owncast/auth/fediverse/fediverse.go

package fediverse

import (
	"crypto/rand"
	"errors"
	"io"
	"strings"
	"sync"
	"time"

	log "github.com/sirupsen/logrus"
)

// OTPRegistration represents a single OTP request.
type OTPRegistration struct {
	Timestamp       time.Time
	UserID          string
	UserDisplayName string
	Code            string
	Account         string
}

// Key by access token to limit one OTP request for a person
// to be active at a time.
var (
	pendingAuthRequests = make(map[string]OTPRegistration)
	lock                = sync.Mutex{}
)

const (
	registrationTimeout = time.Minute * 10
	maxPendingRequests  = 1000
)

func init() {
	go setupExpiredRequestPruner()
}

// Clear out any pending requests that have been pending for greater than
// the specified timeout value.
func setupExpiredRequestPruner() {
	pruneExpiredRequestsTimer := time.NewTicker(registrationTimeout)

	for range pruneExpiredRequestsTimer.C {
		lock.Lock()
		log.Debugln("Pruning expired OTP requests.")
		for k, v := range pendingAuthRequests {
			if time.Since(v.Timestamp) > registrationTimeout {
				delete(pendingAuthRequests, k)
			}
		}
		lock.Unlock()
	}
}

// RegisterFediverseOTP will start the OTP flow for a user, creating a new
// code and returning it to be sent to a destination.
func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string) (OTPRegistration, bool, error) {
	request, requestExists := pendingAuthRequests[accessToken]

	// If a request is already registered and has not expired then return that
	// existing request.
	if requestExists && time.Since(request.Timestamp) < registrationTimeout {
		return request, false, nil
	}

	lock.Lock()
	defer lock.Unlock()

	if len(pendingAuthRequests)+1 > maxPendingRequests {
		return request, false, errors.New("Please try again later. Too many pending requests.")
	}

	code, _ := createCode()
	r := OTPRegistration{
		Code:            code,
		UserID:          userID,
		UserDisplayName: userDisplayName,
		Account:         strings.ToLower(account),
		Timestamp:       time.Now(),
	}
	pendingAuthRequests[accessToken] = r

	return r, true, nil
}

// ValidateFediverseOTP will verify a OTP code for a auth request.
func ValidateFediverseOTP(accessToken, code string) (bool, *OTPRegistration) {
	request, ok := pendingAuthRequests[accessToken]

	if !ok || request.Code != code || time.Since(request.Timestamp) > registrationTimeout {
		return false, nil
	}

	lock.Lock()
	defer lock.Unlock()

	delete(pendingAuthRequests, accessToken)
	return true, &request
}

func createCode() (string, error) {
	table := [...]byte{'1', '2', '3', '4', '5', '6', '7', '8', '9', '0'}

	digits := 6
	b := make([]byte, digits)
	n, err := io.ReadAtLeast(rand.Reader, b, digits)
	if n != digits {
		return "", err
	}
	for i := 0; i < len(b); i++ {
		b[i] = table[int(b[i])%len(table)]
	}
	return string(b), nil
}
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`package fediverse`

			`import (`
			`"crypto/rand"`
Prune expired auth requests + add global max limit. Closes #2490 2022-12-24 07:20:59 +03:00			`"errors"`
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`"io"`
Treat fediverse usernames as case-insensitive (#2155) * treat fediverse usernames as case-insensitive for auth * add test for case insensitive, clean up duplicate import in federverse auth controller * fix test, there was an issue with state when all the tests were run 2022-10-02 21:16:46 +03:00			`"strings"`
Prune expired auth requests + add global max limit. Closes #2490 2022-12-24 07:20:59 +03:00			`"sync"`
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`"time"`
Prune expired auth requests + add global max limit. Closes #2490 2022-12-24 07:20:59 +03:00
			`log "github.com/sirupsen/logrus"`
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`)`

			`// OTPRegistration represents a single OTP request.`
			`type OTPRegistration struct {`
Update to Go 1.20 + run better align (#2927) * chore(go): update go version to 1.20. Closes #2185 * chore(go): run better align against project To optimize struct field order. Closes #2870 * chore(go): update CI jobs to use Go 1.20 * fix(go): linter warnings for Go 1.20 update 2023-05-30 20:31:43 +03:00			`Timestamp time.Time`
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`UserID string`
			`UserDisplayName string`
			`Code string`
			`Account string`
			`}`

			`// Key by access token to limit one OTP request for a person`
			`// to be active at a time.`
Prune expired auth requests + add global max limit. Closes #2490 2022-12-24 07:20:59 +03:00			`var (`
			`pendingAuthRequests = make(map[string]OTPRegistration)`
			`lock = sync.Mutex{}`
			`)`
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00
Prune expired auth requests + add global max limit. Closes #2490 2022-12-24 07:20:59 +03:00			`const (`
			`registrationTimeout = time.Minute * 10`
			`maxPendingRequests = 1000`
			`)`

			`func init() {`
			`go setupExpiredRequestPruner()`
			`}`

			`// Clear out any pending requests that have been pending for greater than`
			`// the specified timeout value.`
			`func setupExpiredRequestPruner() {`
			`pruneExpiredRequestsTimer := time.NewTicker(registrationTimeout)`

			`for range pruneExpiredRequestsTimer.C {`
			`lock.Lock()`
			`log.Debugln("Pruning expired OTP requests.")`
			`for k, v := range pendingAuthRequests {`
			`if time.Since(v.Timestamp) > registrationTimeout {`
			`delete(pendingAuthRequests, k)`
			`}`
			`}`
			`lock.Unlock()`
			`}`
			`}`
Limit OTP requests to one per expiry window. Closes #2000 2022-08-02 23:29:06 +03:00
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`// RegisterFediverseOTP will start the OTP flow for a user, creating a new`
			`// code and returning it to be sent to a destination.`
Prune expired auth requests + add global max limit. Closes #2490 2022-12-24 07:20:59 +03:00			`func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string) (OTPRegistration, bool, error) {`
Limit OTP requests to one per expiry window. Closes #2000 2022-08-02 23:29:06 +03:00			`request, requestExists := pendingAuthRequests[accessToken]`

			`// If a request is already registered and has not expired then return that`
			`// existing request.`
			`if requestExists && time.Since(request.Timestamp) < registrationTimeout {`
Prune expired auth requests + add global max limit. Closes #2490 2022-12-24 07:20:59 +03:00			`return request, false, nil`
			`}`

			`lock.Lock()`
			`defer lock.Unlock()`

			`if len(pendingAuthRequests)+1 > maxPendingRequests {`
			`return request, false, errors.New("Please try again later. Too many pending requests.")`
Limit OTP requests to one per expiry window. Closes #2000 2022-08-02 23:29:06 +03:00			`}`

Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`code, _ := createCode()`
			`r := OTPRegistration{`
			`Code: code,`
			`UserID: userID,`
			`UserDisplayName: userDisplayName,`
Treat fediverse usernames as case-insensitive (#2155) * treat fediverse usernames as case-insensitive for auth * add test for case insensitive, clean up duplicate import in federverse auth controller * fix test, there was an issue with state when all the tests were run 2022-10-02 21:16:46 +03:00			`Account: strings.ToLower(account),`
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`Timestamp: time.Now(),`
			`}`
			`pendingAuthRequests[accessToken] = r`

Prune expired auth requests + add global max limit. Closes #2490 2022-12-24 07:20:59 +03:00			`return r, true, nil`
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`}`

			`// ValidateFediverseOTP will verify a OTP code for a auth request.`
			`func ValidateFediverseOTP(accessToken, code string) (bool, *OTPRegistration) {`
			`request, ok := pendingAuthRequests[accessToken]`

Limit OTP requests to one per expiry window. Closes #2000 2022-08-02 23:29:06 +03:00			`if !ok \|\| request.Code != code \|\| time.Since(request.Timestamp) > registrationTimeout {`
Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`return false, nil`
			`}`

Prune expired auth requests + add global max limit. Closes #2490 2022-12-24 07:20:59 +03:00			`lock.Lock()`
			`defer lock.Unlock()`

Fediverse-based authentication (#1846) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text 2022-04-23 03:23:14 +03:00			`delete(pendingAuthRequests, accessToken)`
			`return true, &request`
			`}`

			`func createCode() (string, error) {`
			`table := [...]byte{'1', '2', '3', '4', '5', '6', '7', '8', '9', '0'}`

			`digits := 6`
			`b := make([]byte, digits)`
			`n, err := io.ReadAtLeast(rand.Reader, b, digits)`
			`if n != digits {`
			`return "", err`
			`}`
			`for i := 0; i < len(b); i++ {`
			`b[i] = table[int(b[i])%len(table)]`
			`}`
			`return string(b), nil`
			`}`