kot.pink
1package oauth
2
3import (
4 "bytes"
5 "context"
6 "encoding/json"
7 "fmt"
8 "log"
9 "net/http"
10 "net/url"
11 "slices"
12 "strings"
13 "time"
14
15 "github.com/go-chi/chi/v5"
16 "github.com/gorilla/sessions"
17 "github.com/lestrrat-go/jwx/v2/jwk"
18 "github.com/posthog/posthog-go"
19 "tangled.sh/icyphox.sh/atproto-oauth/helpers"
20 tangled "tangled.sh/tangled.sh/core/api/tangled"
21 sessioncache "tangled.sh/tangled.sh/core/appview/cache/session"
22 "tangled.sh/tangled.sh/core/appview/config"
23 "tangled.sh/tangled.sh/core/appview/db"
24 "tangled.sh/tangled.sh/core/appview/middleware"
25 "tangled.sh/tangled.sh/core/appview/oauth"
26 "tangled.sh/tangled.sh/core/appview/oauth/client"
27 "tangled.sh/tangled.sh/core/appview/pages"
28 "tangled.sh/tangled.sh/core/idresolver"
29 "tangled.sh/tangled.sh/core/rbac"
30 "tangled.sh/tangled.sh/core/tid"
31)
32
33const (
34 oauthScope = "atproto transition:generic"
35)
36
37type OAuthHandler struct {
38 config *config.Config
39 pages *pages.Pages
40 idResolver *idresolver.Resolver
41 sess *sessioncache.SessionStore
42 db *db.DB
43 store *sessions.CookieStore
44 oauth *oauth.OAuth
45 enforcer *rbac.Enforcer
46 posthog posthog.Client
47}
48
49func New(
50 config *config.Config,
51 pages *pages.Pages,
52 idResolver *idresolver.Resolver,
53 db *db.DB,
54 sess *sessioncache.SessionStore,
55 store *sessions.CookieStore,
56 oauth *oauth.OAuth,
57 enforcer *rbac.Enforcer,
58 posthog posthog.Client,
59) *OAuthHandler {
60 return &OAuthHandler{
61 config: config,
62 pages: pages,
63 idResolver: idResolver,
64 db: db,
65 sess: sess,
66 store: store,
67 oauth: oauth,
68 enforcer: enforcer,
69 posthog: posthog,
70 }
71}
72
73func (o *OAuthHandler) Router() http.Handler {
74 r := chi.NewRouter()
75
76 r.Get("/login", o.login)
77 r.Post("/login", o.login)
78
79 r.With(middleware.AuthMiddleware(o.oauth)).Post("/logout", o.logout)
80
81 r.Get("/oauth/client-metadata.json", o.clientMetadata)
82 r.Get("/oauth/jwks.json", o.jwks)
83 r.Get("/oauth/callback", o.callback)
84 return r
85}
86
87func (o *OAuthHandler) clientMetadata(w http.ResponseWriter, r *http.Request) {
88 w.Header().Set("Content-Type", "application/json")
89 w.WriteHeader(http.StatusOK)
90 json.NewEncoder(w).Encode(o.oauth.ClientMetadata())
91}
92
93func (o *OAuthHandler) jwks(w http.ResponseWriter, r *http.Request) {
94 jwks := o.config.OAuth.Jwks
95 pubKey, err := pubKeyFromJwk(jwks)
96 if err != nil {
97 log.Printf("error parsing public key: %v", err)
98 http.Error(w, err.Error(), http.StatusInternalServerError)
99 return
100 }
101
102 response := helpers.CreateJwksResponseObject(pubKey)
103
104 w.Header().Set("Content-Type", "application/json")
105 w.WriteHeader(http.StatusOK)
106 json.NewEncoder(w).Encode(response)
107}
108
109func (o *OAuthHandler) login(w http.ResponseWriter, r *http.Request) {
110 switch r.Method {
111 case http.MethodGet:
112 returnURL := r.URL.Query().Get("return_url")
113 o.pages.Login(w, pages.LoginParams{
114 ReturnUrl: returnURL,
115 })
116 case http.MethodPost:
117 handle := r.FormValue("handle")
118
119 // when users copy their handle from bsky.app, it tends to have these characters around it:
120 //
121 // @nelind.dk:
122 // \u202a ensures that the handle is always rendered left to right and
123 // \u202c reverts that so the rest of the page renders however it should
124 handle = strings.TrimPrefix(handle, "\u202a")
125 handle = strings.TrimSuffix(handle, "\u202c")
126
127 // `@` is harmless
128 handle = strings.TrimPrefix(handle, "@")
129
130 // basic handle validation
131 if !strings.Contains(handle, ".") {
132 log.Println("invalid handle format", "raw", handle)
133 o.pages.Notice(w, "login-msg", fmt.Sprintf("\"%s\" is an invalid handle. Did you mean %s.bsky.social?", handle, handle))
134 return
135 }
136
137 resolved, err := o.idResolver.ResolveIdent(r.Context(), handle)
138 if err != nil {
139 log.Println("failed to resolve handle:", err)
140 o.pages.Notice(w, "login-msg", fmt.Sprintf("\"%s\" is an invalid handle.", handle))
141 return
142 }
143 self := o.oauth.ClientMetadata()
144 oauthClient, err := client.NewClient(
145 self.ClientID,
146 o.config.OAuth.Jwks,
147 self.RedirectURIs[0],
148 )
149
150 if err != nil {
151 log.Println("failed to create oauth client:", err)
152 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
153 return
154 }
155
156 authServer, err := oauthClient.ResolvePdsAuthServer(r.Context(), resolved.PDSEndpoint())
157 if err != nil {
158 log.Println("failed to resolve auth server:", err)
159 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
160 return
161 }
162
163 authMeta, err := oauthClient.FetchAuthServerMetadata(r.Context(), authServer)
164 if err != nil {
165 log.Println("failed to fetch auth server metadata:", err)
166 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
167 return
168 }
169
170 dpopKey, err := helpers.GenerateKey(nil)
171 if err != nil {
172 log.Println("failed to generate dpop key:", err)
173 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
174 return
175 }
176
177 dpopKeyJson, err := json.Marshal(dpopKey)
178 if err != nil {
179 log.Println("failed to marshal dpop key:", err)
180 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
181 return
182 }
183
184 parResp, err := oauthClient.SendParAuthRequest(r.Context(), authServer, authMeta, handle, oauthScope, dpopKey)
185 if err != nil {
186 log.Println("failed to send par auth request:", err)
187 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
188 return
189 }
190
191 err = o.sess.SaveRequest(r.Context(), sessioncache.OAuthRequest{
192 Did: resolved.DID.String(),
193 PdsUrl: resolved.PDSEndpoint(),
194 Handle: handle,
195 AuthserverIss: authMeta.Issuer,
196 PkceVerifier: parResp.PkceVerifier,
197 DpopAuthserverNonce: parResp.DpopAuthserverNonce,
198 DpopPrivateJwk: string(dpopKeyJson),
199 State: parResp.State,
200 ReturnUrl: r.FormValue("return_url"),
201 })
202 if err != nil {
203 log.Println("failed to save oauth request:", err)
204 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
205 return
206 }
207
208 u, _ := url.Parse(authMeta.AuthorizationEndpoint)
209 query := url.Values{}
210 query.Add("client_id", self.ClientID)
211 query.Add("request_uri", parResp.RequestUri)
212 u.RawQuery = query.Encode()
213 o.pages.HxRedirect(w, u.String())
214 }
215}
216
217func (o *OAuthHandler) callback(w http.ResponseWriter, r *http.Request) {
218 state := r.FormValue("state")
219
220 oauthRequest, err := o.sess.GetRequestByState(r.Context(), state)
221 if err != nil {
222 log.Println("failed to get oauth request:", err)
223 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
224 return
225 }
226
227 defer func() {
228 err := o.sess.DeleteRequestByState(r.Context(), state)
229 if err != nil {
230 log.Println("failed to delete oauth request for state:", state, err)
231 }
232 }()
233
234 error := r.FormValue("error")
235 errorDescription := r.FormValue("error_description")
236 if error != "" || errorDescription != "" {
237 log.Printf("error: %s, %s", error, errorDescription)
238 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
239 return
240 }
241
242 code := r.FormValue("code")
243 if code == "" {
244 log.Println("missing code for state: ", state)
245 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
246 return
247 }
248
249 iss := r.FormValue("iss")
250 if iss == "" {
251 log.Println("missing iss for state: ", state)
252 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
253 return
254 }
255
256 if iss != oauthRequest.AuthserverIss {
257 log.Println("mismatched iss:", iss, "!=", oauthRequest.AuthserverIss, "for state:", state)
258 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
259 return
260 }
261
262 self := o.oauth.ClientMetadata()
263
264 oauthClient, err := client.NewClient(
265 self.ClientID,
266 o.config.OAuth.Jwks,
267 self.RedirectURIs[0],
268 )
269
270 if err != nil {
271 log.Println("failed to create oauth client:", err)
272 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
273 return
274 }
275
276 jwk, err := helpers.ParseJWKFromBytes([]byte(oauthRequest.DpopPrivateJwk))
277 if err != nil {
278 log.Println("failed to parse jwk:", err)
279 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
280 return
281 }
282
283 tokenResp, err := oauthClient.InitialTokenRequest(
284 r.Context(),
285 code,
286 oauthRequest.AuthserverIss,
287 oauthRequest.PkceVerifier,
288 oauthRequest.DpopAuthserverNonce,
289 jwk,
290 )
291 if err != nil {
292 log.Println("failed to get token:", err)
293 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
294 return
295 }
296
297 if tokenResp.Scope != oauthScope {
298 log.Println("scope doesn't match:", tokenResp.Scope)
299 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
300 return
301 }
302
303 err = o.oauth.SaveSession(w, r, *oauthRequest, tokenResp)
304 if err != nil {
305 log.Println("failed to save session:", err)
306 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
307 return
308 }
309
310 log.Println("session saved successfully")
311 go o.addToDefaultKnot(oauthRequest.Did)
312 go o.addToDefaultSpindle(oauthRequest.Did)
313
314 if !o.config.Core.Dev {
315 err = o.posthog.Enqueue(posthog.Capture{
316 DistinctId: oauthRequest.Did,
317 Event: "signin",
318 })
319 if err != nil {
320 log.Println("failed to enqueue posthog event:", err)
321 }
322 }
323
324 returnUrl := oauthRequest.ReturnUrl
325 if returnUrl == "" {
326 returnUrl = "/"
327 }
328
329 http.Redirect(w, r, returnUrl, http.StatusFound)
330}
331
332func (o *OAuthHandler) logout(w http.ResponseWriter, r *http.Request) {
333 err := o.oauth.ClearSession(r, w)
334 if err != nil {
335 log.Println("failed to clear session:", err)
336 http.Redirect(w, r, "/", http.StatusFound)
337 return
338 }
339
340 log.Println("session cleared successfully")
341 o.pages.HxRedirect(w, "/login")
342}
343
344func pubKeyFromJwk(jwks string) (jwk.Key, error) {
345 k, err := helpers.ParseJWKFromBytes([]byte(jwks))
346 if err != nil {
347 return nil, err
348 }
349 pubKey, err := k.PublicKey()
350 if err != nil {
351 return nil, err
352 }
353 return pubKey, nil
354}
355
356var (
357 tangledHandle = "tangled.sh"
358 tangledDid = "did:plc:wshs7t2adsemcrrd4snkeqli"
359 defaultSpindle = "spindle.tangled.sh"
360 defaultKnot = "knot1.tangled.sh"
361)
362
363func (o *OAuthHandler) addToDefaultSpindle(did string) {
364 // use the tangled.sh app password to get an accessJwt
365 // and create an sh.tangled.spindle.member record with that
366 spindleMembers, err := db.GetSpindleMembers(
367 o.db,
368 db.FilterEq("instance", "spindle.tangled.sh"),
369 db.FilterEq("subject", did),
370 )
371 if err != nil {
372 log.Printf("failed to get spindle members for did %s: %v", did, err)
373 return
374 }
375
376 if len(spindleMembers) != 0 {
377 log.Printf("did %s is already a member of the default spindle", did)
378 return
379 }
380
381 log.Printf("adding %s to default spindle", did)
382 session, err := o.createAppPasswordSession()
383 if err != nil {
384 log.Printf("failed to create session: %s", err)
385 return
386 }
387
388 record := tangled.SpindleMember{
389 LexiconTypeID: "sh.tangled.spindle.member",
390 Subject: did,
391 Instance: defaultSpindle,
392 CreatedAt: time.Now().Format(time.RFC3339),
393 }
394
395 if err := session.putRecord(record); err != nil {
396 log.Printf("failed to add member to default knot: %s", err)
397 return
398 }
399
400 log.Printf("successfully added %s to default spindle", did)
401}
402
403func (o *OAuthHandler) addToDefaultKnot(did string) {
404 // use the tangled.sh app password to get an accessJwt
405 // and create an sh.tangled.spindle.member record with that
406
407 allKnots, err := o.enforcer.GetKnotsForUser(did)
408 if err != nil {
409 log.Printf("failed to get knot members for did %s: %v", did, err)
410 return
411 }
412
413 if slices.Contains(allKnots, defaultKnot) {
414 log.Printf("did %s is already a member of the default knot", did)
415 return
416 }
417
418 log.Printf("adding %s to default knot", did)
419 session, err := o.createAppPasswordSession()
420 if err != nil {
421 log.Printf("failed to create session: %s", err)
422 return
423 }
424
425 record := tangled.KnotMember{
426 LexiconTypeID: "sh.tangled.knot.member",
427 Subject: did,
428 Domain: defaultKnot,
429 CreatedAt: time.Now().Format(time.RFC3339),
430 }
431
432 if err := session.putRecord(record); err != nil {
433 log.Printf("failed to add member to default knot: %s", err)
434 return
435 }
436
437 log.Printf("successfully added %s to default Knot", did)
438}
439
440// create a session using apppasswords
441type session struct {
442 AccessJwt string `json:"accessJwt"`
443 PdsEndpoint string
444}
445
446func (o *OAuthHandler) createAppPasswordSession() (*session, error) {
447 appPassword := o.config.Core.AppPassword
448 if appPassword == "" {
449 return nil, fmt.Errorf("no app password configured, skipping member addition")
450 }
451
452 resolved, err := o.idResolver.ResolveIdent(context.Background(), tangledDid)
453 if err != nil {
454 return nil, fmt.Errorf("failed to resolve tangled.sh DID %s: %v", tangledDid, err)
455 }
456
457 pdsEndpoint := resolved.PDSEndpoint()
458 if pdsEndpoint == "" {
459 return nil, fmt.Errorf("no PDS endpoint found for tangled.sh DID %s", tangledDid)
460 }
461
462 sessionPayload := map[string]string{
463 "identifier": tangledHandle,
464 "password": appPassword,
465 }
466 sessionBytes, err := json.Marshal(sessionPayload)
467 if err != nil {
468 return nil, fmt.Errorf("failed to marshal session payload: %v", err)
469 }
470
471 sessionURL := pdsEndpoint + "/xrpc/com.atproto.server.createSession"
472 sessionReq, err := http.NewRequestWithContext(context.Background(), "POST", sessionURL, bytes.NewBuffer(sessionBytes))
473 if err != nil {
474 return nil, fmt.Errorf("failed to create session request: %v", err)
475 }
476 sessionReq.Header.Set("Content-Type", "application/json")
477
478 client := &http.Client{Timeout: 30 * time.Second}
479 sessionResp, err := client.Do(sessionReq)
480 if err != nil {
481 return nil, fmt.Errorf("failed to create session: %v", err)
482 }
483 defer sessionResp.Body.Close()
484
485 if sessionResp.StatusCode != http.StatusOK {
486 return nil, fmt.Errorf("failed to create session: HTTP %d", sessionResp.StatusCode)
487 }
488
489 var session session
490 if err := json.NewDecoder(sessionResp.Body).Decode(&session); err != nil {
491 return nil, fmt.Errorf("failed to decode session response: %v", err)
492 }
493
494 session.PdsEndpoint = pdsEndpoint
495
496 return &session, nil
497}
498
499func (s *session) putRecord(record any) error {
500 recordBytes, err := json.Marshal(record)
501 if err != nil {
502 return fmt.Errorf("failed to marshal knot member record: %w", err)
503 }
504
505 payload := map[string]any{
506 "repo": tangledDid,
507 "collection": tangled.KnotMemberNSID,
508 "rkey": tid.TID(),
509 "record": json.RawMessage(recordBytes),
510 }
511
512 payloadBytes, err := json.Marshal(payload)
513 if err != nil {
514 return fmt.Errorf("failed to marshal request payload: %w", err)
515 }
516
517 url := s.PdsEndpoint + "/xrpc/com.atproto.repo.putRecord"
518 req, err := http.NewRequestWithContext(context.Background(), "POST", url, bytes.NewBuffer(payloadBytes))
519 if err != nil {
520 return fmt.Errorf("failed to create HTTP request: %w", err)
521 }
522
523 req.Header.Set("Content-Type", "application/json")
524 req.Header.Set("Authorization", "Bearer "+s.AccessJwt)
525
526 client := &http.Client{Timeout: 30 * time.Second}
527 resp, err := client.Do(req)
528 if err != nil {
529 return fmt.Errorf("failed to add user to default Knot: %w", err)
530 }
531 defer resp.Body.Close()
532
533 if resp.StatusCode != http.StatusOK {
534 return fmt.Errorf("failed to add user to default Knot: HTTP %d", resp.StatusCode)
535 }
536
537 return nil
538}