tulip/cmd/red-tulip/server/server.go

284 lines
7.6 KiB
Go
Raw Permalink Normal View History

2024-01-29 23:45:46 +00:00
package server
2023-09-06 22:20:09 +01:00
import (
2023-12-17 15:55:41 +00:00
"bytes"
2023-09-06 22:20:09 +01:00
"crypto/subtle"
_ "embed"
"encoding/json"
"fmt"
2023-09-24 18:24:16 +01:00
"github.com/1f349/cache"
"github.com/1f349/mjwt"
2023-09-06 22:20:09 +01:00
"github.com/1f349/tulip/database"
2024-01-29 23:45:46 +00:00
"github.com/1f349/tulip/oauth"
2023-12-17 15:55:41 +00:00
"github.com/1f349/tulip/theme"
2023-09-06 22:20:09 +01:00
"github.com/go-oauth2/oauth2/v4/errors"
"github.com/go-oauth2/oauth2/v4/manage"
"github.com/go-oauth2/oauth2/v4/server"
2023-09-24 18:24:16 +01:00
"github.com/google/uuid"
2023-09-06 22:20:09 +01:00
"github.com/julienschmidt/httprouter"
"log"
"net/http"
"net/url"
2023-09-24 18:24:16 +01:00
"strings"
2023-09-06 22:20:09 +01:00
"time"
)
2023-09-24 18:24:16 +01:00
var errInvalidScope = errors.New("missing required scope")
2023-09-06 22:20:09 +01:00
type HttpServer struct {
r *httprouter.Router
oauthSrv *server.Server
oauthMgr *manage.Manager
db *database.DB
conf Conf
signingKey mjwt.Signer
2023-09-24 18:24:16 +01:00
// mailLinkCache contains a mapping of verify uuids to user uuids
mailLinkCache *cache.Cache[mailLinkKey, uuid.UUID]
}
const (
mailLinkDelete byte = iota
mailLinkResetPassword
mailLinkVerifyEmail
)
type mailLinkKey struct {
action byte
data uuid.UUID
2023-09-06 22:20:09 +01:00
}
2024-01-29 23:45:46 +00:00
func NewHttpServer(conf Conf, db *database.DB, oauthController *oauth.Controller, signingKey mjwt.Signer) *http.Server {
2023-09-06 22:20:09 +01:00
r := httprouter.New()
2023-10-10 18:06:43 +01:00
// remove last slash from baseUrl
{
l := len(conf.BaseUrl)
if conf.BaseUrl[l-1] == '/' {
conf.BaseUrl = conf.BaseUrl[:l-1]
}
}
2024-01-29 23:45:46 +00:00
openIdBytes, err := json.Marshal(oauthController.OidConf)
2023-09-06 22:20:09 +01:00
if err != nil {
log.Fatalln("Failed to generate OpenID configuration:", err)
}
oauthManager := manage.NewDefaultManager()
oauthSrv := server.NewServer(server.NewConfig(), oauthManager)
hs := &HttpServer{
r: httprouter.New(),
oauthSrv: oauthSrv,
oauthMgr: oauthManager,
db: db,
conf: conf,
signingKey: signingKey,
2023-09-24 18:24:16 +01:00
mailLinkCache: cache.New[mailLinkKey, uuid.UUID](),
2023-09-06 22:20:09 +01:00
}
r.GET("/.well-known/openid-configuration", func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
rw.WriteHeader(http.StatusOK)
_, _ = rw.Write(openIdBytes)
})
r.GET("/", hs.OptionalAuthentication(false, hs.Home))
r.POST("/logout", hs.RequireAuthentication(func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
2023-09-06 22:20:09 +01:00
lNonce, ok := auth.Session.Get("action-nonce")
if !ok {
http.Error(rw, "Missing nonce", http.StatusInternalServerError)
return
}
if subtle.ConstantTimeCompare([]byte(lNonce.(string)), []byte(req.PostFormValue("nonce"))) == 1 {
auth.Session.Delete("session-data")
2023-09-06 22:20:09 +01:00
if auth.Session.Save() != nil {
http.Error(rw, "Failed to save session", http.StatusInternalServerError)
return
}
http.SetCookie(rw, &http.Cookie{
Name: "login-data",
Path: "/",
MaxAge: -1,
Secure: true,
SameSite: http.SameSiteStrictMode,
})
2023-09-06 22:20:09 +01:00
http.Redirect(rw, req, "/", http.StatusFound)
return
}
http.Error(rw, "Logout failed", http.StatusInternalServerError)
}))
2023-12-17 15:55:41 +00:00
// theme styles
2023-12-17 16:03:13 +00:00
r.GET("/theme/style.css", func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
2023-12-17 22:45:31 +00:00
http.ServeContent(rw, req, "style.css", time.Now(), bytes.NewReader(theme.DefaultThemeCss))
2023-12-17 15:55:41 +00:00
})
// login steps
r.GET("/login", hs.OptionalAuthentication(false, hs.LoginGet))
r.POST("/login", hs.OptionalAuthentication(false, hs.LoginPost))
r.GET("/login/otp", hs.OptionalAuthentication(true, hs.LoginOtpGet))
r.POST("/login/otp", hs.OptionalAuthentication(true, hs.LoginOtpPost))
2023-09-24 18:24:16 +01:00
// mail codes
r.GET("/mail/verify/:code", hs.MailVerify)
r.GET("/mail/password/:code", hs.MailPassword)
2023-09-29 16:37:23 +01:00
r.POST("/mail/password", hs.MailPasswordPost)
2023-09-24 18:24:16 +01:00
r.GET("/mail/delete/:code", hs.MailDelete)
2024-01-29 23:45:46 +00:00
// edit profile pages
r.GET("/edit", hs.RequireAuthentication(hs.EditGet))
r.POST("/edit", hs.RequireAuthentication(hs.EditPost))
r.POST("/edit/otp", hs.RequireAuthentication(hs.EditOtpPost))
2024-01-29 23:45:46 +00:00
// management pages
r.GET("/manage/apps", hs.RequireAdminAuthentication(hs.ManageAppsGet))
r.POST("/manage/apps", hs.RequireAdminAuthentication(hs.ManageAppsPost))
r.GET("/manage/users", hs.RequireAdminAuthentication(hs.ManageUsersGet))
r.POST("/manage/users", hs.RequireAdminAuthentication(hs.ManageUsersPost))
2024-01-29 23:45:46 +00:00
// oauth pages
r.GET("/authorize", hs.RequireAuthentication(hs.authorizeEndpoint))
r.POST("/authorize", hs.RequireAuthentication(hs.authorizeEndpoint))
2023-09-06 22:20:09 +01:00
r.POST("/token", func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
if err := oauthSrv.HandleTokenRequest(rw, req); err != nil {
http.Error(rw, err.Error(), http.StatusInternalServerError)
}
})
r.GET("/userinfo", func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
token, err := oauthSrv.ValidationBearerToken(req)
if err != nil {
http.Error(rw, "403 Forbidden", http.StatusForbidden)
return
}
2023-09-24 18:24:16 +01:00
userId := token.GetUserID()
userUuid, err := uuid.Parse(userId)
if err != nil {
http.Error(rw, "Invalid User ID", http.StatusBadRequest)
return
}
fmt.Printf("Using token for user: %s by app: %s with scope: '%s'\n", userId, token.GetClientID(), token.GetScope())
claims := ParseClaims(token.GetScope())
if !claims["openid"] {
http.Error(rw, "Invalid scope", http.StatusBadRequest)
return
}
var userData *database.User
if hs.DbTx(rw, func(tx *database.Tx) (err error) {
userData, err = tx.GetUser(userUuid)
return err
}) {
return
}
m := map[string]any{}
m["sub"] = userId
m["aud"] = token.GetClientID()
if claims["name"] {
m["name"] = userData.Name
}
if claims["username"] {
2023-10-10 18:06:43 +01:00
m["preferred_username"] = userData.Username
2023-09-24 18:24:16 +01:00
}
if claims["profile"] {
2023-10-10 18:06:43 +01:00
m["profile"] = conf.BaseUrl + "/user/" + userData.Username
2023-09-24 18:24:16 +01:00
m["picture"] = userData.Picture.String()
m["website"] = userData.Website.String()
}
if claims["email"] {
m["email"] = userData.Email
m["email_verified"] = userData.EmailVerified
}
if claims["birthdate"] {
m["birthdate"] = userData.Birthdate.String()
}
if claims["age"] {
m["age"] = CalculateAge(userData.Birthdate.Time.In(userData.ZoneInfo.Location))
}
if claims["zoneinfo"] {
m["zoneinfo"] = userData.ZoneInfo.Location.String()
}
if claims["locale"] {
m["locale"] = userData.Locale.Tag.String()
}
m["updated_at"] = time.Now().Unix()
_ = json.NewEncoder(rw).Encode(m)
2023-09-06 22:20:09 +01:00
})
return &http.Server{
2023-10-10 18:06:43 +01:00
Addr: conf.Listen,
2023-09-06 22:20:09 +01:00
Handler: r,
ReadTimeout: time.Minute,
ReadHeaderTimeout: time.Minute,
WriteTimeout: time.Minute,
IdleTimeout: time.Minute,
MaxHeaderBytes: 2500,
}
}
2023-09-24 18:24:16 +01:00
func (h *HttpServer) SafeRedirect(rw http.ResponseWriter, req *http.Request) {
redirectUrl := req.FormValue("redirect")
if redirectUrl == "" {
http.Redirect(rw, req, "/", http.StatusFound)
return
}
parse, err := url.Parse(redirectUrl)
if err != nil {
http.Error(rw, "Failed to parse redirect url: "+redirectUrl, http.StatusBadRequest)
return
}
if parse.Scheme != "" && parse.Opaque != "" && parse.User != nil && parse.Host != "" {
http.Error(rw, "Invalid redirect url: "+redirectUrl, http.StatusBadRequest)
return
}
http.Redirect(rw, req, parse.String(), http.StatusFound)
}
2023-09-24 18:24:16 +01:00
func ParseClaims(claims string) map[string]bool {
m := make(map[string]bool)
for {
n := strings.IndexByte(claims, ' ')
if n == -1 {
if claims != "" {
m[claims] = true
}
break
}
a := claims[:n]
claims = claims[n+1:]
if a != "" {
m[a] = true
}
}
return m
}
var ageTimeNow = func() time.Time { return time.Now() }
func CalculateAge(t time.Time) int {
n := ageTimeNow()
// the birthday is in the future so the age is 0
if n.Before(t) {
return 0
}
// the year difference
dy := n.Year() - t.Year()
// the birthday in the current year
tCurrent := t.AddDate(dy, 0, 0)
// minus 1 if the birthday has not yet occurred in the current year
if tCurrent.Before(n) {
dy -= 1
}
return dy
}