appview/oauth/handler/handler.go at push-zqrmrxxvrylu · kot.pink/core

kot.pink / core
Monorepo for Tangled — https://tangled.org
core / appview / oauth / handler / handler.go
at push-zqrmrxxvrylu 14 kB view raw
  1package oauth
  2
  3import (
  4	"bytes"
  5	"context"
  6	"encoding/json"
  7	"fmt"
  8	"log"
  9	"net/http"
 10	"net/url"
 11	"strings"
 12	"time"
 13
 14	"github.com/go-chi/chi/v5"
 15	"github.com/gorilla/sessions"
 16	"github.com/lestrrat-go/jwx/v2/jwk"
 17	"github.com/posthog/posthog-go"
 18	"tangled.sh/icyphox.sh/atproto-oauth/helpers"
 19	tangled "tangled.sh/tangled.sh/core/api/tangled"
 20	sessioncache "tangled.sh/tangled.sh/core/appview/cache/session"
 21	"tangled.sh/tangled.sh/core/appview/config"
 22	"tangled.sh/tangled.sh/core/appview/db"
 23	"tangled.sh/tangled.sh/core/appview/middleware"
 24	"tangled.sh/tangled.sh/core/appview/oauth"
 25	"tangled.sh/tangled.sh/core/appview/oauth/client"
 26	"tangled.sh/tangled.sh/core/appview/pages"
 27	"tangled.sh/tangled.sh/core/idresolver"
 28	"tangled.sh/tangled.sh/core/knotclient"
 29	"tangled.sh/tangled.sh/core/rbac"
 30	"tangled.sh/tangled.sh/core/tid"
 31)
 32
 33const (
 34	oauthScope = "atproto transition:generic"
 35)
 36
 37type OAuthHandler struct {
 38	config     *config.Config
 39	pages      *pages.Pages
 40	idResolver *idresolver.Resolver
 41	sess       *sessioncache.SessionStore
 42	db         *db.DB
 43	store      *sessions.CookieStore
 44	oauth      *oauth.OAuth
 45	enforcer   *rbac.Enforcer
 46	posthog    posthog.Client
 47}
 48
 49func New(
 50	config *config.Config,
 51	pages *pages.Pages,
 52	idResolver *idresolver.Resolver,
 53	db *db.DB,
 54	sess *sessioncache.SessionStore,
 55	store *sessions.CookieStore,
 56	oauth *oauth.OAuth,
 57	enforcer *rbac.Enforcer,
 58	posthog posthog.Client,
 59) *OAuthHandler {
 60	return &OAuthHandler{
 61		config:     config,
 62		pages:      pages,
 63		idResolver: idResolver,
 64		db:         db,
 65		sess:       sess,
 66		store:      store,
 67		oauth:      oauth,
 68		enforcer:   enforcer,
 69		posthog:    posthog,
 70	}
 71}
 72
 73func (o *OAuthHandler) Router() http.Handler {
 74	r := chi.NewRouter()
 75
 76	r.Get("/login", o.login)
 77	r.Post("/login", o.login)
 78
 79	r.With(middleware.AuthMiddleware(o.oauth)).Post("/logout", o.logout)
 80
 81	r.Get("/oauth/client-metadata.json", o.clientMetadata)
 82	r.Get("/oauth/jwks.json", o.jwks)
 83	r.Get("/oauth/callback", o.callback)
 84	return r
 85}
 86
 87func (o *OAuthHandler) clientMetadata(w http.ResponseWriter, r *http.Request) {
 88	w.Header().Set("Content-Type", "application/json")
 89	w.WriteHeader(http.StatusOK)
 90	json.NewEncoder(w).Encode(o.oauth.ClientMetadata())
 91}
 92
 93func (o *OAuthHandler) jwks(w http.ResponseWriter, r *http.Request) {
 94	jwks := o.config.OAuth.Jwks
 95	pubKey, err := pubKeyFromJwk(jwks)
 96	if err != nil {
 97		log.Printf("error parsing public key: %v", err)
 98		http.Error(w, err.Error(), http.StatusInternalServerError)
 99		return
100	}
101
102	response := helpers.CreateJwksResponseObject(pubKey)
103
104	w.Header().Set("Content-Type", "application/json")
105	w.WriteHeader(http.StatusOK)
106	json.NewEncoder(w).Encode(response)
107}
108
109func (o *OAuthHandler) login(w http.ResponseWriter, r *http.Request) {
110	switch r.Method {
111	case http.MethodGet:
112		returnURL := r.URL.Query().Get("return_url")
113		o.pages.Login(w, pages.LoginParams{
114			ReturnUrl: returnURL,
115		})
116	case http.MethodPost:
117		handle := r.FormValue("handle")
118
119		// when users copy their handle from bsky.app, it tends to have these characters around it:
120		//
121		// @nelind.dk:
122		//   \u202a ensures that the handle is always rendered left to right and
123		//   \u202c reverts that so the rest of the page renders however it should
124		handle = strings.TrimPrefix(handle, "\u202a")
125		handle = strings.TrimSuffix(handle, "\u202c")
126
127		// `@` is harmless
128		handle = strings.TrimPrefix(handle, "@")
129
130		// basic handle validation
131		if !strings.Contains(handle, ".") {
132			log.Println("invalid handle format", "raw", handle)
133			o.pages.Notice(w, "login-msg", fmt.Sprintf("\"%s\" is an invalid handle. Did you mean %s.bsky.social?", handle, handle))
134			return
135		}
136
137		resolved, err := o.idResolver.ResolveIdent(r.Context(), handle)
138		if err != nil {
139			log.Println("failed to resolve handle:", err)
140			o.pages.Notice(w, "login-msg", fmt.Sprintf("\"%s\" is an invalid handle.", handle))
141			return
142		}
143		self := o.oauth.ClientMetadata()
144		oauthClient, err := client.NewClient(
145			self.ClientID,
146			o.config.OAuth.Jwks,
147			self.RedirectURIs[0],
148		)
149
150		if err != nil {
151			log.Println("failed to create oauth client:", err)
152			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
153			return
154		}
155
156		authServer, err := oauthClient.ResolvePdsAuthServer(r.Context(), resolved.PDSEndpoint())
157		if err != nil {
158			log.Println("failed to resolve auth server:", err)
159			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
160			return
161		}
162
163		authMeta, err := oauthClient.FetchAuthServerMetadata(r.Context(), authServer)
164		if err != nil {
165			log.Println("failed to fetch auth server metadata:", err)
166			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
167			return
168		}
169
170		dpopKey, err := helpers.GenerateKey(nil)
171		if err != nil {
172			log.Println("failed to generate dpop key:", err)
173			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
174			return
175		}
176
177		dpopKeyJson, err := json.Marshal(dpopKey)
178		if err != nil {
179			log.Println("failed to marshal dpop key:", err)
180			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
181			return
182		}
183
184		parResp, err := oauthClient.SendParAuthRequest(r.Context(), authServer, authMeta, handle, oauthScope, dpopKey)
185		if err != nil {
186			log.Println("failed to send par auth request:", err)
187			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
188			return
189		}
190
191		err = o.sess.SaveRequest(r.Context(), sessioncache.OAuthRequest{
192			Did:                 resolved.DID.String(),
193			PdsUrl:              resolved.PDSEndpoint(),
194			Handle:              handle,
195			AuthserverIss:       authMeta.Issuer,
196			PkceVerifier:        parResp.PkceVerifier,
197			DpopAuthserverNonce: parResp.DpopAuthserverNonce,
198			DpopPrivateJwk:      string(dpopKeyJson),
199			State:               parResp.State,
200			ReturnUrl:           r.FormValue("return_url"),
201		})
202		if err != nil {
203			log.Println("failed to save oauth request:", err)
204			o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
205			return
206		}
207
208		u, _ := url.Parse(authMeta.AuthorizationEndpoint)
209		query := url.Values{}
210		query.Add("client_id", self.ClientID)
211		query.Add("request_uri", parResp.RequestUri)
212		u.RawQuery = query.Encode()
213		o.pages.HxRedirect(w, u.String())
214	}
215}
216
217func (o *OAuthHandler) callback(w http.ResponseWriter, r *http.Request) {
218	state := r.FormValue("state")
219
220	oauthRequest, err := o.sess.GetRequestByState(r.Context(), state)
221	if err != nil {
222		log.Println("failed to get oauth request:", err)
223		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
224		return
225	}
226
227	defer func() {
228		err := o.sess.DeleteRequestByState(r.Context(), state)
229		if err != nil {
230			log.Println("failed to delete oauth request for state:", state, err)
231		}
232	}()
233
234	error := r.FormValue("error")
235	errorDescription := r.FormValue("error_description")
236	if error != "" || errorDescription != "" {
237		log.Printf("error: %s, %s", error, errorDescription)
238		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
239		return
240	}
241
242	code := r.FormValue("code")
243	if code == "" {
244		log.Println("missing code for state: ", state)
245		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
246		return
247	}
248
249	iss := r.FormValue("iss")
250	if iss == "" {
251		log.Println("missing iss for state: ", state)
252		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
253		return
254	}
255
256	self := o.oauth.ClientMetadata()
257
258	oauthClient, err := client.NewClient(
259		self.ClientID,
260		o.config.OAuth.Jwks,
261		self.RedirectURIs[0],
262	)
263
264	if err != nil {
265		log.Println("failed to create oauth client:", err)
266		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
267		return
268	}
269
270	jwk, err := helpers.ParseJWKFromBytes([]byte(oauthRequest.DpopPrivateJwk))
271	if err != nil {
272		log.Println("failed to parse jwk:", err)
273		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
274		return
275	}
276
277	tokenResp, err := oauthClient.InitialTokenRequest(
278		r.Context(),
279		code,
280		oauthRequest.AuthserverIss,
281		oauthRequest.PkceVerifier,
282		oauthRequest.DpopAuthserverNonce,
283		jwk,
284	)
285	if err != nil {
286		log.Println("failed to get token:", err)
287		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
288		return
289	}
290
291	if tokenResp.Scope != oauthScope {
292		log.Println("scope doesn't match:", tokenResp.Scope)
293		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
294		return
295	}
296
297	err = o.oauth.SaveSession(w, r, *oauthRequest, tokenResp)
298	if err != nil {
299		log.Println("failed to save session:", err)
300		o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
301		return
302	}
303
304	log.Println("session saved successfully")
305	go o.addToDefaultKnot(oauthRequest.Did)
306	go o.addToDefaultSpindle(oauthRequest.Did)
307
308	if !o.config.Core.Dev {
309		err = o.posthog.Enqueue(posthog.Capture{
310			DistinctId: oauthRequest.Did,
311			Event:      "signin",
312		})
313		if err != nil {
314			log.Println("failed to enqueue posthog event:", err)
315		}
316	}
317
318	returnUrl := oauthRequest.ReturnUrl
319	if returnUrl == "" {
320		returnUrl = "/"
321	}
322
323	http.Redirect(w, r, returnUrl, http.StatusFound)
324}
325
326func (o *OAuthHandler) logout(w http.ResponseWriter, r *http.Request) {
327	err := o.oauth.ClearSession(r, w)
328	if err != nil {
329		log.Println("failed to clear session:", err)
330		http.Redirect(w, r, "/", http.StatusFound)
331		return
332	}
333
334	log.Println("session cleared successfully")
335	o.pages.HxRedirect(w, "/login")
336}
337
338func pubKeyFromJwk(jwks string) (jwk.Key, error) {
339	k, err := helpers.ParseJWKFromBytes([]byte(jwks))
340	if err != nil {
341		return nil, err
342	}
343	pubKey, err := k.PublicKey()
344	if err != nil {
345		return nil, err
346	}
347	return pubKey, nil
348}
349
350func (o *OAuthHandler) addToDefaultSpindle(did string) {
351	// use the tangled.sh app password to get an accessJwt
352	// and create an sh.tangled.spindle.member record with that
353
354	defaultSpindle := "spindle.tangled.sh"
355	appPassword := o.config.Core.AppPassword
356
357	spindleMembers, err := db.GetSpindleMembers(
358		o.db,
359		db.FilterEq("instance", "spindle.tangled.sh"),
360		db.FilterEq("subject", did),
361	)
362	if err != nil {
363		log.Printf("failed to get spindle members for did %s: %v", did, err)
364		return
365	}
366
367	if len(spindleMembers) != 0 {
368		log.Printf("did %s is already a member of the default spindle", did)
369		return
370	}
371
372	// TODO: hardcoded tangled handle and did for now
373	tangledHandle := "tangled.sh"
374	tangledDid := "did:plc:wshs7t2adsemcrrd4snkeqli"
375
376	if appPassword == "" {
377		log.Println("no app password configured, skipping spindle member addition")
378		return
379	}
380
381	log.Printf("adding %s to default spindle", did)
382
383	resolved, err := o.idResolver.ResolveIdent(context.Background(), tangledDid)
384	if err != nil {
385		log.Printf("failed to resolve tangled.sh DID %s: %v", tangledDid, err)
386		return
387	}
388
389	pdsEndpoint := resolved.PDSEndpoint()
390	if pdsEndpoint == "" {
391		log.Printf("no PDS endpoint found for tangled.sh DID %s", tangledDid)
392		return
393	}
394
395	sessionPayload := map[string]string{
396		"identifier": tangledHandle,
397		"password":   appPassword,
398	}
399	sessionBytes, err := json.Marshal(sessionPayload)
400	if err != nil {
401		log.Printf("failed to marshal session payload: %v", err)
402		return
403	}
404
405	sessionURL := pdsEndpoint + "/xrpc/com.atproto.server.createSession"
406	sessionReq, err := http.NewRequestWithContext(context.Background(), "POST", sessionURL, bytes.NewBuffer(sessionBytes))
407	if err != nil {
408		log.Printf("failed to create session request: %v", err)
409		return
410	}
411	sessionReq.Header.Set("Content-Type", "application/json")
412
413	client := &http.Client{Timeout: 30 * time.Second}
414	sessionResp, err := client.Do(sessionReq)
415	if err != nil {
416		log.Printf("failed to create session: %v", err)
417		return
418	}
419	defer sessionResp.Body.Close()
420
421	if sessionResp.StatusCode != http.StatusOK {
422		log.Printf("failed to create session: HTTP %d", sessionResp.StatusCode)
423		return
424	}
425
426	var session struct {
427		AccessJwt string `json:"accessJwt"`
428	}
429	if err := json.NewDecoder(sessionResp.Body).Decode(&session); err != nil {
430		log.Printf("failed to decode session response: %v", err)
431		return
432	}
433
434	record := tangled.SpindleMember{
435		LexiconTypeID: "sh.tangled.spindle.member",
436		Subject:       did,
437		Instance:      defaultSpindle,
438		CreatedAt:     time.Now().Format(time.RFC3339),
439	}
440
441	recordBytes, err := json.Marshal(record)
442	if err != nil {
443		log.Printf("failed to marshal spindle member record: %v", err)
444		return
445	}
446
447	payload := map[string]interface{}{
448		"repo":       tangledDid,
449		"collection": tangled.SpindleMemberNSID,
450		"rkey":       tid.TID(),
451		"record":     json.RawMessage(recordBytes),
452	}
453
454	payloadBytes, err := json.Marshal(payload)
455	if err != nil {
456		log.Printf("failed to marshal request payload: %v", err)
457		return
458	}
459
460	url := pdsEndpoint + "/xrpc/com.atproto.repo.putRecord"
461	req, err := http.NewRequestWithContext(context.Background(), "POST", url, bytes.NewBuffer(payloadBytes))
462	if err != nil {
463		log.Printf("failed to create HTTP request: %v", err)
464		return
465	}
466
467	req.Header.Set("Content-Type", "application/json")
468	req.Header.Set("Authorization", "Bearer "+session.AccessJwt)
469
470	resp, err := client.Do(req)
471	if err != nil {
472		log.Printf("failed to add user to default spindle: %v", err)
473		return
474	}
475	defer resp.Body.Close()
476
477	if resp.StatusCode != http.StatusOK {
478		log.Printf("failed to add user to default spindle: HTTP %d", resp.StatusCode)
479		return
480	}
481
482	log.Printf("successfully added %s to default spindle", did)
483}
484
485func (o *OAuthHandler) addToDefaultKnot(did string) {
486	defaultKnot := "knot1.tangled.sh"
487
488	log.Printf("adding %s to default knot", did)
489	err := o.enforcer.AddKnotMember(defaultKnot, did)
490	if err != nil {
491		log.Println("failed to add user to knot1.tangled.sh: ", err)
492		return
493	}
494	err = o.enforcer.E.SavePolicy()
495	if err != nil {
496		log.Println("failed to add user to knot1.tangled.sh: ", err)
497		return
498	}
499
500	secret, err := db.GetRegistrationKey(o.db, defaultKnot)
501	if err != nil {
502		log.Println("failed to get registration key for knot1.tangled.sh")
503		return
504	}
505	signedClient, err := knotclient.NewSignedClient(defaultKnot, secret, o.config.Core.Dev)
506	resp, err := signedClient.AddMember(did)
507	if err != nil {
508		log.Println("failed to add user to knot1.tangled.sh: ", err)
509		return
510	}
511
512	if resp.StatusCode != http.StatusNoContent {
513		log.Println("failed to add user to knot1.tangled.sh: ", resp.StatusCode)
514		return
515	}
516}