diff options
Diffstat (limited to 'internal/api/auth/auth.go')
| -rw-r--r-- | internal/api/auth/auth.go | 79 |
1 files changed, 35 insertions, 44 deletions
diff --git a/internal/api/auth/auth.go b/internal/api/auth/auth.go index e0e8058d6..f9dcb87ea 100644 --- a/internal/api/auth/auth.go +++ b/internal/api/auth/auth.go @@ -20,11 +20,10 @@ package auth import ( "net/http" - "github.com/gin-contrib/sessions" "github.com/gin-gonic/gin" - "github.com/superseriousbusiness/gotosocial/internal/db" "github.com/superseriousbusiness/gotosocial/internal/oidc" "github.com/superseriousbusiness/gotosocial/internal/processing" + "github.com/superseriousbusiness/gotosocial/internal/state" ) const ( @@ -32,61 +31,58 @@ const ( paths prefixed with 'auth' */ - // AuthSignInPath is the API path for users to sign in through - AuthSignInPath = "/sign_in" - // AuthCheckYourEmailPath users land here after registering a new account, instructs them to confirm their email - AuthCheckYourEmailPath = "/check_your_email" - // AuthWaitForApprovalPath users land here after confirming their email - // but before an admin approves their account (if such is required) + AuthSignInPath = "/sign_in" + Auth2FAPath = "/2fa" + AuthCheckYourEmailPath = "/check_your_email" AuthWaitForApprovalPath = "/wait_for_approval" - // AuthAccountDisabledPath users land here when their account is suspended by an admin AuthAccountDisabledPath = "/account_disabled" - // AuthCallbackPath is the API path for receiving callback tokens from external OIDC providers - AuthCallbackPath = "/callback" + AuthCallbackPath = "/callback" /* paths prefixed with 'oauth' */ - // OauthTokenPath is the API path to use for granting token requests to users with valid credentials - OauthTokenPath = "/token" // #nosec G101 else we get a hardcoded credentials warning - // OauthAuthorizePath is the API path for authorization requests (eg., authorize this app to act on my behalf as a user) OauthAuthorizePath = "/authorize" - // OauthFinalizePath is the API path for completing user registration with additional user details - OauthFinalizePath = "/finalize" - // OauthOobTokenPath is the path for serving an html representation of an oob token page. - OauthOobTokenPath = "/oob" // #nosec G101 else we get a hardcoded credentials warning + OauthFinalizePath = "/finalize" + OauthOOBTokenPath = "/oob" // #nosec G101 else we get a hardcoded credentials warning + OauthTokenPath = "/token" // #nosec G101 else we get a hardcoded credentials warning /* params / session keys */ - callbackStateParam = "state" - callbackCodeParam = "code" - sessionUserID = "userid" - sessionClientID = "client_id" - sessionRedirectURI = "redirect_uri" - sessionForceLogin = "force_login" - sessionResponseType = "response_type" - sessionScope = "scope" - sessionInternalState = "internal_state" - sessionClientState = "client_state" - sessionClaims = "claims" - sessionAppID = "app_id" + callbackStateParam = "state" + callbackCodeParam = "code" + sessionUserID = "userid" + sessionUserIDAwaiting2FA = "userid_awaiting_2fa" + sessionClientID = "client_id" + sessionRedirectURI = "redirect_uri" + sessionForceLogin = "force_login" + sessionResponseType = "response_type" + sessionScope = "scope" + sessionInternalState = "internal_state" + sessionClientState = "client_state" + sessionClaims = "claims" + sessionAppID = "app_id" ) type Module struct { - db db.DB + state *state.State processor *processing.Processor idp oidc.IDP } -// New returns an Auth module which provides both 'oauth' and 'auth' endpoints. +// New returns an Auth module which provides +// both 'oauth' and 'auth' endpoints. // // It is safe to pass a nil idp if oidc is disabled. -func New(db db.DB, processor *processing.Processor, idp oidc.IDP) *Module { +func New( + state *state.State, + processor *processing.Processor, + idp oidc.IDP, +) *Module { return &Module{ - db: db, + state: state, processor: processor, idp: idp, } @@ -96,21 +92,16 @@ func New(db db.DB, processor *processing.Processor, idp oidc.IDP) *Module { func (m *Module) RouteAuth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) { attachHandler(http.MethodGet, AuthSignInPath, m.SignInGETHandler) attachHandler(http.MethodPost, AuthSignInPath, m.SignInPOSTHandler) + attachHandler(http.MethodGet, Auth2FAPath, m.TwoFactorCodeGETHandler) + attachHandler(http.MethodPost, Auth2FAPath, m.TwoFactorCodePOSTHandler) attachHandler(http.MethodGet, AuthCallbackPath, m.CallbackGETHandler) } -// RouteOauth routes all paths that should have an 'oauth' prefix -func (m *Module) RouteOauth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) { +// RouteOAuth routes all paths that should have an 'oauth' prefix +func (m *Module) RouteOAuth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) { attachHandler(http.MethodPost, OauthTokenPath, m.TokenPOSTHandler) attachHandler(http.MethodGet, OauthAuthorizePath, m.AuthorizeGETHandler) attachHandler(http.MethodPost, OauthAuthorizePath, m.AuthorizePOSTHandler) attachHandler(http.MethodPost, OauthFinalizePath, m.FinalizePOSTHandler) - attachHandler(http.MethodGet, OauthOobTokenPath, m.OobHandler) -} - -func (m *Module) clearSession(s sessions.Session) { - s.Clear() - if err := s.Save(); err != nil { - panic(err) - } + attachHandler(http.MethodGet, OauthOOBTokenPath, m.OOBTokenGETHandler) } |