All checks were successful
release-tag / release-image (push) Successful in 1m41s
396 lines
12 KiB
Go
396 lines
12 KiB
Go
package web
|
|
|
|
import (
|
|
"context"
|
|
"crypto/hmac"
|
|
"crypto/rand"
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"log/slog"
|
|
"net/http"
|
|
"net/url"
|
|
"os"
|
|
"strings"
|
|
"time"
|
|
|
|
"go-htmx-chat/internal/store"
|
|
)
|
|
|
|
type AuthMode string
|
|
|
|
const (
|
|
AuthModeLocal AuthMode = "local"
|
|
AuthModeOIDC AuthMode = "oidc"
|
|
)
|
|
|
|
type AuthConfig struct {
|
|
Mode AuthMode
|
|
Issuer string
|
|
ClientID string
|
|
ClientSecret string
|
|
RedirectURL string
|
|
Scopes []string
|
|
SessionSecret []byte
|
|
AdminMatchers []string
|
|
RoomCreatorRoles []store.Role
|
|
}
|
|
|
|
type oidcDiscovery struct {
|
|
AuthorizationEndpoint string `json:"authorization_endpoint"`
|
|
TokenEndpoint string `json:"token_endpoint"`
|
|
UserInfoEndpoint string `json:"userinfo_endpoint"`
|
|
Issuer string `json:"issuer"`
|
|
}
|
|
|
|
type oauthTokenResponse struct {
|
|
AccessToken string `json:"access_token"`
|
|
TokenType string `json:"token_type"`
|
|
IDToken string `json:"id_token"`
|
|
ExpiresIn int `json:"expires_in"`
|
|
}
|
|
|
|
type userClaims struct {
|
|
Subject string `json:"sub"`
|
|
PreferredUsername string `json:"preferred_username"`
|
|
Name string `json:"name"`
|
|
Email string `json:"email"`
|
|
}
|
|
|
|
type sessionData struct {
|
|
Username string `json:"username"`
|
|
Subject string `json:"sub,omitempty"`
|
|
Email string `json:"email,omitempty"`
|
|
Expires int64 `json:"exp"`
|
|
}
|
|
|
|
func AuthConfigFromEnv(logger *slog.Logger) (AuthConfig, error) {
|
|
mode := AuthMode(strings.ToLower(strings.TrimSpace(getenv("AUTH_MODE", "local"))))
|
|
if mode != AuthModeLocal && mode != AuthModeOIDC {
|
|
return AuthConfig{}, fmt.Errorf("unsupported AUTH_MODE %q", mode)
|
|
}
|
|
|
|
secret := strings.TrimSpace(os.Getenv("SESSION_SECRET"))
|
|
var secretBytes []byte
|
|
if secret == "" {
|
|
secretBytes = make([]byte, 32)
|
|
if _, err := rand.Read(secretBytes); err != nil {
|
|
return AuthConfig{}, err
|
|
}
|
|
logger.Warn("SESSION_SECRET is not set; generated a temporary secret. Existing sessions will be invalid after restart")
|
|
} else {
|
|
decoded, err := base64.StdEncoding.DecodeString(secret)
|
|
if err == nil && len(decoded) >= 32 {
|
|
secretBytes = decoded
|
|
} else {
|
|
secretBytes = []byte(secret)
|
|
}
|
|
if len(secretBytes) < 32 {
|
|
return AuthConfig{}, errors.New("SESSION_SECRET must be at least 32 bytes or a base64 encoded 32 byte value")
|
|
}
|
|
}
|
|
|
|
cfg := AuthConfig{
|
|
Mode: mode,
|
|
Issuer: strings.TrimRight(strings.TrimSpace(os.Getenv("OIDC_ISSUER")), "/"),
|
|
ClientID: strings.TrimSpace(os.Getenv("OIDC_CLIENT_ID")),
|
|
ClientSecret: strings.TrimSpace(os.Getenv("OIDC_CLIENT_SECRET")),
|
|
RedirectURL: strings.TrimSpace(os.Getenv("OIDC_REDIRECT_URL")),
|
|
Scopes: splitScopes(getenv("OIDC_SCOPES", "openid profile email")),
|
|
SessionSecret: secretBytes,
|
|
AdminMatchers: splitCSV(os.Getenv("CHAT_ADMINS")),
|
|
RoomCreatorRoles: parseRoles(getenv("ROOM_CREATE_ROLES", "admin,moderator")),
|
|
}
|
|
if cfg.Mode == AuthModeOIDC {
|
|
if cfg.Issuer == "" || cfg.ClientID == "" || cfg.ClientSecret == "" || cfg.RedirectURL == "" {
|
|
return AuthConfig{}, errors.New("AUTH_MODE=oidc requires OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET and OIDC_REDIRECT_URL")
|
|
}
|
|
}
|
|
return cfg, nil
|
|
}
|
|
|
|
func (s *Server) discoverOIDC() error {
|
|
if s.auth.Mode != AuthModeOIDC {
|
|
return nil
|
|
}
|
|
discoveryURL := s.auth.Issuer + "/.well-known/openid-configuration"
|
|
req, err := http.NewRequest(http.MethodGet, discoveryURL, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
resp, err := http.DefaultClient.Do(req)
|
|
if err != nil {
|
|
return fmt.Errorf("OIDC discovery failed: %w", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
if resp.StatusCode < 200 || resp.StatusCode > 299 {
|
|
return fmt.Errorf("OIDC discovery returned %s", resp.Status)
|
|
}
|
|
var d oidcDiscovery
|
|
if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&d); err != nil {
|
|
return err
|
|
}
|
|
if d.AuthorizationEndpoint == "" || d.TokenEndpoint == "" || d.UserInfoEndpoint == "" {
|
|
return errors.New("OIDC discovery response is missing required endpoints")
|
|
}
|
|
s.oidc = d
|
|
return nil
|
|
}
|
|
|
|
func (s *Server) handleOIDCLogin(w http.ResponseWriter, r *http.Request) {
|
|
if s.auth.Mode != AuthModeOIDC {
|
|
http.Redirect(w, r, "/", http.StatusSeeOther)
|
|
return
|
|
}
|
|
state, err := randomString(32)
|
|
if err != nil {
|
|
http.Error(w, "could not create login state", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
setCookie(w, &http.Cookie{Name: "oauth_state", Value: state, MaxAge: 10 * 60, Path: "/auth", HttpOnly: true, SameSite: http.SameSiteLaxMode, Secure: isSecure(r)})
|
|
|
|
q := url.Values{}
|
|
q.Set("response_type", "code")
|
|
q.Set("client_id", s.auth.ClientID)
|
|
q.Set("redirect_uri", s.auth.RedirectURL)
|
|
q.Set("scope", strings.Join(s.auth.Scopes, " "))
|
|
q.Set("state", state)
|
|
authURL := s.oidc.AuthorizationEndpoint + "?" + q.Encode()
|
|
http.Redirect(w, r, authURL, http.StatusFound)
|
|
}
|
|
|
|
func (s *Server) handleOIDCCallback(w http.ResponseWriter, r *http.Request) {
|
|
if s.auth.Mode != AuthModeOIDC {
|
|
http.Redirect(w, r, "/", http.StatusSeeOther)
|
|
return
|
|
}
|
|
if errText := r.URL.Query().Get("error"); errText != "" {
|
|
s.renderStatus(w, r, http.StatusUnauthorized, "login.html", map[string]any{"Title": "Login", "AuthMode": s.auth.Mode, "Error": "Login abgebrochen: " + errText})
|
|
return
|
|
}
|
|
stateCookie, err := r.Cookie("oauth_state")
|
|
if err != nil || stateCookie.Value == "" || stateCookie.Value != r.URL.Query().Get("state") {
|
|
http.Error(w, "invalid oauth state", http.StatusBadRequest)
|
|
return
|
|
}
|
|
clearCookie(w, "oauth_state", "/auth")
|
|
code := r.URL.Query().Get("code")
|
|
if code == "" {
|
|
http.Error(w, "missing authorization code", http.StatusBadRequest)
|
|
return
|
|
}
|
|
tok, err := s.exchangeCode(r.Context(), code)
|
|
if err != nil {
|
|
s.logger.Error("oauth token exchange", "error", err)
|
|
http.Error(w, "token exchange failed", http.StatusBadGateway)
|
|
return
|
|
}
|
|
claims, err := s.fetchUserInfo(r.Context(), tok.AccessToken)
|
|
if err != nil {
|
|
s.logger.Error("oauth userinfo", "error", err)
|
|
http.Error(w, "could not fetch user info", http.StatusBadGateway)
|
|
return
|
|
}
|
|
username := normalizeUsername(claims)
|
|
if username == "" {
|
|
http.Error(w, "identity provider did not return a usable username", http.StatusBadGateway)
|
|
return
|
|
}
|
|
if err := s.setSession(w, r, sessionData{Username: username, Subject: claims.Subject, Email: claims.Email, Expires: time.Now().Add(30 * 24 * time.Hour).Unix()}); err != nil {
|
|
http.Error(w, "could not create session", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
http.Redirect(w, r, "/rooms", http.StatusSeeOther)
|
|
}
|
|
|
|
func (s *Server) exchangeCode(ctx context.Context, code string) (oauthTokenResponse, error) {
|
|
// Keep the public signature simple for Go 1.22 without adding external OAuth dependencies.
|
|
values := url.Values{}
|
|
values.Set("grant_type", "authorization_code")
|
|
values.Set("code", code)
|
|
values.Set("redirect_uri", s.auth.RedirectURL)
|
|
values.Set("client_id", s.auth.ClientID)
|
|
values.Set("client_secret", s.auth.ClientSecret)
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodPost, s.oidc.TokenEndpoint, strings.NewReader(values.Encode()))
|
|
if err != nil {
|
|
return oauthTokenResponse{}, err
|
|
}
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
req.Header.Set("Accept", "application/json")
|
|
resp, err := http.DefaultClient.Do(req)
|
|
if err != nil {
|
|
return oauthTokenResponse{}, err
|
|
}
|
|
defer resp.Body.Close()
|
|
body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
|
|
if err != nil {
|
|
return oauthTokenResponse{}, err
|
|
}
|
|
if resp.StatusCode < 200 || resp.StatusCode > 299 {
|
|
return oauthTokenResponse{}, fmt.Errorf("token endpoint returned %s: %s", resp.Status, string(body))
|
|
}
|
|
var tok oauthTokenResponse
|
|
if err := json.Unmarshal(body, &tok); err != nil {
|
|
return oauthTokenResponse{}, err
|
|
}
|
|
if tok.AccessToken == "" {
|
|
return oauthTokenResponse{}, errors.New("token endpoint did not return access_token")
|
|
}
|
|
return tok, nil
|
|
}
|
|
|
|
func (s *Server) fetchUserInfo(ctx context.Context, accessToken string) (userClaims, error) {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, s.oidc.UserInfoEndpoint, nil)
|
|
if err != nil {
|
|
return userClaims{}, err
|
|
}
|
|
req.Header.Set("Authorization", "Bearer "+accessToken)
|
|
req.Header.Set("Accept", "application/json")
|
|
resp, err := http.DefaultClient.Do(req)
|
|
if err != nil {
|
|
return userClaims{}, err
|
|
}
|
|
defer resp.Body.Close()
|
|
body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
|
|
if err != nil {
|
|
return userClaims{}, err
|
|
}
|
|
if resp.StatusCode < 200 || resp.StatusCode > 299 {
|
|
return userClaims{}, fmt.Errorf("userinfo endpoint returned %s: %s", resp.Status, string(body))
|
|
}
|
|
var claims userClaims
|
|
if err := json.Unmarshal(body, &claims); err != nil {
|
|
return userClaims{}, err
|
|
}
|
|
return claims, nil
|
|
}
|
|
|
|
func (s *Server) setSession(w http.ResponseWriter, r *http.Request, data sessionData) error {
|
|
b, err := json.Marshal(data)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
payload := base64.RawURLEncoding.EncodeToString(b)
|
|
sig := sign(payload, s.auth.SessionSecret)
|
|
setCookie(w, &http.Cookie{Name: "chat_session", Value: payload + "." + sig, Path: "/", MaxAge: 60 * 60 * 24 * 30, HttpOnly: true, SameSite: http.SameSiteLaxMode, Secure: isSecure(r)})
|
|
return nil
|
|
}
|
|
|
|
func (s *Server) readSession(r *http.Request) (sessionData, bool) {
|
|
c, err := r.Cookie("chat_session")
|
|
if err != nil || c.Value == "" {
|
|
return sessionData{}, false
|
|
}
|
|
parts := strings.Split(c.Value, ".")
|
|
if len(parts) != 2 || !verify(parts[0], parts[1], s.auth.SessionSecret) {
|
|
return sessionData{}, false
|
|
}
|
|
b, err := base64.RawURLEncoding.DecodeString(parts[0])
|
|
if err != nil {
|
|
return sessionData{}, false
|
|
}
|
|
var data sessionData
|
|
if err := json.Unmarshal(b, &data); err != nil {
|
|
return sessionData{}, false
|
|
}
|
|
if data.Expires < time.Now().Unix() || strings.TrimSpace(data.Username) == "" {
|
|
return sessionData{}, false
|
|
}
|
|
return data, true
|
|
}
|
|
|
|
func sign(payload string, secret []byte) string {
|
|
mac := hmac.New(sha256.New, secret)
|
|
_, _ = mac.Write([]byte(payload))
|
|
return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
|
|
}
|
|
|
|
func verify(payload, got string, secret []byte) bool {
|
|
expected := sign(payload, secret)
|
|
return hmac.Equal([]byte(expected), []byte(got))
|
|
}
|
|
|
|
func randomString(n int) (string, error) {
|
|
b := make([]byte, n)
|
|
if _, err := rand.Read(b); err != nil {
|
|
return "", err
|
|
}
|
|
return base64.RawURLEncoding.EncodeToString(b), nil
|
|
}
|
|
|
|
func normalizeUsername(c userClaims) string {
|
|
for _, v := range []string{c.PreferredUsername, c.Name, c.Email, c.Subject} {
|
|
v = strings.TrimSpace(v)
|
|
if v != "" {
|
|
if strings.Contains(v, "@") {
|
|
v = strings.Split(v, "@")[0]
|
|
}
|
|
if len(v) > 40 {
|
|
v = v[:40]
|
|
}
|
|
return v
|
|
}
|
|
}
|
|
return ""
|
|
}
|
|
|
|
func splitScopes(s string) []string {
|
|
fields := strings.Fields(s)
|
|
if len(fields) == 0 {
|
|
return []string{"openid", "profile", "email"}
|
|
}
|
|
return fields
|
|
}
|
|
|
|
func getenv(key, fallback string) string {
|
|
if v := os.Getenv(key); v != "" {
|
|
return v
|
|
}
|
|
return fallback
|
|
}
|
|
|
|
func setCookie(w http.ResponseWriter, c *http.Cookie) { http.SetCookie(w, c) }
|
|
|
|
func clearCookie(w http.ResponseWriter, name, path string) {
|
|
http.SetCookie(w, &http.Cookie{Name: name, Value: "", Path: path, MaxAge: -1, HttpOnly: true, SameSite: http.SameSiteLaxMode})
|
|
}
|
|
|
|
func isSecure(r *http.Request) bool {
|
|
return r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
|
|
}
|
|
|
|
func splitCSV(s string) []string {
|
|
parts := strings.Split(s, ",")
|
|
out := make([]string, 0, len(parts))
|
|
for _, p := range parts {
|
|
p = strings.TrimSpace(p)
|
|
if p != "" {
|
|
out = append(out, p)
|
|
}
|
|
}
|
|
return out
|
|
}
|
|
|
|
func parseRoles(s string) []store.Role {
|
|
parts := strings.Split(s, ",")
|
|
out := make([]store.Role, 0, len(parts))
|
|
for _, p := range parts {
|
|
switch store.Role(strings.ToLower(strings.TrimSpace(p))) {
|
|
case store.RoleAdmin:
|
|
out = append(out, store.RoleAdmin)
|
|
case store.RoleModerator:
|
|
out = append(out, store.RoleModerator)
|
|
case store.RoleUser:
|
|
out = append(out, store.RoleUser)
|
|
}
|
|
}
|
|
if len(out) == 0 {
|
|
return []store.Role{store.RoleAdmin}
|
|
}
|
|
return out
|
|
}
|