نسخ من khaledmahfouz5/Maqtaa
Display a form to create an Opengist account coming from a OAuth provider (#623)
هذا الالتزام موجود في:
Thomas Miceli
@@ -110,6 +110,10 @@ func (p *GiteaCallbackProvider) UpdateUserDB(user *db.User) {
|
|||||||
user.AvatarURL = field.(string)
|
user.AvatarURL = field.(string)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (p *GiteaCallbackProvider) IsAdmin() bool {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
func NewGiteaCallbackProvider(user *goth.User) CallbackProvider {
|
func NewGiteaCallbackProvider(user *goth.User) CallbackProvider {
|
||||||
return &GiteaCallbackProvider{
|
return &GiteaCallbackProvider{
|
||||||
User: user,
|
User: user,
|
||||||
|
|||||||
@@ -77,6 +77,10 @@ func (p *GitHubCallbackProvider) UpdateUserDB(user *db.User) {
|
|||||||
user.AvatarURL = "https://avatars.githubusercontent.com/u/" + p.User.UserID + "?v=4"
|
user.AvatarURL = "https://avatars.githubusercontent.com/u/" + p.User.UserID + "?v=4"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (p *GitHubCallbackProvider) IsAdmin() bool {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
func NewGitHubCallbackProvider(user *goth.User) CallbackProvider {
|
func NewGitHubCallbackProvider(user *goth.User) CallbackProvider {
|
||||||
return &GitHubCallbackProvider{
|
return &GitHubCallbackProvider{
|
||||||
User: user,
|
User: user,
|
||||||
|
|||||||
@@ -111,6 +111,10 @@ func (p *GitLabCallbackProvider) UpdateUserDB(user *db.User) {
|
|||||||
user.AvatarURL = field.(string)
|
user.AvatarURL = field.(string)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (p *GitLabCallbackProvider) IsAdmin() bool {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
func NewGitLabCallbackProvider(user *goth.User) CallbackProvider {
|
func NewGitLabCallbackProvider(user *goth.User) CallbackProvider {
|
||||||
return &GitLabCallbackProvider{
|
return &GitLabCallbackProvider{
|
||||||
User: user,
|
User: user,
|
||||||
|
|||||||
@@ -3,6 +3,8 @@ package oauth
|
|||||||
import (
|
import (
|
||||||
gocontext "context"
|
gocontext "context"
|
||||||
"errors"
|
"errors"
|
||||||
|
"slices"
|
||||||
|
|
||||||
"github.com/markbates/goth"
|
"github.com/markbates/goth"
|
||||||
"github.com/markbates/goth/gothic"
|
"github.com/markbates/goth/gothic"
|
||||||
"github.com/markbates/goth/providers/openidConnect"
|
"github.com/markbates/goth/providers/openidConnect"
|
||||||
@@ -79,6 +81,31 @@ func (p *OIDCCallbackProvider) UpdateUserDB(user *db.User) {
|
|||||||
user.AvatarURL = p.User.AvatarURL
|
user.AvatarURL = p.User.AvatarURL
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (p *OIDCCallbackProvider) IsAdmin() bool {
|
||||||
|
if config.C.OIDCAdminGroup == "" {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
groupClaimName := config.C.OIDCGroupClaimName
|
||||||
|
if groupClaimName == "" {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
groups, ok := p.User.RawData[groupClaimName].([]interface{})
|
||||||
|
if !ok {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
var groupNames []string
|
||||||
|
for _, group := range groups {
|
||||||
|
if groupName, ok := group.(string); ok {
|
||||||
|
groupNames = append(groupNames, groupName)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return slices.Contains(groupNames, config.C.OIDCAdminGroup)
|
||||||
|
}
|
||||||
|
|
||||||
func NewOIDCCallbackProvider(user *goth.User) CallbackProvider {
|
func NewOIDCCallbackProvider(user *goth.User) CallbackProvider {
|
||||||
return &OIDCCallbackProvider{
|
return &OIDCCallbackProvider{
|
||||||
User: user,
|
User: user,
|
||||||
|
|||||||
@@ -2,15 +2,16 @@ package oauth
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io"
|
||||||
|
"net/http"
|
||||||
|
"net/url"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"github.com/markbates/goth"
|
"github.com/markbates/goth"
|
||||||
"github.com/markbates/goth/gothic"
|
"github.com/markbates/goth/gothic"
|
||||||
"github.com/rs/zerolog/log"
|
"github.com/rs/zerolog/log"
|
||||||
"github.com/thomiceli/opengist/internal/db"
|
"github.com/thomiceli/opengist/internal/db"
|
||||||
"github.com/thomiceli/opengist/internal/web/context"
|
"github.com/thomiceli/opengist/internal/web/context"
|
||||||
"io"
|
|
||||||
"net/http"
|
|
||||||
"net/url"
|
|
||||||
"strings"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@@ -32,6 +33,7 @@ type CallbackProvider interface {
|
|||||||
GetProviderUserID(user *db.User) bool
|
GetProviderUserID(user *db.User) bool
|
||||||
GetProviderUserSSHKeys() ([]string, error)
|
GetProviderUserSSHKeys() ([]string, error)
|
||||||
UpdateUserDB(user *db.User)
|
UpdateUserDB(user *db.User)
|
||||||
|
IsAdmin() bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func DefineProvider(provider string, url string) (Provider, error) {
|
func DefineProvider(provider string, url string) (Provider, error) {
|
||||||
@@ -69,6 +71,29 @@ func CompleteUserAuth(ctx *context.Context) (CallbackProvider, error) {
|
|||||||
return nil, fmt.Errorf("unsupported provider %s", user.Provider)
|
return nil, fmt.Errorf("unsupported provider %s", user.Provider)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func NewCallbackProviderFromSession(provider string, userID string, nickname string, email string, avatarURL string) (CallbackProvider, error) {
|
||||||
|
user := &goth.User{
|
||||||
|
Provider: provider,
|
||||||
|
UserID: userID,
|
||||||
|
NickName: nickname,
|
||||||
|
Email: email,
|
||||||
|
AvatarURL: avatarURL,
|
||||||
|
}
|
||||||
|
|
||||||
|
switch provider {
|
||||||
|
case GitHubProviderString:
|
||||||
|
return NewGitHubCallbackProvider(user), nil
|
||||||
|
case GitLabProviderString:
|
||||||
|
return NewGitLabCallbackProvider(user), nil
|
||||||
|
case GiteaProviderString:
|
||||||
|
return NewGiteaCallbackProvider(user), nil
|
||||||
|
case OpenIDConnectString:
|
||||||
|
return NewOIDCCallbackProvider(user), nil
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil, fmt.Errorf("unsupported provider %s", provider)
|
||||||
|
}
|
||||||
|
|
||||||
func urlJoin(base string, elem ...string) string {
|
func urlJoin(base string, elem ...string) string {
|
||||||
joined, err := url.JoinPath(base, elem...)
|
joined, err := url.JoinPath(base, elem...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
@@ -258,6 +258,11 @@ type UserDTO struct {
|
|||||||
Password string `form:"password" validate:"required"`
|
Password string `form:"password" validate:"required"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type OAuthRegisterDTO struct {
|
||||||
|
Username string `form:"username" validate:"required,max=24,alphanumdash,notreserved"`
|
||||||
|
Email string `form:"email" validate:"omitempty,email"`
|
||||||
|
}
|
||||||
|
|
||||||
func (dto *UserDTO) ToUser() *User {
|
func (dto *UserDTO) ToUser() *User {
|
||||||
return &User{
|
return &User{
|
||||||
Username: dto.Username,
|
Username: dto.Username,
|
||||||
|
|||||||
@@ -200,6 +200,13 @@ auth.password: Password
|
|||||||
auth.register-instead: Register instead
|
auth.register-instead: Register instead
|
||||||
auth.login-instead: Login instead
|
auth.login-instead: Login instead
|
||||||
auth.oauth: Continue with %s account
|
auth.oauth: Continue with %s account
|
||||||
|
auth.oauth.no-provider: OAuth provider not found
|
||||||
|
auth.oauth.complete-registration: Complete your registration
|
||||||
|
auth.oauth.complete-registration-button: Create account
|
||||||
|
auth.oauth.signing-in-with: Signing in with %s
|
||||||
|
auth.oauth.cancel: Cancel
|
||||||
|
auth.oauth.existing-account: Existing account?
|
||||||
|
auth.oauth.already-have-account: If you already have an Opengist account, login first and link your %s account from your settings.
|
||||||
auth.mfa: Multi-factor authentication
|
auth.mfa: Multi-factor authentication
|
||||||
auth.mfa.passkey: Passkey
|
auth.mfa.passkey: Passkey
|
||||||
auth.mfa.passkeys: Passkeys
|
auth.mfa.passkeys: Passkeys
|
||||||
@@ -241,7 +248,7 @@ error.signup-disabled: Signing up is disabled
|
|||||||
error.signup-disabled-form: Signing up via registration form is disabled
|
error.signup-disabled-form: Signing up via registration form is disabled
|
||||||
error.login-disabled-form: Logging in via login form is disabled
|
error.login-disabled-form: Logging in via login form is disabled
|
||||||
error.complete-oauth-login: "Cannot complete user auth: %s"
|
error.complete-oauth-login: "Cannot complete user auth: %s"
|
||||||
error.oauth-unsupported: Unsupported provider
|
error.oauth-unsupported: Unsupported OAuth2 provider
|
||||||
error.cannot-bind-data: Cannot bind data
|
error.cannot-bind-data: Cannot bind data
|
||||||
error.invalid-number: Invalid number
|
error.invalid-number: Invalid number
|
||||||
error.invalid-character-unescaped: Invalid character unescaped
|
error.invalid-character-unescaped: Invalid character unescaped
|
||||||
@@ -343,6 +350,8 @@ flash.auth.user-sshkeys-not-created: Could not create ssh key
|
|||||||
flash.auth.must-be-logged-in: You must be logged in to access gists
|
flash.auth.must-be-logged-in: You must be logged in to access gists
|
||||||
flash.auth.passkey-registred: Passkey %s registered
|
flash.auth.passkey-registred: Passkey %s registered
|
||||||
flash.auth.passkey-deleted: Passkey deleted
|
flash.auth.passkey-deleted: Passkey deleted
|
||||||
|
flash.auth.oauth-session-expired: OAuth2 session expired, please try again
|
||||||
|
flash.auth.oauth-already-linked: This %s account is already linked to another user
|
||||||
|
|
||||||
flash.gist.visibility-changed: Gist visibility has been changed
|
flash.gist.visibility-changed: Gist visibility has been changed
|
||||||
flash.gist.deleted: Gist has been deleted
|
flash.gist.deleted: Gist has been deleted
|
||||||
|
|||||||
@@ -59,7 +59,7 @@ func validateReservedKeywords(fl validator.FieldLevel) bool {
|
|||||||
name := fl.Field().String()
|
name := fl.Field().String()
|
||||||
|
|
||||||
restrictedNames := map[string]struct{}{}
|
restrictedNames := map[string]struct{}{}
|
||||||
for _, restrictedName := range []string{"assets", "register", "login", "logout", "settings", "admin-panel", "all", "search", "init", "healthcheck", "preview", "metrics", "mfa", "webauthn"} {
|
for _, restrictedName := range []string{"assets", "register", "login", "logout", "settings", "admin-panel", "all", "search", "init", "healthcheck", "preview", "metrics", "mfa", "webauthn", "oauth"} {
|
||||||
restrictedNames[restrictedName] = struct{}{}
|
restrictedNames[restrictedName] = struct{}{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -4,16 +4,15 @@ import (
|
|||||||
"crypto/md5"
|
"crypto/md5"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"slices"
|
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/rs/zerolog/log"
|
"github.com/rs/zerolog/log"
|
||||||
"github.com/thomiceli/opengist/internal/auth/oauth"
|
"github.com/thomiceli/opengist/internal/auth/oauth"
|
||||||
"github.com/thomiceli/opengist/internal/config"
|
"github.com/thomiceli/opengist/internal/config"
|
||||||
"github.com/thomiceli/opengist/internal/db"
|
"github.com/thomiceli/opengist/internal/db"
|
||||||
|
"github.com/thomiceli/opengist/internal/i18n"
|
||||||
|
"github.com/thomiceli/opengist/internal/validator"
|
||||||
"github.com/thomiceli/opengist/internal/web/context"
|
"github.com/thomiceli/opengist/internal/web/context"
|
||||||
"golang.org/x/text/cases"
|
|
||||||
"golang.org/x/text/language"
|
|
||||||
"gorm.io/gorm"
|
"gorm.io/gorm"
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -48,7 +47,8 @@ func Oauth(ctx *context.Context) error {
|
|||||||
|
|
||||||
provider, err := oauth.DefineProvider(providerStr, opengistUrl)
|
provider, err := oauth.DefineProvider(providerStr, opengistUrl)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return ctx.ErrorRes(400, ctx.Tr("error.oauth-unsupported"), nil)
|
ctx.AddFlash(ctx.Tr("error.oauth-unsupported"), "error")
|
||||||
|
return ctx.Redirect(302, "/login")
|
||||||
}
|
}
|
||||||
|
|
||||||
if err = provider.RegisterProvider(); err != nil {
|
if err = provider.RegisterProvider(); err != nil {
|
||||||
@@ -62,28 +62,37 @@ func Oauth(ctx *context.Context) error {
|
|||||||
func OauthCallback(ctx *context.Context) error {
|
func OauthCallback(ctx *context.Context) error {
|
||||||
provider, err := oauth.CompleteUserAuth(ctx)
|
provider, err := oauth.CompleteUserAuth(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return ctx.ErrorRes(400, ctx.Tr("error.complete-oauth-login", err.Error()), err)
|
ctx.AddFlash(ctx.Tr("auth.oauth.no-provider"), "error")
|
||||||
|
return ctx.Redirect(302, "/login")
|
||||||
}
|
}
|
||||||
|
|
||||||
currUser := ctx.User
|
currUser := ctx.User
|
||||||
|
user := provider.GetProviderUser()
|
||||||
|
|
||||||
// if user is logged in, link account to user and update its avatar URL
|
// if user is logged in, link account to user and update its avatar URL
|
||||||
if currUser != nil {
|
if currUser != nil {
|
||||||
|
// check if this OAuth account is already linked to another user
|
||||||
|
if existingUser, err := db.GetUserByProvider(user.UserID, provider.GetProvider()); err == nil && existingUser != nil {
|
||||||
|
ctx.AddFlash(ctx.Tr("flash.auth.oauth-already-linked", config.C.OIDCProviderName), "error")
|
||||||
|
return ctx.RedirectTo("/settings")
|
||||||
|
}
|
||||||
|
|
||||||
provider.UpdateUserDB(currUser)
|
provider.UpdateUserDB(currUser)
|
||||||
|
|
||||||
if err = currUser.Update(); err != nil {
|
if err = currUser.Update(); err != nil {
|
||||||
return ctx.ErrorRes(500, "Cannot update user "+cases.Title(language.English).String(provider.GetProvider())+" id", err)
|
return ctx.ErrorRes(500, "Cannot update user "+config.C.OIDCProviderName+" id", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.AddFlash(ctx.Tr("flash.auth.account-linked-oauth", cases.Title(language.English).String(provider.GetProvider())), "success")
|
ctx.AddFlash(ctx.Tr("flash.auth.account-linked-oauth", config.C.OIDCProviderName), "success")
|
||||||
return ctx.RedirectTo("/settings")
|
return ctx.RedirectTo("/settings")
|
||||||
}
|
}
|
||||||
|
|
||||||
user := provider.GetProviderUser()
|
|
||||||
userDB, err := db.GetUserByProvider(user.UserID, provider.GetProvider())
|
userDB, err := db.GetUserByProvider(user.UserID, provider.GetProvider())
|
||||||
// if user is not in database, create it
|
// if user is not in database, redirect to OAuth registration page
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if ctx.GetData("DisableSignup") == true {
|
if ctx.GetData("DisableSignup") == true {
|
||||||
return ctx.ErrorRes(403, ctx.Tr("error.signup-disabled"), nil)
|
ctx.AddFlash(ctx.Tr("error.signup-disabled"), "error")
|
||||||
|
return ctx.Redirect(302, "/login")
|
||||||
}
|
}
|
||||||
|
|
||||||
if !errors.Is(err, gorm.ErrRecordNotFound) {
|
if !errors.Is(err, gorm.ErrRecordNotFound) {
|
||||||
@@ -94,74 +103,25 @@ func OauthCallback(ctx *context.Context) error {
|
|||||||
user.NickName = strings.Split(user.Email, "@")[0]
|
user.NickName = strings.Split(user.Email, "@")[0]
|
||||||
}
|
}
|
||||||
|
|
||||||
userDB = &db.User{
|
sess := ctx.GetSession()
|
||||||
Username: user.NickName,
|
sess.Values["oauthProvider"] = provider.GetProvider()
|
||||||
Email: user.Email,
|
sess.Values["oauthUserID"] = user.UserID
|
||||||
MD5Hash: fmt.Sprintf("%x", md5.Sum([]byte(strings.ToLower(strings.TrimSpace(user.Email))))),
|
sess.Values["oauthNickname"] = user.NickName
|
||||||
}
|
sess.Values["oauthEmail"] = user.Email
|
||||||
|
sess.Values["oauthAvatarURL"] = user.AvatarURL
|
||||||
|
sess.Values["oauthIsAdmin"] = provider.IsAdmin()
|
||||||
|
|
||||||
// set provider id and avatar URL
|
sess.Options.MaxAge = 10 * 60 // 10 minutes
|
||||||
provider.UpdateUserDB(userDB)
|
ctx.SaveSession(sess)
|
||||||
|
|
||||||
if err = userDB.Create(); err != nil {
|
return ctx.RedirectTo("/oauth/register")
|
||||||
if db.IsUniqueConstraintViolation(err) {
|
|
||||||
ctx.AddFlash(ctx.Tr("flash.auth.username-exists"), "error")
|
|
||||||
return ctx.RedirectTo("/login")
|
|
||||||
}
|
|
||||||
|
|
||||||
return ctx.ErrorRes(500, "Cannot create user", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// if oidc admin group is not configured set first user as admin
|
|
||||||
if config.C.OIDCAdminGroup == "" && userDB.ID == 1 {
|
|
||||||
if err = userDB.SetAdmin(); err != nil {
|
|
||||||
return ctx.ErrorRes(500, "Cannot set user admin", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
keys, err := provider.GetProviderUserSSHKeys()
|
|
||||||
if err != nil {
|
|
||||||
ctx.AddFlash(ctx.Tr("flash.auth.user-sshkeys-not-retrievable"), "error")
|
|
||||||
log.Error().Err(err).Msg("Could not get user keys")
|
|
||||||
} else {
|
|
||||||
for _, key := range keys {
|
|
||||||
sshKey := db.SSHKey{
|
|
||||||
Title: "Added from " + user.Provider,
|
|
||||||
Content: key,
|
|
||||||
User: *userDB,
|
|
||||||
}
|
|
||||||
|
|
||||||
if err = sshKey.Create(); err != nil {
|
|
||||||
ctx.AddFlash(ctx.Tr("flash.auth.user-sshkeys-not-created"), "error")
|
|
||||||
log.Error().Err(err).Msg("Could not create ssh key")
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// update is admin status from oidc group
|
// promote user to admin from oidc group
|
||||||
if config.C.OIDCAdminGroup != "" {
|
if !userDB.IsAdmin && provider.IsAdmin() {
|
||||||
groupClaimName := config.C.OIDCGroupClaimName
|
userDB.IsAdmin = true
|
||||||
if groupClaimName == "" {
|
if err = userDB.Update(); err != nil {
|
||||||
log.Error().Msg("No OIDC group claim name configured")
|
return ctx.ErrorRes(500, "Cannot set user admin", err)
|
||||||
} else if groups, ok := user.RawData[groupClaimName].([]interface{}); ok {
|
|
||||||
var groupNames []string
|
|
||||||
for _, group := range groups {
|
|
||||||
if groupName, ok := group.(string); ok {
|
|
||||||
groupNames = append(groupNames, groupName)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
isOIDCAdmin := slices.Contains(groupNames, config.C.OIDCAdminGroup)
|
|
||||||
log.Debug().Bool("isOIDCAdmin", isOIDCAdmin).Str("user", user.Name).Msg("User is in admin group")
|
|
||||||
|
|
||||||
if userDB.IsAdmin != isOIDCAdmin {
|
|
||||||
userDB.IsAdmin = isOIDCAdmin
|
|
||||||
if err = userDB.Update(); err != nil {
|
|
||||||
return ctx.ErrorRes(500, "Cannot set user admin", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
log.Error().Msg("No groups found in user data")
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -173,6 +133,150 @@ func OauthCallback(ctx *context.Context) error {
|
|||||||
return ctx.RedirectTo("/")
|
return ctx.RedirectTo("/")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func OauthRegister(ctx *context.Context) error {
|
||||||
|
if ctx.GetData("DisableSignup") == true {
|
||||||
|
ctx.AddFlash(ctx.Tr("error.signup-disabled"), "error")
|
||||||
|
return ctx.Redirect(302, "/login")
|
||||||
|
}
|
||||||
|
|
||||||
|
sess := ctx.GetSession()
|
||||||
|
|
||||||
|
ctx.SetData("title", ctx.TrH("auth.oauth.complete-registration"))
|
||||||
|
ctx.SetData("htmlTitle", ctx.TrH("auth.oauth.complete-registration"))
|
||||||
|
ctx.SetData("oauthProvider", config.C.OIDCProviderName)
|
||||||
|
ctx.SetData("oauthNickname", sess.Values["oauthNickname"])
|
||||||
|
ctx.SetData("oauthEmail", sess.Values["oauthEmail"])
|
||||||
|
ctx.SetData("oauthAvatarURL", sess.Values["oauthAvatarURL"])
|
||||||
|
|
||||||
|
return ctx.Html("oauth_register.html")
|
||||||
|
}
|
||||||
|
|
||||||
|
func ProcessOauthRegister(ctx *context.Context) error {
|
||||||
|
if ctx.GetData("DisableSignup") == true {
|
||||||
|
ctx.AddFlash(ctx.Tr("error.signup-disabled"), "error")
|
||||||
|
return ctx.Redirect(302, "/login")
|
||||||
|
}
|
||||||
|
|
||||||
|
sess := ctx.GetSession()
|
||||||
|
|
||||||
|
providerStr := sess.Values["oauthProvider"].(string)
|
||||||
|
oauthUserID := sess.Values["oauthUserID"].(string)
|
||||||
|
|
||||||
|
setOauthRegisterData := func(dto *db.OAuthRegisterDTO) {
|
||||||
|
ctx.SetData("title", ctx.TrH("auth.oauth.complete-registration"))
|
||||||
|
ctx.SetData("htmlTitle", ctx.TrH("auth.oauth.complete-registration"))
|
||||||
|
ctx.SetData("oauthProvider", config.C.OIDCProviderName)
|
||||||
|
if dto != nil {
|
||||||
|
ctx.SetData("oauthNickname", dto.Username)
|
||||||
|
ctx.SetData("oauthEmail", dto.Email)
|
||||||
|
} else {
|
||||||
|
ctx.SetData("oauthNickname", sess.Values["oauthNickname"])
|
||||||
|
ctx.SetData("oauthEmail", sess.Values["oauthEmail"])
|
||||||
|
}
|
||||||
|
ctx.SetData("oauthAvatarURL", sess.Values["oauthAvatarURL"])
|
||||||
|
}
|
||||||
|
|
||||||
|
// Bind and validate form data
|
||||||
|
dto := new(db.OAuthRegisterDTO)
|
||||||
|
if err := ctx.Bind(dto); err != nil {
|
||||||
|
return ctx.ErrorRes(400, ctx.Tr("error.cannot-bind-data"), err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := ctx.Validate(dto); err != nil {
|
||||||
|
ctx.AddFlash(validator.ValidationMessages(&err, ctx.GetData("locale").(*i18n.Locale)), "error")
|
||||||
|
setOauthRegisterData(dto)
|
||||||
|
return ctx.Html("oauth_register.html")
|
||||||
|
}
|
||||||
|
|
||||||
|
if exists, err := db.UserExists(dto.Username); err != nil || exists {
|
||||||
|
ctx.AddFlash(ctx.Tr("flash.auth.username-exists"), "error")
|
||||||
|
setOauthRegisterData(dto)
|
||||||
|
return ctx.Html("oauth_register.html")
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check if OAuth account is already linked to another user (race condition protection)
|
||||||
|
if existingUser, err := db.GetUserByProvider(oauthUserID, providerStr); err == nil && existingUser != nil {
|
||||||
|
ctx.AddFlash(ctx.Tr("flash.auth.oauth-already-linked", config.C.OIDCProviderName), "error")
|
||||||
|
setOauthRegisterData(dto)
|
||||||
|
return ctx.Html("oauth_register.html")
|
||||||
|
}
|
||||||
|
|
||||||
|
userDB := &db.User{
|
||||||
|
Username: dto.Username,
|
||||||
|
Email: dto.Email,
|
||||||
|
}
|
||||||
|
if dto.Email != "" {
|
||||||
|
userDB.MD5Hash = fmt.Sprintf("%x", md5.Sum([]byte(strings.ToLower(strings.TrimSpace(dto.Email)))))
|
||||||
|
}
|
||||||
|
|
||||||
|
nickname := ""
|
||||||
|
if n, ok := sess.Values["oauthNickname"].(string); ok {
|
||||||
|
nickname = n
|
||||||
|
}
|
||||||
|
avatarURL := ""
|
||||||
|
if av, ok := sess.Values["oauthAvatarURL"].(string); ok {
|
||||||
|
avatarURL = av
|
||||||
|
}
|
||||||
|
|
||||||
|
callbackProvider, err := oauth.NewCallbackProviderFromSession(providerStr, oauthUserID, nickname, dto.Email, avatarURL)
|
||||||
|
if err != nil {
|
||||||
|
return ctx.ErrorRes(500, "Cannot create provider", err)
|
||||||
|
}
|
||||||
|
callbackProvider.UpdateUserDB(userDB)
|
||||||
|
|
||||||
|
if err := userDB.Create(); err != nil {
|
||||||
|
if db.IsUniqueConstraintViolation(err) {
|
||||||
|
ctx.AddFlash(ctx.Tr("flash.auth.username-exists"), "error")
|
||||||
|
setOauthRegisterData(dto)
|
||||||
|
return ctx.Html("oauth_register.html")
|
||||||
|
}
|
||||||
|
return ctx.ErrorRes(500, "Cannot create user", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if config.C.OIDCAdminGroup == "" && userDB.ID == 1 {
|
||||||
|
if err := userDB.SetAdmin(); err != nil {
|
||||||
|
return ctx.ErrorRes(500, "Cannot set user admin", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if isAdmin, ok := sess.Values["oauthIsAdmin"].(bool); ok && isAdmin {
|
||||||
|
userDB.IsAdmin = true
|
||||||
|
_ = userDB.Update()
|
||||||
|
}
|
||||||
|
|
||||||
|
keys, err := callbackProvider.GetProviderUserSSHKeys()
|
||||||
|
if err != nil {
|
||||||
|
ctx.AddFlash(ctx.Tr("flash.auth.user-sshkeys-not-retrievable"), "error")
|
||||||
|
log.Error().Err(err).Msg("Could not get user keys")
|
||||||
|
} else {
|
||||||
|
for _, key := range keys {
|
||||||
|
sshKey := db.SSHKey{
|
||||||
|
Title: "Added from " + providerStr,
|
||||||
|
Content: key,
|
||||||
|
User: *userDB,
|
||||||
|
}
|
||||||
|
if err = sshKey.Create(); err != nil {
|
||||||
|
ctx.AddFlash(ctx.Tr("flash.auth.user-sshkeys-not-created"), "error")
|
||||||
|
log.Error().Err(err).Msg("Could not create ssh key")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
delete(sess.Values, "oauthProvider")
|
||||||
|
delete(sess.Values, "oauthUserID")
|
||||||
|
delete(sess.Values, "oauthNickname")
|
||||||
|
delete(sess.Values, "oauthEmail")
|
||||||
|
delete(sess.Values, "oauthAvatarURL")
|
||||||
|
delete(sess.Values, "oauthIsAdmin")
|
||||||
|
|
||||||
|
sess.Values["user"] = userDB.ID
|
||||||
|
sess.Options.MaxAge = 60 * 60 * 24 * 365 // 1 year
|
||||||
|
ctx.SaveSession(sess)
|
||||||
|
ctx.DeleteCsrfCookie()
|
||||||
|
|
||||||
|
return ctx.RedirectTo("/")
|
||||||
|
}
|
||||||
|
|
||||||
func OauthUnlink(ctx *context.Context) error {
|
func OauthUnlink(ctx *context.Context) error {
|
||||||
providerStr := ctx.Param("provider")
|
providerStr := ctx.Param("provider")
|
||||||
provider, err := oauth.DefineProvider(ctx.Param("provider"), "")
|
provider, err := oauth.DefineProvider(ctx.Param("provider"), "")
|
||||||
@@ -184,10 +288,10 @@ func OauthUnlink(ctx *context.Context) error {
|
|||||||
|
|
||||||
if provider.UserHasProvider(currUser) {
|
if provider.UserHasProvider(currUser) {
|
||||||
if err := currUser.DeleteProviderID(providerStr); err != nil {
|
if err := currUser.DeleteProviderID(providerStr); err != nil {
|
||||||
return ctx.ErrorRes(500, "Cannot unlink account from "+cases.Title(language.English).String(providerStr), err)
|
return ctx.ErrorRes(500, "Cannot unlink account from "+config.C.OIDCProviderName, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.AddFlash(ctx.Tr("flash.auth.account-unlinked-oauth", cases.Title(language.English).String(providerStr)), "success")
|
ctx.AddFlash(ctx.Tr("flash.auth.account-unlinked-oauth", config.C.OIDCProviderName), "success")
|
||||||
return ctx.RedirectTo("/settings")
|
return ctx.RedirectTo("/settings")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -199,6 +199,17 @@ func inMFASession(next Handler) Handler {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func inOAuthRegisterSession(next Handler) Handler {
|
||||||
|
return func(ctx *context.Context) error {
|
||||||
|
sess := ctx.GetSession()
|
||||||
|
_, ok := sess.Values["oauthProvider"].(string)
|
||||||
|
if !ok {
|
||||||
|
return ctx.RedirectTo("/login")
|
||||||
|
}
|
||||||
|
return next(ctx)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func makeCheckRequireLogin(isSingleGistAccess bool) Middleware {
|
func makeCheckRequireLogin(isSingleGistAccess bool) Middleware {
|
||||||
return func(next Handler) Handler {
|
return func(next Handler) Handler {
|
||||||
return func(ctx *context.Context) error {
|
return func(ctx *context.Context) error {
|
||||||
|
|||||||
@@ -38,6 +38,8 @@ func (s *Server) registerRoutes() {
|
|||||||
r.GET("/login", auth.Login)
|
r.GET("/login", auth.Login)
|
||||||
r.POST("/login", auth.ProcessLogin)
|
r.POST("/login", auth.ProcessLogin)
|
||||||
r.GET("/logout", auth.Logout)
|
r.GET("/logout", auth.Logout)
|
||||||
|
r.GET("/oauth/register", auth.OauthRegister, inOAuthRegisterSession)
|
||||||
|
r.POST("/oauth/register", auth.ProcessOauthRegister, inOAuthRegisterSession)
|
||||||
r.GET("/oauth/:provider", auth.Oauth)
|
r.GET("/oauth/:provider", auth.Oauth)
|
||||||
r.GET("/oauth/:provider/callback", auth.OauthCallback)
|
r.GET("/oauth/:provider/callback", auth.OauthCallback)
|
||||||
r.GET("/oauth/:provider/unlink", auth.OauthUnlink, logged)
|
r.GET("/oauth/:provider/unlink", auth.OauthUnlink, logged)
|
||||||
|
|||||||
85
templates/pages/oauth_register.html
مباع
Normal file
85
templates/pages/oauth_register.html
مباع
Normal file
@@ -0,0 +1,85 @@
|
|||||||
|
{{ template "header" .}}
|
||||||
|
<div class="py-10">
|
||||||
|
<header>
|
||||||
|
<h1 class="text-2xl font-bold leading-tight text-slate-700 dark:text-slate-300">
|
||||||
|
{{ .title }}
|
||||||
|
</h1>
|
||||||
|
</header>
|
||||||
|
<main class="mt-4">
|
||||||
|
<div class="grid sm:grid-cols-2">
|
||||||
|
<div class="">
|
||||||
|
<div class="mt-8 sm:w-full sm:max-w-md">
|
||||||
|
<div class="bg-white dark:bg-gray-900 rounded-md border border-1 border-gray-200 dark:border-gray-700 py-8 px-4 shadow sm:rounded-lg sm:px-10">
|
||||||
|
|
||||||
|
<div class="mb-6 text-center">
|
||||||
|
{{ if .oauthAvatarURL }}
|
||||||
|
<img src="{{ .oauthAvatarURL }}" alt="Avatar" class="w-16 h-16 rounded-full mx-auto mb-2">
|
||||||
|
{{ end }}
|
||||||
|
<p class="text-sm text-gray-600 dark:text-gray-400">
|
||||||
|
{{ .locale.Tr "auth.oauth.signing-in-with" $.c.OIDCProviderName }}
|
||||||
|
</p>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<form class="space-y-6" method="post">
|
||||||
|
<div>
|
||||||
|
<label for="username" class="block text-sm font-medium text-slate-700 dark:text-slate-300">
|
||||||
|
{{ .locale.Tr "auth.username" }}
|
||||||
|
</label>
|
||||||
|
<div class="mt-1">
|
||||||
|
<input id="username" name="username" type="text" value="{{ .oauthNickname }}" required
|
||||||
|
class="dark:bg-gray-800 appearance-none block w-full px-3 py-2 border border-gray-200 dark:border-gray-700 rounded-md shadow-sm placeholder-gray-600 dark:placeholder-gray-400 focus:outline-none focus:ring-primary-500 focus:border-primary-500 sm:text-sm">
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<div class="mt-8">
|
||||||
|
<label for="email" class="block text-sm font-medium text-slate-700 dark:text-slate-300">
|
||||||
|
{{ .locale.Tr "settings.email" }}
|
||||||
|
</label>
|
||||||
|
<div class="mt-1">
|
||||||
|
<input id="email" name="email" type="email" value="{{ .oauthEmail }}"
|
||||||
|
class="dark:bg-gray-800 appearance-none block w-full px-3 py-2 border border-gray-200 dark:border-gray-700 rounded-md shadow-sm placeholder-gray-600 dark:placeholder-gray-400 focus:outline-none focus:ring-primary-500 focus:border-primary-500 sm:text-sm">
|
||||||
|
</div>
|
||||||
|
<p class="mt-1 text-xs text-gray-500 dark:text-gray-400">
|
||||||
|
{{ .locale.Tr "settings.email-help" }}
|
||||||
|
</p>
|
||||||
|
</div>
|
||||||
|
|
||||||
|
<div class="flex">
|
||||||
|
<div class="flex-auto">
|
||||||
|
<button type="submit" class="inline-flex items-center px-4 py-2 border border-transparent border-gray-200 dark:border-gray-700 text-sm font-medium rounded-md shadow-sm text-white dark:text-white bg-primary-500 hover:bg-primary-600 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary-500">
|
||||||
|
{{ .locale.Tr "auth.oauth.complete-registration-button" }}
|
||||||
|
</button>
|
||||||
|
</div>
|
||||||
|
<span class="float-right text-sm py-2 underline">
|
||||||
|
<a href="{{ $.c.ExternalUrl }}/login">{{ .locale.Tr "auth.oauth.cancel" }}</a>
|
||||||
|
</span>
|
||||||
|
</div>
|
||||||
|
{{ .csrfHtml }}
|
||||||
|
</form>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
<div class="">
|
||||||
|
<div class="mt-8 sm:w-full sm:max-w-md">
|
||||||
|
<div class="bg-white dark:bg-gray-900 rounded-md border border-1 border-gray-200 dark:border-gray-700 py-8 px-4 shadow sm:rounded-lg sm:px-10">
|
||||||
|
<p class="block text-sm font-medium text-slate-700 dark:text-slate-300">{{ .locale.Tr "auth.oauth.existing-account" }}</p>
|
||||||
|
<div class="flex items-center justify-center mt-4">
|
||||||
|
<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="1.5" stroke="currentColor" class="size-14 text-gray-400">
|
||||||
|
<path stroke-linecap="round" stroke-linejoin="round" d="M13.19 8.688a4.5 4.5 0 0 1 1.242 7.244l-4.5 4.5a4.5 4.5 0 0 1-6.364-6.364l1.757-1.757m13.35-.622 1.757-1.757a4.5 4.5 0 0 0-6.364-6.364l-4.5 4.5a4.5 4.5 0 0 0 1.242 7.244" />
|
||||||
|
</svg>
|
||||||
|
</div>
|
||||||
|
<p class="mt-4 text-sm text-center">
|
||||||
|
{{ .locale.Tr "auth.oauth.already-have-account" $.c.OIDCProviderName }}
|
||||||
|
</p>
|
||||||
|
<div class="flex items-center justify-center mt-4">
|
||||||
|
<a href="{{ $.c.ExternalUrl }}/login" class="inline-flex items-center px-4 py-2 border border-gray-200 dark:border-gray-700 text-sm font-medium rounded-md shadow-sm text-slate-700 dark:text-slate-300 bg-gray-50 dark:bg-gray-800 hover:bg-gray-100 dark:hover:bg-gray-700 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-primary-500">
|
||||||
|
{{ .locale.Tr "auth.login" }}
|
||||||
|
</a>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</main>
|
||||||
|
</div>
|
||||||
|
{{ template "footer" .}}
|
||||||
المرجع في مشكلة جديدة
حظر مستخدم