feat: initial working discord authentication
parent
6186eda092
commit
a7950671e1
12 changed files with 262 additions and 25 deletions
|
@ -1,4 +1,5 @@
|
||||||
using System.Web;
|
using System.Web;
|
||||||
|
using Foxnouns.Backend.Extensions;
|
||||||
using Foxnouns.Backend.Services;
|
using Foxnouns.Backend.Services;
|
||||||
using Microsoft.AspNetCore.Mvc;
|
using Microsoft.AspNetCore.Mvc;
|
||||||
using NodaTime;
|
using NodaTime;
|
||||||
|
@ -34,11 +35,19 @@ public class AuthController(Config config, KeyCacheService keyCacheSvc, ILogger
|
||||||
string? Tumblr
|
string? Tumblr
|
||||||
);
|
);
|
||||||
|
|
||||||
internal record AuthResponse(
|
public record AuthResponse(
|
||||||
UserRendererService.UserResponse User,
|
UserRendererService.UserResponse User,
|
||||||
string Token,
|
string Token,
|
||||||
Instant ExpiresAt
|
Instant ExpiresAt
|
||||||
);
|
);
|
||||||
|
|
||||||
|
public record CallbackResponse(
|
||||||
|
bool HasAccount, // If true, user has an account, but it's deleted
|
||||||
|
string Ticket,
|
||||||
|
string? RemoteUsername
|
||||||
|
);
|
||||||
|
|
||||||
|
public record OauthRegisterRequest(string Ticket, string Username);
|
||||||
|
|
||||||
public record CallbackRequest(string Code, string State);
|
public record CallbackRequest(string Code, string State);
|
||||||
}
|
}
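Review bot: The comment on `HasAccount` in the new `CallbackResponse` (`// If true, user has an account, but it's deleted`) does not match the name or the only visible use, where the Discord callback always passes `false`; a reader cannot tell whether `true` means "an account exists" or "an account exists but was deleted". Suggest replacing it with a record-level doc comment that states the contract for all three fields: `HasAccount` — whether a local account is already associated with this remote identity (clarify the deleted-account case), `Ticket` — a short-lived value the client must present to the register endpoint to finish signup, `RemoteUsername` — the provider-side username, null if the provider did not return one. `AuthResponse` also changed from `internal` to `public`; since `Token` is a bearer credential, its doc comment should say so and that callers must not log it. The enclosing `AuthController` class starts and ends outside this hunk.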
|
|
@ -1,7 +1,10 @@
|
||||||
using Foxnouns.Backend.Database;
|
using Foxnouns.Backend.Database;
|
||||||
using Foxnouns.Backend.Database.Models;
|
using Foxnouns.Backend.Database.Models;
|
||||||
|
using Foxnouns.Backend.Extensions;
|
||||||
using Foxnouns.Backend.Services;
|
using Foxnouns.Backend.Services;
|
||||||
|
using Foxnouns.Backend.Utils;
|
||||||
using Microsoft.AspNetCore.Mvc;
|
using Microsoft.AspNetCore.Mvc;
|
||||||
|
using Microsoft.EntityFrameworkCore;
|
||||||
using NodaTime;
|
using NodaTime;
|
||||||
|
|
||||||
namespace Foxnouns.Backend.Controllers.Authentication;
|
namespace Foxnouns.Backend.Controllers.Authentication;
|
||||||
|
@ -18,6 +21,10 @@ public class DiscordAuthController(
|
||||||
UserRendererService userRendererSvc) : ApiControllerBase
|
UserRendererService userRendererSvc) : ApiControllerBase
|
||||||
{
|
{
|
||||||
[HttpPost("callback")]
|
[HttpPost("callback")]
|
||||||
|
// TODO: duplicating attribute doesn't work, find another way to mark both as possible response
|
||||||
|
// leaving it here for documentation purposes
|
||||||
|
[ProducesResponseType<AuthController.AuthResponse>(StatusCodes.Status200OK)]
|
||||||
|
[ProducesResponseType<AuthController.CallbackResponse>(StatusCodes.Status200OK)]
|
||||||
public async Task<IActionResult> CallbackAsync([FromBody] AuthController.CallbackRequest req)
|
public async Task<IActionResult> CallbackAsync([FromBody] AuthController.CallbackRequest req)
|
||||||
{
|
{
|
||||||
CheckRequirements();
|
CheckRequirements();
|
||||||
|
@ -30,7 +37,29 @@ public class DiscordAuthController(
|
||||||
logger.Debug("Discord user {Username} ({Id}) authenticated with no local account", remoteUser.Username,
|
logger.Debug("Discord user {Username} ({Id}) authenticated with no local account", remoteUser.Username,
|
||||||
remoteUser.Id);
|
remoteUser.Id);
|
||||||
|
|
||||||
throw new NotImplementedException();
|
var ticket = OauthUtils.RandomToken();
|
||||||
|
await keyCacheSvc.SetKeyAsync($"discord:{ticket}", remoteUser, Duration.FromMinutes(20));
|
||||||
|
|
||||||
|
return Ok(new AuthController.CallbackResponse(false, ticket, remoteUser.Username));
|
||||||
|
}
|
||||||
|
|
||||||
|
[HttpPost("register")]
|
||||||
|
[ProducesResponseType<AuthController.AuthResponse>(StatusCodes.Status200OK)]
|
||||||
|
public async Task<IActionResult> RegisterAsync([FromBody] AuthController.OauthRegisterRequest req)
|
||||||
|
{
|
||||||
|
var remoteUser = await keyCacheSvc.GetKeyAsync<RemoteAuthService.RemoteUser>($"discord:{req.Ticket}");
|
||||||
|
if (remoteUser == null) throw new ApiError.BadRequest("Invalid ticket");
|
||||||
|
if (await db.AuthMethods.AnyAsync(a => a.AuthType == AuthType.Discord && a.RemoteId == remoteUser.Id))
|
||||||
|
{
|
||||||
|
logger.Error("Discord user {Id} has valid ticket but is already linked to an existing account",
|
||||||
|
remoteUser.Id);
|
||||||
|
throw new FoxnounsError("Discord ticket was issued for user with existing link");
|
||||||
|
}
|
||||||
|
|
||||||
|
var user = await authSvc.CreateUserWithRemoteAuthAsync(req.Username, AuthType.Discord, remoteUser.Id,
|
||||||
|
remoteUser.Username);
|
||||||
|
|
||||||
|
return Ok(await GenerateUserTokenAsync(user));
|
||||||
}
|
}
|
||||||
|
|
||||||
private async Task<AuthController.AuthResponse> GenerateUserTokenAsync(User user)
|
private async Task<AuthController.AuthResponse> GenerateUserTokenAsync(User user)
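Review bot: `RegisterAsync` reads the ticket with `keyCacheSvc.GetKeyAsync<RemoteAuthService.RemoteUser>($"discord:{req.Ticket}")` and never consumes it, so the ticket stays valid for the full 20 minutes set in `CallbackAsync`; the only thing stopping a second registration is the "already linked" check, which then surfaces as `FoxnounsError` (an internal error) for what is really a client replay. Suggest `var remoteUser = await keyCacheSvc.GetKeyAsync<RemoteAuthService.RemoteUser>($"discord:{req.Ticket}", delete: true);` and `throw new ApiError.BadRequest("Ticket has already been used");` in the already-linked branch, keeping the log line. Note that the generic `GetKeyAsync<T>` in `KeyCacheService` currently discards its `delete` argument, so the consume only takes effect once that overload forwards it. `req.Username` is passed straight to `CreateUserWithRemoteAuthAsync`, which only checks that it is not taken; if format validation happens elsewhere that is fine, otherwise it belongs here or in the service. `GenerateUserTokenAsync` continues outside the hunk.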
|
||||||
|
|
21
Foxnouns.Backend/Extensions/KeyCacheExtensions.cs
Normal file
21
Foxnouns.Backend/Extensions/KeyCacheExtensions.cs
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
using Foxnouns.Backend.Services;
|
||||||
|
using Foxnouns.Backend.Utils;
|
||||||
|
using NodaTime;
|
||||||
|
|
||||||
|
namespace Foxnouns.Backend.Extensions;
|
||||||
|
|
||||||
|
public static class KeyCacheExtensions
|
||||||
|
{
|
||||||
|
public static async Task<string> GenerateAuthStateAsync(this KeyCacheService keyCacheSvc)
|
||||||
|
{
|
||||||
|
var state = OauthUtils.RandomToken();
|
||||||
|
await keyCacheSvc.SetKeyAsync($"oauth_state:{state}", "", Duration.FromMinutes(10));
|
||||||
|
return state;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static async Task ValidateAuthStateAsync(this KeyCacheService keyCacheSvc, string state)
|
||||||
|
{
|
||||||
|
var val = await keyCacheSvc.GetKeyAsync($"oauth_state:{state}", delete: true);
|
||||||
|
if (val == null) throw new ApiError.BadRequest("Invalid OAuth state");
|
||||||
|
}
|
||||||
|
}
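Review bot: `GenerateAuthStateAsync` stores the state with an empty value, so nothing in this file ties the state to the browser session that began the flow; `ValidateAuthStateAsync` therefore only proves that some state was minted in the last 10 minutes, which is weaker than the request-forgery protection OAuth state is meant to provide unless a caller binds it elsewhere (not visible in this commit). Consider storing a per-session identifier as the value and comparing it on validation, or documenting the limitation on the method. Both public methods also lack XML docs; suggest `/// Generates a random OAuth state, stores it under "oauth_state:{state}" for 10 minutes, and returns it.` on the first and `/// Validates and consumes a previously generated state; throws <see cref="ApiError.BadRequest"/> if it is unknown or expired.` on the second.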
|
|
@ -6,7 +6,6 @@ using Foxnouns.Backend.Services;
|
||||||
using Microsoft.AspNetCore.Mvc;
|
using Microsoft.AspNetCore.Mvc;
|
||||||
using Newtonsoft.Json;
|
using Newtonsoft.Json;
|
||||||
using Newtonsoft.Json.Serialization;
|
using Newtonsoft.Json.Serialization;
|
||||||
using NodaTime;
|
|
||||||
|
|
||||||
// Read version information from .version in the repository root
|
// Read version information from .version in the repository root
|
||||||
await BuildInfo.ReadBuildInfo();
|
await BuildInfo.ReadBuildInfo();
|
||||||
|
|
|
@ -34,6 +34,37 @@ public class AuthService(ILogger logger, DatabaseContext db, ISnowflakeGenerator
|
||||||
|
|
||||||
return user;
|
return user;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Creates a new user with the given username and remote authentication method.
|
||||||
|
/// To create a user with email authentication, use <see cref="CreateUserWithPasswordAsync" />
|
||||||
|
/// This method does <i>not</i> save the resulting user, the caller must still call <see cref="M:Microsoft.EntityFrameworkCore.DbContext.SaveChanges" />.
|
||||||
|
/// </summary>
|
||||||
|
public async Task<User> CreateUserWithRemoteAuthAsync(string username, AuthType authType, string remoteId,
|
||||||
|
string remoteUsername, FediverseApplication? instance = null)
|
||||||
|
{
|
||||||
|
AssertValidAuthType(authType, instance);
|
||||||
|
|
||||||
|
if (await db.Users.AnyAsync(u => u.Username == username))
|
||||||
|
throw new ApiError.BadRequest("Username is already taken");
|
||||||
|
|
||||||
|
var user = new User
|
||||||
|
{
|
||||||
|
Id = snowflakeGenerator.GenerateSnowflake(),
|
||||||
|
Username = username,
|
||||||
|
AuthMethods =
|
||||||
|
{
|
||||||
|
new AuthMethod
|
||||||
|
{
|
||||||
|
Id = snowflakeGenerator.GenerateSnowflake(), AuthType = authType, RemoteId = remoteId,
|
||||||
|
RemoteUsername = remoteUsername, FediverseApplication = instance
|
||||||
|
}
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
db.Add(user);
|
||||||
|
return user;
|
||||||
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Authenticates a user with email and password.
|
/// Authenticates a user with email and password.
|
||||||
|
@ -81,10 +112,7 @@ public class AuthService(ILogger logger, DatabaseContext db, ISnowflakeGenerator
|
||||||
public async Task<User?> AuthenticateUserAsync(AuthType authType, string remoteId,
|
public async Task<User?> AuthenticateUserAsync(AuthType authType, string remoteId,
|
||||||
FediverseApplication? instance = null)
|
FediverseApplication? instance = null)
|
||||||
{
|
{
|
||||||
if (authType == AuthType.Fediverse && instance == null)
|
AssertValidAuthType(authType, instance);
|
||||||
throw new FoxnounsError("Fediverse authentication requires an instance.");
|
|
||||||
if (authType != AuthType.Fediverse && instance != null)
|
|
||||||
throw new FoxnounsError("Non-Fediverse authentication does not require an instance.");
|
|
||||||
|
|
||||||
return await db.Users.FirstOrDefaultAsync(u =>
|
return await db.Users.FirstOrDefaultAsync(u =>
|
||||||
u.AuthMethods.Any(a =>
|
u.AuthMethods.Any(a =>
|
||||||
|
@ -115,4 +143,12 @@ public class AuthService(ILogger logger, DatabaseContext db, ISnowflakeGenerator
|
||||||
|
|
||||||
return (token, hash);
|
return (token, hash);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private static void AssertValidAuthType(AuthType authType, FediverseApplication? instance)
|
||||||
|
{
|
||||||
|
if (authType == AuthType.Fediverse && instance == null)
|
||||||
|
throw new FoxnounsError("Fediverse authentication requires an instance.");
|
||||||
|
if (authType != AuthType.Fediverse && instance != null)
|
||||||
|
throw new FoxnounsError("Non-Fediverse authentication does not require an instance.");
|
||||||
|
}
|
||||||
}
|
}
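Review bot: `CreateUserWithRemoteAuthAsync` checks username availability with `db.Users.AnyAsync(u => u.Username == username)` and then adds the user without any atomicity, so two concurrent registrations with the same name both pass the check and the conflict (if the column has a unique index, which is not visible here) surfaces later as a database exception at `SaveChanges` instead of `ApiError.BadRequest`. The method also does not check whether `remoteId` is already linked for `authType`; the Discord controller does this before calling, but any other caller of this service method would skip it, so the check fits better here, mirroring the existing `AnyAsync` on `Users`. Suggest adding `<param>` entries to the summary and a sentence noting that the username check is best-effort and the caller must handle a uniqueness failure on save. The `AssertValidAuthType` extraction looks correct and matches the two call sites.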
|
|
@ -2,6 +2,7 @@ using Foxnouns.Backend.Database;
|
||||||
using Foxnouns.Backend.Database.Models;
|
using Foxnouns.Backend.Database.Models;
|
||||||
using Foxnouns.Backend.Utils;
|
using Foxnouns.Backend.Utils;
|
||||||
using Microsoft.EntityFrameworkCore;
|
using Microsoft.EntityFrameworkCore;
|
||||||
|
using Newtonsoft.Json;
|
||||||
using NodaTime;
|
using NodaTime;
|
||||||
|
|
||||||
namespace Foxnouns.Backend.Services;
|
namespace Foxnouns.Backend.Services;
|
||||||
|
@ -42,16 +43,18 @@ public class KeyCacheService(DatabaseContext db, IClock clock, ILogger logger)
|
||||||
if (count != 0) logger.Information("Removed {Count} expired keys from the database", count);
|
if (count != 0) logger.Information("Removed {Count} expired keys from the database", count);
|
||||||
}
|
}
|
||||||
|
|
||||||
public async Task<string> GenerateAuthStateAsync()
|
public Task SetKeyAsync<T>(string key, T obj, Duration expiresAt) where T : class =>
|
||||||
|
SetKeyAsync(key, obj, clock.GetCurrentInstant() + expiresAt);
|
||||||
|
|
||||||
|
public async Task SetKeyAsync<T>(string key, T obj, Instant expires) where T : class
|
||||||
{
|
{
|
||||||
var state = OauthUtils.RandomToken();
|
var value = JsonConvert.SerializeObject(obj);
|
||||||
await SetKeyAsync($"oauth_state:{state}", "", Duration.FromMinutes(10));
|
await SetKeyAsync(key, value, expires);
|
||||||
return state;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public async Task ValidateAuthStateAsync(string state)
|
public async Task<T?> GetKeyAsync<T>(string key, bool delete = false) where T : class
|
||||||
{
|
{
|
||||||
var val = await GetKeyAsync($"oauth_state:{state}", delete: true);
|
var value = await GetKeyAsync(key, delete: false);
|
||||||
if (val == null) throw new ApiError.BadRequest("Invalid OAuth state");
|
return value == null ? default : JsonConvert.DeserializeObject<T>(value);
|
||||||
}
|
}
|
||||||
}
|
}
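Review bot: The new generic `GetKeyAsync<T>(string key, bool delete = false)` ignores its own `delete` parameter and always calls `GetKeyAsync(key, delete: false)`, so any caller asking for a one-shot read silently gets a non-consuming read; the line should be `var value = await GetKeyAsync(key, delete);`. This matters because the Discord ticket in `DiscordAuthController.RegisterAsync` is read through this overload. Separately, the new `SetKeyAsync<T>(string key, T obj, Duration expiresAt)` names a `Duration` as if it were an instant; renaming the parameter to `expiresIn` would distinguish it from the `Instant expires` overload beneath it. The enclosing `KeyCacheService` class starts outside the hunk.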
|
18
Foxnouns.Frontend/src/lib/api/auth.ts
Normal file
18
Foxnouns.Frontend/src/lib/api/auth.ts
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
import type { User } from "./user";
|
||||||
|
|
||||||
|
export type CallbackRequest = {
|
||||||
|
code: string;
|
||||||
|
state: string;
|
||||||
|
};
|
||||||
|
|
||||||
|
export type CallbackResponse = {
|
||||||
|
has_account: boolean;
|
||||||
|
ticket: string;
|
||||||
|
remote_username: string | null;
|
||||||
|
};
|
||||||
|
|
||||||
|
export type AuthResponse = {
|
||||||
|
user: User;
|
||||||
|
token: string;
|
||||||
|
expires_at: string;
|
||||||
|
};
|
|
@ -2,12 +2,12 @@ import type Meta from "$lib/api/meta";
|
||||||
import type { User } from "$lib/api/user";
|
import type { User } from "$lib/api/user";
|
||||||
import request from "$lib/request";
|
import request from "$lib/request";
|
||||||
|
|
||||||
export async function load({ fetch }) {
|
export async function load({ fetch, locals }) {
|
||||||
const meta = await request<Meta>(fetch, "GET", "/meta");
|
const meta = await request<Meta>(fetch, "GET", "/meta");
|
||||||
let user: User | undefined;
|
let user: User | undefined;
|
||||||
try {
|
try {
|
||||||
user = await request<User>(fetch, "GET", "/users/@me");
|
user = await request<User>(fetch, "GET", "/users/@me");
|
||||||
} catch {}
|
} catch {}
|
||||||
|
|
||||||
return { meta, user };
|
return { meta, user, token: locals.token };
|
||||||
}
|
}
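Review bot: Returning `token: locals.token` from the root layout `load` puts the session token into page data, which SvelteKit serializes into every server-rendered page and exposes to client-side code; if the token is otherwise held in an httpOnly cookie (the callback page sets it with `cookies.set`, whose SvelteKit default is httpOnly), this undoes that protection. Unless client code genuinely needs the raw token, prefer returning only what the UI needs, e.g. `return { meta, user, loggedIn: !!locals.token };`. The `catch {}` around the `/users/@me` request also hides every failure, not just an unauthenticated response; that may be intentional, but a one-line comment saying so would help.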
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
<div class="grid">
|
<div class="grid">
|
||||||
<div class="cell">
|
<div class="cell">
|
||||||
<p class="title">Log in with email address</p>
|
<p class="title">Log in with email address</p>
|
||||||
<form action="?/login">
|
<form method="POST" action="?/login">
|
||||||
<div class="field">
|
<div class="field">
|
||||||
<label for="email" class="label">Email address</label>
|
<label for="email" class="label">Email address</label>
|
||||||
<div class="control">
|
<div class="control">
|
||||||
|
|
|
@ -1,10 +1,55 @@
|
||||||
import { fastRequest } from "$lib/request";
|
import request from "$lib/request";
|
||||||
|
import type { AuthResponse, CallbackResponse } from "$lib/api/auth";
|
||||||
|
|
||||||
export const load = async ({ fetch, url }) => {
|
export const load = async ({ fetch, url, cookies, parent }) => {
|
||||||
await fastRequest(fetch, "POST", "/auth/discord/callback", {
|
const data = await parent();
|
||||||
body: {
|
if (data.user) {
|
||||||
code: url.searchParams.get("code"),
|
return { loggedIn: true, token: data.token, user: data.user };
|
||||||
state: url.searchParams.get("state"),
|
}
|
||||||
|
|
||||||
|
const resp = await request<AuthResponse | CallbackResponse>(
|
||||||
|
fetch,
|
||||||
|
"POST",
|
||||||
|
"/auth/discord/callback",
|
||||||
|
{
|
||||||
|
body: {
|
||||||
|
code: url.searchParams.get("code"),
|
||||||
|
state: url.searchParams.get("state"),
|
||||||
|
},
|
||||||
},
|
},
|
||||||
});
|
);
|
||||||
|
|
||||||
|
console.log(JSON.stringify(resp));
|
||||||
|
|
||||||
|
if ("token" in resp) {
|
||||||
|
const authResp = resp as AuthResponse;
|
||||||
|
cookies.set("pronounscc-token", authResp.token, { path: "/" });
|
||||||
|
return { loggedIn: true, token: authResp.token, user: authResp.user };
|
||||||
|
}
|
||||||
|
|
||||||
|
const callbackResp = resp as CallbackResponse;
|
||||||
|
return {
|
||||||
|
loggedIn: false,
|
||||||
|
hasAccount: callbackResp.has_account,
|
||||||
|
ticket: resp.ticket,
|
||||||
|
remoteUsername: resp.remote_username,
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
export const actions = {
|
||||||
|
register: async ({ cookies, request: req, fetch, locals }) => {
|
||||||
|
const data = await req.formData();
|
||||||
|
const username = data.get("username");
|
||||||
|
const ticket = data.get("ticket");
|
||||||
|
|
||||||
|
console.log(JSON.stringify({ username, ticket }));
|
||||||
|
|
||||||
|
const resp = await request<AuthResponse>(fetch, "POST", "/auth/discord/register", {
|
||||||
|
body: { username, ticket },
|
||||||
|
});
|
||||||
|
cookies.set("pronounscc-token", resp.token, { path: "/" });
|
||||||
|
locals.token = resp.token;
|
||||||
|
|
||||||
|
return { token: resp.token, user: resp.user };
|
||||||
|
},
|
||||||
};
|
};
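Review bot: `console.log(JSON.stringify(resp))` in `load` writes the full auth response, including the bearer `token`, to the server log, and `console.log(JSON.stringify({ username, ticket }))` in the `register` action logs the ticket that completes signup; both lines should be removed or reduced to non-secret fields such as `console.log("discord callback", "token" in resp ? "logged in" : "needs registration");`. `url.searchParams.get("code")` and `.get("state")` may be null and are forwarded as-is, so a malformed callback URL turns into a backend error rather than a clear client-side message; an early check is cheap. The `if ("token" in resp)` test already narrows the union, so the `as AuthResponse` and `as CallbackResponse` casts are redundant, and the tail mixes `callbackResp.has_account` with `resp.ticket`; pick one name.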
|
||||||
|
|
|
@ -1,5 +1,79 @@
|
||||||
<script lang="ts">
|
<script lang="ts">
|
||||||
|
import { onMount } from "svelte";
|
||||||
|
import { goto } from "$app/navigation";
|
||||||
|
import { enhance } from "$app/forms";
|
||||||
|
import type { PageData, ActionData } from "./$types";
|
||||||
|
export let data: PageData;
|
||||||
|
|
||||||
|
export let form: ActionData;
|
||||||
|
|
||||||
|
onMount(async () => {
|
||||||
|
if (data.user) {
|
||||||
|
await new Promise((r) => setTimeout(r, 3000));
|
||||||
|
await goto(`/@${data.user.username}`);
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
|
const redirectOnForm = async (action: ActionData) => {
|
||||||
|
if (form?.user) {
|
||||||
|
await new Promise((r) => setTimeout(r, 3000));
|
||||||
|
await goto(`/@${form.user.username}`);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
$: redirectOnForm(form);
|
||||||
</script>
|
</script>
|
||||||
|
|
||||||
<p>omg its a login page</p>
|
<div class="container">
|
||||||
|
{#if form?.user}
|
||||||
|
<h1 class="title">Successfully created account!</h1>
|
||||||
|
<p>Welcome, <strong>@{form.user.username}</strong>!</p>
|
||||||
|
<p>
|
||||||
|
You should automatically be redirected to your profile in a few seconds. If you're not
|
||||||
|
redirected, please press the link above.
|
||||||
|
</p>
|
||||||
|
{:else if data.loggedIn}
|
||||||
|
<h1 class="title">Successfully logged in!</h1>
|
||||||
|
<p>You are now logged in as <a href="/@{data.user?.username}">@{data.user?.username}</a>.</p>
|
||||||
|
<p>
|
||||||
|
You should automatically be redirected to your profile in a few seconds. If you're not
|
||||||
|
redirected, please press the link above.
|
||||||
|
</p>
|
||||||
|
{:else}
|
||||||
|
<h1 class="title">Finish signing up with a Discord account</h1>
|
||||||
|
<form method="POST" action="?/register" use:enhance>
|
||||||
|
<div class="field">
|
||||||
|
<label for="remote_username" class="label">Discord username</label>
|
||||||
|
<div class="control">
|
||||||
|
<input
|
||||||
|
type="text"
|
||||||
|
name="remote_username"
|
||||||
|
id="remote_username"
|
||||||
|
class="input"
|
||||||
|
value={data.remoteUsername}
|
||||||
|
disabled
|
||||||
|
/>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div class="field">
|
||||||
|
<label for="username" class="label">Username</label>
|
||||||
|
<div class="control">
|
||||||
|
<input type="text" name="username" id="username" class="input" placeholder="Username" />
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<input
|
||||||
|
type="text"
|
||||||
|
name="ticket"
|
||||||
|
id="ticket"
|
||||||
|
class="hidden"
|
||||||
|
style="display: hidden;"
|
||||||
|
value={data.ticket}
|
||||||
|
/>
|
||||||
|
<div class="field">
|
||||||
|
<div class="control">
|
||||||
|
<button class="button is-primary">Sign up</button>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</form>
|
||||||
|
{/if}
|
||||||
|
</div>
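Review bot: The ticket field is a `type="text"` input with `class="hidden"` and `style="display: hidden;"`, but `hidden` is not a valid `display` value, so whether the ticket is visible depends entirely on a `hidden` class existing in the stylesheet; `<input type="hidden" name="ticket" value={data.ticket} />` expresses the intent directly and needs no styling. `redirectOnForm(action)` ignores its `action` parameter and reads `form` from the closure; using the parameter (`if (action?.user) { ... action.user.username ... }`) makes the reactive `$: redirectOnForm(form)` self-explanatory. Rendering `data.remoteUsername` and `form.user.username` through Svelte's default escaping is fine as written.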
|
||||||
|
|
|
@ -15,6 +15,9 @@ const config = {
|
||||||
env: {
|
env: {
|
||||||
privatePrefix: "PRIVATE_",
|
privatePrefix: "PRIVATE_",
|
||||||
},
|
},
|
||||||
|
csrf: {
|
||||||
|
checkOrigin: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
};
|
};
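Review bot: `csrf: { checkOrigin: false }` disables SvelteKit's origin check for every form-action POST in the app, so a cross-site page can submit to `?/register` or the login action on behalf of a user whose cookie is sent along. The OAuth callback in this commit arrives as a GET, so it should not need this; if a provider genuinely POSTs to a route, handle that route's origin explicitly (or use a dedicated endpoint) instead of turning the check off globally. At minimum a comment on the `csrf` block should record why it was disabled and what compensating control exists.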
|
||||||
|
|
||||||
|
|