writefreely
/
writefreely
mirror of https://github.com/writefreely/writefreely.git
2
0
Fork 0
Code Issues Releases 25 Wiki Activity
A clean, Markdown-based publishing platform made for writers. Write together, and build a community. https://writefreely.org
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
771 Commits
45 Branches
203 MiB
 
 
 
 
 
Tree: 468bbf2187
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '468bbf2187'
${ noResults }
writefreely/oauth_signup.go

219 lines
6.5 KiB
Raw Blame History 

  1. /*

  2.  * Copyright © 2020 A Bunch Tell LLC.

  3.  *

  4.  * This file is part of WriteFreely.

  5.  *

  6.  * WriteFreely is free software: you can redistribute it and/or modify

  7.  * it under the terms of the GNU Affero General Public License, included

  8.  * in the LICENSE file in this source code package.

  9.  */

  10. 

  11. package writefreely

  12. 

  13. import (

  14. 	"crypto/sha256"

  15. 	"encoding/hex"

  16. 	"fmt"

  17. 	"github.com/writeas/impart"

  18. 	"github.com/writeas/web-core/auth"

  19. 	"github.com/writeas/web-core/log"

  20. 	"github.com/writeas/writefreely/page"

  21. 	"html/template"

  22. 	"net/http"

  23. 	"strings"

  24. 	"time"

  25. )

  26. 

  27. type viewOauthSignupVars struct {

  28. 	page.StaticPage

  29. 	To      string

  30. 	Message template.HTML

  31. 	Flashes []template.HTML

  32. 

  33. 	AccessToken     string

  34. 	TokenUsername   string

  35. 	TokenAlias      string // TODO: rename this to match the data it represents: the collection title

  36. 	TokenEmail      string

  37. 	TokenRemoteUser string

  38. 	Provider        string

  39. 	ClientID        string

  40. 	TokenHash       string

  41. 

  42. 	LoginUsername string

  43. 	Alias         string // TODO: rename this to match the data it represents: the collection title

  44. 	Email         string

  45. }

  46. 

  47. const (

  48. 	oauthParamAccessToken       = "access_token"

  49. 	oauthParamTokenUsername     = "token_username"

  50. 	oauthParamTokenAlias        = "token_alias"

  51. 	oauthParamTokenEmail        = "token_email"

  52. 	oauthParamTokenRemoteUserID = "token_remote_user"

  53. 	oauthParamClientID          = "client_id"

  54. 	oauthParamProvider          = "provider"

  55. 	oauthParamHash              = "signature"

  56. 	oauthParamUsername          = "username"

  57. 	oauthParamAlias             = "alias"

  58. 	oauthParamEmail             = "email"

  59. 	oauthParamPassword          = "password"

  60. )

  61. 

  62. type oauthSignupPageParams struct {

  63. 	AccessToken     string

  64. 	TokenUsername   string

  65. 	TokenAlias      string // TODO: rename this to match the data it represents: the collection title

  66. 	TokenEmail      string

  67. 	TokenRemoteUser string

  68. 	ClientID        string

  69. 	Provider        string

  70. 	TokenHash       string

  71. }

  72. 

  73. func (p oauthSignupPageParams) HashTokenParams(key string) string {

  74. 	hasher := sha256.New()

  75. 	hasher.Write([]byte(key))

  76. 	hasher.Write([]byte(p.AccessToken))

  77. 	hasher.Write([]byte(p.TokenUsername))

  78. 	hasher.Write([]byte(p.TokenAlias))

  79. 	hasher.Write([]byte(p.TokenEmail))

  80. 	hasher.Write([]byte(p.TokenRemoteUser))

  81. 	hasher.Write([]byte(p.ClientID))

  82. 	hasher.Write([]byte(p.Provider))

  83. 	return hex.EncodeToString(hasher.Sum(nil))

  84. }

  85. 

  86. func (h oauthHandler) viewOauthSignup(app *App, w http.ResponseWriter, r *http.Request) error {

  87. 	tp := &oauthSignupPageParams{

  88. 		AccessToken:     r.FormValue(oauthParamAccessToken),

  89. 		TokenUsername:   r.FormValue(oauthParamTokenUsername),

  90. 		TokenAlias:      r.FormValue(oauthParamTokenAlias),

  91. 		TokenEmail:      r.FormValue(oauthParamTokenEmail),

  92. 		TokenRemoteUser: r.FormValue(oauthParamTokenRemoteUserID),

  93. 		ClientID:        r.FormValue(oauthParamClientID),

  94. 		Provider:        r.FormValue(oauthParamProvider),

  95. 	}

  96. 	if tp.HashTokenParams(h.Config.Server.HashSeed) != r.FormValue(oauthParamHash) {

  97. 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Request has been tampered with."}

  98. 	}

  99. 	tp.TokenHash = tp.HashTokenParams(h.Config.Server.HashSeed)

  100. 	if err := h.validateOauthSignup(r); err != nil {

  101. 		return h.showOauthSignupPage(app, w, r, tp, err)

  102. 	}

  103. 

  104. 	var err error

  105. 	hashedPass := []byte{}

  106. 	clearPass := r.FormValue(oauthParamPassword)

  107. 	hasPass := clearPass != ""

  108. 	if hasPass {

  109. 		hashedPass, err = auth.HashPass([]byte(clearPass))

  110. 		if err != nil {

  111. 			return h.showOauthSignupPage(app, w, r, tp, fmt.Errorf("unable to hash password"))

  112. 		}

  113. 	}

  114. 	newUser := &User{

  115. 		Username:   r.FormValue(oauthParamUsername),

  116. 		HashedPass: hashedPass,

  117. 		HasPass:    hasPass,

  118. 		Email:      prepareUserEmail(r.FormValue(oauthParamEmail), h.EmailKey),

  119. 		Created:    time.Now().Truncate(time.Second).UTC(),

  120. 	}

  121. 	displayName := r.FormValue(oauthParamAlias)

  122. 	if len(displayName) == 0 {

  123. 		displayName = r.FormValue(oauthParamUsername)

  124. 	}

  125. 

  126. 	err = h.DB.CreateUser(h.Config, newUser, displayName)

  127. 	if err != nil {

  128. 		return h.showOauthSignupPage(app, w, r, tp, err)

  129. 	}

  130. 

  131. 	err = h.DB.RecordRemoteUserID(r.Context(), newUser.ID, r.FormValue(oauthParamTokenRemoteUserID), r.FormValue(oauthParamProvider), r.FormValue(oauthParamClientID), r.FormValue(oauthParamAccessToken))

  132. 	if err != nil {

  133. 		return h.showOauthSignupPage(app, w, r, tp, err)

  134. 	}

  135. 

  136. 	if err := loginOrFail(h.Store, w, r, newUser); err != nil {

  137. 		return h.showOauthSignupPage(app, w, r, tp, err)

  138. 	}

  139. 	return nil

  140. }

  141. 

  142. func (h oauthHandler) validateOauthSignup(r *http.Request) error {

  143. 	username := r.FormValue(oauthParamUsername)

  144. 	if len(username) < h.Config.App.MinUsernameLen {

  145. 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Username is too short."}

  146. 	}

  147. 	if len(username) > 100 {

  148. 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Username is too long."}

  149. 	}

  150. 	collTitle := r.FormValue(oauthParamAlias)

  151. 	if len(collTitle) == 0 {

  152. 		collTitle = username

  153. 	}

  154. 	email := r.FormValue(oauthParamEmail)

  155. 	if len(email) > 0 {

  156. 		parts := strings.Split(email, "@")

  157. 		if len(parts) != 2 || (len(parts[0]) < 1 || len(parts[1]) < 1) {

  158. 			return impart.HTTPError{Status: http.StatusBadRequest, Message: "Invalid email address"}

  159. 		}

  160. 	}

  161. 	return nil

  162. }

  163. 

  164. func (h oauthHandler) showOauthSignupPage(app *App, w http.ResponseWriter, r *http.Request, tp *oauthSignupPageParams, errMsg error) error {

  165. 	username := tp.TokenUsername

  166. 	collTitle := tp.TokenAlias

  167. 	email := tp.TokenEmail

  168. 

  169. 	session, err := app.sessionStore.Get(r, cookieName)

  170. 	if err != nil {

  171. 		// Ignore this

  172. 		log.Error("Unable to get session; ignoring: %v", err)

  173. 	}

  174. 

  175. 	if tmpValue := r.FormValue(oauthParamUsername); len(tmpValue) > 0 {

  176. 		username = tmpValue

  177. 	}

  178. 	if tmpValue := r.FormValue(oauthParamAlias); len(tmpValue) > 0 {

  179. 		collTitle = tmpValue

  180. 	}

  181. 	if tmpValue := r.FormValue(oauthParamEmail); len(tmpValue) > 0 {

  182. 		email = tmpValue

  183. 	}

  184. 

  185. 	p := &viewOauthSignupVars{

  186. 		StaticPage: pageForReq(app, r),

  187. 		To:         r.FormValue("to"),

  188. 		Flashes:    []template.HTML{},

  189. 

  190. 		AccessToken:     tp.AccessToken,

  191. 		TokenUsername:   tp.TokenUsername,

  192. 		TokenAlias:      tp.TokenAlias,

  193. 		TokenEmail:      tp.TokenEmail,

  194. 		TokenRemoteUser: tp.TokenRemoteUser,

  195. 		Provider:        tp.Provider,

  196. 		ClientID:        tp.ClientID,

  197. 		TokenHash:       tp.TokenHash,

  198. 

  199. 		LoginUsername: username,

  200. 		Alias:         collTitle,

  201. 		Email:         email,

  202. 	}

  203. 

  204. 	// Display any error messages

  205. 	flashes, _ := getSessionFlashes(app, w, r, session)

  206. 	for _, flash := range flashes {

  207. 		p.Flashes = append(p.Flashes, template.HTML(flash))

  208. 	}

  209. 	if errMsg != nil {

  210. 		p.Flashes = append(p.Flashes, template.HTML(errMsg.Error()))

  211. 	}

  212. 	err = pages["signup-oauth.tmpl"].ExecuteTemplate(w, "base", p)

  213. 	if err != nil {

  214. 		log.Error("Unable to render signup-oauth: %v", err)

  215. 		return err

  216. 	}

  217. 	return nil

  218. }