diff options
| author | 2021-03-17 11:33:06 +0100 | |
|---|---|---|
| committer | 2021-03-17 11:33:06 +0100 | |
| commit | eb2ff2ab23a70298c65f19d52b76c794b2f4937c (patch) | |
| tree | c58a5039b91e11589b4a47a99803530b0cea3b07 /internal | |
| parent | add liberapay widgets (diff) | |
| download | gotosocial-eb2ff2ab23a70298c65f19d52b76c794b2f4937c.tar.xz | |
Some more messing around with oauth2
Diffstat (limited to 'internal')
| -rw-r--r-- | internal/api/server.go | 17 | ||||
| -rw-r--r-- | internal/oauth/html.go | 68 | ||||
| -rw-r--r-- | internal/oauth/oauth.go | 146 | ||||
| -rw-r--r-- | internal/oauth/oauth_test.go | 115 | 
4 files changed, 335 insertions, 11 deletions
| diff --git a/internal/api/server.go b/internal/api/server.go index 8af9e75fa..9073618f0 100644 --- a/internal/api/server.go +++ b/internal/api/server.go @@ -19,16 +19,13 @@  package api  import ( -	"net/http" -  	"github.com/gin-gonic/gin"  	"github.com/gotosocial/gotosocial/internal/config"  	"github.com/sirupsen/logrus"  )  type Server interface { -	AttachHTTPHandler(method string, path string, handler http.HandlerFunc) -	AttachGinHandler(method string, path string, handler gin.HandlerFunc) +	AttachHandler(method string, path string, handler gin.HandlerFunc)  	// AttachMiddleware(handler gin.HandlerFunc)  	GetAPIGroup() *gin.RouterGroup  	Start() @@ -60,12 +57,12 @@ func (s *server) Stop() {  	// todo: shut down gracefully  } -func (s *server) AttachHTTPHandler(method string, path string, handler http.HandlerFunc) { -	s.engine.Handle(method, path, gin.WrapH(handler)) -} - -func (s *server) AttachGinHandler(method string, path string, handler gin.HandlerFunc) { -	s.engine.Handle(method, path, handler) +func (s *server) AttachHandler(method string, path string, handler gin.HandlerFunc) { +	if method == "ANY" { +		s.engine.Any(path, handler) +	} else { +		s.engine.Handle(method, path, handler) +	}  }  func New(config *config.Config, logger *logrus.Logger) Server { diff --git a/internal/oauth/html.go b/internal/oauth/html.go new file mode 100644 index 000000000..06089aedd --- /dev/null +++ b/internal/oauth/html.go @@ -0,0 +1,68 @@ +package oauth + +const ( +	signInHTML = ` +<!DOCTYPE html> +<html lang="en"> +<head> +    <meta charset="UTF-8"> +    <title>Login</title> +    <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"> +    <script src="//code.jquery.com/jquery-2.2.4.min.js"></script> +    <script src="//maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script> +</head> + +<body> +    <div class="container"> +        <h1>Login</h1> +        <form action="/auth/sign_in" method="POST"> +            <div class="form-group"> +                <label for="email">Email</label> +                <input type="text" class="form-control" name="username" required placeholder="Please enter your email address"> +            </div> +            <div class="form-group"> +                <label for="password">Password</label> +                <input type="password" class="form-control" name="password" placeholder="Please enter your password"> +            </div> +            <button type="submit" class="btn btn-success">Login</button> +        </form> +    </div> +</body> + +</html>` + +	authorizeHTML = ` +<!DOCTYPE html> +<html lang="en"> +  <head> +    <meta charset="UTF-8" /> +    <title>Auth</title> +    <link +      rel="stylesheet" +      href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" +    /> +    <script src="//code.jquery.com/jquery-2.2.4.min.js"></script> +    <script src="//maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script> +  </head> + +  <body> +    <div class="container"> +      <div class="jumbotron"> +        <form action="/oauth/authorize" method="POST"> +          <h1>Authorize</h1> +          <p>The client would like to perform actions on your behalf.</p> +          <p> +            <button +              type="submit" +              class="btn btn-primary btn-lg" +              style="width:200px;" +            > +              Allow +            </button> +          </p> +        </form> +      </div> +    </div> +  </body> +</html>` +) diff --git a/internal/oauth/oauth.go b/internal/oauth/oauth.go index 050c23dab..d877022d9 100644 --- a/internal/oauth/oauth.go +++ b/internal/oauth/oauth.go @@ -19,7 +19,14 @@  package oauth  import ( +	"bytes" +	"net/http" +	"net/url" +	"time" + +	"github.com/gin-gonic/gin"  	"github.com/go-pg/pg/v10" +	"github.com/go-session/session"  	"github.com/gotosocial/gotosocial/internal/api"  	"github.com/gotosocial/gotosocial/internal/gtsmodel"  	"github.com/gotosocial/oauth2/v4" @@ -30,6 +37,8 @@ import (  	"golang.org/x/crypto/bcrypt"  ) +const methodAny = "ANY" +  type API struct {  	manager *manage.Manager  	server  *server.Server @@ -52,15 +61,24 @@ func New(ts oauth2.TokenStore, cs oauth2.ClientStore, conn *pg.DB, log *logrus.L  		log.Errorf("internal response error: %s", re.Error)  	}) -	return &API{ +	api := &API{  		manager: manager,  		server:  srv,  		conn:    conn,  		log:     log,  	} + +	api.server.SetPasswordAuthorizationHandler(api.PasswordAuthorizationHandler) +	api.server.SetUserAuthorizationHandler(api.UserAuthorizationHandler) +	api.server.SetClientInfoHandler(server.ClientFormHandler) +	return api  }  func (a *API) AddRoutes(s api.Server) error { +	s.AttachHandler(methodAny, "/auth/sign_in", gin.WrapF(a.SignInHandler)) +	s.AttachHandler(methodAny, "/oauth/token", gin.WrapF(a.TokenHandler)) +	s.AttachHandler(methodAny, "/oauth/authorize", gin.WrapF(a.AuthorizeHandler)) +	s.AttachHandler(methodAny, "/auth", gin.WrapF(a.AuthHandler))  	return nil  } @@ -68,7 +86,101 @@ func incorrectPassword() (string, error) {  	return "", errors.New("password/email combination was incorrect")  } +/* +	MAIN HANDLERS -- serve these through a server/router +*/ + +// SignInHandler should be served at https://example.org/auth/sign_in. +// The idea is to present a sign in page to the user, where they can enter their username and password. +// The handler will then redirect to the auth handler served at /auth +func (a *API) SignInHandler(w http.ResponseWriter, r *http.Request) { +	store, err := session.Start(r.Context(), w, r) +	if err != nil { +		http.Error(w, err.Error(), http.StatusInternalServerError) +		return +	} + +	if r.Method == "POST" { +		if r.Form == nil { +			if err := r.ParseForm(); err != nil { +				http.Error(w, err.Error(), http.StatusInternalServerError) +				return +			} +		} +		store.Set("username", r.Form.Get("username")) +		store.Save() + +		w.Header().Set("Location", "/auth") +		w.WriteHeader(http.StatusFound) +		return +	} +	http.ServeContent(w, r, "sign_in.html", time.Unix(0, 0), bytes.NewReader([]byte(signInHTML))) +} + +// TokenHandler should be served at https://example.org/oauth/token +// The idea here is to serve an oauth access token to a user, which can be used for authorizing against non-public APIs. +// See https://docs.joinmastodon.org/methods/apps/oauth/#obtain-a-token +func (a *API) TokenHandler(w http.ResponseWriter, r *http.Request) { +	if err := a.server.HandleTokenRequest(w, r); err != nil { +		http.Error(w, err.Error(), http.StatusInternalServerError) +	} +} + +// AuthorizeHandler should be served at https://example.org/oauth/authorize +// The idea here is to present an oauth authorize page to the user, with a button +// that they have to click to accept. See here: https://docs.joinmastodon.org/methods/apps/oauth/#authorize-a-user +func (a *API) AuthorizeHandler(w http.ResponseWriter, r *http.Request) { +	store, err := session.Start(nil, w, r) +	if err != nil { + +		http.Error(w, err.Error(), http.StatusInternalServerError) +		return +	} + +	if _, ok := store.Get("username"); !ok { +		w.Header().Set("Location", "/auth/sign_in") +		w.WriteHeader(http.StatusFound) +		return +	} + +	http.ServeContent(w, r, "authorize.html", time.Unix(0, 0), bytes.NewReader([]byte(authorizeHTML))) +} + +// AuthHandler should be served at https://example.org/auth +func (a *API) AuthHandler(w http.ResponseWriter, r *http.Request) { +	store, err := session.Start(r.Context(), w, r) +	if err != nil { +		a.log.Errorf("error creating session in authhandler: %s", err) +		http.Error(w, err.Error(), http.StatusInternalServerError) +		return +	} + +	var form url.Values +	if v, ok := store.Get("ReturnUri"); ok { +		form = v.(url.Values) +	} +	r.Form = form + +	store.Delete("ReturnUri") +	store.Save() + +	if err := a.server.HandleAuthorizeRequest(w, r); err != nil { +		a.log.Errorf("error in authhandler during handleauthorizerequest: %s", err) +		http.Error(w, err.Error(), http.StatusBadRequest) +	} +} + +/* +	SUB-HANDLERS -- don't serve these directly +*/ + +// PasswordAuthorizationHandler takes a username (in this case, we use an email address) +// and a password. The goal is to authenticate the password against the one for that email +// address stored in the database. If OK, we return the userid (a uuid) for that user, +// so that it can be used in further Oauth flows to generate a token/retreieve an oauth client from the db.  func (a *API) PasswordAuthorizationHandler(email string, password string) (userid string, err error) { +	a.log.Debugf("entering password authorization handler with email: %s and password: %s", email, password) +  	// first we select the user from the database based on email address, bail if no user found for that email  	gtsUser := >smodel.User{}  	if err := a.conn.Model(gtsUser).Where("email = ?", email).Select(); err != nil { @@ -93,3 +205,35 @@ func (a *API) PasswordAuthorizationHandler(email string, password string) (useri  	userid = gtsUser.ID  	return  } + +// UserAuthorizationHandler gets the user's email address from the session key 'username' +// or redirects to the /auth/sign_in page, if this key is not present. +func (a *API) UserAuthorizationHandler(w http.ResponseWriter, r *http.Request) (string, error) { + +	a.log.Errorf("entering userauthorizationhandler") + +	sessionStore, err := session.Start(r.Context(), w, r) +	if err != nil { +		a.log.Errorf("error starting session: %s", err) +		return "", err +	} + +	v, ok := sessionStore.Get("username") +	if !ok { +		if err := r.ParseForm(); err != nil { +			a.log.Errorf("error parsing form: %s", err) +			return "", err +		} + +		sessionStore.Set("ReturnUri", r.Form) +		sessionStore.Save() + +		w.Header().Set("Location", "/auth/sign_in") +		w.WriteHeader(http.StatusFound) +		return v.(string), nil +	} + +	sessionStore.Delete("username") +	sessionStore.Save() +	return v.(string), nil +} diff --git a/internal/oauth/oauth_test.go b/internal/oauth/oauth_test.go new file mode 100644 index 000000000..4d942c51d --- /dev/null +++ b/internal/oauth/oauth_test.go @@ -0,0 +1,115 @@ +package oauth + +import ( +	"context" +	"testing" +	"time" + +	"github.com/go-pg/pg/v10" +	"github.com/go-pg/pg/v10/orm" +	"github.com/gotosocial/gotosocial/internal/api" +	"github.com/gotosocial/gotosocial/internal/config" +	"github.com/gotosocial/gotosocial/internal/gtsmodel" +	"github.com/gotosocial/oauth2/v4" +	"github.com/sirupsen/logrus" +	"github.com/stretchr/testify/suite" +	"golang.org/x/crypto/bcrypt" +) + +type OauthTestSuite struct { +	suite.Suite +	tokenStore       oauth2.TokenStore +	clientStore      oauth2.ClientStore +	conn             *pg.DB +	testClientID     string +	testClientSecret string +	testClientDomain string +	testClientUserID string +	testUser         *gtsmodel.User +	config           *config.Config +} + +const () + +// SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout +func (suite *OauthTestSuite) SetupSuite() { +	suite.testClientID = "test-client-id" +	suite.testClientSecret = "test-client-secret" +	suite.testClientDomain = "https://example.org" +	suite.testClientUserID = "test-client-user-id" +	encryptedPassword, err := bcrypt.GenerateFromPassword([]byte("test-password"), bcrypt.DefaultCost) +	if err != nil { +		logrus.Panicf("error encrypting user pass: %s", err) +	} +	suite.testUser = >smodel.User{ +		EncryptedPassword: string(encryptedPassword), +		Email:             "user@example.org", +		CreatedAt:         time.Now(), +		UpdatedAt:         time.Now(), +		AccountID:         "whatever", +	} +} + +// SetupTest creates a postgres connection and creates the oauth_clients table before each test +func (suite *OauthTestSuite) SetupTest() { +	suite.conn = pg.Connect(&pg.Options{}) +	if err := suite.conn.Ping(context.Background()); err != nil { +		logrus.Panicf("db connection error: %s", err) +	} + +	models := []interface{}{ +		&oauthClient{}, +		&oauthToken{}, +		>smodel.User{}, +	} + +	for _, m := range models { +		if err := suite.conn.Model(m).CreateTable(&orm.CreateTableOptions{ +			IfNotExists: true, +		}); err != nil { +			logrus.Panicf("db connection error: %s", err) +		} +	} + +	suite.tokenStore = NewPGTokenStore(context.Background(), suite.conn, logrus.New()) +	suite.clientStore = NewPGClientStore(suite.conn) + +	if _, err := suite.conn.Model(suite.testUser).Insert(); err != nil { +		logrus.Panicf("could not insert test user into db: %s", err) +	} + +} + +// TearDownTest drops the oauth_clients table and closes the pg connection after each test +func (suite *OauthTestSuite) TearDownTest() { +	models := []interface{}{ +		&oauthClient{}, +		&oauthToken{}, +		>smodel.User{}, +	} +	for _, m := range models { +		if err := suite.conn.Model(m).DropTable(&orm.DropTableOptions{}); err != nil { +			logrus.Panicf("drop table error: %s", err) +		} +	} +	if err := suite.conn.Close(); err != nil { +		logrus.Panicf("error closing db connection: %s", err) +	} +	suite.conn = nil +} + +func (suite *OauthTestSuite) TestAPIInitialize() { +	log := logrus.New() +	log.SetLevel(logrus.DebugLevel) + +	r := api.New(suite.config, log) +	api := New(suite.tokenStore, suite.clientStore, suite.conn, log) +	api.AddRoutes(r) +	go r.Start() +	time.Sleep(30 * time.Second) +	// http://localhost:8080/oauth/authorize?client_id=whatever +} + +func TestOauthTestSuite(t *testing.T) { +	suite.Run(t, new(OauthTestSuite)) +} | 
