IndieAuth support (#1811)
* Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com>
This commit is contained in:
Gabe Kangas
@@ -1,12 +1,13 @@
|
||||
package user
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"errors"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/owncast/owncast/utils"
|
||||
"github.com/pkg/errors"
|
||||
log "github.com/sirupsen/logrus"
|
||||
"github.com/teris-io/shortid"
|
||||
)
|
||||
@@ -55,13 +56,13 @@ func InsertExternalAPIUser(token string, name string, color int, scopes []string
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
stmt, err := tx.Prepare("INSERT INTO users(id, access_token, display_name, display_color, scopes, type, previous_names) values(?, ?, ?, ?, ?, ?, ?)")
|
||||
stmt, err := tx.Prepare("INSERT INTO users(id, display_name, display_color, scopes, type, previous_names) values(?, ?, ?, ?, ?, ?)")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer stmt.Close()
|
||||
|
||||
if _, err = stmt.Exec(id, token, name, color, scopesString, "API", name); err != nil {
|
||||
if _, err = stmt.Exec(id, name, color, scopesString, "API", name); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -69,6 +70,10 @@ func InsertExternalAPIUser(token string, name string, color int, scopes []string
|
||||
return err
|
||||
}
|
||||
|
||||
if err := addAccessTokenForUser(token, id); err != nil {
|
||||
return errors.Wrap(err, "unable to save access token for new external api user")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -83,13 +88,13 @@ func DeleteExternalAPIUser(token string) error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
stmt, err := tx.Prepare("UPDATE users SET disabled_at = ? WHERE access_token = ?")
|
||||
stmt, err := tx.Prepare("UPDATE users SET disabled_at = CURRENT_TIMESTAMP WHERE id = (SELECT user_id FROM user_access_tokens WHERE token = ?)")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer stmt.Close()
|
||||
|
||||
result, err := stmt.Exec(time.Now(), token)
|
||||
result, err := stmt.Exec(token)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -112,20 +117,20 @@ func GetExternalAPIUserForAccessTokenAndScope(token string, scope string) (*Exte
|
||||
// so we can efficiently find if a token supports a single scope.
|
||||
// This is SQLite specific, so if we ever support other database
|
||||
// backends we need to support other methods.
|
||||
query := `SELECT id, access_token, scopes, display_name, display_color, created_at, last_used FROM (
|
||||
WITH RECURSIVE split(id, access_token, scopes, display_name, display_color, created_at, last_used, disabled_at, scope, rest) AS (
|
||||
SELECT id, access_token, scopes, display_name, display_color, created_at, last_used, disabled_at, '', scopes || ',' FROM users
|
||||
query := `SELECT id, scopes, display_name, display_color, created_at, last_used FROM user_access_tokens, (
|
||||
WITH RECURSIVE split(id, scopes, display_name, display_color, created_at, last_used, disabled_at, scope, rest) AS (
|
||||
SELECT id, scopes, display_name, display_color, created_at, last_used, disabled_at, '', scopes || ',' FROM users
|
||||
UNION ALL
|
||||
SELECT id, access_token, scopes, display_name, display_color, created_at, last_used, disabled_at,
|
||||
SELECT id, scopes, display_name, display_color, created_at, last_used, disabled_at,
|
||||
substr(rest, 0, instr(rest, ',')),
|
||||
substr(rest, instr(rest, ',')+1)
|
||||
FROM split
|
||||
WHERE rest <> '')
|
||||
SELECT id, access_token, scopes, display_name, display_color, created_at, last_used, disabled_at, scope
|
||||
SELECT id, scopes, display_name, display_color, created_at, last_used, disabled_at, scope
|
||||
FROM split
|
||||
WHERE scope <> ''
|
||||
ORDER BY access_token, scope
|
||||
) AS token WHERE token.access_token = ? AND token.scope = ?`
|
||||
ORDER BY scope
|
||||
) AS token WHERE user_access_tokens.token = ? AND token.scope = ?`
|
||||
|
||||
row := _datastore.DB.QueryRow(query, token, scope)
|
||||
integration, err := makeExternalAPIUserFromRow(row)
|
||||
@@ -135,23 +140,18 @@ func GetExternalAPIUserForAccessTokenAndScope(token string, scope string) (*Exte
|
||||
|
||||
// GetIntegrationNameForAccessToken will return the integration name associated with a specific access token.
|
||||
func GetIntegrationNameForAccessToken(token string) *string {
|
||||
query := "SELECT display_name FROM users WHERE access_token IS ? AND disabled_at IS NULL"
|
||||
row := _datastore.DB.QueryRow(query, token)
|
||||
|
||||
var name string
|
||||
err := row.Scan(&name)
|
||||
name, err := _datastore.GetQueries().GetUserDisplayNameByToken(context.Background(), token)
|
||||
if err != nil {
|
||||
log.Warnln(err)
|
||||
return nil
|
||||
}
|
||||
|
||||
return &name
|
||||
}
|
||||
|
||||
// GetExternalAPIUser will return all access tokens.
|
||||
// GetExternalAPIUser will return all API users with access tokens.
|
||||
func GetExternalAPIUser() ([]ExternalAPIUser, error) { //nolint
|
||||
// Get all messages sent within the past day
|
||||
query := "SELECT id, access_token, display_name, display_color, scopes, created_at, last_used FROM users WHERE type IS 'API' AND disabled_at IS NULL"
|
||||
query := "SELECT id, token, display_name, display_color, scopes, created_at, last_used FROM users, user_access_tokens WHERE user_access_tokens.user_id = id AND type IS 'API' AND disabled_at IS NULL"
|
||||
|
||||
rows, err := _datastore.DB.Query(query)
|
||||
if err != nil {
|
||||
@@ -170,7 +170,8 @@ func SetExternalAPIUserAccessTokenAsUsed(token string) error {
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
stmt, err := tx.Prepare("UPDATE users SET last_used = CURRENT_TIMESTAMP WHERE access_token = ?")
|
||||
// stmt, err := tx.Prepare("UPDATE users SET last_used = CURRENT_TIMESTAMP WHERE access_token = ?")
|
||||
stmt, err := tx.Prepare("UPDATE users SET last_used = CURRENT_TIMESTAMP WHERE id = (SELECT user_id FROM user_access_tokens WHERE token = ?)")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -189,14 +190,13 @@ func SetExternalAPIUserAccessTokenAsUsed(token string) error {
|
||||
|
||||
func makeExternalAPIUserFromRow(row *sql.Row) (*ExternalAPIUser, error) {
|
||||
var id string
|
||||
var accessToken string
|
||||
var displayName string
|
||||
var displayColor int
|
||||
var scopes string
|
||||
var createdAt time.Time
|
||||
var lastUsedAt *time.Time
|
||||
|
||||
err := row.Scan(&id, &accessToken, &scopes, &displayName, &displayColor, &createdAt, &lastUsedAt)
|
||||
err := row.Scan(&id, &scopes, &displayName, &displayColor, &createdAt, &lastUsedAt)
|
||||
if err != nil {
|
||||
log.Debugln("unable to convert row to api user", err)
|
||||
return nil, err
|
||||
@@ -204,7 +204,6 @@ func makeExternalAPIUserFromRow(row *sql.Row) (*ExternalAPIUser, error) {
|
||||
|
||||
integration := ExternalAPIUser{
|
||||
ID: id,
|
||||
AccessToken: accessToken,
|
||||
DisplayName: displayName,
|
||||
DisplayColor: displayColor,
|
||||
CreatedAt: createdAt,
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
package user
|
||||
|
||||
import (
|
||||
"context"
|
||||
"database/sql"
|
||||
"fmt"
|
||||
"sort"
|
||||
@@ -8,7 +9,9 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/owncast/owncast/core/data"
|
||||
"github.com/owncast/owncast/db"
|
||||
"github.com/owncast/owncast/utils"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/teris-io/shortid"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
@@ -23,16 +26,17 @@ const (
|
||||
|
||||
// User represents a single chat user.
|
||||
type User struct {
|
||||
ID string `json:"id"`
|
||||
AccessToken string `json:"-"`
|
||||
DisplayName string `json:"displayName"`
|
||||
DisplayColor int `json:"displayColor"`
|
||||
CreatedAt time.Time `json:"createdAt"`
|
||||
DisabledAt *time.Time `json:"disabledAt,omitempty"`
|
||||
PreviousNames []string `json:"previousNames"`
|
||||
NameChangedAt *time.Time `json:"nameChangedAt,omitempty"`
|
||||
Scopes []string `json:"scopes,omitempty"`
|
||||
IsBot bool `json:"isBot"`
|
||||
ID string `json:"id"`
|
||||
DisplayName string `json:"displayName"`
|
||||
DisplayColor int `json:"displayColor"`
|
||||
CreatedAt time.Time `json:"createdAt"`
|
||||
DisabledAt *time.Time `json:"disabledAt,omitempty"`
|
||||
PreviousNames []string `json:"previousNames"`
|
||||
NameChangedAt *time.Time `json:"nameChangedAt,omitempty"`
|
||||
Scopes []string `json:"scopes,omitempty"`
|
||||
IsBot bool `json:"isBot"`
|
||||
AuthenticatedAt *time.Time `json:"-"`
|
||||
Authenticated bool `json:"authenticated"`
|
||||
}
|
||||
|
||||
// IsEnabled will return if this single user is enabled.
|
||||
@@ -52,13 +56,8 @@ func SetupUsers() {
|
||||
}
|
||||
|
||||
// CreateAnonymousUser will create a new anonymous user with the provided display name.
|
||||
func CreateAnonymousUser(displayName string) (*User, error) {
|
||||
func CreateAnonymousUser(displayName string) (*User, string, error) {
|
||||
id := shortid.MustGenerate()
|
||||
accessToken, err := utils.GenerateAccessToken()
|
||||
if err != nil {
|
||||
log.Errorln("Unable to create access token for new user")
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if displayName == "" {
|
||||
suggestedUsernamesList := data.GetSuggestedUsernamesList()
|
||||
@@ -75,48 +74,62 @@ func CreateAnonymousUser(displayName string) (*User, error) {
|
||||
|
||||
user := &User{
|
||||
ID: id,
|
||||
AccessToken: accessToken,
|
||||
DisplayName: displayName,
|
||||
DisplayColor: displayColor,
|
||||
CreatedAt: time.Now(),
|
||||
}
|
||||
|
||||
// Create new user.
|
||||
if err := create(user); err != nil {
|
||||
return nil, err
|
||||
return nil, "", err
|
||||
}
|
||||
|
||||
return user, nil
|
||||
// Assign it an access token.
|
||||
accessToken, err := utils.GenerateAccessToken()
|
||||
if err != nil {
|
||||
log.Errorln("Unable to create access token for new user")
|
||||
return nil, "", err
|
||||
}
|
||||
if err := addAccessTokenForUser(accessToken, id); err != nil {
|
||||
return nil, "", errors.Wrap(err, "unable to save access token for new user")
|
||||
}
|
||||
|
||||
return user, accessToken, nil
|
||||
}
|
||||
|
||||
// IsDisplayNameAvailable will check if the proposed name is available for use.
|
||||
func IsDisplayNameAvailable(displayName string) (bool, error) {
|
||||
if available, err := _datastore.GetQueries().IsDisplayNameAvailable(context.Background(), displayName); err != nil {
|
||||
return false, errors.Wrap(err, "unable to check if display name is available")
|
||||
} else if available != 0 {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
return true, nil
|
||||
}
|
||||
|
||||
// ChangeUsername will change the user associated to userID from one display name to another.
|
||||
func ChangeUsername(userID string, username string) {
|
||||
func ChangeUsername(userID string, username string) error {
|
||||
_datastore.DbLock.Lock()
|
||||
defer _datastore.DbLock.Unlock()
|
||||
|
||||
tx, err := _datastore.DB.Begin()
|
||||
if err != nil {
|
||||
log.Debugln(err)
|
||||
}
|
||||
defer func() {
|
||||
if err := tx.Rollback(); err != nil {
|
||||
log.Debugln(err)
|
||||
}
|
||||
}()
|
||||
|
||||
stmt, err := tx.Prepare("UPDATE users SET display_name = ?, previous_names = previous_names || ?, namechanged_at = ? WHERE id = ?")
|
||||
if err != nil {
|
||||
log.Debugln(err)
|
||||
}
|
||||
defer stmt.Close()
|
||||
|
||||
_, err = stmt.Exec(username, fmt.Sprintf(",%s", username), time.Now(), userID)
|
||||
if err != nil {
|
||||
log.Errorln(err)
|
||||
if err := _datastore.GetQueries().ChangeDisplayName(context.Background(), db.ChangeDisplayNameParams{
|
||||
DisplayName: username,
|
||||
ID: userID,
|
||||
PreviousNames: sql.NullString{String: fmt.Sprintf(",%s", username), Valid: true},
|
||||
NamechangedAt: sql.NullTime{Time: time.Now(), Valid: true},
|
||||
}); err != nil {
|
||||
return errors.Wrap(err, "unable to change display name")
|
||||
}
|
||||
|
||||
if err := tx.Commit(); err != nil {
|
||||
log.Errorln("error changing display name of user", userID, err)
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func addAccessTokenForUser(accessToken, userID string) error {
|
||||
return _datastore.GetQueries().AddAccessTokenForUser(context.Background(), db.AddAccessTokenForUserParams{
|
||||
Token: accessToken,
|
||||
UserID: userID,
|
||||
})
|
||||
}
|
||||
|
||||
func create(user *User) error {
|
||||
@@ -131,15 +144,16 @@ func create(user *User) error {
|
||||
_ = tx.Rollback()
|
||||
}()
|
||||
|
||||
stmt, err := tx.Prepare("INSERT INTO users(id, access_token, display_name, display_color, previous_names, created_at) values(?, ?, ?, ?, ?, ?)")
|
||||
stmt, err := tx.Prepare("INSERT INTO users(id, display_name, display_color, previous_names, created_at) values(?, ?, ?, ?, ?)")
|
||||
if err != nil {
|
||||
log.Debugln(err)
|
||||
}
|
||||
defer stmt.Close()
|
||||
|
||||
_, err = stmt.Exec(user.ID, user.AccessToken, user.DisplayName, user.DisplayColor, user.DisplayName, user.CreatedAt)
|
||||
_, err = stmt.Exec(user.ID, user.DisplayName, user.DisplayColor, user.DisplayName, user.CreatedAt)
|
||||
if err != nil {
|
||||
log.Errorln("error creating new user", err)
|
||||
return err
|
||||
}
|
||||
|
||||
return tx.Commit()
|
||||
@@ -179,13 +193,53 @@ func SetEnabled(userID string, enabled bool) error {
|
||||
|
||||
// GetUserByToken will return a user by an access token.
|
||||
func GetUserByToken(token string) *User {
|
||||
_datastore.DbLock.Lock()
|
||||
defer _datastore.DbLock.Unlock()
|
||||
u, err := _datastore.GetQueries().GetUserByAccessToken(context.Background(), token)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
query := "SELECT id, display_name, display_color, created_at, disabled_at, previous_names, namechanged_at, scopes FROM users WHERE access_token = ?"
|
||||
row := _datastore.DB.QueryRow(query, token)
|
||||
var scopes []string
|
||||
if u.Scopes.Valid {
|
||||
scopes = strings.Split(u.Scopes.String, ",")
|
||||
}
|
||||
|
||||
return getUserFromRow(row)
|
||||
var disabledAt *time.Time
|
||||
if u.DisabledAt.Valid {
|
||||
disabledAt = &u.DisabledAt.Time
|
||||
}
|
||||
|
||||
var authenticatedAt *time.Time
|
||||
if u.AuthenticatedAt.Valid {
|
||||
authenticatedAt = &u.AuthenticatedAt.Time
|
||||
}
|
||||
|
||||
return &User{
|
||||
ID: u.ID,
|
||||
DisplayName: u.DisplayName,
|
||||
DisplayColor: int(u.DisplayColor),
|
||||
CreatedAt: u.CreatedAt.Time,
|
||||
DisabledAt: disabledAt,
|
||||
PreviousNames: strings.Split(u.PreviousNames.String, ","),
|
||||
NameChangedAt: &u.NamechangedAt.Time,
|
||||
AuthenticatedAt: authenticatedAt,
|
||||
Authenticated: authenticatedAt != nil,
|
||||
Scopes: scopes,
|
||||
}
|
||||
}
|
||||
|
||||
// SetAccessTokenToOwner will reassign an access token to be owned by a
|
||||
// different user. Used for logging in with external auth.
|
||||
func SetAccessTokenToOwner(token, userID string) error {
|
||||
return _datastore.GetQueries().SetAccessTokenToOwner(context.Background(), db.SetAccessTokenToOwnerParams{
|
||||
UserID: userID,
|
||||
Token: token,
|
||||
})
|
||||
}
|
||||
|
||||
// SetUserAsAuthenticated will mark that a user has been authenticated
|
||||
// in some way.
|
||||
func SetUserAsAuthenticated(userID string) error {
|
||||
return errors.Wrap(_datastore.GetQueries().SetUserAsAuthenticated(context.Background(), userID), "unable to set user as authenticated")
|
||||
}
|
||||
|
||||
// SetModerator will add or remove moderator status for a single user by ID.
|
||||
@@ -199,6 +253,10 @@ func SetModerator(userID string, isModerator bool) error {
|
||||
|
||||
func addScopeToUser(userID string, scope string) error {
|
||||
u := GetUserByID(userID)
|
||||
if u == nil {
|
||||
return errors.New("user not found when modifying scope")
|
||||
}
|
||||
|
||||
scopesString := u.Scopes
|
||||
scopes := utils.StringSliceToMap(scopesString)
|
||||
scopes[scope] = true
|
||||
|
||||
Reference in New Issue
Block a user