feat: initial working discord authentication

This commit is contained in:
sam 2024-06-13 02:23:55 +02:00
parent 6186eda092
commit a7950671e1
Signed by: sam
GPG key ID: B4EF20DDE721CAA1
12 changed files with 262 additions and 25 deletions

View file

@ -1,4 +1,5 @@
using System.Web;
using Foxnouns.Backend.Extensions;
using Foxnouns.Backend.Services;
using Microsoft.AspNetCore.Mvc;
using NodaTime;
@ -34,11 +35,19 @@ public class AuthController(Config config, KeyCacheService keyCacheSvc, ILogger
string? Tumblr
);
internal record AuthResponse(
public record AuthResponse(
UserRendererService.UserResponse User,
string Token,
Instant ExpiresAt
);
public record CallbackResponse(
bool HasAccount, // If true, user has an account, but it's deleted
string Ticket,
string? RemoteUsername
);
public record OauthRegisterRequest(string Ticket, string Username);
public record CallbackRequest(string Code, string State);
}

View file

@ -1,7 +1,10 @@
using Foxnouns.Backend.Database;
using Foxnouns.Backend.Database.Models;
using Foxnouns.Backend.Extensions;
using Foxnouns.Backend.Services;
using Foxnouns.Backend.Utils;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using NodaTime;
namespace Foxnouns.Backend.Controllers.Authentication;
@ -18,6 +21,10 @@ public class DiscordAuthController(
UserRendererService userRendererSvc) : ApiControllerBase
{
[HttpPost("callback")]
// TODO: duplicating attribute doesn't work, find another way to mark both as possible response
// leaving it here for documentation purposes
[ProducesResponseType<AuthController.AuthResponse>(StatusCodes.Status200OK)]
[ProducesResponseType<AuthController.CallbackResponse>(StatusCodes.Status200OK)]
public async Task<IActionResult> CallbackAsync([FromBody] AuthController.CallbackRequest req)
{
CheckRequirements();
@ -30,7 +37,29 @@ public class DiscordAuthController(
logger.Debug("Discord user {Username} ({Id}) authenticated with no local account", remoteUser.Username,
remoteUser.Id);
throw new NotImplementedException();
var ticket = OauthUtils.RandomToken();
await keyCacheSvc.SetKeyAsync($"discord:{ticket}", remoteUser, Duration.FromMinutes(20));
return Ok(new AuthController.CallbackResponse(false, ticket, remoteUser.Username));
}
[HttpPost("register")]
[ProducesResponseType<AuthController.AuthResponse>(StatusCodes.Status200OK)]
public async Task<IActionResult> RegisterAsync([FromBody] AuthController.OauthRegisterRequest req)
{
var remoteUser = await keyCacheSvc.GetKeyAsync<RemoteAuthService.RemoteUser>($"discord:{req.Ticket}");
if (remoteUser == null) throw new ApiError.BadRequest("Invalid ticket");
if (await db.AuthMethods.AnyAsync(a => a.AuthType == AuthType.Discord && a.RemoteId == remoteUser.Id))
{
logger.Error("Discord user {Id} has valid ticket but is already linked to an existing account",
remoteUser.Id);
throw new FoxnounsError("Discord ticket was issued for user with existing link");
}
var user = await authSvc.CreateUserWithRemoteAuthAsync(req.Username, AuthType.Discord, remoteUser.Id,
remoteUser.Username);
return Ok(await GenerateUserTokenAsync(user));
}
private async Task<AuthController.AuthResponse> GenerateUserTokenAsync(User user)

View file

@ -0,0 +1,21 @@
using Foxnouns.Backend.Services;
using Foxnouns.Backend.Utils;
using NodaTime;
namespace Foxnouns.Backend.Extensions;
public static class KeyCacheExtensions
{
public static async Task<string> GenerateAuthStateAsync(this KeyCacheService keyCacheSvc)
{
var state = OauthUtils.RandomToken();
await keyCacheSvc.SetKeyAsync($"oauth_state:{state}", "", Duration.FromMinutes(10));
return state;
}
public static async Task ValidateAuthStateAsync(this KeyCacheService keyCacheSvc, string state)
{
var val = await keyCacheSvc.GetKeyAsync($"oauth_state:{state}", delete: true);
if (val == null) throw new ApiError.BadRequest("Invalid OAuth state");
}
}

View file

@ -6,7 +6,6 @@ using Foxnouns.Backend.Services;
using Microsoft.AspNetCore.Mvc;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;
using NodaTime;
// Read version information from .version in the repository root
await BuildInfo.ReadBuildInfo();

View file

@ -35,6 +35,37 @@ public class AuthService(ILogger logger, DatabaseContext db, ISnowflakeGenerator
return user;
}
/// <summary>
/// Creates a new user with the given username and remote authentication method.
/// To create a user with email authentication, use <see cref="CreateUserWithPasswordAsync" />
/// This method does <i>not</i> save the resulting user, the caller must still call <see cref="M:Microsoft.EntityFrameworkCore.DbContext.SaveChanges" />.
/// </summary>
public async Task<User> CreateUserWithRemoteAuthAsync(string username, AuthType authType, string remoteId,
string remoteUsername, FediverseApplication? instance = null)
{
AssertValidAuthType(authType, instance);
if (await db.Users.AnyAsync(u => u.Username == username))
throw new ApiError.BadRequest("Username is already taken");
var user = new User
{
Id = snowflakeGenerator.GenerateSnowflake(),
Username = username,
AuthMethods =
{
new AuthMethod
{
Id = snowflakeGenerator.GenerateSnowflake(), AuthType = authType, RemoteId = remoteId,
RemoteUsername = remoteUsername, FediverseApplication = instance
}
}
};
db.Add(user);
return user;
}
/// <summary>
/// Authenticates a user with email and password.
/// </summary>
@ -81,10 +112,7 @@ public class AuthService(ILogger logger, DatabaseContext db, ISnowflakeGenerator
public async Task<User?> AuthenticateUserAsync(AuthType authType, string remoteId,
FediverseApplication? instance = null)
{
if (authType == AuthType.Fediverse && instance == null)
throw new FoxnounsError("Fediverse authentication requires an instance.");
if (authType != AuthType.Fediverse && instance != null)
throw new FoxnounsError("Non-Fediverse authentication does not require an instance.");
AssertValidAuthType(authType, instance);
return await db.Users.FirstOrDefaultAsync(u =>
u.AuthMethods.Any(a =>
@ -115,4 +143,12 @@ public class AuthService(ILogger logger, DatabaseContext db, ISnowflakeGenerator
return (token, hash);
}
private static void AssertValidAuthType(AuthType authType, FediverseApplication? instance)
{
if (authType == AuthType.Fediverse && instance == null)
throw new FoxnounsError("Fediverse authentication requires an instance.");
if (authType != AuthType.Fediverse && instance != null)
throw new FoxnounsError("Non-Fediverse authentication does not require an instance.");
}
}

View file

@ -2,6 +2,7 @@ using Foxnouns.Backend.Database;
using Foxnouns.Backend.Database.Models;
using Foxnouns.Backend.Utils;
using Microsoft.EntityFrameworkCore;
using Newtonsoft.Json;
using NodaTime;
namespace Foxnouns.Backend.Services;
@ -42,16 +43,18 @@ public class KeyCacheService(DatabaseContext db, IClock clock, ILogger logger)
if (count != 0) logger.Information("Removed {Count} expired keys from the database", count);
}
public async Task<string> GenerateAuthStateAsync()
public Task SetKeyAsync<T>(string key, T obj, Duration expiresAt) where T : class =>
SetKeyAsync(key, obj, clock.GetCurrentInstant() + expiresAt);
public async Task SetKeyAsync<T>(string key, T obj, Instant expires) where T : class
{
var state = OauthUtils.RandomToken();
await SetKeyAsync($"oauth_state:{state}", "", Duration.FromMinutes(10));
return state;
var value = JsonConvert.SerializeObject(obj);
await SetKeyAsync(key, value, expires);
}
public async Task ValidateAuthStateAsync(string state)
public async Task<T?> GetKeyAsync<T>(string key, bool delete = false) where T : class
{
var val = await GetKeyAsync($"oauth_state:{state}", delete: true);
if (val == null) throw new ApiError.BadRequest("Invalid OAuth state");
var value = await GetKeyAsync(key, delete: false);
return value == null ? default : JsonConvert.DeserializeObject<T>(value);
}
}

View file

@ -0,0 +1,18 @@
import type { User } from "./user";
export type CallbackRequest = {
code: string;
state: string;
};
export type CallbackResponse = {
has_account: boolean;
ticket: string;
remote_username: string | null;
};
export type AuthResponse = {
user: User;
token: string;
expires_at: string;
};

View file

@ -2,12 +2,12 @@ import type Meta from "$lib/api/meta";
import type { User } from "$lib/api/user";
import request from "$lib/request";
export async function load({ fetch }) {
export async function load({ fetch, locals }) {
const meta = await request<Meta>(fetch, "GET", "/meta");
let user: User | undefined;
try {
user = await request<User>(fetch, "GET", "/users/@me");
} catch {}
return { meta, user };
return { meta, user, token: locals.token };
}

View file

@ -9,7 +9,7 @@
<div class="grid">
<div class="cell">
<p class="title">Log in with email address</p>
<form action="?/login">
<form method="POST" action="?/login">
<div class="field">
<label for="email" class="label">Email address</label>
<div class="control">

View file

@ -1,10 +1,55 @@
import { fastRequest } from "$lib/request";
import request from "$lib/request";
import type { AuthResponse, CallbackResponse } from "$lib/api/auth";
export const load = async ({ fetch, url }) => {
await fastRequest(fetch, "POST", "/auth/discord/callback", {
body: {
code: url.searchParams.get("code"),
state: url.searchParams.get("state"),
export const load = async ({ fetch, url, cookies, parent }) => {
const data = await parent();
if (data.user) {
return { loggedIn: true, token: data.token, user: data.user };
}
const resp = await request<AuthResponse | CallbackResponse>(
fetch,
"POST",
"/auth/discord/callback",
{
body: {
code: url.searchParams.get("code"),
state: url.searchParams.get("state"),
},
},
});
);
console.log(JSON.stringify(resp));
if ("token" in resp) {
const authResp = resp as AuthResponse;
cookies.set("pronounscc-token", authResp.token, { path: "/" });
return { loggedIn: true, token: authResp.token, user: authResp.user };
}
const callbackResp = resp as CallbackResponse;
return {
loggedIn: false,
hasAccount: callbackResp.has_account,
ticket: resp.ticket,
remoteUsername: resp.remote_username,
};
};
export const actions = {
register: async ({ cookies, request: req, fetch, locals }) => {
const data = await req.formData();
const username = data.get("username");
const ticket = data.get("ticket");
console.log(JSON.stringify({ username, ticket }));
const resp = await request<AuthResponse>(fetch, "POST", "/auth/discord/register", {
body: { username, ticket },
});
cookies.set("pronounscc-token", resp.token, { path: "/" });
locals.token = resp.token;
return { token: resp.token, user: resp.user };
},
};

View file

@ -1,5 +1,79 @@
<script lang="ts">
import { onMount } from "svelte";
import { goto } from "$app/navigation";
import { enhance } from "$app/forms";
import type { PageData, ActionData } from "./$types";
export let data: PageData;
export let form: ActionData;
onMount(async () => {
if (data.user) {
await new Promise((r) => setTimeout(r, 3000));
await goto(`/@${data.user.username}`);
}
});
const redirectOnForm = async (action: ActionData) => {
if (form?.user) {
await new Promise((r) => setTimeout(r, 3000));
await goto(`/@${form.user.username}`);
}
};
$: redirectOnForm(form);
</script>
<p>omg its a login page</p>
<div class="container">
{#if form?.user}
<h1 class="title">Successfully created account!</h1>
<p>Welcome, <strong>@{form.user.username}</strong>!</p>
<p>
You should automatically be redirected to your profile in a few seconds. If you're not
redirected, please press the link above.
</p>
{:else if data.loggedIn}
<h1 class="title">Successfully logged in!</h1>
<p>You are now logged in as <a href="/@{data.user?.username}">@{data.user?.username}</a>.</p>
<p>
You should automatically be redirected to your profile in a few seconds. If you're not
redirected, please press the link above.
</p>
{:else}
<h1 class="title">Finish signing up with a Discord account</h1>
<form method="POST" action="?/register" use:enhance>
<div class="field">
<label for="remote_username" class="label">Discord username</label>
<div class="control">
<input
type="text"
name="remote_username"
id="remote_username"
class="input"
value={data.remoteUsername}
disabled
/>
</div>
</div>
<div class="field">
<label for="username" class="label">Username</label>
<div class="control">
<input type="text" name="username" id="username" class="input" placeholder="Username" />
</div>
</div>
<input
type="text"
name="ticket"
id="ticket"
class="hidden"
style="display: hidden;"
value={data.ticket}
/>
<div class="field">
<div class="control">
<button class="button is-primary">Sign up</button>
</div>
</div>
</form>
{/if}
</div>

View file

@ -15,6 +15,9 @@ const config = {
env: {
privatePrefix: "PRIVATE_",
},
csrf: {
checkOrigin: false,
},
},
};