package user import ( "context" "database/sql" "strings" "time" "github.com/owncast/owncast/utils" "github.com/pkg/errors" log "github.com/sirupsen/logrus" "github.com/teris-io/shortid" ) // ExternalAPIUser represents a single 3rd party integration that uses an access token. // This struct mostly matches the User struct so they can be used interchangeably. type ExternalAPIUser struct { CreatedAt time.Time `json:"createdAt"` LastUsedAt *time.Time `json:"lastUsedAt,omitempty"` ID string `json:"id"` AccessToken string `json:"accessToken"` DisplayName string `json:"displayName"` Type string `json:"type,omitempty"` // Should be API Scopes []string `json:"scopes"` DisplayColor int `json:"displayColor"` IsBot bool `json:"isBot"` } const ( // ScopeCanSendChatMessages will allow sending chat messages as itself. ScopeCanSendChatMessages = "CAN_SEND_MESSAGES" // ScopeCanSendSystemMessages will allow sending chat messages as the system. ScopeCanSendSystemMessages = "CAN_SEND_SYSTEM_MESSAGES" // ScopeHasAdminAccess will allow performing administrative actions on the server. ScopeHasAdminAccess = "HAS_ADMIN_ACCESS" ) // For a scope to be seen as "valid" it must live in this slice. var validAccessTokenScopes = []string{ ScopeCanSendChatMessages, ScopeCanSendSystemMessages, ScopeHasAdminAccess, } // InsertExternalAPIUser will add a new API user to the database. func InsertExternalAPIUser(token string, name string, color int, scopes []string) error { log.Traceln("Adding new API user") _datastore.DbLock.Lock() defer _datastore.DbLock.Unlock() scopesString := strings.Join(scopes, ",") id := shortid.MustGenerate() tx, err := _datastore.DB.Begin() if err != nil { return err } stmt, err := tx.Prepare("INSERT INTO users(id, display_name, display_color, scopes, type, previous_names) values(?, ?, ?, ?, ?, ?)") if err != nil { return err } defer stmt.Close() if _, err = stmt.Exec(id, name, color, scopesString, "API", name); err != nil { return err } if err = tx.Commit(); err != nil { return err } if err := addAccessTokenForUser(token, id); err != nil { return errors.Wrap(err, "unable to save access token for new external api user") } return nil } // DeleteExternalAPIUser will delete a token from the database. func DeleteExternalAPIUser(token string) error { log.Traceln("Deleting access token") _datastore.DbLock.Lock() defer _datastore.DbLock.Unlock() tx, err := _datastore.DB.Begin() if err != nil { return err } stmt, err := tx.Prepare("UPDATE users SET disabled_at = CURRENT_TIMESTAMP WHERE id = (SELECT user_id FROM user_access_tokens WHERE token = ?)") if err != nil { return err } defer stmt.Close() result, err := stmt.Exec(token) if err != nil { return err } if rowsDeleted, _ := result.RowsAffected(); rowsDeleted == 0 { tx.Rollback() //nolint return errors.New(token + " not found") } if err = tx.Commit(); err != nil { return err } return nil } // GetExternalAPIUserForAccessTokenAndScope will determine if a specific token has access to perform a scoped action. func GetExternalAPIUserForAccessTokenAndScope(token string, scope string) (*ExternalAPIUser, error) { // This will split the scopes from comma separated to individual rows // so we can efficiently find if a token supports a single scope. // This is SQLite specific, so if we ever support other database // backends we need to support other methods. query := `SELECT id, scopes, display_name, display_color, created_at, last_used FROM user_access_tokens INNER JOIN ( WITH RECURSIVE split( id, scopes, display_name, display_color, created_at, last_used, disabled_at, scope, rest ) AS ( SELECT id, scopes, display_name, display_color, created_at, last_used, disabled_at, '', scopes || ',' FROM users AS u UNION ALL SELECT id, scopes, display_name, display_color, created_at, last_used, disabled_at, substr(rest, 0, instr(rest, ',')), substr(rest, instr(rest, ',') + 1) FROM split WHERE rest <> '' ) SELECT id, display_name, display_color, created_at, last_used, disabled_at, scopes, scope FROM split WHERE scope <> '' ) ON user_access_tokens.user_id = id WHERE disabled_at IS NULL AND token = ? AND scope = ?;` row := _datastore.DB.QueryRow(query, token, scope) integration, err := makeExternalAPIUserFromRow(row) return integration, err } // GetIntegrationNameForAccessToken will return the integration name associated with a specific access token. func GetIntegrationNameForAccessToken(token string) *string { name, err := _datastore.GetQueries().GetUserDisplayNameByToken(context.Background(), token) if err != nil { return nil } return &name } // GetExternalAPIUser will return all API users with access tokens. func GetExternalAPIUser() ([]ExternalAPIUser, error) { //nolint query := "SELECT id, token, display_name, display_color, scopes, created_at, last_used FROM users, user_access_tokens WHERE user_access_tokens.user_id = id AND type IS 'API' AND disabled_at IS NULL" rows, err := _datastore.DB.Query(query) if err != nil { return []ExternalAPIUser{}, err } defer rows.Close() integrations, err := makeExternalAPIUsersFromRows(rows) return integrations, err } // SetExternalAPIUserAccessTokenAsUsed will update the last used timestamp for a token. func SetExternalAPIUserAccessTokenAsUsed(token string) error { tx, err := _datastore.DB.Begin() if err != nil { return err } stmt, err := tx.Prepare("UPDATE users SET last_used = CURRENT_TIMESTAMP WHERE id = (SELECT user_id FROM user_access_tokens WHERE token = ?)") if err != nil { return err } defer stmt.Close() if _, err := stmt.Exec(token); err != nil { return err } if err = tx.Commit(); err != nil { return err } return nil } func makeExternalAPIUserFromRow(row *sql.Row) (*ExternalAPIUser, error) { var id string var displayName string var displayColor int var scopes string var createdAt time.Time var lastUsedAt *time.Time err := row.Scan(&id, &scopes, &displayName, &displayColor, &createdAt, &lastUsedAt) if err != nil { log.Debugln("unable to convert row to api user", err) return nil, err } integration := ExternalAPIUser{ ID: id, DisplayName: displayName, DisplayColor: displayColor, CreatedAt: createdAt, Scopes: strings.Split(scopes, ","), LastUsedAt: lastUsedAt, } return &integration, nil } func makeExternalAPIUsersFromRows(rows *sql.Rows) ([]ExternalAPIUser, error) { integrations := make([]ExternalAPIUser, 0) for rows.Next() { var id string var accessToken string var displayName string var displayColor int var scopes string var createdAt time.Time var lastUsedAt *time.Time err := rows.Scan(&id, &accessToken, &displayName, &displayColor, &scopes, &createdAt, &lastUsedAt) if err != nil { log.Errorln(err) return nil, err } integration := ExternalAPIUser{ ID: id, AccessToken: accessToken, DisplayName: displayName, DisplayColor: displayColor, CreatedAt: createdAt, Scopes: strings.Split(scopes, ","), LastUsedAt: lastUsedAt, IsBot: true, } integrations = append(integrations, integration) } return integrations, nil } // HasValidScopes will verify that all the scopes provided are valid. func HasValidScopes(scopes []string) bool { for _, scope := range scopes { _, foundInSlice := utils.FindInSlice(validAccessTokenScopes, scope) if !foundInSlice { return false } } return true }