chore(api): reorganize web assets and codegen types+handlers

webserver/router/middleware/auth.go

@@ -0,0 +1,156 @@
+package middleware
+
+import (
+	"crypto/subtle"
+	"net/http"
+	"strings"
+
+	"github.com/owncast/owncast/core/data"
+	"github.com/owncast/owncast/models"
+	"github.com/owncast/owncast/persistence/userrepository"
+	"github.com/owncast/owncast/utils"
+	log "github.com/sirupsen/logrus"
+)
+
+// ExternalAccessTokenHandlerFunc is a function that is called after validing access.
+type ExternalAccessTokenHandlerFunc func(models.ExternalAPIUser, http.ResponseWriter, *http.Request)
+
+// UserAccessTokenHandlerFunc is a function that is called after validing user access.
+type UserAccessTokenHandlerFunc func(models.User, http.ResponseWriter, *http.Request)
+
+// RequireAdminAuth wraps a handler requiring HTTP basic auth for it using the given
+// the stream key as the password and and a hardcoded "admin" for username.
+func RequireAdminAuth(handler http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		username := "admin"
+		password := data.GetAdminPassword()
+		realm := "Owncast Authenticated Request"
+
+		// Alow CORS only for localhost:3000 to support Owncast development.
+		validAdminHost := "http://localhost:3000"
+		w.Header().Set("Access-Control-Allow-Origin", validAdminHost)
+		w.Header().Set("Access-Control-Allow-Credentials", "true")
+		w.Header().Set("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization")
+
+		// For request needing CORS, send a 204.
+		if r.Method == "OPTIONS" {
+			w.WriteHeader(http.StatusNoContent)
+			return
+		}
+
+		user, pass, ok := r.BasicAuth()
+
+		// Failed
+		if !ok || subtle.ConstantTimeCompare([]byte(user), []byte(username)) != 1 || utils.ComparseHash(password, pass) != nil {
+			w.Header().Set("WWW-Authenticate", `Basic realm="`+realm+`"`)
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			log.Debugln("Failed admin authentication")
+			return
+		}
+
+		handler(w, r)
+	}
+}
+
+func accessDenied(w http.ResponseWriter) {
+	w.WriteHeader(http.StatusUnauthorized) //nolint
+	w.Write([]byte("unauthorized"))        //nolint
+}
+
+// RequireExternalAPIAccessToken will validate a 3rd party access token.
+func RequireExternalAPIAccessToken(scope string, handler ExternalAccessTokenHandlerFunc) http.HandlerFunc {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// We should accept 3rd party preflight OPTIONS requests.
+		if r.Method == "OPTIONS" {
+			// All OPTIONS requests should have a wildcard CORS header.
+			w.Header().Set("Access-Control-Allow-Origin", "*")
+			w.WriteHeader(http.StatusNoContent)
+			return
+		}
+
+		authHeader := r.Header.Get("Authorization")
+		token := ""
+		if strings.HasPrefix(strings.ToLower(authHeader), "bearer ") {
+			token = authHeader[len("bearer "):]
+		}
+
+		if token == "" {
+			log.Warnln("invalid access token")
+			accessDenied(w)
+			return
+		}
+
+		userRepository := userrepository.Get()
+
+		integration, err := userRepository.GetExternalAPIUserForAccessTokenAndScope(token, scope)
+		if integration == nil || err != nil {
+			accessDenied(w)
+			return
+		}
+
+		// All auth'ed 3rd party requests should have a wildcard CORS header.
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+
+		handler(*integration, w, r)
+
+		if err := userRepository.SetExternalAPIUserAccessTokenAsUsed(token); err != nil {
+			log.Debugln("token not found when updating last_used timestamp")
+		}
+	})
+}
+
+// RequireUserAccessToken will validate a provided user's access token and make sure the associated user is enabled.
+// Not to be used for validating 3rd party access.
+func RequireUserAccessToken(handler UserAccessTokenHandlerFunc) http.HandlerFunc {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		accessToken := r.URL.Query().Get("accessToken")
+		if accessToken == "" {
+			accessDenied(w)
+			return
+		}
+
+		ipAddress := utils.GetIPAddressFromRequest(r)
+		// Check if this client's IP address is banned.
+		if blocked, err := data.IsIPAddressBanned(ipAddress); blocked {
+			log.Debugln("Client ip address has been blocked. Rejecting.")
+			accessDenied(w)
+			return
+		} else if err != nil {
+			log.Errorln("error determining if IP address is blocked: ", err)
+		}
+
+		userRepository := userrepository.Get()
+
+		// A user is required to use the websocket
+		user := userRepository.GetUserByToken(accessToken)
+		if user == nil || !user.IsEnabled() {
+			accessDenied(w)
+			return
+		}
+
+		handler(*user, w, r)
+	})
+}
+
+// RequireUserModerationScopeAccesstoken will validate a provided user's access token and make sure the associated user is enabled
+// and has "MODERATOR" scope assigned to the user.
+func RequireUserModerationScopeAccesstoken(handler http.HandlerFunc) http.HandlerFunc {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		accessToken := r.URL.Query().Get("accessToken")
+		if accessToken == "" {
+			accessDenied(w)
+			return
+		}
+
+		userRepository := userrepository.Get()
+
+		// A user is required to use the websocket
+		user := userRepository.GetUserByToken(accessToken)
+		if user == nil || !user.IsEnabled() || !user.IsModerator() {
+			accessDenied(w)
+			return
+		}
+
+		handler(w, r)
+	})
+}