2023-03-14 15:22:52 +00:00
|
|
|
package web
|
|
|
|
|
|
|
|
import (
|
2023-04-17 12:25:39 +00:00
|
|
|
"context"
|
|
|
|
"crypto/md5"
|
2023-04-03 23:16:22 +00:00
|
|
|
"errors"
|
2023-04-17 12:25:39 +00:00
|
|
|
"fmt"
|
2023-03-14 15:22:52 +00:00
|
|
|
"github.com/labstack/echo/v4"
|
2023-04-17 17:11:32 +00:00
|
|
|
"github.com/markbates/goth"
|
2023-04-17 12:25:39 +00:00
|
|
|
"github.com/markbates/goth/gothic"
|
2023-04-17 17:11:32 +00:00
|
|
|
"github.com/markbates/goth/providers/gitea"
|
|
|
|
"github.com/markbates/goth/providers/github"
|
2023-04-03 23:16:22 +00:00
|
|
|
"github.com/rs/zerolog/log"
|
|
|
|
"gorm.io/gorm"
|
2023-04-17 12:25:39 +00:00
|
|
|
"io"
|
|
|
|
"net/http"
|
2023-04-17 17:11:32 +00:00
|
|
|
"opengist/internal/config"
|
2023-03-14 15:22:52 +00:00
|
|
|
"opengist/internal/models"
|
2023-04-17 12:25:39 +00:00
|
|
|
"strings"
|
2023-03-14 15:22:52 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
func register(ctx echo.Context) error {
|
|
|
|
setData(ctx, "title", "New account")
|
|
|
|
setData(ctx, "htmlTitle", "New account")
|
|
|
|
return html(ctx, "auth_form.html")
|
|
|
|
}
|
|
|
|
|
|
|
|
func processRegister(ctx echo.Context) error {
|
2023-04-16 22:17:06 +00:00
|
|
|
if getData(ctx, "signupDisabled") == true {
|
2023-03-14 15:22:52 +00:00
|
|
|
return errorRes(403, "Signing up is disabled", nil)
|
|
|
|
}
|
|
|
|
|
|
|
|
setData(ctx, "title", "New account")
|
|
|
|
setData(ctx, "htmlTitle", "New account")
|
|
|
|
|
|
|
|
sess := getSession(ctx)
|
|
|
|
|
2023-03-17 13:56:39 +00:00
|
|
|
var dto = new(models.UserDTO)
|
|
|
|
if err := ctx.Bind(dto); err != nil {
|
2023-03-14 15:22:52 +00:00
|
|
|
return errorRes(400, "Cannot bind data", err)
|
|
|
|
}
|
|
|
|
|
2023-03-17 13:56:39 +00:00
|
|
|
if err := ctx.Validate(dto); err != nil {
|
2023-03-14 15:22:52 +00:00
|
|
|
addFlash(ctx, validationMessages(&err), "error")
|
|
|
|
return html(ctx, "auth_form.html")
|
|
|
|
}
|
|
|
|
|
2023-03-17 13:56:39 +00:00
|
|
|
if exists, err := models.UserExists(dto.Username); err != nil || exists {
|
|
|
|
addFlash(ctx, "Username already exists", "error")
|
|
|
|
return html(ctx, "auth_form.html")
|
|
|
|
}
|
|
|
|
|
|
|
|
user := dto.ToUser()
|
|
|
|
|
2023-03-14 15:22:52 +00:00
|
|
|
password, err := argon2id.hash(user.Password)
|
|
|
|
if err != nil {
|
|
|
|
return errorRes(500, "Cannot hash password", err)
|
|
|
|
}
|
|
|
|
user.Password = password
|
|
|
|
|
2023-03-17 13:56:39 +00:00
|
|
|
if err = user.Create(); err != nil {
|
2023-03-14 15:22:52 +00:00
|
|
|
return errorRes(500, "Cannot create user", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if user.ID == 1 {
|
2023-03-17 13:56:39 +00:00
|
|
|
if err = user.SetAdmin(); err != nil {
|
2023-03-14 15:22:52 +00:00
|
|
|
return errorRes(500, "Cannot set user admin", err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
sess.Values["user"] = user.ID
|
|
|
|
saveSession(sess, ctx)
|
|
|
|
|
|
|
|
return redirect(ctx, "/")
|
|
|
|
}
|
|
|
|
|
|
|
|
func login(ctx echo.Context) error {
|
|
|
|
setData(ctx, "title", "Login")
|
|
|
|
setData(ctx, "htmlTitle", "Login")
|
|
|
|
return html(ctx, "auth_form.html")
|
|
|
|
}
|
|
|
|
|
|
|
|
func processLogin(ctx echo.Context) error {
|
2023-03-17 13:56:39 +00:00
|
|
|
var err error
|
2023-03-14 15:22:52 +00:00
|
|
|
sess := getSession(ctx)
|
|
|
|
|
2023-03-17 13:56:39 +00:00
|
|
|
dto := &models.UserDTO{}
|
|
|
|
if err = ctx.Bind(dto); err != nil {
|
2023-03-14 15:22:52 +00:00
|
|
|
return errorRes(400, "Cannot bind data", err)
|
|
|
|
}
|
2023-03-17 13:56:39 +00:00
|
|
|
password := dto.Password
|
|
|
|
|
|
|
|
var user *models.User
|
2023-03-14 15:22:52 +00:00
|
|
|
|
2023-03-17 13:56:39 +00:00
|
|
|
if user, err = models.GetUserByUsername(dto.Username); err != nil {
|
2023-04-03 23:16:22 +00:00
|
|
|
if !errors.Is(err, gorm.ErrRecordNotFound) {
|
|
|
|
return errorRes(500, "Cannot get user", err)
|
|
|
|
}
|
|
|
|
log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
|
2023-03-14 15:22:52 +00:00
|
|
|
addFlash(ctx, "Invalid credentials", "error")
|
|
|
|
return redirect(ctx, "/login")
|
|
|
|
}
|
|
|
|
|
|
|
|
if ok, err := argon2id.verify(password, user.Password); !ok {
|
|
|
|
if err != nil {
|
|
|
|
return errorRes(500, "Cannot check for password", err)
|
|
|
|
}
|
2023-04-03 23:16:22 +00:00
|
|
|
log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
|
2023-03-14 15:22:52 +00:00
|
|
|
addFlash(ctx, "Invalid credentials", "error")
|
|
|
|
return redirect(ctx, "/login")
|
|
|
|
}
|
|
|
|
|
|
|
|
sess.Values["user"] = user.ID
|
|
|
|
saveSession(sess, ctx)
|
|
|
|
deleteCsrfCookie(ctx)
|
|
|
|
|
|
|
|
return redirect(ctx, "/")
|
|
|
|
}
|
|
|
|
|
2023-04-17 12:25:39 +00:00
|
|
|
func oauthCallback(ctx echo.Context) error {
|
|
|
|
user, err := gothic.CompleteUserAuth(ctx.Response(), ctx.Request())
|
|
|
|
if err != nil {
|
|
|
|
return errorRes(400, "Cannot complete user auth", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
currUser := getUserLogged(ctx)
|
|
|
|
if currUser != nil {
|
|
|
|
// if user is logged in, link account to user
|
|
|
|
switch user.Provider {
|
|
|
|
case "github":
|
|
|
|
currUser.GithubID = user.UserID
|
|
|
|
case "gitea":
|
|
|
|
currUser.GiteaID = user.UserID
|
|
|
|
}
|
|
|
|
|
|
|
|
if err = currUser.Update(); err != nil {
|
|
|
|
return errorRes(500, "Cannot update user "+strings.Title(user.Provider)+" id", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
addFlash(ctx, "Account linked to "+strings.Title(user.Provider), "success")
|
|
|
|
return redirect(ctx, "/settings")
|
|
|
|
}
|
|
|
|
|
|
|
|
// if user is not in database, create it
|
|
|
|
userDB, err := models.GetUserByProvider(user.UserID, user.Provider)
|
|
|
|
if err != nil {
|
|
|
|
if !errors.Is(err, gorm.ErrRecordNotFound) {
|
|
|
|
return errorRes(500, "Cannot get user", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
userDB = &models.User{
|
|
|
|
Username: user.NickName,
|
|
|
|
Email: user.Email,
|
|
|
|
MD5Hash: fmt.Sprintf("%x", md5.Sum([]byte(strings.ToLower(strings.TrimSpace(user.Email))))),
|
|
|
|
}
|
|
|
|
|
|
|
|
switch user.Provider {
|
|
|
|
case "github":
|
|
|
|
userDB.GithubID = user.UserID
|
|
|
|
case "gitea":
|
|
|
|
userDB.GiteaID = user.UserID
|
|
|
|
}
|
|
|
|
|
|
|
|
if err = userDB.Create(); err != nil {
|
|
|
|
if models.IsUniqueConstraintViolation(err) {
|
2023-04-17 18:25:35 +00:00
|
|
|
addFlash(ctx, "Username "+user.NickName+" already exists in Opengist", "error")
|
2023-04-17 12:25:39 +00:00
|
|
|
return redirect(ctx, "/login")
|
|
|
|
}
|
|
|
|
|
|
|
|
return errorRes(500, "Cannot create user", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
var resp *http.Response
|
|
|
|
switch user.Provider {
|
|
|
|
case "github":
|
|
|
|
resp, err = http.Get("https://github.com/" + user.NickName + ".keys")
|
|
|
|
case "gitea":
|
|
|
|
resp, err = http.Get("https://gitea.com/" + user.NickName + ".keys")
|
|
|
|
}
|
|
|
|
|
|
|
|
if err == nil {
|
|
|
|
defer resp.Body.Close()
|
|
|
|
|
|
|
|
body, err := io.ReadAll(resp.Body)
|
|
|
|
if err != nil {
|
|
|
|
addFlash(ctx, "Could not get user keys", "error")
|
|
|
|
log.Error().Err(err).Msg("Could not get user keys")
|
|
|
|
}
|
|
|
|
|
|
|
|
keys := strings.Split(string(body), "\n")
|
|
|
|
if len(keys[len(keys)-1]) == 0 {
|
|
|
|
keys = keys[:len(keys)-1]
|
|
|
|
}
|
|
|
|
for _, key := range keys {
|
|
|
|
sshKey := models.SSHKey{
|
|
|
|
Title: "Added from " + user.Provider,
|
|
|
|
Content: key,
|
|
|
|
User: *userDB,
|
|
|
|
}
|
|
|
|
|
|
|
|
if err = sshKey.Create(); err != nil {
|
|
|
|
addFlash(ctx, "Could not create ssh key", "error")
|
|
|
|
log.Error().Err(err).Msg("Could not create ssh key")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
sess := getSession(ctx)
|
|
|
|
sess.Values["user"] = userDB.ID
|
|
|
|
saveSession(sess, ctx)
|
|
|
|
deleteCsrfCookie(ctx)
|
|
|
|
|
|
|
|
return redirect(ctx, "/")
|
|
|
|
}
|
|
|
|
|
|
|
|
func oauth(ctx echo.Context) error {
|
|
|
|
provider := ctx.Param("provider")
|
|
|
|
|
2023-04-17 17:11:32 +00:00
|
|
|
httpProtocol := "http"
|
|
|
|
if ctx.Request().TLS != nil || ctx.Request().Header.Get("X-Forwarded-Proto") == "https" {
|
|
|
|
httpProtocol = "https"
|
|
|
|
}
|
|
|
|
|
|
|
|
httpDomain := httpProtocol + "://" + ctx.Request().Host
|
|
|
|
giteaUrl := config.C.GiteaUrl
|
|
|
|
// remove trailing slash
|
|
|
|
if giteaUrl[len(giteaUrl)-1] == '/' {
|
|
|
|
giteaUrl = giteaUrl[:len(giteaUrl)-1]
|
|
|
|
}
|
|
|
|
|
|
|
|
switch provider {
|
|
|
|
case "github":
|
|
|
|
goth.UseProviders(
|
|
|
|
github.New(
|
|
|
|
config.C.GithubClientKey,
|
|
|
|
config.C.GithubSecret,
|
|
|
|
httpDomain+"/oauth/github/callback"),
|
|
|
|
)
|
|
|
|
|
|
|
|
case "gitea":
|
|
|
|
goth.UseProviders(
|
|
|
|
gitea.NewCustomisedURL(
|
|
|
|
config.C.GiteaClientKey,
|
|
|
|
config.C.GiteaSecret,
|
|
|
|
httpDomain+"/oauth/gitea/callback",
|
|
|
|
giteaUrl+"/login/oauth/authorize",
|
|
|
|
giteaUrl+"/login/oauth/access_token",
|
|
|
|
giteaUrl+"/api/v1/user"),
|
|
|
|
)
|
|
|
|
}
|
|
|
|
|
2023-04-17 12:25:39 +00:00
|
|
|
currUser := getUserLogged(ctx)
|
|
|
|
if currUser != nil {
|
|
|
|
isDelete := false
|
|
|
|
var err error
|
|
|
|
switch provider {
|
|
|
|
case "github":
|
|
|
|
if currUser.GithubID != "" {
|
|
|
|
isDelete = true
|
2023-04-17 17:11:32 +00:00
|
|
|
err = currUser.DeleteProviderID(provider)
|
2023-04-17 12:25:39 +00:00
|
|
|
}
|
|
|
|
case "gitea":
|
|
|
|
if currUser.GiteaID != "" {
|
|
|
|
isDelete = true
|
2023-04-17 17:11:32 +00:00
|
|
|
err = currUser.DeleteProviderID(provider)
|
2023-04-17 12:25:39 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return errorRes(500, "Cannot unlink account from "+strings.Title(provider), err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if isDelete {
|
|
|
|
addFlash(ctx, "Account unlinked from "+strings.Title(provider), "success")
|
|
|
|
return redirect(ctx, "/settings")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
ctxValue := context.WithValue(ctx.Request().Context(), "provider", provider)
|
|
|
|
ctx.SetRequest(ctx.Request().WithContext(ctxValue))
|
|
|
|
if provider != "github" && provider != "gitea" {
|
|
|
|
return errorRes(400, "Unsupported provider", nil)
|
|
|
|
}
|
|
|
|
|
|
|
|
gothic.BeginAuthHandler(ctx.Response(), ctx.Request())
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2023-03-14 15:22:52 +00:00
|
|
|
func logout(ctx echo.Context) error {
|
|
|
|
deleteSession(ctx)
|
|
|
|
deleteCsrfCookie(ctx)
|
|
|
|
return redirect(ctx, "/all")
|
|
|
|
}
|