tokencheck.go (5219B)
1 // GoToSocial 2 // Copyright (C) GoToSocial Authors admin@gotosocial.org 3 // SPDX-License-Identifier: AGPL-3.0-or-later 4 // 5 // This program is free software: you can redistribute it and/or modify 6 // it under the terms of the GNU Affero General Public License as published by 7 // the Free Software Foundation, either version 3 of the License, or 8 // (at your option) any later version. 9 // 10 // This program is distributed in the hope that it will be useful, 11 // but WITHOUT ANY WARRANTY; without even the implied warranty of 12 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 // GNU Affero General Public License for more details. 14 // 15 // You should have received a copy of the GNU Affero General Public License 16 // along with this program. If not, see <http://www.gnu.org/licenses/>. 17 18 package middleware 19 20 import ( 21 "net/http" 22 23 "github.com/gin-gonic/gin" 24 "github.com/superseriousbusiness/gotosocial/internal/db" 25 "github.com/superseriousbusiness/gotosocial/internal/gtsmodel" 26 "github.com/superseriousbusiness/gotosocial/internal/log" 27 "github.com/superseriousbusiness/gotosocial/internal/oauth" 28 "github.com/superseriousbusiness/oauth2/v4" 29 ) 30 31 // TokenCheck returns a new gin middleware for validating oauth tokens in requests. 32 // 33 // The middleware checks the request Authorization header for a valid oauth Bearer token. 34 // 35 // If no token was set in the Authorization header, or the token was invalid, the handler will return. 36 // 37 // If a valid oauth Bearer token was provided, it will be set on the gin context for further use. 38 // 39 // Then, it will check which *gtsmodel.User the token belongs to. If the user is not confirmed, not approved, 40 // or has been disabled, then the middleware will return early. Otherwise, the User will be set on the 41 // gin context for further processing by other functions. 42 // 43 // Next, it will look up the *gtsmodel.Account for the User. If the Account has been suspended, then the 44 // middleware will return early. Otherwise, it will set the Account on the gin context too. 45 // 46 // Finally, it will check the client ID of the token to see if a *gtsmodel.Application can be retrieved 47 // for that client ID. This will also be set on the gin context. 48 // 49 // If an invalid token is presented, or a user/account/application can't be found, then this middleware 50 // won't abort the request, since the server might want to still allow public requests that don't have a 51 // Bearer token set (eg., for public instance information and so on). 52 func TokenCheck(dbConn db.DB, validateBearerToken func(r *http.Request) (oauth2.TokenInfo, error)) func(*gin.Context) { 53 return func(c *gin.Context) { 54 // Acquire context from gin request. 55 ctx := c.Request.Context() 56 57 if c.Request.Header.Get("Authorization") == "" { 58 // no token set in the header, we can just bail 59 return 60 } 61 62 ti, err := validateBearerToken(c.Copy().Request) 63 if err != nil { 64 log.Debugf(ctx, "token was passed in Authorization header but we could not validate it: %s", err) 65 return 66 } 67 c.Set(oauth.SessionAuthorizedToken, ti) 68 69 // check for user-level token 70 if userID := ti.GetUserID(); userID != "" { 71 log.Tracef(ctx, "authenticated user %s with bearer token, scope is %s", userID, ti.GetScope()) 72 73 // fetch user for this token 74 user, err := dbConn.GetUserByID(ctx, userID) 75 if err != nil { 76 if err != db.ErrNoEntries { 77 log.Errorf(ctx, "database error looking for user with id %s: %s", userID, err) 78 return 79 } 80 log.Warnf(ctx, "no user found for userID %s", userID) 81 return 82 } 83 84 if user.ConfirmedAt.IsZero() { 85 log.Warnf(ctx, "authenticated user %s has never confirmed thier email address", userID) 86 return 87 } 88 89 if !*user.Approved { 90 log.Warnf(ctx, "authenticated user %s's account was never approved by an admin", userID) 91 return 92 } 93 94 if *user.Disabled { 95 log.Warnf(ctx, "authenticated user %s's account was disabled'", userID) 96 return 97 } 98 99 c.Set(oauth.SessionAuthorizedUser, user) 100 101 // fetch account for this token 102 if user.Account == nil { 103 acct, err := dbConn.GetAccountByID(ctx, user.AccountID) 104 if err != nil { 105 if err != db.ErrNoEntries { 106 log.Errorf(ctx, "database error looking for account with id %s: %s", user.AccountID, err) 107 return 108 } 109 log.Warnf(ctx, "no account found for userID %s", userID) 110 return 111 } 112 user.Account = acct 113 } 114 115 if !user.Account.SuspendedAt.IsZero() { 116 log.Warnf(ctx, "authenticated user %s's account (accountId=%s) has been suspended", userID, user.AccountID) 117 return 118 } 119 120 c.Set(oauth.SessionAuthorizedAccount, user.Account) 121 } 122 123 // check for application token 124 if clientID := ti.GetClientID(); clientID != "" { 125 log.Tracef(ctx, "authenticated client %s with bearer token, scope is %s", clientID, ti.GetScope()) 126 127 // fetch app for this token 128 app := >smodel.Application{} 129 if err := dbConn.GetWhere(ctx, []db.Where{{Key: "client_id", Value: clientID}}, app); err != nil { 130 if err != db.ErrNoEntries { 131 log.Errorf(ctx, "database error looking for application with clientID %s: %s", clientID, err) 132 return 133 } 134 log.Warnf(ctx, "no app found for client %s", clientID) 135 return 136 } 137 c.Set(oauth.SessionAuthorizedApplication, app) 138 } 139 } 140 }