writefreely
/
writefreely
mirror da https://github.com/writefreely/writefreely.git
2
0
Forka 0
Codice Problemi Rilasci 25 Wiki Attività
A clean, Markdown-based publishing platform made for writers. Write together, and build a community. https://writefreely.org
Non puoi selezionare più di 25 argomenti Gli argomenti devono iniziare con una lettera o un numero, possono includere trattini ('-') e possono essere lunghi fino a 35 caratteri.
907 Commit
45 Rami (Branch)
128 MiB
 
 
 
 
 
Albero (Tree): 37ccf69d81
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da '37ccf69d81'
${ noResults }
writefreely/oauth.go

350 righe
12 KiB
Originale Blame Cronologia 

  1. package writefreely

  2. 

  3. import (

  4. 	"context"

  5. 	"encoding/json"

  6. 	"fmt"

  7. 	"io"

  8. 	"io/ioutil"

  9. 	"net/http"

  10. 	"net/url"

  11. 	"strings"

  12. 	"time"

  13. 

  14. 	"github.com/gorilla/mux"

  15. 	"github.com/gorilla/sessions"

  16. 	"github.com/writeas/impart"

  17. 	"github.com/writeas/web-core/log"

  18. 

  19. 	"github.com/writeas/writefreely/config"

  20. )

  21. 

  22. // TokenResponse contains data returned when a token is created either

  23. // through a code exchange or using a refresh token.

  24. type TokenResponse struct {

  25. 	AccessToken  string `json:"access_token"`

  26. 	ExpiresIn    int    `json:"expires_in"`

  27. 	RefreshToken string `json:"refresh_token"`

  28. 	TokenType    string `json:"token_type"`

  29. 	Error        string `json:"error"`

  30. }

  31. 

  32. // InspectResponse contains data returned when an access token is inspected.

  33. type InspectResponse struct {

  34. 	ClientID    string    `json:"client_id"`

  35. 	UserID      string    `json:"user_id"`

  36. 	ExpiresAt   time.Time `json:"expires_at"`

  37. 	Username    string    `json:"username"`

  38. 	DisplayName string    `json:"-"`

  39. 	Email       string    `json:"email"`

  40. 	Error       string    `json:"error"`

  41. }

  42. 

  43. // tokenRequestMaxLen is the most bytes that we'll read from the /oauth/token

  44. // endpoint. One megabyte is plenty.

  45. const tokenRequestMaxLen = 1000000

  46. 

  47. // infoRequestMaxLen is the most bytes that we'll read from the

  48. // /oauth/inspect endpoint.

  49. const infoRequestMaxLen = 1000000

  50. 

  51. // OAuthDatastoreProvider provides a minimal interface of data store, config,

  52. // and session store for use with the oauth handlers.

  53. type OAuthDatastoreProvider interface {

  54. 	DB() OAuthDatastore

  55. 	Config() *config.Config

  56. 	SessionStore() sessions.Store

  57. }

  58. 

  59. // OAuthDatastore provides a minimal interface of data store methods used in

  60. // oauth functionality.

  61. type OAuthDatastore interface {

  62. 	GetIDForRemoteUser(context.Context, string, string, string) (int64, error)

  63. 	RecordRemoteUserID(context.Context, int64, string, string, string, string) error

  64. 	ValidateOAuthState(context.Context, string) (string, string, int64, error)

  65. 	GenerateOAuthState(context.Context, string, string, int64) (string, error)

  66. 

  67. 	CreateUser(*config.Config, *User, string) error

  68. 	GetUserByID(int64) (*User, error)

  69. }

  70. 

  71. type HttpClient interface {

  72. 	Do(req *http.Request) (*http.Response, error)

  73. }

  74. 

  75. type oauthClient interface {

  76. 	GetProvider() string

  77. 	GetClientID() string

  78. 	GetCallbackLocation() string

  79. 	buildLoginURL(state string) (string, error)

  80. 	exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error)

  81. 	inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error)

  82. }

  83. 

  84. type callbackProxyClient struct {

  85. 	server           string

  86. 	callbackLocation string

  87. 	httpClient       HttpClient

  88. }

  89. 

  90. type oauthHandler struct {

  91. 	Config        *config.Config

  92. 	DB            OAuthDatastore

  93. 	Store         sessions.Store

  94. 	EmailKey      []byte

  95. 	oauthClient   oauthClient

  96. 	callbackProxy *callbackProxyClient

  97. }

  98. 

  99. func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Request) error {

  100. 	ctx := r.Context()

  101. 

  102. 	var attachUser int64

  103. 	if attach := r.URL.Query().Get("attach"); attach == "t" {

  104. 		user, _ := getUserAndSession(app, r)

  105. 		if user == nil {

  106. 			return impart.HTTPError{http.StatusInternalServerError, "cannot attach auth to user: user not found in session"}

  107. 		}

  108. 		attachUser = user.ID

  109. 	}

  110. 

  111. 	state, err := h.DB.GenerateOAuthState(ctx, h.oauthClient.GetProvider(), h.oauthClient.GetClientID(), attachUser)

  112. 	if err != nil {

  113. 		log.Error("viewOauthInit error: %s", err)

  114. 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}

  115. 	}

  116. 

  117. 	if h.callbackProxy != nil {

  118. 		if err := h.callbackProxy.register(ctx, state); err != nil {

  119. 			log.Error("viewOauthInit error: %s", err)

  120. 			return impart.HTTPError{http.StatusInternalServerError, "could not register state server"}

  121. 		}

  122. 	}

  123. 

  124. 	location, err := h.oauthClient.buildLoginURL(state)

  125. 	if err != nil {

  126. 		log.Error("viewOauthInit error: %s", err)

  127. 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}

  128. 	}

  129. 	return impart.HTTPError{http.StatusTemporaryRedirect, location}

  130. }

  131. 

  132. func configureSlackOauth(parentHandler *Handler, r *mux.Router, app *App) {

  133. 	if app.Config().SlackOauth.ClientID != "" {

  134. 		callbackLocation := app.Config().App.Host + "/oauth/callback/slack"

  135. 

  136. 		var stateRegisterClient *callbackProxyClient = nil

  137. 		if app.Config().SlackOauth.CallbackProxyAPI != "" {

  138. 			stateRegisterClient = &callbackProxyClient{

  139. 				server:           app.Config().SlackOauth.CallbackProxyAPI,

  140. 				callbackLocation: app.Config().App.Host + "/oauth/callback/slack",

  141. 				httpClient:       config.DefaultHTTPClient(),

  142. 			}

  143. 			callbackLocation = app.Config().SlackOauth.CallbackProxy

  144. 		}

  145. 		oauthClient := slackOauthClient{

  146. 			ClientID:         app.Config().SlackOauth.ClientID,

  147. 			ClientSecret:     app.Config().SlackOauth.ClientSecret,

  148. 			TeamID:           app.Config().SlackOauth.TeamID,

  149. 			HttpClient:       config.DefaultHTTPClient(),

  150. 			CallbackLocation: callbackLocation,

  151. 		}

  152. 		configureOauthRoutes(parentHandler, r, app, oauthClient, stateRegisterClient)

  153. 	}

  154. }

  155. 

  156. func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {

  157. 	if app.Config().WriteAsOauth.ClientID != "" {

  158. 		callbackLocation := app.Config().App.Host + "/oauth/callback/write.as"

  159. 

  160. 		var callbackProxy *callbackProxyClient = nil

  161. 		if app.Config().WriteAsOauth.CallbackProxy != "" {

  162. 			callbackProxy = &callbackProxyClient{

  163. 				server:           app.Config().WriteAsOauth.CallbackProxyAPI,

  164. 				callbackLocation: app.Config().App.Host + "/oauth/callback/write.as",

  165. 				httpClient:       config.DefaultHTTPClient(),

  166. 			}

  167. 			callbackLocation = app.Config().WriteAsOauth.CallbackProxy

  168. 		}

  169. 

  170. 		oauthClient := writeAsOauthClient{

  171. 			ClientID:         app.Config().WriteAsOauth.ClientID,

  172. 			ClientSecret:     app.Config().WriteAsOauth.ClientSecret,

  173. 			ExchangeLocation: config.OrDefaultString(app.Config().WriteAsOauth.TokenLocation, writeAsExchangeLocation),

  174. 			InspectLocation:  config.OrDefaultString(app.Config().WriteAsOauth.InspectLocation, writeAsIdentityLocation),

  175. 			AuthLocation:     config.OrDefaultString(app.Config().WriteAsOauth.AuthLocation, writeAsAuthLocation),

  176. 			HttpClient:       config.DefaultHTTPClient(),

  177. 			CallbackLocation: callbackLocation,

  178. 		}

  179. 		configureOauthRoutes(parentHandler, r, app, oauthClient, callbackProxy)

  180. 	}

  181. }

  182. 

  183. func configureGitlabOauth(parentHandler *Handler, r *mux.Router, app *App) {

  184. 	if app.Config().GitlabOauth.ClientID != "" {

  185. 		callbackLocation := app.Config().App.Host + "/oauth/callback/gitlab"

  186. 

  187. 		var callbackProxy *callbackProxyClient = nil

  188. 		if app.Config().GitlabOauth.CallbackProxy != "" {

  189. 			callbackProxy = &callbackProxyClient{

  190. 				server:           app.Config().GitlabOauth.CallbackProxyAPI,

  191. 				callbackLocation: app.Config().App.Host + "/oauth/callback/gitlab",

  192. 				httpClient:       config.DefaultHTTPClient(),

  193. 			}

  194. 			callbackLocation = app.Config().GitlabOauth.CallbackProxy

  195. 		}

  196. 

  197. 		address := config.OrDefaultString(app.Config().GitlabOauth.Host, gitlabHost)

  198. 		oauthClient := gitlabOauthClient{

  199. 			ClientID:         app.Config().GitlabOauth.ClientID,

  200. 			ClientSecret:     app.Config().GitlabOauth.ClientSecret,

  201. 			ExchangeLocation: address + "/oauth/token",

  202. 			InspectLocation:  address + "/api/v4/user",

  203. 			AuthLocation:     address + "/oauth/authorize",

  204. 			HttpClient:       config.DefaultHTTPClient(),

  205. 			CallbackLocation: callbackLocation,

  206. 		}

  207. 		configureOauthRoutes(parentHandler, r, app, oauthClient, callbackProxy)

  208. 	}

  209. }

  210. 

  211. func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauthClient oauthClient, callbackProxy *callbackProxyClient) {

  212. 	handler := &oauthHandler{

  213. 		Config:        app.Config(),

  214. 		DB:            app.DB(),

  215. 		Store:         app.SessionStore(),

  216. 		oauthClient:   oauthClient,

  217. 		EmailKey:      app.keys.EmailKey,

  218. 		callbackProxy: callbackProxy,

  219. 	}

  220. 	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthInit)).Methods("GET")

  221. 	r.HandleFunc("/oauth/callback/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")

  222. 	r.HandleFunc("/oauth/signup", parentHandler.OAuth(handler.viewOauthSignup)).Methods("POST")

  223. }

  224. 

  225. func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http.Request) error {

  226. 	ctx := r.Context()

  227. 

  228. 	code := r.FormValue("code")

  229. 	state := r.FormValue("state")

  230. 

  231. 	provider, clientID, attachUserID, err := h.DB.ValidateOAuthState(ctx, state)

  232. 	if err != nil {

  233. 		log.Error("Unable to ValidateOAuthState: %s", err)

  234. 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  235. 	}

  236. 

  237. 	tokenResponse, err := h.oauthClient.exchangeOauthCode(ctx, code)

  238. 	if err != nil {

  239. 		log.Error("Unable to exchangeOauthCode: %s", err)

  240. 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  241. 	}

  242. 

  243. 	// Now that we have the access token, let's use it real quick to make sur

  244. 	// it really really works.

  245. 	tokenInfo, err := h.oauthClient.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)

  246. 	if err != nil {

  247. 		log.Error("Unable to inspectOauthAccessToken: %s", err)

  248. 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  249. 	}

  250. 

  251. 	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID, provider, clientID)

  252. 	if err != nil {

  253. 		log.Error("Unable to GetIDForRemoteUser: %s", err)

  254. 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  255. 	}

  256. 

  257. 	if localUserID != -1 && attachUserID > 0 {

  258. 		if err = addSessionFlash(app, w, r, "This Slack account is already attached to another user.", nil); err != nil {

  259. 			return impart.HTTPError{Status: http.StatusInternalServerError, Message: err.Error()}

  260. 		}

  261. 		return impart.HTTPError{http.StatusFound, "/me/settings"}

  262. 	}

  263. 

  264. 	if localUserID != -1 {

  265. 		user, err := h.DB.GetUserByID(localUserID)

  266. 		if err != nil {

  267. 			log.Error("Unable to GetUserByID %d: %s", localUserID, err)

  268. 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  269. 		}

  270. 		if err = loginOrFail(h.Store, w, r, user); err != nil {

  271. 			log.Error("Unable to loginOrFail %d: %s", localUserID, err)

  272. 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  273. 		}

  274. 		return nil

  275. 	}

  276. 	if attachUserID > 0 {

  277. 		log.Info("attaching to user %d", attachUserID)

  278. 		err = h.DB.RecordRemoteUserID(r.Context(), attachUserID, tokenInfo.UserID, provider, clientID, tokenResponse.AccessToken)

  279. 		if err != nil {

  280. 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}

  281. 		}

  282. 		return impart.HTTPError{http.StatusFound, "/me/settings"}

  283. 	}

  284. 

  285. 	displayName := tokenInfo.DisplayName

  286. 	if len(displayName) == 0 {

  287. 		displayName = tokenInfo.Username

  288. 	}

  289. 

  290. 	tp := &oauthSignupPageParams{

  291. 		AccessToken:     tokenResponse.AccessToken,

  292. 		TokenUsername:   tokenInfo.Username,

  293. 		TokenAlias:      tokenInfo.DisplayName,

  294. 		TokenEmail:      tokenInfo.Email,

  295. 		TokenRemoteUser: tokenInfo.UserID,

  296. 		Provider:        provider,

  297. 		ClientID:        clientID,

  298. 	}

  299. 	tp.TokenHash = tp.HashTokenParams(h.Config.Server.HashSeed)

  300. 

  301. 	return h.showOauthSignupPage(app, w, r, tp, nil)

  302. }

  303. 

  304. func (r *callbackProxyClient) register(ctx context.Context, state string) error {

  305. 	form := url.Values{}

  306. 	form.Add("state", state)

  307. 	form.Add("location", r.callbackLocation)

  308. 	req, err := http.NewRequestWithContext(ctx, "POST", r.server, strings.NewReader(form.Encode()))

  309. 	if err != nil {

  310. 		return err

  311. 	}

  312. 	req.Header.Set("User-Agent", "writefreely")

  313. 	req.Header.Set("Accept", "application/json")

  314. 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

  315. 

  316. 	resp, err := r.httpClient.Do(req)

  317. 	if err != nil {

  318. 		return err

  319. 	}

  320. 	if resp.StatusCode != http.StatusCreated {

  321. 		return fmt.Errorf("unable register state location: %d", resp.StatusCode)

  322. 	}

  323. 

  324. 	return nil

  325. }

  326. 

  327. func limitedJsonUnmarshal(body io.ReadCloser, n int, thing interface{}) error {

  328. 	lr := io.LimitReader(body, int64(n+1))

  329. 	data, err := ioutil.ReadAll(lr)

  330. 	if err != nil {

  331. 		return err

  332. 	}

  333. 	if len(data) == n+1 {

  334. 		return fmt.Errorf("content larger than max read allowance: %d", n)

  335. 	}

  336. 	return json.Unmarshal(data, thing)

  337. }

  338. 

  339. func loginOrFail(store sessions.Store, w http.ResponseWriter, r *http.Request, user *User) error {

  340. 	// An error may be returned, but a valid session should always be returned.

  341. 	session, _ := store.Get(r, cookieName)

  342. 	session.Values[cookieUserVal] = user.Cookie()

  343. 	if err := session.Save(r, w); err != nil {

  344. 		fmt.Println("error saving session", err)

  345. 		return err

  346. 	}

  347. 	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)

  348. 	return nil

  349. }