owncast/auth/indieauth/random.go

package indieauth

import (
	"math/rand"
	"time"
	"unsafe"
)

const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
const (
	letterIdxBits = 6                    // 6 bits to represent a letter index
	letterIdxMask = 1<<letterIdxBits - 1 // All 1-bits, as many as letterIdxBits
	letterIdxMax  = 63 / letterIdxBits   // # of letter indices fitting in 63 bits
)

var src = rand.NewSource(time.Now().UnixNano())

func randString(n int) string {
	b := make([]byte, n)
	// A src.Int63() generates 63 random bits, enough for letterIdxMax characters!
	for i, cache, remain := n-1, src.Int63(), letterIdxMax; i >= 0; {
		if remain == 0 {
			cache, remain = src.Int63(), letterIdxMax
		}
		if idx := int(cache & letterIdxMask); idx < len(letterBytes) {
			b[i] = letterBytes[idx]
			i--
		}
		cache >>= letterIdxBits
		remain--
	}

	return *(*string)(unsafe.Pointer(&b)) // nolint:gosec
}
IndieAuth support (#1811) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com> 2022-04-22 00:55:26 +03:00			`package indieauth`

			`import (`
			`"math/rand"`
			`"time"`
			`"unsafe"`
			`)`

			`const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"`
			`const (`
			`letterIdxBits = 6 // 6 bits to represent a letter index`
			`letterIdxMask = 1<<letterIdxBits - 1 // All 1-bits, as many as letterIdxBits`
			`letterIdxMax = 63 / letterIdxBits // # of letter indices fitting in 63 bits`
			`)`

			`var src = rand.NewSource(time.Now().UnixNano())`

			`func randString(n int) string {`
			`b := make([]byte, n)`
			`// A src.Int63() generates 63 random bits, enough for letterIdxMax characters!`
			`for i, cache, remain := n-1, src.Int63(), letterIdxMax; i >= 0; {`
			`if remain == 0 {`
			`cache, remain = src.Int63(), letterIdxMax`
			`}`
			`if idx := int(cache & letterIdxMask); idx < len(letterBytes) {`
			`b[i] = letterBytes[idx]`
			`i--`
			`}`
			`cache >>= letterIdxBits`
			`remain--`
			`}`

			`return (string)(unsafe.Pointer(&b)) // nolint:gosec`
			`}`