dendrite/src/github.com/matrix-org/dendrite/clientapi/routing/login.go

// Copyright 2017 Vector Creations Ltd
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package routing

import (
	"net/http"
	"strings"

	"github.com/matrix-org/dendrite/clientapi/auth"
	"github.com/matrix-org/dendrite/clientapi/auth/storage/accounts"
	"github.com/matrix-org/dendrite/clientapi/auth/storage/devices"
	"github.com/matrix-org/dendrite/clientapi/httputil"
	"github.com/matrix-org/dendrite/clientapi/jsonerror"
	"github.com/matrix-org/dendrite/common/config"
	"github.com/matrix-org/gomatrixserverlib"
	"github.com/matrix-org/util"
)

type loginFlows struct {
	Flows []flow `json:"flows"`
}

type flow struct {
	Type   string   `json:"type"`
	Stages []string `json:"stages"`
}

type passwordRequest struct {
	User               string  `json:"user"`
	Password           string  `json:"password"`
	InitialDisplayName *string `json:"initial_device_display_name"`
}

type loginResponse struct {
	UserID      string                       `json:"user_id"`
	AccessToken string                       `json:"access_token"`
	HomeServer  gomatrixserverlib.ServerName `json:"home_server"`
	DeviceID    string                       `json:"device_id"`
}

func passwordLogin() loginFlows {
	f := loginFlows{}
	s := flow{"m.login.password", []string{"m.login.password"}}
	f.Flows = append(f.Flows, s)
	return f
}

// Login implements GET and POST /login
func Login(
	req *http.Request, accountDB *accounts.Database, deviceDB *devices.Database,
	cfg config.Dendrite,
) util.JSONResponse {
	if req.Method == "GET" { // TODO: support other forms of login other than password, depending on config options
		return util.JSONResponse{
			Code: 200,
			JSON: passwordLogin(),
		}
	} else if req.Method == "POST" {
		var r passwordRequest
		resErr := httputil.UnmarshalJSONRequest(req, &r)
		if resErr != nil {
			return *resErr
		}
		if r.User == "" {
			return util.JSONResponse{
				Code: 400,
				JSON: jsonerror.BadJSON("'user' must be supplied."),
			}
		}

		util.GetLogger(req.Context()).WithField("user", r.User).Info("Processing login request")

		// r.User can either be a user ID or just the localpart... or other things maybe.
		localpart := r.User
		if strings.HasPrefix(r.User, "@") {
			var domain gomatrixserverlib.ServerName
			var err error
			localpart, domain, err = gomatrixserverlib.SplitID('@', r.User)
			if err != nil {
				return util.JSONResponse{
					Code: 400,
					JSON: jsonerror.InvalidUsername("Invalid username"),
				}
			}

			if domain != cfg.Matrix.ServerName {
				return util.JSONResponse{
					Code: 400,
					JSON: jsonerror.InvalidUsername("User ID not ours"),
				}
			}
		}

		acc, err := accountDB.GetAccountByPassword(req.Context(), localpart, r.Password)
		if err != nil {
			// Technically we could tell them if the user does not exist by checking if err == sql.ErrNoRows
			// but that would leak the existence of the user.
			return util.JSONResponse{
				Code: 403,
				JSON: jsonerror.Forbidden("username or password was incorrect, or the account does not exist"),
			}
		}

		token, err := auth.GenerateAccessToken()
		if err != nil {
			httputil.LogThenError(req, err)
		}

		// TODO: Use the device ID in the request
		dev, err := deviceDB.CreateDevice(
			req.Context(), acc.Localpart, nil, token, r.InitialDisplayName,
		)
		if err != nil {
			return util.JSONResponse{
				Code: 500,
				JSON: jsonerror.Unknown("failed to create device: " + err.Error()),
			}
		}

		return util.JSONResponse{
			Code: 200,
			JSON: loginResponse{
				UserID:      dev.UserID,
				AccessToken: dev.AccessToken,
				HomeServer:  cfg.Matrix.ServerName,
				DeviceID:    dev.ID,
			},
		}
	}
	return util.JSONResponse{
		Code: 405,
		JSON: jsonerror.NotFound("Bad method"),
	}
}
Add Apache Version 2.0 license and headers to all golang files 2017-04-20 23:40:52 +01:00			`// Copyright 2017 Vector Creations Ltd`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

Merge readers/writers/routing packages (#295) The HTTP handlers in the components are split into reader and writer directories. This was a fairly arbitrary distinction, and turns out to not be so helpful. Most read APIs have a corresponding write API, and it is more natural for them to be in the same file rather than in different directories. 2017-10-11 18:16:53 +01:00			`package routing`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 17:11:53 +01:00
			`import (`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 17:51:40 +01:00			`"net/http"`
Make login support logging in via user id (#260) 2017-09-22 17:08:16 +01:00			`"strings"`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 17:51:40 +01:00
			`"github.com/matrix-org/dendrite/clientapi/auth"`
			`"github.com/matrix-org/dendrite/clientapi/auth/storage/accounts"`
			`"github.com/matrix-org/dendrite/clientapi/auth/storage/devices"`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 17:11:53 +01:00			`"github.com/matrix-org/dendrite/clientapi/httputil"`
			`"github.com/matrix-org/dendrite/clientapi/jsonerror"`
Replace the cmd specific config with common config. (#144) * Move all the dendrite config in to a single place * Add tests for config parsing * replace syncserver config with common config * Replace client API config with common config * Replace federation API config with common config * Replace media api config with common config * Replace room server config with common config * Remove unused readKey function * Fix the integration tests * Comment on hardcoding roomserver to HTTP * Add a method for getting RoomServerURL This moves the hardcoding of HTTPs into one place. 2017-06-19 15:21:04 +01:00			`"github.com/matrix-org/dendrite/common/config"`
Update gomatrixserverlib (#90) 2017-05-05 17:43:42 +01:00			`"github.com/matrix-org/gomatrixserverlib"`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 17:11:53 +01:00			`"github.com/matrix-org/util"`
			`)`

			`type loginFlows struct {`
			Flows []flow `json:"flows"`
			`}`

			`type flow struct {`
			Type string `json:"type"`
			Stages []string `json:"stages"`
			`}`

			`type passwordRequest struct {`
Add device display names (#319) 2017-11-14 09:59:02 +00:00			User string `json:"user"`
			Password string `json:"password"`
			InitialDisplayName *string `json:"initial_device_display_name"`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 17:11:53 +01:00			`}`

			`type loginResponse struct {`
Update gomatrixserverlib (#90) 2017-05-05 17:43:42 +01:00			UserID string `json:"user_id"`
			AccessToken string `json:"access_token"`
			HomeServer gomatrixserverlib.ServerName `json:"home_server"`
Generate new devices for each new /login (#281) 2017-10-10 10:40:52 +01:00			DeviceID string `json:"device_id"`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 17:11:53 +01:00			`}`

			`func passwordLogin() loginFlows {`
			`f := loginFlows{}`
			`s := flow{"m.login.password", []string{"m.login.password"}}`
			`f.Flows = append(f.Flows, s)`
			`return f`
			`}`

			`// Login implements GET and POST /login`
Replace the cmd specific config with common config. (#144) * Move all the dendrite config in to a single place * Add tests for config parsing * replace syncserver config with common config * Replace client API config with common config * Replace federation API config with common config * Replace media api config with common config * Replace room server config with common config * Remove unused readKey function * Fix the integration tests * Comment on hardcoding roomserver to HTTP * Add a method for getting RoomServerURL This moves the hardcoding of HTTPs into one place. 2017-06-19 15:21:04 +01:00			`func Login(`
			`req http.Request, accountDB accounts.Database, deviceDB *devices.Database,`
			`cfg config.Dendrite,`
			`) util.JSONResponse {`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 17:11:53 +01:00			`if req.Method == "GET" { // TODO: support other forms of login other than password, depending on config options`
			`return util.JSONResponse{`
			`Code: 200,`
			`JSON: passwordLogin(),`
			`}`
			`} else if req.Method == "POST" {`
			`var r passwordRequest`
			`resErr := httputil.UnmarshalJSONRequest(req, &r)`
			`if resErr != nil {`
			`return *resErr`
			`}`
			`if r.User == "" {`
			`return util.JSONResponse{`
			`Code: 400,`
			`JSON: jsonerror.BadJSON("'user' must be supplied."),`
			`}`
			`}`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 17:51:40 +01:00
			`util.GetLogger(req.Context()).WithField("user", r.User).Info("Processing login request")`

Make login support logging in via user id (#260) 2017-09-22 17:08:16 +01:00			`// r.User can either be a user ID or just the localpart... or other things maybe.`
			`localpart := r.User`
			`if strings.HasPrefix(r.User, "@") {`
			`var domain gomatrixserverlib.ServerName`
			`var err error`
			`localpart, domain, err = gomatrixserverlib.SplitID('@', r.User)`
			`if err != nil {`
			`return util.JSONResponse{`
			`Code: 400,`
			`JSON: jsonerror.InvalidUsername("Invalid username"),`
			`}`
			`}`

			`if domain != cfg.Matrix.ServerName {`
			`return util.JSONResponse{`
			`Code: 400,`
			`JSON: jsonerror.InvalidUsername("User ID not ours"),`
			`}`
			`}`
			`}`

			`acc, err := accountDB.GetAccountByPassword(req.Context(), localpart, r.Password)`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 17:51:40 +01:00			`if err != nil {`
			`// Technically we could tell them if the user does not exist by checking if err == sql.ErrNoRows`
			`// but that would leak the existence of the user.`
			`return util.JSONResponse{`
			`Code: 403,`
Fix typo (#402) accouqnt -> account Signed-off-by: Andrew Morgan (https://amorgan.xyz) <andrew@amorgan.xyz> 2018-03-02 09:08:02 +00:00			`JSON: jsonerror.Forbidden("username or password was incorrect, or the account does not exist"),`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 17:51:40 +01:00			`}`
			`}`

			`token, err := auth.GenerateAccessToken()`
			`if err != nil {`
Generate new devices for each new /login (#281) 2017-10-10 10:40:52 +01:00			`httputil.LogThenError(req, err)`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 17:51:40 +01:00			`}`

			`// TODO: Use the device ID in the request`
Add contexts to device database (#233) * Add contexts to device database * Remove spurious whitespace 2017-09-18 15:51:26 +01:00			`dev, err := deviceDB.CreateDevice(`
Add device display names (#319) 2017-11-14 09:59:02 +00:00			`req.Context(), acc.Localpart, nil, token, r.InitialDisplayName,`
Add contexts to device database (#233) * Add contexts to device database * Remove spurious whitespace 2017-09-18 15:51:26 +01:00			`)`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 17:51:40 +01:00			`if err != nil {`
			`return util.JSONResponse{`
			`Code: 500,`
			`JSON: jsonerror.Unknown("failed to create device: " + err.Error()),`
			`}`
			`}`

Make it possible to point Riot at Dendrite (#74) 2017-04-20 17:11:53 +01:00			`return util.JSONResponse{`
			`Code: 200,`
			`JSON: loginResponse{`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 17:51:40 +01:00			`UserID: dev.UserID,`
			`AccessToken: dev.AccessToken,`
Replace the cmd specific config with common config. (#144) * Move all the dendrite config in to a single place * Add tests for config parsing * replace syncserver config with common config * Replace client API config with common config * Replace federation API config with common config * Replace media api config with common config * Replace room server config with common config * Remove unused readKey function * Fix the integration tests * Comment on hardcoding roomserver to HTTP * Add a method for getting RoomServerURL This moves the hardcoding of HTTPs into one place. 2017-06-19 15:21:04 +01:00			`HomeServer: cfg.Matrix.ServerName,`
Generate new devices for each new /login (#281) 2017-10-10 10:40:52 +01:00			`DeviceID: dev.ID,`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 17:11:53 +01:00			`},`
			`}`
			`}`
			`return util.JSONResponse{`
			`Code: 405,`
			`JSON: jsonerror.NotFound("Bad method"),`
			`}`
			`}`