Prune expired auth requests + add global max limit. Closes #2490
This commit is contained in:
parent
a5f6f49280
commit
87eeeffa1c
@ -2,9 +2,13 @@ package fediverse
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"errors"
|
||||
"io"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
// OTPRegistration represents a single OTP request.
|
||||
@ -18,19 +22,53 @@ type OTPRegistration struct {
|
||||
|
||||
// Key by access token to limit one OTP request for a person
|
||||
// to be active at a time.
|
||||
var pendingAuthRequests = make(map[string]OTPRegistration)
|
||||
var (
|
||||
pendingAuthRequests = make(map[string]OTPRegistration)
|
||||
lock = sync.Mutex{}
|
||||
)
|
||||
|
||||
const registrationTimeout = time.Minute * 10
|
||||
const (
|
||||
registrationTimeout = time.Minute * 10
|
||||
maxPendingRequests = 1000
|
||||
)
|
||||
|
||||
func init() {
|
||||
go setupExpiredRequestPruner()
|
||||
}
|
||||
|
||||
// Clear out any pending requests that have been pending for greater than
|
||||
// the specified timeout value.
|
||||
func setupExpiredRequestPruner() {
|
||||
pruneExpiredRequestsTimer := time.NewTicker(registrationTimeout)
|
||||
|
||||
for range pruneExpiredRequestsTimer.C {
|
||||
lock.Lock()
|
||||
log.Debugln("Pruning expired OTP requests.")
|
||||
for k, v := range pendingAuthRequests {
|
||||
if time.Since(v.Timestamp) > registrationTimeout {
|
||||
delete(pendingAuthRequests, k)
|
||||
}
|
||||
}
|
||||
lock.Unlock()
|
||||
}
|
||||
}
|
||||
|
||||
// RegisterFediverseOTP will start the OTP flow for a user, creating a new
|
||||
// code and returning it to be sent to a destination.
|
||||
func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string) (OTPRegistration, bool) {
|
||||
func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string) (OTPRegistration, bool, error) {
|
||||
request, requestExists := pendingAuthRequests[accessToken]
|
||||
|
||||
// If a request is already registered and has not expired then return that
|
||||
// existing request.
|
||||
if requestExists && time.Since(request.Timestamp) < registrationTimeout {
|
||||
return request, false
|
||||
return request, false, nil
|
||||
}
|
||||
|
||||
lock.Lock()
|
||||
defer lock.Unlock()
|
||||
|
||||
if len(pendingAuthRequests)+1 > maxPendingRequests {
|
||||
return request, false, errors.New("Please try again later. Too many pending requests.")
|
||||
}
|
||||
|
||||
code, _ := createCode()
|
||||
@ -43,7 +81,7 @@ func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string)
|
||||
}
|
||||
pendingAuthRequests[accessToken] = r
|
||||
|
||||
return r, true
|
||||
return r, true, nil
|
||||
}
|
||||
|
||||
// ValidateFediverseOTP will verify a OTP code for a auth request.
|
||||
@ -54,6 +92,9 @@ func ValidateFediverseOTP(accessToken, code string) (bool, *OTPRegistration) {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
lock.Lock()
|
||||
defer lock.Unlock()
|
||||
|
||||
delete(pendingAuthRequests, accessToken)
|
||||
return true, &request
|
||||
}
|
||||
|
@ -3,6 +3,8 @@ package fediverse
|
||||
import (
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"github.com/owncast/owncast/utils"
|
||||
)
|
||||
|
||||
const (
|
||||
@ -13,7 +15,10 @@ const (
|
||||
)
|
||||
|
||||
func TestOTPFlowValidation(t *testing.T) {
|
||||
r, success := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
|
||||
r, success, err := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
|
||||
if err != nil {
|
||||
t.Error(err)
|
||||
}
|
||||
|
||||
if !success {
|
||||
t.Error("Registration should be permitted.")
|
||||
@ -50,8 +55,8 @@ func TestOTPFlowValidation(t *testing.T) {
|
||||
}
|
||||
|
||||
func TestSingleOTPFlowRequest(t *testing.T) {
|
||||
r1, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
|
||||
r2, s2 := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
|
||||
r1, _, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
|
||||
r2, s2, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
|
||||
|
||||
if r1.Code != r2.Code {
|
||||
t.Error("Only one registration should be permitted.")
|
||||
@ -65,14 +70,42 @@ func TestSingleOTPFlowRequest(t *testing.T) {
|
||||
func TestAccountCaseInsensitive(t *testing.T) {
|
||||
account := "Account"
|
||||
accessToken := "another-fake-access-token"
|
||||
r1, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
|
||||
r1, _, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
|
||||
_, reg1 := ValidateFediverseOTP(accessToken, r1.Code)
|
||||
|
||||
// Simulate second auth with account in different case
|
||||
r2, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, strings.ToUpper(account))
|
||||
r2, _, _ := RegisterFediverseOTP(accessToken, userID, userDisplayName, strings.ToUpper(account))
|
||||
_, reg2 := ValidateFediverseOTP(accessToken, r2.Code)
|
||||
|
||||
if reg1.Account != reg2.Account {
|
||||
t.Errorf("Account names should be case-insensitive: %s %s", reg1.Account, reg2.Account)
|
||||
}
|
||||
}
|
||||
|
||||
func TestLimitGlobalPendingRequests(t *testing.T) {
|
||||
for i := 0; i < maxPendingRequests-1; i++ {
|
||||
at, _ := utils.GenerateRandomString(10)
|
||||
uid, _ := utils.GenerateRandomString(10)
|
||||
account, _ := utils.GenerateRandomString(10)
|
||||
|
||||
_, success, error := RegisterFediverseOTP(at, uid, "userDisplayName", account)
|
||||
if !success {
|
||||
t.Error("Registration should be permitted.", i, " of ", len(pendingAuthRequests))
|
||||
}
|
||||
if error != nil {
|
||||
t.Error(error)
|
||||
}
|
||||
}
|
||||
|
||||
// This one should fail
|
||||
at, _ := utils.GenerateRandomString(10)
|
||||
uid, _ := utils.GenerateRandomString(10)
|
||||
account, _ := utils.GenerateRandomString(10)
|
||||
_, success, error := RegisterFediverseOTP(at, uid, "userDisplayName", account)
|
||||
if success {
|
||||
t.Error("Registration should not be permitted.")
|
||||
}
|
||||
if error == nil {
|
||||
t.Error("Error should be returned.")
|
||||
}
|
||||
}
|
||||
|
@ -8,16 +8,48 @@ import (
|
||||
"net/url"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
"github.com/owncast/owncast/core/data"
|
||||
"github.com/pkg/errors"
|
||||
log "github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
var pendingAuthRequests = make(map[string]*Request)
|
||||
var (
|
||||
pendingAuthRequests = make(map[string]*Request)
|
||||
lock = sync.Mutex{}
|
||||
)
|
||||
|
||||
const registrationTimeout = time.Minute * 10
|
||||
|
||||
func init() {
|
||||
go setupExpiredRequestPruner()
|
||||
}
|
||||
|
||||
// Clear out any pending requests that have been pending for greater than
|
||||
// the specified timeout value.
|
||||
func setupExpiredRequestPruner() {
|
||||
pruneExpiredRequestsTimer := time.NewTicker(registrationTimeout)
|
||||
|
||||
for range pruneExpiredRequestsTimer.C {
|
||||
lock.Lock()
|
||||
log.Debugln("Pruning expired IndieAuth requests.")
|
||||
for k, v := range pendingAuthRequests {
|
||||
if time.Since(v.Timestamp) > registrationTimeout {
|
||||
delete(pendingAuthRequests, k)
|
||||
}
|
||||
}
|
||||
lock.Unlock()
|
||||
}
|
||||
}
|
||||
|
||||
// StartAuthFlow will begin the IndieAuth flow by generating an auth request.
|
||||
func StartAuthFlow(authHost, userID, accessToken, displayName string) (*url.URL, error) {
|
||||
if len(pendingAuthRequests) >= maxPendingRequests {
|
||||
return nil, errors.New("Please try again later. Too many pending requests.")
|
||||
}
|
||||
|
||||
serverURL := data.GetServerURL()
|
||||
if serverURL == "" {
|
||||
return nil, errors.New("Owncast server URL must be set when using auth")
|
||||
|
@ -7,6 +7,7 @@ import (
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/andybalholm/cascadia"
|
||||
"github.com/pkg/errors"
|
||||
@ -63,6 +64,7 @@ func createAuthRequest(authDestination, userID, displayName, accessToken, baseSe
|
||||
State: state,
|
||||
Redirect: &redirect,
|
||||
Callback: &callbackURL,
|
||||
Timestamp: time.Now(),
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
35
auth/indieauth/indieauth_test.go
Normal file
35
auth/indieauth/indieauth_test.go
Normal file
@ -0,0 +1,35 @@
|
||||
package indieauth
|
||||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/owncast/owncast/utils"
|
||||
)
|
||||
|
||||
func TestLimitGlobalPendingRequests(t *testing.T) {
|
||||
// Simulate 10 pending requests
|
||||
for i := 0; i < maxPendingRequests-1; i++ {
|
||||
cid, _ := utils.GenerateRandomString(10)
|
||||
redirectURL, _ := utils.GenerateRandomString(10)
|
||||
cc, _ := utils.GenerateRandomString(10)
|
||||
state, _ := utils.GenerateRandomString(10)
|
||||
me, _ := utils.GenerateRandomString(10)
|
||||
|
||||
_, err := StartServerAuth(cid, redirectURL, cc, state, me)
|
||||
if err != nil {
|
||||
t.Error("Registration should be permitted.", i, " of ", len(pendingAuthRequests), err)
|
||||
}
|
||||
}
|
||||
|
||||
// This should throw an error
|
||||
cid, _ := utils.GenerateRandomString(10)
|
||||
redirectURL, _ := utils.GenerateRandomString(10)
|
||||
cc, _ := utils.GenerateRandomString(10)
|
||||
state, _ := utils.GenerateRandomString(10)
|
||||
me, _ := utils.GenerateRandomString(10)
|
||||
|
||||
_, err := StartServerAuth(cid, redirectURL, cc, state, me)
|
||||
if err == nil {
|
||||
t.Error("Registration should not be permitted.")
|
||||
}
|
||||
}
|
@ -1,6 +1,9 @@
|
||||
package indieauth
|
||||
|
||||
import "net/url"
|
||||
import (
|
||||
"net/url"
|
||||
"time"
|
||||
)
|
||||
|
||||
// Request represents a single in-flight IndieAuth request.
|
||||
type Request struct {
|
||||
@ -15,4 +18,5 @@ type Request struct {
|
||||
CodeChallenge string
|
||||
State string
|
||||
Me *url.URL
|
||||
Timestamp time.Time
|
||||
}
|
||||
|
@ -2,6 +2,7 @@ package indieauth
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/owncast/owncast/core/data"
|
||||
"github.com/pkg/errors"
|
||||
@ -17,6 +18,7 @@ type ServerAuthRequest struct {
|
||||
State string
|
||||
Me string
|
||||
Code string
|
||||
Timestamp time.Time
|
||||
}
|
||||
|
||||
// ServerProfile represents basic user-provided data about this Owncast instance.
|
||||
@ -38,10 +40,16 @@ type ServerProfileResponse struct {
|
||||
|
||||
var pendingServerAuthRequests = map[string]ServerAuthRequest{}
|
||||
|
||||
const maxPendingRequests = 1000
|
||||
|
||||
// StartServerAuth will handle the authentication for the admin user of this
|
||||
// Owncast server. Initiated via a GET of the auth endpoint.
|
||||
// https://indieweb.org/authorization-endpoint
|
||||
func StartServerAuth(clientID, redirectURI, codeChallenge, state, me string) (*ServerAuthRequest, error) {
|
||||
if len(pendingServerAuthRequests)+1 >= maxPendingRequests {
|
||||
return nil, errors.New("Please try again later. Too many pending requests.")
|
||||
}
|
||||
|
||||
code := shortid.MustGenerate()
|
||||
|
||||
r := ServerAuthRequest{
|
||||
@ -51,6 +59,7 @@ func StartServerAuth(clientID, redirectURI, codeChallenge, state, me string) (*S
|
||||
State: state,
|
||||
Me: me,
|
||||
Code: code,
|
||||
Timestamp: time.Now(),
|
||||
}
|
||||
|
||||
pendingServerAuthRequests[code] = r
|
||||
|
@ -28,7 +28,12 @@ func RegisterFediverseOTPRequest(u user.User, w http.ResponseWriter, r *http.Req
|
||||
}
|
||||
|
||||
accessToken := r.URL.Query().Get("accessToken")
|
||||
reg, success := fediverseauth.RegisterFediverseOTP(accessToken, u.ID, u.DisplayName, req.FediverseAccount)
|
||||
reg, success, err := fediverseauth.RegisterFediverseOTP(accessToken, u.ID, u.DisplayName, req.FediverseAccount)
|
||||
if err != nil {
|
||||
controllers.WriteSimpleResponse(w, false, "Could not register auth request: "+err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
if !success {
|
||||
controllers.WriteSimpleResponse(w, false, "Could not register auth request. One may already be pending. Try again later.")
|
||||
return
|
||||
|
@ -33,7 +33,7 @@ func handleAuthEndpointGet(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
request, err := ia.StartServerAuth(clientID, redirectURI, codeChallenge, state, me)
|
||||
if err != nil {
|
||||
// Return a human readable, HTML page as an error. JSON is no use here.
|
||||
_ = controllers.WriteString(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user