julien.rbrt.fr
forked from
tangled.org/core
Monorepo for Tangled — https://tangled.org
1package signup
2
3import (
4 "bufio"
5 "context"
6 "encoding/json"
7 "errors"
8 "fmt"
9 "log/slog"
10 "net/http"
11 "net/url"
12 "os"
13 "strings"
14
15 "github.com/go-chi/chi/v5"
16 "github.com/posthog/posthog-go"
17 "tangled.org/core/appview/config"
18 "tangled.org/core/appview/db"
19 "tangled.org/core/appview/dns"
20 "tangled.org/core/appview/email"
21 "tangled.org/core/appview/models"
22 "tangled.org/core/appview/pages"
23 "tangled.org/core/appview/state/userutil"
24 "tangled.org/core/idresolver"
25)
26
27type Signup struct {
28 config *config.Config
29 db *db.DB
30 cf *dns.Cloudflare
31 posthog posthog.Client
32 idResolver *idresolver.Resolver
33 pages *pages.Pages
34 l *slog.Logger
35 disallowedNicknames map[string]bool
36}
37
38func New(cfg *config.Config, database *db.DB, pc posthog.Client, idResolver *idresolver.Resolver, pages *pages.Pages, l *slog.Logger) *Signup {
39 var cf *dns.Cloudflare
40 if cfg.Cloudflare.ApiToken != "" && cfg.Cloudflare.ZoneId != "" {
41 var err error
42 cf, err = dns.NewCloudflare(cfg)
43 if err != nil {
44 l.Warn("failed to create cloudflare client, signup will be disabled", "error", err)
45 }
46 }
47
48 disallowedNicknames := loadDisallowedNicknames(cfg.Core.DisallowedNicknamesFile, l)
49
50 return &Signup{
51 config: cfg,
52 db: database,
53 posthog: pc,
54 idResolver: idResolver,
55 cf: cf,
56 pages: pages,
57 l: l,
58 disallowedNicknames: disallowedNicknames,
59 }
60}
61
62func loadDisallowedNicknames(filepath string, logger *slog.Logger) map[string]bool {
63 disallowed := make(map[string]bool)
64
65 if filepath == "" {
66 logger.Warn("no disallowed nicknames file configured")
67 return disallowed
68 }
69
70 file, err := os.Open(filepath)
71 if err != nil {
72 logger.Warn("failed to open disallowed nicknames file", "file", filepath, "error", err)
73 return disallowed
74 }
75 defer file.Close()
76
77 scanner := bufio.NewScanner(file)
78 lineNum := 0
79 for scanner.Scan() {
80 lineNum++
81 line := strings.TrimSpace(scanner.Text())
82 if line == "" || strings.HasPrefix(line, "#") {
83 continue // skip empty lines and comments
84 }
85
86 nickname := strings.ToLower(line)
87 if userutil.IsValidSubdomain(nickname) {
88 disallowed[nickname] = true
89 } else {
90 logger.Warn("invalid nickname format in disallowed nicknames file",
91 "file", filepath, "line", lineNum, "nickname", nickname)
92 }
93 }
94
95 if err := scanner.Err(); err != nil {
96 logger.Error("error reading disallowed nicknames file", "file", filepath, "error", err)
97 }
98
99 logger.Info("loaded disallowed nicknames", "count", len(disallowed), "file", filepath)
100 return disallowed
101}
102
103// isNicknameAllowed checks if a nickname is allowed (not in the disallowed list)
104func (s *Signup) isNicknameAllowed(nickname string) bool {
105 return !s.disallowedNicknames[strings.ToLower(nickname)]
106}
107
108func (s *Signup) Router() http.Handler {
109 r := chi.NewRouter()
110 r.Get("/", s.signup)
111 r.Post("/", s.signup)
112 r.Get("/complete", s.complete)
113 r.Post("/complete", s.complete)
114
115 return r
116}
117
118func (s *Signup) signup(w http.ResponseWriter, r *http.Request) {
119 switch r.Method {
120 case http.MethodGet:
121 s.pages.Signup(w, pages.SignupParams{
122 CloudflareSiteKey: s.config.Cloudflare.TurnstileSiteKey,
123 })
124 case http.MethodPost:
125 if s.cf == nil {
126 http.Error(w, "signup is disabled", http.StatusFailedDependency)
127 return
128 }
129 emailId := r.FormValue("email")
130 cfToken := r.FormValue("cf-turnstile-response")
131
132 noticeId := "signup-msg"
133
134 if err := s.validateCaptcha(cfToken, r); err != nil {
135 s.l.Warn("turnstile validation failed", "error", err, "email", emailId)
136 s.pages.Notice(w, noticeId, "Captcha validation failed.")
137 return
138 }
139
140 if !email.IsValidEmail(emailId) {
141 s.pages.Notice(w, noticeId, "Invalid email address.")
142 return
143 }
144
145 exists, err := db.CheckEmailExistsAtAll(s.db, emailId)
146 if err != nil {
147 s.l.Error("failed to check email existence", "error", err)
148 s.pages.Notice(w, noticeId, "Failed to complete signup. Try again later.")
149 return
150 }
151 if exists {
152 s.pages.Notice(w, noticeId, "Email already exists.")
153 return
154 }
155
156 code, err := s.inviteCodeRequest()
157 if err != nil {
158 s.l.Error("failed to create invite code", "error", err)
159 s.pages.Notice(w, noticeId, "Failed to create invite code.")
160 return
161 }
162
163 em := email.Email{
164 APIKey: s.config.Resend.ApiKey,
165 From: s.config.Resend.SentFrom,
166 To: emailId,
167 Subject: "Verify your Tangled account",
168 Text: `Copy and paste this code below to verify your account on Tangled.
169 ` + code,
170 Html: `<p>Copy and paste this code below to verify your account on Tangled.</p>
171<p><code>` + code + `</code></p>`,
172 }
173
174 err = email.SendEmail(em)
175 if err != nil {
176 s.l.Error("failed to send email", "error", err)
177 s.pages.Notice(w, noticeId, "Failed to send email.")
178 return
179 }
180 err = db.AddInflightSignup(s.db, models.InflightSignup{
181 Email: emailId,
182 InviteCode: code,
183 })
184 if err != nil {
185 s.l.Error("failed to add inflight signup", "error", err)
186 s.pages.Notice(w, noticeId, "Failed to complete sign up. Try again later.")
187 return
188 }
189
190 s.pages.HxRedirect(w, "/signup/complete")
191 }
192}
193
194func (s *Signup) complete(w http.ResponseWriter, r *http.Request) {
195 switch r.Method {
196 case http.MethodGet:
197 s.pages.CompleteSignup(w)
198 case http.MethodPost:
199 username := r.FormValue("username")
200 password := r.FormValue("password")
201 code := r.FormValue("code")
202
203 if !userutil.IsValidSubdomain(username) {
204 s.pages.Notice(w, "signup-error", "Invalid username. Username must be 4–63 characters, lowercase letters, digits, or hyphens, and can't start or end with a hyphen.")
205 return
206 }
207
208 if !s.isNicknameAllowed(username) {
209 s.pages.Notice(w, "signup-error", "This username is not available. Please choose a different one.")
210 return
211 }
212
213 email, err := db.GetEmailForCode(s.db, code)
214 if err != nil {
215 s.l.Error("failed to get email for code", "error", err)
216 s.pages.Notice(w, "signup-error", "Failed to complete sign up. Try again later.")
217 return
218 }
219
220 if s.cf == nil {
221 s.l.Error("cloudflare client is nil", "error", "Cloudflare integration is not enabled in configuration")
222 s.pages.Notice(w, "signup-error", "Account signup is currently disabled. DNS record creation is not available. Please contact support.")
223 return
224 }
225
226 // Execute signup transactionally with rollback capability
227 err = s.executeSignupTransaction(r.Context(), username, password, email, code, w)
228 if err != nil {
229 // Error already logged and notice already sent
230 return
231 }
232 }
233}
234
235// executeSignupTransaction performs the signup process transactionally with rollback
236func (s *Signup) executeSignupTransaction(ctx context.Context, username, password, email, code string, w http.ResponseWriter) error {
237 var recordID string
238 var did string
239 var emailAdded bool
240
241 success := false
242 defer func() {
243 if !success {
244 s.l.Info("rolling back signup transaction", "username", username, "did", did)
245
246 // Rollback DNS record
247 if recordID != "" {
248 if err := s.cf.DeleteDNSRecord(ctx, recordID); err != nil {
249 s.l.Error("failed to rollback DNS record", "error", err, "recordID", recordID)
250 } else {
251 s.l.Info("successfully rolled back DNS record", "recordID", recordID)
252 }
253 }
254
255 // Rollback PDS account
256 if did != "" {
257 if err := s.deleteAccountRequest(did); err != nil {
258 s.l.Error("failed to rollback PDS account", "error", err, "did", did)
259 } else {
260 s.l.Info("successfully rolled back PDS account", "did", did)
261 }
262 }
263
264 // Rollback email from database
265 if emailAdded {
266 if err := db.DeleteEmail(s.db, did, email); err != nil {
267 s.l.Error("failed to rollback email from database", "error", err, "email", email)
268 } else {
269 s.l.Info("successfully rolled back email from database", "email", email)
270 }
271 }
272 }
273 }()
274
275 // step 1: create account in PDS
276 did, err := s.createAccountRequest(username, password, email, code)
277 if err != nil {
278 s.l.Error("failed to create account", "error", err)
279 s.pages.Notice(w, "signup-error", err.Error())
280 return err
281 }
282
283 // step 2: create DNS record with actual DID
284 recordID, err = s.cf.CreateDNSRecord(ctx, dns.Record{
285 Type: "TXT",
286 Name: "_atproto." + username,
287 Content: fmt.Sprintf(`"did=%s"`, did),
288 TTL: 6400,
289 Proxied: false,
290 })
291 if err != nil {
292 s.l.Error("failed to create DNS record", "error", err)
293 s.pages.Notice(w, "signup-error", "Failed to create DNS record for your handle. Please contact support.")
294 return err
295 }
296
297 // step 3: add email to database
298 err = db.AddEmail(s.db, models.Email{
299 Did: did,
300 Address: email,
301 Verified: true,
302 Primary: true,
303 })
304 if err != nil {
305 s.l.Error("failed to add email", "error", err)
306 s.pages.Notice(w, "signup-error", "Failed to complete sign up. Try again later.")
307 return err
308 }
309 emailAdded = true
310
311 // if we get here, we've successfully created the account and added the email
312 success = true
313
314 s.pages.Notice(w, "signup-msg", fmt.Sprintf(`Account created successfully. You can now
315 <a class="underline text-black dark:text-white" href="/login">login</a>
316 with <code>%s.tngl.sh</code>.`, username))
317
318 // clean up inflight signup asynchronously
319 go func() {
320 if err := db.DeleteInflightSignup(s.db, email); err != nil {
321 s.l.Error("failed to delete inflight signup", "error", err)
322 }
323 }()
324
325 return nil
326}
327
328type turnstileResponse struct {
329 Success bool `json:"success"`
330 ErrorCodes []string `json:"error-codes,omitempty"`
331 ChallengeTs string `json:"challenge_ts,omitempty"`
332 Hostname string `json:"hostname,omitempty"`
333}
334
335func (s *Signup) validateCaptcha(cfToken string, r *http.Request) error {
336 if cfToken == "" {
337 return errors.New("captcha token is empty")
338 }
339
340 if s.config.Cloudflare.TurnstileSecretKey == "" {
341 return errors.New("turnstile secret key not configured")
342 }
343
344 data := url.Values{}
345 data.Set("secret", s.config.Cloudflare.TurnstileSecretKey)
346 data.Set("response", cfToken)
347
348 // include the client IP if we have it
349 if remoteIP := r.Header.Get("CF-Connecting-IP"); remoteIP != "" {
350 data.Set("remoteip", remoteIP)
351 } else if remoteIP := r.Header.Get("X-Forwarded-For"); remoteIP != "" {
352 if ips := strings.Split(remoteIP, ","); len(ips) > 0 {
353 data.Set("remoteip", strings.TrimSpace(ips[0]))
354 }
355 } else {
356 data.Set("remoteip", r.RemoteAddr)
357 }
358
359 resp, err := http.PostForm("https://challenges.cloudflare.com/turnstile/v0/siteverify", data)
360 if err != nil {
361 return fmt.Errorf("failed to verify turnstile token: %w", err)
362 }
363 defer resp.Body.Close()
364
365 var turnstileResp turnstileResponse
366 if err := json.NewDecoder(resp.Body).Decode(&turnstileResp); err != nil {
367 return fmt.Errorf("failed to decode turnstile response: %w", err)
368 }
369
370 if !turnstileResp.Success {
371 s.l.Warn("turnstile validation failed", "error_codes", turnstileResp.ErrorCodes)
372 return errors.New("turnstile validation failed")
373 }
374
375 return nil
376}