2023-10-01 21:44:49 +01:00
|
|
|
package server
|
|
|
|
|
|
|
|
|
|
import (
|
2024-09-13 15:31:40 +01:00
|
|
|
"errors"
|
2023-10-03 23:20:28 +01:00
|
|
|
"github.com/1f349/cache"
|
2024-10-25 15:08:56 +01:00
|
|
|
"github.com/1f349/lavender/auth"
|
2024-12-06 18:41:03 +00:00
|
|
|
"github.com/1f349/lavender/auth/providers"
|
2024-08-19 22:37:30 +01:00
|
|
|
"github.com/1f349/lavender/conf"
|
2024-02-07 01:18:17 +00:00
|
|
|
"github.com/1f349/lavender/database"
|
2023-10-01 21:44:49 +01:00
|
|
|
"github.com/1f349/lavender/issuer"
|
2024-10-05 21:08:02 +01:00
|
|
|
"github.com/1f349/lavender/logger"
|
2025-01-11 00:38:01 +00:00
|
|
|
"github.com/1f349/lavender/mail"
|
2024-12-02 00:40:19 +00:00
|
|
|
"github.com/1f349/lavender/web"
|
2023-11-03 07:39:58 +00:00
|
|
|
"github.com/1f349/mjwt"
|
2024-02-07 01:18:17 +00:00
|
|
|
"github.com/go-oauth2/oauth2/v4/manage"
|
|
|
|
|
"github.com/go-oauth2/oauth2/v4/server"
|
2023-10-01 21:44:49 +01:00
|
|
|
"github.com/julienschmidt/httprouter"
|
|
|
|
|
"net/http"
|
2024-02-07 01:18:17 +00:00
|
|
|
"net/url"
|
2023-12-14 23:50:09 +00:00
|
|
|
"strings"
|
2023-10-01 21:44:49 +01:00
|
|
|
)
|
|
|
|
|
|
2024-02-07 01:18:17 +00:00
|
|
|
var errInvalidScope = errors.New("missing required scope")
|
|
|
|
|
|
2024-09-13 15:31:40 +01:00
|
|
|
type httpServer struct {
|
2024-02-07 01:18:17 +00:00
|
|
|
r *httprouter.Router
|
|
|
|
|
oauthSrv *server.Server
|
|
|
|
|
oauthMgr *manage.Manager
|
2024-05-17 21:40:31 +01:00
|
|
|
db *database.Queries
|
2024-08-19 22:37:30 +01:00
|
|
|
conf conf.Conf
|
2024-07-27 21:46:58 +01:00
|
|
|
signingKey *mjwt.Issuer
|
2025-01-11 00:38:01 +00:00
|
|
|
mailSender *mail.Mail
|
2024-02-07 01:18:17 +00:00
|
|
|
manager *issuer.Manager
|
2024-09-13 15:31:40 +01:00
|
|
|
|
|
|
|
|
// mailLinkCache contains a mapping of verify uuids to user uuids
|
|
|
|
|
mailLinkCache *cache.Cache[mailLinkKey, string]
|
2023-10-03 23:20:28 +01:00
|
|
|
|
2024-10-25 15:08:56 +01:00
|
|
|
authSources []auth.Provider
|
2025-01-19 12:04:25 +00:00
|
|
|
authButtons []auth.Button
|
2023-10-01 21:44:49 +01:00
|
|
|
}
|
|
|
|
|
|
2024-09-13 15:31:40 +01:00
|
|
|
type mailLink byte
|
2023-10-01 21:44:49 +01:00
|
|
|
|
2024-09-13 15:31:40 +01:00
|
|
|
const (
|
|
|
|
|
mailLinkDelete mailLink = iota
|
|
|
|
|
mailLinkResetPassword
|
|
|
|
|
mailLinkVerifyEmail
|
|
|
|
|
)
|
2023-10-03 01:14:25 +01:00
|
|
|
|
2024-09-13 15:31:40 +01:00
|
|
|
type mailLinkKey struct {
|
|
|
|
|
action mailLink
|
|
|
|
|
data string
|
|
|
|
|
}
|
2024-02-07 01:18:17 +00:00
|
|
|
|
2025-01-11 00:38:01 +00:00
|
|
|
func SetupRouter(r *httprouter.Router, config conf.Conf, mailSender *mail.Mail, db *database.Queries, signingKey *mjwt.Issuer) {
|
2025-01-19 12:04:25 +00:00
|
|
|
// TODO: move auth provider init to main function
|
|
|
|
|
// TODO: allow dynamically changing the providers based on database information
|
2024-12-06 18:41:03 +00:00
|
|
|
authBasic := &providers.BasicLogin{DB: db}
|
|
|
|
|
authOtp := &providers.OtpLogin{DB: db}
|
2025-01-19 12:04:25 +00:00
|
|
|
authOAuth := &providers.OAuthLogin{DB: db, BaseUrl: &config.BaseUrl}
|
2024-10-25 15:08:56 +01:00
|
|
|
authOAuth.Init()
|
2025-01-19 12:04:25 +00:00
|
|
|
authPasskey := &providers.PasskeyLogin{DB: db}
|
|
|
|
|
|
|
|
|
|
authSources := []auth.Provider{
|
|
|
|
|
authBasic,
|
|
|
|
|
authOtp,
|
|
|
|
|
authOAuth,
|
|
|
|
|
authPasskey,
|
|
|
|
|
}
|
|
|
|
|
authButtons := make([]auth.Button, 0)
|
|
|
|
|
for _, source := range authSources {
|
|
|
|
|
if button, isButton := source.(auth.Button); isButton {
|
|
|
|
|
authButtons = append(authButtons, button)
|
|
|
|
|
}
|
|
|
|
|
}
|
2024-10-25 15:08:56 +01:00
|
|
|
|
2024-09-13 15:31:40 +01:00
|
|
|
hs := &httpServer{
|
|
|
|
|
r: r,
|
2024-02-07 01:18:17 +00:00
|
|
|
db: db,
|
2024-08-19 22:37:30 +01:00
|
|
|
conf: config,
|
2024-02-07 01:18:17 +00:00
|
|
|
signingKey: signingKey,
|
2025-01-11 00:38:01 +00:00
|
|
|
mailSender: mailSender,
|
2024-02-07 01:18:17 +00:00
|
|
|
|
2024-09-13 15:31:40 +01:00
|
|
|
mailLinkCache: cache.New[mailLinkKey, string](),
|
2024-10-25 15:08:56 +01:00
|
|
|
|
2025-01-19 12:04:25 +00:00
|
|
|
authSources: authSources,
|
|
|
|
|
authButtons: authButtons,
|
2023-10-01 21:44:49 +01:00
|
|
|
}
|
|
|
|
|
|
2024-10-05 21:08:02 +01:00
|
|
|
var err error
|
2024-10-25 15:08:56 +01:00
|
|
|
hs.manager, err = issuer.NewManager(config.Namespace, config.SsoServices)
|
2024-10-05 21:08:02 +01:00
|
|
|
if err != nil {
|
|
|
|
|
logger.Logger.Fatal("Failed to load SSO services", "err", err)
|
|
|
|
|
}
|
2024-02-07 01:18:17 +00:00
|
|
|
|
2025-01-19 12:04:25 +00:00
|
|
|
SetupOpenId(r, &config.BaseUrl, signingKey)
|
2024-10-05 21:08:02 +01:00
|
|
|
r.GET("/", hs.OptionalAuthentication(false, hs.Home))
|
|
|
|
|
r.POST("/logout", hs.RequireAuthentication(hs.logoutPost))
|
2024-02-07 01:18:17 +00:00
|
|
|
|
|
|
|
|
// theme styles
|
2024-05-16 03:06:10 +01:00
|
|
|
r.GET("/assets/*filepath", func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
|
|
|
|
|
name := params.ByName("filepath")
|
|
|
|
|
if strings.Contains(name, "..") {
|
|
|
|
|
http.Error(rw, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
2024-12-02 00:40:19 +00:00
|
|
|
web.RenderWebAsset(rw, req, name)
|
2023-12-17 22:46:58 +00:00
|
|
|
})
|
|
|
|
|
|
2024-10-05 21:08:02 +01:00
|
|
|
// login steps
|
|
|
|
|
r.GET("/login", hs.OptionalAuthentication(false, hs.loginGet))
|
|
|
|
|
r.POST("/login", hs.OptionalAuthentication(false, hs.loginPost))
|
|
|
|
|
r.GET("/callback", hs.OptionalAuthentication(false, hs.loginCallback))
|
|
|
|
|
|
|
|
|
|
SetupManageApps(r, hs)
|
|
|
|
|
SetupManageUsers(r, hs)
|
|
|
|
|
SetupOAuth2(r, hs, signingKey, db)
|
2023-11-15 09:21:09 +00:00
|
|
|
}
|
2023-10-01 21:44:49 +01:00
|
|
|
|
2024-09-13 15:31:40 +01:00
|
|
|
func (h *httpServer) SafeRedirect(rw http.ResponseWriter, req *http.Request) {
|
2024-02-07 01:18:17 +00:00
|
|
|
redirectUrl := req.FormValue("redirect")
|
|
|
|
|
if redirectUrl == "" {
|
|
|
|
|
http.Redirect(rw, req, "/", http.StatusFound)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
parse, err := url.Parse(redirectUrl)
|
2023-11-15 09:21:09 +00:00
|
|
|
if err != nil {
|
2024-02-07 01:18:17 +00:00
|
|
|
http.Error(rw, "Failed to parse redirect url: "+redirectUrl, http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if parse.Scheme != "" && parse.Opaque != "" && parse.User != nil && parse.Host != "" {
|
|
|
|
|
http.Error(rw, "Invalid redirect url: "+redirectUrl, http.StatusBadRequest)
|
|
|
|
|
return
|
2023-10-01 21:44:49 +01:00
|
|
|
}
|
2024-02-07 01:18:17 +00:00
|
|
|
http.Redirect(rw, req, parse.String(), http.StatusFound)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func ParseClaims(claims string) map[string]bool {
|
|
|
|
|
m := make(map[string]bool)
|
|
|
|
|
for {
|
|
|
|
|
n := strings.IndexByte(claims, ' ')
|
|
|
|
|
if n == -1 {
|
|
|
|
|
if claims != "" {
|
|
|
|
|
m[claims] = true
|
|
|
|
|
}
|
|
|
|
|
break
|
|
|
|
|
}
|
2023-11-15 09:21:09 +00:00
|
|
|
|
2024-02-07 01:18:17 +00:00
|
|
|
a := claims[:n]
|
|
|
|
|
claims = claims[n+1:]
|
|
|
|
|
if a != "" {
|
|
|
|
|
m[a] = true
|
|
|
|
|
}
|
2023-11-15 09:21:09 +00:00
|
|
|
}
|
|
|
|
|
|
2024-02-07 01:18:17 +00:00
|
|
|
return m
|
2023-10-01 21:44:49 +01:00
|
|
|
}
|
