commit 7e904629226cffa9374ff978d0c46f5c1815a5a0 · kot.pink/core

+59 -1

appview/auth/auth.go

···

       13
       13
        
       	"github.com/sotangled/tangled/appview"

     

       14
       14
        
       )

     

       15
       15
        
       

     

       16
       16
       +
       const ExpiryDuration = 15 * time.Minute

     

       17
       17
       +
       

     

       16
       18
        
       type Auth struct {

     

       17
       19
        
       	Store *sessions.CookieStore

     

       18
       20
        
       }

     
···

       61
       63
        
       	GetStatus() *string

     

       62
       64
        
       }

     

       63
       65
        
       

     

       66
       66
       +
       type ClientSessionish struct {

     

       67
       67
       +
       	sessions.Session

     

       68
       68
       +
       }

     

       69
       69
       +
       

     

       70
       70
       +
       func (c *ClientSessionish) GetAccessJwt() string {

     

       71
       71
       +
       	return c.Values[appview.SessionAccessJwt].(string)

     

       72
       72
       +
       }

     

       73
       73
       +
       

     

       74
       74
       +
       func (c *ClientSessionish) GetActive() *bool {

     

       75
       75
       +
       	return c.Values[appview.SessionAuthenticated].(*bool)

     

       76
       76
       +
       }

     

       77
       77
       +
       

     

       78
       78
       +
       func (c *ClientSessionish) GetDid() string {

     

       79
       79
       +
       	return c.Values[appview.SessionDid].(string)

     

       80
       80
       +
       }

     

       81
       81
       +
       

     

       82
       82
       +
       func (c *ClientSessionish) GetDidDoc() *interface{} {

     

       83
       83
       +
       	return nil

     

       84
       84
       +
       }

     

       85
       85
       +
       

     

       86
       86
       +
       func (c *ClientSessionish) GetHandle() string {

     

       87
       87
       +
       	return c.Values[appview.SessionHandle].(string)

     

       88
       88
       +
       }

     

       89
       89
       +
       

     

       90
       90
       +
       func (c *ClientSessionish) GetRefreshJwt() string {

     

       91
       91
       +
       	return c.Values[appview.SessionRefreshJwt].(string)

     

       92
       92
       +
       }

     

       93
       93
       +
       

     

       94
       94
       +
       func (c *ClientSessionish) GetStatus() *string {

     

       95
       95
       +
       	return nil

     

       96
       96
       +
       }

     

       97
       97
       +
       

     

       64
       98
        
       // Create a wrapper type for ServerRefreshSession_Output

     

       65
       99
        
       type RefreshSessionWrapper struct {

     

       66
       100
        
       	*comatproto.ServerRefreshSession_Output

     
···

       140
       174
        
       	clientSession.Values[appview.SessionPds] = pdsEndpoint

     

       141
       175
        
       	clientSession.Values[appview.SessionAccessJwt] = atSessionish.GetAccessJwt()

     

       142
       176
        
       	clientSession.Values[appview.SessionRefreshJwt] = atSessionish.GetRefreshJwt()

     

       143
       143
       -
       	clientSession.Values[appview.SessionExpiry] = time.Now().Add(time.Minute * 15).Format(time.RFC3339)

     

       177
       177
       +
       	clientSession.Values[appview.SessionExpiry] = time.Now().Add(ExpiryDuration).Format(time.RFC3339)

     

       144
       178
        
       	clientSession.Values[appview.SessionAuthenticated] = true

     

       145
       179
        
       	return clientSession.Save(r, w)

     

       180
       180
       +
       }

     

       181
       181
       +
       

     

       182
       182
       +
       func (a *Auth) RefreshSession(ctx context.Context, r *http.Request, w http.ResponseWriter, atSessionish Sessionish, pdsEndpoint string) error {

     

       183
       183
       +
       	client := xrpc.Client{

     

       184
       184
       +
       		Host: pdsEndpoint,

     

       185
       185
       +
       		Auth: &xrpc.AuthInfo{

     

       186
       186
       +
       			Did:        atSessionish.GetDid(),

     

       187
       187
       +
       			AccessJwt:  atSessionish.GetRefreshJwt(),

     

       188
       188
       +
       			RefreshJwt: atSessionish.GetRefreshJwt(),

     

       189
       189
       +
       		},

     

       190
       190
       +
       	}

     

       191
       191
       +
       

     

       192
       192
       +
       	atSession, err := comatproto.ServerRefreshSession(ctx, &client)

     

       193
       193
       +
       	if err != nil {

     

       194
       194
       +
       		return fmt.Errorf("failed to refresh session: %w", err)

     

       195
       195
       +
       	}

     

       196
       196
       +
       

     

       197
       197
       +
       	newAtSessionish := &RefreshSessionWrapper{atSession}

     

       198
       198
       +
       	err = a.StoreSession(r, w, newAtSessionish, pdsEndpoint)

     

       199
       199
       +
       	if err != nil {

     

       200
       200
       +
       		return fmt.Errorf("failed to store refreshed session: %w", err)

     

       201
       201
       +
       	}

     

       202
       202
       +
       

     

       203
       203
       +
       	return nil

     

       146
       204
        
       }

     

       147
       205
        
       

     

       148
       206
        
       func (a *Auth) AuthorizedClient(r *http.Request) (*xrpc.Client, error) {

+9 -44

appview/state/middleware.go

···

       5
       5
        
       	"log"

     

       6
       6
        
       	"net/http"

     

       7
       7
        
       	"strings"

     

       8
       8
       -
       	"time"

     

       9
       8
        
       

     

       10
       10
       -
       	comatproto "github.com/bluesky-social/indigo/api/atproto"

     

       11
       9
        
       	"github.com/bluesky-social/indigo/atproto/identity"

     

       12
       12
       -
       	"github.com/bluesky-social/indigo/xrpc"

     

       13
       10
        
       	"github.com/go-chi/chi/v5"

     

       14
       11
        
       	"github.com/sotangled/tangled/appview"

     

       15
       15
       -
       	"github.com/sotangled/tangled/appview/auth"

     

       16
       12
        
       	"github.com/sotangled/tangled/appview/db"

     

       17
       13
        
       )

     

       18
       14
        
       

     
···

       21
       17
        
       func AuthMiddleware(s *State) Middleware {

     

       22
       18
        
       	return func(next http.Handler) http.Handler {

     

       23
       19
        
       		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

     

       24
       24
       -
       			session, _ := s.auth.Store.Get(r, appview.SessionName)

     

       25
       25
       -
       			authorized, ok := session.Values[appview.SessionAuthenticated].(bool)

     

       26
       26
       -
       			if !ok || !authorized {

     

       27
       27
       -
       				log.Printf("not logged in, redirecting")

     

       20
       20
       +
       			if s.auth == nil {

     

       28
       21
        
       				http.Redirect(w, r, "/login", http.StatusTemporaryRedirect)

     

       29
       22
        
       				return

     

       30
       23
        
       			}

     

       31
       31
       -
       

     

       32
       32
       -
       			// refresh if nearing expiry

     

       33
       33
       -
       			// TODO: dedup with /login

     

       34
       34
       -
       			expiryStr := session.Values[appview.SessionExpiry].(string)

     

       35
       35
       -
       			expiry, err := time.Parse(time.RFC3339, expiryStr)

     

       24
       24
       +
       			err := s.RestoreSessionIfNeeded(r, w)

     

       36
       25
        
       			if err != nil {

     

       37
       37
       -
       				log.Println("invalid expiry time", err)

     

       38
       26
        
       				http.Redirect(w, r, "/login", http.StatusTemporaryRedirect)

     

       39
       27
        
       				return

     

       40
       28
        
       			}

     

       41
       41
       -
       			pdsUrl := session.Values[appview.SessionPds].(string)

     

       42
       42
       -
       			did := session.Values[appview.SessionDid].(string)

     

       43
       43
       -
       			refreshJwt := session.Values[appview.SessionRefreshJwt].(string)

     

       44
       29
        
       

     

       45
       45
       -
       			if time.Now().After(expiry) {

     

       46
       46
       -
       				log.Println("token expired, refreshing ...")

     

       47
       47
       -
       

     

       48
       48
       -
       				client := xrpc.Client{

     

       49
       49
       -
       					Host: pdsUrl,

     

       50
       50
       -
       					Auth: &xrpc.AuthInfo{

     

       51
       51
       -
       						Did:        did,

     

       52
       52
       -
       						AccessJwt:  refreshJwt,

     

       53
       53
       -
       						RefreshJwt: refreshJwt,

     

       54
       54
       -
       					},

     

       55
       55
       -
       				}

     

       56
       56
       -
       				atSession, err := comatproto.ServerRefreshSession(r.Context(), &client)

     

       57
       57
       -
       				if err != nil {

     

       58
       58
       -
       					log.Println("failed to refresh session", err)

     

       59
       59
       -
       					http.Redirect(w, r, "/login", http.StatusTemporaryRedirect)

     

       60
       60
       -
       					return

     

       61
       61
       -
       				}

     

       62
       62
       -
       

     

       63
       63
       -
       				sessionish := auth.RefreshSessionWrapper{atSession}

     

       64
       64
       -
       

     

       65
       65
       -
       				err = s.auth.StoreSession(r, w, &sessionish, pdsUrl)

     

       66
       66
       -
       				if err != nil {

     

       67
       67
       -
       					log.Printf("failed to store session for did: %s\n: %s", atSession.Did, err)

     

       68
       68
       -
       					return

     

       69
       69
       -
       				}

     

       70
       70
       -
       

     

       71
       71
       -
       				log.Println("successfully refreshed token")

     

       30
       30
       +
       			session, _ := s.auth.Store.Get(r, appview.SessionName)

     

       31
       31
       +
       			authorized, ok := session.Values[appview.SessionAuthenticated].(bool)

     

       32
       32
       +
       			if !ok || !authorized {

     

       33
       33
       +
       				log.Printf("not logged in, redirecting")

     

       34
       34
       +
       				http.Redirect(w, r, "/login", http.StatusTemporaryRedirect)

     

       35
       35
       +
       				return

     

       72
       36
        
       			}

     

       73
       37
        
       

     

       38
       38
       +
       			// refresh if nearing expiry

     

       74
       39
        
       			next.ServeHTTP(w, r)

     

       75
       40
        
       		})

     

       76
       41
        
       	}

+72

appview/state/session.go

···

       1
       1
       +
       package state

     

       2
       2
       +
       

     

       3
       3
       +
       import (

     

       4
       4
       +
       	"context"

     

       5
       5
       +
       	"fmt"

     

       6
       6
       +
       	"log"

     

       7
       7
       +
       	"net/http"

     

       8
       8
       +
       	"time"

     

       9
       9
       +
       

     

       10
       10
       +
       	"github.com/gorilla/sessions"

     

       11
       11
       +
       	"github.com/sotangled/tangled/appview"

     

       12
       12
       +
       	"github.com/sotangled/tangled/appview/auth"

     

       13
       13
       +
       )

     

       14
       14
       +
       

     

       15
       15
       +
       func (s *State) StartTokenRefresher(

     

       16
       16
       +
       	ctx context.Context,

     

       17
       17
       +
       	refreshInterval time.Duration,

     

       18
       18
       +
       	r *http.Request,

     

       19
       19
       +
       	w http.ResponseWriter,

     

       20
       20
       +
       	atSessionish auth.Sessionish,

     

       21
       21
       +
       	pdsEndpoint string,

     

       22
       22
       +
       ) {

     

       23
       23
       +
       	go func() {

     

       24
       24
       +
       		ticker := time.NewTicker(refreshInterval)

     

       25
       25
       +
       		defer ticker.Stop()

     

       26
       26
       +
       

     

       27
       27
       +
       		for {

     

       28
       28
       +
       			select {

     

       29
       29
       +
       			case <-ticker.C:

     

       30
       30
       +
       				err := s.auth.RefreshSession(ctx, r, w, atSessionish, pdsEndpoint)

     

       31
       31
       +
       				if err != nil {

     

       32
       32
       +
       					log.Printf("token refresh failed: %v", err)

     

       33
       33
       +
       				} else {

     

       34
       34
       +
       					log.Println("token refreshed successfully")

     

       35
       35
       +
       				}

     

       36
       36
       +
       			case <-ctx.Done():

     

       37
       37
       +
       				log.Println("stopping token refresher")

     

       38
       38
       +
       				return

     

       39
       39
       +
       			}

     

       40
       40
       +
       		}

     

       41
       41
       +
       	}()

     

       42
       42
       +
       }

     

       43
       43
       +
       

     

       44
       44
       +
       // RestoreSessionIfNeeded checks if a session exists in the request and starts a

     

       45
       45
       +
       // token refresher if it doesn't have one running already.

     

       46
       46
       +
       func (s *State) RestoreSessionIfNeeded(r *http.Request, w http.ResponseWriter) error {

     

       47
       47
       +
       	var session *sessions.Session

     

       48
       48
       +
       	var err error

     

       49
       49
       +
       	session, err = s.auth.GetSession(r)

     

       50
       50
       +
       	if err != nil {

     

       51
       51
       +
       		fmt.Errorf("error getting session: %w", err)

     

       52
       52
       +
       	}

     

       53
       53
       +
       

     

       54
       54
       +
       	did, ok := session.Values[appview.SessionDid].(string)

     

       55
       55
       +
       	if !ok {

     

       56
       56
       +
       		return fmt.Errorf("session did not contain a did")

     

       57
       57
       +
       	}

     

       58
       58
       +
       	sessionish := auth.ClientSessionish{Session: *session}

     

       59
       59
       +
       	pdsEndpoint := session.Values[appview.SessionPds].(string)

     

       60
       60
       +
       

     

       61
       61
       +
       	// If no refresher is running for this session, start one

     

       62
       62
       +
       	if _, exists := s.sessionCancelFuncs[did]; !exists {

     

       63
       63
       +
       		sessionCtx, cancel := context.WithCancel(context.Background())

     

       64
       64
       +
       		s.sessionCancelFuncs[did] = cancel

     

       65
       65
       +
       

     

       66
       66
       +
       		s.StartTokenRefresher(sessionCtx, auth.ExpiryDuration, r, w, &sessionish, pdsEndpoint)

     

       67
       67
       +
       

     

       68
       68
       +
       		log.Printf("restored session refresher for %s", did)

     

       69
       69
       +
       	}

     

       70
       70
       +
       

     

       71
       71
       +
       	return nil

     

       72
       72
       +
       }

+27 -1

appview/state/state.go

···

       36
       36
        
       	resolver *appview.Resolver

     

       37
       37
        
       	jc       *jetstream.JetstreamClient

     

       38
       38
        
       	config   *appview.Config

     

       39
       39
       +
       

     

       40
       40
       +
       	sessionCancelFuncs map[string]context.CancelFunc

     

       39
       41
        
       }

     

       40
       42
        
       

     

       41
       43
        
       func Make(config *appview.Config) (*State, error) {

     
···

       70
       72
        
       		return nil, fmt.Errorf("failed to start jetstream watcher: %w", err)

     

       71
       73
        
       	}

     

       72
       74
        
       

     

       75
       75
       +
       	sessionCancelFuncs := make(map[string]context.CancelFunc)

     

       76
       76
       +
       

     

       73
       77
        
       	state := &State{

     

       74
       78
        
       		d,

     

       75
       79
        
       		auth,

     
···

       79
       83
        
       		resolver,

     

       80
       84
        
       		jc,

     

       81
       85
        
       		config,

     

       86
       86
       +
       		sessionCancelFuncs,

     

       82
       87
        
       	}

     

       83
       88
        
       

     

       84
       89
        
       	return state, nil

     
···

       123
       128
        
       		}

     

       124
       129
        
       

     

       125
       130
        
       		log.Printf("successfully saved session for %s (%s)", atSession.Handle, atSession.Did)

     

       131
       131
       +
       

     

       132
       132
       +
       		sessionCtx, cancel := context.WithCancel(context.Background())

     

       133
       133
       +
       		s.sessionCancelFuncs[sessionish.GetDid()] = cancel

     

       134
       134
       +
       		expiry := auth.ExpiryDuration

     

       135
       135
       +
       

     

       136
       136
       +
       		go s.StartTokenRefresher(sessionCtx, expiry, r, w, &sessionish, resolved.PDSEndpoint())

     

       137
       137
       +
       

     

       126
       138
        
       		s.pages.HxRedirect(w, "/")

     

       127
       139
        
       		return

     

       128
       140
        
       	}

     

       129
       141
        
       }

     

       130
       142
        
       

     

       131
       143
        
       func (s *State) Logout(w http.ResponseWriter, r *http.Request) {

     

       144
       144
       +
       	session, err := s.auth.GetSession(r)

     

       145
       145
       +
       	did := session.Values[appview.SessionDid].(string)

     

       146
       146
       +
       	if err == nil {

     

       147
       147
       +
       		if cancel, exists := s.sessionCancelFuncs[did]; exists {

     

       148
       148
       +
       			cancel()

     

       149
       149
       +
       			delete(s.sessionCancelFuncs, did)

     

       150
       150
       +
       		}

     

       151
       151
       +
       	}

     

       152
       152
       +
       

     

       132
       153
        
       	s.auth.ClearSession(r, w)

     

       133
       154
        
       	http.Redirect(w, r, "/login", http.StatusTemporaryRedirect)

     

       134
       155
        
       }

     
···

       512
       533
        
       	switch r.Method {

     

       513
       534
        
       	case http.MethodGet:

     

       514
       535
        
       		user := s.auth.GetUser(r)

     

       536
       536
       +
       		err := s.enforcer.AddMember("knot1.tangled.sh", user.Did)

     

       537
       537
       +
       		if err != nil {

     

       538
       538
       +
       			log.Println("failed to add user to knot1.tangled.sh: ", err)

     

       539
       539
       +
       			s.pages.Notice(w, "repo", "Failed to add user to knot1.tangled.sh. You should be able to use your own knot however.")

     

       540
       540
       +
       		}

     

       541
       541
       +
       

     

       515
       542
        
       		knots, err := s.enforcer.GetDomainsForUser(user.Did)

     

       516
       516
       -
       

     

       517
       543
        
       		if err != nil {

     

       518
       544
        
       			s.pages.Notice(w, "repo", "Invalid user account.")

     

       519
       545
        
       			return