Opt: oauth2 state handler

zijiren233 2 years ago
parent b46e1f501f
commit 688f093558

@ -1,8 +1,6 @@
package auth package auth
import ( import (
"context"
"errors"
"fmt" "fmt"
"net/http" "net/http"
"time" "time"
@ -30,11 +28,7 @@ func OAuth2(ctx *gin.Context) {
} }
state := utils.RandString(16) state := utils.RandString(16)
states.Store(state, stateMeta{ states.Store(state, newAuthFunc(ctx.Query("redirect")), time.Minute*5)
OAuth2Req: model.OAuth2Req{
Redirect: ctx.Query("redirect"),
},
}, time.Minute*5)
RenderRedirect(ctx, pi.NewAuthURL(state)) RenderRedirect(ctx, pi.NewAuthURL(state))
} }
@ -53,9 +47,7 @@ func OAuth2Api(ctx *gin.Context) {
} }
state := utils.RandString(16) state := utils.RandString(16)
states.Store(state, stateMeta{ states.Store(state, newAuthFunc(meta.Redirect), time.Minute*5)
OAuth2Req: meta,
}, time.Minute*5)
ctx.JSON(http.StatusOK, model.NewApiDataResp(gin.H{ ctx.JSON(http.StatusOK, model.NewApiDataResp(gin.H{
"url": pi.NewAuthURL(state), "url": pi.NewAuthURL(state),
@ -77,17 +69,15 @@ func OAuth2Callback(ctx *gin.Context) {
return return
} }
ld, err := login(ctx, ctx.Query("state"), code, pi) meta, loaded := states.LoadAndDelete(ctx.Query("state"))
if err != nil { if !loaded {
if err == op.ErrUserBanned || err == op.ErrUserPending { ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorStringResp("invalid oauth2 state"))
ctx.AbortWithStatusJSON(http.StatusForbidden, model.NewApiErrorResp(err))
return
}
ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err))
return return
} }
RenderToken(ctx, ld.redirect, ld.token) if meta.Value() != nil {
meta.Value()(ctx, pi, code)
}
} }
// POST // POST
@ -104,77 +94,65 @@ func OAuth2CallbackApi(ctx *gin.Context) {
ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err)) ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err))
} }
ld, err := login(ctx, req.State, req.Code, pi) meta, loaded := states.LoadAndDelete(req.State)
if err != nil { if !loaded {
if err == op.ErrUserBanned || err == op.ErrUserPending { ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorStringResp("invalid oauth2 state"))
ctx.AbortWithStatusJSON(http.StatusForbidden, model.NewApiErrorResp(err))
return
}
ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err))
return return
} }
ctx.JSON(http.StatusOK, model.NewApiDataResp(gin.H{ if meta.Value() != nil {
"token": ld.token, meta.Value()(ctx, pi, req.Code)
"redirect": ld.redirect,
}))
}
type loginData struct {
token, redirect string
}
func login(ctx context.Context, state, code string, pi provider.ProviderInterface) (*loginData, error) {
meta, loaded := states.LoadAndDelete(state)
if !loaded {
return nil, errors.New("invalid oauth2 state")
} }
}
t, err := pi.GetToken(ctx, code) func newAuthFunc(redirect string) stateHandler {
if err != nil { return func(ctx *gin.Context, pi provider.ProviderInterface, code string) {
return nil, err t, err := pi.GetToken(ctx, code)
} if err != nil {
ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err))
return
}
ui, err := pi.GetUserInfo(ctx, t) ui, err := pi.GetUserInfo(ctx, t)
if err != nil { if err != nil {
return nil, err ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err))
} return
}
pgs, loaded := bootstrap.ProviderGroupSettings[dbModel.SettingGroup(fmt.Sprintf("%s_%s", dbModel.SettingGroupOauth2, pi.Provider()))] pgs, loaded := bootstrap.ProviderGroupSettings[dbModel.SettingGroup(fmt.Sprintf("%s_%s", dbModel.SettingGroupOauth2, pi.Provider()))]
if !loaded { if !loaded {
return nil, errors.New("invalid oauth2 provider") ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorStringResp("invalid oauth2 provider"))
} return
}
var user *op.User var user *op.User
if meta.Value().BindUserId != "" { if settings.DisableUserSignup.Get() || pgs.DisableUserSignup.Get() {
user, err = op.LoadOrInitUserByID(meta.Value().BindUserId) user, err = op.GetUserByProvider(pi.Provider(), ui.ProviderUserID)
} else if settings.DisableUserSignup.Get() || pgs.DisableUserSignup.Get() {
user, err = op.GetUserByProvider(pi.Provider(), ui.ProviderUserID)
} else {
if settings.SignupNeedReview.Get() || pgs.SignupNeedReview.Get() {
user, err = op.CreateOrLoadUserWithProvider(ui.Username, utils.RandString(16), pi.Provider(), ui.ProviderUserID, db.WithRole(dbModel.RolePending))
} else { } else {
user, err = op.CreateOrLoadUserWithProvider(ui.Username, utils.RandString(16), pi.Provider(), ui.ProviderUserID) if settings.SignupNeedReview.Get() || pgs.SignupNeedReview.Get() {
user, err = op.CreateOrLoadUserWithProvider(ui.Username, utils.RandString(16), pi.Provider(), ui.ProviderUserID, db.WithRole(dbModel.RolePending))
} else {
user, err = op.CreateOrLoadUserWithProvider(ui.Username, utils.RandString(16), pi.Provider(), ui.ProviderUserID)
}
}
if err != nil {
ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err))
return
} }
}
if err != nil {
return nil, err
}
if meta.Value().BindUserId != "" { token, err := middlewares.NewAuthUserToken(user)
err = user.BindProvider(pi.Provider(), ui.ProviderUserID)
if err != nil { if err != nil {
return nil, err ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err))
return
} }
}
token, err := middlewares.NewAuthUserToken(user) if ctx.Request.Method == http.MethodGet {
if err != nil { RenderToken(ctx, redirect, token)
return nil, err } else if ctx.Request.Method == http.MethodPost {
ctx.JSON(http.StatusOK, model.NewApiDataResp(gin.H{
"token": token,
"redirect": redirect,
}))
}
} }
return &loginData{
token: token,
redirect: meta.Value().Redirect,
}, nil
} }
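Review bot: The forbidden-status path is dropped in newAuthFunc: the old callback mapped op.ErrUserBanned and op.ErrUserPending to 403, while the new handler at L117-L122 answers every NewAuthUserToken error with 400, so a banned or pending account is no longer distinguishable from a malformed request (the same regression is in newBindFunc in the bind file, L181-L185). Suggest restoring the branch ahead of the generic abort: `if err == op.ErrUserBanned || err == op.ErrUserPending { ctx.AbortWithStatusJSON(http.StatusForbidden, model.NewApiErrorResp(err)); return }`. In OAuth2Callback and OAuth2CallbackApi (L46-L48, L63-L65) a nil handler value falls through without writing any response; an explicit abort in the else case, e.g. `ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorStringResp("invalid oauth2 state"))`, keeps the failure visible instead of returning an empty 200. newAuthFunc also writes nothing for methods other than GET and POST (L124-L131), which looks unreachable from the two callers but deserves either a comment saying so or a default abort. Separately, the context `if` that ends at L53 in OAuth2CallbackApi appears to abort without returning, so a bind failure would continue into LoadAndDelete with an empty state; worth confirming against the lines above the hunk.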

@ -9,6 +9,7 @@ import (
"github.com/synctv-org/synctv/internal/op" "github.com/synctv-org/synctv/internal/op"
"github.com/synctv-org/synctv/internal/provider" "github.com/synctv-org/synctv/internal/provider"
"github.com/synctv-org/synctv/internal/provider/providers" "github.com/synctv-org/synctv/internal/provider/providers"
"github.com/synctv-org/synctv/server/middlewares"
"github.com/synctv-org/synctv/server/model" "github.com/synctv-org/synctv/server/model"
"github.com/synctv-org/synctv/utils" "github.com/synctv-org/synctv/utils"
) )
@ -28,10 +29,7 @@ func BindApi(ctx *gin.Context) {
} }
state := utils.RandString(16) state := utils.RandString(16)
states.Store(state, stateMeta{ states.Store(state, newBindFunc(user.ID, meta.Redirect), time.Minute*5)
OAuth2Req: meta,
BindUserId: user.ID,
}, time.Minute*5)
ctx.JSON(http.StatusOK, model.NewApiDataResp(gin.H{ ctx.JSON(http.StatusOK, model.NewApiDataResp(gin.H{
"url": pi.NewAuthURL(state), "url": pi.NewAuthURL(state),
@ -55,3 +53,42 @@ func UnBindApi(ctx *gin.Context) {
ctx.Status(http.StatusNoContent) ctx.Status(http.StatusNoContent)
} }
func newBindFunc(userID, redirect string) stateHandler {
return func(ctx *gin.Context, pi provider.ProviderInterface, code string) {
t, err := pi.GetToken(ctx, code)
if err != nil {
ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err))
return
}
ui, err := pi.GetUserInfo(ctx, t)
if err != nil {
ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err))
return
}
user, err := op.LoadOrInitUserByID(userID)
if err != nil {
ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err))
return
}
err = user.BindProvider(pi.Provider(), ui.ProviderUserID)
if err != nil {
ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err))
return
}
token, err := middlewares.NewAuthUserToken(user)
if err != nil {
ctx.AbortWithStatusJSON(http.StatusBadRequest, model.NewApiErrorResp(err))
return
}
ctx.JSON(http.StatusOK, model.NewApiDataResp(gin.H{
"token": token,
"redirect": redirect,
}))
}
}
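Review bot: newBindFunc links the provider identity to the userID captured when the state was created (L171-L176) without confirming that the request completing the callback belongs to that same user; as far as this page shows, OAuth2Callback runs whichever handler is stored under the presented state value, so the captured userID is trusted on its own. If the callback route carries the caller's authenticated user, comparing it with userID and aborting with 403 on mismatch inside the handler would close that gap; if the route is intentionally unauthenticated, that constraint should at least be stated in a comment on newBindFunc. A doc comment is missing in any case, e.g. `// newBindFunc returns the stateHandler that, once the provider calls back, links the provider account to userID and issues a fresh auth token; it writes the HTTP response itself.`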

@ -6,7 +6,7 @@ import (
"time" "time"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/synctv-org/synctv/server/model" "github.com/synctv-org/synctv/internal/provider"
"github.com/zijiren233/gencontainer/synccache" "github.com/zijiren233/gencontainer/synccache"
) )
@ -16,13 +16,10 @@ var temp embed.FS
var ( var (
redirectTemplate *template.Template redirectTemplate *template.Template
tokenTemplate *template.Template tokenTemplate *template.Template
states *synccache.SyncCache[string, stateMeta] states *synccache.SyncCache[string, stateHandler]
) )
type stateMeta struct { type stateHandler func(ctx *gin.Context, pi provider.ProviderInterface, code string)
model.OAuth2Req
BindUserId string
}
func RenderRedirect(ctx *gin.Context, url string) error { func RenderRedirect(ctx *gin.Context, url string) error {
ctx.Header("Content-Type", "text/html; charset=utf-8") ctx.Header("Content-Type", "text/html; charset=utf-8")
@ -37,5 +34,5 @@ func RenderToken(ctx *gin.Context, url, token string) error {
func init() { func init() {
redirectTemplate = template.Must(template.ParseFS(temp, "templates/redirect.html")) redirectTemplate = template.Must(template.ParseFS(temp, "templates/redirect.html"))
tokenTemplate = template.Must(template.ParseFS(temp, "templates/token.html")) tokenTemplate = template.Must(template.ParseFS(temp, "templates/token.html"))
states = synccache.NewSyncCache[string, stateMeta](time.Minute * 10) states = synccache.NewSyncCache[string, stateHandler](time.Minute * 10)
} }
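Review bot: stateHandler at L205 has no doc comment, and the type now carries the whole contract of the flow: the value is stored under the random state key, consumed once by LoadAndDelete, and must write the HTTP response itself or the callback returns nothing. Suggest `// stateHandler completes an OAuth2 flow once the provider calls back with code; it is stored under the state value, consumed exactly once, and is responsible for writing the HTTP response.` above the type. The cache is still constructed with a 10-minute TTL at L215 while every Store passes five minutes (L19, L29, L150); a comment on which value governs expiry, or a shared constant, would keep the two from drifting apart.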
