diff options
Diffstat (limited to 'internal/oauth')
-rw-r--r-- | internal/oauth/clientstore.go | 72 | ||||
-rw-r--r-- | internal/oauth/clientstore_test.go | 144 | ||||
-rw-r--r-- | internal/oauth/mock_Server.go | 89 | ||||
-rw-r--r-- | internal/oauth/oauth_test.go | 21 | ||||
-rw-r--r-- | internal/oauth/server.go | 254 | ||||
-rw-r--r-- | internal/oauth/tokenstore.go | 260 | ||||
-rw-r--r-- | internal/oauth/tokenstore_test.go | 21 |
7 files changed, 861 insertions, 0 deletions
diff --git a/internal/oauth/clientstore.go b/internal/oauth/clientstore.go new file mode 100644 index 000000000..e062383ce --- /dev/null +++ b/internal/oauth/clientstore.go @@ -0,0 +1,72 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package oauth + +import ( + "context" + + "github.com/superseriousbusiness/gotosocial/internal/db" + "github.com/superseriousbusiness/oauth2/v4" + "github.com/superseriousbusiness/oauth2/v4/models" +) + +type clientStore struct { + db db.DB +} + +func newClientStore(db db.DB) oauth2.ClientStore { + pts := &clientStore{ + db: db, + } + return pts +} + +func (cs *clientStore) GetByID(ctx context.Context, clientID string) (oauth2.ClientInfo, error) { + poc := &Client{ + ID: clientID, + } + if err := cs.db.GetByID(clientID, poc); err != nil { + return nil, err + } + return models.New(poc.ID, poc.Secret, poc.Domain, poc.UserID), nil +} + +func (cs *clientStore) Set(ctx context.Context, id string, cli oauth2.ClientInfo) error { + poc := &Client{ + ID: cli.GetID(), + Secret: cli.GetSecret(), + Domain: cli.GetDomain(), + UserID: cli.GetUserID(), + } + return cs.db.UpdateByID(id, poc) +} + +func (cs *clientStore) Delete(ctx context.Context, id string) error { + poc := &Client{ + ID: id, + } + return cs.db.DeleteByID(id, poc) +} + +type Client struct { + ID string + Secret string + Domain string + UserID string +} diff --git a/internal/oauth/clientstore_test.go b/internal/oauth/clientstore_test.go new file mode 100644 index 000000000..a7028228d --- /dev/null +++ b/internal/oauth/clientstore_test.go @@ -0,0 +1,144 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ +package oauth + +import ( + "context" + "testing" + + "github.com/sirupsen/logrus" + "github.com/stretchr/testify/suite" + "github.com/superseriousbusiness/gotosocial/internal/config" + "github.com/superseriousbusiness/gotosocial/internal/db" + "github.com/superseriousbusiness/oauth2/v4/models" +) + +type PgClientStoreTestSuite struct { + suite.Suite + db db.DB + testClientID string + testClientSecret string + testClientDomain string + testClientUserID string +} + +const () + +// SetupSuite sets some variables on the suite that we can use as consts (more or less) throughout +func (suite *PgClientStoreTestSuite) SetupSuite() { + suite.testClientID = "test-client-id" + suite.testClientSecret = "test-client-secret" + suite.testClientDomain = "https://example.org" + suite.testClientUserID = "test-client-user-id" +} + +// SetupTest creates a postgres connection and creates the oauth_clients table before each test +func (suite *PgClientStoreTestSuite) SetupTest() { + log := logrus.New() + log.SetLevel(logrus.TraceLevel) + c := config.Empty() + c.DBConfig = &config.DBConfig{ + Type: "postgres", + Address: "localhost", + Port: 5432, + User: "postgres", + Password: "postgres", + Database: "postgres", + ApplicationName: "gotosocial", + } + db, err := db.New(context.Background(), c, log) + if err != nil { + logrus.Panicf("error creating database connection: %s", err) + } + + suite.db = db + + models := []interface{}{ + &Client{}, + } + + for _, m := range models { + if err := suite.db.CreateTable(m); err != nil { + logrus.Panicf("db connection error: %s", err) + } + } +} + +// TearDownTest drops the oauth_clients table and closes the pg connection after each test +func (suite *PgClientStoreTestSuite) TearDownTest() { + models := []interface{}{ + &Client{}, + } + for _, m := range models { + if err := suite.db.DropTable(m); err != nil { + logrus.Panicf("error dropping table: %s", err) + } + } + if err := suite.db.Stop(context.Background()); err != nil { + logrus.Panicf("error closing db connection: %s", err) + } + suite.db = nil +} + +func (suite *PgClientStoreTestSuite) TestClientStoreSetAndGet() { + // set a new client in the store + cs := newClientStore(suite.db) + if err := cs.Set(context.Background(), suite.testClientID, models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID)); err != nil { + suite.FailNow(err.Error()) + } + + // fetch that client from the store + client, err := cs.GetByID(context.Background(), suite.testClientID) + if err != nil { + suite.FailNow(err.Error()) + } + + // check that the values are the same + suite.NotNil(client) + suite.EqualValues(models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID), client) +} + +func (suite *PgClientStoreTestSuite) TestClientSetAndDelete() { + // set a new client in the store + cs := newClientStore(suite.db) + if err := cs.Set(context.Background(), suite.testClientID, models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID)); err != nil { + suite.FailNow(err.Error()) + } + + // fetch the client from the store + client, err := cs.GetByID(context.Background(), suite.testClientID) + if err != nil { + suite.FailNow(err.Error()) + } + + // check that the values are the same + suite.NotNil(client) + suite.EqualValues(models.New(suite.testClientID, suite.testClientSecret, suite.testClientDomain, suite.testClientUserID), client) + if err := cs.Delete(context.Background(), suite.testClientID); err != nil { + suite.FailNow(err.Error()) + } + + // try to get the deleted client; we should get an error + deletedClient, err := cs.GetByID(context.Background(), suite.testClientID) + suite.Assert().Nil(deletedClient) + suite.Assert().EqualValues(db.ErrNoEntries{}, err) +} + +func TestPgClientStoreTestSuite(t *testing.T) { + suite.Run(t, new(PgClientStoreTestSuite)) +} diff --git a/internal/oauth/mock_Server.go b/internal/oauth/mock_Server.go new file mode 100644 index 000000000..a5c0d603e --- /dev/null +++ b/internal/oauth/mock_Server.go @@ -0,0 +1,89 @@ +// Code generated by mockery v2.7.4. DO NOT EDIT. + +package oauth + +import ( + http "net/http" + + mock "github.com/stretchr/testify/mock" + oauth2 "github.com/superseriousbusiness/oauth2/v4" +) + +// MockServer is an autogenerated mock type for the Server type +type MockServer struct { + mock.Mock +} + +// GenerateUserAccessToken provides a mock function with given fields: ti, clientSecret, userID +func (_m *MockServer) GenerateUserAccessToken(ti oauth2.TokenInfo, clientSecret string, userID string) (oauth2.TokenInfo, error) { + ret := _m.Called(ti, clientSecret, userID) + + var r0 oauth2.TokenInfo + if rf, ok := ret.Get(0).(func(oauth2.TokenInfo, string, string) oauth2.TokenInfo); ok { + r0 = rf(ti, clientSecret, userID) + } else { + if ret.Get(0) != nil { + r0 = ret.Get(0).(oauth2.TokenInfo) + } + } + + var r1 error + if rf, ok := ret.Get(1).(func(oauth2.TokenInfo, string, string) error); ok { + r1 = rf(ti, clientSecret, userID) + } else { + r1 = ret.Error(1) + } + + return r0, r1 +} + +// HandleAuthorizeRequest provides a mock function with given fields: w, r +func (_m *MockServer) HandleAuthorizeRequest(w http.ResponseWriter, r *http.Request) error { + ret := _m.Called(w, r) + + var r0 error + if rf, ok := ret.Get(0).(func(http.ResponseWriter, *http.Request) error); ok { + r0 = rf(w, r) + } else { + r0 = ret.Error(0) + } + + return r0 +} + +// HandleTokenRequest provides a mock function with given fields: w, r +func (_m *MockServer) HandleTokenRequest(w http.ResponseWriter, r *http.Request) error { + ret := _m.Called(w, r) + + var r0 error + if rf, ok := ret.Get(0).(func(http.ResponseWriter, *http.Request) error); ok { + r0 = rf(w, r) + } else { + r0 = ret.Error(0) + } + + return r0 +} + +// ValidationBearerToken provides a mock function with given fields: r +func (_m *MockServer) ValidationBearerToken(r *http.Request) (oauth2.TokenInfo, error) { + ret := _m.Called(r) + + var r0 oauth2.TokenInfo + if rf, ok := ret.Get(0).(func(*http.Request) oauth2.TokenInfo); ok { + r0 = rf(r) + } else { + if ret.Get(0) != nil { + r0 = ret.Get(0).(oauth2.TokenInfo) + } + } + + var r1 error + if rf, ok := ret.Get(1).(func(*http.Request) error); ok { + r1 = rf(r) + } else { + r1 = ret.Error(1) + } + + return r0, r1 +} diff --git a/internal/oauth/oauth_test.go b/internal/oauth/oauth_test.go new file mode 100644 index 000000000..594b9b5a9 --- /dev/null +++ b/internal/oauth/oauth_test.go @@ -0,0 +1,21 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package oauth + +// TODO: write tests diff --git a/internal/oauth/server.go b/internal/oauth/server.go new file mode 100644 index 000000000..8bac8fc2f --- /dev/null +++ b/internal/oauth/server.go @@ -0,0 +1,254 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package oauth + +import ( + "context" + "fmt" + "net/http" + + "github.com/gin-gonic/gin" + "github.com/sirupsen/logrus" + "github.com/superseriousbusiness/gotosocial/internal/db" + "github.com/superseriousbusiness/gotosocial/internal/db/model" + "github.com/superseriousbusiness/oauth2/v4" + "github.com/superseriousbusiness/oauth2/v4/errors" + "github.com/superseriousbusiness/oauth2/v4/manage" + "github.com/superseriousbusiness/oauth2/v4/server" +) + +const ( + SessionAuthorizedToken = "authorized_token" + // SessionAuthorizedUser is the key set in the gin context for the id of + // a User who has successfully passed Bearer token authorization. + // The interface returned from grabbing this key should be parsed as a *gtsmodel.User + SessionAuthorizedUser = "authorized_user" + // SessionAuthorizedAccount is the key set in the gin context for the Account + // of a User who has successfully passed Bearer token authorization. + // The interface returned from grabbing this key should be parsed as a *gtsmodel.Account + SessionAuthorizedAccount = "authorized_account" + // SessionAuthorizedAccount is the key set in the gin context for the Application + // of a Client who has successfully passed Bearer token authorization. + // The interface returned from grabbing this key should be parsed as a *gtsmodel.Application + SessionAuthorizedApplication = "authorized_app" +) + +// Server wraps some oauth2 server functions in an interface, exposing only what is needed +type Server interface { + HandleTokenRequest(w http.ResponseWriter, r *http.Request) error + HandleAuthorizeRequest(w http.ResponseWriter, r *http.Request) error + ValidationBearerToken(r *http.Request) (oauth2.TokenInfo, error) + GenerateUserAccessToken(ti oauth2.TokenInfo, clientSecret string, userID string) (accessToken oauth2.TokenInfo, err error) +} + +// s fulfils the Server interface using the underlying oauth2 server +type s struct { + server *server.Server + log *logrus.Logger +} + +type Authed struct { + Token oauth2.TokenInfo + Application *model.Application + User *model.User + Account *model.Account +} + +// GetAuthed is a convenience function for returning an Authed struct from a gin context. +// In essence, it tries to extract a token, application, user, and account from the context, +// and then sets them on a struct for convenience. +// +// If any are not present in the context, they will be set to nil on the returned Authed struct. +// +// If *ALL* are not present, then nil and an error will be returned. +// +// If something goes wrong during parsing, then nil and an error will be returned (consider this not authed). +func GetAuthed(c *gin.Context) (*Authed, error) { + ctx := c.Copy() + a := &Authed{} + var i interface{} + var ok bool + + i, ok = ctx.Get(SessionAuthorizedToken) + if ok { + parsed, ok := i.(oauth2.TokenInfo) + if !ok { + return nil, errors.New("could not parse token from session context") + } + a.Token = parsed + } + + i, ok = ctx.Get(SessionAuthorizedApplication) + if ok { + parsed, ok := i.(*model.Application) + if !ok { + return nil, errors.New("could not parse application from session context") + } + a.Application = parsed + } + + i, ok = ctx.Get(SessionAuthorizedUser) + if ok { + parsed, ok := i.(*model.User) + if !ok { + return nil, errors.New("could not parse user from session context") + } + a.User = parsed + } + + i, ok = ctx.Get(SessionAuthorizedAccount) + if ok { + parsed, ok := i.(*model.Account) + if !ok { + return nil, errors.New("could not parse account from session context") + } + a.Account = parsed + } + + if a.Token == nil && a.Application == nil && a.User == nil && a.Account == nil { + return nil, errors.New("not authorized") + } + + return a, nil +} + +// MustAuth is like GetAuthed, but will fail if one of the requirements is not met. +func MustAuth(c *gin.Context, requireToken bool, requireApp bool, requireUser bool, requireAccount bool) (*Authed, error) { + a, err := GetAuthed(c) + if err != nil { + return nil, err + } + if requireToken && a.Token == nil { + return nil, errors.New("token not supplied") + } + if requireApp && a.Application == nil { + return nil, errors.New("application not supplied") + } + if requireUser && a.User == nil { + return nil, errors.New("user not supplied") + } + if requireAccount && a.Account == nil { + return nil, errors.New("account not supplied") + } + return a, nil +} + +// HandleTokenRequest wraps the oauth2 library's HandleTokenRequest function +func (s *s) HandleTokenRequest(w http.ResponseWriter, r *http.Request) error { + return s.server.HandleTokenRequest(w, r) +} + +// HandleAuthorizeRequest wraps the oauth2 library's HandleAuthorizeRequest function +func (s *s) HandleAuthorizeRequest(w http.ResponseWriter, r *http.Request) error { + return s.server.HandleAuthorizeRequest(w, r) +} + +// ValidationBearerToken wraps the oauth2 library's ValidationBearerToken function +func (s *s) ValidationBearerToken(r *http.Request) (oauth2.TokenInfo, error) { + return s.server.ValidationBearerToken(r) +} + +// GenerateUserAccessToken shortcuts the normal oauth flow to create an user-level +// bearer token *without* requiring that user to log in. This is useful when we +// need to create a token for new users who haven't validated their email or logged in yet. +// +// The ti parameter refers to an existing Application token that was used to make the upstream +// request. This token needs to be validated and exist in database in order to create a new token. +func (s *s) GenerateUserAccessToken(ti oauth2.TokenInfo, clientSecret string, userID string) (oauth2.TokenInfo, error) { + + authToken, err := s.server.Manager.GenerateAuthToken(context.Background(), oauth2.Code, &oauth2.TokenGenerateRequest{ + ClientID: ti.GetClientID(), + ClientSecret: clientSecret, + UserID: userID, + RedirectURI: ti.GetRedirectURI(), + Scope: ti.GetScope(), + }) + if err != nil { + return nil, fmt.Errorf("error generating auth token: %s", err) + } + if authToken == nil { + return nil, errors.New("generated auth token was empty") + } + s.log.Tracef("obtained auth token: %+v", authToken) + + accessToken, err := s.server.Manager.GenerateAccessToken(context.Background(), oauth2.AuthorizationCode, &oauth2.TokenGenerateRequest{ + ClientID: authToken.GetClientID(), + ClientSecret: clientSecret, + RedirectURI: authToken.GetRedirectURI(), + Scope: authToken.GetScope(), + Code: authToken.GetCode(), + }) + + if err != nil { + return nil, fmt.Errorf("error generating user-level access token: %s", err) + } + if accessToken == nil { + return nil, errors.New("generated user-level access token was empty") + } + s.log.Tracef("obtained user-level access token: %+v", accessToken) + return accessToken, nil +} + +func New(database db.DB, log *logrus.Logger) Server { + ts := newTokenStore(context.Background(), database, log) + cs := newClientStore(database) + + manager := manage.NewDefaultManager() + manager.MapTokenStorage(ts) + manager.MapClientStorage(cs) + manager.SetAuthorizeCodeTokenCfg(manage.DefaultAuthorizeCodeTokenCfg) + sc := &server.Config{ + TokenType: "Bearer", + // Must follow the spec. + AllowGetAccessRequest: false, + // Support only the non-implicit flow. + AllowedResponseTypes: []oauth2.ResponseType{oauth2.Code}, + // Allow: + // - Authorization Code (for first & third parties) + // - Client Credentials (for applications) + AllowedGrantTypes: []oauth2.GrantType{ + oauth2.AuthorizationCode, + oauth2.ClientCredentials, + }, + AllowedCodeChallengeMethods: []oauth2.CodeChallengeMethod{oauth2.CodeChallengePlain}, + } + + srv := server.NewServer(sc, manager) + srv.SetInternalErrorHandler(func(err error) *errors.Response { + log.Errorf("internal oauth error: %s", err) + return nil + }) + + srv.SetResponseErrorHandler(func(re *errors.Response) { + log.Errorf("internal response error: %s", re.Error) + }) + + srv.SetUserAuthorizationHandler(func(w http.ResponseWriter, r *http.Request) (string, error) { + userID := r.FormValue("userid") + if userID == "" { + return "", errors.New("userid was empty") + } + return userID, nil + }) + srv.SetClientInfoHandler(server.ClientFormHandler) + return &s{ + server: srv, + log: log, + } +} diff --git a/internal/oauth/tokenstore.go b/internal/oauth/tokenstore.go new file mode 100644 index 000000000..c4c9ff1d5 --- /dev/null +++ b/internal/oauth/tokenstore.go @@ -0,0 +1,260 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package oauth + +import ( + "context" + "errors" + "fmt" + "time" + + "github.com/sirupsen/logrus" + "github.com/superseriousbusiness/gotosocial/internal/db" + "github.com/superseriousbusiness/oauth2/v4" + "github.com/superseriousbusiness/oauth2/v4/models" +) + +// tokenStore is an implementation of oauth2.TokenStore, which uses our db interface as a storage backend. +type tokenStore struct { + oauth2.TokenStore + db db.DB + log *logrus.Logger +} + +// newTokenStore returns a token store that satisfies the oauth2.TokenStore interface. +// +// In order to allow tokens to 'expire', it will also set off a goroutine that iterates through +// the tokens in the DB once per minute and deletes any that have expired. +func newTokenStore(ctx context.Context, db db.DB, log *logrus.Logger) oauth2.TokenStore { + pts := &tokenStore{ + db: db, + log: log, + } + + // set the token store to clean out expired tokens once per minute, or return if we're done + go func(ctx context.Context, pts *tokenStore, log *logrus.Logger) { + cleanloop: + for { + select { + case <-ctx.Done(): + log.Info("breaking cleanloop") + break cleanloop + case <-time.After(1 * time.Minute): + log.Debug("sweeping out old oauth entries broom broom") + if err := pts.sweep(); err != nil { + log.Errorf("error while sweeping oauth entries: %s", err) + } + } + } + }(ctx, pts, log) + return pts +} + +// sweep clears out old tokens that have expired; it should be run on a loop about once per minute or so. +func (pts *tokenStore) sweep() error { + // select *all* tokens from the db + // todo: if this becomes expensive (ie., there are fucking LOADS of tokens) then figure out a better way. + tokens := new([]*Token) + if err := pts.db.GetAll(tokens); err != nil { + return err + } + + // iterate through and remove expired tokens + now := time.Now() + for _, pgt := range *tokens { + // The zero value of a time.Time is 00:00 january 1 1970, which will always be before now. So: + // we only want to check if a token expired before now if the expiry time is *not zero*; + // ie., if it's been explicity set. + if !pgt.CodeExpiresAt.IsZero() && pgt.CodeExpiresAt.Before(now) || !pgt.RefreshExpiresAt.IsZero() && pgt.RefreshExpiresAt.Before(now) || !pgt.AccessExpiresAt.IsZero() && pgt.AccessExpiresAt.Before(now) { + if err := pts.db.DeleteByID(pgt.ID, &pgt); err != nil { + return err + } + } + } + + return nil +} + +// Create creates and store the new token information. +// For the original implementation, see https://github.com/superseriousbusiness/oauth2/blob/master/store/token.go#L34 +func (pts *tokenStore) Create(ctx context.Context, info oauth2.TokenInfo) error { + t, ok := info.(*models.Token) + if !ok { + return errors.New("info param was not a models.Token") + } + if err := pts.db.Put(oauthTokenToPGToken(t)); err != nil { + return fmt.Errorf("error in tokenstore create: %s", err) + } + return nil +} + +// RemoveByCode deletes a token from the DB based on the Code field +func (pts *tokenStore) RemoveByCode(ctx context.Context, code string) error { + return pts.db.DeleteWhere("code", code, &Token{}) +} + +// RemoveByAccess deletes a token from the DB based on the Access field +func (pts *tokenStore) RemoveByAccess(ctx context.Context, access string) error { + return pts.db.DeleteWhere("access", access, &Token{}) +} + +// RemoveByRefresh deletes a token from the DB based on the Refresh field +func (pts *tokenStore) RemoveByRefresh(ctx context.Context, refresh string) error { + return pts.db.DeleteWhere("refresh", refresh, &Token{}) +} + +// GetByCode selects a token from the DB based on the Code field +func (pts *tokenStore) GetByCode(ctx context.Context, code string) (oauth2.TokenInfo, error) { + if code == "" { + return nil, nil + } + pgt := &Token{ + Code: code, + } + if err := pts.db.GetWhere("code", code, pgt); err != nil { + return nil, err + } + return pgTokenToOauthToken(pgt), nil +} + +// GetByAccess selects a token from the DB based on the Access field +func (pts *tokenStore) GetByAccess(ctx context.Context, access string) (oauth2.TokenInfo, error) { + if access == "" { + return nil, nil + } + pgt := &Token{ + Access: access, + } + if err := pts.db.GetWhere("access", access, pgt); err != nil { + return nil, err + } + return pgTokenToOauthToken(pgt), nil +} + +// GetByRefresh selects a token from the DB based on the Refresh field +func (pts *tokenStore) GetByRefresh(ctx context.Context, refresh string) (oauth2.TokenInfo, error) { + if refresh == "" { + return nil, nil + } + pgt := &Token{ + Refresh: refresh, + } + if err := pts.db.GetWhere("refresh", refresh, pgt); err != nil { + return nil, err + } + return pgTokenToOauthToken(pgt), nil +} + +/* + The following models are basically helpers for the postgres token store implementation, they should only be used internally. +*/ + +// Token is a translation of the gotosocial token with the ExpiresIn fields replaced with ExpiresAt. +// +// Explanation for this: gotosocial assumes an in-memory or file database of some kind, where a time-to-live parameter (TTL) can be defined, +// and tokens with expired TTLs are automatically removed. Since Postgres doesn't have that feature, it's easier to set an expiry time and +// then periodically sweep out tokens when that time has passed. +// +// Note that this struct does *not* satisfy the token interface shown here: https://github.com/superseriousbusiness/oauth2/blob/master/model.go#L22 +// and implemented here: https://github.com/superseriousbusiness/oauth2/blob/master/models/token.go. +// As such, manual translation is always required between Token and the gotosocial *model.Token. The helper functions oauthTokenToPGToken +// and pgTokenToOauthToken can be used for that. +type Token struct { + ID string `pg:"type:uuid,default:gen_random_uuid(),pk,notnull"` + ClientID string + UserID string + RedirectURI string + Scope string + Code string `pg:"default:'',pk"` + CodeChallenge string + CodeChallengeMethod string + CodeCreateAt time.Time `pg:"type:timestamp"` + CodeExpiresAt time.Time `pg:"type:timestamp"` + Access string `pg:"default:'',pk"` + AccessCreateAt time.Time `pg:"type:timestamp"` + AccessExpiresAt time.Time `pg:"type:timestamp"` + Refresh string `pg:"default:'',pk"` + RefreshCreateAt time.Time `pg:"type:timestamp"` + RefreshExpiresAt time.Time `pg:"type:timestamp"` +} + +// oauthTokenToPGToken is a lil util function that takes a gotosocial token and gives back a token for inserting into postgres +func oauthTokenToPGToken(tkn *models.Token) *Token { + now := time.Now() + + // For the following, we want to make sure we're not adding a time.Now() to an *empty* ExpiresIn, otherwise that's + // going to cause all sorts of interesting problems. So check first to make sure that the ExpiresIn is not equal + // to the zero value of a time.Duration, which is 0s. If it *is* empty/nil, just leave the ExpiresAt at nil as well. + + var cea time.Time + if tkn.CodeExpiresIn != 0*time.Second { + cea = now.Add(tkn.CodeExpiresIn) + } + + var aea time.Time + if tkn.AccessExpiresIn != 0*time.Second { + aea = now.Add(tkn.AccessExpiresIn) + } + + var rea time.Time + if tkn.RefreshExpiresIn != 0*time.Second { + rea = now.Add(tkn.RefreshExpiresIn) + } + + return &Token{ + ClientID: tkn.ClientID, + UserID: tkn.UserID, + RedirectURI: tkn.RedirectURI, + Scope: tkn.Scope, + Code: tkn.Code, + CodeChallenge: tkn.CodeChallenge, + CodeChallengeMethod: tkn.CodeChallengeMethod, + CodeCreateAt: tkn.CodeCreateAt, + CodeExpiresAt: cea, + Access: tkn.Access, + AccessCreateAt: tkn.AccessCreateAt, + AccessExpiresAt: aea, + Refresh: tkn.Refresh, + RefreshCreateAt: tkn.RefreshCreateAt, + RefreshExpiresAt: rea, + } +} + +// pgTokenToOauthToken is a lil util function that takes a postgres token and gives back a gotosocial token +func pgTokenToOauthToken(pgt *Token) *models.Token { + now := time.Now() + + return &models.Token{ + ClientID: pgt.ClientID, + UserID: pgt.UserID, + RedirectURI: pgt.RedirectURI, + Scope: pgt.Scope, + Code: pgt.Code, + CodeChallenge: pgt.CodeChallenge, + CodeChallengeMethod: pgt.CodeChallengeMethod, + CodeCreateAt: pgt.CodeCreateAt, + CodeExpiresIn: pgt.CodeExpiresAt.Sub(now), + Access: pgt.Access, + AccessCreateAt: pgt.AccessCreateAt, + AccessExpiresIn: pgt.AccessExpiresAt.Sub(now), + Refresh: pgt.Refresh, + RefreshCreateAt: pgt.RefreshCreateAt, + RefreshExpiresIn: pgt.RefreshExpiresAt.Sub(now), + } +} diff --git a/internal/oauth/tokenstore_test.go b/internal/oauth/tokenstore_test.go new file mode 100644 index 000000000..594b9b5a9 --- /dev/null +++ b/internal/oauth/tokenstore_test.go @@ -0,0 +1,21 @@ +/* + GoToSocial + Copyright (C) 2021 GoToSocial Authors admin@gotosocial.org + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +package oauth + +// TODO: write tests |