iv-org-mirror/invidious-copy-2022-08-14
1
0
Fork 0
mirror of https://gitea.invidious.io/iv-org/invidious-copy-2022-08-14.git synced 2024-08-15 00:53:20 +00:00
Code Issues Projects Releases Packages Wiki Activity

Support for multiple oauth backends

Browse source
This commit is contained in:
choelzl 2022-08-07 23:27:57 +02:00
parent b468a9dacc
commit 77ad2a5818
No known key found for this signature in database
GPG key ID: A362EA0491E2EEA0
7 changed files with 78 additions and 43 deletions
Download patch file Download diff file Expand all files Collapse all files

28
config/config.example.yml
View file

@ -296,8 +296,8 @@ https_only: false
#admins: [""]
##
## Force Authentication Backend
## If not provided falls back to the type query parameter
## List of Enabled Authentication Backend
## If not provided falls back to enabling all
##
## Supported Values:
## - invidious
@ -306,21 +306,27 @@ https_only: false
## - ldap (Not implemented !)
## - saml (Not implemented !)
##
## Default: nil
## Default: ["invidious","google","oauth"]
##
# auth_type: oauth
# auth_type: ["oauth"]
##
## OAuth Configuration
##
## Notes:
## - Supports multiple OAuth backends
## - Requires external_port and domain to be configured
##
## Default: []
##
# oauth:
# host: oauth.example.net
# auth_uri: /oauth/authorize
# token_uri: /oauth/token
# info_uri: /oauth/userinfo
# client_id: CLIENT_ID
# client_secret: CLIENT_SECRET
# redirect_uri: https://invidious.example.net/login/oauth
# - host: oauth.example.net
# auth_uri: /oauth/authorize/
# token_uri: /oauth/token/
# info_uri: /oauth/userinfo/
# client_id: CLIENT_ID
# client_secret: CLIENT_SECRET
# redirect_uri: https://invidious.example.net/login/oauth
# -----------------------------

5
src/invidious/config.cr
View file

@ -17,7 +17,6 @@ struct OAuthConfig
property info_uri : String
property client_id : String
property client_secret : String
property redirect_uri : String
end
struct ConfigPreferences
@ -135,8 +134,8 @@ class Config
# Use quic transport for youtube api
property use_quic : Bool = false
property auth_type : String? = nil
property oauth : OAuthConfig? = nil
property auth_type : Array(String) = ["invidious", "google", "oauth"] of String
property oauth : Array(OAuthConfig) = [] of OAuthConfig
# Saved cookies in "name1=value1; name2=value2..." format
@[YAML::Field(converter: Preferences::StringToCookies)]

29
src/invidious/helpers/oauth.cr
View file

@ -1,27 +1,38 @@
def oauth_get()
if oauth = CONFIG.oauth
def oauth_get(idx)
if HOST_URL == ""
raise Exception.new("Missing domain and port configuration")
end
if idx > CONFIG.oauth.size
raise Exception.new("Invalid OAuth Endpoint Index: " + idx.to_s)
end
if oauth = CONFIG.oauth[idx]
oauth_host = oauth.host
oauth_auth_uri = oauth.auth_uri
oauth_token_uri = oauth.token_uri
oauth_info_uri = oauth.info_uri
oauth_client_id = oauth.client_id
oauth_client_secret = oauth.client_secret
oauth_redirect_uri = oauth.redirect_uri
oauth_redirect_uri = HOST_URL + "/login/oauth/" + idx.to_s
OAuth2::Client.new(oauth_host, oauth_client_id, oauth_client_secret,
authorize_uri: oauth_auth_uri, token_uri: oauth_token_uri,
redirect_uri: oauth_redirect_uri)
authorize_uri: oauth_auth_uri, token_uri: oauth_token_uri,
redirect_uri: oauth_redirect_uri)
else
raise Exception.new("Missing OAuth Config")
end
end
def oauth_auth(authorization_code)
oauth_get().get_access_token_using_authorization_code(authorization_code)
def oauth_auth(idx, authorization_code)
oauth_get(idx).get_access_token_using_authorization_code(authorization_code)
end
def oauth_info(token)
if oauth = CONFIG.oauth
def oauth_info(idx, token)
if idx > CONFIG.oauth.size
raise Exception.new("Invalid OAuth Endpoint Index: " + idx.to_s)
end
if oauth = CONFIG.oauth[idx]
oauth_host = oauth.host
oauth_info_uri = oauth.info_uri

38
src/invidious/routes/login.cr
View file

@ -21,10 +21,17 @@ module Invidious::Routes::Login
account_type = env.params.query["type"]?
account_type ||= "invidious"
if CONFIG.auth_type
account_type = CONFIG.auth_type
if CONFIG.auth_type.find { |i| i == account_type } == nil
if CONFIG.auth_type.size == 0
account_type = "invidious"
else
account_type = CONFIG.auth_type[0]
end
end
oauth = CONFIG.auth_type.find { |i| i == "oauth" } && (CONFIG.oauth.size > 0)
oauth_providers = CONFIG.oauth
captcha_type = env.params.query["captcha"]?
captcha_type ||= "image"
@ -43,10 +50,12 @@ module Invidious::Routes::Login
referer = get_referer(env, "/feed/subscriptions")
authorization_code = env.params.query["code"]?
provider_idx = env.params.url["provider"].to_i
if authorization_code
begin
token = oauth_auth(authorization_code)
info = JSON.parse(oauth_info(token))
token = oauth_auth(provider_idx, authorization_code)
info = JSON.parse(oauth_info(provider_idx, token))
email = info["email"].as_s
user = Invidious::Database::Users.select(email: email)
if user
@ -60,10 +69,6 @@ module Invidious::Routes::Login
env.response.cookies << cookie
end
else
if !CONFIG.registration_enabled
return error_template(400, "Registration has been disabled by administrator.")
end
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
user, sid = create_user(sid, email)
@ -91,10 +96,10 @@ module Invidious::Routes::Login
env.redirect referer
rescue
return error_template(403, "Invalid Authorization Code");
return error_template(403, "Invalid Authorization Code")
end
else
return error_template(403, "Missing Authorization Code");
return error_template(403, "Missing Authorization Code")
end
end
@ -110,12 +115,18 @@ module Invidious::Routes::Login
# https://stackoverflow.com/a/574698
email = env.params.body["email"]?.try &.downcase.byte_slice(0, 254)
password = env.params.body["password"]?
oauth = CONFIG.auth_type.find { |i| i == "oauth" } && (CONFIG.oauth.size > 0)
oauth_providers = CONFIG.oauth
account_type = env.params.query["type"]?
account_type ||= "invidious"
if CONFIG.auth_type
account_type = CONFIG.auth_type
if CONFIG.auth_type.size == 0
return error_template(401, "No authentication backend enabled.")
end
if CONFIG.auth_type.find { |i| i == account_type } == nil
account_type = CONFIG.auth_type[0]
end
case account_type
@ -381,7 +392,8 @@ module Invidious::Routes::Login
return error_template(500, error_message)
end
when "oauth"
env.redirect oauth_get().get_authorize_uri("openid email profile")
provider_idx = env.params.body["provider"].to_i
env.redirect oauth_get(provider_idx).get_authorize_uri("openid email profile")
when "saml"
return error_template(500, "Not implemented")
when "ldap"

2
src/invidious/routing.cr
View file

@ -13,7 +13,7 @@ end
macro define_user_routes
# User login/out
Invidious::Routing.get "/login", Invidious::Routes::Login, :login_page
Invidious::Routing.get "/login/oauth", Invidious::Routes::Login, :login_oauth
Invidious::Routing.get "/login/oauth/:provider", Invidious::Routes::Login, :login_oauth
Invidious::Routing.post "/login", Invidious::Routes::Login, :login
Invidious::Routing.post "/signout", Invidious::Routes::Login, :signout
Invidious::Routing.get "/Captcha", Invidious::Routes::Login, :captcha

1
src/invidious/users.cr
View file

@ -90,7 +90,6 @@ def create_user(sid, email)
return user, sid
end
def create_user(sid, email, password)
password = Crypto::Bcrypt::Password.create(password, cost: 10)
token = Base64.urlsafe_encode(Random::Secure.random_bytes(32))

8
src/invidious/views/user/login.ecr
View file

@ -46,6 +46,11 @@
<% when "oauth" %>
<form class="pure-form pure-form-stacked" action="/login?referer=<%= URI.encode_www_form(referer) %>&type=oauth" method="post">
<fieldset>
<select name="provider" id="provider">
<% oauth_providers.each_index do |idx| %>
<option value="<%= idx %>"><%= oauth_providers[idx].host %></option>
<% end %>
</select>
<button type="submit" class="pure-button pure-button-primary"><%= translate(locale, "Sign In via OAuth") %></button>
</fieldset>
</form>
@ -110,6 +115,9 @@
<%= translate(locale, "Sign In") %>/<%= translate(locale, "Register") %>
</button>
<% end %>
<% if oauth %>
<a class="pure-button pure-button-secondary" href="/login?referer=<%= URI.encode_www_form(referer) %>&type=oauth">OAuth</a>
<% end %>
</fieldset>
</form>
<% end %>