julien.rbrt.fr
forked from
tangled.org/core
Monorepo for Tangled — https://tangled.org
1package oauth
2
3import (
4 "bytes"
5 "context"
6 "encoding/json"
7 "fmt"
8 "log"
9 "net/http"
10 "net/url"
11 "slices"
12 "strings"
13 "time"
14
15 "github.com/go-chi/chi/v5"
16 "github.com/gorilla/sessions"
17 "github.com/lestrrat-go/jwx/v2/jwk"
18 "github.com/posthog/posthog-go"
19 "tangled.sh/icyphox.sh/atproto-oauth/helpers"
20 tangled "tangled.sh/tangled.sh/core/api/tangled"
21 sessioncache "tangled.sh/tangled.sh/core/appview/cache/session"
22 "tangled.sh/tangled.sh/core/appview/config"
23 "tangled.sh/tangled.sh/core/appview/db"
24 "tangled.sh/tangled.sh/core/appview/middleware"
25 "tangled.sh/tangled.sh/core/appview/oauth"
26 "tangled.sh/tangled.sh/core/appview/oauth/client"
27 "tangled.sh/tangled.sh/core/appview/pages"
28 "tangled.sh/tangled.sh/core/idresolver"
29 "tangled.sh/tangled.sh/core/rbac"
30 "tangled.sh/tangled.sh/core/tid"
31)
32
33const (
34 oauthScope = "atproto transition:generic"
35)
36
37type OAuthHandler struct {
38 config *config.Config
39 pages *pages.Pages
40 idResolver *idresolver.Resolver
41 sess *sessioncache.SessionStore
42 db *db.DB
43 store *sessions.CookieStore
44 oauth *oauth.OAuth
45 enforcer *rbac.Enforcer
46 posthog posthog.Client
47}
48
49func New(
50 config *config.Config,
51 pages *pages.Pages,
52 idResolver *idresolver.Resolver,
53 db *db.DB,
54 sess *sessioncache.SessionStore,
55 store *sessions.CookieStore,
56 oauth *oauth.OAuth,
57 enforcer *rbac.Enforcer,
58 posthog posthog.Client,
59) *OAuthHandler {
60 return &OAuthHandler{
61 config: config,
62 pages: pages,
63 idResolver: idResolver,
64 db: db,
65 sess: sess,
66 store: store,
67 oauth: oauth,
68 enforcer: enforcer,
69 posthog: posthog,
70 }
71}
72
73func (o *OAuthHandler) Router() http.Handler {
74 r := chi.NewRouter()
75
76 r.Get("/login", o.login)
77 r.Post("/login", o.login)
78
79 r.With(middleware.AuthMiddleware(o.oauth)).Post("/logout", o.logout)
80
81 r.Get("/oauth/client-metadata.json", o.clientMetadata)
82 r.Get("/oauth/jwks.json", o.jwks)
83 r.Get("/oauth/callback", o.callback)
84 return r
85}
86
87func (o *OAuthHandler) clientMetadata(w http.ResponseWriter, r *http.Request) {
88 w.Header().Set("Content-Type", "application/json")
89 w.WriteHeader(http.StatusOK)
90 json.NewEncoder(w).Encode(o.oauth.ClientMetadata())
91}
92
93func (o *OAuthHandler) jwks(w http.ResponseWriter, r *http.Request) {
94 jwks := o.config.OAuth.Jwks
95 pubKey, err := pubKeyFromJwk(jwks)
96 if err != nil {
97 log.Printf("error parsing public key: %v", err)
98 http.Error(w, err.Error(), http.StatusInternalServerError)
99 return
100 }
101
102 response := helpers.CreateJwksResponseObject(pubKey)
103
104 w.Header().Set("Content-Type", "application/json")
105 w.WriteHeader(http.StatusOK)
106 json.NewEncoder(w).Encode(response)
107}
108
109func (o *OAuthHandler) login(w http.ResponseWriter, r *http.Request) {
110 switch r.Method {
111 case http.MethodGet:
112 returnURL := r.URL.Query().Get("return_url")
113 o.pages.Login(w, pages.LoginParams{
114 ReturnUrl: returnURL,
115 })
116 case http.MethodPost:
117 handle := r.FormValue("handle")
118
119 // when users copy their handle from bsky.app, it tends to have these characters around it:
120 //
121 // @nelind.dk:
122 // \u202a ensures that the handle is always rendered left to right and
123 // \u202c reverts that so the rest of the page renders however it should
124 handle = strings.TrimPrefix(handle, "\u202a")
125 handle = strings.TrimSuffix(handle, "\u202c")
126
127 // `@` is harmless
128 handle = strings.TrimPrefix(handle, "@")
129
130 // basic handle validation
131 if !strings.Contains(handle, ".") {
132 log.Println("invalid handle format", "raw", handle)
133 o.pages.Notice(w, "login-msg", fmt.Sprintf("\"%s\" is an invalid handle. Did you mean %s.bsky.social?", handle, handle))
134 return
135 }
136
137 resolved, err := o.idResolver.ResolveIdent(r.Context(), handle)
138 if err != nil {
139 log.Println("failed to resolve handle:", err)
140 o.pages.Notice(w, "login-msg", fmt.Sprintf("\"%s\" is an invalid handle.", handle))
141 return
142 }
143 self := o.oauth.ClientMetadata()
144 oauthClient, err := client.NewClient(
145 self.ClientID,
146 o.config.OAuth.Jwks,
147 self.RedirectURIs[0],
148 )
149
150 if err != nil {
151 log.Println("failed to create oauth client:", err)
152 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
153 return
154 }
155
156 authServer, err := oauthClient.ResolvePdsAuthServer(r.Context(), resolved.PDSEndpoint())
157 if err != nil {
158 log.Println("failed to resolve auth server:", err)
159 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
160 return
161 }
162
163 authMeta, err := oauthClient.FetchAuthServerMetadata(r.Context(), authServer)
164 if err != nil {
165 log.Println("failed to fetch auth server metadata:", err)
166 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
167 return
168 }
169
170 dpopKey, err := helpers.GenerateKey(nil)
171 if err != nil {
172 log.Println("failed to generate dpop key:", err)
173 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
174 return
175 }
176
177 dpopKeyJson, err := json.Marshal(dpopKey)
178 if err != nil {
179 log.Println("failed to marshal dpop key:", err)
180 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
181 return
182 }
183
184 parResp, err := oauthClient.SendParAuthRequest(r.Context(), authServer, authMeta, handle, oauthScope, dpopKey)
185 if err != nil {
186 log.Println("failed to send par auth request:", err)
187 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
188 return
189 }
190
191 err = o.sess.SaveRequest(r.Context(), sessioncache.OAuthRequest{
192 Did: resolved.DID.String(),
193 PdsUrl: resolved.PDSEndpoint(),
194 Handle: handle,
195 AuthserverIss: authMeta.Issuer,
196 PkceVerifier: parResp.PkceVerifier,
197 DpopAuthserverNonce: parResp.DpopAuthserverNonce,
198 DpopPrivateJwk: string(dpopKeyJson),
199 State: parResp.State,
200 ReturnUrl: r.FormValue("return_url"),
201 })
202 if err != nil {
203 log.Println("failed to save oauth request:", err)
204 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
205 return
206 }
207
208 u, _ := url.Parse(authMeta.AuthorizationEndpoint)
209 query := url.Values{}
210 query.Add("client_id", self.ClientID)
211 query.Add("request_uri", parResp.RequestUri)
212 u.RawQuery = query.Encode()
213 o.pages.HxRedirect(w, u.String())
214 }
215}
216
217func (o *OAuthHandler) callback(w http.ResponseWriter, r *http.Request) {
218 state := r.FormValue("state")
219
220 oauthRequest, err := o.sess.GetRequestByState(r.Context(), state)
221 if err != nil {
222 log.Println("failed to get oauth request:", err)
223 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
224 return
225 }
226
227 defer func() {
228 err := o.sess.DeleteRequestByState(r.Context(), state)
229 if err != nil {
230 log.Println("failed to delete oauth request for state:", state, err)
231 }
232 }()
233
234 error := r.FormValue("error")
235 errorDescription := r.FormValue("error_description")
236 if error != "" || errorDescription != "" {
237 log.Printf("error: %s, %s", error, errorDescription)
238 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
239 return
240 }
241
242 code := r.FormValue("code")
243 if code == "" {
244 log.Println("missing code for state: ", state)
245 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
246 return
247 }
248
249 iss := r.FormValue("iss")
250 if iss == "" {
251 log.Println("missing iss for state: ", state)
252 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
253 return
254 }
255
256 if iss != oauthRequest.AuthserverIss {
257 log.Println("mismatched iss:", iss, "!=", oauthRequest.AuthserverIss, "for state:", state)
258 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
259 return
260 }
261
262 self := o.oauth.ClientMetadata()
263
264 oauthClient, err := client.NewClient(
265 self.ClientID,
266 o.config.OAuth.Jwks,
267 self.RedirectURIs[0],
268 )
269
270 if err != nil {
271 log.Println("failed to create oauth client:", err)
272 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
273 return
274 }
275
276 jwk, err := helpers.ParseJWKFromBytes([]byte(oauthRequest.DpopPrivateJwk))
277 if err != nil {
278 log.Println("failed to parse jwk:", err)
279 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
280 return
281 }
282
283 tokenResp, err := oauthClient.InitialTokenRequest(
284 r.Context(),
285 code,
286 oauthRequest.AuthserverIss,
287 oauthRequest.PkceVerifier,
288 oauthRequest.DpopAuthserverNonce,
289 jwk,
290 )
291 if err != nil {
292 log.Println("failed to get token:", err)
293 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
294 return
295 }
296
297 if tokenResp.Scope != oauthScope {
298 log.Println("scope doesn't match:", tokenResp.Scope)
299 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
300 return
301 }
302
303 err = o.oauth.SaveSession(w, r, *oauthRequest, tokenResp)
304 if err != nil {
305 log.Println("failed to save session:", err)
306 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
307 return
308 }
309
310 log.Println("session saved successfully")
311 go o.addToDefaultKnot(oauthRequest.Did)
312 go o.addToDefaultSpindle(oauthRequest.Did)
313
314 if !o.config.Core.Dev {
315 err = o.posthog.Enqueue(posthog.Capture{
316 DistinctId: oauthRequest.Did,
317 Event: "signin",
318 })
319 if err != nil {
320 log.Println("failed to enqueue posthog event:", err)
321 }
322 }
323
324 returnUrl := oauthRequest.ReturnUrl
325 if returnUrl == "" {
326 returnUrl = "/"
327 }
328
329 http.Redirect(w, r, returnUrl, http.StatusFound)
330}
331
332func (o *OAuthHandler) logout(w http.ResponseWriter, r *http.Request) {
333 err := o.oauth.ClearSession(r, w)
334 if err != nil {
335 log.Println("failed to clear session:", err)
336 http.Redirect(w, r, "/", http.StatusFound)
337 return
338 }
339
340 log.Println("session cleared successfully")
341 o.pages.HxRedirect(w, "/login")
342}
343
344func pubKeyFromJwk(jwks string) (jwk.Key, error) {
345 k, err := helpers.ParseJWKFromBytes([]byte(jwks))
346 if err != nil {
347 return nil, err
348 }
349 pubKey, err := k.PublicKey()
350 if err != nil {
351 return nil, err
352 }
353 return pubKey, nil
354}
355
356var (
357 tangledHandle = "tangled.sh"
358 tangledDid = "did:plc:wshs7t2adsemcrrd4snkeqli"
359
360 icyHandle = "icyphox.sh"
361 icyDid = "did:plc:hwevmowznbiukdf6uk5dwrrq"
362
363 defaultSpindle = "spindle.tangled.sh"
364 defaultKnot = "knot1.tangled.sh"
365)
366
367func (o *OAuthHandler) addToDefaultSpindle(did string) {
368 // use the tangled.sh app password to get an accessJwt
369 // and create an sh.tangled.spindle.member record with that
370 spindleMembers, err := db.GetSpindleMembers(
371 o.db,
372 db.FilterEq("instance", "spindle.tangled.sh"),
373 db.FilterEq("subject", did),
374 )
375 if err != nil {
376 log.Printf("failed to get spindle members for did %s: %v", did, err)
377 return
378 }
379
380 if len(spindleMembers) != 0 {
381 log.Printf("did %s is already a member of the default spindle", did)
382 return
383 }
384
385 log.Printf("adding %s to default spindle", did)
386 session, err := o.createAppPasswordSession(o.config.Core.AppPassword, tangledHandle, tangledDid)
387 if err != nil {
388 log.Printf("failed to create session: %s", err)
389 return
390 }
391
392 record := tangled.SpindleMember{
393 LexiconTypeID: "sh.tangled.spindle.member",
394 Subject: did,
395 Instance: defaultSpindle,
396 CreatedAt: time.Now().Format(time.RFC3339),
397 }
398
399 if err := session.putRecord(record); err != nil {
400 log.Printf("failed to add member to default spindle: %s", err)
401 return
402 }
403
404 log.Printf("successfully added %s to default spindle", did)
405}
406
407func (o *OAuthHandler) addToDefaultKnot(did string) {
408 // use the tangled.sh app password to get an accessJwt
409 // and create an sh.tangled.spindle.member record with that
410
411 allKnots, err := o.enforcer.GetKnotsForUser(did)
412 if err != nil {
413 log.Printf("failed to get knot members for did %s: %v", did, err)
414 return
415 }
416
417 if slices.Contains(allKnots, defaultKnot) {
418 log.Printf("did %s is already a member of the default knot", did)
419 return
420 }
421
422 log.Printf("adding %s to default knot", did)
423 session, err := o.createAppPasswordSession(o.config.Core.TmpAltAppPassword, icyHandle, icyDid)
424 if err != nil {
425 log.Printf("failed to create session: %s", err)
426 return
427 }
428
429 record := tangled.KnotMember{
430 LexiconTypeID: "sh.tangled.knot.member",
431 Subject: did,
432 Domain: defaultKnot,
433 CreatedAt: time.Now().Format(time.RFC3339),
434 }
435
436 if err := session.putRecord(record); err != nil {
437 log.Printf("failed to add member to default knot: %s", err)
438 return
439 }
440
441 log.Printf("successfully added %s to default Knot", did)
442}
443
444// create a session using apppasswords
445type session struct {
446 AccessJwt string `json:"accessJwt"`
447 PdsEndpoint string
448 Did string
449}
450
451func (o *OAuthHandler) createAppPasswordSession(appPassword, handle, did string) (*session, error) {
452 if appPassword == "" {
453 return nil, fmt.Errorf("no app password configured, skipping member addition")
454 }
455
456 resolved, err := o.idResolver.ResolveIdent(context.Background(), did)
457 if err != nil {
458 return nil, fmt.Errorf("failed to resolve tangled.sh DID %s: %v", did, err)
459 }
460
461 pdsEndpoint := resolved.PDSEndpoint()
462 if pdsEndpoint == "" {
463 return nil, fmt.Errorf("no PDS endpoint found for tangled.sh DID %s", did)
464 }
465
466 sessionPayload := map[string]string{
467 "identifier": handle,
468 "password": appPassword,
469 }
470 sessionBytes, err := json.Marshal(sessionPayload)
471 if err != nil {
472 return nil, fmt.Errorf("failed to marshal session payload: %v", err)
473 }
474
475 sessionURL := pdsEndpoint + "/xrpc/com.atproto.server.createSession"
476 sessionReq, err := http.NewRequestWithContext(context.Background(), "POST", sessionURL, bytes.NewBuffer(sessionBytes))
477 if err != nil {
478 return nil, fmt.Errorf("failed to create session request: %v", err)
479 }
480 sessionReq.Header.Set("Content-Type", "application/json")
481
482 client := &http.Client{Timeout: 30 * time.Second}
483 sessionResp, err := client.Do(sessionReq)
484 if err != nil {
485 return nil, fmt.Errorf("failed to create session: %v", err)
486 }
487 defer sessionResp.Body.Close()
488
489 if sessionResp.StatusCode != http.StatusOK {
490 return nil, fmt.Errorf("failed to create session: HTTP %d", sessionResp.StatusCode)
491 }
492
493 var session session
494 if err := json.NewDecoder(sessionResp.Body).Decode(&session); err != nil {
495 return nil, fmt.Errorf("failed to decode session response: %v", err)
496 }
497
498 session.PdsEndpoint = pdsEndpoint
499 session.Did = did
500
501 return &session, nil
502}
503
504func (s *session) putRecord(record any) error {
505 recordBytes, err := json.Marshal(record)
506 if err != nil {
507 return fmt.Errorf("failed to marshal knot member record: %w", err)
508 }
509
510 payload := map[string]any{
511 "repo": s.Did,
512 "collection": tangled.KnotMemberNSID,
513 "rkey": tid.TID(),
514 "record": json.RawMessage(recordBytes),
515 }
516
517 payloadBytes, err := json.Marshal(payload)
518 if err != nil {
519 return fmt.Errorf("failed to marshal request payload: %w", err)
520 }
521
522 url := s.PdsEndpoint + "/xrpc/com.atproto.repo.putRecord"
523 req, err := http.NewRequestWithContext(context.Background(), "POST", url, bytes.NewBuffer(payloadBytes))
524 if err != nil {
525 return fmt.Errorf("failed to create HTTP request: %w", err)
526 }
527
528 req.Header.Set("Content-Type", "application/json")
529 req.Header.Set("Authorization", "Bearer "+s.AccessJwt)
530
531 client := &http.Client{Timeout: 30 * time.Second}
532 resp, err := client.Do(req)
533 if err != nil {
534 return fmt.Errorf("failed to add user to default service: %w", err)
535 }
536 defer resp.Body.Close()
537
538 if resp.StatusCode != http.StatusOK {
539 return fmt.Errorf("failed to add user to default service: HTTP %d", resp.StatusCode)
540 }
541
542 return nil
543}