owncast/controllers/auth/indieauth/server.go

package indieauth

import (
	"net/http"
	"net/url"

	ia "github.com/owncast/owncast/auth/indieauth"
	"github.com/owncast/owncast/controllers"
	"github.com/owncast/owncast/router/middleware"
)

// HandleAuthEndpoint will handle the IndieAuth auth endpoint.
func HandleAuthEndpoint(w http.ResponseWriter, r *http.Request) {
	if r.Method == http.MethodGet {
		// Require the GET request for IndieAuth to be behind admin login.
		f := middleware.RequireAdminAuth(handleAuthEndpointGet)
		f(w, r)
		return
	} else if r.Method == http.MethodPost {
		handleAuthEndpointPost(w, r)
	} else {
		w.WriteHeader(http.StatusMethodNotAllowed)
		return
	}
}

func handleAuthEndpointGet(w http.ResponseWriter, r *http.Request) {
	clientID := r.URL.Query().Get("client_id")
	redirectURI := r.URL.Query().Get("redirect_uri")
	codeChallenge := r.URL.Query().Get("code_challenge")
	state := r.URL.Query().Get("state")
	me := r.URL.Query().Get("me")

	request, err := ia.StartServerAuth(clientID, redirectURI, codeChallenge, state, me)
	if err != nil {
		_ = controllers.WriteString(w, err.Error(), http.StatusInternalServerError)
		return
	}

	// Redirect the client browser with the values we generated to continue
	// the IndieAuth flow.
	// If the URL is invalid then return with specific "invalid_request" error.
	u, err := url.Parse(redirectURI)
	if err != nil {
		controllers.WriteResponse(w, ia.Response{
			Error:            "invalid_request",
			ErrorDescription: err.Error(),
		})
		return
	}

	redirectParams := u.Query()
	redirectParams.Set("code", request.Code)
	redirectParams.Set("state", request.State)
	u.RawQuery = redirectParams.Encode()

	http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)
}

func handleAuthEndpointPost(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		controllers.WriteSimpleResponse(w, false, err.Error())
		return
	}

	code := r.PostForm.Get("code")
	redirectURI := r.PostForm.Get("redirect_uri")
	clientID := r.PostForm.Get("client_id")
	codeVerifier := r.PostForm.Get("code_verifier")

	// If the server auth flow cannot be completed then return with specific
	// "invalid_client" error.
	response, err := ia.CompleteServerAuth(code, redirectURI, clientID, codeVerifier)
	if err != nil {
		controllers.WriteResponse(w, ia.Response{
			Error:            "invalid_client",
			ErrorDescription: err.Error(),
		})
		return
	}

	controllers.WriteResponse(w, response)
}
IndieAuth support (#1811) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com> 2022-04-22 00:55:26 +03:00			`package indieauth`

			`import (`
			`"net/http"`
			`"net/url"`

			`ia "github.com/owncast/owncast/auth/indieauth"`
			`"github.com/owncast/owncast/controllers"`
Require auth middleware only on GET requests 2022-06-06 08:46:46 +03:00			`"github.com/owncast/owncast/router/middleware"`
IndieAuth support (#1811) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com> 2022-04-22 00:55:26 +03:00			`)`

			`// HandleAuthEndpoint will handle the IndieAuth auth endpoint.`
			`func HandleAuthEndpoint(w http.ResponseWriter, r *http.Request) {`
			`if r.Method == http.MethodGet {`
			`// Require the GET request for IndieAuth to be behind admin login.`
Require auth middleware only on GET requests 2022-06-06 08:46:46 +03:00			`f := middleware.RequireAdminAuth(handleAuthEndpointGet)`
			`f(w, r)`
			`return`
IndieAuth support (#1811) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com> 2022-04-22 00:55:26 +03:00			`} else if r.Method == http.MethodPost {`
			`handleAuthEndpointPost(w, r)`
			`} else {`
			`w.WriteHeader(http.StatusMethodNotAllowed)`
			`return`
			`}`
			`}`

			`func handleAuthEndpointGet(w http.ResponseWriter, r *http.Request) {`
			`clientID := r.URL.Query().Get("client_id")`
			`redirectURI := r.URL.Query().Get("redirect_uri")`
			`codeChallenge := r.URL.Query().Get("code_challenge")`
			`state := r.URL.Query().Get("state")`
			`me := r.URL.Query().Get("me")`

			`request, err := ia.StartServerAuth(clientID, redirectURI, codeChallenge, state, me)`
			`if err != nil {`
Prune expired auth requests + add global max limit. Closes #2490 2022-12-24 07:20:59 +03:00			`_ = controllers.WriteString(w, err.Error(), http.StatusInternalServerError)`
IndieAuth support (#1811) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com> 2022-04-22 00:55:26 +03:00			`return`
			`}`

			`// Redirect the client browser with the values we generated to continue`
			`// the IndieAuth flow.`
			`// If the URL is invalid then return with specific "invalid_request" error.`
			`u, err := url.Parse(redirectURI)`
			`if err != nil {`
			`controllers.WriteResponse(w, ia.Response{`
			`Error: "invalid_request",`
			`ErrorDescription: err.Error(),`
			`})`
			`return`
			`}`

			`redirectParams := u.Query()`
			`redirectParams.Set("code", request.Code)`
			`redirectParams.Set("state", request.State)`
			`u.RawQuery = redirectParams.Encode()`

			`http.Redirect(w, r, u.String(), http.StatusTemporaryRedirect)`
			`}`

			`func handleAuthEndpointPost(w http.ResponseWriter, r *http.Request) {`
			`if err := r.ParseForm(); err != nil {`
			`controllers.WriteSimpleResponse(w, false, err.Error())`
			`return`
			`}`

			`code := r.PostForm.Get("code")`
			`redirectURI := r.PostForm.Get("redirect_uri")`
			`clientID := r.PostForm.Get("client_id")`
			`codeVerifier := r.PostForm.Get("code_verifier")`

			`// If the server auth flow cannot be completed then return with specific`
			`// "invalid_client" error.`
			`response, err := ia.CompleteServerAuth(code, redirectURI, clientID, codeVerifier)`
			`if err != nil {`
			`controllers.WriteResponse(w, ia.Response{`
			`Error: "invalid_client",`
			`ErrorDescription: err.Error(),`
			`})`
			`return`
			`}`

			`controllers.WriteResponse(w, response)`
			`}`