IndieAuth support (#1811)

* Able to authenticate user against IndieAuth. For #1273

* WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272

* Add migration to remove access tokens from user

* Add authenticated bool to user for display purposes

* Add indieauth modal and auth flair to display names. For #1273

* Validate URLs and display errors

* Renames, cleanups

* Handle relative auth endpoint paths. Add error handling for missing redirects.

* Disallow using display names in use by registered users. Closes #1810

* Verify code verifier via code challenge on callback

* Use relative path to authorization_endpoint

* Post-rebase fixes

* Use a timestamp instead of a bool for authenticated

* Propertly handle and display error in modal

* Use auth'ed timestamp to derive authenticated flag to display in chat

* don't redirect unless a URL is present

avoids redirecting to `undefined` if there was an error

* improve error message if owncast server URL isn't set

* fix IndieAuth PKCE implementation

use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding

* return real profile data for IndieAuth response

* check the code verifier in the IndieAuth server

* Linting

* Add new chat settings modal anad split up indieauth ui

* Remove logging error

* Update the IndieAuth modal UI. For #1273

* Add IndieAuth repsonse error checking

* Disable IndieAuth client if server URL is not set.

* Add explicit error messages for specific error types

* Fix bad logic

* Return OAuth-keyed error responses for indieauth server

* Display IndieAuth error in plain text with link to return to main page

* Remove redundant check

* Add additional detail to error

* Hide IndieAuth details behind disclosure details

* Break out migration into two steps because some people have been runing dev in production

* Add auth option to user dropdown

Co-authored-by: Aaron Parecki <aaron@parecki.com>

db/models.go

@@ -38,6 +38,14 @@ type ApOutbox struct {
 	LiveNotification sql.NullBool
 }
 
+type Auth struct {
+	ID        int32
+	UserID    string
+	Token     string
+	Type      string
+	Timestamp time.Time
+}
+
 type IpBan struct {
 	IpAddress string
 	Notes     sql.NullString
@@ -50,3 +58,23 @@ type Notification struct {
 	Destination string
 	CreatedAt   sql.NullTime
 }
+
+type User struct {
+	ID              string
+	DisplayName     string
+	DisplayColor    int32
+	CreatedAt       sql.NullTime
+	DisabledAt      sql.NullTime
+	PreviousNames   sql.NullString
+	NamechangedAt   sql.NullTime
+	Scopes          sql.NullString
+	AuthenticatedAt sql.NullTime
+	Type            sql.NullString
+	LastUsed        interface{}
+}
+
+type UserAccessToken struct {
+	Token     string
+	UserID    string
+	Timestamp time.Time
+}

db/query.sql

@@ -78,3 +78,29 @@ SELECT destination FROM notifications WHERE channel = $1;
 
 -- name: RemoveNotificationDestinationForChannel :exec
 DELETE FROM notifications WHERE channel = $1 AND destination = $2;
+-- name: AddAuthForUser :exec
+INSERT INTO auth(user_id, token, type) values($1, $2, $3);
+
+-- name: GetUserByAuth :one
+SELECT users.id, display_name, display_color, users.created_at, disabled_at, previous_names, namechanged_at, authenticated_at, scopes FROM auth, users WHERE token = $1 AND auth.type = $2 AND users.id = auth.user_id;
+
+-- name: AddAccessTokenForUser :exec
+INSERT INTO user_access_tokens(token, user_id) values($1, $2);
+
+-- name: GetUserByAccessToken :one
+SELECT users.id, display_name, display_color, users.created_at, disabled_at, previous_names, namechanged_at, authenticated_at, scopes FROM users, user_access_tokens WHERE token = $1 AND users.id = user_id;
+
+-- name: GetUserDisplayNameByToken :one
+SELECT display_name FROM users, user_access_tokens WHERE token = $1 AND users.id = user_id AND disabled_at = NULL;
+
+-- name: SetAccessTokenToOwner :exec
+UPDATE user_access_tokens SET user_id = $1 WHERE token = $2;
+
+-- name: SetUserAsAuthenticated :exec
+UPDATE users SET authenticated_at = CURRENT_TIMESTAMP WHERE id = $1;
+
+-- name: IsDisplayNameAvailable :one
+SELECT count(*) FROM users WHERE display_name = $1 AND authenticated_at is not null AND disabled_at is NULL;
+
+-- name: ChangeDisplayName :exec
+UPDATE users SET display_name = $1, previous_names = previous_names || $2, namechanged_at = $3 WHERE id = $4;

db/query.sql.go

@@ -11,6 +11,35 @@ import (
 	"time"
 )
 
+const addAccessTokenForUser = `-- name: AddAccessTokenForUser :exec
+INSERT INTO user_access_tokens(token, user_id) values($1, $2)
+`
+
+type AddAccessTokenForUserParams struct {
+	Token  string
+	UserID string
+}
+
+func (q *Queries) AddAccessTokenForUser(ctx context.Context, arg AddAccessTokenForUserParams) error {
+	_, err := q.db.ExecContext(ctx, addAccessTokenForUser, arg.Token, arg.UserID)
+	return err
+}
+
+const addAuthForUser = `-- name: AddAuthForUser :exec
+INSERT INTO auth(user_id, token, type) values($1, $2, $3)
+`
+
+type AddAuthForUserParams struct {
+	UserID string
+	Token  string
+	Type   string
+}
+
+func (q *Queries) AddAuthForUser(ctx context.Context, arg AddAuthForUserParams) error {
+	_, err := q.db.ExecContext(ctx, addAuthForUser, arg.UserID, arg.Token, arg.Type)
+	return err
+}
+
 const addFollower = `-- name: AddFollower :exec
 INSERT INTO ap_followers(iri, inbox, request, request_object, name, username, image, approved_at) values($1, $2, $3, $4, $5, $6, $7, $8)
 `
@@ -124,6 +153,27 @@ func (q *Queries) BanIPAddress(ctx context.Context, arg BanIPAddressParams) erro
 	return err
 }
 
+const changeDisplayName = `-- name: ChangeDisplayName :exec
+UPDATE users SET display_name = $1, previous_names = previous_names || $2, namechanged_at = $3 WHERE id = $4
+`
+
+type ChangeDisplayNameParams struct {
+	DisplayName   string
+	PreviousNames sql.NullString
+	NamechangedAt sql.NullTime
+	ID            string
+}
+
+func (q *Queries) ChangeDisplayName(ctx context.Context, arg ChangeDisplayNameParams) error {
+	_, err := q.db.ExecContext(ctx, changeDisplayName,
+		arg.DisplayName,
+		arg.PreviousNames,
+		arg.NamechangedAt,
+		arg.ID,
+	)
+	return err
+}
+
 const doesInboundActivityExist = `-- name: DoesInboundActivityExist :one
 SELECT count(*) FROM ap_accepted_activities WHERE iri = $1 AND actor = $2 AND TYPE = $3
 `
@@ -492,6 +542,99 @@ func (q *Queries) GetRejectedAndBlockedFollowers(ctx context.Context) ([]GetReje
 	return items, nil
 }
 
+const getUserByAccessToken = `-- name: GetUserByAccessToken :one
+SELECT users.id, display_name, display_color, users.created_at, disabled_at, previous_names, namechanged_at, authenticated_at, scopes FROM users, user_access_tokens WHERE token = $1 AND users.id = user_id
+`
+
+type GetUserByAccessTokenRow struct {
+	ID              string
+	DisplayName     string
+	DisplayColor    int32
+	CreatedAt       sql.NullTime
+	DisabledAt      sql.NullTime
+	PreviousNames   sql.NullString
+	NamechangedAt   sql.NullTime
+	AuthenticatedAt sql.NullTime
+	Scopes          sql.NullString
+}
+
+func (q *Queries) GetUserByAccessToken(ctx context.Context, token string) (GetUserByAccessTokenRow, error) {
+	row := q.db.QueryRowContext(ctx, getUserByAccessToken, token)
+	var i GetUserByAccessTokenRow
+	err := row.Scan(
+		&i.ID,
+		&i.DisplayName,
+		&i.DisplayColor,
+		&i.CreatedAt,
+		&i.DisabledAt,
+		&i.PreviousNames,
+		&i.NamechangedAt,
+		&i.AuthenticatedAt,
+		&i.Scopes,
+	)
+	return i, err
+}
+
+const getUserByAuth = `-- name: GetUserByAuth :one
+SELECT users.id, display_name, display_color, users.created_at, disabled_at, previous_names, namechanged_at, authenticated_at, scopes FROM auth, users WHERE token = $1 AND auth.type = $2 AND users.id = auth.user_id
+`
+
+type GetUserByAuthParams struct {
+	Token string
+	Type  string
+}
+
+type GetUserByAuthRow struct {
+	ID              string
+	DisplayName     string
+	DisplayColor    int32
+	CreatedAt       sql.NullTime
+	DisabledAt      sql.NullTime
+	PreviousNames   sql.NullString
+	NamechangedAt   sql.NullTime
+	AuthenticatedAt sql.NullTime
+	Scopes          sql.NullString
+}
+
+func (q *Queries) GetUserByAuth(ctx context.Context, arg GetUserByAuthParams) (GetUserByAuthRow, error) {
+	row := q.db.QueryRowContext(ctx, getUserByAuth, arg.Token, arg.Type)
+	var i GetUserByAuthRow
+	err := row.Scan(
+		&i.ID,
+		&i.DisplayName,
+		&i.DisplayColor,
+		&i.CreatedAt,
+		&i.DisabledAt,
+		&i.PreviousNames,
+		&i.NamechangedAt,
+		&i.AuthenticatedAt,
+		&i.Scopes,
+	)
+	return i, err
+}
+
+const getUserDisplayNameByToken = `-- name: GetUserDisplayNameByToken :one
+SELECT display_name FROM users, user_access_tokens WHERE token = $1 AND users.id = user_id AND disabled_at = NULL
+`
+
+func (q *Queries) GetUserDisplayNameByToken(ctx context.Context, token string) (string, error) {
+	row := q.db.QueryRowContext(ctx, getUserDisplayNameByToken, token)
+	var display_name string
+	err := row.Scan(&display_name)
+	return display_name, err
+}
+
+const isDisplayNameAvailable = `-- name: IsDisplayNameAvailable :one
+SELECT count(*) FROM users WHERE display_name = $1 AND authenticated_at is not null AND disabled_at is NULL
+`
+
+func (q *Queries) IsDisplayNameAvailable(ctx context.Context, displayName string) (int64, error) {
+	row := q.db.QueryRowContext(ctx, isDisplayNameAvailable, displayName)
+	var count int64
+	err := row.Scan(&count)
+	return count, err
+}
+
 const isIPAddressBlocked = `-- name: IsIPAddressBlocked :one
 SELECT count(*) FROM ip_bans WHERE ip_address = $1
 `
@@ -549,6 +692,29 @@ func (q *Queries) RemoveNotificationDestinationForChannel(ctx context.Context, a
 	return err
 }
 
+const setAccessTokenToOwner = `-- name: SetAccessTokenToOwner :exec
+UPDATE user_access_tokens SET user_id = $1 WHERE token = $2
+`
+
+type SetAccessTokenToOwnerParams struct {
+	UserID string
+	Token  string
+}
+
+func (q *Queries) SetAccessTokenToOwner(ctx context.Context, arg SetAccessTokenToOwnerParams) error {
+	_, err := q.db.ExecContext(ctx, setAccessTokenToOwner, arg.UserID, arg.Token)
+	return err
+}
+
+const setUserAsAuthenticated = `-- name: SetUserAsAuthenticated :exec
+UPDATE users SET authenticated_at = CURRENT_TIMESTAMP WHERE id = $1
+`
+
+func (q *Queries) SetUserAsAuthenticated(ctx context.Context, id string) error {
+	_, err := q.db.ExecContext(ctx, setUserAsAuthenticated, id)
+	return err
+}
+
 const updateFollowerByIRI = `-- name: UpdateFollowerByIRI :exec
 UPDATE ap_followers SET inbox = $1, name = $2, username = $3, image = $4 WHERE iri = $5
 `

db/schema.sql

@@ -49,3 +49,33 @@ CREATE TABLE IF NOT EXISTS notifications (
 		"destination" TEXT NOT NULL,
 		"created_at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP);
 		CREATE INDEX channel_index ON notifications (channel);
+
+CREATE TABLE IF NOT EXISTS users (
+		"id" TEXT,
+		"display_name" TEXT NOT NULL,
+		"display_color" INTEGER NOT NULL,
+		"created_at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+		"disabled_at" TIMESTAMP,
+		"previous_names" TEXT DEFAULT '',
+		"namechanged_at" TIMESTAMP,
+		"scopes" TEXT,
+    "authenticated_at" TIMESTAMP,
+		"type" TEXT DEFAULT 'STANDARD',
+		"last_used" DATETIME DEFAULT CURRENT_TIMESTAMP,
+		PRIMARY KEY (id)
+	);
+
+CREATE TABLE IF NOT EXISTS user_access_tokens (
+  "token" TEXT NOT NULL PRIMARY KEY,
+  "user_id" TEXT NOT NULL,
+  "timestamp" DATE DEFAULT CURRENT_TIMESTAMP NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS auth (
+    "id" INTEGER NOT NULL PRIMARY KEY,
+		"user_id" TEXT NOT NULL,
+    "token" TEXT NOT NULL,
+    "type" TEXT NOT NULL,
+		"timestamp" DATE DEFAULT CURRENT_TIMESTAMP NOT NULL
+	);
+  CREATE INDEX auth_token ON auth (token);