lavender/server/login.go

package server

import (
	"context"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"database/sql"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"github.com/1f349/lavender/database"
	"github.com/1f349/lavender/issuer"
	"github.com/1f349/lavender/pages"
	"github.com/1f349/mjwt/auth"
	"github.com/1f349/mjwt/claims"
	"github.com/golang-jwt/jwt/v4"
	"github.com/google/uuid"
	"github.com/julienschmidt/httprouter"
	"golang.org/x/oauth2"
	"net/http"
	"net/url"
	"strings"
	"time"
)

func (h *HttpServer) loginGet(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
	if !auth.IsGuest() {
		h.SafeRedirect(rw, req)
		return
	}

	cookie, err := req.Cookie("lavender-login-name")
	if err == nil && cookie.Valid() == nil {
		pages.RenderPageTemplate(rw, "login-memory", map[string]any{
			"ServiceName": h.conf.ServiceName,
			"LoginName":   cookie.Value,
			"Redirect":    req.URL.Query().Get("redirect"),
		})
		return
	}
	pages.RenderPageTemplate(rw, "login", map[string]any{
		"ServiceName": h.conf.ServiceName,
		"Redirect":    req.URL.Query().Get("redirect"),
	})
}

func (h *HttpServer) loginPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
	if !auth.IsGuest() {
		h.SafeRedirect(rw, req)
		return
	}

	if req.PostFormValue("not-you") == "1" {
		http.SetCookie(rw, &http.Cookie{
			Name:     "lavender-login-name",
			Value:    "",
			Path:     "/",
			MaxAge:   -1,
			Secure:   true,
			SameSite: http.SameSiteLaxMode,
		})
		http.Redirect(rw, req, (&url.URL{
			Path: "/login",
		}).String(), http.StatusFound)
		return
	}
	loginName := req.PostFormValue("loginname")
	login := h.manager.FindServiceFromLogin(loginName)
	if login == nil {
		http.Error(rw, "No login service defined for this username", http.StatusBadRequest)
		return
	}
	// the @ must exist if the service is defined
	n := strings.IndexByte(loginName, '@')
	loginUn := loginName[:n]

	now := time.Now()
	future := now.AddDate(1, 0, 0)
	http.SetCookie(rw, &http.Cookie{
		Name:     "lavender-login-name",
		Value:    loginName,
		Path:     "/",
		Expires:  future,
		MaxAge:   int(future.Sub(now).Seconds()),
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})

	// save state for use later
	state := login.Config.Namespace + ":" + uuid.NewString()
	h.flowState.Set(state, flowStateData{login, req.PostFormValue("redirect")}, time.Now().Add(15*time.Minute))

	// generate oauth2 config and redirect to authorize URL
	oa2conf := login.OAuth2Config
	oa2conf.RedirectURL = h.conf.BaseUrl + "/callback"
	nextUrl := oa2conf.AuthCodeURL(state, oauth2.SetAuthURLParam("login_name", loginUn))
	http.Redirect(rw, req, nextUrl, http.StatusFound)
}

func (h *HttpServer) loginCallback(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
	flowState, ok := h.flowState.Get(req.FormValue("state"))
	if !ok {
		http.Error(rw, "Invalid flow state", http.StatusBadRequest)
		return
	}
	token, err := flowState.sso.OAuth2Config.Exchange(context.Background(), req.FormValue("code"), oauth2.SetAuthURLParam("redirect_uri", h.conf.BaseUrl+"/callback"))
	if err != nil {
		http.Error(rw, "Failed to exchange code for token", http.StatusInternalServerError)
		return
	}

	sessionData, err := h.fetchUserInfo(flowState.sso, token)
	if sessionData.ID == "" {
		http.Error(rw, "Failed to fetch user info", http.StatusInternalServerError)
		return
	}

	if h.DbTx(rw, func(tx *database.Tx) error {
		jBytes, err := json.Marshal(sessionData.UserInfo)
		if err != nil {
			return err
		}
		_, err = tx.GetUser(sessionData.ID)
		if errors.Is(err, sql.ErrNoRows) {
			uEmail := sessionData.UserInfo.GetStringOrDefault("email", "unknown@localhost")
			uEmailVerified, _ := sessionData.UserInfo.GetBoolean("email_verified")
			return tx.InsertUser(sessionData.ID, uEmail, uEmailVerified, "", string(jBytes), true)
		}
		uEmail := sessionData.UserInfo.GetStringOrDefault("email", "unknown@localhost")
		uEmailVerified, _ := sessionData.UserInfo.GetBoolean("email_verified")
		return tx.UpdateUserInfo(sessionData.ID, uEmail, uEmailVerified, string(jBytes))
	}) {
		return
	}

	// only continues if the above tx succeeds
	auth = sessionData

	if h.DbTx(rw, func(tx *database.Tx) error {
		return tx.UpdateUserToken(auth.ID, token.AccessToken, token.RefreshToken, token.Expiry)
	}) {
		return
	}

	if h.setLoginDataCookie(rw, auth) {
		http.Error(rw, "Failed to save login cookie", http.StatusInternalServerError)
		return
	}
	if flowState.redirect != "" {
		req.Form.Set("redirect", flowState.redirect)
	}
	h.SafeRedirect(rw, req)
}

const oneYear = 365 * 24 * time.Hour

func (h *HttpServer) setLoginDataCookie(rw http.ResponseWriter, authData UserAuth) bool {
	ps := claims.NewPermStorage()
	gen, err := h.signingKey.GenerateJwt(authData.ID, uuid.NewString(), jwt.ClaimStrings{h.conf.BaseUrl}, oneYear, auth.AccessTokenClaims{Perms: ps})
	if err != nil {
		http.Error(rw, "Failed to generate cookie token", http.StatusInternalServerError)
		return true
	}
	http.SetCookie(rw, &http.Cookie{
		Name:     "lavender-login-data",
		Value:    gen,
		Path:     "/",
		Expires:  time.Now().AddDate(0, 3, 0),
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
	return false
}

func (h *HttpServer) readLoginDataCookie(req *http.Request, u *UserAuth) {
	loginCookie, err := req.Cookie("lavender-login-data")
	if err != nil {
		return
	}
	hexData, err := hex.DecodeString(loginCookie.Value)
	if err != nil {
		return
	}
	decData, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.signingKey.PrivateKey(), hexData, []byte("lavender-login-data"))
	if err != nil {
		return
	}

	userId := string(decData)
	var token oauth2.Token
	if h.DbTxRaw(func(tx *database.Tx) error {
		return tx.GetUserToken(userId, &token.AccessToken, &token.RefreshToken, &token.Expiry)
	}) {
		return
	}

	sso := h.manager.FindServiceFromLogin(userId)
	if sso == nil {
		return
	}

	*u, _ = h.fetchUserInfo(sso, &token)
}

func (h *HttpServer) fetchUserInfo(sso *issuer.WellKnownOIDC, token *oauth2.Token) (UserAuth, error) {
	res, err := sso.OAuth2Config.Client(context.Background(), token).Get(sso.UserInfoEndpoint)
	if err != nil || res.StatusCode != http.StatusOK {
		return UserAuth{}, fmt.Errorf("request failed")
	}
	defer res.Body.Close()

	var userInfoJson UserInfoFields
	if err := json.NewDecoder(res.Body).Decode(&userInfoJson); err != nil {
		return UserAuth{}, err
	}
	subject, ok := userInfoJson.GetString("sub")
	if !ok {
		return UserAuth{}, fmt.Errorf("invalid subject")
	}
	subject += "@" + sso.Config.Namespace

	displayName := userInfoJson.GetStringOrDefault("name", "Unknown Name")
	return UserAuth{
		ID:          subject,
		DisplayName: displayName,
		UserInfo:    userInfoJson,
	}, nil
}
Add oauth support 2024-02-07 01:18:17 +00:00			`package server`

			`import (`
Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00			`"context"`
			`"crypto/rand"`
			`"crypto/rsa"`
			`"crypto/sha256"`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`"database/sql"`
Allow specific permissions to be sent to authorized clients and use JWT access tokens 2024-02-10 16:23:50 +00:00			`"encoding/hex"`
Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00			`"encoding/json"`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`"errors"`
Save client tokens for userinfo requests 2024-02-10 11:59:45 +00:00			`"fmt"`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`"github.com/1f349/lavender/database"`
			`"github.com/1f349/lavender/issuer"`
Add oauth support 2024-02-07 01:18:17 +00:00			`"github.com/1f349/lavender/pages"`
Use JWT as login cookie 2024-02-15 15:23:10 +00:00			`"github.com/1f349/mjwt/auth"`
			`"github.com/1f349/mjwt/claims"`
			`"github.com/golang-jwt/jwt/v4"`
Add oauth support 2024-02-07 01:18:17 +00:00			`"github.com/google/uuid"`
			`"github.com/julienschmidt/httprouter"`
			`"golang.org/x/oauth2"`
			`"net/http"`
			`"net/url"`
			`"strings"`
			`"time"`
			`)`

Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00			`func (h HttpServer) loginGet(rw http.ResponseWriter, req http.Request, _ httprouter.Params, auth UserAuth) {`
			`if !auth.IsGuest() {`
			`h.SafeRedirect(rw, req)`
			`return`
			`}`

Add oauth support 2024-02-07 01:18:17 +00:00			`cookie, err := req.Cookie("lavender-login-name")`
			`if err == nil && cookie.Valid() == nil {`
			`pages.RenderPageTemplate(rw, "login-memory", map[string]any{`
			`"ServiceName": h.conf.ServiceName,`
			`"LoginName": cookie.Value,`
Fix correct redirection after login flow, and update test client 2024-02-10 02:53:58 +00:00			`"Redirect": req.URL.Query().Get("redirect"),`
Add oauth support 2024-02-07 01:18:17 +00:00			`})`
			`return`
			`}`
			`pages.RenderPageTemplate(rw, "login", map[string]any{`
			`"ServiceName": h.conf.ServiceName,`
Fix correct redirection after login flow, and update test client 2024-02-10 02:53:58 +00:00			`"Redirect": req.URL.Query().Get("redirect"),`
Add oauth support 2024-02-07 01:18:17 +00:00			`})`
			`}`

Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00			`func (h HttpServer) loginPost(rw http.ResponseWriter, req http.Request, _ httprouter.Params, auth UserAuth) {`
			`if !auth.IsGuest() {`
			`h.SafeRedirect(rw, req)`
			`return`
			`}`

Add oauth support 2024-02-07 01:18:17 +00:00			`if req.PostFormValue("not-you") == "1" {`
			`http.SetCookie(rw, &http.Cookie{`
			`Name: "lavender-login-name",`
			`Value: "",`
			`Path: "/",`
			`MaxAge: -1,`
			`Secure: true,`
Use SameSiteLaxMode 2024-02-15 14:44:58 +00:00			`SameSite: http.SameSiteLaxMode,`
Add oauth support 2024-02-07 01:18:17 +00:00			`})`
			`http.Redirect(rw, req, (&url.URL{`
			`Path: "/login",`
			`}).String(), http.StatusFound)`
			`return`
			`}`
			`loginName := req.PostFormValue("loginname")`
			`login := h.manager.FindServiceFromLogin(loginName)`
			`if login == nil {`
			`http.Error(rw, "No login service defined for this username", http.StatusBadRequest)`
			`return`
			`}`
			`// the @ must exist if the service is defined`
			`n := strings.IndexByte(loginName, '@')`
			`loginUn := loginName[:n]`

			`now := time.Now()`
			`future := now.AddDate(1, 0, 0)`
			`http.SetCookie(rw, &http.Cookie{`
			`Name: "lavender-login-name",`
			`Value: loginName,`
			`Path: "/",`
			`Expires: future,`
			`MaxAge: int(future.Sub(now).Seconds()),`
			`Secure: true,`
Use SameSiteLaxMode 2024-02-15 14:44:58 +00:00			`SameSite: http.SameSiteLaxMode,`
Add oauth support 2024-02-07 01:18:17 +00:00			`})`

			`// save state for use later`
			`state := login.Config.Namespace + ":" + uuid.NewString()`
Fix correct redirection after login flow, and update test client 2024-02-10 02:53:58 +00:00			`h.flowState.Set(state, flowStateData{login, req.PostFormValue("redirect")}, time.Now().Add(15*time.Minute))`
Add oauth support 2024-02-07 01:18:17 +00:00
			`// generate oauth2 config and redirect to authorize URL`
			`oa2conf := login.OAuth2Config`
			`oa2conf.RedirectURL = h.conf.BaseUrl + "/callback"`
			`nextUrl := oa2conf.AuthCodeURL(state, oauth2.SetAuthURLParam("login_name", loginUn))`
			`http.Redirect(rw, req, nextUrl, http.StatusFound)`
			`}`
Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00
			`func (h HttpServer) loginCallback(rw http.ResponseWriter, req http.Request, _ httprouter.Params, auth UserAuth) {`
			`flowState, ok := h.flowState.Get(req.FormValue("state"))`
			`if !ok {`
			`http.Error(rw, "Invalid flow state", http.StatusBadRequest)`
			`return`
			`}`
			`token, err := flowState.sso.OAuth2Config.Exchange(context.Background(), req.FormValue("code"), oauth2.SetAuthURLParam("redirect_uri", h.conf.BaseUrl+"/callback"))`
			`if err != nil {`
			`http.Error(rw, "Failed to exchange code for token", http.StatusInternalServerError)`
			`return`
			`}`

Save client tokens for userinfo requests 2024-02-10 11:59:45 +00:00			`sessionData, err := h.fetchUserInfo(flowState.sso, token)`
Return to logged out with fetchUserInfo fails, updates to test client 2024-02-09 15:25:56 +00:00			`if sessionData.ID == "" {`
			`http.Error(rw, "Failed to fetch user info", http.StatusInternalServerError)`
Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00			`return`
			`}`

Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`if h.DbTx(rw, func(tx *database.Tx) error {`
Store userinfo fields to prevent errors with userinfo endpoint 2024-02-22 12:41:21 +00:00			`jBytes, err := json.Marshal(sessionData.UserInfo)`
			`if err != nil {`
			`return err`
			`}`
			`_, err = tx.GetUser(sessionData.ID)`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`if errors.Is(err, sql.ErrNoRows) {`
			`uEmail := sessionData.UserInfo.GetStringOrDefault("email", "unknown@localhost")`
			`uEmailVerified, _ := sessionData.UserInfo.GetBoolean("email_verified")`
Store userinfo fields to prevent errors with userinfo endpoint 2024-02-22 12:41:21 +00:00			`return tx.InsertUser(sessionData.ID, uEmail, uEmailVerified, "", string(jBytes), true)`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`}`
Store userinfo fields to prevent errors with userinfo endpoint 2024-02-22 12:41:21 +00:00			`uEmail := sessionData.UserInfo.GetStringOrDefault("email", "unknown@localhost")`
			`uEmailVerified, _ := sessionData.UserInfo.GetBoolean("email_verified")`
			`return tx.UpdateUserInfo(sessionData.ID, uEmail, uEmailVerified, string(jBytes))`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`}) {`
Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00			`return`
			`}`

			`// only continues if the above tx succeeds`
Remove session library 2024-02-15 15:09:14 +00:00			`auth = sessionData`
Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00
Save client tokens for userinfo requests 2024-02-10 11:59:45 +00:00			`if h.DbTx(rw, func(tx *database.Tx) error {`
Remove session library 2024-02-15 15:09:14 +00:00			`return tx.UpdateUserToken(auth.ID, token.AccessToken, token.RefreshToken, token.Expiry)`
Save client tokens for userinfo requests 2024-02-10 11:59:45 +00:00			`}) {`
			`return`
			`}`

Use JWT as login cookie 2024-02-15 15:23:10 +00:00			`if h.setLoginDataCookie(rw, auth) {`
Allow specific permissions to be sent to authorized clients and use JWT access tokens 2024-02-10 16:23:50 +00:00			`http.Error(rw, "Failed to save login cookie", http.StatusInternalServerError)`
Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00			`return`
			`}`
Fix correct redirection after login flow, and update test client 2024-02-10 02:53:58 +00:00			`if flowState.redirect != "" {`
			`req.Form.Set("redirect", flowState.redirect)`
			`}`
Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00			`h.SafeRedirect(rw, req)`
			`}`

Use JWT as login cookie 2024-02-15 15:23:10 +00:00			`const oneYear = 365 * 24 * time.Hour`

			`func (h *HttpServer) setLoginDataCookie(rw http.ResponseWriter, authData UserAuth) bool {`
			`ps := claims.NewPermStorage()`
			`gen, err := h.signingKey.GenerateJwt(authData.ID, uuid.NewString(), jwt.ClaimStrings{h.conf.BaseUrl}, oneYear, auth.AccessTokenClaims{Perms: ps})`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`if err != nil {`
Use JWT as login cookie 2024-02-15 15:23:10 +00:00			`http.Error(rw, "Failed to generate cookie token", http.StatusInternalServerError)`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`return true`
			`}`
Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00			`http.SetCookie(rw, &http.Cookie{`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`Name: "lavender-login-data",`
Use JWT as login cookie 2024-02-15 15:23:10 +00:00			`Value: gen,`
Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00			`Path: "/",`
			`Expires: time.Now().AddDate(0, 3, 0),`
			`Secure: true,`
Use SameSiteLaxMode 2024-02-15 14:44:58 +00:00			`SameSite: http.SameSiteLaxMode,`
Exchange token and fetch userinfo 2024-02-07 10:54:37 +00:00			`})`
			`return false`
			`}`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00
Allow specific permissions to be sent to authorized clients and use JWT access tokens 2024-02-10 16:23:50 +00:00			`func (h HttpServer) readLoginDataCookie(req http.Request, u *UserAuth) {`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`loginCookie, err := req.Cookie("lavender-login-data")`
			`if err != nil {`
Return to logged out with fetchUserInfo fails, updates to test client 2024-02-09 15:25:56 +00:00			`return`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`}`
Allow specific permissions to be sent to authorized clients and use JWT access tokens 2024-02-10 16:23:50 +00:00			`hexData, err := hex.DecodeString(loginCookie.Value)`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`if err != nil {`
Return to logged out with fetchUserInfo fails, updates to test client 2024-02-09 15:25:56 +00:00			`return`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`}`
Allow specific permissions to be sent to authorized clients and use JWT access tokens 2024-02-10 16:23:50 +00:00			`decData, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.signingKey.PrivateKey(), hexData, []byte("lavender-login-data"))`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`if err != nil {`
Return to logged out with fetchUserInfo fails, updates to test client 2024-02-09 15:25:56 +00:00			`return`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`}`

Allow specific permissions to be sent to authorized clients and use JWT access tokens 2024-02-10 16:23:50 +00:00			`userId := string(decData)`
			`var token oauth2.Token`
			`if h.DbTxRaw(func(tx *database.Tx) error {`
			`return tx.GetUserToken(userId, &token.AccessToken, &token.RefreshToken, &token.Expiry)`
			`}) {`
Return to logged out with fetchUserInfo fails, updates to test client 2024-02-09 15:25:56 +00:00			`return`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`}`

			`sso := h.manager.FindServiceFromLogin(userId)`
			`if sso == nil {`
Return to logged out with fetchUserInfo fails, updates to test client 2024-02-09 15:25:56 +00:00			`return`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`}`

Remove session library 2024-02-15 15:09:14 +00:00			`*u, _ = h.fetchUserInfo(sso, &token)`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`}`

Remove session library 2024-02-15 15:09:14 +00:00			`func (h HttpServer) fetchUserInfo(sso issuer.WellKnownOIDC, token *oauth2.Token) (UserAuth, error) {`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`res, err := sso.OAuth2Config.Client(context.Background(), token).Get(sso.UserInfoEndpoint)`
			`if err != nil \|\| res.StatusCode != http.StatusOK {`
Remove session library 2024-02-15 15:09:14 +00:00			`return UserAuth{}, fmt.Errorf("request failed")`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`}`
			`defer res.Body.Close()`

			`var userInfoJson UserInfoFields`
			`if err := json.NewDecoder(res.Body).Decode(&userInfoJson); err != nil {`
Remove session library 2024-02-15 15:09:14 +00:00			`return UserAuth{}, err`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`}`
			`subject, ok := userInfoJson.GetString("sub")`
			`if !ok {`
Remove session library 2024-02-15 15:09:14 +00:00			`return UserAuth{}, fmt.Errorf("invalid subject")`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`}`
			`subject += "@" + sso.Config.Namespace`

			`displayName := userInfoJson.GetStringOrDefault("name", "Unknown Name")`
Remove session library 2024-02-15 15:09:14 +00:00			`return UserAuth{`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`ID: subject,`
			`DisplayName: displayName,`
			`UserInfo: userInfoJson,`
Save client tokens for userinfo requests 2024-02-10 11:59:45 +00:00			`}, nil`
Add public to oauth client store and separate fetching user info 2024-02-08 01:16:14 +00:00			`}`