listmonk/internal/auth/auth.go

package auth

import (
	"context"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"sync"

	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/labstack/echo/v4"
	"github.com/labstack/echo/v4/middleware"
	"golang.org/x/oauth2"
)

// UserKey is the key on which the User profile is set on echo handlers.
const UserKey = "auth_user"

// User struct holds the email and name of the authenticatd user.
// It's attached to the echo handler.
type User struct {
	Email   string `json:"name"`
	Name    string `json:"email"`
	Picture string `json:"picture"`
}

type OIDCConfig struct {
	Enabled      bool   `json:"enabled"`
	ProviderURL  string `json:"provider_url"`
	RedirectURL  string `json:"redirect_url"`
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`

	// Skipper defines a function to skip middleware.
	Skipper middleware.Skipper
}

type BasicAuthConfig struct {
	Enabled  bool   `json:"enabled"`
	Username string `json:"username"`
	Password string `json:"password"`
}

type Config struct {
	OIDC      OIDCConfig
	BasicAuth BasicAuthConfig
}

type Auth struct {
	tokens map[string][]byte
	sync.RWMutex

	cfg      oauth2.Config
	verifier *oidc.IDTokenVerifier
	skipper  middleware.Skipper
}

func New(cfg Config) *Auth {
	provider, err := oidc.NewProvider(context.Background(), cfg.OIDC.ProviderURL)
	if err != nil {
		panic(err)
	}
	verifier := provider.Verifier(&oidc.Config{
		ClientID: cfg.OIDC.ClientID,
	})

	oidcConfig := oauth2.Config{
		ClientID:     cfg.OIDC.ClientID,
		ClientSecret: cfg.OIDC.ClientSecret,
		Endpoint:     provider.Endpoint(),
		RedirectURL:  cfg.OIDC.RedirectURL,
		Scopes:       []string{oidc.ScopeOpenID, "profile", "email"},
	}

	return &Auth{
		verifier: verifier,
		cfg:      oidcConfig,
		skipper:  cfg.OIDC.Skipper,
	}
}

// SetTokens caches tokens for authenticating API client calls.
func (o *Auth) SetAPITokens(tokens map[string][]byte) {
	o.Lock()
	defer o.Unlock()

	o.tokens = make(map[string][]byte, len(tokens))
	for user, token := range tokens {
		o.tokens[user] = []byte{}
		copy(o.tokens[user], token)
	}
}

// CheckAPIToken validates an API user+token.
func (o *Auth) CheckAPIToken(user string, token []byte) bool {
	o.RLock()
	t, ok := o.tokens[user]
	o.RUnlock()

	return ok && subtle.ConstantTimeCompare(t, token) == 1
}

// HandleOIDCCallback is the HTTP handler that handles the post-OIDC provider redirect callback.
func (o *Auth) HandleOIDCCallback(c echo.Context) error {
	tk, err := o.cfg.Exchange(c.Request().Context(), c.Request().URL.Query().Get("code"))
	if err != nil {
		return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("error exchanging token: %v", err))
	}

	rawIDTk, ok := tk.Extra("id_token").(string)
	if !ok {
		return echo.NewHTTPError(http.StatusUnauthorized, "`id_token` missing.")
	}

	// idTk, err := o.verifier.Verify(c.Request().Context(), rawIDTk)
	// if err != nil {
	// 	return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("error verifying ID token: %v", err))
	// }

	// nonce, err := c.Cookie("nonce")
	// if err != nil {
	// 	return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("nonce cookie not found: %v", err))
	// }

	// if idTk.Nonce != nonce.Value {
	// 	return echo.NewHTTPError(http.StatusUnauthorized, "nonce did not match")
	// }

	c.SetCookie(&http.Cookie{
		Name:     "id_token",
		Value:    rawIDTk,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
		Path:     "/",
	})

	return c.Redirect(http.StatusTemporaryRedirect, c.Request().URL.Query().Get("state"))
}

func (o *Auth) Middleware(next echo.HandlerFunc) echo.HandlerFunc {
	return func(c echo.Context) error {
		if o.skipper != nil && o.skipper(c) {
			return next(c)
		}

		rawIDTk, err := c.Cookie("id_token")
		if err == nil {
			// Verify the token.
			idTk, err := o.verifier.Verify(c.Request().Context(), rawIDTk.Value)
			if err == nil {
				var user User
				if err := idTk.Claims(&user); err != nil {
					return echo.NewHTTPError(http.StatusInternalServerError,
						fmt.Sprintf("error verifying OIDC claim: %v", user))
				}
				fmt.Println(user)
				c.Set(UserKey, user)

				return next(c)
			}
		} else if err != http.ErrNoCookie {
			return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
		}

		// If the verification failed, redirect to the provider for auth.
		nonce, err := randString(16)
		if err != nil {
			return echo.NewHTTPError(http.StatusInternalServerError, err.Error())
		}
		c.SetCookie(&http.Cookie{
			Name:     "nonce",
			Value:    nonce,
			Secure:   true,
			SameSite: http.SameSiteLaxMode,
			Path:     "/",
		})
		return c.Redirect(http.StatusTemporaryRedirect, o.cfg.AuthCodeURL(c.Request().URL.RequestURI(), oidc.Nonce(nonce)))
	}
}

func randString(nByte int) (string, error) {
	b := make([]byte, nByte)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}
Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`package auth`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00
			`import (`
			`"context"`
			`"crypto/rand"`
Add `api` type user. 2024-05-07 13:38:31 +08:00			`"crypto/subtle"`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00			`"encoding/base64"`
			`"fmt"`
			`"io"`
			`"net/http"`
Add API token authentication. 2024-04-28 01:31:23 +08:00			`"sync"`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00
			`"github.com/coreos/go-oidc/v3/oidc"`
			`"github.com/labstack/echo/v4"`
			`"github.com/labstack/echo/v4/middleware"`
			`"golang.org/x/oauth2"`
			`)`

Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`// UserKey is the key on which the User profile is set on echo handlers.`
			`const UserKey = "auth_user"`

			`// User struct holds the email and name of the authenticatd user.`
			`// It's attached to the echo handler.`
			`type User struct {`
			Email string `json:"name"`
			Name string `json:"email"`
			Picture string `json:"picture"`
			`}`

			`type OIDCConfig struct {`
			Enabled bool `json:"enabled"`
			ProviderURL string `json:"provider_url"`
			RedirectURL string `json:"redirect_url"`
			ClientID string `json:"client_id"`
			ClientSecret string `json:"client_secret"`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00
			`// Skipper defines a function to skip middleware.`
			`Skipper middleware.Skipper`
			`}`

Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`type BasicAuthConfig struct {`
			Enabled bool `json:"enabled"`
			Username string `json:"username"`
			Password string `json:"password"`
			`}`

			`type Config struct {`
			`OIDC OIDCConfig`
			`BasicAuth BasicAuthConfig`
			`}`

			`type Auth struct {`
Add `api` type user. 2024-05-07 13:38:31 +08:00			`tokens map[string][]byte`
			`sync.RWMutex`
Add API token authentication. 2024-04-28 01:31:23 +08:00
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00			`cfg oauth2.Config`
			`verifier *oidc.IDTokenVerifier`
			`skipper middleware.Skipper`
			`}`

Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`func New(cfg Config) *Auth {`
			`provider, err := oidc.NewProvider(context.Background(), cfg.OIDC.ProviderURL)`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00			`if err != nil {`
			`panic(err)`
			`}`
			`verifier := provider.Verifier(&oidc.Config{`
Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`ClientID: cfg.OIDC.ClientID,`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00			`})`

			`oidcConfig := oauth2.Config{`
Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`ClientID: cfg.OIDC.ClientID,`
			`ClientSecret: cfg.OIDC.ClientSecret,`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00			`Endpoint: provider.Endpoint(),`
Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`RedirectURL: cfg.OIDC.RedirectURL,`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00			`Scopes: []string{oidc.ScopeOpenID, "profile", "email"},`
			`}`

Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`return &Auth{`
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00			`verifier: verifier,`
			`cfg: oidcConfig,`
Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`skipper: cfg.OIDC.Skipper,`
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00			`}`
			`}`

Add `api` type user. 2024-05-07 13:38:31 +08:00			`// SetTokens caches tokens for authenticating API client calls.`
			`func (o *Auth) SetAPITokens(tokens map[string][]byte) {`
			`o.Lock()`
			`defer o.Unlock()`
Add API token authentication. 2024-04-28 01:31:23 +08:00
Add `api` type user. 2024-05-07 13:38:31 +08:00			`o.tokens = make(map[string][]byte, len(tokens))`
			`for user, token := range tokens {`
			`o.tokens[user] = []byte{}`
			`copy(o.tokens[user], token)`
Add API token authentication. 2024-04-28 01:31:23 +08:00			`}`
			`}`

Add `api` type user. 2024-05-07 13:38:31 +08:00			`// CheckAPIToken validates an API user+token.`
			`func (o *Auth) CheckAPIToken(user string, token []byte) bool {`
			`o.RLock()`
			`t, ok := o.tokens[user]`
			`o.RUnlock()`

			`return ok && subtle.ConstantTimeCompare(t, token) == 1`
Add API token authentication. 2024-04-28 01:31:23 +08:00			`}`

			`// HandleOIDCCallback is the HTTP handler that handles the post-OIDC provider redirect callback.`
			`func (o *Auth) HandleOIDCCallback(c echo.Context) error {`
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00			`tk, err := o.cfg.Exchange(c.Request().Context(), c.Request().URL.Query().Get("code"))`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00			`if err != nil {`
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00			`return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("error exchanging token: %v", err))`
			`}`

			`rawIDTk, ok := tk.Extra("id_token").(string)`
			`if !ok {`
			return echo.NewHTTPError(http.StatusUnauthorized, "`id_token` missing.")
			`}`

Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`// idTk, err := o.verifier.Verify(c.Request().Context(), rawIDTk)`
			`// if err != nil {`
			`// return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("error verifying ID token: %v", err))`
			`// }`
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00
Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`// nonce, err := c.Cookie("nonce")`
			`// if err != nil {`
			`// return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("nonce cookie not found: %v", err))`
			`// }`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00
Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`// if idTk.Nonce != nonce.Value {`
			`// return echo.NewHTTPError(http.StatusUnauthorized, "nonce did not match")`
			`// }`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00			`c.SetCookie(&http.Cookie{`
			`Name: "id_token",`
			`Value: rawIDTk,`
			`Secure: true,`
Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`SameSite: http.SameSiteLaxMode,`
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00			`Path: "/",`
			`})`

Fix bug in OIDC cookie check. 2024-04-02 17:20:45 +08:00			`return c.Redirect(http.StatusTemporaryRedirect, c.Request().URL.Query().Get("state"))`
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00			`}`

Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`func (o *Auth) Middleware(next echo.HandlerFunc) echo.HandlerFunc {`
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00			`return func(c echo.Context) error {`
			`if o.skipper != nil && o.skipper(c) {`
			`return next(c)`
			`}`

			`rawIDTk, err := c.Cookie("id_token")`
			`if err == nil {`
Fix bug in OIDC cookie check. 2024-04-02 17:20:45 +08:00			`// Verify the token.`
Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`idTk, err := o.verifier.Verify(c.Request().Context(), rawIDTk.Value)`
Fix bug in OIDC cookie check. 2024-04-02 17:20:45 +08:00			`if err == nil {`
Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`var user User`
			`if err := idTk.Claims(&user); err != nil {`
			`return echo.NewHTTPError(http.StatusInternalServerError,`
			`fmt.Sprintf("error verifying OIDC claim: %v", user))`
			`}`
			`fmt.Println(user)`
			`c.Set(UserKey, user)`

Fix bug in OIDC cookie check. 2024-04-02 17:20:45 +08:00			`return next(c)`
			`}`
			`} else if err != http.ErrNoCookie {`
			`return echo.NewHTTPError(http.StatusInternalServerError, err.Error())`
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00			`}`

			`// If the verification failed, redirect to the provider for auth.`
			`nonce, err := randString(16)`
			`if err != nil {`
			`return echo.NewHTTPError(http.StatusInternalServerError, err.Error())`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00			`}`
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00			`c.SetCookie(&http.Cookie{`
			`Name: "nonce",`
			`Value: nonce,`
			`Secure: true,`
Add create/add/delete user management UI and database schema. 2024-04-03 02:43:57 +08:00			`SameSite: http.SameSiteLaxMode,`
Refactor the `oidc` package and separate out handlers. 2024-04-02 17:00:12 +08:00			`Path: "/",`
			`})`
Fix bug in OIDC cookie check. 2024-04-02 17:20:45 +08:00			`return c.Redirect(http.StatusTemporaryRedirect, o.cfg.AuthCodeURL(c.Request().URL.RequestURI(), oidc.Nonce(nonce)))`
Implement OIDC This is a simple OIDC implementation. It's very basic and just logs the user in. Access control needs to be done on the IDP side. 2024-02-05 00:32:57 +08:00			`}`
			`}`

			`func randString(nByte int) (string, error) {`
			`b := make([]byte, nByte)`
			`if _, err := io.ReadFull(rand.Reader, b); err != nil {`
			`return "", err`
			`}`
			`return base64.RawURLEncoding.EncodeToString(b), nil`
			`}`