Fediverse-based authentication (#1846)
* Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text
This commit is contained in:
Gabe Kangas
98
controllers/auth/fediverse/fediverse.go
Normal file
98
controllers/auth/fediverse/fediverse.go
Normal file
@@ -0,0 +1,98 @@
|
||||
package fediverse
|
||||
|
||||
import (
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"net/http"
|
||||
|
||||
"github.com/owncast/owncast/activitypub"
|
||||
"github.com/owncast/owncast/auth"
|
||||
"github.com/owncast/owncast/auth/fediverse"
|
||||
fediverseauth "github.com/owncast/owncast/auth/fediverse"
|
||||
"github.com/owncast/owncast/controllers"
|
||||
"github.com/owncast/owncast/core/chat"
|
||||
"github.com/owncast/owncast/core/data"
|
||||
"github.com/owncast/owncast/core/user"
|
||||
log "github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
// RegisterFediverseOTPRequest registers a new OTP request for the given access token.
|
||||
func RegisterFediverseOTPRequest(u user.User, w http.ResponseWriter, r *http.Request) {
|
||||
type request struct {
|
||||
FediverseAccount string `json:"account"`
|
||||
}
|
||||
var req request
|
||||
decoder := json.NewDecoder(r.Body)
|
||||
if err := decoder.Decode(&req); err != nil {
|
||||
controllers.WriteSimpleResponse(w, false, "Could not decode request: "+err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
accessToken := r.URL.Query().Get("accessToken")
|
||||
reg := fediverseauth.RegisterFediverseOTP(accessToken, u.ID, u.DisplayName, req.FediverseAccount)
|
||||
msg := fmt.Sprintf("<p>This is an automated message from %s. If you did not request this message please ignore or block. Your requested one-time code is:</p><p>%s</p>", data.GetServerName(), reg.Code)
|
||||
if err := activitypub.SendDirectFederatedMessage(msg, reg.Account); err != nil {
|
||||
controllers.WriteSimpleResponse(w, false, "Could not send code to fediverse: "+err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
controllers.WriteSimpleResponse(w, true, "")
|
||||
}
|
||||
|
||||
// VerifyFediverseOTPRequest verifies the given OTP code for the given access token.
|
||||
func VerifyFediverseOTPRequest(w http.ResponseWriter, r *http.Request) {
|
||||
type request struct {
|
||||
Code string `json:"code"`
|
||||
}
|
||||
|
||||
var req request
|
||||
decoder := json.NewDecoder(r.Body)
|
||||
if err := decoder.Decode(&req); err != nil {
|
||||
controllers.WriteSimpleResponse(w, false, "Could not decode request: "+err.Error())
|
||||
return
|
||||
}
|
||||
accessToken := r.URL.Query().Get("accessToken")
|
||||
valid, authRegistration := fediverse.ValidateFediverseOTP(accessToken, req.Code)
|
||||
if !valid {
|
||||
w.WriteHeader(http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
|
||||
// Check if a user with this auth already exists, if so, log them in.
|
||||
if u := auth.GetUserByAuth(authRegistration.Account, auth.Fediverse); u != nil {
|
||||
// Handle existing auth.
|
||||
log.Debugln("user with provided fedvierse identity already exists, logging them in")
|
||||
|
||||
// Update the current user's access token to point to the existing user id.
|
||||
userID := u.ID
|
||||
if err := user.SetAccessTokenToOwner(accessToken, userID); err != nil {
|
||||
controllers.WriteSimpleResponse(w, false, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
loginMessage := fmt.Sprintf("**%s** is now authenticated as **%s**", authRegistration.UserDisplayName, u.DisplayName)
|
||||
if err := chat.SendSystemAction(loginMessage, true); err != nil {
|
||||
log.Errorln(err)
|
||||
}
|
||||
|
||||
controllers.WriteSimpleResponse(w, true, "")
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// Otherwise, save this as new auth.
|
||||
log.Debug("fediverse account does not already exist, saving it as a new one for the current user")
|
||||
if err := auth.AddAuth(authRegistration.UserID, authRegistration.Account, auth.Fediverse); err != nil {
|
||||
controllers.WriteSimpleResponse(w, false, err.Error())
|
||||
return
|
||||
}
|
||||
|
||||
// Update the current user's authenticated flag so we can show it in
|
||||
// the chat UI.
|
||||
if err := user.SetUserAsAuthenticated(authRegistration.UserID); err != nil {
|
||||
log.Errorln(err)
|
||||
}
|
||||
|
||||
controllers.WriteSimpleResponse(w, true, "")
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}
|
||||
@@ -7,6 +7,7 @@ import (
|
||||
"net/url"
|
||||
"strings"
|
||||
|
||||
"github.com/owncast/owncast/activitypub/webfinger"
|
||||
"github.com/owncast/owncast/core/data"
|
||||
)
|
||||
|
||||
@@ -35,7 +36,7 @@ func RemoteFollow(w http.ResponseWriter, r *http.Request) {
|
||||
localActorPath, _ := url.Parse(data.GetServerURL())
|
||||
localActorPath.Path = fmt.Sprintf("/federation/user/%s", data.GetDefaultFederationUsername())
|
||||
var template string
|
||||
links, err := getWebfingerLinks(request.Account)
|
||||
links, err := webfinger.GetWebfingerLinks(request.Account)
|
||||
if err != nil {
|
||||
WriteSimpleResponse(w, false, err.Error())
|
||||
return
|
||||
@@ -62,39 +63,3 @@ func RemoteFollow(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
WriteResponse(w, response)
|
||||
}
|
||||
|
||||
func getWebfingerLinks(account string) ([]map[string]interface{}, error) {
|
||||
type webfingerResponse struct {
|
||||
Links []map[string]interface{} `json:"links"`
|
||||
}
|
||||
|
||||
account = strings.TrimLeft(account, "@") // remove any leading @
|
||||
accountComponents := strings.Split(account, "@")
|
||||
fediverseServer := accountComponents[1]
|
||||
|
||||
// HTTPS is required.
|
||||
requestURL, err := url.Parse("https://" + fediverseServer)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to parse fediverse server host %s", fediverseServer)
|
||||
}
|
||||
|
||||
requestURL.Path = "/.well-known/webfinger"
|
||||
query := requestURL.Query()
|
||||
query.Add("resource", fmt.Sprintf("acct:%s", account))
|
||||
requestURL.RawQuery = query.Encode()
|
||||
|
||||
response, err := http.DefaultClient.Get(requestURL.String())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
defer response.Body.Close()
|
||||
|
||||
var links webfingerResponse
|
||||
decoder := json.NewDecoder(response.Body)
|
||||
if err := decoder.Decode(&links); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return links.Links, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user