Optional password protection for the web server
This commit is contained in:
		
							parent
							
								
									3bc37857bb
								
							
						
					
					
						commit
						3b034dd6e5
					
				
					 9 changed files with 103 additions and 32 deletions
				
			
		|  | @ -71,7 +71,7 @@ server { | ||||||
| 	client_max_body_size 5M; | 	client_max_body_size 5M; | ||||||
| 
 | 
 | ||||||
| 	location / { | 	location / { | ||||||
| 		add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; | 		add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; | ||||||
| 		proxy_pass http://127.0.0.1:6693; | 		proxy_pass http://127.0.0.1:6693; | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  |  | ||||||
|  | @ -141,6 +141,7 @@ function defineEchoHandler() { | ||||||
| 		console.log("OOYE has its own web server. It needs to be accessible on the public internet.") | 		console.log("OOYE has its own web server. It needs to be accessible on the public internet.") | ||||||
| 		console.log("You need to enter a public URL where you will be able to host this web server.") | 		console.log("You need to enter a public URL where you will be able to host this web server.") | ||||||
| 		console.log("OOYE listens on localhost:6693, so you will probably have to set up a reverse proxy.") | 		console.log("OOYE listens on localhost:6693, so you will probably have to set up a reverse proxy.") | ||||||
|  | 		console.log("Examples: https://gitdab.com/cadence/out-of-your-element/src/branch/main/docs/get-started.md#appendix") | ||||||
| 		console.log("Now listening on port 6693. Feel free to send some test requests.") | 		console.log("Now listening on port 6693. Feel free to send some test requests.") | ||||||
| 		/** @type {{bridge_origin: string}} */ | 		/** @type {{bridge_origin: string}} */ | ||||||
| 		const bridgeOriginResponse = await prompt({ | 		const bridgeOriginResponse = await prompt({ | ||||||
|  | @ -207,6 +208,15 @@ function defineEchoHandler() { | ||||||
| 			}) | 			}) | ||||||
| 		} | 		} | ||||||
| 
 | 
 | ||||||
|  | 		console.log("Would you like to require a password to add your bot to servers? This will discourage others from using your bridge.") | ||||||
|  | 		console.log("Important: To make it truly private, you MUST ALSO disable Public Bot in the Discord bot configuration page.") | ||||||
|  | 		/** @type {{web_password: string}} */ | ||||||
|  | 		const passwordResponse = await prompt({ | ||||||
|  | 			type: "text", | ||||||
|  | 			name: "web_password", | ||||||
|  | 			message: "Choose a simple password (optional)" | ||||||
|  | 		}) | ||||||
|  | 
 | ||||||
| 		console.log("What is your Discord client secret?") | 		console.log("What is your Discord client secret?") | ||||||
| 		console.log(`You can find it in the application's OAuth2 section: https://discord.com/developers/applications/${client.id}/oauth2`) | 		console.log(`You can find it in the application's OAuth2 section: https://discord.com/developers/applications/${client.id}/oauth2`) | ||||||
| 		/** @type {{discord_client_secret: string}} */ | 		/** @type {{discord_client_secret: string}} */ | ||||||
|  | @ -244,7 +254,8 @@ function defineEchoHandler() { | ||||||
| 				...bridgeOriginResponse, | 				...bridgeOriginResponse, | ||||||
| 				server_origin: serverOrigin, | 				server_origin: serverOrigin, | ||||||
| 				...discordTokenResponse, | 				...discordTokenResponse, | ||||||
| 				...clientSecretResponse | 				...clientSecretResponse, | ||||||
|  | 				...passwordResponse | ||||||
| 			} | 			} | ||||||
| 		} | 		} | ||||||
| 		registration.reg = reg | 		registration.reg = reg | ||||||
|  |  | ||||||
							
								
								
									
										3
									
								
								src/types.d.ts
									
										
									
									
										vendored
									
									
								
							
							
						
						
									
										3
									
								
								src/types.d.ts
									
										
									
									
										vendored
									
									
								
							|  | @ -29,7 +29,8 @@ export type AppServiceRegistrationConfig = { | ||||||
| 		include_user_id_in_mxid: boolean | 		include_user_id_in_mxid: boolean | ||||||
| 		invite: string[] | 		invite: string[] | ||||||
| 		discord_origin?: string | 		discord_origin?: string | ||||||
| 		discord_cdn_origin?: string | 		discord_cdn_origin?: string, | ||||||
|  | 		web_password: string | ||||||
| 	} | 	} | ||||||
| 	old_bridge?: { | 	old_bridge?: { | ||||||
| 		as_token: string | 		as_token: string | ||||||
|  |  | ||||||
|  | @ -23,7 +23,7 @@ async function getManagedGuilds(event) { | ||||||
| 
 | 
 | ||||||
| /** | /** | ||||||
|  * @param {h3.H3Event} event |  * @param {h3.H3Event} event | ||||||
|  * @returns {ReturnType<typeof h3.useSession<{userID?: string, mxid?: string, managedGuilds?: string[], state?: string, selfService?: boolean}>>} |  * @returns {ReturnType<typeof h3.useSession<{userID?: string, mxid?: string, managedGuilds?: string[], state?: string, selfService?: boolean, password?: string}>>} | ||||||
|  */ |  */ | ||||||
| function useSession(event) { | function useSession(event) { | ||||||
| 	return h3.useSession(event, {password: reg.as_token}) | 	return h3.useSession(event, {password: reg.as_token}) | ||||||
|  |  | ||||||
|  | @ -1,10 +1,27 @@ | ||||||
| extends includes/template.pug | extends includes/template.pug | ||||||
| 
 | 
 | ||||||
| block body | block body | ||||||
|  |   - let locked = reg.ooye.web_password && reg.ooye.web_password !== session.data.password | ||||||
|  | 
 | ||||||
|  |   if locked | ||||||
|  |     aside.s-notice.s-notice__warning.p8 | ||||||
|  |       .d-flex.flex__center.jc-space-between.s-banner--container.g8(class="md:fw-wrap") | ||||||
|  |         .d-flex.ai-center.g8 | ||||||
|  |           .flex--item!= icons.Icons.IconLock | ||||||
|  |           p.m0 <strong>Private instance.</strong> You need the password to use this instance of Out Of Your Element. | ||||||
|  |         form(method="post" action="/api/password") | ||||||
|  |           input.s-input(placeholder="Enter password" name="password") | ||||||
|  | 
 | ||||||
|  |     .h32 | ||||||
|  | 
 | ||||||
|  |     .s-page-title.mb24 | ||||||
|  |       h1.s-page-title--header Out Of Your Element | ||||||
|  | 
 | ||||||
|  |   else | ||||||
|     .s-page-title.mb24 |     .s-page-title.mb24 | ||||||
|       h1.s-page-title--header Bridge a Discord server |       h1.s-page-title--header Bridge a Discord server | ||||||
| 
 | 
 | ||||||
|   .d-grid.g24.grid__2(class="sm:grid__1") |     .d-grid.g24.grid__2.mb24(class="sm:grid__1") | ||||||
|       .s-card.bs-md.d-flex.fd-column |       .s-card.bs-md.d-flex.fd-column | ||||||
|         h2 Easy mode |         h2 Easy mode | ||||||
|         p Add the bot to your Discord server. |         p Add the bot to your Discord server. | ||||||
|  | @ -22,3 +39,18 @@ block body | ||||||
|         a.s-btn.s-btn__outlined.s-btn__icon(href=rel("/oauth?action=add-self-service")) |         a.s-btn.s-btn__outlined.s-btn__icon(href=rel("/oauth?action=add-self-service")) | ||||||
|           != icons.Icons.IconUnorderedList |           != icons.Icons.IconUnorderedList | ||||||
|           = ` Set up self-service` |           = ` Set up self-service` | ||||||
|  | 
 | ||||||
|  |   .s-prose | ||||||
|  |     h2 What is this? | ||||||
|  |     p #[a(href="https://gitdab.com/cadence/out-of-your-element") Out Of Your Element] is a bridge between the Discord and Matrix chat apps. It lets people on both platforms chat with each other without needing to get everyone on the same app. | ||||||
|  |     p Just chat like usual, and the bridge will forward messages back and forth between the two platforms, so everyone sees the whole conversation. | ||||||
|  |     p All kinds of content are supported, including pictures, threads, emojis, and @mentions. | ||||||
|  |     p It's really easy to set up, even if you only have Discord. Just add the bot to your server, and it'll make everything available on Matrix automatically. | ||||||
|  | 
 | ||||||
|  |     if locked | ||||||
|  |       h2 This is a private instance | ||||||
|  |       p Anybody can run their own instance of the Out Of Your Element software. The person running this instance has made it private, so you can't add it to your server just yet. If you know the people in charge of #{reg.ooye.server_name}, ask them for the password. | ||||||
|  | 
 | ||||||
|  |       h2 Run your own instance | ||||||
|  |       p You can still use Out Of Your Element by running your own copy of the software, but this requires some technical skill. | ||||||
|  |       p To get started, #[a(href="https://gitdab.com/cadence/out-of-your-element/src/branch/main/docs/get-started.md") check the installation instructions.] | ||||||
|  |  | ||||||
|  | @ -61,6 +61,9 @@ html(lang="en") | ||||||
|     <link rel="icon" href="data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22 viewBox=%220 0 100 80%22><text y=%22.83em%22 font-size=%2283%22>💬</text></svg>"> |     <link rel="icon" href="data:image/svg+xml,<svg xmlns=%22http://www.w3.org/2000/svg%22 viewBox=%220 0 100 80%22><text y=%22.83em%22 font-size=%2283%22>💬</text></svg>"> | ||||||
|     meta(name="htmx-config" content='{"requestClass":"is-loading"}') |     meta(name="htmx-config" content='{"requestClass":"is-loading"}') | ||||||
|     style. |     style. | ||||||
|  |       .s-prose a { | ||||||
|  |         text-decoration: underline; | ||||||
|  |       } | ||||||
|       .themed { |       .themed { | ||||||
|         --theme-base-primary-color-h: 266; |         --theme-base-primary-color-h: 266; | ||||||
|         --theme-base-primary-color-s: 53%; |         --theme-base-primary-color-s: 53%; | ||||||
|  |  | ||||||
|  | @ -37,6 +37,7 @@ as.router.get("/oauth", defineEventHandler(async event => { | ||||||
| 	const session = await auth.useSession(event) | 	const session = await auth.useSession(event) | ||||||
| 	let scope = "guilds" | 	let scope = "guilds" | ||||||
| 
 | 
 | ||||||
|  | 	if (!reg.ooye.web_password || reg.ooye.web_password === session.data.password) { | ||||||
| 		const parsedFirstQuery = await getValidatedQuery(event, schema.first.safeParse) | 		const parsedFirstQuery = await getValidatedQuery(event, schema.first.safeParse) | ||||||
| 		if (parsedFirstQuery.data?.action === "add") { | 		if (parsedFirstQuery.data?.action === "add") { | ||||||
| 			scope = "bot+guilds" | 			scope = "bot+guilds" | ||||||
|  | @ -45,6 +46,7 @@ as.router.get("/oauth", defineEventHandler(async event => { | ||||||
| 			scope = "bot+guilds" | 			scope = "bot+guilds" | ||||||
| 			await session.update({selfService: true}) | 			await session.update({selfService: true}) | ||||||
| 		} | 		} | ||||||
|  | 	} | ||||||
| 
 | 
 | ||||||
| 	async function tryAgain() { | 	async function tryAgain() { | ||||||
| 		const newState = randomUUID() | 		const newState = randomUUID() | ||||||
|  |  | ||||||
							
								
								
									
										21
									
								
								src/web/routes/password.js
									
										
									
									
									
										Normal file
									
								
							
							
						
						
									
										21
									
								
								src/web/routes/password.js
									
										
									
									
									
										Normal file
									
								
							|  | @ -0,0 +1,21 @@ | ||||||
|  | // @ts-check
 | ||||||
|  | 
 | ||||||
|  | const {z} = require("zod") | ||||||
|  | const {defineEventHandler, readValidatedBody, sendRedirect} = require("h3") | ||||||
|  | const {as, sync} = require("../../passthrough") | ||||||
|  | 
 | ||||||
|  | /** @type {import("../auth")} */ | ||||||
|  | const auth = sync.require("../auth") | ||||||
|  | 
 | ||||||
|  | const schema = { | ||||||
|  | 	password: z.object({ | ||||||
|  | 		password: z.string() | ||||||
|  | 	}) | ||||||
|  | } | ||||||
|  | 
 | ||||||
|  | as.router.post("/api/password", defineEventHandler(async event => { | ||||||
|  | 	const {password} = await readValidatedBody(event, schema.password.parse) | ||||||
|  | 	const session = await auth.useSession(event) | ||||||
|  | 	await session.update({password}) | ||||||
|  | 	return sendRedirect(event, "../") | ||||||
|  | })) | ||||||
|  | @ -30,8 +30,9 @@ sync.require("./routes/download-discord") | ||||||
| sync.require("./routes/guild-settings") | sync.require("./routes/guild-settings") | ||||||
| sync.require("./routes/guild") | sync.require("./routes/guild") | ||||||
| sync.require("./routes/link") | sync.require("./routes/link") | ||||||
| sync.require("./routes/oauth") |  | ||||||
| sync.require("./routes/log-in-with-matrix") | sync.require("./routes/log-in-with-matrix") | ||||||
|  | sync.require("./routes/oauth") | ||||||
|  | sync.require("./routes/password") | ||||||
| 
 | 
 | ||||||
| // Files
 | // Files
 | ||||||
| 
 | 
 | ||||||
|  |  | ||||||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue