IndieAuth support (#1811)

* Able to authenticate user against IndieAuth. For #1273

* WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272

* Add migration to remove access tokens from user

* Add authenticated bool to user for display purposes

* Add indieauth modal and auth flair to display names. For #1273

* Validate URLs and display errors

* Renames, cleanups

* Handle relative auth endpoint paths. Add error handling for missing redirects.

* Disallow using display names in use by registered users. Closes #1810

* Verify code verifier via code challenge on callback

* Use relative path to authorization_endpoint

* Post-rebase fixes

* Use a timestamp instead of a bool for authenticated

* Propertly handle and display error in modal

* Use auth'ed timestamp to derive authenticated flag to display in chat

* don't redirect unless a URL is present

avoids redirecting to `undefined` if there was an error

* improve error message if owncast server URL isn't set

* fix IndieAuth PKCE implementation

use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding

* return real profile data for IndieAuth response

* check the code verifier in the IndieAuth server

* Linting

* Add new chat settings modal anad split up indieauth ui

* Remove logging error

* Update the IndieAuth modal UI. For #1273

* Add IndieAuth repsonse error checking

* Disable IndieAuth client if server URL is not set.

* Add explicit error messages for specific error types

* Fix bad logic

* Return OAuth-keyed error responses for indieauth server

* Display IndieAuth error in plain text with link to return to main page

* Remove redundant check

* Add additional detail to error

* Hide IndieAuth details behind disclosure details

* Break out migration into two steps because some people have been runing dev in production

* Add auth option to user dropdown

Co-authored-by: Aaron Parecki <aaron@parecki.com>

core/data/data.go

@@ -17,7 +17,7 @@ import (
 )
 
 const (
-	schemaVersion = 4
+	schemaVersion = 5
 )
 
 var (
@@ -75,6 +75,7 @@ func SetupPersistence(file string) error {
 
 	createWebhooksTable()
 	createUsersTable(db)
+	createAccessTokenTable(db)
 
 	if _, err := db.Exec(`CREATE TABLE IF NOT EXISTS config (
 		"key" string NOT NULL PRIMARY KEY,
@@ -141,6 +142,8 @@ func migrateDatabase(db *sql.DB, from, to int) error {
 			migrateToSchema3(db)
 		case 3:
 			migrateToSchema4(db)
+		case 4:
+			migrateToSchema5(db)
 		default:
 			log.Fatalln("missing database migration step")
 		}

core/data/migrations.go

@@ -2,6 +2,8 @@ package data
 
 import (
 	"database/sql"
+	"fmt"
+	"strings"
 	"time"
 
 	"github.com/owncast/owncast/utils"
@@ -9,7 +11,75 @@ import (
 	"github.com/teris-io/shortid"
 )
 
+func migrateToSchema5(db *sql.DB) {
+	// Access tokens have been broken into its own table.
+
+	// Authenticated bool added to the users table.
+	stmt, err := db.Prepare("ALTER TABLE users ADD authenticated_at timestamp DEFAULT null ")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer stmt.Close()
+	_, err = stmt.Exec()
+	if err != nil {
+		log.Warnln(err)
+	}
+
+	// Migrate the access tokens from the users table to the access tokens table.
+	query := `SELECT id, access_token, created_at FROM users`
+	rows, err := db.Query(query)
+	if err != nil || rows.Err() != nil {
+		log.Errorln("error migrating access tokens to schema v5", err, rows.Err())
+		return
+	}
+	defer rows.Close()
+
+	valueStrings := []string{}
+	valueArgs := []interface{}{}
+
+	var token string
+	var userID string
+	var timestamp time.Time
+	for rows.Next() {
+		if err := rows.Scan(&userID, &token, &timestamp); err != nil {
+			log.Error("There is a problem reading the database.", err)
+			return
+		}
+
+		valueStrings = append(valueStrings, "(?, ?, ?)")
+		valueArgs = append(valueArgs, userID, token, timestamp)
+	}
+
+	smt := `INSERT INTO user_access_tokens(token, user_id, timestamp) VALUES %s ON CONFLICT DO NOTHING`
+	smt = fmt.Sprintf(smt, strings.Join(valueStrings, ","))
+	// fmt.Println(smt)
+	tx, err := db.Begin()
+	if err != nil {
+		log.Fatalln("Error starting transaction", err)
+	}
+	_, err = tx.Exec(smt, valueArgs...)
+	if err != nil {
+		_ = tx.Rollback()
+		log.Fatalln("Error inserting access tokens", err)
+	}
+	if err := tx.Commit(); err != nil {
+		log.Fatalln("Error committing transaction", err)
+	}
+
+	// Remove old access token column from the users table.
+	stmt, err = db.Prepare("ALTER TABLE users DROP COLUMN access_token;")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer stmt.Close()
+	_, err = stmt.Exec()
+	if err != nil {
+		log.Warnln(err)
+	}
+}
+
 func migrateToSchema4(db *sql.DB) {
+	// Access tokens have been broken into its own table.
 	stmt, err := db.Prepare("ALTER TABLE ap_followers ADD COLUMN request_object BLOB")
 	if err != nil {
 		log.Fatal(err)

core/data/users.go

@@ -6,18 +6,37 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
+func createAccessTokenTable(db *sql.DB) {
+	createTableSQL := `CREATE TABLE IF NOT EXISTS user_access_tokens (
+    "token" TEXT NOT NULL PRIMARY KEY,
+    "user_id" TEXT NOT NULL,
+    "timestamp" DATE DEFAULT CURRENT_TIMESTAMP NOT NULL,
+    FOREIGN KEY(user_id) REFERENCES users(id)
+  );`
+
+	stmt, err := db.Prepare(createTableSQL)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer stmt.Close()
+	_, err = stmt.Exec()
+	if err != nil {
+		log.Warnln(err)
+	}
+}
+
 func createUsersTable(db *sql.DB) {
 	log.Traceln("Creating users table...")
 
 	createTableSQL := `CREATE TABLE IF NOT EXISTS users (
 		"id" TEXT,
-		"access_token" string NOT NULL,
 		"display_name" TEXT NOT NULL,
 		"display_color" NUMBER NOT NULL,
 		"created_at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
 		"disabled_at" TIMESTAMP,
 		"previous_names" TEXT DEFAULT '',
 		"namechanged_at" TIMESTAMP,
+    "authenticated_at" TIMESTAMP,
 		"scopes" TEXT,
 		"type" TEXT DEFAULT 'STANDARD',
 		"last_used" DATETIME DEFAULT CURRENT_TIMESTAMP,