diff options
Diffstat (limited to 'internal/oauth/oauth.go')
| -rw-r--r-- | internal/oauth/oauth.go | 44 |
1 files changed, 43 insertions, 1 deletions
diff --git a/internal/oauth/oauth.go b/internal/oauth/oauth.go index d79db95ed..050c23dab 100644 --- a/internal/oauth/oauth.go +++ b/internal/oauth/oauth.go @@ -19,19 +19,25 @@ package oauth import ( + "github.com/go-pg/pg/v10" + "github.com/gotosocial/gotosocial/internal/api" + "github.com/gotosocial/gotosocial/internal/gtsmodel" "github.com/gotosocial/oauth2/v4" "github.com/gotosocial/oauth2/v4/errors" "github.com/gotosocial/oauth2/v4/manage" "github.com/gotosocial/oauth2/v4/server" "github.com/sirupsen/logrus" + "golang.org/x/crypto/bcrypt" ) type API struct { manager *manage.Manager server *server.Server + conn *pg.DB + log *logrus.Logger } -func New(ts oauth2.TokenStore, cs oauth2.ClientStore, log *logrus.Logger) *API { +func New(ts oauth2.TokenStore, cs oauth2.ClientStore, conn *pg.DB, log *logrus.Logger) *API { manager := manage.NewDefaultManager() manager.MapTokenStorage(ts) manager.MapClientStorage(cs) @@ -49,5 +55,41 @@ func New(ts oauth2.TokenStore, cs oauth2.ClientStore, log *logrus.Logger) *API { return &API{ manager: manager, server: srv, + conn: conn, + log: log, } } + +func (a *API) AddRoutes(s api.Server) error { + return nil +} + +func incorrectPassword() (string, error) { + return "", errors.New("password/email combination was incorrect") +} + +func (a *API) PasswordAuthorizationHandler(email string, password string) (userid string, err error) { + // first we select the user from the database based on email address, bail if no user found for that email + gtsUser := >smodel.User{} + if err := a.conn.Model(gtsUser).Where("email = ?", email).Select(); err != nil { + a.log.Debugf("user %s was not retrievable from db during oauth authorization attempt: %s", email, err) + return incorrectPassword() + } + + // make sure a password is actually set and bail if not + if gtsUser.EncryptedPassword == "" { + a.log.Warnf("encrypted password for user %s was empty for some reason", gtsUser.Email) + return incorrectPassword() + } + + // compare the provided password with the encrypted one from the db, bail if they don't match + if err := bcrypt.CompareHashAndPassword([]byte(gtsUser.EncryptedPassword), []byte(password)); err != nil { + a.log.Debugf("password hash didn't match for user %s during login attempt: %s", gtsUser.Email, err) + return incorrectPassword() + } + + // If we've made it this far the email/password is correct so we need the oauth client-id of the user + // This is, conveniently, the same as the user ID, so we can just return it. + userid = gtsUser.ID + return +} |