add frontend template + GET /users/{userRef} route

2022-05-04 16:27:16 +02:00 · 2022-05-04 16:27:16 +02:00 · 580449440a
commit 580449440a
parent 5a75f99720
28 changed files with 1393 additions and 12 deletions
--- a/backend/routes/auth/discord.go
+++ b/backend/routes/auth/discord.go
@ -1,12 +1,18 @@
 package auth

 import (
+	"net/http"
 	"os"

+	"github.com/bwmarrin/discordgo"
+	"github.com/go-chi/render"
+	"gitlab.com/1f320/pronouns/backend/db"
+	"gitlab.com/1f320/pronouns/backend/log"
+	"gitlab.com/1f320/pronouns/backend/server"
 	"golang.org/x/oauth2"
 )

-var oauthConfig = oauth2.Config{
+var discordOAuthConfig = oauth2.Config{
 	ClientID:     os.Getenv("DISCORD_CLIENT_ID"),
 	ClientSecret: os.Getenv("DISCORD_CLIENT_SECRET"),
 	Endpoint: oauth2.Endpoint{
@ -16,3 +22,80 @@ var oauthConfig = oauth2.Config{
 	},
 	Scopes: []string{"identify"},
 }
+
+type oauthCallbackRequest struct {
+	Code  string `json:"code"`
+	State string `json:"state"`
+}
+
+type discordCallbackResponse struct {
+	HasAccount bool `json:"has_account"` // if true, Token and User will be set. if false, Ticket and Discord will be set
+
+	Token string   `json:"token,omitempty"`
+	User  *db.User `json:"user,omitempty"`
+
+	Discord string `json:"discord,omitempty"` // username, for UI purposes
+	Ticket  string `json:"ticket,omitempty"`
+}
+
+func (s *Server) discordCallback(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+
+	decoded, err := Decode[oauthCallbackRequest](r)
+	if err != nil {
+		return server.APIError{Code: server.ErrBadRequest}
+	}
+
+	// if the state can't be validated, return
+	if valid, err := s.validateCSRFState(ctx, decoded.State); !valid {
+		if err != nil {
+			return err
+		}
+
+		return server.APIError{Code: server.ErrInvalidState}
+	}
+
+	token, err := discordOAuthConfig.Exchange(r.Context(), decoded.Code)
+	if err != nil {
+		log.Errorf("exchanging oauth code: %v", err)
+
+		return server.APIError{Code: server.ErrInvalidOAuthCode}
+	}
+
+	dg, _ := discordgo.New(token.Type() + " " + token.AccessToken)
+	du, err := dg.User("@me")
+	if err != nil {
+		return err
+	}
+
+	u, err := s.DB.DiscordUser(ctx, du.ID)
+	if err == nil {
+		err = u.UpdateFromDiscord(ctx, s.DB, du)
+		if err != nil {
+			log.Errorf("updating user %v with Discord info: %v", u.ID, err)
+		}
+
+		token, err := s.Auth.CreateToken(u.ID)
+		if err != nil {
+			return err
+		}
+
+		render.JSON(w, r, discordCallbackResponse{
+			HasAccount: true,
+			Token:      token,
+			User:       &u,
+		})
+	} else if err != db.ErrUserNotFound { // internal error
+		return err
+	}
+
+	// no user found, so save a ticket
+
+	return nil
+}
+
+func Decode[T any](r *http.Request) (T, error) {
+	decoded := *new(T)
+
+	return decoded, render.Decode(r, &decoded)
+}
--- a/backend/routes/auth/oauth.go
+++ b/backend/routes/auth/oauth.go
@ -0,0 +1,41 @@
+package auth
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+
+	"github.com/mediocregopher/radix/v4"
+)
+
+// numStates is the number of CSRF states stored in Redis at any one time.
+// This must be an integer.
+const numStates = "1000"
+
+// setCSRFState generates a random string to use as state, then stores that in Redis.
+func (s *Server) setCSRFState(ctx context.Context) (string, error) {
+	b := make([]byte, 32)
+
+	_, err := rand.Read(b)
+	if err != nil {
+		panic(err)
+	}
+
+	state := base64.URLEncoding.EncodeToString(b)
+
+	err = s.DB.MultiCmd(ctx,
+		radix.Cmd(nil, "LPUSH", "csrf", state),
+		radix.Cmd(nil, "LTRIM", "csrf", "0", numStates),
+	)
+	return state, err
+}
+
+// validateCSRFState checks if the given state exists in Redis.
+func (s *Server) validateCSRFState(ctx context.Context, state string) (matched bool, err error) {
+	var num int
+	err = s.DB.Redis.Do(ctx, radix.Cmd(&num, "LREM", "csrf", "1", state))
+	if err != nil {
+		return
+	}
+	return num > 0, nil
+}
--- a/backend/routes/auth/routes.go
+++ b/backend/routes/auth/routes.go
@ -3,7 +3,9 @@ package auth
 import (
 	"net/http"

+	"emperror.dev/errors"
 	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/render"
 	"gitlab.com/1f320/pronouns/backend/server"
 )

@ -13,15 +15,46 @@ type Server struct {

 func Mount(srv *server.Server, r chi.Router) {
 	s := &Server{srv}
-	_ = s

-	r.Route("/auth/discord", func(r chi.Router) {
-		r.Get("/authorize", nil) // generate csrf token, returns URL
-		r.Get("/callback", nil)  // takes code + state, validates it, returns token OR discord signup ticket
-		r.Get("/signup", nil)    // takes discord signup ticket to register account
+	r.Route("/auth", func(r chi.Router) {
+		// generate csrf token, returns all supported OAuth provider URLs
+		r.Get("/urls", server.WrapHandler(s.oauthURLs))

-		r.Get("/test", func(w http.ResponseWriter, r *http.Request) {
-			w.Write([]byte("hello world!"))
+		r.Route("/discord", func(r chi.Router) {
+			// takes code + state, validates it, returns token OR discord signup ticket
+			r.Post("/callback", nil)
+			// takes discord signup ticket to register account
+			r.Post("/signup", nil)
 		})
 	})
 }
+
+type oauthURLsRequest struct {
+	CallbackURL string `json:"callback_url"`
+}
+
+type oauthURLsResponse struct {
+	Discord string `json:"discord"`
+}
+
+func (s *Server) oauthURLs(w http.ResponseWriter, r *http.Request) error {
+	req, err := Decode[oauthURLsRequest](r)
+	if err != nil {
+		return server.APIError{Code: server.ErrBadRequest}
+	}
+
+	// generate CSRF state
+	state, err := s.setCSRFState(r.Context())
+	if err != nil {
+		return errors.Wrap(err, "setting CSRF state")
+	}
+
+	// copy Discord config and set redirect url
+	discordCfg := discordOAuthConfig
+	discordCfg.RedirectURL = req.CallbackURL
+
+	render.JSON(w, r, oauthURLsResponse{
+		Discord: discordCfg.AuthCodeURL(state),
+	})
+	return nil
+}
--- a/backend/routes/user/get_user.go
+++ b/backend/routes/user/get_user.go
@ -0,0 +1,70 @@
+package user
+
+import (
+	"net/http"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/render"
+	"github.com/rs/xid"
+	"gitlab.com/1f320/pronouns/backend/db"
+	"gitlab.com/1f320/pronouns/backend/log"
+	"gitlab.com/1f320/pronouns/backend/server"
+)
+
+type GetUserResponse struct {
+	ID          xid.ID   `json:"id"`
+	Username    string   `json:"username"`
+	DisplayName *string  `json:"display_name"`
+	Bio         *string  `json:"bio"`
+	AvatarURL   *string  `json:"avatar_url"`
+	Links       []string `json:"links"`
+}
+
+type PartialMember struct {
+	ID        xid.ID  `json:"id"`
+	Name      string  `json:"name"`
+	AvatarURL *string `json:"avatar_url"`
+}
+
+func dbUserToResponse(u db.User) GetUserResponse {
+	return GetUserResponse{
+		ID:          u.ID,
+		Username:    u.Username,
+		DisplayName: u.DisplayName,
+		Bio:         u.Bio,
+		AvatarURL:   u.AvatarURL,
+		Links:       u.Links,
+	}
+}
+
+func (s *Server) getUser(w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+
+	userRef := chi.URLParamFromCtx(ctx, "userRef")
+
+	if id, err := xid.FromString(userRef); err == nil {
+		u, err := s.DB.User(ctx, id)
+		if err == nil {
+			render.JSON(w, r, dbUserToResponse(u))
+			return nil
+		} else if err != db.ErrUserNotFound {
+			log.Errorf("Error getting user by ID: %v", err)
+			return err
+		}
+		// otherwise, we fall back to checking usernames
+	}
+
+	u, err := s.DB.Username(ctx, userRef)
+	if err == db.ErrUserNotFound {
+		return server.APIError{
+			Code: server.ErrUserNotFound,
+		}
+
+	} else if err != nil {
+		log.Errorf("Error getting user by username: %v", err)
+		return err
+	}
+
+	render.JSON(w, r, dbUserToResponse(u))
+	return nil
+}
--- a/backend/routes/user/routes.go
+++ b/backend/routes/user/routes.go
@ -0,0 +1,20 @@
+package user
+
+import (
+	"github.com/go-chi/chi/v5"
+	"gitlab.com/1f320/pronouns/backend/server"
+)
+
+type Server struct {
+	*server.Server
+}
+
+func Mount(srv *server.Server, r chi.Router) {
+	s := &Server{srv}
+
+	r.Route("/users", func(r chi.Router) {
+		r.With(server.MustAuth).Get("/@me", server.WrapHandler(nil))
+
+		r.Get("/{userRef}", server.WrapHandler(s.getUser))
+	})
+}