veryroundbird.house
1package oauth
2
3import (
4 "bytes"
5 "context"
6 "encoding/json"
7 "fmt"
8 "log"
9 "net/http"
10 "net/url"
11 "strings"
12 "time"
13
14 "github.com/go-chi/chi/v5"
15 "github.com/gorilla/sessions"
16 "github.com/lestrrat-go/jwx/v2/jwk"
17 "github.com/posthog/posthog-go"
18 "tangled.sh/icyphox.sh/atproto-oauth/helpers"
19 tangled "tangled.sh/tangled.sh/core/api/tangled"
20 sessioncache "tangled.sh/tangled.sh/core/appview/cache/session"
21 "tangled.sh/tangled.sh/core/appview/config"
22 "tangled.sh/tangled.sh/core/appview/db"
23 "tangled.sh/tangled.sh/core/appview/middleware"
24 "tangled.sh/tangled.sh/core/appview/oauth"
25 "tangled.sh/tangled.sh/core/appview/oauth/client"
26 "tangled.sh/tangled.sh/core/appview/pages"
27 "tangled.sh/tangled.sh/core/idresolver"
28 "tangled.sh/tangled.sh/core/knotclient"
29 "tangled.sh/tangled.sh/core/rbac"
30 "tangled.sh/tangled.sh/core/tid"
31)
32
33const (
34 oauthScope = "atproto transition:generic"
35)
36
37type OAuthHandler struct {
38 config *config.Config
39 pages *pages.Pages
40 idResolver *idresolver.Resolver
41 sess *sessioncache.SessionStore
42 db *db.DB
43 store *sessions.CookieStore
44 oauth *oauth.OAuth
45 enforcer *rbac.Enforcer
46 posthog posthog.Client
47}
48
49func New(
50 config *config.Config,
51 pages *pages.Pages,
52 idResolver *idresolver.Resolver,
53 db *db.DB,
54 sess *sessioncache.SessionStore,
55 store *sessions.CookieStore,
56 oauth *oauth.OAuth,
57 enforcer *rbac.Enforcer,
58 posthog posthog.Client,
59) *OAuthHandler {
60 return &OAuthHandler{
61 config: config,
62 pages: pages,
63 idResolver: idResolver,
64 db: db,
65 sess: sess,
66 store: store,
67 oauth: oauth,
68 enforcer: enforcer,
69 posthog: posthog,
70 }
71}
72
73func (o *OAuthHandler) Router() http.Handler {
74 r := chi.NewRouter()
75
76 r.Get("/login", o.login)
77 r.Post("/login", o.login)
78
79 r.With(middleware.AuthMiddleware(o.oauth)).Post("/logout", o.logout)
80
81 r.Get("/oauth/client-metadata.json", o.clientMetadata)
82 r.Get("/oauth/jwks.json", o.jwks)
83 r.Get("/oauth/callback", o.callback)
84 return r
85}
86
87func (o *OAuthHandler) clientMetadata(w http.ResponseWriter, r *http.Request) {
88 w.Header().Set("Content-Type", "application/json")
89 w.WriteHeader(http.StatusOK)
90 json.NewEncoder(w).Encode(o.oauth.ClientMetadata())
91}
92
93func (o *OAuthHandler) jwks(w http.ResponseWriter, r *http.Request) {
94 jwks := o.config.OAuth.Jwks
95 pubKey, err := pubKeyFromJwk(jwks)
96 if err != nil {
97 log.Printf("error parsing public key: %v", err)
98 http.Error(w, err.Error(), http.StatusInternalServerError)
99 return
100 }
101
102 response := helpers.CreateJwksResponseObject(pubKey)
103
104 w.Header().Set("Content-Type", "application/json")
105 w.WriteHeader(http.StatusOK)
106 json.NewEncoder(w).Encode(response)
107}
108
109func (o *OAuthHandler) login(w http.ResponseWriter, r *http.Request) {
110 switch r.Method {
111 case http.MethodGet:
112 returnURL := r.URL.Query().Get("return_url")
113 o.pages.Login(w, pages.LoginParams{
114 ReturnUrl: returnURL,
115 })
116 case http.MethodPost:
117 handle := r.FormValue("handle")
118
119 // when users copy their handle from bsky.app, it tends to have these characters around it:
120 //
121 // @nelind.dk:
122 // \u202a ensures that the handle is always rendered left to right and
123 // \u202c reverts that so the rest of the page renders however it should
124 handle = strings.TrimPrefix(handle, "\u202a")
125 handle = strings.TrimSuffix(handle, "\u202c")
126
127 // `@` is harmless
128 handle = strings.TrimPrefix(handle, "@")
129
130 // basic handle validation
131 if !strings.Contains(handle, ".") {
132 log.Println("invalid handle format", "raw", handle)
133 o.pages.Notice(w, "login-msg", fmt.Sprintf("\"%s\" is an invalid handle. Did you mean %s.bsky.social?", handle, handle))
134 return
135 }
136
137 resolved, err := o.idResolver.ResolveIdent(r.Context(), handle)
138 if err != nil {
139 log.Println("failed to resolve handle:", err)
140 o.pages.Notice(w, "login-msg", fmt.Sprintf("\"%s\" is an invalid handle.", handle))
141 return
142 }
143 self := o.oauth.ClientMetadata()
144 oauthClient, err := client.NewClient(
145 self.ClientID,
146 o.config.OAuth.Jwks,
147 self.RedirectURIs[0],
148 )
149
150 if err != nil {
151 log.Println("failed to create oauth client:", err)
152 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
153 return
154 }
155
156 authServer, err := oauthClient.ResolvePdsAuthServer(r.Context(), resolved.PDSEndpoint())
157 if err != nil {
158 log.Println("failed to resolve auth server:", err)
159 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
160 return
161 }
162
163 authMeta, err := oauthClient.FetchAuthServerMetadata(r.Context(), authServer)
164 if err != nil {
165 log.Println("failed to fetch auth server metadata:", err)
166 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
167 return
168 }
169
170 dpopKey, err := helpers.GenerateKey(nil)
171 if err != nil {
172 log.Println("failed to generate dpop key:", err)
173 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
174 return
175 }
176
177 dpopKeyJson, err := json.Marshal(dpopKey)
178 if err != nil {
179 log.Println("failed to marshal dpop key:", err)
180 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
181 return
182 }
183
184 parResp, err := oauthClient.SendParAuthRequest(r.Context(), authServer, authMeta, handle, oauthScope, dpopKey)
185 if err != nil {
186 log.Println("failed to send par auth request:", err)
187 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
188 return
189 }
190
191 err = o.sess.SaveRequest(r.Context(), sessioncache.OAuthRequest{
192 Did: resolved.DID.String(),
193 PdsUrl: resolved.PDSEndpoint(),
194 Handle: handle,
195 AuthserverIss: authMeta.Issuer,
196 PkceVerifier: parResp.PkceVerifier,
197 DpopAuthserverNonce: parResp.DpopAuthserverNonce,
198 DpopPrivateJwk: string(dpopKeyJson),
199 State: parResp.State,
200 ReturnUrl: r.FormValue("return_url"),
201 })
202 if err != nil {
203 log.Println("failed to save oauth request:", err)
204 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
205 return
206 }
207
208 u, _ := url.Parse(authMeta.AuthorizationEndpoint)
209 query := url.Values{}
210 query.Add("client_id", self.ClientID)
211 query.Add("request_uri", parResp.RequestUri)
212 u.RawQuery = query.Encode()
213 o.pages.HxRedirect(w, u.String())
214 }
215}
216
217func (o *OAuthHandler) callback(w http.ResponseWriter, r *http.Request) {
218 state := r.FormValue("state")
219
220 oauthRequest, err := o.sess.GetRequestByState(r.Context(), state)
221 if err != nil {
222 log.Println("failed to get oauth request:", err)
223 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
224 return
225 }
226
227 defer func() {
228 err := o.sess.DeleteRequestByState(r.Context(), state)
229 if err != nil {
230 log.Println("failed to delete oauth request for state:", state, err)
231 }
232 }()
233
234 error := r.FormValue("error")
235 errorDescription := r.FormValue("error_description")
236 if error != "" || errorDescription != "" {
237 log.Printf("error: %s, %s", error, errorDescription)
238 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
239 return
240 }
241
242 code := r.FormValue("code")
243 if code == "" {
244 log.Println("missing code for state: ", state)
245 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
246 return
247 }
248
249 iss := r.FormValue("iss")
250 if iss == "" {
251 log.Println("missing iss for state: ", state)
252 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
253 return
254 }
255
256 if iss != oauthRequest.AuthserverIss {
257 log.Println("mismatched iss:", iss, "!=", oauthRequest.AuthserverIss, "for state:", state)
258 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
259 return
260 }
261
262 self := o.oauth.ClientMetadata()
263
264 oauthClient, err := client.NewClient(
265 self.ClientID,
266 o.config.OAuth.Jwks,
267 self.RedirectURIs[0],
268 )
269
270 if err != nil {
271 log.Println("failed to create oauth client:", err)
272 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
273 return
274 }
275
276 jwk, err := helpers.ParseJWKFromBytes([]byte(oauthRequest.DpopPrivateJwk))
277 if err != nil {
278 log.Println("failed to parse jwk:", err)
279 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
280 return
281 }
282
283 tokenResp, err := oauthClient.InitialTokenRequest(
284 r.Context(),
285 code,
286 oauthRequest.AuthserverIss,
287 oauthRequest.PkceVerifier,
288 oauthRequest.DpopAuthserverNonce,
289 jwk,
290 )
291 if err != nil {
292 log.Println("failed to get token:", err)
293 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
294 return
295 }
296
297 if tokenResp.Scope != oauthScope {
298 log.Println("scope doesn't match:", tokenResp.Scope)
299 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
300 return
301 }
302
303 err = o.oauth.SaveSession(w, r, *oauthRequest, tokenResp)
304 if err != nil {
305 log.Println("failed to save session:", err)
306 o.pages.Notice(w, "login-msg", "Failed to authenticate. Try again later.")
307 return
308 }
309
310 log.Println("session saved successfully")
311 go o.addToDefaultKnot(oauthRequest.Did)
312 go o.addToDefaultSpindle(oauthRequest.Did)
313
314 if !o.config.Core.Dev {
315 err = o.posthog.Enqueue(posthog.Capture{
316 DistinctId: oauthRequest.Did,
317 Event: "signin",
318 })
319 if err != nil {
320 log.Println("failed to enqueue posthog event:", err)
321 }
322 }
323
324 returnUrl := oauthRequest.ReturnUrl
325 if returnUrl == "" {
326 returnUrl = "/"
327 }
328
329 http.Redirect(w, r, returnUrl, http.StatusFound)
330}
331
332func (o *OAuthHandler) logout(w http.ResponseWriter, r *http.Request) {
333 err := o.oauth.ClearSession(r, w)
334 if err != nil {
335 log.Println("failed to clear session:", err)
336 http.Redirect(w, r, "/", http.StatusFound)
337 return
338 }
339
340 log.Println("session cleared successfully")
341 o.pages.HxRedirect(w, "/login")
342}
343
344func pubKeyFromJwk(jwks string) (jwk.Key, error) {
345 k, err := helpers.ParseJWKFromBytes([]byte(jwks))
346 if err != nil {
347 return nil, err
348 }
349 pubKey, err := k.PublicKey()
350 if err != nil {
351 return nil, err
352 }
353 return pubKey, nil
354}
355
356func (o *OAuthHandler) addToDefaultSpindle(did string) {
357 // use the tangled.sh app password to get an accessJwt
358 // and create an sh.tangled.spindle.member record with that
359
360 defaultSpindle := "spindle.tangled.sh"
361 appPassword := o.config.Core.AppPassword
362
363 spindleMembers, err := db.GetSpindleMembers(
364 o.db,
365 db.FilterEq("instance", "spindle.tangled.sh"),
366 db.FilterEq("subject", did),
367 )
368 if err != nil {
369 log.Printf("failed to get spindle members for did %s: %v", did, err)
370 return
371 }
372
373 if len(spindleMembers) != 0 {
374 log.Printf("did %s is already a member of the default spindle", did)
375 return
376 }
377
378 // TODO: hardcoded tangled handle and did for now
379 tangledHandle := "tangled.sh"
380 tangledDid := "did:plc:wshs7t2adsemcrrd4snkeqli"
381
382 if appPassword == "" {
383 log.Println("no app password configured, skipping spindle member addition")
384 return
385 }
386
387 log.Printf("adding %s to default spindle", did)
388
389 resolved, err := o.idResolver.ResolveIdent(context.Background(), tangledDid)
390 if err != nil {
391 log.Printf("failed to resolve tangled.sh DID %s: %v", tangledDid, err)
392 return
393 }
394
395 pdsEndpoint := resolved.PDSEndpoint()
396 if pdsEndpoint == "" {
397 log.Printf("no PDS endpoint found for tangled.sh DID %s", tangledDid)
398 return
399 }
400
401 sessionPayload := map[string]string{
402 "identifier": tangledHandle,
403 "password": appPassword,
404 }
405 sessionBytes, err := json.Marshal(sessionPayload)
406 if err != nil {
407 log.Printf("failed to marshal session payload: %v", err)
408 return
409 }
410
411 sessionURL := pdsEndpoint + "/xrpc/com.atproto.server.createSession"
412 sessionReq, err := http.NewRequestWithContext(context.Background(), "POST", sessionURL, bytes.NewBuffer(sessionBytes))
413 if err != nil {
414 log.Printf("failed to create session request: %v", err)
415 return
416 }
417 sessionReq.Header.Set("Content-Type", "application/json")
418
419 client := &http.Client{Timeout: 30 * time.Second}
420 sessionResp, err := client.Do(sessionReq)
421 if err != nil {
422 log.Printf("failed to create session: %v", err)
423 return
424 }
425 defer sessionResp.Body.Close()
426
427 if sessionResp.StatusCode != http.StatusOK {
428 log.Printf("failed to create session: HTTP %d", sessionResp.StatusCode)
429 return
430 }
431
432 var session struct {
433 AccessJwt string `json:"accessJwt"`
434 }
435 if err := json.NewDecoder(sessionResp.Body).Decode(&session); err != nil {
436 log.Printf("failed to decode session response: %v", err)
437 return
438 }
439
440 record := tangled.SpindleMember{
441 LexiconTypeID: "sh.tangled.spindle.member",
442 Subject: did,
443 Instance: defaultSpindle,
444 CreatedAt: time.Now().Format(time.RFC3339),
445 }
446
447 recordBytes, err := json.Marshal(record)
448 if err != nil {
449 log.Printf("failed to marshal spindle member record: %v", err)
450 return
451 }
452
453 payload := map[string]interface{}{
454 "repo": tangledDid,
455 "collection": tangled.SpindleMemberNSID,
456 "rkey": tid.TID(),
457 "record": json.RawMessage(recordBytes),
458 }
459
460 payloadBytes, err := json.Marshal(payload)
461 if err != nil {
462 log.Printf("failed to marshal request payload: %v", err)
463 return
464 }
465
466 url := pdsEndpoint + "/xrpc/com.atproto.repo.putRecord"
467 req, err := http.NewRequestWithContext(context.Background(), "POST", url, bytes.NewBuffer(payloadBytes))
468 if err != nil {
469 log.Printf("failed to create HTTP request: %v", err)
470 return
471 }
472
473 req.Header.Set("Content-Type", "application/json")
474 req.Header.Set("Authorization", "Bearer "+session.AccessJwt)
475
476 resp, err := client.Do(req)
477 if err != nil {
478 log.Printf("failed to add user to default spindle: %v", err)
479 return
480 }
481 defer resp.Body.Close()
482
483 if resp.StatusCode != http.StatusOK {
484 log.Printf("failed to add user to default spindle: HTTP %d", resp.StatusCode)
485 return
486 }
487
488 log.Printf("successfully added %s to default spindle", did)
489}
490
491func (o *OAuthHandler) addToDefaultKnot(did string) {
492 defaultKnot := "knot1.tangled.sh"
493
494 log.Printf("adding %s to default knot", did)
495 err := o.enforcer.AddKnotMember(defaultKnot, did)
496 if err != nil {
497 log.Println("failed to add user to knot1.tangled.sh: ", err)
498 return
499 }
500 err = o.enforcer.E.SavePolicy()
501 if err != nil {
502 log.Println("failed to add user to knot1.tangled.sh: ", err)
503 return
504 }
505
506 secret, err := db.GetRegistrationKey(o.db, defaultKnot)
507 if err != nil {
508 log.Println("failed to get registration key for knot1.tangled.sh")
509 return
510 }
511 signedClient, err := knotclient.NewSignedClient(defaultKnot, secret, o.config.Core.Dev)
512 resp, err := signedClient.AddMember(did)
513 if err != nil {
514 log.Println("failed to add user to knot1.tangled.sh: ", err)
515 return
516 }
517
518 if resp.StatusCode != http.StatusNoContent {
519 log.Println("failed to add user to knot1.tangled.sh: ", resp.StatusCode)
520 return
521 }
522}