Fediverse-based authentication (#1846)

* Able to authenticate user against IndieAuth. For #1273 * WIP server indieauth endpoint. For https://github.com/owncast/owncast/issues/1272 * Add migration to remove access tokens from user * Add authenticated bool to user for display purposes * Add indieauth modal and auth flair to display names. For #1273 * Validate URLs and display errors * Renames, cleanups * Handle relative auth endpoint paths. Add error handling for missing redirects. * Disallow using display names in use by registered users. Closes #1810 * Verify code verifier via code challenge on callback * Use relative path to authorization_endpoint * Post-rebase fixes * Use a timestamp instead of a bool for authenticated * Propertly handle and display error in modal * Use auth'ed timestamp to derive authenticated flag to display in chat * Fediverse chat auth via OTP * Increase validity time just in case * Add fediverse auth into auth modal * Text, validation, cleanup updates for fedi auth * Fix typo * Remove unused images * Remove unused file * Add chat display name to auth modal text
2024-11-21 20:28:15 +03:00 · 2022-04-22 17:23:14 -07:00 · 2022-04-22 17:23:14 -07:00 · a082cf3a77
commit a082cf3a77
parent 8b7e2b945e
21 changed files with 855 additions and 81 deletions
--- a/activitypub/activitypub.go
+++ b/activitypub/activitypub.go
@ -40,6 +40,11 @@ func SendPublicFederatedMessage(message string) error {
 	return outbox.SendPublicMessage(message)
 }

+// SendDirectFederatedMessage will send a direct message to a single account.
+func SendDirectFederatedMessage(message, account string) error {
+	return outbox.SendDirectMessageToAccount(message, account)
+}
+
 // GetFollowerCount will return the local tracked follower count.
 func GetFollowerCount() (int64, error) {
 	return persistence.GetFollowerCount()
--- a/activitypub/apmodels/activity.go
+++ b/activitypub/apmodels/activity.go
@ -17,13 +17,76 @@ const (
 	PUBLIC PrivacyAudience = "https://www.w3.org/ns/activitystreams#Public"
 )

-// MakeCreateActivity will return a new Create activity with the provided ID.
-func MakeCreateActivity(activityID *url.URL) vocab.ActivityStreamsCreate {
-	activity := streams.NewActivityStreamsCreate()
-	id := streams.NewJSONLDIdProperty()
-	id.Set(activityID)
-	activity.SetJSONLDId(id)
+// MakeNotePublic ses the required proeprties to make this note seen as public.
+func MakeNotePublic(note vocab.ActivityStreamsNote) vocab.ActivityStreamsNote {
+	public, _ := url.Parse(PUBLIC)
+	to := streams.NewActivityStreamsToProperty()
+	to.AppendIRI(public)
+	note.SetActivityStreamsTo(to)

+	audience := streams.NewActivityStreamsAudienceProperty()
+	audience.AppendIRI(public)
+	note.SetActivityStreamsAudience(audience)
+
+	return note
+}
+
+// MakeNoteDirect sets the required properties to make this note seen as a
+// direct message.
+func MakeNoteDirect(note vocab.ActivityStreamsNote, toIRI *url.URL) vocab.ActivityStreamsNote {
+	to := streams.NewActivityStreamsCcProperty()
+	to.AppendIRI(toIRI)
+	to.AppendIRI(toIRI)
+	note.SetActivityStreamsCc(to)
+
+	// Mastodon requires a tag with a type of "mention" and href of the account
+	// for a message to be a "Direct Message".
+	tagProperty := streams.NewActivityStreamsTagProperty()
+	tag := streams.NewTootHashtag()
+	tagTypeProperty := streams.NewJSONLDTypeProperty()
+	tagTypeProperty.AppendXMLSchemaString("Mention")
+	tag.SetJSONLDType(tagTypeProperty)
+
+	tagHrefProperty := streams.NewActivityStreamsHrefProperty()
+	tagHrefProperty.Set(toIRI)
+	tag.SetActivityStreamsHref(tagHrefProperty)
+	tagProperty.AppendTootHashtag(tag)
+	tagProperty.AppendTootHashtag(tag)
+	note.SetActivityStreamsTag(tagProperty)
+
+	return note
+}
+
+// MakeActivityDirect sets the required properties to make this activity seen
+// as a direct message.
+func MakeActivityDirect(activity vocab.ActivityStreamsCreate, toIRI *url.URL) vocab.ActivityStreamsCreate {
+	to := streams.NewActivityStreamsCcProperty()
+	to.AppendIRI(toIRI)
+	to.AppendIRI(toIRI)
+	activity.SetActivityStreamsCc(to)
+
+	// Mastodon requires a tag with a type of "mention" and href of the account
+	// for a message to be a "Direct Message".
+	tagProperty := streams.NewActivityStreamsTagProperty()
+	tag := streams.NewTootHashtag()
+	tagTypeProperty := streams.NewJSONLDTypeProperty()
+	tagTypeProperty.AppendXMLSchemaString("Mention")
+	tag.SetJSONLDType(tagTypeProperty)
+
+	tagHrefProperty := streams.NewActivityStreamsHrefProperty()
+	tagHrefProperty.Set(toIRI)
+	tag.SetActivityStreamsHref(tagHrefProperty)
+	tagProperty.AppendTootHashtag(tag)
+	tagProperty.AppendTootHashtag(tag)
+
+	activity.SetActivityStreamsTag(tagProperty)
+
+	return activity
+}
+
+// MakeActivityPublic sets the required properties to make this activity
+// seen as public.
+func MakeActivityPublic(activity vocab.ActivityStreamsCreate) vocab.ActivityStreamsCreate {
 	// TO the public if we're not treating ActivityPub as "private".
 	if !data.GetFederationIsPrivate() {
 		public, _ := url.Parse(PUBLIC)
@ -40,6 +103,16 @@ func MakeCreateActivity(activityID *url.URL) vocab.ActivityStreamsCreate {
 	return activity
 }

+// MakeCreateActivity will return a new Create activity with the provided ID.
+func MakeCreateActivity(activityID *url.URL) vocab.ActivityStreamsCreate {
+	activity := streams.NewActivityStreamsCreate()
+	id := streams.NewJSONLDIdProperty()
+	id.Set(activityID)
+	activity.SetJSONLDId(id)
+
+	return activity
+}
+
 // MakeUpdateActivity will return a new Update activity with the provided aID.
 func MakeUpdateActivity(activityID *url.URL) vocab.ActivityStreamsUpdate {
 	activity := streams.NewActivityStreamsUpdate()
@ -61,9 +134,11 @@ func MakeUpdateActivity(activityID *url.URL) vocab.ActivityStreamsUpdate {
 // MakeNote will return a new Note object.
 func MakeNote(text string, noteIRI *url.URL, attributedToIRI *url.URL) vocab.ActivityStreamsNote {
 	note := streams.NewActivityStreamsNote()
+
 	content := streams.NewActivityStreamsContentProperty()
 	content.AppendXMLSchemaString(text)
 	note.SetActivityStreamsContent(content)
+
 	id := streams.NewJSONLDIdProperty()
 	id.Set(noteIRI)
 	note.SetJSONLDId(id)
@ -77,17 +152,5 @@ func MakeNote(text string, noteIRI *url.URL, attributedToIRI *url.URL) vocab.Act
 	attr.AppendIRI(attributedTo)
 	note.SetActivityStreamsAttributedTo(attr)

-	// To the public if we're not treating ActivityPub as "private".
-	if !data.GetFederationIsPrivate() {
-		public, _ := url.Parse(PUBLIC)
-		to := streams.NewActivityStreamsToProperty()
-		to.AppendIRI(public)
-		note.SetActivityStreamsTo(to)
-
-		audience := streams.NewActivityStreamsAudienceProperty()
-		audience.AppendIRI(public)
-		note.SetActivityStreamsAudience(audience)
-	}
-
 	return note
 }
--- a/activitypub/apmodels/webfinger.go
+++ b/activitypub/apmodels/webfinger.go
@ -11,6 +11,11 @@ type WebfingerResponse struct {
 	Links   []Link   `json:"links"`
 }

+// WebfingerProfileRequestResponse represents a Webfinger profile request response.
+type WebfingerProfileRequestResponse struct {
+	Self string
+}
+
 // Link represents a Webfinger response Link entity.
 type Link struct {
 	Rel  string `json:"rel"`
@ -41,3 +46,18 @@ func MakeWebfingerResponse(account string, inbox string, host string) WebfingerR
 		},
 	}
 }
+
+// MakeWebFingerRequestResponseFromData converts WebFinger data to an easier
+// to use model.
+func MakeWebFingerRequestResponseFromData(data []map[string]interface{}) WebfingerProfileRequestResponse {
+	response := WebfingerProfileRequestResponse{}
+	for _, link := range data {
+		if link["rel"] == "self" {
+			return WebfingerProfileRequestResponse{
+				Self: link["href"].(string),
+			}
+		}
+	}
+
+	return response
+}
--- a/activitypub/outbox/outbox.go
+++ b/activitypub/outbox/outbox.go
@ -1,7 +1,6 @@
 package outbox

 import (
-	"errors"
 	"fmt"
 	"net/url"
 	"path/filepath"
@ -13,7 +12,11 @@ import (
 	"github.com/owncast/owncast/activitypub/apmodels"
 	"github.com/owncast/owncast/activitypub/crypto"
 	"github.com/owncast/owncast/activitypub/persistence"
+	"github.com/owncast/owncast/activitypub/requests"
+	"github.com/owncast/owncast/activitypub/resolvers"
+	"github.com/owncast/owncast/activitypub/webfinger"
 	"github.com/owncast/owncast/activitypub/workerpool"
+	"github.com/pkg/errors"

 	"github.com/owncast/owncast/config"
 	"github.com/owncast/owncast/core/data"
@ -61,6 +64,12 @@ func SendLive() error {

 	activity, _, note, noteID := createBaseOutboundMessage(textContent)

+	// To the public if we're not treating ActivityPub as "private".
+	if !data.GetFederationIsPrivate() {
+		note = apmodels.MakeNotePublic(note)
+		activity = apmodels.MakeActivityPublic(activity)
+	}
+
 	note.SetActivityStreamsTag(tagProp)

 	// Attach an image along with the Federated message.
@ -106,6 +115,37 @@ func SendLive() error {
 	return nil
 }

+// SendDirectMessageToAccount will send a direct message to a single account.
+func SendDirectMessageToAccount(textContent, account string) error {
+	links, err := webfinger.GetWebfingerLinks(account)
+	if err != nil {
+		return errors.Wrap(err, "unable to get webfinger links when sending private message")
+	}
+	user := apmodels.MakeWebFingerRequestResponseFromData(links)
+
+	iri := user.Self
+	actor, err := resolvers.GetResolvedActorFromIRI(iri)
+	if err != nil {
+		return errors.Wrap(err, "unable to resolve actor to send message to")
+	}
+
+	activity, _, note, _ := createBaseOutboundMessage(textContent)
+
+	// Set direct message visibility
+	activity = apmodels.MakeActivityDirect(activity, actor.ActorIri)
+	note = apmodels.MakeNoteDirect(note, actor.ActorIri)
+	object := activity.GetActivityStreamsObject()
+	object.SetActivityStreamsNote(0, note)
+
+	b, err := apmodels.Serialize(activity)
+	if err != nil {
+		log.Errorln("unable to serialize custom fediverse message activity", err)
+		return errors.Wrap(err, "unable to serialize custom fediverse message activity")
+	}
+
+	return SendToUser(actor.Inbox, b)
+}
+
 // SendPublicMessage will send a public message to all followers.
 func SendPublicMessage(textContent string) error {
 	originalContent := textContent
@ -191,6 +231,20 @@ func SendToFollowers(payload []byte) error {
 	return nil
 }

+// SendToUser will send a payload to a single specific inbox.
+func SendToUser(inbox *url.URL, payload []byte) error {
+	localActor := apmodels.MakeLocalIRIForAccount(data.GetDefaultFederationUsername())
+
+	req, err := requests.CreateSignedRequest(payload, inbox, localActor)
+	if err != nil {
+		return errors.Wrap(err, "unable to create outbox request")
+	}
+
+	workerpool.AddToOutboundQueue(req)
+
+	return nil
+}
+
 // UpdateFollowersWithAccountUpdates will send an update to all followers alerting of a profile update.
 func UpdateFollowersWithAccountUpdates() error {
 	// Don't do anything if federation is disabled.
--- a/activitypub/requests/http.go
+++ b/activitypub/requests/http.go
@ -1,12 +1,16 @@
 package requests

 import (
+	"bytes"
 	"encoding/json"
+	"fmt"
 	"net/http"
+	"net/url"

 	"github.com/go-fed/activity/streams"
 	"github.com/go-fed/activity/streams/vocab"
 	"github.com/owncast/owncast/activitypub/crypto"
+	"github.com/owncast/owncast/config"

 	log "github.com/sirupsen/logrus"
 )
@ -50,3 +54,21 @@ func WriteResponse(payload []byte, w http.ResponseWriter, publicKey crypto.Publi

 	return nil
 }
+
+// CreateSignedRequest will create a signed POST request of a payload to the provided destination.
+func CreateSignedRequest(payload []byte, url *url.URL, fromActorIRI *url.URL) (*http.Request, error) {
+	log.Debugln("Sending", string(payload), "to", url)
+
+	req, _ := http.NewRequest(http.MethodPost, url.String(), bytes.NewBuffer(payload))
+
+	ua := fmt.Sprintf("%s; https://owncast.online", config.GetReleaseString())
+	req.Header.Set("User-Agent", ua)
+	req.Header.Set("Content-Type", "application/activity+json")
+
+	if err := crypto.SignRequest(req, payload, fromActorIRI); err != nil {
+		log.Errorln("error signing request:", err)
+		return nil, err
+	}
+
+	return req, nil
+}
--- a/activitypub/webfinger/webfinger.go
+++ b/activitypub/webfinger/webfinger.go
@ -0,0 +1,46 @@
+package webfinger
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+// GetWebfingerLinks will return webfinger data for an account.
+func GetWebfingerLinks(account string) ([]map[string]interface{}, error) {
+	type webfingerResponse struct {
+		Links []map[string]interface{} `json:"links"`
+	}
+
+	account = strings.TrimLeft(account, "@") // remove any leading @
+	accountComponents := strings.Split(account, "@")
+	fediverseServer := accountComponents[1]
+
+	// HTTPS is required.
+	requestURL, err := url.Parse("https://" + fediverseServer)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse fediverse server host %s", fediverseServer)
+	}
+
+	requestURL.Path = "/.well-known/webfinger"
+	query := requestURL.Query()
+	query.Add("resource", fmt.Sprintf("acct:%s", account))
+	requestURL.RawQuery = query.Encode()
+
+	response, err := http.DefaultClient.Get(requestURL.String())
+	if err != nil {
+		return nil, err
+	}
+
+	defer response.Body.Close()
+
+	var links webfingerResponse
+	decoder := json.NewDecoder(response.Body)
+	if err := decoder.Decode(&links); err != nil {
+		return nil, err
+	}
+
+	return links.Links, nil
+}
--- a/auth/auth.go
+++ b/auth/auth.go
@ -4,8 +4,8 @@ package auth
 type Type string

 // The different auth types we support.
-// Currently only IndieAuth.
 const (
 	// IndieAuth https://indieauth.spec.indieweb.org/.
 	IndieAuth Type = "indieauth"
+	Fediverse Type = "fediverse"
 )
--- a/auth/fediverse/fediverse.go
+++ b/auth/fediverse/fediverse.go
@ -0,0 +1,63 @@
+package fediverse
+
+import (
+	"crypto/rand"
+	"io"
+	"time"
+)
+
+// OTPRegistration represents a single OTP request.
+type OTPRegistration struct {
+	UserID          string
+	UserDisplayName string
+	Code            string
+	Account         string
+	Timestamp       time.Time
+}
+
+// Key by access token to limit one OTP request for a person
+// to be active at a time.
+var pendingAuthRequests = make(map[string]OTPRegistration)
+
+// RegisterFediverseOTP will start the OTP flow for a user, creating a new
+// code and returning it to be sent to a destination.
+func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string) OTPRegistration {
+	code, _ := createCode()
+	r := OTPRegistration{
+		Code:            code,
+		UserID:          userID,
+		UserDisplayName: userDisplayName,
+		Account:         account,
+		Timestamp:       time.Now(),
+	}
+	pendingAuthRequests[accessToken] = r
+
+	return r
+}
+
+// ValidateFediverseOTP will verify a OTP code for a auth request.
+func ValidateFediverseOTP(accessToken, code string) (bool, *OTPRegistration) {
+	request, ok := pendingAuthRequests[accessToken]
+
+	if !ok || request.Code != code || time.Since(request.Timestamp) > time.Minute*10 {
+		return false, nil
+	}
+
+	delete(pendingAuthRequests, accessToken)
+	return true, &request
+}
+
+func createCode() (string, error) {
+	table := [...]byte{'1', '2', '3', '4', '5', '6', '7', '8', '9', '0'}
+
+	digits := 6
+	b := make([]byte, digits)
+	n, err := io.ReadAtLeast(rand.Reader, b, digits)
+	if n != digits {
+		return "", err
+	}
+	for i := 0; i < len(b); i++ {
+		b[i] = table[int(b[i])%len(table)]
+	}
+	return string(b), nil
+}
--- a/auth/fediverse/fediverse_test.go
+++ b/auth/fediverse/fediverse_test.go
@ -0,0 +1,43 @@
+package fediverse
+
+import "testing"
+
+const (
+	accessToken     = "fake-access-token"
+	account         = "blah"
+	userID          = "fake-user-id"
+	userDisplayName = "fake-user-display-name"
+)
+
+func TestOTPFlowValidation(t *testing.T) {
+	r := RegisterFediverseOTP(accessToken, userID, userDisplayName, account)
+
+	if r.Code == "" {
+		t.Error("Code is empty")
+	}
+
+	if r.Account != account {
+		t.Error("Account is not set correctly")
+	}
+
+	if r.Timestamp.IsZero() {
+		t.Error("Timestamp is empty")
+	}
+
+	valid, registration := ValidateFediverseOTP(accessToken, r.Code)
+	if !valid {
+		t.Error("Code is not valid")
+	}
+
+	if registration.Account != account {
+		t.Error("Account is not set correctly")
+	}
+
+	if registration.UserID != userID {
+		t.Error("UserID is not set correctly")
+	}
+
+	if registration.UserDisplayName != userDisplayName {
+		t.Error("UserDisplayName is not set correctly")
+	}
+}
--- a/auth/persistence.go
+++ b/auth/persistence.go
@ -55,6 +55,7 @@ func GetUserByAuth(authToken string, authType Type) *user.User {
 		Type:  string(authType),
 	})
 	if err != nil {
+		log.Errorln(err)
 		return nil
 	}

--- a/controllers/auth/fediverse/fediverse.go
+++ b/controllers/auth/fediverse/fediverse.go
@ -0,0 +1,98 @@
+package fediverse
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/owncast/owncast/activitypub"
+	"github.com/owncast/owncast/auth"
+	"github.com/owncast/owncast/auth/fediverse"
+	fediverseauth "github.com/owncast/owncast/auth/fediverse"
+	"github.com/owncast/owncast/controllers"
+	"github.com/owncast/owncast/core/chat"
+	"github.com/owncast/owncast/core/data"
+	"github.com/owncast/owncast/core/user"
+	log "github.com/sirupsen/logrus"
+)
+
+// RegisterFediverseOTPRequest registers a new OTP request for the given access token.
+func RegisterFediverseOTPRequest(u user.User, w http.ResponseWriter, r *http.Request) {
+	type request struct {
+		FediverseAccount string `json:"account"`
+	}
+	var req request
+	decoder := json.NewDecoder(r.Body)
+	if err := decoder.Decode(&req); err != nil {
+		controllers.WriteSimpleResponse(w, false, "Could not decode request: "+err.Error())
+		return
+	}
+
+	accessToken := r.URL.Query().Get("accessToken")
+	reg := fediverseauth.RegisterFediverseOTP(accessToken, u.ID, u.DisplayName, req.FediverseAccount)
+	msg := fmt.Sprintf("<p>This is an automated message from %s. If you did not request this message please ignore or block. Your requested one-time code is:</p><p>%s</p>", data.GetServerName(), reg.Code)
+	if err := activitypub.SendDirectFederatedMessage(msg, reg.Account); err != nil {
+		controllers.WriteSimpleResponse(w, false, "Could not send code to fediverse: "+err.Error())
+		return
+	}
+
+	controllers.WriteSimpleResponse(w, true, "")
+}
+
+// VerifyFediverseOTPRequest verifies the given OTP code for the given access token.
+func VerifyFediverseOTPRequest(w http.ResponseWriter, r *http.Request) {
+	type request struct {
+		Code string `json:"code"`
+	}
+
+	var req request
+	decoder := json.NewDecoder(r.Body)
+	if err := decoder.Decode(&req); err != nil {
+		controllers.WriteSimpleResponse(w, false, "Could not decode request: "+err.Error())
+		return
+	}
+	accessToken := r.URL.Query().Get("accessToken")
+	valid, authRegistration := fediverse.ValidateFediverseOTP(accessToken, req.Code)
+	if !valid {
+		w.WriteHeader(http.StatusForbidden)
+		return
+	}
+
+	// Check if a user with this auth already exists, if so, log them in.
+	if u := auth.GetUserByAuth(authRegistration.Account, auth.Fediverse); u != nil {
+		// Handle existing auth.
+		log.Debugln("user with provided fedvierse identity already exists, logging them in")
+
+		// Update the current user's access token to point to the existing user id.
+		userID := u.ID
+		if err := user.SetAccessTokenToOwner(accessToken, userID); err != nil {
+			controllers.WriteSimpleResponse(w, false, err.Error())
+			return
+		}
+
+		loginMessage := fmt.Sprintf("**%s** is now authenticated as **%s**", authRegistration.UserDisplayName, u.DisplayName)
+		if err := chat.SendSystemAction(loginMessage, true); err != nil {
+			log.Errorln(err)
+		}
+
+		controllers.WriteSimpleResponse(w, true, "")
+
+		return
+	}
+
+	// Otherwise, save this as new auth.
+	log.Debug("fediverse account does not already exist, saving it as a new one for the current user")
+	if err := auth.AddAuth(authRegistration.UserID, authRegistration.Account, auth.Fediverse); err != nil {
+		controllers.WriteSimpleResponse(w, false, err.Error())
+		return
+	}
+
+	// Update the current user's authenticated flag so we can show it in
+	// the chat UI.
+	if err := user.SetUserAsAuthenticated(authRegistration.UserID); err != nil {
+		log.Errorln(err)
+	}
+
+	controllers.WriteSimpleResponse(w, true, "")
+	w.WriteHeader(http.StatusOK)
+}
--- a/controllers/remoteFollow.go
+++ b/controllers/remoteFollow.go
@ -7,6 +7,7 @@ import (
 	"net/url"
 	"strings"

+	"github.com/owncast/owncast/activitypub/webfinger"
 	"github.com/owncast/owncast/core/data"
 )

@ -35,7 +36,7 @@ func RemoteFollow(w http.ResponseWriter, r *http.Request) {
 	localActorPath, _ := url.Parse(data.GetServerURL())
 	localActorPath.Path = fmt.Sprintf("/federation/user/%s", data.GetDefaultFederationUsername())
 	var template string
-	links, err := getWebfingerLinks(request.Account)
+	links, err := webfinger.GetWebfingerLinks(request.Account)
 	if err != nil {
 		WriteSimpleResponse(w, false, err.Error())
 		return
@ -62,39 +63,3 @@ func RemoteFollow(w http.ResponseWriter, r *http.Request) {

 	WriteResponse(w, response)
 }
-
-func getWebfingerLinks(account string) ([]map[string]interface{}, error) {
-	type webfingerResponse struct {
-		Links []map[string]interface{} `json:"links"`
-	}
-
-	account = strings.TrimLeft(account, "@") // remove any leading @
-	accountComponents := strings.Split(account, "@")
-	fediverseServer := accountComponents[1]
-
-	// HTTPS is required.
-	requestURL, err := url.Parse("https://" + fediverseServer)
-	if err != nil {
-		return nil, fmt.Errorf("unable to parse fediverse server host %s", fediverseServer)
-	}
-
-	requestURL.Path = "/.well-known/webfinger"
-	query := requestURL.Query()
-	query.Add("resource", fmt.Sprintf("acct:%s", account))
-	requestURL.RawQuery = query.Encode()
-
-	response, err := http.DefaultClient.Get(requestURL.String())
-	if err != nil {
-		return nil, err
-	}
-
-	defer response.Body.Close()
-
-	var links webfingerResponse
-	decoder := json.NewDecoder(response.Body)
-	if err := decoder.Decode(&links); err != nil {
-		return nil, err
-	}
-
-	return links.Links, nil
-}
--- a/router/router.go
+++ b/router/router.go
@ -13,6 +13,7 @@ import (
 	"github.com/owncast/owncast/config"
 	"github.com/owncast/owncast/controllers"
 	"github.com/owncast/owncast/controllers/admin"
+	fediverseauth "github.com/owncast/owncast/controllers/auth/fediverse"
 	"github.com/owncast/owncast/controllers/auth/indieauth"
 	"github.com/owncast/owncast/core/chat"
 	"github.com/owncast/owncast/core/data"
@ -355,10 +356,11 @@ func Start() error {
 	// Start auth flow
 	http.HandleFunc("/api/auth/indieauth", middleware.RequireUserAccessToken(indieauth.StartAuthFlow))
 	http.HandleFunc("/api/auth/indieauth/callback", indieauth.HandleRedirect)
-
-	// Handle auth provider requests
 	http.HandleFunc("/api/auth/provider/indieauth", indieauth.HandleAuthEndpoint)

+	http.HandleFunc("/api/auth/fediverse", middleware.RequireUserAccessToken(fediverseauth.RegisterFediverseOTPRequest))
+	http.HandleFunc("/api/auth/fediverse/verify", fediverseauth.VerifyFediverseOTPRequest)
+
 	// ActivityPub has its own router
 	activitypub.Start(data.GetDatastore())

--- a/webroot/img/indieauth.png
+++ b/webroot/img/indieauth.png
--- a/webroot/js/app.js
+++ b/webroot/js/app.js
@ -6,7 +6,6 @@ import { URL_WEBSOCKET } from './utils/constants.js';

 import { OwncastPlayer } from './components/player.js';
 import SocialIconsList from './components/platform-logos-list.js';
-import UsernameForm from './components/chat/username.js';
 import VideoPoster from './components/video-poster.js';
 import Followers from './components/federation/followers.js';
 import Chat from './components/chat/chat.js';
@ -635,7 +634,7 @@ export default class App extends Component {

  showAuthModal() {
    const data = {
-      title: 'Chat',
+      title: 'Authenticate with chat',
    };
    this.setState({ authModalData: data });
  }
@ -664,6 +663,7 @@ export default class App extends Component {
      // user details are so we can display them properly.
      const { user } = e;
      const { displayName, authenticated } = user;
+
      this.setState({
        username: displayName,
        authenticated,
@ -909,6 +909,7 @@ export default class App extends Component {
            authenticated=${authenticated}
            onClose=${this.closeAuthModal}
            indieAuthEnabled=${indieAuthEnabled}
+            federationEnabled=${federation.enabled}
          />`}
        />
      `;
@ -1082,6 +1083,7 @@ export default class App extends Component {

        ${chat} ${externalActionModal} ${fediverseFollowModal}
        ${notificationModal} ${authModal}
+
      </div>
    `;
  }
--- a/webroot/js/chat/indieauth.js
+++ b/webroot/js/chat/indieauth.js
@ -1,3 +0,0 @@
-import { URL_CHAT_INDIEAUTH_BEGIN } from '../utils/constants.js';
-
-export async function beginIndieAuthFlow() {}
--- a/webroot/js/components/auth-fediverse.js
+++ b/webroot/js/components/auth-fediverse.js
@ -0,0 +1,206 @@
+import { h, Component } from '/js/web_modules/preact.js';
+import htm from '/js/web_modules/htm.js';
+
+const html = htm.bind(h);
+
+export default class FediverseAuth extends Component {
+  constructor(props) {
+    super(props);
+
+    this.submitButtonPressed = this.submitButtonPressed.bind(this);
+
+    this.state = {
+      account: '',
+      code: '',
+      errorMessage: null,
+      loading: false,
+      verifying: false,
+      valid: false,
+    };
+  }
+
+  async makeRequest(url, data) {
+    const rawResponse = await fetch(url, {
+      method: 'POST',
+      headers: {
+        Accept: 'application/json',
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify(data),
+    });
+
+    const content = await rawResponse.json();
+    if (content.message) {
+      this.setState({ errorMessage: content.message, loading: false });
+      return;
+    }
+  }
+
+  switchToCodeVerify() {
+    this.setState({ verifying: true, loading: false });
+  }
+
+  async validateCodeButtonPressed() {
+    const { accessToken } = this.props;
+    const { code } = this.state;
+
+    this.setState({ loading: true, errorMessage: null });
+
+    const url = `/api/auth/fediverse/verify?accessToken=${accessToken}`;
+    const data = { code: code };
+
+    try {
+      await this.makeRequest(url, data);
+
+      // Success. Reload the page.
+      window.location = '/';
+    } catch (e) {
+      console.error(e);
+      this.setState({ errorMessage: e, loading: false });
+    }
+  }
+
+  async registerAccountButtonPressed() {
+    const { accessToken } = this.props;
+    const { account, valid } = this.state;
+
+    if (!valid) {
+      return;
+    }
+
+    const url = `/api/auth/fediverse?accessToken=${accessToken}`;
+    const normalizedAccount = account.replace(/^@+/, '');
+    const data = { account: normalizedAccount };
+
+    this.setState({ loading: true, errorMessage: null });
+
+    try {
+      await this.makeRequest(url, data);
+      this.switchToCodeVerify();
+    } catch (e) {
+      console.error(e);
+      this.setState({ errorMessage: e, loading: false });
+    }
+  }
+
+  async submitButtonPressed() {
+    const { verifying } = this.state;
+    if (verifying) {
+      this.validateCodeButtonPressed();
+    } else {
+      this.registerAccountButtonPressed();
+    }
+  }
+
+  onInput = (e) => {
+    const { value } = e.target;
+    const { verifying } = this.state;
+
+    if (verifying) {
+      this.setState({ code: value });
+      return;
+    }
+
+    const valid = validateAccount(value);
+    this.setState({ account: value, valid });
+  };
+
+  render() {
+    const { errorMessage, account, code, valid, loading, verifying } =
+      this.state;
+    const { authenticated, username } = this.props;
+    const buttonState = valid ? '' : 'cursor-not-allowed opacity-50';
+
+    const loaderStyle = loading ? 'flex' : 'none';
+    const message = verifying
+      ? 'Paste in the code that was sent to your Fediverse account. If you did not receive a code, make sure you can accept direct messages.'
+      : !authenticated
+      ? html`Receive a direct message from on the Fediverse to ${' '} link your
+          account to ${' '} <span class="font-bold">${username}</span>, or login
+          as a previously linked chat user.`
+      : html`<span
+          ><b>You are already authenticated</b>. However, you can add other
+          accounts or log in as a different user.</span
+        >`;
+    const label = verifying ? 'Code' : 'Your fediverse account';
+    const placeholder = verifying ? '123456' : 'youraccount@fediverse.server';
+    const buttonText = verifying ? 'Verify' : 'Authenticate with Fediverse';
+
+    const error = errorMessage
+      ? html` <div
+          class="bg-red-100 border border-red-400 text-red-700 px-4 py-3 rounded relative"
+          role="alert"
+        >
+          <div class="font-bold mb-2">There was an error.</div>
+          <div class="block mt-2">
+            Server error:
+            <div>${errorMessage}</div>
+          </div>
+        </div>`
+      : null;
+
+    return html`
+      <div class="bg-gray-100 bg-center bg-no-repeat">
+        <p class="text-gray-700 text-md">${message}</p>
+
+        ${error}
+
+        <div class="mb34">
+          <label
+            class="block text-gray-700 text-sm font-semibold mt-6"
+            for="username"
+          >
+            ${label}
+          </label>
+          <input
+            onInput=${this.onInput}
+            type="url"
+            value=${verifying ? code : account}
+            class="border bg-white rounded w-full py-2 px-3 mb-2 mt-2 text-indigo-700 leading-tight focus:outline-none focus:shadow-outline"
+            id="username"
+            type="text"
+            placeholder=${placeholder}
+          />
+          <button
+            class="bg-indigo-500 hover:bg-indigo-600 text-white font-bold py-2 mt-6 px-4 rounded focus:outline-none focus:shadow-outline ${buttonState}"
+            type="button"
+            onClick=${this.submitButtonPressed}
+          >
+            ${buttonText}
+          </button>
+        </div>
+
+        <p class="mt-4">
+          <details>
+            <summary class="cursor-pointer">
+              Learn more about using the Fediverse to authenticate with chat.
+            </summary>
+            <div class="inline">
+              <p class="mt-4">
+                You can link your chat identity with your Fediverse identity.
+                Next time you want to use this chat identity you can again go
+                through the Fediverse authentication.
+              </p>
+            </div>
+          </details>
+        </p>
+
+        <div
+          id="follow-loading-spinner-container"
+          style="display: ${loaderStyle}"
+        >
+          <img id="follow-loading-spinner" src="/img/loading.gif" />
+          <p class="text-gray-700 text-lg">Authenticating.</p>
+          <p class="text-gray-600 text-lg">Please wait...</p>
+        </div>
+      </div>
+    `;
+  }
+}
+
+function validateAccount(account) {
+  account = account.replace(/^@+/, '');
+  var regex =
+    /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
+  return regex.test(String(account).toLowerCase());
+}
--- a/webroot/js/components/auth-indieauth.js
+++ b/webroot/js/components/auth-indieauth.js
@ -16,7 +16,7 @@ export default class IndieAuthForm extends Component {
  }

  async submitButtonPressed() {
-    const { accessToken, authenticated } = this.props;
+    const { accessToken } = this.props;
    const { host, valid } = this.state;

    if (!valid) {
@ -68,17 +68,17 @@ export default class IndieAuthForm extends Component {

  render() {
    const { errorMessage, loading, host, valid } = this.state;
-    const { authenticated } = this.props;
+    const { authenticated, username } = this.props;
    const buttonState = valid ? '' : 'cursor-not-allowed opacity-50';
    const loaderStyle = loading ? 'flex' : 'none';

    const message = !authenticated
-      ? `While you can chat completely anonymously you can also add
-  authentication so you can rejoin with the same chat persona from any
-  device or browser.`
+      ? html`Use your own domain to authenticate ${' '}
+          <span class="font-bold">${username}</span> or login as a previously
+          ${' '} authenticated chat user using IndieAuth.`
      : html`<span
          ><b>You are already authenticated</b>. However, you can add other
-          external sites or log in as a different user.</span
+          domains or log in as a different user.</span
        >`;

    let errorMessageText = errorMessage;
@ -134,7 +134,7 @@ export default class IndieAuthForm extends Component {
      <p class="mt-4">
        <details>
          <summary class="cursor-pointer">
-            Learn more about <span class="text-blue-500">IndieAuth</span>
+            Learn more about using IndieAuth to authenticate with chat.
          </summary>
          <div class="inline">
            <p class="mt-4">
@ -153,11 +153,6 @@ export default class IndieAuthForm extends Component {
        </details>
      </p>

-      <p class="mt-4">
-        <b>Note:</b> This is for authentication purposes only, and no personal
-        information will be accessed or stored.
-      </p>
-
      <div
        id="follow-loading-spinner-container"
        style="display: ${loaderStyle}"
--- a/webroot/js/components/auth-modal.js
+++ b/webroot/js/components/auth-modal.js
@ -0,0 +1,162 @@
+import { h, Component } from '/js/web_modules/preact.js';
+import htm from '/js/web_modules/htm.js';
+import { ExternalActionButton } from './external-action-modal.js';
+
+const html = htm.bind(h);
+
+export default class AuthModal extends Component {
+  constructor(props) {
+    super(props);
+
+    this.submitButtonPressed = this.submitButtonPressed.bind(this);
+
+    this.state = {
+      errorMessage: null,
+      loading: false,
+      valid: false,
+    };
+  }
+
+  async submitButtonPressed() {
+    const { accessToken } = this.props;
+    const { host, valid } = this.state;
+
+    if (!valid) {
+      return;
+    }
+
+    const url = `/api/auth/indieauth?accessToken=${accessToken}`;
+    const data = { authHost: host };
+
+    this.setState({ loading: true });
+
+    try {
+      const rawResponse = await fetch(url, {
+        method: 'POST',
+        headers: {
+          Accept: 'application/json',
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(data),
+      });
+
+      const content = await rawResponse.json();
+      if (content.message) {
+        this.setState({ errorMessage: content.message, loading: false });
+        return;
+      } else if (!content.redirect) {
+        this.setState({
+          errorMessage: 'Auth provider did not return a redirect URL.',
+          loading: false,
+        });
+        return;
+      }
+
+      const redirect = content.redirect;
+      window.location = redirect;
+    } catch (e) {
+      console.error(e);
+      this.setState({ errorMessage: e, loading: false });
+    }
+  }
+
+  onInput = (e) => {
+    const { value } = e.target;
+    let valid = validateURL(value);
+    this.setState({ host: value, valid });
+  };
+
+  render() {
+    const { errorMessage, host, valid, loading } = this.state;
+    const { authenticated } = this.props;
+    const buttonState = valid ? '' : 'cursor-not-allowed opacity-50';
+
+    const loaderStyle = loading ? 'flex' : 'none';
+
+    const message = !authenticated
+      ? `While you can chat completely anonymously you can also add
+    authentication so you can rejoin with the same chat persona from any
+    device or browser.`
+      : `You are already authenticated, however you can add other external sites or accounts to your chat account or log in as a different user.`;
+
+    const error = errorMessage
+      ? html` <div
+          class="bg-red-100 border border-red-400 text-red-700 px-4 py-3 rounded relative"
+          role="alert"
+        >
+          <div class="font-bold mb-2">There was an error.</div>
+          <div class="block mt-2">
+            Server error:
+            <div>${errorMessage}</div>
+          </div>
+        </div>`
+      : null;
+
+    return html`
+      <div class="bg-gray-100 bg-center bg-no-repeat p-4">
+        <p class="text-gray-700 text-md">${message}</p>
+
+        ${error}
+
+        <div class="mb34">
+          <label
+            class="block text-gray-700 text-sm font-semibold mt-6"
+            for="username"
+          >
+            IndieAuth with your own site
+          </label>
+          <input
+            onInput=${this.onInput}
+            type="url"
+            value=${host}
+            class="border bg-white rounded w-full py-2 px-3 mb-2 mt-2 text-indigo-700 leading-tight focus:outline-none focus:shadow-outline"
+            id="username"
+            type="text"
+            placeholder="https://yoursite.com"
+          />
+          <button
+            class="bg-indigo-500 hover:bg-indigo-600 text-white font-bold py-2 mt-6 px-4 rounded focus:outline-none focus:shadow-outline ${buttonState}"
+            type="button"
+            onClick=${this.submitButtonPressed}
+          >
+            Authenticate with IndieAuth
+          </button>
+          <p>
+            Learn more about
+            <a class="underline" href="https://indieauth.net/">IndieAuth</a>.
+          </p>
+        </div>
+
+        <div
+          id="follow-loading-spinner-container"
+          style="display: ${loaderStyle}"
+        >
+          <img id="follow-loading-spinner" src="/img/loading.gif" />
+          <p class="text-gray-700 text-lg">Authenticating.</p>
+          <p class="text-gray-600 text-lg">Please wait...</p>
+        </div>
+      </div>
+    `;
+  }
+}
+
+function validateURL(url) {
+  if (!url) {
+    return false;
+  }
+
+  try {
+    const u = new URL(url);
+    if (!u) {
+      return false;
+    }
+
+    if (u.protocol !== 'https:') {
+      return false;
+    }
+  } catch (e) {
+    return false;
+  }
+
+  return true;
+}
--- a/webroot/js/components/chat-settings-modal.js
+++ b/webroot/js/components/chat-settings-modal.js
@ -2,6 +2,7 @@ import { h, Component } from '/js/web_modules/preact.js';
 import htm from '/js/web_modules/htm.js';
 import TabBar from './tab-bar.js';
 import IndieAuthForm from './auth-indieauth.js';
+import FediverseAuth from './auth-fediverse.js';

 const html = htm.bind(h);

@ -10,13 +11,14 @@ export default class ChatSettingsModal extends Component {
    const {
      accessToken,
      authenticated,
+      federationEnabled,
      username,
-      onUsernameChange,
      indieAuthEnabled,
    } = this.props;

-    const TAB_CONTENT = [
-      {
+    const TAB_CONTENT = [];
+    if (indieAuthEnabled) {
+      TAB_CONTENT.push({
        label: html`<span style=${{ display: 'flex', alignItems: 'center' }}
          ><img
            style=${{
@ -31,13 +33,40 @@ export default class ChatSettingsModal extends Component {
        content: html`<${IndieAuthForm}}
          accessToken=${accessToken}
          authenticated=${authenticated}
+          username=${username}
        />`,
-      },
-    ];
+      });
+    }
+
+    if (federationEnabled) {
+      TAB_CONTENT.push({
+        label: html`<span style=${{ display: 'flex', alignItems: 'center' }}
+          ><img
+            style=${{
+              display: 'inline',
+              height: '0.8em',
+              marginRight: '5px',
+            }}
+            src="/img/fediverse-black.png"
+          />
+          FediAuth</span
+        >`,
+        content: html`<${FediverseAuth}}
+          authenticated=${authenticated}
+          accessToken=${accessToken}
+          authenticated=${authenticated}
+          username=${username}
+        />`,
+      });
+    }

    return html`
      <div class="bg-gray-100 bg-center bg-no-repeat p-5">
        <${TabBar} tabs=${TAB_CONTENT} ariaLabel="Chat settings" />
+        <p class="mt-4">
+          <b>Note:</b> This is for authentication purposes only, and no personal
+          information will be accessed or stored.
+        </p>
      </div>
    `;
  }
--- a/webroot/styles/app.css
+++ b/webroot/styles/app.css
@ -572,6 +572,7 @@ header {
  width: 100%;
  height: 100%;
  opacity: 0.7;
+  z-index: 100;
 }

 #follow-loading-spinner {