Implemented OATUH login & multiple backends

This commit is contained in:
choelzl 2023-03-19 12:22:08 +01:00
parent 26ea676b8d
commit a773b6cc9c
No known key found for this signature in database
GPG key ID: A362EA0491E2EEA0
8 changed files with 226 additions and 39 deletions

View file

@ -307,6 +307,40 @@ https_only: false
## ##
#enable_user_notifications: true #enable_user_notifications: true
##
## List of Enabled Authentication Backend
## If not provided falls back to default
##
## Supported Values:
## - invidious
## - google
## - oauth
## - ldap (Not implemented !)
## - saml (Not implemented !)
##
## Default: ["invidious","google","oauth"]
##
# auth_type: ["oauth"]
##
## OAuth Configuration
##
## Notes:
## - Supports multiple OAuth backends
## - Requires external_port and domain to be configured
##
## Default: []
##
# oauth:
# example:
# host: oauth.example.net
# auth_uri: /oauth/authorize/
# token_uri: /oauth/token/
# info_uri: /oauth/userinfo/
# client_id: CLIENT_ID
# client_secret: CLIENT_SECRET
# ----------------------------- # -----------------------------
# Background jobs # Background jobs
# ----------------------------- # -----------------------------

View file

@ -8,6 +8,17 @@ struct DBConfig
property dbname : String property dbname : String
end end
struct OAuthConfig
include YAML::Serializable
property host : String
property auth_uri : String
property token_uri : String
property info_uri : String
property client_id : String
property client_secret : String
end
struct ConfigPreferences struct ConfigPreferences
include YAML::Serializable include YAML::Serializable
@ -129,6 +140,9 @@ class Config
# Use quic transport for youtube api # Use quic transport for youtube api
property use_quic : Bool = false property use_quic : Bool = false
property auth_type : Array(String) = ["invidious", "google", "oauth"]
property oauth = {} of String => OAuthConfig
# Saved cookies in "name1=value1; name2=value2..." format # Saved cookies in "name1=value1; name2=value2..." format
@[YAML::Field(converter: Preferences::StringToCookies)] @[YAML::Field(converter: Preferences::StringToCookies)]
property cookies : HTTP::Cookies = HTTP::Cookies.new property cookies : HTTP::Cookies = HTTP::Cookies.new

View file

@ -0,0 +1,40 @@
require "oauth2"
module Invidious::OAuthHelper
extend self
def get(key)
if HOST_URL == ""
raise Exception.new("Missing domain and port configuration")
end
if provider = CONFIG.oauth[key]?
redirect_uri = "#{HOST_URL}/login/oauth/#{key}"
OAuth2::Client.new(
provider.host,
provider.client_id,
provider.client_secret,
authorize_uri: provider.auth_uri,
token_uri: provider.token_uri,
redirect_uri: redirect_uri
)
else
raise Exception.new("Invalid OAuth Endpoint: " + key)
end
end
def auth(key, authorization_code)
self.get(key).get_access_token_using_authorization_code(authorization_code)
end
def info(key, token)
if provider = CONFIG.oauth[key]?
client = HTTP::Client.new(provider.host, tls: true)
token.authenticate(client)
response = client.get provider.info_uri
client.close
response.body
else
raise Exception.new("Invalid OAuth Endpoint: " + key)
end
end
end

View file

@ -21,6 +21,16 @@ module Invidious::Routes::Login
account_type = env.params.query["type"]? account_type = env.params.query["type"]?
account_type ||= "invidious" account_type ||= "invidious"
if CONFIG.auth_type.find(&.== account_type).nil?
if CONFIG.auth_type.size == 0
account_type = "invidious"
else
account_type = CONFIG.auth_type[0]
end
end
oauth = CONFIG.auth_type.find(&.== "oauth") && (CONFIG.oauth.size > 0)
captcha_type = env.params.query["captcha"]? captcha_type = env.params.query["captcha"]?
captcha_type ||= "image" captcha_type ||= "image"
@ -30,6 +40,35 @@ module Invidious::Routes::Login
templated "user/login" templated "user/login"
end end
def self.login_oauth(env)
locale = env.get("preferences").as(Preferences).locale
referer = get_referer(env, "/feed/subscriptions")
authorization_code = env.params.query["code"]?
provider_k = env.params.url["provider"]
if authorization_code
begin
token = OAuthHelper.auth(provider_k, authorization_code)
info = JSON.parse(OAuthHelper.info(provider_k, token))
email = info["email"].as_s
user = Invidious::Database::Users.select(email: email)
if user
user_flow_existing(env,email)
else
user_flow_new(env,email,nil);
end
rescue
return error_template(403, "Invalid Authorization Code")
end
else
return error_template(403, "Missing Authorization Code")
end
env.redirect referer
end
def self.login(env) def self.login(env)
locale = env.get("preferences").as(Preferences).locale locale = env.get("preferences").as(Preferences).locale
@ -42,10 +81,19 @@ module Invidious::Routes::Login
# https://stackoverflow.com/a/574698 # https://stackoverflow.com/a/574698
email = env.params.body["email"]?.try &.downcase.byte_slice(0, 254) email = env.params.body["email"]?.try &.downcase.byte_slice(0, 254)
password = env.params.body["password"]? password = env.params.body["password"]?
oauth = CONFIG.auth_type.find(&.== "oauth") && (CONFIG.oauth.size > 0)
account_type = env.params.query["type"]? account_type = env.params.query["type"]?
account_type ||= "invidious" account_type ||= "invidious"
if CONFIG.auth_type.size == 0
return error_template(401, "No authentication backend enabled.")
end
if CONFIG.auth_type.find(&.== account_type).nil?
account_type = CONFIG.auth_type[0]
end
case account_type case account_type
when "google" when "google"
tfa_code = env.params.body["tfa"]?.try &.lchop("G-") tfa_code = env.params.body["tfa"]?.try &.lchop("G-")
@ -308,6 +356,13 @@ module Invidious::Routes::Login
error_message = %(#{ex.message}<br/>Traceback:<br/><div style="padding-left:2em" id="traceback">#{traceback.gets_to_end}</div>) error_message = %(#{ex.message}<br/>Traceback:<br/><div style="padding-left:2em" id="traceback">#{traceback.gets_to_end}</div>)
return error_template(500, error_message) return error_template(500, error_message)
end end
when "oauth"
provider_k = env.params.body["provider"]
env.redirect OAuthHelper.get(provider_k).get_authorize_uri("openid email profile")
when "saml"
return error_template(501, "Not implemented")
when "ldap"
return error_template(501, "Not implemented")
when "invidious" when "invidious"
if !email if !email
return error_template(401, "User ID is a required field") return error_template(401, "User ID is a required field")
@ -324,21 +379,10 @@ module Invidious::Routes::Login
return error_template(400, "Please sign in using 'Log in with Google'") return error_template(400, "Please sign in using 'Log in with Google'")
end end
if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) if !Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
Invidious::Database::SessionIDs.insert(sid, email)
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
else
return error_template(401, "Wrong username or password") return error_template(401, "Wrong username or password")
end end
user_flow_existing(env, email)
# Since this user has already registered, we don't want to overwrite their preferences
if env.request.cookies["PREFS"]?
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
else else
if !CONFIG.registration_enabled if !CONFIG.registration_enabled
return error_template(400, "Registration has been disabled by administrator.") return error_template(400, "Registration has been disabled by administrator.")
@ -417,32 +461,7 @@ module Invidious::Routes::Login
end end
end end
end end
user_flow_new(env, email, password);
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
user, sid = create_user(sid, email, password)
if language_header = env.request.headers["Accept-Language"]?
if language = ANG.language_negotiator.best(language_header, LOCALES.keys)
user.preferences.locale = language.header
end
end
Invidious::Database::Users.insert(user)
Invidious::Database::SessionIDs.insert(sid, email)
view_name = "subscriptions_#{sha256(user.email)}"
PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS #{MATERIALIZED_VIEW_SQL.call(user.email)}")
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
if env.request.cookies["PREFS"]?
user.preferences = env.get("preferences").as(Preferences)
Invidious::Database::Users.update_preferences(user)
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
end end
env.redirect referer env.redirect referer
@ -488,4 +507,49 @@ module Invidious::Routes::Login
env.response.headers["Content-Type"] = response.headers["Content-Type"] env.response.headers["Content-Type"] = response.headers["Content-Type"]
response.body response.body
end end
def self.user_flow_existing(env, email)
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
Invidious::Database::SessionIDs.insert(sid, email)
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
# Since this user has already registered, we don't want to overwrite their preferences
if env.request.cookies["PREFS"]?
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
end
def self.user_flow_new(env, email, password)
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
if password
user, sid = create_user(sid, email, password)
else
user, sid = create_user(sid, email)
end
if language_header = env.request.headers["Accept-Language"]?
if language = ANG.language_negotiator.best(language_header, LOCALES.keys)
user.preferences.locale = language.header
end
end
Invidious::Database::Users.insert(user)
Invidious::Database::SessionIDs.insert(sid, email)
view_name = "subscriptions_#{sha256(user.email)}"
PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS #{MATERIALIZED_VIEW_SQL.call(user.email)}")
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
if env.request.cookies["PREFS"]?
user.preferences = env.get("preferences").as(Preferences)
Invidious::Database::Users.update_preferences(user)
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
end
end end

View file

@ -55,6 +55,7 @@ module Invidious::Routing
def register_user_routes def register_user_routes
# User login/out # User login/out
get "/login", Routes::Login, :login_page get "/login", Routes::Login, :login_page
get "/login/oauth/:provider", Routes::Login, :login_oauth
post "/login", Routes::Login, :login post "/login", Routes::Login, :login
post "/signout", Routes::Login, :signout post "/signout", Routes::Login, :signout
get "/Captcha", Routes::Login, :captcha get "/Captcha", Routes::Login, :captcha

View file

@ -14,6 +14,7 @@ struct Invidious::User
return HTTP::Cookie.new( return HTTP::Cookie.new(
name: "SID", name: "SID",
domain: domain, domain: domain,
path: "/",
value: sid, value: sid,
expires: Time.utc + 2.years, expires: Time.utc + 2.years,
secure: SECURE, secure: SECURE,
@ -28,6 +29,7 @@ struct Invidious::User
return HTTP::Cookie.new( return HTTP::Cookie.new(
name: "PREFS", name: "PREFS",
domain: domain, domain: domain,
path: "/",
value: URI.encode_www_form(preferences.to_json), value: URI.encode_www_form(preferences.to_json),
expires: Time.utc + 2.years, expires: Time.utc + 2.years,
secure: SECURE, secure: SECURE,

View file

@ -72,6 +72,24 @@ def fetch_user(sid, headers)
return user, sid return user, sid
end end
def create_user(sid, email)
token = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
user = Invidious::User.new({
updated: Time.utc,
notifications: [] of String,
subscriptions: [] of String,
email: email,
preferences: Preferences.new(CONFIG.default_user_preferences.to_tuple),
password: nil,
token: token,
watched: [] of String,
feed_needs_update: true,
})
return user, sid
end
def create_user(sid, email, password) def create_user(sid, email, password)
password = Crypto::Bcrypt::Password.create(password, cost: 10) password = Crypto::Bcrypt::Password.create(password, cost: 10)
token = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) token = Base64.urlsafe_encode(Random::Secure.random_bytes(32))

View file

@ -43,6 +43,17 @@
<button type="submit" class="pure-button pure-button-primary"><%= translate(locale, "Sign In") %></button> <button type="submit" class="pure-button pure-button-primary"><%= translate(locale, "Sign In") %></button>
</fieldset> </fieldset>
</form> </form>
<% when "oauth" %>
<form class="pure-form pure-form-stacked" action="/login?referer=<%= URI.encode_www_form(referer) %>&type=oauth" method="post">
<fieldset>
<select name="provider" id="provider">
<% CONFIG.oauth.each_key do |k| %>
<option value="<%= k %>"><%= k %></option>
<% end %>
</select>
<button type="submit" class="pure-button pure-button-primary"><%= translate(locale, "Sign In via OAuth") %></button>
</fieldset>
</form>
<% else # "invidious" %> <% else # "invidious" %>
<form class="pure-form pure-form-stacked" action="/login?referer=<%= URI.encode_www_form(referer) %>&type=invidious" method="post"> <form class="pure-form pure-form-stacked" action="/login?referer=<%= URI.encode_www_form(referer) %>&type=invidious" method="post">
<fieldset> <fieldset>
@ -104,6 +115,9 @@
<%= translate(locale, "Sign In") %>/<%= translate(locale, "Register") %> <%= translate(locale, "Sign In") %>/<%= translate(locale, "Register") %>
</button> </button>
<% end %> <% end %>
<% if oauth %>
<a class="pure-button pure-button-secondary" href="/login?referer=<%= URI.encode_www_form(referer) %>&type=oauth">OAuth</a>
<% end %>
</fieldset> </fieldset>
</form> </form>
<% end %> <% end %>