IndieAuth support (#1811)
* Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Properly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal and split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth response error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been running dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com>
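--- /dev/null
+++ b/auth/indieauth/helpers.go
@@ -0,0 +1,120 @@
+package indieauth
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"github.com/andybalholm/cascadia"
+	"github.com/pkg/errors"
+	"golang.org/x/net/html"
+)
+
+func createAuthRequest(authDestination, userID, displayName, accessToken, baseServer string) (*Request, error) {
+	authURL, err := url.Parse(authDestination)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to parse IndieAuth destination")
+	}
+
+	authEndpointURL, err := getAuthEndpointFromURL(authURL.String())
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to get IndieAuth endpoint from destination URL")
+	}
+
+	baseServerURL, err := url.Parse(baseServer)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to parse local owncast base server URL")
+	}
+
+	callbackURL := *baseServerURL
+	callbackURL.Path = "/api/auth/indieauth/callback"
+
+	codeVerifier := randString(50)
+	codeChallenge := createCodeChallenge(codeVerifier)
+	state := randString(20)
+	responseType := "code"
+	clientID := baseServerURL.String() // Our local URL
+	codeChallengeMethod := "S256"
+
+	redirect := *authEndpointURL
+
+	q := authURL.Query()
+	q.Add("response_type", responseType)
+	q.Add("client_id", clientID)
+	q.Add("state", state)
+	q.Add("code_challenge_method", codeChallengeMethod)
+	q.Add("code_challenge", codeChallenge)
+	q.Add("me", authURL.String())
+	q.Add("redirect_uri", callbackURL.String())
+	redirect.RawQuery = q.Encode()
+
+	return &Request{
+		Me:                 authURL,
+		UserID:             userID,
+		DisplayName:        displayName,
+		CurrentAccessToken: accessToken,
+		Endpoint:           authEndpointURL,
+		ClientID:           baseServer,
+		CodeVerifier:       codeVerifier,
+		CodeChallenge:      codeChallenge,
+		State:              state,
+		Redirect:           &redirect,
+		Callback:           &callbackURL,
+	}, nil
+}
+
+func getAuthEndpointFromURL(urlstring string) (*url.URL, error) {
+	htmlDocScrapeURL, err := url.Parse(urlstring)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to parse URL")
+	}
+
+	r, err := http.Get(htmlDocScrapeURL.String()) // nolint:gosec
+	if err != nil {
+		return nil, err
+	}
+	defer r.Body.Close()
+
+	scrapedHTMLDocument, err := html.Parse(r.Body)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to parse html at remote auth host")
+	}
+	authorizationEndpointTag := cascadia.MustCompile("link[rel=authorization_endpoint]").MatchAll(scrapedHTMLDocument)
+	if len(authorizationEndpointTag) == 0 {
+		return nil, fmt.Errorf("url does not support indieauth")
+	}
+
+	for _, attr := range authorizationEndpointTag[len(authorizationEndpointTag)-1].Attr {
+		if attr.Key == "href" {
+			u, err := url.Parse(attr.Val)
+			if err != nil {
+				return nil, errors.Wrap(err, "unable to parse authorization endpoint")
+			}
+
+			// If it is a relative URL we an fill in the missing components
+			// by using the original URL we scraped, since it is the same host.
+			if u.Scheme == "" {
+				u.Scheme = htmlDocScrapeURL.Scheme
+			}
+
+			if u.Host == "" {
+				u.Host = htmlDocScrapeURL.Host
+			}
+
+			return u, nil
+		}
+	}
+
+	return nil, fmt.Errorf("unable to find href value for authorization_endpoint")
+}
+
+func createCodeChallenge(codeVerifier string) string {
+	sha256hash := sha256.Sum256([]byte(codeVerifier))
+
+	encodedHashedCode := strings.TrimRight(base64.URLEncoding.EncodeToString(sha256hash[:]), "=")
+
+	return encodedHashedCode
+}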
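Review bot: `http.Get` in getAuthEndpointFromURL fetches whatever destination the user supplied with the default client, so there is no timeout, no cap on the body handed to `html.Parse`, and no restriction to http/https — the `// nolint:gosec` silences the linter's warning about the server-side request rather than bounding it. A client with a short timeout, an `io.LimitReader` on the body and a scheme check (sketched below; `io` and `time` would need importing) keep a slow or oversized remote from tying up the handler; whether Owncast also wants to refuse loopback or private addresses is a deployment policy I can't settle from this file. In createAuthRequest, `q := authURL.Query()` seeds the authorization request with the query string of the `me` URL and then overwrites whatever query the endpoint already carried; `q := redirect.Query()` keeps the endpoint's own parameters and drops the unrelated ones. The relative-href branch only back-fills Scheme and Host, so an href such as `auth` without a leading slash keeps a relative path; `u = htmlDocScrapeURL.ResolveReference(u)` handles every relative form in one line.
```go
func getAuthEndpointFromURL(urlstring string) (*url.URL, error) {
	htmlDocScrapeURL, err := url.Parse(urlstring)
	if err != nil {
		return nil, errors.Wrap(err, "unable to parse URL")
	}
	// Only web URLs are meaningful here, and this value comes from user input.
	if htmlDocScrapeURL.Scheme != "http" && htmlDocScrapeURL.Scheme != "https" {
		return nil, fmt.Errorf("unsupported scheme %q for IndieAuth destination", htmlDocScrapeURL.Scheme)
	}

	// Bound the outbound request so a slow remote host cannot hold the handler open.
	client := &http.Client{Timeout: 10 * time.Second}
	r, err := client.Get(htmlDocScrapeURL.String()) // nolint:gosec
	if err != nil {
		return nil, err
	}
	defer r.Body.Close()

	// A discovery document should be small; refuse to parse more than 1 MiB.
	scrapedHTMLDocument, err := html.Parse(io.LimitReader(r.Body, 1<<20))
	// … unchanged: authorization_endpoint lookup and href resolution …
```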