[chore] The Big Middleware and API Refactor (tm) (#1250)

* interim commit: start refactoring middlewares into package under router * another interim commit, this is becoming a big job * another fucking massive interim commit * refactor bookmarks to new style * ambassador, wiz zeze commits you are spoiling uz * she compiles, we're getting there * we're just normal men; we're just innocent men * apiutil * whoopsie * i'm glad noone reads commit msgs haha :blob_sweat: * use that weirdo go-bytesize library for maxMultipartMemory * fix media module paths
author: tobi <31960611+tsmethurst@users.noreply.github.com> 2023-01-02 13:10:50 +0100
committer: GitHub <noreply@github.com> 2023-01-02 12:10:50 +0000
commit: 941893a774c83802afdc4cc76e1d30c59b6c5585 (patch)
tree: 6e7296146dedfeac8e83655157270f41e190724b /internal/api/client/auth/authorize.go
parent: [chore]: Bump github.com/abema/go-mp4 from 0.8.0 to 0.9.0 (#1287) (diff)
download: gotosocial-941893a774c83802afdc4cc76e1d30c59b6c5585.tar.xz
1 files changed, 0 insertions, 335 deletions
diff --git a/internal/api/client/auth/authorize.go b/internal/api/client/auth/authorize.go
deleted file mode 100644
index f28d1dfc9..000000000
--- a/internal/api/client/auth/authorize.go
+++ /dev/null
@@ -1,335 +0,0 @@
-/*
-   GoToSocial
-   Copyright (C) 2021-2022 GoToSocial Authors admin@gotosocial.org
-
-   This program is free software: you can redistribute it and/or modify
-   it under the terms of the GNU Affero General Public License as published by
-   the Free Software Foundation, either version 3 of the License, or
-   (at your option) any later version.
-
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU Affero General Public License for more details.
-
-   You should have received a copy of the GNU Affero General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-package auth
-
-import (
-	"errors"
-	"fmt"
-	"net/http"
-	"net/url"
-
-	"github.com/gin-contrib/sessions"
-	"github.com/gin-gonic/gin"
-	"github.com/google/uuid"
-	"github.com/superseriousbusiness/gotosocial/internal/api"
-	"github.com/superseriousbusiness/gotosocial/internal/api/model"
-	"github.com/superseriousbusiness/gotosocial/internal/config"
-	"github.com/superseriousbusiness/gotosocial/internal/db"
-	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
-	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
-	"github.com/superseriousbusiness/gotosocial/internal/oauth"
-)
-
-// AuthorizeGETHandler should be served as GET at https://example.org/oauth/authorize
-// The idea here is to present an oauth authorize page to the user, with a button
-// that they have to click to accept.
-func (m *Module) AuthorizeGETHandler(c *gin.Context) {
-	s := sessions.Default(c)
-
-	if _, err := api.NegotiateAccept(c, api.HTMLAcceptHeaders...); err != nil {
-		api.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGet)
-		return
-	}
-
-	// UserID will be set in the session by AuthorizePOSTHandler if the caller has already gone through the authentication flow
-	// If it's not set, then we don't know yet who the user is, so we need to redirect them to the sign in page.
-	userID, ok := s.Get(sessionUserID).(string)
-	if !ok || userID == "" {
-		form := &model.OAuthAuthorize{}
-		if err := c.ShouldBind(form); err != nil {
-			m.clearSession(s)
-			api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, oauth.HelpfulAdvice), m.processor.InstanceGet)
-			return
-		}
-
-		if errWithCode := saveAuthFormToSession(s, form); errWithCode != nil {
-			m.clearSession(s)
-			api.ErrorHandler(c, errWithCode, m.processor.InstanceGet)
-			return
-		}
-
-		c.Redirect(http.StatusSeeOther, AuthSignInPath)
-		return
-	}
-
-	// use session information to validate app, user, and account for this request
-	clientID, ok := s.Get(sessionClientID).(string)
-	if !ok || clientID == "" {
-		m.clearSession(s)
-		err := fmt.Errorf("key %s was not found in session", sessionClientID)
-		api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, oauth.HelpfulAdvice), m.processor.InstanceGet)
-		return
-	}
-
-	app := &gtsmodel.Application{}
-	if err := m.db.GetWhere(c.Request.Context(), []db.Where{{Key: sessionClientID, Value: clientID}}, app); err != nil {
-		m.clearSession(s)
-		safe := fmt.Sprintf("application for %s %s could not be retrieved", sessionClientID, clientID)
-		var errWithCode gtserror.WithCode
-		if err == db.ErrNoEntries {
-			errWithCode = gtserror.NewErrorBadRequest(err, safe, oauth.HelpfulAdvice)
-		} else {
-			errWithCode = gtserror.NewErrorInternalError(err, safe, oauth.HelpfulAdvice)
-		}
-		api.ErrorHandler(c, errWithCode, m.processor.InstanceGet)
-		return
-	}
-
-	user, err := m.db.GetUserByID(c.Request.Context(), userID)
-	if err != nil {
-		m.clearSession(s)
-		safe := fmt.Sprintf("user with id %s could not be retrieved", userID)
-		var errWithCode gtserror.WithCode
-		if err == db.ErrNoEntries {
-			errWithCode = gtserror.NewErrorBadRequest(err, safe, oauth.HelpfulAdvice)
-		} else {
-			errWithCode = gtserror.NewErrorInternalError(err, safe, oauth.HelpfulAdvice)
-		}
-		api.ErrorHandler(c, errWithCode, m.processor.InstanceGet)
-		return
-	}
-
-	acct, err := m.db.GetAccountByID(c.Request.Context(), user.AccountID)
-	if err != nil {
-		m.clearSession(s)
-		safe := fmt.Sprintf("account with id %s could not be retrieved", user.AccountID)
-		var errWithCode gtserror.WithCode
-		if err == db.ErrNoEntries {
-			errWithCode = gtserror.NewErrorBadRequest(err, safe, oauth.HelpfulAdvice)
-		} else {
-			errWithCode = gtserror.NewErrorInternalError(err, safe, oauth.HelpfulAdvice)
-		}
-		api.ErrorHandler(c, errWithCode, m.processor.InstanceGet)
-		return
-	}
-
-	if ensureUserIsAuthorizedOrRedirect(c, user, acct) {
-		return
-	}
-
-	// Finally we should also get the redirect and scope of this particular request, as stored in the session.
-	redirect, ok := s.Get(sessionRedirectURI).(string)
-	if !ok || redirect == "" {
-		m.clearSession(s)
-		err := fmt.Errorf("key %s was not found in session", sessionRedirectURI)
-		api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, oauth.HelpfulAdvice), m.processor.InstanceGet)
-		return
-	}
-
-	scope, ok := s.Get(sessionScope).(string)
-	if !ok || scope == "" {
-		m.clearSession(s)
-		err := fmt.Errorf("key %s was not found in session", sessionScope)
-		api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, oauth.HelpfulAdvice), m.processor.InstanceGet)
-		return
-	}
-
-	instance, errWithCode := m.processor.InstanceGet(c.Request.Context(), config.GetHost())
-	if errWithCode != nil {
-		api.ErrorHandler(c, errWithCode, m.processor.InstanceGet)
-		return
-	}
-
-	// the authorize template will display a form to the user where they can get some information
-	// about the app that's trying to authorize, and the scope of the request.
-	// They can then approve it if it looks OK to them, which will POST to the AuthorizePOSTHandler
-	c.HTML(http.StatusOK, "authorize.tmpl", gin.H{
-		"appname":    app.Name,
-		"appwebsite": app.Website,
-		"redirect":   redirect,
-		"scope":      scope,
-		"user":       acct.Username,
-		"instance":   instance,
-	})
-}
-
-// AuthorizePOSTHandler should be served as POST at https://example.org/oauth/authorize
-// At this point we assume that the user has A) logged in and B) accepted that the app should act for them,
-// so we should proceed with the authentication flow and generate an oauth token for them if we can.
-func (m *Module) AuthorizePOSTHandler(c *gin.Context) {
-	s := sessions.Default(c)
-
-	// We need to retrieve the original form submitted to the authorizeGEThandler, and
-	// recreate it on the request so that it can be used further by the oauth2 library.
-	errs := []string{}
-
-	forceLogin, ok := s.Get(sessionForceLogin).(string)
-	if !ok {
-		forceLogin = "false"
-	}
-
-	responseType, ok := s.Get(sessionResponseType).(string)
-	if !ok || responseType == "" {
-		errs = append(errs, fmt.Sprintf("key %s was not found in session", sessionResponseType))
-	}
-
-	clientID, ok := s.Get(sessionClientID).(string)
-	if !ok || clientID == "" {
-		errs = append(errs, fmt.Sprintf("key %s was not found in session", sessionClientID))
-	}
-
-	redirectURI, ok := s.Get(sessionRedirectURI).(string)
-	if !ok || redirectURI == "" {
-		errs = append(errs, fmt.Sprintf("key %s was not found in session", sessionRedirectURI))
-	}
-
-	scope, ok := s.Get(sessionScope).(string)
-	if !ok {
-		errs = append(errs, fmt.Sprintf("key %s was not found in session", sessionScope))
-	}
-
-	var clientState string
-	if s, ok := s.Get(sessionClientState).(string); ok {
-		clientState = s
-	}
-
-	userID, ok := s.Get(sessionUserID).(string)
-	if !ok {
-		errs = append(errs, fmt.Sprintf("key %s was not found in session", sessionUserID))
-	}
-
-	if len(errs) != 0 {
-		errs = append(errs, oauth.HelpfulAdvice)
-		api.ErrorHandler(c, gtserror.NewErrorBadRequest(errors.New("one or more missing keys on session during AuthorizePOSTHandler"), errs...), m.processor.InstanceGet)
-		return
-	}
-
-	user, err := m.db.GetUserByID(c.Request.Context(), userID)
-	if err != nil {
-		m.clearSession(s)
-		safe := fmt.Sprintf("user with id %s could not be retrieved", userID)
-		var errWithCode gtserror.WithCode
-		if err == db.ErrNoEntries {
-			errWithCode = gtserror.NewErrorBadRequest(err, safe, oauth.HelpfulAdvice)
-		} else {
-			errWithCode = gtserror.NewErrorInternalError(err, safe, oauth.HelpfulAdvice)
-		}
-		api.ErrorHandler(c, errWithCode, m.processor.InstanceGet)
-		return
-	}
-
-	acct, err := m.db.GetAccountByID(c.Request.Context(), user.AccountID)
-	if err != nil {
-		m.clearSession(s)
-		safe := fmt.Sprintf("account with id %s could not be retrieved", user.AccountID)
-		var errWithCode gtserror.WithCode
-		if err == db.ErrNoEntries {
-			errWithCode = gtserror.NewErrorBadRequest(err, safe, oauth.HelpfulAdvice)
-		} else {
-			errWithCode = gtserror.NewErrorInternalError(err, safe, oauth.HelpfulAdvice)
-		}
-		api.ErrorHandler(c, errWithCode, m.processor.InstanceGet)
-		return
-	}
-
-	if ensureUserIsAuthorizedOrRedirect(c, user, acct) {
-		return
-	}
-
-	if redirectURI != oauth.OOBURI {
-		// we're done with the session now, so just clear it out
-		m.clearSession(s)
-	}
-
-	// we have to set the values on the request form
-	// so that they're picked up by the oauth server
-	c.Request.Form = url.Values{
-		sessionForceLogin:   {forceLogin},
-		sessionResponseType: {responseType},
-		sessionClientID:     {clientID},
-		sessionRedirectURI:  {redirectURI},
-		sessionScope:        {scope},
-		sessionUserID:       {userID},
-	}
-
-	if clientState != "" {
-		c.Request.Form.Set("state", clientState)
-	}
-
-	if errWithCode := m.processor.OAuthHandleAuthorizeRequest(c.Writer, c.Request); errWithCode != nil {
-		api.ErrorHandler(c, errWithCode, m.processor.InstanceGet)
-	}
-}
-
-// saveAuthFormToSession checks the given OAuthAuthorize form,
-// and stores the values in the form into the session.
-func saveAuthFormToSession(s sessions.Session, form *model.OAuthAuthorize) gtserror.WithCode {
-	if form == nil {
-		err := errors.New("OAuthAuthorize form was nil")
-		return gtserror.NewErrorBadRequest(err, err.Error(), oauth.HelpfulAdvice)
-	}
-
-	if form.ResponseType == "" {
-		err := errors.New("field response_type was not set on OAuthAuthorize form")
-		return gtserror.NewErrorBadRequest(err, err.Error(), oauth.HelpfulAdvice)
-	}
-
-	if form.ClientID == "" {
-		err := errors.New("field client_id was not set on OAuthAuthorize form")
-		return gtserror.NewErrorBadRequest(err, err.Error(), oauth.HelpfulAdvice)
-	}
-
-	if form.RedirectURI == "" {
-		err := errors.New("field redirect_uri was not set on OAuthAuthorize form")
-		return gtserror.NewErrorBadRequest(err, err.Error(), oauth.HelpfulAdvice)
-	}
-
-	// set default scope to read
-	if form.Scope == "" {
-		form.Scope = "read"
-	}
-
-	// save these values from the form so we can use them elsewhere in the session
-	s.Set(sessionForceLogin, form.ForceLogin)
-	s.Set(sessionResponseType, form.ResponseType)
-	s.Set(sessionClientID, form.ClientID)
-	s.Set(sessionRedirectURI, form.RedirectURI)
-	s.Set(sessionScope, form.Scope)
-	s.Set(sessionInternalState, uuid.NewString())
-	s.Set(sessionClientState, form.State)
-
-	if err := s.Save(); err != nil {
-		err := fmt.Errorf("error saving form values onto session: %s", err)
-		return gtserror.NewErrorInternalError(err, oauth.HelpfulAdvice)
-	}
-
-	return nil
-}
-
-func ensureUserIsAuthorizedOrRedirect(ctx *gin.Context, user *gtsmodel.User, account *gtsmodel.Account) (redirected bool) {
-	if user.ConfirmedAt.IsZero() {
-		ctx.Redirect(http.StatusSeeOther, CheckYourEmailPath)
-		redirected = true
-		return
-	}
-
-	if !*user.Approved {
-		ctx.Redirect(http.StatusSeeOther, WaitForApprovalPath)
-		redirected = true
-		return
-	}
-
-	if *user.Disabled || !account.SuspendedAt.IsZero() {
-		ctx.Redirect(http.StatusSeeOther, AccountDisabledPath)
-		redirected = true
-		return
-	}
-
-	return
-}
author	tobi <31960611+tsmethurst@users.noreply.github.com>	2023-01-02 13:10:50 +0100
committer	GitHub <noreply@github.com>	2023-01-02 12:10:50 +0000
commit	941893a774c83802afdc4cc76e1d30c59b6c5585 (patch)
tree	6e7296146dedfeac8e83655157270f41e190724b /internal/api/client/auth/authorize.go
parent	[chore]: Bump github.com/abema/go-mp4 from 0.8.0 to 0.9.0 (#1287) (diff)
download	gotosocial-941893a774c83802afdc4cc76e1d30c59b6c5585.tar.xz