
      1 // GoToSocial
      2 // Copyright (C) GoToSocial Authors admin@gotosocial.org
      3 // SPDX-License-Identifier: AGPL-3.0-or-later
      4 //
      5 // This program is free software: you can redistribute it and/or modify
      6 // it under the terms of the GNU Affero General Public License as published by
      7 // the Free Software Foundation, either version 3 of the License, or
      8 // (at your option) any later version.
      9 //
     10 // This program is distributed in the hope that it will be useful,
     11 // but WITHOUT ANY WARRANTY; without even the implied warranty of
     12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     13 // GNU Affero General Public License for more details.
     14 //
     15 // You should have received a copy of the GNU Affero General Public License
     16 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
     17 
     18 package auth
     19 
     20 import (
     21 	"net/http"
     22 
     23 	"github.com/gin-contrib/sessions"
     24 	"github.com/gin-gonic/gin"
     25 	"github.com/superseriousbusiness/gotosocial/internal/db"
     26 	"github.com/superseriousbusiness/gotosocial/internal/oidc"
     27 	"github.com/superseriousbusiness/gotosocial/internal/processing"
     28 )
     29 
const (
	/*
		paths prefixed with 'auth'
	*/

	// AuthSignInPath is the API path for users to sign in through
	AuthSignInPath = "/sign_in"
	// AuthCheckYourEmailPath users land here after registering a new account, instructs them to confirm their email
	AuthCheckYourEmailPath = "/check_your_email"
	// AuthWaitForApprovalPath users land here after confirming their email
	// but before an admin approves their account (if such is required)
	AuthWaitForApprovalPath = "/wait_for_approval"
	// AuthAccountDisabledPath users land here when their account is suspended by an admin
	AuthAccountDisabledPath = "/account_disabled"
	// AuthCallbackPath is the API path for receiving callback tokens from external OIDC providers
	AuthCallbackPath = "/callback"

	/*
		paths prefixed with 'oauth'
	*/

	// OauthTokenPath is the API path to use for granting token requests to users with valid credentials
	OauthTokenPath = "/token" // #nosec G101 else we get a hardcoded credentials warning
	// OauthAuthorizePath is the API path for authorization requests (eg., authorize this app to act on my behalf as a user)
	OauthAuthorizePath = "/authorize"
	// OauthFinalizePath is the API path for completing user registration with additional user details
	OauthFinalizePath = "/finalize"
	// OauthOobTokenPath is the path for serving an html representation of an oob token page.
	OauthOobTokenPath = "/oob" // #nosec G101 else we get a hardcoded credentials warning

	/*
		params / session keys
	*/

	// callbackStateParam and callbackCodeParam name query parameters; by their
	// names these are presumably the OAuth/OIDC `state` and `code` values delivered
	// to AuthCallbackPath — the handler that reads them is not in this file, verify there.
	//
	// The session* constants are the keys under which handlers in this package
	// stash per-login state in the gin session between requests (unexported, so
	// every reader and writer of a key lives in this package). Keep a writer and
	// its reader on the same constant rather than a literal, so the key cannot
	// drift between the two halves of a flow.
	callbackStateParam   = "state"
	callbackCodeParam    = "code"
	sessionUserID        = "userid"
	sessionClientID      = "client_id"
	sessionRedirectURI   = "redirect_uri"
	sessionForceLogin    = "force_login"
	sessionResponseType  = "response_type"
	sessionScope         = "scope"
	sessionInternalState = "internal_state"
	sessionClientState   = "client_state"
	sessionClaims        = "claims"
	sessionAppID         = "app_id"
)
     77 
// Module bundles the dependencies shared by the 'auth' and 'oauth' handlers:
// the database, the processor, and the OIDC identity provider. idp may be nil
// when OIDC is disabled (see New), so handlers that use it must check for nil.
type Module struct {
	db        db.DB
	processor *processing.Processor
	idp       oidc.IDP
}
     83 
// New builds the auth Module from its dependencies. One Module serves both the
// 'auth' and the 'oauth' route groups (see RouteAuth and RouteOauth).
//
// idp may be nil when OIDC is disabled; the other two are stored as given.
func New(db db.DB, processor *processing.Processor, idp oidc.IDP) *Module {
	var m Module
	m.db = db
	m.processor = processor
	m.idp = idp
	return &m
}
     94 
// RouteAuth attaches every handler that lives under the 'auth' prefix.
//
// attachHandler is invoked once per (method, path, handler) entry, in the order
// listed below; the caller supplies the router and prefix they are mounted on.
func (m *Module) RouteAuth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {
	routes := []struct {
		method  string
		path    string
		handler gin.HandlerFunc
	}{
		{http.MethodGet, AuthSignInPath, m.SignInGETHandler},
		{http.MethodPost, AuthSignInPath, m.SignInPOSTHandler},
		{http.MethodGet, AuthCallbackPath, m.CallbackGETHandler},
	}
	for _, r := range routes {
		attachHandler(r.method, r.path, r.handler)
	}
}
    101 
// RouteOauth attaches every handler that lives under the 'oauth' prefix.
//
// attachHandler is invoked once per (method, path, handler) entry, in the order
// listed below; the caller supplies the router and prefix they are mounted on.
func (m *Module) RouteOauth(attachHandler func(method string, path string, f ...gin.HandlerFunc) gin.IRoutes) {
	routes := []struct {
		method  string
		path    string
		handler gin.HandlerFunc
	}{
		{http.MethodPost, OauthTokenPath, m.TokenPOSTHandler},
		{http.MethodGet, OauthAuthorizePath, m.AuthorizeGETHandler},
		{http.MethodPost, OauthAuthorizePath, m.AuthorizePOSTHandler},
		{http.MethodPost, OauthFinalizePath, m.FinalizePOSTHandler},
		{http.MethodGet, OauthOobTokenPath, m.OobHandler},
	}
	for _, r := range routes {
		attachHandler(r.method, r.path, r.handler)
	}
}
    110 
// clearSession wipes every value from s and persists the now-empty session.
//
// If the cleared session cannot be saved, the previously stored login state
// would still be live on the next request, so this panics rather than carry
// on. NOTE(review): the panic is presumably recovered by gin's recovery
// middleware in the calling handler — confirm before relying on that.
func (m *Module) clearSession(s sessions.Session) {
	s.Clear()
	err := s.Save()
	if err == nil {
		return
	}
	panic(err)
}