opengist/internal/web/auth.go

331 lines
8 KiB
Go
Raw Normal View History

2023-03-14 15:22:52 +00:00
package web
import (
"context"
"crypto/md5"
"errors"
"fmt"
2023-03-14 15:22:52 +00:00
"github.com/labstack/echo/v4"
2023-04-17 17:11:32 +00:00
"github.com/markbates/goth"
"github.com/markbates/goth/gothic"
2023-04-17 17:11:32 +00:00
"github.com/markbates/goth/providers/gitea"
"github.com/markbates/goth/providers/github"
"github.com/rs/zerolog/log"
2023-05-15 19:07:29 +00:00
"github.com/thomiceli/opengist/internal/config"
"github.com/thomiceli/opengist/internal/models"
2023-04-26 21:13:11 +00:00
"golang.org/x/text/cases"
"golang.org/x/text/language"
"gorm.io/gorm"
"io"
"net/http"
"strings"
2023-03-14 15:22:52 +00:00
)
2023-04-26 21:13:11 +00:00
var title = cases.Title(language.English)
2023-03-14 15:22:52 +00:00
func register(ctx echo.Context) error {
setData(ctx, "title", "New account")
setData(ctx, "htmlTitle", "New account")
2023-05-06 16:53:59 +00:00
setData(ctx, "disableForm", getData(ctx, "DisableLoginForm"))
2023-03-14 15:22:52 +00:00
return html(ctx, "auth_form.html")
}
func processRegister(ctx echo.Context) error {
2023-04-28 18:31:10 +00:00
if getData(ctx, "DisableSignup") == true {
2023-03-14 15:22:52 +00:00
return errorRes(403, "Signing up is disabled", nil)
}
2023-05-06 16:53:59 +00:00
if getData(ctx, "DisableLoginForm") == true {
return errorRes(403, "Signing up via registration form is disabled", nil)
}
2023-03-14 15:22:52 +00:00
setData(ctx, "title", "New account")
setData(ctx, "htmlTitle", "New account")
sess := getSession(ctx)
2023-03-17 13:56:39 +00:00
var dto = new(models.UserDTO)
if err := ctx.Bind(dto); err != nil {
2023-03-14 15:22:52 +00:00
return errorRes(400, "Cannot bind data", err)
}
2023-03-17 13:56:39 +00:00
if err := ctx.Validate(dto); err != nil {
2023-03-14 15:22:52 +00:00
addFlash(ctx, validationMessages(&err), "error")
return html(ctx, "auth_form.html")
}
2023-03-17 13:56:39 +00:00
if exists, err := models.UserExists(dto.Username); err != nil || exists {
addFlash(ctx, "Username already exists", "error")
return html(ctx, "auth_form.html")
}
user := dto.ToUser()
2023-03-14 15:22:52 +00:00
password, err := argon2id.hash(user.Password)
if err != nil {
return errorRes(500, "Cannot hash password", err)
}
user.Password = password
2023-03-17 13:56:39 +00:00
if err = user.Create(); err != nil {
2023-03-14 15:22:52 +00:00
return errorRes(500, "Cannot create user", err)
}
if user.ID == 1 {
2023-03-17 13:56:39 +00:00
if err = user.SetAdmin(); err != nil {
2023-03-14 15:22:52 +00:00
return errorRes(500, "Cannot set user admin", err)
}
}
sess.Values["user"] = user.ID
saveSession(sess, ctx)
return redirect(ctx, "/")
}
func login(ctx echo.Context) error {
setData(ctx, "title", "Login")
setData(ctx, "htmlTitle", "Login")
2023-05-06 16:53:59 +00:00
setData(ctx, "disableForm", getData(ctx, "DisableLoginForm"))
2023-03-14 15:22:52 +00:00
return html(ctx, "auth_form.html")
}
func processLogin(ctx echo.Context) error {
2023-05-06 16:53:59 +00:00
if getData(ctx, "DisableLoginForm") == true {
return errorRes(403, "Logging in via login form is disabled", nil)
}
2023-03-17 13:56:39 +00:00
var err error
2023-03-14 15:22:52 +00:00
sess := getSession(ctx)
2023-03-17 13:56:39 +00:00
dto := &models.UserDTO{}
if err = ctx.Bind(dto); err != nil {
2023-03-14 15:22:52 +00:00
return errorRes(400, "Cannot bind data", err)
}
2023-03-17 13:56:39 +00:00
password := dto.Password
var user *models.User
2023-03-14 15:22:52 +00:00
2023-03-17 13:56:39 +00:00
if user, err = models.GetUserByUsername(dto.Username); err != nil {
if !errors.Is(err, gorm.ErrRecordNotFound) {
return errorRes(500, "Cannot get user", err)
}
log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
2023-03-14 15:22:52 +00:00
addFlash(ctx, "Invalid credentials", "error")
return redirect(ctx, "/login")
}
if ok, err := argon2id.verify(password, user.Password); !ok {
if err != nil {
return errorRes(500, "Cannot check for password", err)
}
log.Warn().Msg("Invalid HTTP authentication attempt from " + ctx.RealIP())
2023-03-14 15:22:52 +00:00
addFlash(ctx, "Invalid credentials", "error")
return redirect(ctx, "/login")
}
sess.Values["user"] = user.ID
saveSession(sess, ctx)
deleteCsrfCookie(ctx)
return redirect(ctx, "/")
}
func oauthCallback(ctx echo.Context) error {
user, err := gothic.CompleteUserAuth(ctx.Response(), ctx.Request())
if err != nil {
return errorRes(400, "Cannot complete user auth", err)
}
currUser := getUserLogged(ctx)
if currUser != nil {
// if user is logged in, link account to user
switch user.Provider {
case "github":
currUser.GithubID = user.UserID
case "gitea":
currUser.GiteaID = user.UserID
}
if err = currUser.Update(); err != nil {
2023-04-26 21:13:11 +00:00
return errorRes(500, "Cannot update user "+title.String(user.Provider)+" id", err)
}
2023-04-26 21:13:11 +00:00
addFlash(ctx, "Account linked to "+title.String(user.Provider), "success")
return redirect(ctx, "/settings")
}
// if user is not in database, create it
userDB, err := models.GetUserByProvider(user.UserID, user.Provider)
if err != nil {
2023-04-28 18:31:10 +00:00
if getData(ctx, "DisableSignup") == true {
return errorRes(403, "Signing up is disabled", nil)
}
if !errors.Is(err, gorm.ErrRecordNotFound) {
return errorRes(500, "Cannot get user", err)
}
userDB = &models.User{
Username: user.NickName,
Email: user.Email,
MD5Hash: fmt.Sprintf("%x", md5.Sum([]byte(strings.ToLower(strings.TrimSpace(user.Email))))),
}
switch user.Provider {
case "github":
userDB.GithubID = user.UserID
case "gitea":
userDB.GiteaID = user.UserID
}
if err = userDB.Create(); err != nil {
if models.IsUniqueConstraintViolation(err) {
2023-04-17 18:25:35 +00:00
addFlash(ctx, "Username "+user.NickName+" already exists in Opengist", "error")
return redirect(ctx, "/login")
}
return errorRes(500, "Cannot create user", err)
}
if userDB.ID == 1 {
if err = userDB.SetAdmin(); err != nil {
return errorRes(500, "Cannot set user admin", err)
}
}
var resp *http.Response
switch user.Provider {
case "github":
resp, err = http.Get("https://github.com/" + user.NickName + ".keys")
case "gitea":
2023-04-17 19:31:40 +00:00
resp, err = http.Get(trimGiteaUrl() + "/" + user.NickName + ".keys")
}
if err == nil {
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
addFlash(ctx, "Could not get user keys", "error")
log.Error().Err(err).Msg("Could not get user keys")
}
keys := strings.Split(string(body), "\n")
if len(keys[len(keys)-1]) == 0 {
keys = keys[:len(keys)-1]
}
for _, key := range keys {
sshKey := models.SSHKey{
Title: "Added from " + user.Provider,
Content: key,
User: *userDB,
}
if err = sshKey.Create(); err != nil {
addFlash(ctx, "Could not create ssh key", "error")
log.Error().Err(err).Msg("Could not create ssh key")
}
}
}
}
sess := getSession(ctx)
sess.Values["user"] = userDB.ID
saveSession(sess, ctx)
deleteCsrfCookie(ctx)
return redirect(ctx, "/")
}
func oauth(ctx echo.Context) error {
provider := ctx.Param("provider")
2023-04-17 17:11:32 +00:00
httpProtocol := "http"
if ctx.Request().TLS != nil || ctx.Request().Header.Get("X-Forwarded-Proto") == "https" {
httpProtocol = "https"
}
2023-04-17 19:31:40 +00:00
giteaUrl := trimGiteaUrl()
2023-04-30 10:09:42 +00:00
var opengistUrl string
if config.C.ExternalUrl != "" {
opengistUrl = config.C.ExternalUrl
} else {
opengistUrl = httpProtocol + "://" + ctx.Request().Host
}
2023-04-17 17:11:32 +00:00
switch provider {
case "github":
goth.UseProviders(
github.New(
config.C.GithubClientKey,
config.C.GithubSecret,
2023-04-30 10:09:42 +00:00
opengistUrl+"/oauth/github/callback"),
2023-04-17 17:11:32 +00:00
)
case "gitea":
goth.UseProviders(
gitea.NewCustomisedURL(
config.C.GiteaClientKey,
config.C.GiteaSecret,
2023-04-30 10:09:42 +00:00
opengistUrl+"/oauth/gitea/callback",
2023-04-17 17:11:32 +00:00
giteaUrl+"/login/oauth/authorize",
giteaUrl+"/login/oauth/access_token",
giteaUrl+"/api/v1/user"),
)
}
currUser := getUserLogged(ctx)
if currUser != nil {
isDelete := false
var err error
switch provider {
case "github":
if currUser.GithubID != "" {
isDelete = true
2023-04-17 17:11:32 +00:00
err = currUser.DeleteProviderID(provider)
}
case "gitea":
if currUser.GiteaID != "" {
isDelete = true
2023-04-17 17:11:32 +00:00
err = currUser.DeleteProviderID(provider)
}
}
if err != nil {
2023-04-26 21:13:11 +00:00
return errorRes(500, "Cannot unlink account from "+title.String(provider), err)
}
if isDelete {
2023-04-26 21:13:11 +00:00
addFlash(ctx, "Account unlinked from "+title.String(provider), "success")
return redirect(ctx, "/settings")
}
}
2023-04-28 18:31:10 +00:00
ctxValue := context.WithValue(ctx.Request().Context(), gothic.ProviderParamKey, provider)
ctx.SetRequest(ctx.Request().WithContext(ctxValue))
if provider != "github" && provider != "gitea" {
return errorRes(400, "Unsupported provider", nil)
}
gothic.BeginAuthHandler(ctx.Response(), ctx.Request())
return nil
}
2023-03-14 15:22:52 +00:00
func logout(ctx echo.Context) error {
deleteSession(ctx)
deleteCsrfCookie(ctx)
return redirect(ctx, "/all")
}
2023-04-17 19:31:40 +00:00
func trimGiteaUrl() string {
giteaUrl := config.C.GiteaUrl
// remove trailing slash
if giteaUrl[len(giteaUrl)-1] == '/' {
giteaUrl = giteaUrl[:len(giteaUrl)-1]
}
return giteaUrl
}