diff --git a/pages/pages.go b/pages/pages.go
index 71b01a5..963e2cd 100644
--- a/pages/pages.go
+++ b/pages/pages.go
@@ -16,7 +16,9 @@ var (
)
func LoadPageTemplates() (err error) {
- pageTemplate, err = template.New("pages").ParseFS(embeddedTemplates, "*.go.html")
+ pageTemplate, err = template.New("pages").Funcs(template.FuncMap{
+ "emailHide": EmailHide,
+ }).ParseFS(embeddedTemplates, "*.go.html")
return
}
@@ -26,3 +28,13 @@ func RenderPageTemplate(wr io.Writer, name string, data any) {
log.Printf("Failed to render page: %s: %s\n", name, err)
}
}
+
+func EmailHide(a string) string {
+ b := []byte(a)
+ for i := range b {
+ if b[i] != '@' && b[i] != '.' {
+ b[i] = 'x'
+ }
+ }
+ return string(b)
+}
diff --git a/pages/pages_test.go b/pages/pages_test.go
new file mode 100644
index 0000000..7d0c445
--- /dev/null
+++ b/pages/pages_test.go
@@ -0,0 +1,11 @@
+package pages
+
+import (
+ "github.com/stretchr/testify/assert"
+ "testing"
+)
+
+func TestEmailHide(t *testing.T) {
+ assert.Equal(t, "xx", EmailHide("hi"))
+ assert.Equal(t, "xxxxxxx@xxxxxxx.xxx", EmailHide("example@example.com"))
+}
diff --git a/pages/verification-code.go.html b/pages/verification-code.go.html
new file mode 100644
index 0000000..c8ca642
--- /dev/null
+++ b/pages/verification-code.go.html
@@ -0,0 +1,26 @@
+
+
+
+
{{.Title}}
+
+
+
+
+
{{.Title}}
+
Hi {{.Name}},
+
Here is your email verification code: {{.Code}}
+
{{.ServiceName}}
+
+
+
diff --git a/password/secret.go b/password/secret.go
new file mode 100644
index 0000000..1eec1de
--- /dev/null
+++ b/password/secret.go
@@ -0,0 +1,19 @@
+package password
+
+import "crypto/rand"
+
+func GenerateApiSecret(length int) (string, error) {
+ const secretChars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_."
+ var _ = secretChars[63] // compiler check: ensure there is at least 64 chars here
+
+ b := make([]byte, length)
+ _, err := rand.Read(b)
+ if err != nil {
+ return "", err
+ }
+
+ for i := range b {
+ b[i] = secretChars[b[i]&0x3f] // only use the lower 6 bits
+ }
+ return string(b), nil
+}
diff --git a/server/auth.go b/server/auth.go
index c2e0314..4127188 100644
--- a/server/auth.go
+++ b/server/auth.go
@@ -2,6 +2,7 @@ package server
import (
"fmt"
+ "github.com/1f349/tulip/database"
"github.com/go-session/session"
"github.com/google/uuid"
"github.com/julienschmidt/httprouter"
@@ -37,8 +38,25 @@ func (u UserAuth) SaveSessionData() error {
return u.Session.Save()
}
-func (h *HttpServer) RequireAuthentication(next UserHandler) httprouter.Handle {
- return h.OptionalAuthentication(false, func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
+func (h *HttpServer) RequireAdminAuthentication(next UserHandler) httprouter.Handle {
+ return RequireAuthentication(func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
+ var role database.UserRole
+ if h.DbTx(rw, func(tx *database.Tx) (err error) {
+ role, err = tx.GetUserRole(auth.Data.ID)
+ return
+ }) {
+ return
+ }
+ if role != database.RoleAdmin {
+ http.Error(rw, "403 Forbidden", http.StatusForbidden)
+ return
+ }
+ next(rw, req, params, auth)
+ })
+}
+
+func RequireAuthentication(next UserHandler) httprouter.Handle {
+ return OptionalAuthentication(false, func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
if auth.IsGuest() {
redirectUrl := PrepareRedirectUrl("/login", req.URL)
http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
@@ -48,9 +66,9 @@ func (h *HttpServer) RequireAuthentication(next UserHandler) httprouter.Handle {
})
}
-func (h *HttpServer) OptionalAuthentication(flowPart bool, next UserHandler) httprouter.Handle {
+func OptionalAuthentication(flowPart bool, next UserHandler) httprouter.Handle {
return func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
- auth, err := h.internalAuthenticationHandler(rw, req)
+ auth, err := internalAuthenticationHandler(rw, req)
if err != nil {
http.Error(rw, err.Error(), http.StatusInternalServerError)
return
@@ -63,7 +81,7 @@ func (h *HttpServer) OptionalAuthentication(flowPart bool, next UserHandler) htt
}
}
-func (h *HttpServer) internalAuthenticationHandler(rw http.ResponseWriter, req *http.Request) (UserAuth, error) {
+func internalAuthenticationHandler(rw http.ResponseWriter, req *http.Request) (UserAuth, error) {
ss, err := session.Start(req.Context(), rw, req)
if err != nil {
return UserAuth{}, fmt.Errorf("failed to start session")
diff --git a/server/auth_test.go b/server/auth_test.go
index a4a06bb..660b9c6 100644
--- a/server/auth_test.go
+++ b/server/auth_test.go
@@ -1,11 +1,117 @@
package server
import (
+ "context"
+ "fmt"
+ "github.com/google/uuid"
"github.com/stretchr/testify/assert"
+ "net/http"
+ "net/http/httptest"
+ "net/url"
"testing"
)
+func TestUserAuth_NextFlowUrl(t *testing.T) {
+ u := UserAuth{Data: SessionData{NeedOtp: true}}
+ assert.Equal(t, url.URL{Path: "/login/otp"}, *u.NextFlowUrl(&url.URL{}))
+ assert.Equal(t, url.URL{Path: "/login/otp", RawQuery: url.Values{"redirect": {"/hello"}}.Encode()}, *u.NextFlowUrl(&url.URL{Path: "/hello"}))
+ assert.Equal(t, url.URL{Path: "/login/otp", RawQuery: url.Values{"redirect": {"/hello?a=A"}}.Encode()}, *u.NextFlowUrl(&url.URL{Path: "/hello", RawQuery: url.Values{"a": {"A"}}.Encode()}))
+ u.Data.NeedOtp = false
+ assert.Nil(t, u.NextFlowUrl(&url.URL{}))
+}
+
func TestUserAuth_IsGuest(t *testing.T) {
var u UserAuth
assert.True(t, u.IsGuest())
+ u.Data.ID = uuid.New()
+ assert.False(t, u.IsGuest())
+}
+
+type fakeSessionStore struct {
+ m map[string]any
+ saveFunc func(map[string]any) error
+}
+
+func (f *fakeSessionStore) Context() context.Context { return context.Background() }
+func (f *fakeSessionStore) SessionID() string { return "fakeSessionStore" }
+func (f *fakeSessionStore) Set(key string, value interface{}) { f.m[key] = value }
+
+func (f *fakeSessionStore) Get(key string) (a interface{}, ok bool) {
+ if a, ok = f.m[key]; false {
+ }
+ return
+}
+
+func (f *fakeSessionStore) Delete(key string) (i interface{}) {
+ i = f.m[key]
+ delete(f.m, key)
+ return
+}
+
+func (f *fakeSessionStore) Save() error {
+ return f.saveFunc(f.m)
+}
+
+func (f *fakeSessionStore) Flush() error {
+ return nil
+}
+
+func TestUserAuth_SaveSessionData(t *testing.T) {
+ f := &fakeSessionStore{m: make(map[string]any)}
+ u := UserAuth{Data: SessionData{ID: uuid.UUID{5, 6, 7}, NeedOtp: true}, Session: f}
+
+ // fail to save
+ f.saveFunc = func(m map[string]any) error { return fmt.Errorf("failed") }
+ assert.Error(t, u.SaveSessionData())
+
+ // try with success
+ var m2 map[string]any
+ f.saveFunc = func(m map[string]any) error {
+ m2 = m
+ return nil
+ }
+ assert.NoError(t, u.SaveSessionData())
+ assert.Equal(t, map[string]any{"session-data": SessionData{ID: uuid.UUID{5, 6, 7}, NeedOtp: true}}, m2)
+}
+
+func TestRequireAuthentication(t *testing.T) {
+}
+
+func TestOptionalAuthentication(t *testing.T) {
+ req, err := http.NewRequest(http.MethodGet, "https://example.com/hello", nil)
+ assert.NoError(t, err)
+ rec := httptest.NewRecorder()
+ auth, err := internalAuthenticationHandler(rec, req)
+ assert.NoError(t, err)
+ assert.True(t, auth.IsGuest())
+ auth.Data.ID = uuid.UUID{5, 6, 7}
+ assert.NoError(t, auth.SaveSessionData())
+}
+
+func Test_internalAuthenticationHandler(t *testing.T) {
+ req, err := http.NewRequest(http.MethodGet, "https://example.com/hello", nil)
+ assert.NoError(t, err)
+ rec := httptest.NewRecorder()
+ auth, err := internalAuthenticationHandler(rec, req)
+ assert.NoError(t, err)
+ assert.True(t, auth.IsGuest())
+ auth.Data.ID = uuid.UUID{5, 6, 7}
+ assert.NoError(t, auth.SaveSessionData())
+
+ req, err = http.NewRequest(http.MethodGet, "https://example.com/world", nil)
+ assert.NoError(t, err)
+ req.Header.Set("Cookie", rec.Header().Get("Set-Cookie"))
+ rec = httptest.NewRecorder()
+ auth, err = internalAuthenticationHandler(rec, req)
+ assert.NoError(t, err)
+ assert.False(t, auth.IsGuest())
+ assert.Equal(t, uuid.UUID{5, 6, 7}, auth.Data.ID)
+}
+
+func TestPrepareRedirectUrl(t *testing.T) {
+ assert.Equal(t, url.URL{Path: "/hello"}, *PrepareRedirectUrl("/hello", &url.URL{}))
+ assert.Equal(t, url.URL{Path: "/world"}, *PrepareRedirectUrl("/world", &url.URL{}))
+ assert.Equal(t, url.URL{Path: "/a", RawQuery: url.Values{"redirect": {"/hello"}}.Encode()}, *PrepareRedirectUrl("/a", &url.URL{Path: "/hello"}))
+ assert.Equal(t, url.URL{Path: "/a", RawQuery: url.Values{"redirect": {"/hello?a=A"}}.Encode()}, *PrepareRedirectUrl("/a", &url.URL{Path: "/hello", RawQuery: url.Values{"a": {"A"}}.Encode()}))
+ assert.Equal(t, url.URL{Path: "/a", RawQuery: url.Values{"redirect": {"/hello?a=A&b=B"}}.Encode()}, *PrepareRedirectUrl("/a", &url.URL{Path: "/hello", RawQuery: url.Values{"a": {"A"}, "b": {"B"}}.Encode()}))
}
diff --git a/server/edit.go b/server/edit.go
index 13048b7..058c862 100644
--- a/server/edit.go
+++ b/server/edit.go
@@ -31,6 +31,7 @@ func (h *HttpServer) EditGet(rw http.ResponseWriter, _ *http.Request, _ httprout
return
}
pages.RenderPageTemplate(rw, "edit", map[string]any{
+ "ServiceName": h.serviceName,
"User": user,
"Nonce": lNonce,
"FieldPronoun": user.Pronouns.String(),
diff --git a/server/home.go b/server/home.go
index 01e9426..b2353e1 100644
--- a/server/home.go
+++ b/server/home.go
@@ -13,7 +13,9 @@ func (h *HttpServer) Home(rw http.ResponseWriter, req *http.Request, _ httproute
rw.Header().Set("Content-Type", "text/html")
rw.WriteHeader(http.StatusOK)
if auth.IsGuest() {
- pages.RenderPageTemplate(rw, "index-guest", nil)
+ pages.RenderPageTemplate(rw, "index-guest", map[string]any{
+ "ServiceName": h.serviceName,
+ })
return
}
@@ -35,8 +37,9 @@ func (h *HttpServer) Home(rw http.ResponseWriter, req *http.Request, _ httproute
return
}
pages.RenderPageTemplate(rw, "index", map[string]any{
- "Auth": auth,
- "User": userWithName,
- "Nonce": lNonce,
+ "ServiceName": h.serviceName,
+ "Auth": auth,
+ "User": userWithName,
+ "Nonce": lNonce,
})
}
diff --git a/server/login.go b/server/login.go
index e9f5d38..01fe4ee 100644
--- a/server/login.go
+++ b/server/login.go
@@ -21,7 +21,8 @@ func (h *HttpServer) LoginGet(rw http.ResponseWriter, req *http.Request, _ httpr
rw.Header().Set("Content-Type", "text/html")
rw.WriteHeader(http.StatusOK)
pages.RenderPageTemplate(rw, "login", map[string]any{
- "Redirect": req.URL.Query().Get("redirect"),
+ "ServiceName": h.serviceName,
+ "Redirect": req.URL.Query().Get("redirect"),
})
}
diff --git a/server/manage-apps.go b/server/manage-apps.go
new file mode 100644
index 0000000..5638edb
--- /dev/null
+++ b/server/manage-apps.go
@@ -0,0 +1,113 @@
+package server
+
+import (
+ "github.com/1f349/tulip/database"
+ "github.com/1f349/tulip/pages"
+ "github.com/google/uuid"
+ "github.com/julienschmidt/httprouter"
+ "net/http"
+ "net/url"
+ "strconv"
+)
+
+func (h *HttpServer) ManageAppsGet(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
+ offset := 0
+ q := req.URL.Query()
+ if q.Has("offset") {
+ var err error
+ offset, err = strconv.Atoi(q.Get("offset"))
+ if err != nil {
+ http.Error(rw, "400 Bad Request: Invalid offset", http.StatusBadRequest)
+ return
+ }
+ }
+
+ var role database.UserRole
+ var appList []database.ClientInfoDbOutput
+ if h.DbTx(rw, func(tx *database.Tx) (err error) {
+ role, err = tx.GetUserRole(auth.Data.ID)
+ if err != nil {
+ return
+ }
+ appList, err = tx.GetAppList(offset)
+ return
+ }) {
+ return
+ }
+
+ m := map[string]any{
+ "ServiceName": h.serviceName,
+ "Apps": appList,
+ "Offset": offset,
+ "IsAdmin": role == database.RoleAdmin,
+ }
+ if q.Has("edit") {
+ for _, i := range appList {
+ if i.Sub == q.Get("edit") {
+ m["Edit"] = i
+ goto validEdit
+ }
+ }
+ http.Error(rw, "400 Bad Request: Invalid client app to edit", http.StatusBadRequest)
+ return
+ }
+
+validEdit:
+ rw.Header().Set("Content-Type", "text/html")
+ rw.WriteHeader(http.StatusOK)
+ pages.RenderPageTemplate(rw, "manage-apps", m)
+}
+
+func (h *HttpServer) ManageAppsPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
+ err := req.ParseForm()
+ if err != nil {
+ http.Error(rw, "400 Bad Request: Failed to parse form", http.StatusBadRequest)
+ return
+ }
+
+ offset := req.Form.Get("offset")
+ action := req.Form.Get("action")
+ name := req.Form.Get("name")
+ domain := req.Form.Get("domain")
+ sso := req.Form.Has("sso")
+ active := req.Form.Has("active")
+
+ if sso {
+ var role database.UserRole
+ if h.DbTx(rw, func(tx *database.Tx) (err error) {
+ role, err = tx.GetUserRole(auth.Data.ID)
+ return
+ }) {
+ return
+ }
+ if role != database.RoleAdmin {
+ http.Error(rw, "400 Bad Request: Only admin users can create SSO client applications", http.StatusBadRequest)
+ return
+ }
+ }
+
+ switch action {
+ case "create":
+ if h.DbTx(rw, func(tx *database.Tx) error {
+ return tx.InsertClientApp(name, domain, sso, active, auth.Data.ID)
+ }) {
+ return
+ }
+ case "edit":
+ if h.DbTx(rw, func(tx *database.Tx) error {
+ sub, err := uuid.Parse(req.Form.Get("subject"))
+ if err != nil {
+ return err
+ }
+ return tx.UpdateClientApp(sub, name, domain, sso, active)
+ }) {
+ return
+ }
+ default:
+ http.Error(rw, "400 Bad Request: Invalid action", http.StatusBadRequest)
+ return
+ }
+
+ redirectUrl := url.URL{Path: "/manage/apps", RawQuery: url.Values{"offset": []string{offset}}.Encode()}
+ http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
+}
diff --git a/server/manage-users.go b/server/manage-users.go
new file mode 100644
index 0000000..76b3b1b
--- /dev/null
+++ b/server/manage-users.go
@@ -0,0 +1,132 @@
+package server
+
+import (
+ "errors"
+ "github.com/1f349/tulip/database"
+ "github.com/1f349/tulip/pages"
+ "github.com/google/uuid"
+ "github.com/julienschmidt/httprouter"
+ "net/http"
+ "net/url"
+ "strconv"
+)
+
+func (h *HttpServer) ManageUsersGet(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
+ offset := 0
+ q := req.URL.Query()
+ if q.Has("offset") {
+ var err error
+ offset, err = strconv.Atoi(q.Get("offset"))
+ if err != nil {
+ http.Error(rw, "400 Bad Request: Invalid offset", http.StatusBadRequest)
+ return
+ }
+ }
+
+ var role database.UserRole
+ var userList []database.User
+ if h.DbTx(rw, func(tx *database.Tx) (err error) {
+ role, err = tx.GetUserRole(auth.Data.ID)
+ if err != nil {
+ return
+ }
+ userList, err = tx.GetUserList(offset)
+ return
+ }) {
+ return
+ }
+ if role != database.RoleAdmin {
+ http.Error(rw, "403 Forbidden", http.StatusForbidden)
+ return
+ }
+
+ m := map[string]any{
+ "ServiceName": h.serviceName,
+ "Users": userList,
+ "Offset": offset,
+ "EmailShow": req.URL.Query().Has("show-email"),
+ "CurrentAdmin": auth.Data.ID,
+ }
+ if q.Has("edit") {
+ for _, i := range userList {
+ if i.Sub.String() == q.Get("edit") {
+ m["Edit"] = i
+ goto validEdit
+ }
+ }
+ http.Error(rw, "400 Bad Request: Invalid user to edit", http.StatusBadRequest)
+ return
+ }
+
+validEdit:
+ rw.Header().Set("Content-Type", "text/html")
+ rw.WriteHeader(http.StatusOK)
+ pages.RenderPageTemplate(rw, "manage-users", m)
+}
+
+func (h *HttpServer) ManageUsersPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
+ err := req.ParseForm()
+ if err != nil {
+ http.Error(rw, "400 Bad Request: Failed to parse form", http.StatusBadRequest)
+ return
+ }
+
+ var role database.UserRole
+ if h.DbTx(rw, func(tx *database.Tx) (err error) {
+ role, err = tx.GetUserRole(auth.Data.ID)
+ return
+ }) {
+ return
+ }
+ if role != database.RoleAdmin {
+ http.Error(rw, "400 Bad Request: Only admin users can create SSO client applications", http.StatusBadRequest)
+ return
+ }
+
+ offset := req.Form.Get("offset")
+ action := req.Form.Get("action")
+ name := req.Form.Get("name")
+ username := req.Form.Get("username")
+ email := req.Form.Get("email")
+ newRole, err := parseRoleValue(req.Form.Get("role"))
+ if err != nil {
+ http.Error(rw, "400 Bad Request: Invalid role", http.StatusBadRequest)
+ return
+ }
+ active := req.Form.Has("active")
+
+ switch action {
+ case "create":
+ if h.DbTx(rw, func(tx *database.Tx) error {
+ return tx.InsertUser(name, username, "", email, newRole, active)
+ }) {
+ return
+ }
+ case "edit":
+ if h.DbTx(rw, func(tx *database.Tx) error {
+ sub, err := uuid.Parse(req.Form.Get("subject"))
+ if err != nil {
+ return err
+ }
+ return tx.UpdateUser(sub, newRole, active)
+ }) {
+ return
+ }
+ default:
+ http.Error(rw, "400 Bad Request: Invalid action", http.StatusBadRequest)
+ return
+ }
+
+ redirectUrl := url.URL{Path: "/manage/users", RawQuery: url.Values{"offset": []string{offset}}.Encode()}
+ http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
+}
+
+func parseRoleValue(role string) (database.UserRole, error) {
+ switch role {
+ case "member":
+ return database.RoleMember, nil
+ case "admin":
+ return database.RoleAdmin, nil
+ }
+ return 0, errors.New("invalid role value")
+}
diff --git a/server/oauth.go b/server/oauth.go
index 62fa257..770bc98 100644
--- a/server/oauth.go
+++ b/server/oauth.go
@@ -78,16 +78,24 @@ func (h *HttpServer) authorizeEndpoint(rw http.ResponseWriter, req *http.Request
}
var user *database.User
- if h.DbTx(rw, func(tx *database.Tx) error {
- var err error
+ var hasOtp bool
+ if h.DbTx(rw, func(tx *database.Tx) (err error) {
user, err = tx.GetUserDisplayName(auth.Data.ID)
- return err
+ if err != nil {
+ return
+ }
+ hasOtp, err = tx.HasTwoFactor(auth.Data.ID)
+ if err != nil {
+ return
+ }
+ return
}) {
return
}
rw.WriteHeader(http.StatusOK)
pages.RenderPageTemplate(rw, "oauth-authorize", map[string]any{
+ "ServiceName": h.serviceName,
"AppName": appName,
"AppDomain": appDomain,
"User": user,
@@ -99,27 +107,35 @@ func (h *HttpServer) authorizeEndpoint(rw http.ResponseWriter, req *http.Request
"State": form.Get("state"),
"Scope": form.Get("scope"),
"Nonce": form.Get("nonce"),
+ "HasOtp": hasOtp,
})
return
}
- // redirect with an error if the action is not authorize
- if form.Get("oauth_action") != "authorize" {
- redirectUri, err := url.Parse(form.Get("redirect_uri"))
- if err != nil {
- http.Error(rw, "400 Bad Request: Invalid redirect URI", http.StatusBadRequest)
+ if !isSSO {
+ otpInput := req.FormValue("code")
+ if h.fetchAndValidateOtp(rw, auth.Data.ID, otpInput) {
return
}
- q := redirectUri.Query()
- q.Set("error", "user_cancelled")
- redirectUri.RawQuery = q.Encode()
- http.Redirect(rw, req, redirectUri.String(), http.StatusFound)
+ }
+
+ // redirect with an error if the action is not authorize
+ if form.Get("oauth_action") == "authorize" || isSSO {
+ if err := h.oauthSrv.HandleAuthorizeRequest(rw, req); err != nil {
+ http.Error(rw, err.Error(), http.StatusBadRequest)
+ }
return
}
- if err := h.oauthSrv.HandleAuthorizeRequest(rw, req); err != nil {
- http.Error(rw, err.Error(), http.StatusBadRequest)
+ parsedRedirect, err := url.Parse(redirectUri)
+ if err != nil {
+ http.Error(rw, "400 Bad Request: Invalid redirect URI", http.StatusBadRequest)
+ return
}
+ q := parsedRedirect.Query()
+ q.Set("error", "user_cancelled")
+ parsedRedirect.RawQuery = q.Encode()
+ http.Redirect(rw, req, parsedRedirect.String(), http.StatusFound)
}
func (h *HttpServer) oauthUserAuthorization(rw http.ResponseWriter, req *http.Request) (string, error) {
@@ -128,7 +144,7 @@ func (h *HttpServer) oauthUserAuthorization(rw http.ResponseWriter, req *http.Re
return "", err
}
- auth, err := h.internalAuthenticationHandler(rw, req)
+ auth, err := internalAuthenticationHandler(rw, req)
if err != nil {
return "", err
}
diff --git a/server/otp.go b/server/otp.go
index 5c03c07..cfd4ce6 100644
--- a/server/otp.go
+++ b/server/otp.go
@@ -6,6 +6,7 @@ import (
"github.com/1f349/tulip/database"
"github.com/1f349/tulip/pages"
"github.com/1f349/twofactor"
+ "github.com/google/uuid"
"github.com/julienschmidt/httprouter"
"html/template"
"net/http"
@@ -18,7 +19,8 @@ func (h *HttpServer) LoginOtpGet(rw http.ResponseWriter, req *http.Request, _ ht
}
pages.RenderPageTemplate(rw, "login-otp", map[string]any{
- "Redirect": req.URL.Query().Get("redirect"),
+ "ServiceName": h.serviceName,
+ "Redirect": req.URL.Query().Get("redirect"),
})
}
@@ -29,18 +31,7 @@ func (h *HttpServer) LoginOtpPost(rw http.ResponseWriter, req *http.Request, _ h
}
otpInput := req.FormValue("code")
-
- var otp *twofactor.Totp
- if h.DbTx(rw, func(tx *database.Tx) (err error) {
- otp, err = tx.GetTwoFactor(auth.Data.ID, h.otpIssuer)
- return err
- }) {
- return
- }
-
- err := otp.Validate(otpInput)
- if err != nil {
-
+ if h.fetchAndValidateOtp(rw, auth.Data.ID, otpInput) {
return
}
@@ -53,6 +44,39 @@ func (h *HttpServer) LoginOtpPost(rw http.ResponseWriter, req *http.Request, _ h
h.SafeRedirect(rw, req)
}
+func (h *HttpServer) fetchAndValidateOtp(rw http.ResponseWriter, sub uuid.UUID, code string) bool {
+ var hasOtp bool
+ var otp *twofactor.Totp
+ if h.DbTx(rw, func(tx *database.Tx) (err error) {
+ hasOtp, err = tx.HasTwoFactor(sub)
+ if err != nil {
+ return
+ }
+ if hasOtp {
+ otp, err = tx.GetTwoFactor(sub, h.otpIssuer)
+ }
+ return
+ }) {
+ return true
+ }
+
+ if hasOtp {
+ defer func() {
+ h.DbTx(rw, func(tx *database.Tx) error {
+ return tx.SetTwoFactor(sub, otp)
+ })
+ }()
+
+ err := otp.Validate(code)
+ if err != nil {
+ http.Error(rw, "400 Bad Request: Invalid OTP code", http.StatusBadRequest)
+ return true
+ }
+ }
+
+ return false
+}
+
func (h *HttpServer) EditOtpGet(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
var digits = 0
switch req.URL.Query().Get("digits") {
@@ -126,8 +150,9 @@ func (h *HttpServer) EditOtpGet(rw http.ResponseWriter, req *http.Request, _ htt
// render page
pages.RenderPageTemplate(rw, "edit-otp", map[string]any{
- "OtpQr": template.URL("data:image/png;base64," + base64.StdEncoding.EncodeToString(otpQr)),
- "OtpUrl": otpUrl,
+ "ServiceName": h.serviceName,
+ "OtpQr": template.URL("data:image/png;base64," + base64.StdEncoding.EncodeToString(otpQr)),
+ "OtpUrl": otpUrl,
})
}
@@ -155,5 +180,5 @@ func (h *HttpServer) EditOtpPost(rw http.ResponseWriter, req *http.Request, _ ht
return
}
- http.Redirect(rw, req, "/edit", http.StatusFound)
+ http.Redirect(rw, req, "/", http.StatusFound)
}
diff --git a/server/server.go b/server/server.go
index 9a0e31b..e0219a5 100644
--- a/server/server.go
+++ b/server/server.go
@@ -24,13 +24,14 @@ import (
var errMissingRequiredScope = errors.New("missing required scope")
type HttpServer struct {
- r *httprouter.Router
- oauthSrv *server.Server
- oauthMgr *manage.Manager
- db *database.DB
- domain string
- privKey []byte
- otpIssuer string
+ r *httprouter.Router
+ oauthSrv *server.Server
+ oauthMgr *manage.Manager
+ db *database.DB
+ domain string
+ privKey []byte
+ otpIssuer string
+ serviceName string
}
func (h *HttpServer) SafeRedirect(rw http.ResponseWriter, req *http.Request) {
@@ -51,7 +52,7 @@ func (h *HttpServer) SafeRedirect(rw http.ResponseWriter, req *http.Request) {
http.Redirect(rw, req, parse.String(), http.StatusFound)
}
-func NewHttpServer(listen, domain, otpIssuer string, db *database.DB, privKey []byte) *http.Server {
+func NewHttpServer(listen, domain, otpIssuer, serviceName string, db *database.DB, privKey []byte) *http.Server {
r := httprouter.New()
openIdConf := openid.GenConfig(domain, []string{"openid", "email"}, []string{"sub", "name", "preferred_username", "profile", "picture", "website", "email", "email_verified", "gender", "birthdate", "zoneinfo", "locale", "updated_at"})
@@ -67,13 +68,14 @@ func NewHttpServer(listen, domain, otpIssuer string, db *database.DB, privKey []
oauthManager := manage.NewDefaultManager()
oauthSrv := server.NewServer(server.NewConfig(), oauthManager)
hs := &HttpServer{
- r: httprouter.New(),
- oauthSrv: oauthSrv,
- oauthMgr: oauthManager,
- db: db,
- domain: domain,
- privKey: privKey,
- otpIssuer: otpIssuer,
+ r: httprouter.New(),
+ oauthSrv: oauthSrv,
+ oauthMgr: oauthManager,
+ db: db,
+ domain: domain,
+ privKey: privKey,
+ otpIssuer: otpIssuer,
+ serviceName: serviceName,
}
oauthManager.SetAuthorizeCodeTokenCfg(manage.DefaultAuthorizeCodeTokenCfg)
@@ -113,8 +115,8 @@ func NewHttpServer(listen, domain, otpIssuer string, db *database.DB, privKey []
rw.WriteHeader(http.StatusOK)
_, _ = rw.Write(openIdBytes)
})
- r.GET("/", hs.OptionalAuthentication(false, hs.Home))
- r.POST("/logout", hs.RequireAuthentication(func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
+ r.GET("/", OptionalAuthentication(false, hs.Home))
+ r.POST("/logout", RequireAuthentication(func(rw http.ResponseWriter, req *http.Request, params httprouter.Params, auth UserAuth) {
lNonce, ok := auth.Session.Get("action-nonce")
if !ok {
http.Error(rw, "Missing nonce", http.StatusInternalServerError)
@@ -131,21 +133,33 @@ func NewHttpServer(listen, domain, otpIssuer string, db *database.DB, privKey []
}
http.Error(rw, "Logout failed", http.StatusInternalServerError)
}))
- r.GET("/login", hs.OptionalAuthentication(false, hs.LoginGet))
- r.POST("/login", hs.OptionalAuthentication(false, hs.LoginPost))
- r.GET("/login/otp", hs.OptionalAuthentication(true, hs.LoginOtpGet))
- r.POST("/login/otp", hs.OptionalAuthentication(true, hs.LoginOtpPost))
- r.GET("/authorize", hs.RequireAuthentication(hs.authorizeEndpoint))
- r.POST("/authorize", hs.RequireAuthentication(hs.authorizeEndpoint))
+
+ // login steps
+ r.GET("/login", OptionalAuthentication(false, hs.LoginGet))
+ r.POST("/login", OptionalAuthentication(false, hs.LoginPost))
+ r.GET("/login/otp", OptionalAuthentication(true, hs.LoginOtpGet))
+ r.POST("/login/otp", OptionalAuthentication(true, hs.LoginOtpPost))
+
+ // edit profile pages
+ r.GET("/edit", RequireAuthentication(hs.EditGet))
+ r.POST("/edit", RequireAuthentication(hs.EditPost))
+ r.GET("/edit/otp", RequireAuthentication(hs.EditOtpGet))
+ r.POST("/edit/otp", RequireAuthentication(hs.EditOtpPost))
+
+ // management pages
+ r.GET("/manage/apps", hs.RequireAdminAuthentication(hs.ManageAppsGet))
+ r.POST("/manage/apps", hs.RequireAdminAuthentication(hs.ManageAppsPost))
+ r.GET("/manage/users", hs.RequireAdminAuthentication(hs.ManageUsersGet))
+ r.POST("/manage/users", hs.RequireAdminAuthentication(hs.ManageUsersPost))
+
+ // oauth pages
+ r.GET("/authorize", RequireAuthentication(hs.authorizeEndpoint))
+ r.POST("/authorize", RequireAuthentication(hs.authorizeEndpoint))
r.POST("/token", func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
if err := oauthSrv.HandleTokenRequest(rw, req); err != nil {
http.Error(rw, err.Error(), http.StatusInternalServerError)
}
})
- r.GET("/edit", hs.RequireAuthentication(hs.EditGet))
- r.POST("/edit", hs.RequireAuthentication(hs.EditPost))
- r.GET("/edit/otp", hs.RequireAuthentication(hs.EditOtpGet))
- r.POST("/edit/otp", hs.RequireAuthentication(hs.EditOtpPost))
r.GET("/userinfo", func(rw http.ResponseWriter, req *http.Request, params httprouter.Params) {
token, err := oauthSrv.ValidationBearerToken(req)
if err != nil {