IndieAuth support (#1811)

* Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com>
2022-04-21 14:55:26 -07:00
parent b86537fa91
commit b835de2dc4
47 changed files with 1844 additions and 274 deletions
--- a/core/chat/events.go
+++ b/core/chat/events.go
@@ -21,6 +21,8 @@ func (s *Server) userNameChanged(eventData chatClientEvent) {
 	}

 	proposedUsername := receivedEvent.NewName
+
+	// Check if name is on the blocklist
 	blocklist := data.GetForbiddenUsernameList()

 	for _, blockedName := range blocklist {
@@ -39,11 +41,27 @@ func (s *Server) userNameChanged(eventData chatClientEvent) {
 		}
 	}

+	// Check if the name is not already assigned to a registered user.
+	if available, err := user.IsDisplayNameAvailable(proposedUsername); err != nil {
+		log.Errorln("error checking if name is available", err)
+		return
+	} else if !available {
+		message := fmt.Sprintf("You cannot change your name to **%s**, it is already in use.", proposedUsername)
+		s.sendActionToClient(eventData.client, message)
+
+		// Resend the client's user so their username is in sync.
+		eventData.client.sendConnectedClientInfo()
+
+		return
+	}
+
 	savedUser := user.GetUserByToken(eventData.client.accessToken)
 	oldName := savedUser.DisplayName

 	// Save the new name
-	user.ChangeUsername(eventData.client.User.ID, receivedEvent.NewName)
+	if err := user.ChangeUsername(eventData.client.User.ID, receivedEvent.NewName); err != nil {
+		log.Errorln("error changing username", err)
+	}

 	// Update the connected clients associated user with the new name
 	now := time.Now()
--- a/core/chat/events/nameChangeEvent.go
+++ b/core/chat/events/nameChangeEvent.go
@@ -10,6 +10,7 @@ type NameChangeEvent struct {
 // NameChangeBroadcast represents a user changing their chat display name.
 type NameChangeBroadcast struct {
 	Event
+	OutboundEvent
 	UserEvent
 	Oldname string `json:"oldName"`
 }
--- a/core/chat/persistence.go
+++ b/core/chat/persistence.go
@@ -104,16 +104,17 @@ func makeUserMessageEventFromRowData(row rowData) events.UserMessageEvent {
 	scopeSlice := strings.Split(scopes, ",")

 	u := user.User{
-		ID:            *row.userID,
-		AccessToken:   "",
-		DisplayName:   displayName,
-		DisplayColor:  displayColor,
-		CreatedAt:     createdAt,
-		DisabledAt:    row.userDisabledAt,
-		NameChangedAt: row.userNameChangedAt,
-		PreviousNames: previousUsernames,
-		Scopes:        scopeSlice,
-		IsBot:         isBot,
+		ID:              *row.userID,
+		DisplayName:     displayName,
+		DisplayColor:    displayColor,
+		CreatedAt:       createdAt,
+		DisabledAt:      row.userDisabledAt,
+		NameChangedAt:   row.userNameChangedAt,
+		PreviousNames:   previousUsernames,
+		AuthenticatedAt: row.userAuthenticatedAt,
+		Authenticated:   row.userAuthenticatedAt != nil,
+		Scopes:          scopeSlice,
+		IsBot:           isBot,
 	}

 	message := events.UserMessageEvent{
@@ -195,14 +196,15 @@ type rowData struct {
 	image     *string
 	link      *string

-	userDisplayName   *string
-	userDisplayColor  *int
-	userCreatedAt     *time.Time
-	userDisabledAt    *time.Time
-	previousUsernames *string
-	userNameChangedAt *time.Time
-	userScopes        *string
-	userType          *string
+	userDisplayName     *string
+	userDisplayColor    *int
+	userCreatedAt       *time.Time
+	userDisabledAt      *time.Time
+	previousUsernames   *string
+	userNameChangedAt   *time.Time
+	userAuthenticatedAt *time.Time
+	userScopes          *string
+	userType            *string
 }

 func getChat(query string) []interface{} {
@@ -235,9 +237,11 @@ func getChat(query string) []interface{} {
 			&row.userDisabledAt,
 			&row.previousUsernames,
 			&row.userNameChangedAt,
+			&row.userAuthenticatedAt,
 			&row.userScopes,
 			&row.userType,
 		); err != nil {
+			log.Errorln(err)
 			log.Errorln("There is a problem converting query to chat objects. Please report this:", query)
 			break
 		}
@@ -274,7 +278,7 @@ func GetChatModerationHistory() []interface{} {
 	}

 	// Get all messages regardless of visibility
-	query := "SELECT messages.id, user_id, body, title, subtitle, image, link, eventType, hidden_at, timestamp, display_name, display_color, created_at, disabled_at, previous_names, namechanged_at, scopes, users.type FROM messages INNER JOIN users ON messages.user_id = users.id ORDER BY timestamp DESC"
+	query := "SELECT messages.id, user_id, body, title, subtitle, image, link, eventType, hidden_at, timestamp, display_name, display_color, created_at, disabled_at, previous_names, namechanged_at, authenticated_at, scopes, type FROM messages INNER JOIN users ON messages.user_id = users.id ORDER BY timestamp DESC"
 	result := getChat(query)

 	_historyCache = &result
@@ -285,7 +289,7 @@ func GetChatModerationHistory() []interface{} {
 // GetChatHistory will return all the chat messages suitable for returning as user-facing chat history.
 func GetChatHistory() []interface{} {
 	// Get all visible messages
-	query := fmt.Sprintf("SELECT messages.id,messages.user_id, messages.body, messages.title, messages.subtitle, messages.image, messages.link, messages.eventType, messages.hidden_at, messages.timestamp, users.display_name, users.display_color, users.created_at, users.disabled_at, users.previous_names, users.namechanged_at, users.scopes, users.type FROM messages LEFT JOIN users ON messages.user_id = users.id WHERE hidden_at IS NULL AND disabled_at IS NULL ORDER BY timestamp DESC LIMIT %d", maxBacklogNumber)
+	query := fmt.Sprintf("SELECT messages.id,messages.user_id, messages.body, messages.title, messages.subtitle, messages.image, messages.link, messages.eventType, messages.hidden_at, messages.timestamp, users.display_name, users.display_color, users.created_at, users.disabled_at, users.previous_names, users.namechanged_at, users.authenticated_at, users.scopes, users.type FROM messages LEFT JOIN users ON messages.user_id = users.id WHERE hidden_at IS NULL AND disabled_at IS NULL ORDER BY timestamp DESC LIMIT %d", maxBacklogNumber)
 	m := getChat(query)

 	// Invert order of messages
@@ -305,7 +309,7 @@ func SetMessageVisibilityForUserID(userID string, visible bool) error {

 	// Get a list of IDs to send to the connected clients to hide
 	ids := make([]string, 0)
-	query := fmt.Sprintf("SELECT messages.id, user_id, body, title, subtitle, image, link, eventType, hidden_at, timestamp, display_name, display_color, created_at, disabled_at,  previous_names, namechanged_at, scopes, type FROM messages INNER JOIN users ON messages.user_id = users.id WHERE user_id IS '%s'", userID)
+	query := fmt.Sprintf("SELECT messages.id, user_id, body, title, subtitle, image, link, eventType, hidden_at, timestamp, display_name, display_color, created_at, disabled_at,  previous_names, namechanged_at, authenticated, scopes, type FROM messages INNER JOIN users ON messages.user_id = users.id WHERE user_id IS '%s'", userID)
 	messages := getChat(query)

 	if len(messages) == 0 {
--- a/core/chat/server.go
+++ b/core/chat/server.go
@@ -201,10 +201,10 @@ func (s *Server) HandleClientConnection(w http.ResponseWriter, r *http.Request)
 	// A user is required to use the websocket
 	user := user.GetUserByToken(accessToken)
 	if user == nil {
+		// Send error that registration is required
 		_ = conn.WriteJSON(events.EventPayload{
 			"type": events.ErrorNeedsRegistration,
 		})
-		// Send error that registration is required
 		_ = conn.Close()
 		return
 	}
--- a/core/core.go
+++ b/core/core.go
@@ -7,6 +7,7 @@ import (

 	log "github.com/sirupsen/logrus"

+	"github.com/owncast/owncast/auth"
 	"github.com/owncast/owncast/config"
 	"github.com/owncast/owncast/core/chat"
 	"github.com/owncast/owncast/core/data"
@@ -56,6 +57,7 @@ func Start() error {
 	}

 	user.SetupUsers()
+	auth.Setup(data.GetDatastore())

 	fileWriter.SetupFileWriterReceiverService(&handler)

--- a/core/data/data.go
+++ b/core/data/data.go
@@ -17,7 +17,7 @@ import (
 )

 const (
-	schemaVersion = 4
+	schemaVersion = 5
 )

 var (
@@ -75,6 +75,7 @@ func SetupPersistence(file string) error {

 	createWebhooksTable()
 	createUsersTable(db)
+	createAccessTokenTable(db)

 	if _, err := db.Exec(`CREATE TABLE IF NOT EXISTS config (
 		"key" string NOT NULL PRIMARY KEY,
@@ -141,6 +142,8 @@ func migrateDatabase(db *sql.DB, from, to int) error {
 			migrateToSchema3(db)
 		case 3:
 			migrateToSchema4(db)
+		case 4:
+			migrateToSchema5(db)
 		default:
 			log.Fatalln("missing database migration step")
 		}
--- a/core/data/migrations.go
+++ b/core/data/migrations.go
@@ -2,6 +2,8 @@ package data

 import (
 	"database/sql"
+	"fmt"
+	"strings"
 	"time"

 	"github.com/owncast/owncast/utils"
@@ -9,7 +11,75 @@ import (
 	"github.com/teris-io/shortid"
 )

+func migrateToSchema5(db *sql.DB) {
+	// Access tokens have been broken into its own table.
+
+	// Authenticated bool added to the users table.
+	stmt, err := db.Prepare("ALTER TABLE users ADD authenticated_at timestamp DEFAULT null ")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer stmt.Close()
+	_, err = stmt.Exec()
+	if err != nil {
+		log.Warnln(err)
+	}
+
+	// Migrate the access tokens from the users table to the access tokens table.
+	query := `SELECT id, access_token, created_at FROM users`
+	rows, err := db.Query(query)
+	if err != nil || rows.Err() != nil {
+		log.Errorln("error migrating access tokens to schema v5", err, rows.Err())
+		return
+	}
+	defer rows.Close()
+
+	valueStrings := []string{}
+	valueArgs := []interface{}{}
+
+	var token string
+	var userID string
+	var timestamp time.Time
+	for rows.Next() {
+		if err := rows.Scan(&userID, &token, &timestamp); err != nil {
+			log.Error("There is a problem reading the database.", err)
+			return
+		}
+
+		valueStrings = append(valueStrings, "(?, ?, ?)")
+		valueArgs = append(valueArgs, userID, token, timestamp)
+	}
+
+	smt := `INSERT INTO user_access_tokens(token, user_id, timestamp) VALUES %s ON CONFLICT DO NOTHING`
+	smt = fmt.Sprintf(smt, strings.Join(valueStrings, ","))
+	// fmt.Println(smt)
+	tx, err := db.Begin()
+	if err != nil {
+		log.Fatalln("Error starting transaction", err)
+	}
+	_, err = tx.Exec(smt, valueArgs...)
+	if err != nil {
+		_ = tx.Rollback()
+		log.Fatalln("Error inserting access tokens", err)
+	}
+	if err := tx.Commit(); err != nil {
+		log.Fatalln("Error committing transaction", err)
+	}
+
+	// Remove old access token column from the users table.
+	stmt, err = db.Prepare("ALTER TABLE users DROP COLUMN access_token;")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer stmt.Close()
+	_, err = stmt.Exec()
+	if err != nil {
+		log.Warnln(err)
+	}
+}
+
 func migrateToSchema4(db *sql.DB) {
+	// Access tokens have been broken into its own table.
 	stmt, err := db.Prepare("ALTER TABLE ap_followers ADD COLUMN request_object BLOB")
 	if err != nil {
 		log.Fatal(err)
--- a/core/data/users.go
+++ b/core/data/users.go
@@ -6,18 +6,37 @@ import (
 	log "github.com/sirupsen/logrus"
 )

+func createAccessTokenTable(db *sql.DB) {
+	createTableSQL := `CREATE TABLE IF NOT EXISTS user_access_tokens (
+    "token" TEXT NOT NULL PRIMARY KEY,
+    "user_id" TEXT NOT NULL,
+    "timestamp" DATE DEFAULT CURRENT_TIMESTAMP NOT NULL,
+    FOREIGN KEY(user_id) REFERENCES users(id)
+  );`
+
+	stmt, err := db.Prepare(createTableSQL)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer stmt.Close()
+	_, err = stmt.Exec()
+	if err != nil {
+		log.Warnln(err)
+	}
+}
+
 func createUsersTable(db *sql.DB) {
 	log.Traceln("Creating users table...")

 	createTableSQL := `CREATE TABLE IF NOT EXISTS users (
 		"id" TEXT,
-		"access_token" string NOT NULL,
 		"display_name" TEXT NOT NULL,
 		"display_color" NUMBER NOT NULL,
 		"created_at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
 		"disabled_at" TIMESTAMP,
 		"previous_names" TEXT DEFAULT '',
 		"namechanged_at" TIMESTAMP,
+    "authenticated_at" TIMESTAMP,
 		"scopes" TEXT,
 		"type" TEXT DEFAULT 'STANDARD',
 		"last_used" DATETIME DEFAULT CURRENT_TIMESTAMP,
--- a/core/user/externalAPIUser.go
+++ b/core/user/externalAPIUser.go
@@ -1,12 +1,13 @@
 package user

 import (
+	"context"
 	"database/sql"
-	"errors"
 	"strings"
 	"time"

 	"github.com/owncast/owncast/utils"
+	"github.com/pkg/errors"
 	log "github.com/sirupsen/logrus"
 	"github.com/teris-io/shortid"
 )
@@ -55,13 +56,13 @@ func InsertExternalAPIUser(token string, name string, color int, scopes []string
 	if err != nil {
 		return err
 	}
-	stmt, err := tx.Prepare("INSERT INTO users(id, access_token, display_name, display_color, scopes, type, previous_names) values(?, ?, ?, ?, ?, ?, ?)")
+	stmt, err := tx.Prepare("INSERT INTO users(id, display_name, display_color, scopes, type, previous_names) values(?, ?, ?, ?, ?, ?)")
 	if err != nil {
 		return err
 	}
 	defer stmt.Close()

-	if _, err = stmt.Exec(id, token, name, color, scopesString, "API", name); err != nil {
+	if _, err = stmt.Exec(id, name, color, scopesString, "API", name); err != nil {
 		return err
 	}

@@ -69,6 +70,10 @@ func InsertExternalAPIUser(token string, name string, color int, scopes []string
 		return err
 	}

+	if err := addAccessTokenForUser(token, id); err != nil {
+		return errors.Wrap(err, "unable to save access token for new external api user")
+	}
+
 	return nil
 }

@@ -83,13 +88,13 @@ func DeleteExternalAPIUser(token string) error {
 	if err != nil {
 		return err
 	}
-	stmt, err := tx.Prepare("UPDATE users SET disabled_at = ? WHERE access_token = ?")
+	stmt, err := tx.Prepare("UPDATE users SET disabled_at = CURRENT_TIMESTAMP WHERE id = (SELECT user_id FROM user_access_tokens WHERE token = ?)")
 	if err != nil {
 		return err
 	}
 	defer stmt.Close()

-	result, err := stmt.Exec(time.Now(), token)
+	result, err := stmt.Exec(token)
 	if err != nil {
 		return err
 	}
@@ -112,20 +117,20 @@ func GetExternalAPIUserForAccessTokenAndScope(token string, scope string) (*Exte
 	// so we can efficiently find if a token supports a single scope.
 	// This is SQLite specific, so if we ever support other database
 	// backends we need to support other methods.
-	query := `SELECT id, access_token, scopes, display_name, display_color, created_at, last_used FROM (
-		WITH RECURSIVE split(id, access_token, scopes, display_name, display_color, created_at, last_used, disabled_at, scope, rest) AS (
-		  SELECT id, access_token, scopes, display_name, display_color, created_at, last_used, disabled_at, '', scopes || ',' FROM users
+	query := `SELECT id, scopes, display_name, display_color, created_at, last_used FROM user_access_tokens, (
+		WITH RECURSIVE split(id, scopes, display_name, display_color, created_at, last_used, disabled_at, scope, rest) AS (
+		  SELECT id, scopes, display_name, display_color, created_at, last_used, disabled_at, '', scopes || ',' FROM users
 		   UNION ALL
-		  SELECT id, access_token, scopes, display_name, display_color, created_at, last_used, disabled_at,
+		  SELECT id, scopes, display_name, display_color, created_at, last_used, disabled_at,
 				 substr(rest, 0, instr(rest, ',')),
 				 substr(rest, instr(rest, ',')+1)
 			FROM split
 		   WHERE rest <> '')
-		SELECT id, access_token, scopes, display_name, display_color, created_at, last_used, disabled_at, scope
+		SELECT id, scopes, display_name, display_color, created_at, last_used, disabled_at, scope
 		  FROM split
 		 WHERE scope <> ''
-		 ORDER BY access_token, scope
-	  ) AS token WHERE token.access_token = ? AND token.scope = ?`
+		 ORDER BY scope
+	  ) AS token WHERE user_access_tokens.token = ? AND token.scope = ?`

 	row := _datastore.DB.QueryRow(query, token, scope)
 	integration, err := makeExternalAPIUserFromRow(row)
@@ -135,23 +140,18 @@ func GetExternalAPIUserForAccessTokenAndScope(token string, scope string) (*Exte

 // GetIntegrationNameForAccessToken will return the integration name associated with a specific access token.
 func GetIntegrationNameForAccessToken(token string) *string {
-	query := "SELECT display_name FROM users WHERE access_token IS ? AND disabled_at IS NULL"
-	row := _datastore.DB.QueryRow(query, token)
-
-	var name string
-	err := row.Scan(&name)
+	name, err := _datastore.GetQueries().GetUserDisplayNameByToken(context.Background(), token)
 	if err != nil {
-		log.Warnln(err)
 		return nil
 	}

 	return &name
 }

-// GetExternalAPIUser will return all access tokens.
+// GetExternalAPIUser will return all API users with access tokens.
 func GetExternalAPIUser() ([]ExternalAPIUser, error) { //nolint
 	// Get all messages sent within the past day
-	query := "SELECT id, access_token, display_name, display_color, scopes, created_at, last_used FROM users WHERE type IS 'API' AND disabled_at IS NULL"
+	query := "SELECT id, token, display_name, display_color, scopes, created_at, last_used FROM users, user_access_tokens WHERE user_access_tokens.user_id = id  AND type IS 'API' AND disabled_at IS NULL"

 	rows, err := _datastore.DB.Query(query)
 	if err != nil {
@@ -170,7 +170,8 @@ func SetExternalAPIUserAccessTokenAsUsed(token string) error {
 	if err != nil {
 		return err
 	}
-	stmt, err := tx.Prepare("UPDATE users SET last_used = CURRENT_TIMESTAMP WHERE access_token = ?")
+	// stmt, err := tx.Prepare("UPDATE users SET last_used = CURRENT_TIMESTAMP WHERE access_token = ?")
+	stmt, err := tx.Prepare("UPDATE users SET last_used = CURRENT_TIMESTAMP WHERE id = (SELECT user_id FROM user_access_tokens WHERE token = ?)")
 	if err != nil {
 		return err
 	}
@@ -189,14 +190,13 @@ func SetExternalAPIUserAccessTokenAsUsed(token string) error {

 func makeExternalAPIUserFromRow(row *sql.Row) (*ExternalAPIUser, error) {
 	var id string
-	var accessToken string
 	var displayName string
 	var displayColor int
 	var scopes string
 	var createdAt time.Time
 	var lastUsedAt *time.Time

-	err := row.Scan(&id, &accessToken, &scopes, &displayName, &displayColor, &createdAt, &lastUsedAt)
+	err := row.Scan(&id, &scopes, &displayName, &displayColor, &createdAt, &lastUsedAt)
 	if err != nil {
 		log.Debugln("unable to convert row to api user", err)
 		return nil, err
@@ -204,7 +204,6 @@ func makeExternalAPIUserFromRow(row *sql.Row) (*ExternalAPIUser, error) {

 	integration := ExternalAPIUser{
 		ID:           id,
-		AccessToken:  accessToken,
 		DisplayName:  displayName,
 		DisplayColor: displayColor,
 		CreatedAt:    createdAt,
--- a/core/user/user.go
+++ b/core/user/user.go
@@ -1,6 +1,7 @@
 package user

 import (
+	"context"
 	"database/sql"
 	"fmt"
 	"sort"
@@ -8,7 +9,9 @@ import (
 	"time"

 	"github.com/owncast/owncast/core/data"
+	"github.com/owncast/owncast/db"
 	"github.com/owncast/owncast/utils"
+	"github.com/pkg/errors"
 	"github.com/teris-io/shortid"

 	log "github.com/sirupsen/logrus"
@@ -23,16 +26,17 @@ const (

 // User represents a single chat user.
 type User struct {
-	ID            string     `json:"id"`
-	AccessToken   string     `json:"-"`
-	DisplayName   string     `json:"displayName"`
-	DisplayColor  int        `json:"displayColor"`
-	CreatedAt     time.Time  `json:"createdAt"`
-	DisabledAt    *time.Time `json:"disabledAt,omitempty"`
-	PreviousNames []string   `json:"previousNames"`
-	NameChangedAt *time.Time `json:"nameChangedAt,omitempty"`
-	Scopes        []string   `json:"scopes,omitempty"`
-	IsBot         bool       `json:"isBot"`
+	ID              string     `json:"id"`
+	DisplayName     string     `json:"displayName"`
+	DisplayColor    int        `json:"displayColor"`
+	CreatedAt       time.Time  `json:"createdAt"`
+	DisabledAt      *time.Time `json:"disabledAt,omitempty"`
+	PreviousNames   []string   `json:"previousNames"`
+	NameChangedAt   *time.Time `json:"nameChangedAt,omitempty"`
+	Scopes          []string   `json:"scopes,omitempty"`
+	IsBot           bool       `json:"isBot"`
+	AuthenticatedAt *time.Time `json:"-"`
+	Authenticated   bool       `json:"authenticated"`
 }

 // IsEnabled will return if this single user is enabled.
@@ -52,13 +56,8 @@ func SetupUsers() {
 }

 // CreateAnonymousUser will create a new anonymous user with the provided display name.
-func CreateAnonymousUser(displayName string) (*User, error) {
+func CreateAnonymousUser(displayName string) (*User, string, error) {
 	id := shortid.MustGenerate()
-	accessToken, err := utils.GenerateAccessToken()
-	if err != nil {
-		log.Errorln("Unable to create access token for new user")
-		return nil, err
-	}

 	if displayName == "" {
 		suggestedUsernamesList := data.GetSuggestedUsernamesList()
@@ -75,48 +74,62 @@ func CreateAnonymousUser(displayName string) (*User, error) {

 	user := &User{
 		ID:           id,
-		AccessToken:  accessToken,
 		DisplayName:  displayName,
 		DisplayColor: displayColor,
 		CreatedAt:    time.Now(),
 	}

+	// Create new user.
 	if err := create(user); err != nil {
-		return nil, err
+		return nil, "", err
 	}

-	return user, nil
+	// Assign it an access token.
+	accessToken, err := utils.GenerateAccessToken()
+	if err != nil {
+		log.Errorln("Unable to create access token for new user")
+		return nil, "", err
+	}
+	if err := addAccessTokenForUser(accessToken, id); err != nil {
+		return nil, "", errors.Wrap(err, "unable to save access token for new user")
+	}
+
+	return user, accessToken, nil
+}
+
+// IsDisplayNameAvailable will check if the proposed name is available for use.
+func IsDisplayNameAvailable(displayName string) (bool, error) {
+	if available, err := _datastore.GetQueries().IsDisplayNameAvailable(context.Background(), displayName); err != nil {
+		return false, errors.Wrap(err, "unable to check if display name is available")
+	} else if available != 0 {
+		return false, nil
+	}
+
+	return true, nil
 }

 // ChangeUsername will change the user associated to userID from one display name to another.
-func ChangeUsername(userID string, username string) {
+func ChangeUsername(userID string, username string) error {
 	_datastore.DbLock.Lock()
 	defer _datastore.DbLock.Unlock()

-	tx, err := _datastore.DB.Begin()
-	if err != nil {
-		log.Debugln(err)
-	}
-	defer func() {
-		if err := tx.Rollback(); err != nil {
-			log.Debugln(err)
-		}
-	}()
-
-	stmt, err := tx.Prepare("UPDATE users SET display_name = ?, previous_names = previous_names || ?, namechanged_at = ? WHERE id = ?")
-	if err != nil {
-		log.Debugln(err)
-	}
-	defer stmt.Close()
-
-	_, err = stmt.Exec(username, fmt.Sprintf(",%s", username), time.Now(), userID)
-	if err != nil {
-		log.Errorln(err)
+	if err := _datastore.GetQueries().ChangeDisplayName(context.Background(), db.ChangeDisplayNameParams{
+		DisplayName:   username,
+		ID:            userID,
+		PreviousNames: sql.NullString{String: fmt.Sprintf(",%s", username), Valid: true},
+		NamechangedAt: sql.NullTime{Time: time.Now(), Valid: true},
+	}); err != nil {
+		return errors.Wrap(err, "unable to change display name")
 	}

-	if err := tx.Commit(); err != nil {
-		log.Errorln("error changing display name of user", userID, err)
-	}
+	return nil
+}
+
+func addAccessTokenForUser(accessToken, userID string) error {
+	return _datastore.GetQueries().AddAccessTokenForUser(context.Background(), db.AddAccessTokenForUserParams{
+		Token:  accessToken,
+		UserID: userID,
+	})
 }

 func create(user *User) error {
@@ -131,15 +144,16 @@ func create(user *User) error {
 		_ = tx.Rollback()
 	}()

-	stmt, err := tx.Prepare("INSERT INTO users(id, access_token, display_name, display_color, previous_names, created_at) values(?, ?, ?, ?, ?, ?)")
+	stmt, err := tx.Prepare("INSERT INTO users(id, display_name, display_color, previous_names, created_at) values(?, ?, ?, ?, ?)")
 	if err != nil {
 		log.Debugln(err)
 	}
 	defer stmt.Close()

-	_, err = stmt.Exec(user.ID, user.AccessToken, user.DisplayName, user.DisplayColor, user.DisplayName, user.CreatedAt)
+	_, err = stmt.Exec(user.ID, user.DisplayName, user.DisplayColor, user.DisplayName, user.CreatedAt)
 	if err != nil {
 		log.Errorln("error creating new user", err)
+		return err
 	}

 	return tx.Commit()
@@ -179,13 +193,53 @@ func SetEnabled(userID string, enabled bool) error {

 // GetUserByToken will return a user by an access token.
 func GetUserByToken(token string) *User {
-	_datastore.DbLock.Lock()
-	defer _datastore.DbLock.Unlock()
+	u, err := _datastore.GetQueries().GetUserByAccessToken(context.Background(), token)
+	if err != nil {
+		return nil
+	}

-	query := "SELECT id, display_name, display_color, created_at, disabled_at, previous_names, namechanged_at, scopes FROM users WHERE access_token = ?"
-	row := _datastore.DB.QueryRow(query, token)
+	var scopes []string
+	if u.Scopes.Valid {
+		scopes = strings.Split(u.Scopes.String, ",")
+	}

-	return getUserFromRow(row)
+	var disabledAt *time.Time
+	if u.DisabledAt.Valid {
+		disabledAt = &u.DisabledAt.Time
+	}
+
+	var authenticatedAt *time.Time
+	if u.AuthenticatedAt.Valid {
+		authenticatedAt = &u.AuthenticatedAt.Time
+	}
+
+	return &User{
+		ID:              u.ID,
+		DisplayName:     u.DisplayName,
+		DisplayColor:    int(u.DisplayColor),
+		CreatedAt:       u.CreatedAt.Time,
+		DisabledAt:      disabledAt,
+		PreviousNames:   strings.Split(u.PreviousNames.String, ","),
+		NameChangedAt:   &u.NamechangedAt.Time,
+		AuthenticatedAt: authenticatedAt,
+		Authenticated:   authenticatedAt != nil,
+		Scopes:          scopes,
+	}
+}
+
+// SetAccessTokenToOwner will reassign an access token to be owned by a
+// different user. Used for logging in with external auth.
+func SetAccessTokenToOwner(token, userID string) error {
+	return _datastore.GetQueries().SetAccessTokenToOwner(context.Background(), db.SetAccessTokenToOwnerParams{
+		UserID: userID,
+		Token:  token,
+	})
+}
+
+// SetUserAsAuthenticated will mark that a user has been authenticated
+// in some way.
+func SetUserAsAuthenticated(userID string) error {
+	return errors.Wrap(_datastore.GetQueries().SetUserAsAuthenticated(context.Background(), userID), "unable to set user as authenticated")
 }

 // SetModerator will add or remove moderator status for a single user by ID.
@@ -199,6 +253,10 @@ func SetModerator(userID string, isModerator bool) error {

 func addScopeToUser(userID string, scope string) error {
 	u := GetUserByID(userID)
+	if u == nil {
+		return errors.New("user not found when modifying scope")
+	}
+
 	scopesString := u.Scopes
 	scopes := utils.StringSliceToMap(scopesString)
 	scopes[scope] = true