IndieAuth support (#1811)

* Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com>
2022-04-21 14:55:26 -07:00
parent b86537fa91
commit b835de2dc4
47 changed files with 1844 additions and 274 deletions
--- a/controllers/auth/indieauth/client.go
+++ b/controllers/auth/indieauth/client.go
@@ -0,0 +1,103 @@
+package indieauth
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+
+	"github.com/owncast/owncast/auth"
+	ia "github.com/owncast/owncast/auth/indieauth"
+	"github.com/owncast/owncast/controllers"
+	"github.com/owncast/owncast/core/chat"
+	"github.com/owncast/owncast/core/user"
+	log "github.com/sirupsen/logrus"
+)
+
+// StartAuthFlow will begin the IndieAuth flow for the current user.
+func StartAuthFlow(u user.User, w http.ResponseWriter, r *http.Request) {
+	type request struct {
+		AuthHost string `json:"authHost"`
+	}
+
+	type response struct {
+		Redirect string `json:"redirect"`
+	}
+
+	var authRequest request
+	p, err := io.ReadAll(r.Body)
+	if err != nil {
+		controllers.WriteSimpleResponse(w, false, err.Error())
+		return
+	}
+
+	if err := json.Unmarshal(p, &authRequest); err != nil {
+		controllers.WriteSimpleResponse(w, false, err.Error())
+		return
+	}
+
+	accessToken := r.URL.Query().Get("accessToken")
+
+	redirectURL, err := ia.StartAuthFlow(authRequest.AuthHost, u.ID, accessToken, u.DisplayName)
+	if err != nil {
+		controllers.WriteSimpleResponse(w, false, err.Error())
+		return
+	}
+
+	redirectResponse := response{
+		Redirect: redirectURL.String(),
+	}
+	controllers.WriteResponse(w, redirectResponse)
+}
+
+// HandleRedirect will handle the redirect from an IndieAuth server to
+// continue the auth flow.
+func HandleRedirect(w http.ResponseWriter, r *http.Request) {
+	state := r.URL.Query().Get("state")
+	code := r.URL.Query().Get("code")
+	request, response, err := ia.HandleCallbackCode(code, state)
+	if err != nil {
+		log.Debugln(err)
+		msg := fmt.Sprintf("Unable to complete authentication. <a href=\"/\">Go back.</a><hr/> %s", err.Error())
+		_ = controllers.WriteString(w, msg, http.StatusBadRequest)
+		return
+	}
+
+	// Check if a user with this auth already exists, if so, log them in.
+	if u := auth.GetUserByAuth(response.Me, auth.IndieAuth); u != nil {
+		// Handle existing auth.
+		log.Debugln("user with provided indieauth already exists, logging them in")
+
+		// Update the current user's access token to point to the existing user id.
+		accessToken := request.CurrentAccessToken
+		userID := u.ID
+		if err := user.SetAccessTokenToOwner(accessToken, userID); err != nil {
+			controllers.WriteSimpleResponse(w, false, err.Error())
+			return
+		}
+
+		loginMessage := fmt.Sprintf("**%s** is now authenticated as **%s**", request.DisplayName, u.DisplayName)
+		if err := chat.SendSystemAction(loginMessage, true); err != nil {
+			log.Errorln(err)
+		}
+
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+
+		return
+	}
+
+	// Otherwise, save this as new auth.
+	log.Debug("indieauth token does not already exist, saving it as a new one for the current user")
+	if err := auth.AddAuth(request.UserID, response.Me, auth.IndieAuth); err != nil {
+		controllers.WriteSimpleResponse(w, false, err.Error())
+		return
+	}
+
+	// Update the current user's authenticated flag so we can show it in
+	// the chat UI.
+	if err := user.SetUserAsAuthenticated(request.UserID); err != nil {
+		log.Errorln(err)
+	}
+
+	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+}
--- a/controllers/auth/indieauth/server.go
+++ b/controllers/auth/indieauth/server.go
@@ -0,0 +1,80 @@
+package indieauth
+
+import (
+	"net/http"
+	"net/url"
+
+	ia "github.com/owncast/owncast/auth/indieauth"
+	"github.com/owncast/owncast/controllers"
+)
+
+// HandleAuthEndpoint will handle the IndieAuth auth endpoint.
+func HandleAuthEndpoint(w http.ResponseWriter, r *http.Request) {
+	if r.Method == http.MethodGet {
+		// Require the GET request for IndieAuth to be behind admin login.
+		handleAuthEndpointGet(w, r)
+	} else if r.Method == http.MethodPost {
+		handleAuthEndpointPost(w, r)
+	} else {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		return
+	}
+}
+
+func handleAuthEndpointGet(w http.ResponseWriter, r *http.Request) {
+	clientID := r.URL.Query().Get("client_id")
+	redirectURI := r.URL.Query().Get("redirect_uri")
+	codeChallenge := r.URL.Query().Get("code_challenge")
+	state := r.URL.Query().Get("state")
+	me := r.URL.Query().Get("me")
+
+	request, err := ia.StartServerAuth(clientID, redirectURI, codeChallenge, state, me)
+	if err != nil {
+		// Return a human readable, HTML page as an error. JSON is no use here.
+		return
+	}
+
+	// Redirect the client browser with the values we generated to continue
+	// the IndieAuth flow.
+	// If the URL is invalid then return with specific "invalid_request" error.
+	u, err := url.Parse(redirectURI)
+	if err != nil {
+		controllers.WriteResponse(w, ia.Response{
+			Error:            "invalid_request",
+			ErrorDescription: err.Error(),
+		})
+		return
+	}
+
+	redirectParams := u.Query()
+	redirectParams.Set("code", request.Code)
+	redirectParams.Set("state", request.State)
+	u.RawQuery = redirectParams.Encode()
+
+	http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
+}
+
+func handleAuthEndpointPost(w http.ResponseWriter, r *http.Request) {
+	if err := r.ParseForm(); err != nil {
+		controllers.WriteSimpleResponse(w, false, err.Error())
+		return
+	}
+
+	code := r.PostForm.Get("code")
+	redirectURI := r.PostForm.Get("redirect_uri")
+	clientID := r.PostForm.Get("client_id")
+	codeVerifier := r.PostForm.Get("code_verifier")
+
+	// If the server auth flow cannot be completed then return with specific
+	// "invalid_client" error.
+	response, err := ia.CompleteServerAuth(code, redirectURI, clientID, codeVerifier)
+	if err != nil {
+		controllers.WriteResponse(w, ia.Response{
+			Error:            "invalid_client",
+			ErrorDescription: err.Error(),
+		})
+		return
+	}
+
+	controllers.WriteResponse(w, response)
+}
--- a/controllers/chat.go
+++ b/controllers/chat.go
@@ -13,11 +13,15 @@ import (
 // ExternalGetChatMessages gets all of the chat messages.
 func ExternalGetChatMessages(integration user.ExternalAPIUser, w http.ResponseWriter, r *http.Request) {
 	middleware.EnableCors(w)
-	GetChatMessages(w, r)
+	getChatMessages(w, r)
 }

 // GetChatMessages gets all of the chat messages.
-func GetChatMessages(w http.ResponseWriter, r *http.Request) {
+func GetChatMessages(u user.User, w http.ResponseWriter, r *http.Request) {
+	getChatMessages(w, r)
+}
+
+func getChatMessages(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")

 	switch r.Method {
@@ -62,7 +66,7 @@ func RegisterAnonymousChatUser(w http.ResponseWriter, r *http.Request) {
 		request.DisplayName = r.Header.Get("X-Forwarded-User")
 	}

-	newUser, err := user.CreateAnonymousUser(request.DisplayName)
+	newUser, accessToken, err := user.CreateAnonymousUser(request.DisplayName)
 	if err != nil {
 		WriteSimpleResponse(w, false, err.Error())
 		return
@@ -70,7 +74,7 @@ func RegisterAnonymousChatUser(w http.ResponseWriter, r *http.Request) {

 	response := registerAnonymousUserResponse{
 		ID:          newUser.ID,
-		AccessToken: newUser.AccessToken,
+		AccessToken: accessToken,
 		DisplayName: newUser.DisplayName,
 	}

--- a/controllers/config.go
+++ b/controllers/config.go
@@ -16,22 +16,23 @@ import (
 )

 type webConfigResponse struct {
-	Name                 string                      `json:"name"`
-	Summary              string                      `json:"summary"`
-	Logo                 string                      `json:"logo"`
-	Tags                 []string                    `json:"tags"`
-	Version              string                      `json:"version"`
-	NSFW                 bool                        `json:"nsfw"`
-	SocketHostOverride   string                      `json:"socketHostOverride,omitempty"`
-	ExtraPageContent     string                      `json:"extraPageContent"`
-	StreamTitle          string                      `json:"streamTitle,omitempty"` // What's going on with the current stream
-	SocialHandles        []models.SocialHandle       `json:"socialHandles"`
-	ChatDisabled         bool                        `json:"chatDisabled"`
-	ExternalActions      []models.ExternalAction     `json:"externalActions"`
-	CustomStyles         string                      `json:"customStyles"`
-	MaxSocketPayloadSize int                         `json:"maxSocketPayloadSize"`
-	Federation           federationConfigResponse    `json:"federation"`
-	Notifications        notificationsConfigResponse `json:"notifications"`
+	Name                 string                       `json:"name"`
+	Summary              string                       `json:"summary"`
+	Logo                 string                       `json:"logo"`
+	Tags                 []string                     `json:"tags"`
+	Version              string                       `json:"version"`
+	NSFW                 bool                         `json:"nsfw"`
+	SocketHostOverride   string                       `json:"socketHostOverride,omitempty"`
+	ExtraPageContent     string                       `json:"extraPageContent"`
+	StreamTitle          string                       `json:"streamTitle,omitempty"` // What's going on with the current stream
+	SocialHandles        []models.SocialHandle        `json:"socialHandles"`
+	ChatDisabled         bool                         `json:"chatDisabled"`
+	ExternalActions      []models.ExternalAction      `json:"externalActions"`
+	CustomStyles         string                       `json:"customStyles"`
+	MaxSocketPayloadSize int                          `json:"maxSocketPayloadSize"`
+	Federation           federationConfigResponse     `json:"federation"`
+	Notifications        notificationsConfigResponse  `json:"notifications"`
+	Authentication       authenticationConfigResponse `json:"authentication"`
 }

 type federationConfigResponse struct {
@@ -49,6 +50,10 @@ type notificationsConfigResponse struct {
 	Browser browserNotificationsConfigResponse `json:"browser"`
 }

+type authenticationConfigResponse struct {
+	IndieAuthEnabled bool `json:"indieAuthEnabled"`
+}
+
 // GetWebConfig gets the status of the server.
 func GetWebConfig(w http.ResponseWriter, r *http.Request) {
 	middleware.EnableCors(w)
@@ -97,6 +102,10 @@ func GetWebConfig(w http.ResponseWriter, r *http.Request) {
 		},
 	}

+	authenticationResponse := authenticationConfigResponse{
+		IndieAuthEnabled: data.GetServerURL() != "",
+	}
+
 	configuration := webConfigResponse{
 		Name:                 data.GetServerName(),
 		Summary:              serverSummary,
@@ -114,6 +123,7 @@ func GetWebConfig(w http.ResponseWriter, r *http.Request) {
 		MaxSocketPayloadSize: config.MaxSocketPayloadSize,
 		Federation:           federationResponse,
 		Notifications:        notificationsResponse,
+		Authentication:       authenticationResponse,
 	}

 	if err := json.NewEncoder(w).Encode(configuration); err != nil {
--- a/controllers/controllers.go
+++ b/controllers/controllers.go
@@ -65,3 +65,11 @@ func WriteResponse(w http.ResponseWriter, response interface{}) {
 		InternalErrorHandler(w, err)
 	}
 }
+
+// WriteString will return a basic string and a status code to the client.
+func WriteString(w http.ResponseWriter, text string, status int) error {
+	w.Header().Set("Content-Type", "text/html")
+	w.WriteHeader(status)
+	_, err := w.Write([]byte(text))
+	return err
+}
--- a/controllers/notifications.go
+++ b/controllers/notifications.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"net/http"

+	"github.com/owncast/owncast/core/user"
 	"github.com/owncast/owncast/notifications"

 	"github.com/owncast/owncast/utils"
@@ -13,7 +14,7 @@ import (

 // RegisterForLiveNotifications will register a channel + destination to be
 // notified when a stream goes live.
-func RegisterForLiveNotifications(w http.ResponseWriter, r *http.Request) {
+func RegisterForLiveNotifications(u user.User, w http.ResponseWriter, r *http.Request) {
 	if r.Method != POST {
 		WriteSimpleResponse(w, false, r.Method+" not supported")
 		return