diff options
Diffstat (limited to 'internal/oauth')
| -rw-r--r-- | internal/oauth/clientstore.go | 72 | ||||
| -rw-r--r-- | internal/oauth/clientstore_test.go | 144 | ||||
| -rw-r--r-- | internal/oauth/mock_Server.go | 89 | ||||
| -rw-r--r-- | internal/oauth/oauth_test.go | 21 | ||||
| -rw-r--r-- | internal/oauth/server.go | 254 | ||||
| -rw-r--r-- | internal/oauth/tokenstore.go | 260 | ||||
| -rw-r--r-- | internal/oauth/tokenstore_test.go | 21 | 
7 files changed, 861 insertions, 0 deletions
| diff --git a/internal/oauth/clientstore.go b/internal/oauth/clientstore.go new file mode 100644 index 000000000..e062383ce --- /dev/null +++ b/internal/oauth/clientstore.go @@ -0,0 +1,72 @@ +/* +   GoToSocial +   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + +   This program is free software: you can redistribute it and/or modify +   it under the terms of the GNU Affero General Public License as published by +   the Free Software Foundation, either version 3 of the License, or +   (at your option) any later version. + +   This program is distributed in the hope that it will be useful, +   but WITHOUT ANY WARRANTY; without even the implied warranty of +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the +   GNU Affero General Public License for more details. + +   You should have received a copy of the GNU Affero General Public License +   along with this program.  If not, see <http://www.gnu.org/licenses/>. +*/ + +package oauth + +import ( +	"context" + +	"github.com/superseriousbusiness/gotosocial/internal/db" +	"github.com/superseriousbusiness/oauth2/v4" +	"github.com/superseriousbusiness/oauth2/v4/models" +) + +type clientStore struct { +	db db.DB +} + +func newClientStore(db db.DB) oauth2.ClientStore { +	pts := &clientStore{ +		db: db, +	} +	return pts +} + +func (cs *clientStore) GetByID(ctx context.Context, clientID string) (oauth2.ClientInfo, error) { +	poc := &Client{ +		ID: clientID, +	} +	if err := cs.db.GetByID(clientID, poc); err != nil { +		return nil, err +	} +	return models.New(poc.ID, poc.Secret, poc.Domain, poc.UserID), nil +} + +func (cs *clientStore) Set(ctx context.Context, id string, cli oauth2.ClientInfo) error { +	poc := &Client{ +		ID:     cli.GetID(), +		Secret: cli.GetSecret(), +		Domain: cli.GetDomain(), +		UserID: cli.GetUserID(), +	} +	return cs.db.UpdateByID(id, poc) +} + +func (cs *clientStore) Delete(ctx context.Context, id string) error { +	poc := &Client{ +		ID: id, +	} +	return cs.db.DeleteByID(id, poc) +} + +type Client struct { +	ID     string +	Secret string +	Domain string +	UserID string +} diff --git a/internal/oauth/clientstore_test.go b/internal/oauth/clientstore_test.go new file mode 100644 index 000000000..a7028228d --- /dev/null +++ b/internal/oauth/clientstore_test.go @@ -0,0 +1,144 @@ +/* +   GoToSocial +   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + +   This program is free software: you can redistribute it and/or modify +   it under the terms of the GNU Affero General Public License as published by +   the Free Software Foundation, either version 3 of the License, or +   (at your option) any later version. + +   This program is distributed in the hope that it will be useful, +   but WITHOUT ANY WARRANTY; without even the implied warranty of +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the +   GNU Affero General Public License for more details. + +   You should have received a copy of the GNU Affero General Public License +   along with this program.  If not, see <http://www.gnu.org/licenses/>. +*/ +package oauth + +import ( +	"context" +	"testing" + +	"github.com/sirupsen/logrus" +	"github.com/stretchr/testify/suite" +	"github.com/superseriousbusiness/gotosocial/internal/config" +	"github.com/superseriousbusiness/gotosocial/internal/db" +	"github.com/superseriousbusiness/oauth2/v4/models" +) + +type PgClientStoreTestSuite struct { +	suite.Suite +	db               db.DB +	testClientID     string +	testClientSecret string +	testClientDomain string +	testClientUserID string +} + +const () + +// SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout +func (suite *PgClientStoreTestSuite) SetupSuite() { +	suite.testClientID = "test-client-id" +	suite.testClientSecret = "test-client-secret" +	suite.testClientDomain = "https://example.org" +	suite.testClientUserID = "test-client-user-id" +} + +// SetupTest creates a postgres connection and creates the oauth_clients table before each test +func (suite *PgClientStoreTestSuite) SetupTest() { +	log := logrus.New() +	log.SetLevel(logrus.TraceLevel) +	c := config.Empty() +	c.DBConfig = &config.DBConfig{ +		Type:            "postgres", +		Address:         "localhost", +		Port:            5432, +		User:            "postgres", +		Password:        "postgres", +		Database:        "postgres", +		ApplicationName: "gotosocial", +	} +	db, err := db.New(context.Background(), c, log) +	if err != nil { +		logrus.Panicf("error creating database connection: %s", err) +	} + +	suite.db = db + +	models := []interface{}{ +		&Client{}, +	} + +	for _, m := range models { +		if err := suite.db.CreateTable(m); err != nil { +			logrus.Panicf("db connection error: %s", err) +		} +	} +} + +// TearDownTest drops the oauth_clients table and closes the pg connection after each test +func (suite *PgClientStoreTestSuite) TearDownTest() { +	models := []interface{}{ +		&Client{}, +	} +	for _, m := range models { +		if err := suite.db.DropTable(m); err != nil { +			logrus.Panicf("error dropping table: %s", err) +		} +	} +	if err := suite.db.Stop(context.Background()); err != nil { +		logrus.Panicf("error closing db connection: %s", err) +	} +	suite.db = nil +} + +func (suite *PgClientStoreTestSuite) TestClientStoreSetAndGet() { +	// set a new client in the store +	cs := newClientStore(suite.db) +	if err := cs.Set(context.Background(), suite.testClientID, models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID)); err != nil { +		suite.FailNow(err.Error()) +	} + +	// fetch that client from the store +	client, err := cs.GetByID(context.Background(), suite.testClientID) +	if err != nil { +		suite.FailNow(err.Error()) +	} + +	// check that the values are the same +	suite.NotNil(client) +	suite.EqualValues(models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID), client) +} + +func (suite *PgClientStoreTestSuite) TestClientSetAndDelete() { +	// set a new client in the store +	cs := newClientStore(suite.db) +	if err := cs.Set(context.Background(), suite.testClientID, models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID)); err != nil { +		suite.FailNow(err.Error()) +	} + +	// fetch the client from the store +	client, err := cs.GetByID(context.Background(), suite.testClientID) +	if err != nil { +		suite.FailNow(err.Error()) +	} + +	// check that the values are the same +	suite.NotNil(client) +	suite.EqualValues(models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID), client) +	if err := cs.Delete(context.Background(), suite.testClientID); err != nil { +		suite.FailNow(err.Error()) +	} + +	// try to get the deleted client; we should get an error +	deletedClient, err := cs.GetByID(context.Background(), suite.testClientID) +	suite.Assert().Nil(deletedClient) +	suite.Assert().EqualValues(db.ErrNoEntries{}, err) +} + +func TestPgClientStoreTestSuite(t *testing.T) { +	suite.Run(t, new(PgClientStoreTestSuite)) +} diff --git a/internal/oauth/mock_Server.go b/internal/oauth/mock_Server.go new file mode 100644 index 000000000..a5c0d603e --- /dev/null +++ b/internal/oauth/mock_Server.go @@ -0,0 +1,89 @@ +// Code generated by mockery v2.7.4. DO NOT EDIT. + +package oauth + +import ( +	http "net/http" + +	mock "github.com/stretchr/testify/mock" +	oauth2 "github.com/superseriousbusiness/oauth2/v4" +) + +// MockServer is an autogenerated mock type for the Server type +type MockServer struct { +	mock.Mock +} + +// GenerateUserAccessToken provides a mock function with given fields: ti, clientSecret, userID +func (_m *MockServer) GenerateUserAccessToken(ti oauth2.TokenInfo, clientSecret string, userID string) (oauth2.TokenInfo, error) { +	ret := _m.Called(ti, clientSecret, userID) + +	var r0 oauth2.TokenInfo +	if rf, ok := ret.Get(0).(func(oauth2.TokenInfo, string, string) oauth2.TokenInfo); ok { +		r0 = rf(ti, clientSecret, userID) +	} else { +		if ret.Get(0) != nil { +			r0 = ret.Get(0).(oauth2.TokenInfo) +		} +	} + +	var r1 error +	if rf, ok := ret.Get(1).(func(oauth2.TokenInfo, string, string) error); ok { +		r1 = rf(ti, clientSecret, userID) +	} else { +		r1 = ret.Error(1) +	} + +	return r0, r1 +} + +// HandleAuthorizeRequest provides a mock function with given fields: w, r +func (_m *MockServer) HandleAuthorizeRequest(w http.ResponseWriter, r *http.Request) error { +	ret := _m.Called(w, r) + +	var r0 error +	if rf, ok := ret.Get(0).(func(http.ResponseWriter, *http.Request) error); ok { +		r0 = rf(w, r) +	} else { +		r0 = ret.Error(0) +	} + +	return r0 +} + +// HandleTokenRequest provides a mock function with given fields: w, r +func (_m *MockServer) HandleTokenRequest(w http.ResponseWriter, r *http.Request) error { +	ret := _m.Called(w, r) + +	var r0 error +	if rf, ok := ret.Get(0).(func(http.ResponseWriter, *http.Request) error); ok { +		r0 = rf(w, r) +	} else { +		r0 = ret.Error(0) +	} + +	return r0 +} + +// ValidationBearerToken provides a mock function with given fields: r +func (_m *MockServer) ValidationBearerToken(r *http.Request) (oauth2.TokenInfo, error) { +	ret := _m.Called(r) + +	var r0 oauth2.TokenInfo +	if rf, ok := ret.Get(0).(func(*http.Request) oauth2.TokenInfo); ok { +		r0 = rf(r) +	} else { +		if ret.Get(0) != nil { +			r0 = ret.Get(0).(oauth2.TokenInfo) +		} +	} + +	var r1 error +	if rf, ok := ret.Get(1).(func(*http.Request) error); ok { +		r1 = rf(r) +	} else { +		r1 = ret.Error(1) +	} + +	return r0, r1 +} diff --git a/internal/oauth/oauth_test.go b/internal/oauth/oauth_test.go new file mode 100644 index 000000000..594b9b5a9 --- /dev/null +++ b/internal/oauth/oauth_test.go @@ -0,0 +1,21 @@ +/* +   GoToSocial +   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + +   This program is free software: you can redistribute it and/or modify +   it under the terms of the GNU Affero General Public License as published by +   the Free Software Foundation, either version 3 of the License, or +   (at your option) any later version. + +   This program is distributed in the hope that it will be useful, +   but WITHOUT ANY WARRANTY; without even the implied warranty of +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the +   GNU Affero General Public License for more details. + +   You should have received a copy of the GNU Affero General Public License +   along with this program.  If not, see <http://www.gnu.org/licenses/>. +*/ + +package oauth + +// TODO: write tests diff --git a/internal/oauth/server.go b/internal/oauth/server.go new file mode 100644 index 000000000..8bac8fc2f --- /dev/null +++ b/internal/oauth/server.go @@ -0,0 +1,254 @@ +/* +   GoToSocial +   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + +   This program is free software: you can redistribute it and/or modify +   it under the terms of the GNU Affero General Public License as published by +   the Free Software Foundation, either version 3 of the License, or +   (at your option) any later version. + +   This program is distributed in the hope that it will be useful, +   but WITHOUT ANY WARRANTY; without even the implied warranty of +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the +   GNU Affero General Public License for more details. + +   You should have received a copy of the GNU Affero General Public License +   along with this program.  If not, see <http://www.gnu.org/licenses/>. +*/ + +package oauth + +import ( +	"context" +	"fmt" +	"net/http" + +	"github.com/gin-gonic/gin" +	"github.com/sirupsen/logrus" +	"github.com/superseriousbusiness/gotosocial/internal/db" +	"github.com/superseriousbusiness/gotosocial/internal/db/model" +	"github.com/superseriousbusiness/oauth2/v4" +	"github.com/superseriousbusiness/oauth2/v4/errors" +	"github.com/superseriousbusiness/oauth2/v4/manage" +	"github.com/superseriousbusiness/oauth2/v4/server" +) + +const ( +	SessionAuthorizedToken = "authorized_token" +	// SessionAuthorizedUser is the key set in the gin context for the id of +	// a User who has successfully passed Bearer token authorization. +	// The interface returned from grabbing this key should be parsed as a *gtsmodel.User +	SessionAuthorizedUser = "authorized_user" +	// SessionAuthorizedAccount is the key set in the gin context for the Account +	// of a User who has successfully passed Bearer token authorization. +	// The interface returned from grabbing this key should be parsed as a *gtsmodel.Account +	SessionAuthorizedAccount = "authorized_account" +	// SessionAuthorizedAccount is the key set in the gin context for the Application +	// of a Client who has successfully passed Bearer token authorization. +	// The interface returned from grabbing this key should be parsed as a *gtsmodel.Application +	SessionAuthorizedApplication = "authorized_app" +) + +// Server wraps some oauth2 server functions in an interface, exposing only what is needed +type Server interface { +	HandleTokenRequest(w http.ResponseWriter, r *http.Request) error +	HandleAuthorizeRequest(w http.ResponseWriter, r *http.Request) error +	ValidationBearerToken(r *http.Request) (oauth2.TokenInfo, error) +	GenerateUserAccessToken(ti oauth2.TokenInfo, clientSecret string, userID string) (accessToken oauth2.TokenInfo, err error) +} + +// s fulfils the Server interface using the underlying oauth2 server +type s struct { +	server *server.Server +	log    *logrus.Logger +} + +type Authed struct { +	Token       oauth2.TokenInfo +	Application *model.Application +	User        *model.User +	Account     *model.Account +} + +// GetAuthed is a convenience function for returning an Authed struct from a gin context. +// In essence, it tries to extract a token, application, user, and account from the context, +// and then sets them on a struct for convenience. +// +// If any are not present in the context, they will be set to nil on the returned Authed struct. +// +// If *ALL* are not present, then nil and an error will be returned. +// +// If something goes wrong during parsing, then nil and an error will be returned (consider this not authed). +func GetAuthed(c *gin.Context) (*Authed, error) { +	ctx := c.Copy() +	a := &Authed{} +	var i interface{} +	var ok bool + +	i, ok = ctx.Get(SessionAuthorizedToken) +	if ok { +		parsed, ok := i.(oauth2.TokenInfo) +		if !ok { +			return nil, errors.New("could not parse token from session context") +		} +		a.Token = parsed +	} + +	i, ok = ctx.Get(SessionAuthorizedApplication) +	if ok { +		parsed, ok := i.(*model.Application) +		if !ok { +			return nil, errors.New("could not parse application from session context") +		} +		a.Application = parsed +	} + +	i, ok = ctx.Get(SessionAuthorizedUser) +	if ok { +		parsed, ok := i.(*model.User) +		if !ok { +			return nil, errors.New("could not parse user from session context") +		} +		a.User = parsed +	} + +	i, ok = ctx.Get(SessionAuthorizedAccount) +	if ok { +		parsed, ok := i.(*model.Account) +		if !ok { +			return nil, errors.New("could not parse account from session context") +		} +		a.Account = parsed +	} + +	if a.Token == nil && a.Application == nil && a.User == nil && a.Account == nil { +		return nil, errors.New("not authorized") +	} + +	return a, nil +} + +// MustAuth is like GetAuthed, but will fail if one of the requirements is not met. +func MustAuth(c *gin.Context, requireToken bool, requireApp bool, requireUser bool, requireAccount bool) (*Authed, error) { +	a, err := GetAuthed(c) +	if err != nil { +		return nil, err +	} +	if requireToken && a.Token == nil { +		return nil, errors.New("token not supplied") +	} +	if requireApp && a.Application == nil { +		return nil, errors.New("application not supplied") +	} +	if requireUser && a.User == nil { +		return nil, errors.New("user not supplied") +	} +	if requireAccount && a.Account == nil { +		return nil, errors.New("account not supplied") +	} +	return a, nil +} + +// HandleTokenRequest wraps the oauth2 library's HandleTokenRequest function +func (s *s) HandleTokenRequest(w http.ResponseWriter, r *http.Request) error { +	return s.server.HandleTokenRequest(w, r) +} + +// HandleAuthorizeRequest wraps the oauth2 library's HandleAuthorizeRequest function +func (s *s) HandleAuthorizeRequest(w http.ResponseWriter, r *http.Request) error { +	return s.server.HandleAuthorizeRequest(w, r) +} + +// ValidationBearerToken wraps the oauth2 library's ValidationBearerToken function +func (s *s) ValidationBearerToken(r *http.Request) (oauth2.TokenInfo, error) { +	return s.server.ValidationBearerToken(r) +} + +// GenerateUserAccessToken shortcuts the normal oauth flow to create an user-level +// bearer token *without* requiring that user to log in. This is useful when we +// need to create a token for new users who haven't validated their email or logged in yet. +// +// The ti parameter refers to an existing Application token that was used to make the upstream +// request. This token needs to be validated and exist in database in order to create a new token. +func (s *s) GenerateUserAccessToken(ti oauth2.TokenInfo, clientSecret string, userID string) (oauth2.TokenInfo, error) { + +	authToken, err := s.server.Manager.GenerateAuthToken(context.Background(), oauth2.Code, &oauth2.TokenGenerateRequest{ +		ClientID:     ti.GetClientID(), +		ClientSecret: clientSecret, +		UserID:       userID, +		RedirectURI:  ti.GetRedirectURI(), +		Scope:        ti.GetScope(), +	}) +	if err != nil { +		return nil, fmt.Errorf("error generating auth token: %s", err) +	} +	if authToken == nil { +		return nil, errors.New("generated auth token was empty") +	} +	s.log.Tracef("obtained auth token: %+v", authToken) + +	accessToken, err := s.server.Manager.GenerateAccessToken(context.Background(), oauth2.AuthorizationCode, &oauth2.TokenGenerateRequest{ +		ClientID:     authToken.GetClientID(), +		ClientSecret: clientSecret, +		RedirectURI:  authToken.GetRedirectURI(), +		Scope:        authToken.GetScope(), +		Code:         authToken.GetCode(), +	}) + +	if err != nil { +		return nil, fmt.Errorf("error generating user-level access token: %s", err) +	} +	if accessToken == nil { +		return nil, errors.New("generated user-level access token was empty") +	} +	s.log.Tracef("obtained user-level access token: %+v", accessToken) +	return accessToken, nil +} + +func New(database db.DB, log *logrus.Logger) Server { +	ts := newTokenStore(context.Background(), database, log) +	cs := newClientStore(database) + +	manager := manage.NewDefaultManager() +	manager.MapTokenStorage(ts) +	manager.MapClientStorage(cs) +	manager.SetAuthorizeCodeTokenCfg(manage.DefaultAuthorizeCodeTokenCfg) +	sc := &server.Config{ +		TokenType: "Bearer", +		// Must follow the spec. +		AllowGetAccessRequest: false, +		// Support only the non-implicit flow. +		AllowedResponseTypes: []oauth2.ResponseType{oauth2.Code}, +		// Allow: +		// - Authorization Code (for first & third parties) +		// - Client Credentials (for applications) +		AllowedGrantTypes: []oauth2.GrantType{ +			oauth2.AuthorizationCode, +			oauth2.ClientCredentials, +		}, +		AllowedCodeChallengeMethods: []oauth2.CodeChallengeMethod{oauth2.CodeChallengePlain}, +	} + +	srv := server.NewServer(sc, manager) +	srv.SetInternalErrorHandler(func(err error) *errors.Response { +		log.Errorf("internal oauth error: %s", err) +		return nil +	}) + +	srv.SetResponseErrorHandler(func(re *errors.Response) { +		log.Errorf("internal response error: %s", re.Error) +	}) + +	srv.SetUserAuthorizationHandler(func(w http.ResponseWriter, r *http.Request) (string, error) { +		userID := r.FormValue("userid") +		if userID == "" { +			return "", errors.New("userid was empty") +		} +		return userID, nil +	}) +	srv.SetClientInfoHandler(server.ClientFormHandler) +	return &s{ +		server: srv, +		log:    log, +	} +} diff --git a/internal/oauth/tokenstore.go b/internal/oauth/tokenstore.go new file mode 100644 index 000000000..c4c9ff1d5 --- /dev/null +++ b/internal/oauth/tokenstore.go @@ -0,0 +1,260 @@ +/* +   GoToSocial +   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + +   This program is free software: you can redistribute it and/or modify +   it under the terms of the GNU Affero General Public License as published by +   the Free Software Foundation, either version 3 of the License, or +   (at your option) any later version. + +   This program is distributed in the hope that it will be useful, +   but WITHOUT ANY WARRANTY; without even the implied warranty of +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the +   GNU Affero General Public License for more details. + +   You should have received a copy of the GNU Affero General Public License +   along with this program.  If not, see <http://www.gnu.org/licenses/>. +*/ + +package oauth + +import ( +	"context" +	"errors" +	"fmt" +	"time" + +	"github.com/sirupsen/logrus" +	"github.com/superseriousbusiness/gotosocial/internal/db" +	"github.com/superseriousbusiness/oauth2/v4" +	"github.com/superseriousbusiness/oauth2/v4/models" +) + +// tokenStore is an implementation of oauth2.TokenStore, which uses our db interface as a storage backend. +type tokenStore struct { +	oauth2.TokenStore +	db  db.DB +	log *logrus.Logger +} + +// newTokenStore returns a token store that satisfies the oauth2.TokenStore interface. +// +// In order to allow tokens to 'expire', it will also set off a goroutine that iterates through +// the tokens in the DB once per minute and deletes any that have expired. +func newTokenStore(ctx context.Context, db db.DB, log *logrus.Logger) oauth2.TokenStore { +	pts := &tokenStore{ +		db:  db, +		log: log, +	} + +	// set the token store to clean out expired tokens once per minute, or return if we're done +	go func(ctx context.Context, pts *tokenStore, log *logrus.Logger) { +	cleanloop: +		for { +			select { +			case <-ctx.Done(): +				log.Info("breaking cleanloop") +				break cleanloop +			case <-time.After(1 * time.Minute): +				log.Debug("sweeping out old oauth entries broom broom") +				if err := pts.sweep(); err != nil { +					log.Errorf("error while sweeping oauth entries: %s", err) +				} +			} +		} +	}(ctx, pts, log) +	return pts +} + +// sweep clears out old tokens that have expired; it should be run on a loop about once per minute or so. +func (pts *tokenStore) sweep() error { +	// select *all* tokens from the db +	// todo: if this becomes expensive (ie., there are fucking LOADS of tokens) then figure out a better way. +	tokens := new([]*Token) +	if err := pts.db.GetAll(tokens); err != nil { +		return err +	} + +	// iterate through and remove expired tokens +	now := time.Now() +	for _, pgt := range *tokens { +		// The zero value of a time.Time is 00:00 january 1 1970, which will always be before now. So: +		// we only want to check if a token expired before now if the expiry time is *not zero*; +		// ie., if it's been explicity set. +		if !pgt.CodeExpiresAt.IsZero() && pgt.CodeExpiresAt.Before(now) || !pgt.RefreshExpiresAt.IsZero() && pgt.RefreshExpiresAt.Before(now) || !pgt.AccessExpiresAt.IsZero() && pgt.AccessExpiresAt.Before(now) { +			if err := pts.db.DeleteByID(pgt.ID, &pgt); err != nil { +				return err +			} +		} +	} + +	return nil +} + +// Create creates and store the new token information. +// For the original implementation, see https://github.com/superseriousbusiness/oauth2/blob/master/store/token.go#L34 +func (pts *tokenStore) Create(ctx context.Context, info oauth2.TokenInfo) error { +	t, ok := info.(*models.Token) +	if !ok { +		return errors.New("info param was not a models.Token") +	} +	if err := pts.db.Put(oauthTokenToPGToken(t)); err != nil { +		return fmt.Errorf("error in tokenstore create: %s", err) +	} +	return nil +} + +// RemoveByCode deletes a token from the DB based on the Code field +func (pts *tokenStore) RemoveByCode(ctx context.Context, code string) error { +	return pts.db.DeleteWhere("code", code, &Token{}) +} + +// RemoveByAccess deletes a token from the DB based on the Access field +func (pts *tokenStore) RemoveByAccess(ctx context.Context, access string) error { +	return pts.db.DeleteWhere("access", access, &Token{}) +} + +// RemoveByRefresh deletes a token from the DB based on the Refresh field +func (pts *tokenStore) RemoveByRefresh(ctx context.Context, refresh string) error { +	return pts.db.DeleteWhere("refresh", refresh, &Token{}) +} + +// GetByCode selects a token from the DB based on the Code field +func (pts *tokenStore) GetByCode(ctx context.Context, code string) (oauth2.TokenInfo, error) { +	if code == "" { +		return nil, nil +	} +	pgt := &Token{ +		Code: code, +	} +	if err := pts.db.GetWhere("code", code, pgt); err != nil { +		return nil, err +	} +	return pgTokenToOauthToken(pgt), nil +} + +// GetByAccess selects a token from the DB based on the Access field +func (pts *tokenStore) GetByAccess(ctx context.Context, access string) (oauth2.TokenInfo, error) { +	if access == "" { +		return nil, nil +	} +	pgt := &Token{ +		Access: access, +	} +	if err := pts.db.GetWhere("access", access, pgt); err != nil { +		return nil, err +	} +	return pgTokenToOauthToken(pgt), nil +} + +// GetByRefresh selects a token from the DB based on the Refresh field +func (pts *tokenStore) GetByRefresh(ctx context.Context, refresh string) (oauth2.TokenInfo, error) { +	if refresh == "" { +		return nil, nil +	} +	pgt := &Token{ +		Refresh: refresh, +	} +	if err := pts.db.GetWhere("refresh", refresh, pgt); err != nil { +		return nil, err +	} +	return pgTokenToOauthToken(pgt), nil +} + +/* +	The following models are basically helpers for the postgres token store implementation, they should only be used internally. +*/ + +// Token is a translation of the gotosocial token with the ExpiresIn fields replaced with ExpiresAt. +// +// Explanation for this: gotosocial assumes an in-memory or file database of some kind, where a time-to-live parameter (TTL) can be defined, +// and tokens with expired TTLs are automatically removed. Since Postgres doesn't have that feature, it's easier to set an expiry time and +// then periodically sweep out tokens when that time has passed. +// +// Note that this struct does *not* satisfy the token interface shown here: https://github.com/superseriousbusiness/oauth2/blob/master/model.go#L22 +// and implemented here: https://github.com/superseriousbusiness/oauth2/blob/master/models/token.go. +// As such, manual translation is always required between Token and the gotosocial *model.Token. The helper functions oauthTokenToPGToken +// and pgTokenToOauthToken can be used for that. +type Token struct { +	ID                  string `pg:"type:uuid,default:gen_random_uuid(),pk,notnull"` +	ClientID            string +	UserID              string +	RedirectURI         string +	Scope               string +	Code                string `pg:"default:'',pk"` +	CodeChallenge       string +	CodeChallengeMethod string +	CodeCreateAt        time.Time `pg:"type:timestamp"` +	CodeExpiresAt       time.Time `pg:"type:timestamp"` +	Access              string    `pg:"default:'',pk"` +	AccessCreateAt      time.Time `pg:"type:timestamp"` +	AccessExpiresAt     time.Time `pg:"type:timestamp"` +	Refresh             string    `pg:"default:'',pk"` +	RefreshCreateAt     time.Time `pg:"type:timestamp"` +	RefreshExpiresAt    time.Time `pg:"type:timestamp"` +} + +// oauthTokenToPGToken is a lil util function that takes a gotosocial token and gives back a token for inserting into postgres +func oauthTokenToPGToken(tkn *models.Token) *Token { +	now := time.Now() + +	// For the following, we want to make sure we're not adding a time.Now() to an *empty* ExpiresIn, otherwise that's +	// going to cause all sorts of interesting problems. So check first to make sure that the ExpiresIn is not equal +	// to the zero value of a time.Duration, which is 0s. If it *is* empty/nil, just leave the ExpiresAt at nil as well. + +	var cea time.Time +	if tkn.CodeExpiresIn != 0*time.Second { +		cea = now.Add(tkn.CodeExpiresIn) +	} + +	var aea time.Time +	if tkn.AccessExpiresIn != 0*time.Second { +		aea = now.Add(tkn.AccessExpiresIn) +	} + +	var rea time.Time +	if tkn.RefreshExpiresIn != 0*time.Second { +		rea = now.Add(tkn.RefreshExpiresIn) +	} + +	return &Token{ +		ClientID:            tkn.ClientID, +		UserID:              tkn.UserID, +		RedirectURI:         tkn.RedirectURI, +		Scope:               tkn.Scope, +		Code:                tkn.Code, +		CodeChallenge:       tkn.CodeChallenge, +		CodeChallengeMethod: tkn.CodeChallengeMethod, +		CodeCreateAt:        tkn.CodeCreateAt, +		CodeExpiresAt:       cea, +		Access:              tkn.Access, +		AccessCreateAt:      tkn.AccessCreateAt, +		AccessExpiresAt:     aea, +		Refresh:             tkn.Refresh, +		RefreshCreateAt:     tkn.RefreshCreateAt, +		RefreshExpiresAt:    rea, +	} +} + +// pgTokenToOauthToken is a lil util function that takes a postgres token and gives back a gotosocial token +func pgTokenToOauthToken(pgt *Token) *models.Token { +	now := time.Now() + +	return &models.Token{ +		ClientID:            pgt.ClientID, +		UserID:              pgt.UserID, +		RedirectURI:         pgt.RedirectURI, +		Scope:               pgt.Scope, +		Code:                pgt.Code, +		CodeChallenge:       pgt.CodeChallenge, +		CodeChallengeMethod: pgt.CodeChallengeMethod, +		CodeCreateAt:        pgt.CodeCreateAt, +		CodeExpiresIn:       pgt.CodeExpiresAt.Sub(now), +		Access:              pgt.Access, +		AccessCreateAt:      pgt.AccessCreateAt, +		AccessExpiresIn:     pgt.AccessExpiresAt.Sub(now), +		Refresh:             pgt.Refresh, +		RefreshCreateAt:     pgt.RefreshCreateAt, +		RefreshExpiresIn:    pgt.RefreshExpiresAt.Sub(now), +	} +} diff --git a/internal/oauth/tokenstore_test.go b/internal/oauth/tokenstore_test.go new file mode 100644 index 000000000..594b9b5a9 --- /dev/null +++ b/internal/oauth/tokenstore_test.go @@ -0,0 +1,21 @@ +/* +   GoToSocial +   Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + +   This program is free software: you can redistribute it and/or modify +   it under the terms of the GNU Affero General Public License as published by +   the Free Software Foundation, either version 3 of the License, or +   (at your option) any later version. + +   This program is distributed in the hope that it will be useful, +   but WITHOUT ANY WARRANTY; without even the implied warranty of +   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the +   GNU Affero General Public License for more details. + +   You should have received a copy of the GNU Affero General Public License +   along with this program.  If not, see <http://www.gnu.org/licenses/>. +*/ + +package oauth + +// TODO: write tests | 
