chore(api): reorganize handlers into webserver package

webserver/handlers/auth/indieauth/client.go

@@ -0,0 +1,107 @@
+package indieauth
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+
+	ia "github.com/owncast/owncast/auth/indieauth"
+	"github.com/owncast/owncast/core/chat"
+	"github.com/owncast/owncast/models"
+	"github.com/owncast/owncast/persistence/userrepository"
+	webutils "github.com/owncast/owncast/webserver/utils"
+	log "github.com/sirupsen/logrus"
+)
+
+// StartAuthFlow will begin the IndieAuth flow for the current user.
+func StartAuthFlow(u models.User, w http.ResponseWriter, r *http.Request) {
+	type request struct {
+		AuthHost string `json:"authHost"`
+	}
+
+	type response struct {
+		Redirect string `json:"redirect"`
+	}
+
+	var authRequest request
+	p, err := io.ReadAll(r.Body)
+	if err != nil {
+		webutils.WriteSimpleResponse(w, false, err.Error())
+		return
+	}
+
+	if err := json.Unmarshal(p, &authRequest); err != nil {
+		webutils.WriteSimpleResponse(w, false, err.Error())
+		return
+	}
+
+	accessToken := r.URL.Query().Get("accessToken")
+
+	redirectURL, err := ia.StartAuthFlow(authRequest.AuthHost, u.ID, accessToken, u.DisplayName)
+	if err != nil {
+		webutils.WriteSimpleResponse(w, false, err.Error())
+		return
+	}
+
+	redirectResponse := response{
+		Redirect: redirectURL.String(),
+	}
+	webutils.WriteResponse(w, redirectResponse)
+}
+
+// HandleRedirect will handle the redirect from an IndieAuth server to
+// continue the auth flow.
+func HandleRedirect(w http.ResponseWriter, r *http.Request) {
+	state := r.URL.Query().Get("state")
+	code := r.URL.Query().Get("code")
+	request, response, err := ia.HandleCallbackCode(code, state)
+	if err != nil {
+		log.Debugln(err)
+		msg := `Unable to complete authentication. <a href="/">Go back.</a><hr/>`
+		_ = webutils.WriteString(w, msg, http.StatusBadRequest)
+		return
+	}
+
+	userRepository := userrepository.Get()
+
+	// Check if a user with this auth already exists, if so, log them in.
+	if u := userRepository.GetUserByAuth(response.Me, models.IndieAuth); u != nil {
+		// Handle existing auth.
+		log.Debugln("user with provided indieauth already exists, logging them in")
+
+		// Update the current user's access token to point to the existing user id.
+		accessToken := request.CurrentAccessToken
+		userID := u.ID
+		if err := userRepository.SetAccessTokenToOwner(accessToken, userID); err != nil {
+			webutils.WriteSimpleResponse(w, false, err.Error())
+			return
+		}
+
+		if request.DisplayName != u.DisplayName {
+			loginMessage := fmt.Sprintf("**%s** is now authenticated as **%s**", request.DisplayName, u.DisplayName)
+			if err := chat.SendSystemAction(loginMessage, true); err != nil {
+				log.Errorln(err)
+			}
+		}
+
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+
+		return
+	}
+
+	// Otherwise, save this as new auth.
+	log.Debug("indieauth token does not already exist, saving it as a new one for the current user")
+	if err := userRepository.AddAuth(request.UserID, response.Me, models.IndieAuth); err != nil {
+		webutils.WriteSimpleResponse(w, false, err.Error())
+		return
+	}
+
+	// Update the current user's authenticated flag so we can show it in
+	// the chat UI.
+	if err := userRepository.SetUserAsAuthenticated(request.UserID); err != nil {
+		log.Errorln(err)
+	}
+
+	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+}

webserver/handlers/auth/indieauth/server.go

@@ -0,0 +1,83 @@
+package indieauth
+
+import (
+	"net/http"
+	"net/url"
+
+	ia "github.com/owncast/owncast/auth/indieauth"
+	"github.com/owncast/owncast/webserver/router/middleware"
+	webutils "github.com/owncast/owncast/webserver/utils"
+)
+
+// HandleAuthEndpoint will handle the IndieAuth auth endpoint.
+func HandleAuthEndpoint(w http.ResponseWriter, r *http.Request) {
+	if r.Method == http.MethodGet {
+		// Require the GET request for IndieAuth to be behind admin login.
+		f := middleware.RequireAdminAuth(HandleAuthEndpointGet)
+		f(w, r)
+		return
+	} else if r.Method == http.MethodPost {
+		HandleAuthEndpointPost(w, r)
+	} else {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		return
+	}
+}
+
+func HandleAuthEndpointGet(w http.ResponseWriter, r *http.Request) {
+	clientID := r.URL.Query().Get("client_id")
+	redirectURI := r.URL.Query().Get("redirect_uri")
+	codeChallenge := r.URL.Query().Get("code_challenge")
+	state := r.URL.Query().Get("state")
+	me := r.URL.Query().Get("me")
+
+	request, err := ia.StartServerAuth(clientID, redirectURI, codeChallenge, state, me)
+	if err != nil {
+		_ = webutils.WriteString(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	// Redirect the client browser with the values we generated to continue
+	// the IndieAuth flow.
+	// If the URL is invalid then return with specific "invalid_request" error.
+	u, err := url.Parse(redirectURI)
+	if err != nil {
+		webutils.WriteResponse(w, ia.Response{
+			Error:            "invalid_request",
+			ErrorDescription: err.Error(),
+		})
+		return
+	}
+
+	redirectParams := u.Query()
+	redirectParams.Set("code", request.Code)
+	redirectParams.Set("state", request.State)
+	u.RawQuery = redirectParams.Encode()
+
+	http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
+}
+
+func HandleAuthEndpointPost(w http.ResponseWriter, r *http.Request) {
+	if err := r.ParseForm(); err != nil {
+		webutils.WriteSimpleResponse(w, false, err.Error())
+		return
+	}
+
+	code := r.PostForm.Get("code")
+	redirectURI := r.PostForm.Get("redirect_uri")
+	clientID := r.PostForm.Get("client_id")
+	codeVerifier := r.PostForm.Get("code_verifier")
+
+	// If the server auth flow cannot be completed then return with specific
+	// "invalid_client" error.
+	response, err := ia.CompleteServerAuth(code, redirectURI, clientID, codeVerifier)
+	if err != nil {
+		webutils.WriteResponse(w, ia.Response{
+			Error:            "invalid_client",
+			ErrorDescription: err.Error(),
+		})
+		return
+	}
+
+	webutils.WriteResponse(w, response)
+}