanceGetV1(c.Request.Context()) if errWithCode != nil { apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) return } redirectURI := m.mustStringFromSession(c, s, sessionRedirectURI) if redirectURI == "" { // Error already // written. return } scope := m.mustStringFromSession(c, s, sessionScope) if scope == "" { // Error already // written. return } app := m.mustAppFromSession(c, s) if app == nil { // Error already // written. return } // The authorize template will display a form // to the user where they can see some info // about the app that's trying to authorize, // and the scope of the request. They can then // approve it if it looks OK to them, which // will POST to the AuthorizePOSTHandler. apiutil.TemplateWebPage(c, apiutil.WebPage{ Template: "authorize.tmpl", Instance: instance, Extra: map[string]any{ "appname": app.Name, "appwebsite": app.Website, "redirect": redirectURI, "scope": scope, "user": user.Account.Username, }, }) } // AuthorizePOSTHandler should be served as // POST at https://example.org/oauth/authorize. // // At this point we assume that the user has signed // in and permitted the app to act on their behalf. // We should proceed with the authentication flow // and generate an oauth code at the redirect URI. func (m *Module) AuthorizePOSTHandler(c *gin.Context) { // We need to use the session cookie to // recreate the original form submitted // to the authorizeGEThandler so that it // can be validated by the oauth2 library. s := sessions.Default(c) responseType := m.mustStringFromSession(c, s, sessionResponseType) if responseType == "" { // Error already // written. return } clientID := m.mustStringFromSession(c, s, sessionClientID) if clientID == "" { // Error already // written. return } redirectURI := m.mustStringFromSession(c, s, sessionRedirectURI) if redirectURI == "" { // Error already // written. return } scope := m.mustStringFromSession(c, s, sessionScope) if scope == "" { // Error already // written. return } user := m.mustUserFromSession(c, s) if user == nil { // Error already // written. return } // Force login is optional with default of "false". forceLogin, ok := s.Get(sessionForceLogin).(string) if !ok || forceLogin == "" { forceLogin = "false" } // Client state is optional with default of "". var clientState string if cs, ok := s.Get(sessionClientState).(string); ok { clientState = cs } // If the user is unconfirmed, waiting approval, // or suspended, redirect to an appropriate help page. if !m.validateUser(c, user) { // Already // redirected. return } // If we're redirecting to our OOB token handler, // we need to keep the session around so the OOB // handler can extract values from it. Otherwise, // we're going to be redirecting somewhere else // so we can safely clear the session now. if redirectURI != oauth.OOBURI { m.mustClearSession(s) } // Set values on the request form so that // they're picked up by the oauth server. c.Request.Form = url.Values{ sessionResponseType: {responseType}, sessionClientID: {clientID}, sessionRedirectURI: {redirectURI}, sessionScope: {scope}, sessionUserID: {user.ID}, sessionForceLogin: {forceLogin}, } if clientState != "" { // If client state was submitted, // set it on the form so it can be // fed back to the client via a query // param at the eventual redirect URL. c.Request.Form.Set("state", clientState) } // If OAuthHandleAuthorizeRequest is successful, // it'll handle any further redirects for us, // but we do still need to handle any errors. errWithCode := m.processor.OAuthHandleAuthorizeRequest(c.Writer, c.Request) if errWithCode != nil { apiutil.ErrorHandler(c, errWithCode, m.processor.InstanceGetV1) } } // redirectAuthFormToSignIn binds an OAuthAuthorize form, // stores the values in the form into the session, and // redirects the user to the sign in page. func (m *Module) redirectAuthFormToSignIn(c *gin.Context) { s := sessions.Default(c) form := &apimodel.OAuthAuthorize{} if err := c.ShouldBind(form); err != nil { m.clearSessionWithBadRequest(c, s, err, err.Error(), oauth.HelpfulAdvice) return } // Set default scope to read. if form.Scope == "" { form.Scope = "read" } // Save these values from the form so we // can use them elsewhere in the session. s.Set(sessionForceLogin, form.ForceLogin) s.Set(sessionResponseType, form.ResponseType) s.Set(sessionClientID, form.ClientID) s.Set(sessionRedirectURI, form.RedirectURI) s.Set(sessionScope, form.Scope) s.Set(sessionInternalState, uuid.NewString()) s.Set(sessionClientState, form.State) m.mustSaveSession(s) c.Redirect(http.StatusSeeOther, "/auth"+AuthSignInPath) } // validateUser checks if the given user: // // 1. Has a confirmed email address. // 2. Has been approved. // 3. Is not disabled or suspended. // // If all looks OK, returns true. Otherwise, // redirects to a help page and returns false. func (m *Module) validateUser( c *gin.Context, user *gtsmodel.User, ) bool { switch { case user.ConfirmedAt.IsZero(): // User email not confirmed yet. const redirectTo = "/auth" + AuthCheckYourEmailPath c.Redirect(http.StatusSeeOther, redirectTo) return false case !*user.Approved: // User signup not approved yet. const redirectTo = "/auth" + AuthWaitForApprovalPath c.Redirect(http.StatusSeeOther, redirectTo) return false case *user.Disabled || !user.Account.SuspendedAt.IsZero(): // User disabled or suspended. const redirectTo = "/auth" + AuthAccountDisabledPath c.Redirect(http.StatusSeeOther, redirectTo) return false default: // All good. return true } }