appview/oauth/handler/handler.go at push-pwqwlvnsqtqr · kot.pink/core

kot.pink / core
Monorepo for Tangled — https://tangled.org
core / appview / oauth / handler / handler.go
at push-pwqwlvnsqtqr 14 kB view raw
  1package oauth
  2
  3import (
  4	"bytes"
  5	"context"
  6	"encoding/json"
  7	"fmt"
  8	"log"
  9	"net/http"
 10	"net/url"
 11	"strings"
 12	"time"
 13
 14	"github.com/go-chi/chi/v5"
 15	"github.com/gorilla/sessions"
 16	"github.com/lestrrat-go/jwx/v2/jwk"
 17	"github.com/posthog/posthog-go"
 18	"tangled.sh/icyphox.sh/atproto-oauth/helpers"
 19	tangled "tangled.sh/tangled.sh/core/api/tangled"
 20	sessioncache "tangled.sh/tangled.sh/core/appview/cache/session"
 21	"tangled.sh/tangled.sh/core/appview/config"
 22	"tangled.sh/tangled.sh/core/appview/db"
 23	"tangled.sh/tangled.sh/core/appview/middleware"
 24	"tangled.sh/tangled.sh/core/appview/oauth"
 25	"tangled.sh/tangled.sh/core/appview/oauth/client"
 26	"tangled.sh/tangled.sh/core/appview/pages"
 27	"tangled.sh/tangled.sh/core/idresolver"
 28	"tangled.sh/tangled.sh/core/knotclient"
 29	"tangled.sh/tangled.sh/core/rbac"
 30	"tangled.sh/tangled.sh/core/tid"
 31)
 32
 33const (
 34	oauthScope = "atproto transition:generic"
 35)
 36
 37type OAuthHandler struct {
 38	config     *config.Config
 39	pages      *pages.Pages
 40	idResolver *idresolver.Resolver
 41	sess       *sessioncache.SessionStore
 42	db         *db.DB
 43	store      *sessions.CookieStore
 44	oauth      *oauth.OAuth
 45	enforcer   *rbac.Enforcer
 46	posthog    posthog.Client
 47}
 48
 49func New(
 50	config *config.Config,
 51	pages *pages.Pages,
 52	idResolver *idresolver.Resolver,
 53	db *db.DB,
 54	sess *sessioncache.SessionStore,
 55	store *sessions.CookieStore,
 56	oauth *oauth.OAuth,
 57	enforcer *rbac.Enforcer,
 58	posthog posthog.Client,
 59) *OAuthHandler {
 60	return &OAuthHandler{
 61		config:     config,
 62		pages:      pages,
 63		idResolver: idResolver,
 64		db:         db,
 65		sess:       sess,
 66		store:      store,
 67		oauth:      oauth,
 68		enforcer:   enforcer,
 69		posthog:    posthog,
 70	}
 71}
 72
 73func (o *OAuthHandler) Router() http.Handler {
 74	r := chi.NewRouter()
 75
 76	r.Get("/login", o.login)
 77	r.Post("/login", o.login)
 78
 79	r.With(middleware.AuthMiddleware(o.oauth)).Post("/logout", o.logout)
 80
 81	r.Get("/oauth/client-metadata.json", o.clientMetadata)
 82	r.Get("/oauth/jwks.json", o.jwks)
 83	r.Get("/oauth/callback", o.callback)
 84	return r
 85}
 86
 87func (o *OAuthHandler) clientMetadata(w http.ResponseWriter, r *http.Request) {
 88	w.Header().Set("Content-Type", "application/json")
 89	w.WriteHeader(http.StatusOK)
 90	json.NewEncoder(w).Encode(o.oauth.ClientMetadata())
 91}
 92
 93func (o *OAuthHandler) jwks(w http.ResponseWriter, r *http.Request) {
 94	jwks := o.config.OAuth.Jwks
 95	pubKey, err := pubKeyFromJwk(jwks)
 96	if err != nil {
 97		log.Printf("error parsing public key: %v", err)
 98		http.Error(w, err.Error(), http.StatusInternalServerError)
 99		return
100	}
101
102	response := helpers.CreateJwksResponseObject(pubKey)
103
104	w.Header().Set("Content-Type", "application/json")
105	w.WriteHeader(http.StatusOK)
106	json.NewEncoder(w).Encode(response)
107}
108
109func (o *OAuthHandler) login(w http.ResponseWriter, r *http.Request) {
110	switch r.Method {
111	case http.MethodGet:
112		returnURL := r.URL.Query().Get("return_url")
113		o.pages.Login(w, pages.LoginParams{
114			ReturnUrl: returnURL,
115		})
116	case http.MethodPost:
117		handle := r.FormValue("handle")
118
119		// when users copy their handle from bsky.app, it tends to have these characters around it:
120		//
121		// @nelind.dk:
122		//   \u202a ensures that the handle is always rendered left to right and
123		//   \u202c reverts that so the rest of the page renders however it should
124		handle = strings.TrimPrefix(handle, "\u202a")
125		handle = strings.TrimSuffix(handle, "\u202c")
126
127		// `@` is harmless
128		handle = strings.TrimPrefix(handle, "@")
129
130		// basic handle validation
131		if !strings.Contains(handle, ".") {
132			log.Println("invalid handle format", "raw", handle)
133			o.pages.Notice(w, "login-msg", fmt.Sprintf("\"%s\" is an invalid handle. Did you mean %s.bsky.social?", handle, handle))
134			return
135		}
136
137		resolved, err := o.idResolver.ResolveIdent(r.Context(), handle)
138		if err != nil {
139			log.Println("failed to resolve handle:", err)
140			o.pages.Notice(w, "login-msg", fmt.Sprintf("\"%s\" is an invalid handle.", handle))
141			return
142		}
143		self := o.oauth.ClientMetadata()
144		oauthClient, err := client.NewClient(
145			self.ClientID,
146			o.config.OAuth.Jwks,
147			self.RedirectURIs[0],
148		)
149
150		if err != nil {
151			log.Println("failed to create oauth client:", err)
152			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
153			return
154		}
155
156		authServer, err := oauthClient.ResolvePdsAuthServer(r.Context(), resolved.PDSEndpoint())
157		if err != nil {
158			log.Println("failed to resolve auth server:", err)
159			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
160			return
161		}
162
163		authMeta, err := oauthClient.FetchAuthServerMetadata(r.Context(), authServer)
164		if err != nil {
165			log.Println("failed to fetch auth server metadata:", err)
166			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
167			return
168		}
169
170		dpopKey, err := helpers.GenerateKey(nil)
171		if err != nil {
172			log.Println("failed to generate dpop key:", err)
173			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
174			return
175		}
176
177		dpopKeyJson, err := json.Marshal(dpopKey)
178		if err != nil {
179			log.Println("failed to marshal dpop key:", err)
180			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
181			return
182		}
183
184		parResp, err := oauthClient.SendParAuthRequest(r.Context(), authServer, authMeta, handle, oauthScope, dpopKey)
185		if err != nil {
186			log.Println("failed to send par auth request:", err)
187			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
188			return
189		}
190
191		err = o.sess.SaveRequest(r.Context(), sessioncache.OAuthRequest{
192			Did:                 resolved.DID.String(),
193			PdsUrl:              resolved.PDSEndpoint(),
194			Handle:              handle,
195			AuthserverIss:       authMeta.Issuer,
196			PkceVerifier:        parResp.PkceVerifier,
197			DpopAuthserverNonce: parResp.DpopAuthserverNonce,
198			DpopPrivateJwk:      string(dpopKeyJson),
199			State:               parResp.State,
200			ReturnUrl:           r.FormValue("return_url"),
201		})
202		if err != nil {
203			log.Println("failed to save oauth request:", err)
204			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
205			return
206		}
207
208		u, _ := url.Parse(authMeta.AuthorizationEndpoint)
209		query := url.Values{}
210		query.Add("client_id", self.ClientID)
211		query.Add("request_uri", parResp.RequestUri)
212		u.RawQuery = query.Encode()
213		o.pages.HxRedirect(w, u.String())
214	}
215}
216
217func (o *OAuthHandler) callback(w http.ResponseWriter, r *http.Request) {
218	state := r.FormValue("state")
219
220	oauthRequest, err := o.sess.GetRequestByState(r.Context(), state)
221	if err != nil {
222		log.Println("failed to get oauth request:", err)
223		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
224		return
225	}
226
227	defer func() {
228		err := o.sess.DeleteRequestByState(r.Context(), state)
229		if err != nil {
230			log.Println("failed to delete oauth request for state:", state, err)
231		}
232	}()
233
234	error := r.FormValue("error")
235	errorDescription := r.FormValue("error_description")
236	if error != "" || errorDescription != "" {
237		log.Printf("error: %s, %s", error, errorDescription)
238		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
239		return
240	}
241
242	code := r.FormValue("code")
243	if code == "" {
244		log.Println("missing code for state: ", state)
245		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
246		return
247	}
248
249	iss := r.FormValue("iss")
250	if iss == "" {
251		log.Println("missing iss for state: ", state)
252		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
253		return
254	}
255
256	if iss != oauthRequest.AuthserverIss {
257		log.Println("mismatched iss:", iss, "!=", oauthRequest.AuthserverIss, "for state:", state)
258		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
259		return
260	}
261
262	self := o.oauth.ClientMetadata()
263
264	oauthClient, err := client.NewClient(
265		self.ClientID,
266		o.config.OAuth.Jwks,
267		self.RedirectURIs[0],
268	)
269
270	if err != nil {
271		log.Println("failed to create oauth client:", err)
272		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
273		return
274	}
275
276	jwk, err := helpers.ParseJWKFromBytes([]byte(oauthRequest.DpopPrivateJwk))
277	if err != nil {
278		log.Println("failed to parse jwk:", err)
279		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
280		return
281	}
282
283	tokenResp, err := oauthClient.InitialTokenRequest(
284		r.Context(),
285		code,
286		oauthRequest.AuthserverIss,
287		oauthRequest.PkceVerifier,
288		oauthRequest.DpopAuthserverNonce,
289		jwk,
290	)
291	if err != nil {
292		log.Println("failed to get token:", err)
293		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
294		return
295	}
296
297	if tokenResp.Scope != oauthScope {
298		log.Println("scope doesn't match:", tokenResp.Scope)
299		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
300		return
301	}
302
303	err = o.oauth.SaveSession(w, r, *oauthRequest, tokenResp)
304	if err != nil {
305		log.Println("failed to save session:", err)
306		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
307		return
308	}
309
310	log.Println("session saved successfully")
311	go o.addToDefaultKnot(oauthRequest.Did)
312	go o.addToDefaultSpindle(oauthRequest.Did)
313
314	if !o.config.Core.Dev {
315		err = o.posthog.Enqueue(posthog.Capture{
316			DistinctId: oauthRequest.Did,
317			Event:      "signin",
318		})
319		if err != nil {
320			log.Println("failed to enqueue posthog event:", err)
321		}
322	}
323
324	returnUrl := oauthRequest.ReturnUrl
325	if returnUrl == "" {
326		returnUrl = "/"
327	}
328
329	http.Redirect(w, r, returnUrl, http.StatusFound)
330}
331
332func (o *OAuthHandler) logout(w http.ResponseWriter, r *http.Request) {
333	err := o.oauth.ClearSession(r, w)
334	if err != nil {
335		log.Println("failed to clear session:", err)
336		http.Redirect(w, r, "/", http.StatusFound)
337		return
338	}
339
340	log.Println("session cleared successfully")
341	o.pages.HxRedirect(w, "/login")
342}
343
344func pubKeyFromJwk(jwks string) (jwk.Key, error) {
345	k, err := helpers.ParseJWKFromBytes([]byte(jwks))
346	if err != nil {
347		return nil, err
348	}
349	pubKey, err := k.PublicKey()
350	if err != nil {
351		return nil, err
352	}
353	return pubKey, nil
354}
355
356func (o *OAuthHandler) addToDefaultSpindle(did string) {
357	// use the tangled.sh app password to get an accessJwt
358	// and create an sh.tangled.spindle.member record with that
359
360	defaultSpindle := "spindle.tangled.sh"
361	appPassword := o.config.Core.AppPassword
362
363	spindleMembers, err := db.GetSpindleMembers(
364		o.db,
365		db.FilterEq("instance", "spindle.tangled.sh"),
366		db.FilterEq("subject", did),
367	)
368	if err != nil {
369		log.Printf("failed to get spindle members for did %s: %v", did, err)
370		return
371	}
372
373	if len(spindleMembers) != 0 {
374		log.Printf("did %s is already a member of the default spindle", did)
375		return
376	}
377
378	// TODO: hardcoded tangled handle and did for now
379	tangledHandle := "tangled.sh"
380	tangledDid := "did:plc:wshs7t2adsemcrrd4snkeqli"
381
382	if appPassword == "" {
383		log.Println("no app password configured, skipping spindle member addition")
384		return
385	}
386
387	log.Printf("adding %s to default spindle", did)
388
389	resolved, err := o.idResolver.ResolveIdent(context.Background(), tangledDid)
390	if err != nil {
391		log.Printf("failed to resolve tangled.sh DID %s: %v", tangledDid, err)
392		return
393	}
394
395	pdsEndpoint := resolved.PDSEndpoint()
396	if pdsEndpoint == "" {
397		log.Printf("no PDS endpoint found for tangled.sh DID %s", tangledDid)
398		return
399	}
400
401	sessionPayload := map[string]string{
402		"identifier": tangledHandle,
403		"password":   appPassword,
404	}
405	sessionBytes, err := json.Marshal(sessionPayload)
406	if err != nil {
407		log.Printf("failed to marshal session payload: %v", err)
408		return
409	}
410
411	sessionURL := pdsEndpoint + "/xrpc/com.atproto.server.createSession"
412	sessionReq, err := http.NewRequestWithContext(context.Background(), "POST", sessionURL, bytes.NewBuffer(sessionBytes))
413	if err != nil {
414		log.Printf("failed to create session request: %v", err)
415		return
416	}
417	sessionReq.Header.Set("Content-Type", "application/json")
418
419	client := &http.Client{Timeout: 30 * time.Second}
420	sessionResp, err := client.Do(sessionReq)
421	if err != nil {
422		log.Printf("failed to create session: %v", err)
423		return
424	}
425	defer sessionResp.Body.Close()
426
427	if sessionResp.StatusCode != http.StatusOK {
428		log.Printf("failed to create session: HTTP %d", sessionResp.StatusCode)
429		return
430	}
431
432	var session struct {
433		AccessJwt string `json:"accessJwt"`
434	}
435	if err := json.NewDecoder(sessionResp.Body).Decode(&session); err != nil {
436		log.Printf("failed to decode session response: %v", err)
437		return
438	}
439
440	record := tangled.SpindleMember{
441		LexiconTypeID: "sh.tangled.spindle.member",
442		Subject:       did,
443		Instance:      defaultSpindle,
444		CreatedAt:     time.Now().Format(time.RFC3339),
445	}
446
447	recordBytes, err := json.Marshal(record)
448	if err != nil {
449		log.Printf("failed to marshal spindle member record: %v", err)
450		return
451	}
452
453	payload := map[string]interface{}{
454		"repo":       tangledDid,
455		"collection": tangled.SpindleMemberNSID,
456		"rkey":       tid.TID(),
457		"record":     json.RawMessage(recordBytes),
458	}
459
460	payloadBytes, err := json.Marshal(payload)
461	if err != nil {
462		log.Printf("failed to marshal request payload: %v", err)
463		return
464	}
465
466	url := pdsEndpoint + "/xrpc/com.atproto.repo.putRecord"
467	req, err := http.NewRequestWithContext(context.Background(), "POST", url, bytes.NewBuffer(payloadBytes))
468	if err != nil {
469		log.Printf("failed to create HTTP request: %v", err)
470		return
471	}
472
473	req.Header.Set("Content-Type", "application/json")
474	req.Header.Set("Authorization", "Bearer "+session.AccessJwt)
475
476	resp, err := client.Do(req)
477	if err != nil {
478		log.Printf("failed to add user to default spindle: %v", err)
479		return
480	}
481	defer resp.Body.Close()
482
483	if resp.StatusCode != http.StatusOK {
484		log.Printf("failed to add user to default spindle: HTTP %d", resp.StatusCode)
485		return
486	}
487
488	log.Printf("successfully added %s to default spindle", did)
489}
490
491func (o *OAuthHandler) addToDefaultKnot(did string) {
492	defaultKnot := "knot1.tangled.sh"
493
494	log.Printf("adding %s to default knot", did)
495	err := o.enforcer.AddKnotMember(defaultKnot, did)
496	if err != nil {
497		log.Println("failed to add user to knot1.tangled.sh: ", err)
498		return
499	}
500	err = o.enforcer.E.SavePolicy()
501	if err != nil {
502		log.Println("failed to add user to knot1.tangled.sh: ", err)
503		return
504	}
505
506	secret, err := db.GetRegistrationKey(o.db, defaultKnot)
507	if err != nil {
508		log.Println("failed to get registration key for knot1.tangled.sh")
509		return
510	}
511	signedClient, err := knotclient.NewSignedClient(defaultKnot, secret, o.config.Core.Dev)
512	resp, err := signedClient.AddMember(did)
513	if err != nil {
514		log.Println("failed to add user to knot1.tangled.sh: ", err)
515		return
516	}
517
518	if resp.StatusCode != http.StatusNoContent {
519		log.Println("failed to add user to knot1.tangled.sh: ", resp.StatusCode)
520		return
521	}
522}