owncast/auth/fediverse/fediverse.go

package fediverse

import (
	"crypto/rand"
	"io"
	"time"
)

// OTPRegistration represents a single OTP request.
type OTPRegistration struct {
	UserID          string
	UserDisplayName string
	Code            string
	Account         string
	Timestamp       time.Time
}

// Key by access token to limit one OTP request for a person
// to be active at a time.
var pendingAuthRequests = make(map[string]OTPRegistration)

const registrationTimeout = time.Minute * 10

// RegisterFediverseOTP will start the OTP flow for a user, creating a new
// code and returning it to be sent to a destination.
func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string) (OTPRegistration, bool) {
	request, requestExists := pendingAuthRequests[accessToken]

	// If a request is already registered and has not expired then return that
	// existing request.
	if requestExists && time.Since(request.Timestamp) < registrationTimeout {
		return request, false
	}

	code, _ := createCode()
	r := OTPRegistration{
		Code:            code,
		UserID:          userID,
		UserDisplayName: userDisplayName,
		Account:         account,
		Timestamp:       time.Now(),
	}
	pendingAuthRequests[accessToken] = r

	return r, true
}

// ValidateFediverseOTP will verify a OTP code for a auth request.
func ValidateFediverseOTP(accessToken, code string) (bool, *OTPRegistration) {
	request, ok := pendingAuthRequests[accessToken]

	if !ok || request.Code != code || time.Since(request.Timestamp) > registrationTimeout {
		return false, nil
	}

	delete(pendingAuthRequests, accessToken)
	return true, &request
}

func createCode() (string, error) {
	table := [...]byte{'1', '2', '3', '4', '5', '6', '7', '8', '9', '0'}

	digits := 6
	b := make([]byte, digits)
	n, err := io.ReadAtLeast(rand.Reader, b, digits)
	if n != digits {
		return "", err
	}
	for i := 0; i < len(b); i++ {
		b[i] = table[int(b[i])%len(table)]
	}
	return string(b), nil
}
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`package fediverse`

			`import (`
			`"crypto/rand"`
			`"io"`
			`"time"`
			`)`

			`// OTPRegistration represents a single OTP request.`
			`type OTPRegistration struct {`
			`UserID string`
			`UserDisplayName string`
			`Code string`
			`Account string`
			`Timestamp time.Time`
			`}`

			`// Key by access token to limit one OTP request for a person`
			`// to be active at a time.`
			`var pendingAuthRequests = make(map[string]OTPRegistration)`

Limit OTP requests to one per expiry window. Closes #2000 2022-08-02 23:29:06 +03:00			`const registrationTimeout = time.Minute * 10`

Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`// RegisterFediverseOTP will start the OTP flow for a user, creating a new`
			`// code and returning it to be sent to a destination.`
Limit OTP requests to one per expiry window. Closes #2000 2022-08-02 23:29:06 +03:00			`func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string) (OTPRegistration, bool) {`
			`request, requestExists := pendingAuthRequests[accessToken]`

			`// If a request is already registered and has not expired then return that`
			`// existing request.`
			`if requestExists && time.Since(request.Timestamp) < registrationTimeout {`
			`return request, false`
			`}`

Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`code, _ := createCode()`
			`r := OTPRegistration{`
			`Code: code,`
			`UserID: userID,`
			`UserDisplayName: userDisplayName,`
			`Account: account,`
			`Timestamp: time.Now(),`
			`}`
			`pendingAuthRequests[accessToken] = r`

Limit OTP requests to one per expiry window. Closes #2000 2022-08-02 23:29:06 +03:00			`return r, true`
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`}`

			`// ValidateFediverseOTP will verify a OTP code for a auth request.`
			`func ValidateFediverseOTP(accessToken, code string) (bool, *OTPRegistration) {`
			`request, ok := pendingAuthRequests[accessToken]`

Limit OTP requests to one per expiry window. Closes #2000 2022-08-02 23:29:06 +03:00			`if !ok \|\| request.Code != code \|\| time.Since(request.Timestamp) > registrationTimeout {`
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`return false, nil`
			`}`

			`delete(pendingAuthRequests, accessToken)`
			`return true, &request`
			`}`

			`func createCode() (string, error) {`
			`table := [...]byte{'1', '2', '3', '4', '5', '6', '7', '8', '9', '0'}`

			`digits := 6`
			`b := make([]byte, digits)`
			`n, err := io.ReadAtLeast(rand.Reader, b, digits)`
			`if n != digits {`
			`return "", err`
			`}`
			`for i := 0; i < len(b); i++ {`
			`b[i] = table[int(b[i])%len(table)]`
			`}`
			`return string(b), nil`
			`}`