owncast/controllers/auth/indieauth/client.go

package indieauth

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"

	"github.com/owncast/owncast/auth"
	ia "github.com/owncast/owncast/auth/indieauth"
	"github.com/owncast/owncast/controllers"
	"github.com/owncast/owncast/core/chat"
	"github.com/owncast/owncast/core/user"
	log "github.com/sirupsen/logrus"
)

// StartAuthFlow will begin the IndieAuth flow for the current user.
func StartAuthFlow(u user.User, w http.ResponseWriter, r *http.Request) {
	type request struct {
		AuthHost string `json:"authHost"`
	}

	type response struct {
		Redirect string `json:"redirect"`
	}

	var authRequest request
	p, err := io.ReadAll(r.Body)
	if err != nil {
		controllers.WriteSimpleResponse(w, false, err.Error())
		return
	}

	if err := json.Unmarshal(p, &authRequest); err != nil {
		controllers.WriteSimpleResponse(w, false, err.Error())
		return
	}

	accessToken := r.URL.Query().Get("accessToken")

	redirectURL, err := ia.StartAuthFlow(authRequest.AuthHost, u.ID, accessToken, u.DisplayName)
	if err != nil {
		controllers.WriteSimpleResponse(w, false, err.Error())
		return
	}

	redirectResponse := response{
		Redirect: redirectURL.String(),
	}
	controllers.WriteResponse(w, redirectResponse)
}

// HandleRedirect will handle the redirect from an IndieAuth server to
// continue the auth flow.
func HandleRedirect(w http.ResponseWriter, r *http.Request) {
	state := r.URL.Query().Get("state")
	code := r.URL.Query().Get("code")
	request, response, err := ia.HandleCallbackCode(code, state)
	if err != nil {
		log.Debugln(err)
		msg := `Unable to complete authentication. <a href="/">Go back.</a><hr/>`
		_ = controllers.WriteString(w, msg, http.StatusBadRequest)
		return
	}

	// Check if a user with this auth already exists, if so, log them in.
	if u := auth.GetUserByAuth(response.Me, auth.IndieAuth); u != nil {
		// Handle existing auth.
		log.Debugln("user with provided indieauth already exists, logging them in")

		// Update the current user's access token to point to the existing user id.
		accessToken := request.CurrentAccessToken
		userID := u.ID
		if err := user.SetAccessTokenToOwner(accessToken, userID); err != nil {
			controllers.WriteSimpleResponse(w, false, err.Error())
			return
		}

		if request.DisplayName != u.DisplayName {
			loginMessage := fmt.Sprintf("**%s** is now authenticated as **%s**", request.DisplayName, u.DisplayName)
			if err := chat.SendSystemAction(loginMessage, true); err != nil {
				log.Errorln(err)
			}
		}

		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)

		return
	}

	// Otherwise, save this as new auth.
	log.Debug("indieauth token does not already exist, saving it as a new one for the current user")
	if err := auth.AddAuth(request.UserID, response.Me, auth.IndieAuth); err != nil {
		controllers.WriteSimpleResponse(w, false, err.Error())
		return
	}

	// Update the current user's authenticated flag so we can show it in
	// the chat UI.
	if err := user.SetUserAsAuthenticated(request.UserID); err != nil {
		log.Errorln(err)
	}

	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
}
IndieAuth support (#1811) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com> 2022-04-21 23:55:26 +02:00			`package indieauth`

			`import (`
			`"encoding/json"`
			`"fmt"`
			`"io"`
			`"net/http"`

			`"github.com/owncast/owncast/auth"`
			`ia "github.com/owncast/owncast/auth/indieauth"`
			`"github.com/owncast/owncast/controllers"`
			`"github.com/owncast/owncast/core/chat"`
			`"github.com/owncast/owncast/core/user"`
			`log "github.com/sirupsen/logrus"`
			`)`

			`// StartAuthFlow will begin the IndieAuth flow for the current user.`
			`func StartAuthFlow(u user.User, w http.ResponseWriter, r *http.Request) {`
			`type request struct {`
			AuthHost string `json:"authHost"`
			`}`

			`type response struct {`
			Redirect string `json:"redirect"`
			`}`

			`var authRequest request`
			`p, err := io.ReadAll(r.Body)`
			`if err != nil {`
			`controllers.WriteSimpleResponse(w, false, err.Error())`
			`return`
			`}`

			`if err := json.Unmarshal(p, &authRequest); err != nil {`
			`controllers.WriteSimpleResponse(w, false, err.Error())`
			`return`
			`}`

			`accessToken := r.URL.Query().Get("accessToken")`

			`redirectURL, err := ia.StartAuthFlow(authRequest.AuthHost, u.ID, accessToken, u.DisplayName)`
			`if err != nil {`
			`controllers.WriteSimpleResponse(w, false, err.Error())`
			`return`
			`}`

			`redirectResponse := response{`
			`Redirect: redirectURL.String(),`
			`}`
			`controllers.WriteResponse(w, redirectResponse)`
			`}`

			`// HandleRedirect will handle the redirect from an IndieAuth server to`
			`// continue the auth flow.`
			`func HandleRedirect(w http.ResponseWriter, r *http.Request) {`
			`state := r.URL.Query().Get("state")`
			`code := r.URL.Query().Get("code")`
			`request, response, err := ia.HandleCallbackCode(code, state)`
			`if err != nil {`
			`log.Debugln(err)`
Do not pass along the raw error. Closes #2491 2022-12-25 05:34:39 +01:00			msg := `Unable to complete authentication. <a href="/">Go back.</a><hr/>`
IndieAuth support (#1811) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com> 2022-04-21 23:55:26 +02:00			`_ = controllers.WriteString(w, msg, http.StatusBadRequest)`
			`return`
			`}`

			`// Check if a user with this auth already exists, if so, log them in.`
			`if u := auth.GetUserByAuth(response.Me, auth.IndieAuth); u != nil {`
			`// Handle existing auth.`
			`log.Debugln("user with provided indieauth already exists, logging them in")`

			`// Update the current user's access token to point to the existing user id.`
			`accessToken := request.CurrentAccessToken`
			`userID := u.ID`
			`if err := user.SetAccessTokenToOwner(accessToken, userID); err != nil {`
			`controllers.WriteSimpleResponse(w, false, err.Error())`
			`return`
			`}`

Only show auth message if name changed 2023-01-30 20:19:50 +01:00			`if request.DisplayName != u.DisplayName {`
			`loginMessage := fmt.Sprintf("%s is now authenticated as %s", request.DisplayName, u.DisplayName)`
			`if err := chat.SendSystemAction(loginMessage, true); err != nil {`
			`log.Errorln(err)`
			`}`
IndieAuth support (#1811) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com> 2022-04-21 23:55:26 +02:00			`}`

			`http.Redirect(w, r, "/", http.StatusTemporaryRedirect)`

			`return`
			`}`

			`// Otherwise, save this as new auth.`
			`log.Debug("indieauth token does not already exist, saving it as a new one for the current user")`
			`if err := auth.AddAuth(request.UserID, response.Me, auth.IndieAuth); err != nil {`
			`controllers.WriteSimpleResponse(w, false, err.Error())`
			`return`
			`}`

			`// Update the current user's authenticated flag so we can show it in`
			`// the chat UI.`
			`if err := user.SetUserAsAuthenticated(request.UserID); err != nil {`
			`log.Errorln(err)`
			`}`

			`http.Redirect(w, r, "/", http.StatusTemporaryRedirect)`
			`}`