[feature] More consistent API error handling (#637)

* update templates

* start reworking api error handling

* update template

* return AP status at web endpoint if negotiated

* start making api error handling much more consistent

* update account endpoints to new error handling

* use new api error handling in admin endpoints

* go fmt ./...

* use api error logic in app

* use generic error handling in auth

* don't export generic error handler

* don't defer clearing session

* user nicer error handling on oidc callback handler

* tidy up the sign in handler

* tidy up the token handler

* use nicer error handling in blocksget

* auth emojis endpoint

* fix up remaining api endpoints

* fix whoopsie during login flow

* regenerate swagger docs

* change http error logging to debug

1 files changed, 48 insertions, 58 deletions

diff --git a/internal/api/client/auth/signin.go b/internal/api/client/auth/signin.go
index bdf00c663..b8f267f54 100644
--- a/internal/api/client/auth/signin.go
+++ b/internal/api/client/auth/signin.go
@@ -21,14 +21,14 @@ package auth
 import (
 	"context"
 	"errors"
+	"fmt"
 	"net/http"
 
-	"github.com/sirupsen/logrus"
-
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
 	"github.com/superseriousbusiness/gotosocial/internal/api"
 	"github.com/superseriousbusiness/gotosocial/internal/db"
+	"github.com/superseriousbusiness/gotosocial/internal/gtserror"
 	"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
 	"golang.org/x/crypto/bcrypt"
 )
@@ -41,64 +41,62 @@ type login struct {
 
 // SignInGETHandler should be served at https://example.org/auth/sign_in.
 // The idea is to present a sign in page to the user, where they can enter their username and password.
-// The form will then POST to the sign in page, which will be handled by SignInPOSTHandler
+// The form will then POST to the sign in page, which will be handled by SignInPOSTHandler.
+// If an idp provider is set, then the user will be redirected to that to do their sign in.
 func (m *Module) SignInGETHandler(c *gin.Context) {
-	l := logrus.WithField("func", "SignInGETHandler")
-	l.Trace("entering sign in handler")
-
 	if _, err := api.NegotiateAccept(c, api.HTMLAcceptHeaders...); err != nil {
-		c.JSON(http.StatusNotAcceptable, gin.H{"error": err.Error()})
+		api.ErrorHandler(c, gtserror.NewErrorNotAcceptable(err, err.Error()), m.processor.InstanceGet)
 		return
 	}
 
-	if m.idp != nil {
-		s := sessions.Default(c)
+	if m.idp == nil {
+		// no idp provider, use our own funky little sign in page
+		c.HTML(http.StatusOK, "sign-in.tmpl", gin.H{})
+		return
+	}
 
-		stateI := s.Get(sessionState)
-		state, ok := stateI.(string)
-		if !ok {
-			m.clearSession(s)
-			c.JSON(http.StatusForbidden, gin.H{"error": "state not found in session"})
-			return
-		}
+	// idp provider is in use, so redirect to it
+	s := sessions.Default(c)
 
-		redirect := m.idp.AuthCodeURL(state)
-		l.Debugf("redirecting to external idp at %s", redirect)
-		c.Redirect(http.StatusSeeOther, redirect)
+	stateI := s.Get(sessionState)
+	state, ok := stateI.(string)
+	if !ok {
+		m.clearSession(s)
+		err := fmt.Errorf("key %s was not found in session", sessionState)
+		api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, err.Error()), m.processor.InstanceGet)
 		return
 	}
-	c.HTML(http.StatusOK, "sign-in.tmpl", gin.H{})
+
+	c.Redirect(http.StatusSeeOther, m.idp.AuthCodeURL(state))
 }
 
 // SignInPOSTHandler should be served at https://example.org/auth/sign_in.
 // The idea is to present a sign in page to the user, where they can enter their username and password.
 // The handler will then redirect to the auth handler served at /auth
 func (m *Module) SignInPOSTHandler(c *gin.Context) {
-	l := logrus.WithField("func", "SignInPOSTHandler")
 	s := sessions.Default(c)
+
 	form := &login{}
 	if err := c.ShouldBind(form); err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		m.clearSession(s)
+		api.ErrorHandler(c, gtserror.NewErrorBadRequest(err, helpfulAdvice), m.processor.InstanceGet)
 		return
 	}
-	l.Tracef("parsed form: %+v", form)
 
-	userid, err := m.ValidatePassword(c.Request.Context(), form.Email, form.Password)
-	if err != nil {
-		c.String(http.StatusForbidden, err.Error())
-		m.clearSession(s)
+	userid, errWithCode := m.ValidatePassword(c.Request.Context(), form.Email, form.Password)
+	if errWithCode != nil {
+		// don't clear session here, so the user can just press back and try again
+		// if they accidentally gave the wrong password or something
+		api.ErrorHandler(c, errWithCode, m.processor.InstanceGet)
 		return
 	}
 
 	s.Set(sessionUserID, userid)
 	if err := s.Save(); err != nil {
-		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
-		m.clearSession(s)
-		return
+		err := fmt.Errorf("error saving user id onto session: %s", err)
+		api.ErrorHandler(c, gtserror.NewErrorInternalError(err, helpfulAdvice), m.processor.InstanceGet)
 	}
 
-	l.Trace("redirecting to auth page")
 	c.Redirect(http.StatusFound, OauthAuthorizePath)
 }
 
@@ -106,42 +104,34 @@ func (m *Module) SignInPOSTHandler(c *gin.Context) {
 // The goal is to authenticate the password against the one for that email
 // address stored in the database. If OK, we return the userid (a ulid) for that user,
 // so that it can be used in further Oauth flows to generate a token/retreieve an oauth client from the db.
-func (m *Module) ValidatePassword(ctx context.Context, email string, password string) (userid string, err error) {
-	l := logrus.WithField("func", "ValidatePassword")
-
-	// make sure an email/password was provided and bail if not
+func (m *Module) ValidatePassword(ctx context.Context, email string, password string) (string, gtserror.WithCode) {
 	if email == "" || password == "" {
-		l.Debug("email or password was not provided")
-		return incorrectPassword()
+		err := errors.New("email or password was not provided")
+		return incorrectPassword(err)
 	}
 
-	// first we select the user from the database based on email address, bail if no user found for that email
-	gtsUser := &gtsmodel.User{}
-
-	if err := m.db.GetWhere(ctx, []db.Where{{Key: "email", Value: email}}, gtsUser); err != nil {
-		l.Debugf("user %s was not retrievable from db during oauth authorization attempt: %s", email, err)
-		return incorrectPassword()
+	user := &gtsmodel.User{}
+	if err := m.db.GetWhere(ctx, []db.Where{{Key: "email", Value: email}}, user); err != nil {
+		err := fmt.Errorf("user %s was not retrievable from db during oauth authorization attempt: %s", email, err)
+		return incorrectPassword(err)
 	}
 
-	// make sure a password is actually set and bail if not
-	if gtsUser.EncryptedPassword == "" {
-		l.Warnf("encrypted password for user %s was empty for some reason", gtsUser.Email)
-		return incorrectPassword()
+	if user.EncryptedPassword == "" {
+		err := fmt.Errorf("encrypted password for user %s was empty for some reason", user.Email)
+		return incorrectPassword(err)
 	}
 
-	// compare the provided password with the encrypted one from the db, bail if they don't match
-	if err := bcrypt.CompareHashAndPassword([]byte(gtsUser.EncryptedPassword), []byte(password)); err != nil {
-		l.Debugf("password hash didn't match for user %s during login attempt: %s", gtsUser.Email, err)
-		return incorrectPassword()
+	if err := bcrypt.CompareHashAndPassword([]byte(user.EncryptedPassword), []byte(password)); err != nil {
+		err := fmt.Errorf("password hash didn't match for user %s during login attempt: %s", user.Email, err)
+		return incorrectPassword(err)
 	}
 
-	// If we've made it this far the email/password is correct, so we can just return the id of the user.
-	userid = gtsUser.ID
-	l.Tracef("returning (%s, %s)", userid, err)
-	return
+	return user.ID, nil
 }
 
-// incorrectPassword is just a little helper function to use in the ValidatePassword function
-func incorrectPassword() (string, error) {
-	return "", errors.New("password/email combination was incorrect")
+// incorrectPassword wraps the given error in a gtserror.WithCode, and returns
+// only a generic 'safe' error message to the user, to not give any info away.
+func incorrectPassword(err error) (string, gtserror.WithCode) {
+	safeErr := fmt.Errorf("password/email combination was incorrect")
+	return "", gtserror.NewErrorUnauthorized(err, safeErr.Error(), helpfulAdvice)
 }