owncast/auth/persistence.go

package auth

import (
	"context"
	"strings"

	"github.com/owncast/owncast/core/data"
	"github.com/owncast/owncast/core/user"

	"github.com/owncast/owncast/db"
)

var _datastore *data.Datastore

// Setup will initialize auth persistence.
func Setup(db *data.Datastore) {
	_datastore = db

	createTableSQL := `CREATE TABLE IF NOT EXISTS auth (
    "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
		"user_id" TEXT NOT NULL,
    "token" TEXT NOT NULL,
    "type" TEXT NOT NULL,
		"timestamp" DATE DEFAULT CURRENT_TIMESTAMP NOT NULL,
    FOREIGN KEY(user_id) REFERENCES users(id)
	);`
	_datastore.MustExec(createTableSQL)
	_datastore.MustExec(`CREATE INDEX IF NOT EXISTS idx_auth_token ON auth (token);`)
}

// AddAuth will add an external authentication token and type for a user.
func AddAuth(userID, authToken string, authType Type) error {
	return _datastore.GetQueries().AddAuthForUser(context.Background(), db.AddAuthForUserParams{
		UserID: userID,
		Token:  authToken,
		Type:   string(authType),
	})
}

// GetUserByAuth will return an existing user given auth details if a user
// has previously authenticated with that method.
func GetUserByAuth(authToken string, authType Type) *user.User {
	u, err := _datastore.GetQueries().GetUserByAuth(context.Background(), db.GetUserByAuthParams{
		Token: authToken,
		Type:  string(authType),
	})
	if err != nil {
		return nil
	}

	var scopes []string
	if u.Scopes.Valid {
		scopes = strings.Split(u.Scopes.String, ",")
	}

	return &user.User{
		ID:              u.ID,
		DisplayName:     u.DisplayName,
		DisplayColor:    int(u.DisplayColor),
		CreatedAt:       u.CreatedAt.Time,
		DisabledAt:      &u.DisabledAt.Time,
		PreviousNames:   strings.Split(u.PreviousNames.String, ","),
		NameChangedAt:   &u.NamechangedAt.Time,
		AuthenticatedAt: &u.AuthenticatedAt.Time,
		Scopes:          scopes,
	}
}
IndieAuth support (#1811) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com> 2022-04-22 00:55:26 +03:00			`package auth`

			`import (`
			`"context"`
			`"strings"`

			`"github.com/owncast/owncast/core/data"`
			`"github.com/owncast/owncast/core/user"`

			`"github.com/owncast/owncast/db"`
			`)`

			`var _datastore *data.Datastore`

			`// Setup will initialize auth persistence.`
			`func Setup(db *data.Datastore) {`
			`_datastore = db`

			createTableSQL := `CREATE TABLE IF NOT EXISTS auth (
			`"id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,`
			`"user_id" TEXT NOT NULL,`
			`"token" TEXT NOT NULL,`
			`"type" TEXT NOT NULL,`
			`"timestamp" DATE DEFAULT CURRENT_TIMESTAMP NOT NULL,`
			`FOREIGN KEY(user_id) REFERENCES users(id)`
Fix creating table indexes 2022-08-03 08:45:15 +03:00			);`
			`_datastore.MustExec(createTableSQL)`
			_datastore.MustExec(`CREATE INDEX IF NOT EXISTS idx_auth_token ON auth (token);`)
IndieAuth support (#1811) * Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * don't redirect unless a URL is present avoids redirecting to `undefined` if there was an error * improve error message if owncast server URL isn't set * fix IndieAuth PKCE implementation use SHA256 instead of SHA1, generates a longer code verifier (must be 43-128 chars long), fixes URL-safe SHA256 encoding * return real profile data for IndieAuth response * check the code verifier in the IndieAuth server * Linting * Add new chat settings modal anad split up indieauth ui * Remove logging error * Update the IndieAuth modal UI. For #1273 * Add IndieAuth repsonse error checking * Disable IndieAuth client if server URL is not set. * Add explicit error messages for specific error types * Fix bad logic * Return OAuth-keyed error responses for indieauth server * Display IndieAuth error in plain text with link to return to main page * Remove redundant check * Add additional detail to error * Hide IndieAuth details behind disclosure details * Break out migration into two steps because some people have been runing dev in production * Add auth option to user dropdown Co-authored-by: Aaron Parecki <aaron@parecki.com> 2022-04-22 00:55:26 +03:00			`}`

			`// AddAuth will add an external authentication token and type for a user.`
			`func AddAuth(userID, authToken string, authType Type) error {`
			`return _datastore.GetQueries().AddAuthForUser(context.Background(), db.AddAuthForUserParams{`
			`UserID: userID,`
			`Token: authToken,`
			`Type: string(authType),`
			`})`
			`}`

			`// GetUserByAuth will return an existing user given auth details if a user`
			`// has previously authenticated with that method.`
			`func GetUserByAuth(authToken string, authType Type) *user.User {`
			`u, err := _datastore.GetQueries().GetUserByAuth(context.Background(), db.GetUserByAuthParams{`
			`Token: authToken,`
			`Type: string(authType),`
			`})`
			`if err != nil {`
			`return nil`
			`}`

			`var scopes []string`
			`if u.Scopes.Valid {`
			`scopes = strings.Split(u.Scopes.String, ",")`
			`}`

			`return &user.User{`
			`ID: u.ID,`
			`DisplayName: u.DisplayName,`
			`DisplayColor: int(u.DisplayColor),`
			`CreatedAt: u.CreatedAt.Time,`
			`DisabledAt: &u.DisabledAt.Time,`
			`PreviousNames: strings.Split(u.PreviousNames.String, ","),`
			`NameChangedAt: &u.NamechangedAt.Time,`
			`AuthenticatedAt: &u.AuthenticatedAt.Time,`
			`Scopes: scopes,`
			`}`
			`}`