b835de2dc4
* Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com>
149 lines
5.0 KiB
Go
149 lines
5.0 KiB
Go
package middleware
|
|
|
|
import (
|
|
"crypto/subtle"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/owncast/owncast/core/data"
|
|
"github.com/owncast/owncast/core/user"
|
|
"github.com/owncast/owncast/utils"
|
|
log "github.com/sirupsen/logrus"
|
|
)
|
|
|
|
// ExternalAccessTokenHandlerFunc is a function that is called after validing access.
|
|
type ExternalAccessTokenHandlerFunc func(user.ExternalAPIUser, http.ResponseWriter, *http.Request)
|
|
|
|
// UserAccessTokenHandlerFunc is a function that is called after validing user access.
|
|
type UserAccessTokenHandlerFunc func(user.User, http.ResponseWriter, *http.Request)
|
|
|
|
// RequireAdminAuth wraps a handler requiring HTTP basic auth for it using the given
|
|
// the stream key as the password and and a hardcoded "admin" for username.
|
|
func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
username := "admin"
|
|
password := data.GetStreamKey()
|
|
realm := "Owncast Authenticated Request"
|
|
|
|
// The following line is kind of a work around.
|
|
// If you want HTTP Basic Auth + Cors it requires _explicit_ origins to be provided in the
|
|
// Access-Control-Allow-Origin header. So we just pull out the origin header and specify it.
|
|
// If we want to lock down admin APIs to not be CORS accessible for anywhere, this is where we would do that.
|
|
w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
|
|
w.Header().Set("Access-Control-Allow-Credentials", "true")
|
|
w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
|
|
|
|
// For request needing CORS, send a 204.
|
|
if r.Method == "OPTIONS" {
|
|
w.WriteHeader(http.StatusNoContent)
|
|
return
|
|
}
|
|
|
|
user, pass, ok := r.BasicAuth()
|
|
|
|
// Failed
|
|
if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || subtle.ConstantTimeCompare([]byte(pass), []byte(password)) != 1 {
|
|
w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
|
|
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
|
log.Debugln("Failed admin authentication")
|
|
return
|
|
}
|
|
|
|
handler(w, r)
|
|
}
|
|
}
|
|
|
|
func accessDenied(w http.ResponseWriter) {
|
|
w.WriteHeader(http.StatusUnauthorized) //nolint
|
|
w.Write([]byte("unauthorized")) //nolint
|
|
}
|
|
|
|
// RequireExternalAPIAccessToken will validate a 3rd party access token.
|
|
func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHandlerFunc) http.HandlerFunc {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// We should accept 3rd party preflight OPTIONS requests.
|
|
if r.Method == "OPTIONS" {
|
|
// All OPTIONS requests should have a wildcard CORS header.
|
|
w.Header().Set("Access-Control-Allow-Origin", "*")
|
|
w.WriteHeader(http.StatusNoContent)
|
|
return
|
|
}
|
|
|
|
authHeader := strings.Split(r.Header.Get("Authorization"), "Bearer ")
|
|
token := strings.Join(authHeader, "")
|
|
|
|
if len(authHeader) == 0 || token == "" {
|
|
log.Warnln("invalid access token")
|
|
accessDenied(w)
|
|
return
|
|
}
|
|
|
|
integration, err := user.GetExternalAPIUserForAccessTokenAndScope(token, scope)
|
|
if integration == nil || err != nil {
|
|
accessDenied(w)
|
|
return
|
|
}
|
|
|
|
// All auth'ed 3rd party requests should have a wildcard CORS header.
|
|
w.Header().Set("Access-Control-Allow-Origin", "*")
|
|
|
|
handler(*integration, w, r)
|
|
|
|
if err := user.SetExternalAPIUserAccessTokenAsUsed(token); err != nil {
|
|
log.Debugln("token not found when updating last_used timestamp")
|
|
}
|
|
})
|
|
}
|
|
|
|
// RequireUserAccessToken will validate a provided user's access token and make sure the associated user is enabled.
|
|
// Not to be used for validating 3rd party access.
|
|
func RequireUserAccessToken(handler UserAccessTokenHandlerFunc) http.HandlerFunc {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
accessToken := r.URL.Query().Get("accessToken")
|
|
if accessToken == "" {
|
|
accessDenied(w)
|
|
return
|
|
}
|
|
|
|
ipAddress := utils.GetIPAddressFromRequest(r)
|
|
// Check if this client's IP address is banned.
|
|
if blocked, err := data.IsIPAddressBanned(ipAddress); blocked {
|
|
log.Debugln("Client ip address has been blocked. Rejecting.")
|
|
accessDenied(w)
|
|
return
|
|
} else if err != nil {
|
|
log.Errorln("error determining if IP address is blocked: ", err)
|
|
}
|
|
|
|
// A user is required to use the websocket
|
|
user := user.GetUserByToken(accessToken)
|
|
if user == nil || !user.IsEnabled() {
|
|
accessDenied(w)
|
|
return
|
|
}
|
|
|
|
handler(*user, w, r)
|
|
})
|
|
}
|
|
|
|
// RequireUserModerationScopeAccesstoken will validate a provided user's access token and make sure the associated user is enabled
|
|
// and has "MODERATOR" scope assigned to the user.
|
|
func RequireUserModerationScopeAccesstoken(handler http.HandlerFunc) http.HandlerFunc {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
accessToken := r.URL.Query().Get("accessToken")
|
|
if accessToken == "" {
|
|
accessDenied(w)
|
|
return
|
|
}
|
|
|
|
// A user is required to use the websocket
|
|
user := user.GetUserByToken(accessToken)
|
|
if user == nil || !user.IsEnabled() || !user.IsModerator() {
|
|
accessDenied(w)
|
|
return
|
|
}
|
|
|
|
handler(w, r)
|
|
})
|
|
}
|