From bee301a6f4f77b822c272667cd6929d407313828 Mon Sep 17 00:00:00 2001 From: soraefir Date: Wed, 12 Jul 2023 00:36:47 +0200 Subject: [PATCH] Implemented Oauth --- config/config.example.yml | 34 +++++++++++ src/invidious/config.cr | 15 +++++ src/invidious/helpers/oauth.cr | 55 ++++++++++++++++++ src/invidious/routes/login.cr | 90 +++++++++++++++++++----------- src/invidious/routing.cr | 1 + src/invidious/users.cr | 18 ++++++ src/invidious/views/user/login.ecr | 14 +++++ 7 files changed, 194 insertions(+), 33 deletions(-) create mode 100644 src/invidious/helpers/oauth.cr diff --git a/config/config.example.yml b/config/config.example.yml index 34070fe5..4d96a4f4 100644 --- a/config/config.example.yml +++ b/config/config.example.yml @@ -306,6 +306,40 @@ https_only: false ## #enable_user_notifications: true +## +## List of Enabled Authentication Backend +## If not provided falls back to default +## +## Supported Values: +## - invidious +## - oauth +## - ldap (Not implemented !) +## - saml (Not implemented !) +## +## Default: ["invidious","oauth"] +## +# auth_type: ["oauth"] + +## +## OAuth Configuration +## +## Notes: +## - Supports multiple OAuth backends +## - Requires external_port and domain to be configured +## +## Default: [] +## +# oauth: +# example: +# host: oauth.example.net +# field : email +# auth_uri: /oauth/authorize/ +# token_uri: /oauth/token/ +# info_uri: https://api.example.net/oauth/userinfo/ +# client_id: CLIENT_ID +# client_secret: CLIENT_SECRET + + # ----------------------------- # Background jobs # ----------------------------- diff --git a/src/invidious/config.cr b/src/invidious/config.cr index e5f1e822..96963c5a 100644 --- a/src/invidious/config.cr +++ b/src/invidious/config.cr @@ -8,6 +8,18 @@ struct DBConfig property dbname : String end +struct OAuthConfig + include YAML::Serializable + + property host : String + property field : String = "email" + property auth_uri : String + property token_uri : String + property info_uri : String + property client_id : String + property client_secret : String +end + struct ConfigPreferences include YAML::Serializable @@ -129,6 +141,9 @@ class Config # Use quic transport for youtube api property use_quic : Bool = false + property auth_type : Array(String) = ["invidious", "oauth"] + property oauth = {} of String => OAuthConfig + # Saved cookies in "name1=value1; name2=value2..." format @[YAML::Field(converter: Preferences::StringToCookies)] property cookies : HTTP::Cookies = HTTP::Cookies.new diff --git a/src/invidious/helpers/oauth.cr b/src/invidious/helpers/oauth.cr new file mode 100644 index 00000000..2a372b7c --- /dev/null +++ b/src/invidious/helpers/oauth.cr @@ -0,0 +1,55 @@ +require "oauth2" + +module Invidious::OAuthHelper + extend self + + def get_provider(key) + if provider = CONFIG.oauth[key]? + provider + else + raise Exception.new("Invalid OAuth Endpoint: " + key) + end + end + + def get(key) + if HOST_URL == "" + raise Exception.new("Missing domain and port configuration") + end + provider = get_provider(key) + redirect_uri = "#{HOST_URL}/login/oauth/#{key}" + OAuth2::Client.new( + provider.host, + provider.client_id, + provider.client_secret, + authorize_uri: provider.auth_uri, + token_uri: provider.token_uri, + redirect_uri: redirect_uri + ) + end + + def get_uri_host_pair(host, uri) + if (uri.starts_with?("https://")) + res = uri.gsub(/https*\:\/\//, "").split('/', 2) + [res[0], "/" + res[1]] + else + [host, uri] + end + end + + def get_info(key, token) + provider = self.get_provider(key) + uri_host_pair = self.get_uri_host_pair(provider.host, provider.info_uri) + LOGGER.info(uri_host_pair[0] + " " + uri_host_pair[1]) + client = HTTP::Client.new(uri_host_pair[0], tls: true) + token.authenticate(client) + response = client.get uri_host_pair[1] + client.close + LOGGER.info(response.body) + response.body + end + + def info_field(key, token) + info = JSON.parse(self.get_info(key, token)) + info[self.get_provider(key).field].as_s? + end +end diff --git a/src/invidious/routes/login.cr b/src/invidious/routes/login.cr index d0f7ac22..109d363b 100644 --- a/src/invidious/routes/login.cr +++ b/src/invidious/routes/login.cr @@ -21,12 +21,51 @@ module Invidious::Routes::Login account_type = env.params.query["type"]? account_type ||= "invidious" + if CONFIG.auth_type.find(&.== account_type).nil? + if CONFIG.auth_type.size == 0 + account_type = "invidious" + else + account_type = CONFIG.auth_type[0] + end + end + + oauth = CONFIG.auth_type.find(&.== "oauth") && (CONFIG.oauth.size > 0) + captcha_type = env.params.query["captcha"]? captcha_type ||= "image" templated "user/login" end + def self.login_oauth(env) + locale = env.get("preferences").as(Preferences).locale + + referer = get_referer(env, "/feed/subscriptions") + + authorization_code = env.params.query["code"]? + provider_k = env.params.url["provider"] + if authorization_code + begin + token = OAuthHelper.get(provider_k).get_access_token_using_authorization_code(authorization_code) + email = OAuthHelper.info_field(provider_k, token) + + if email + user = Invidious::Database::Users.select(email: email) + if user + user_flow_existing(env, email) + else + user_flow_new(env, email, nil) + end + end + rescue ex + return error_template(500, "Internal Error" + (ex.message || "")) + end + else + return error_template(403, "Missing Authorization Code") + end + env.redirect referer + end + def self.login(env) locale = env.get("preferences").as(Preferences).locale @@ -39,11 +78,27 @@ module Invidious::Routes::Login # https://stackoverflow.com/a/574698 email = env.params.body["email"]?.try &.downcase.byte_slice(0, 254) password = env.params.body["password"]? + oauth = CONFIG.auth_type.find(&.== "oauth") && (CONFIG.oauth.size > 0) account_type = env.params.query["type"]? account_type ||= "invidious" + if CONFIG.auth_type.size == 0 + return error_template(401, "No authentication backend enabled.") + end + + if CONFIG.auth_type.find(&.== account_type).nil? + account_type = CONFIG.auth_type[0] + end + case account_type + when "oauth" + provider_k = env.params.body["provider"] + env.redirect OAuthHelper.get(provider_k).get_authorize_uri("openid email profile") + when "saml" + return error_template(501, "Not implemented") + when "ldap" + return error_template(501, "Not implemented") when "invidious" if email.nil? || email.empty? return error_template(401, "User ID is a required field") @@ -64,13 +119,7 @@ module Invidious::Routes::Login else return error_template(401, "Wrong username or password") end - - # Since this user has already registered, we don't want to overwrite their preferences - if env.request.cookies["PREFS"]? - cookie = env.request.cookies["PREFS"] - cookie.expires = Time.utc(1990, 1, 1) - env.response.cookies << cookie - end + user_flow_existing(env, email) else if !CONFIG.registration_enabled return error_template(400, "Registration has been disabled by administrator.") @@ -147,32 +196,7 @@ module Invidious::Routes::Login end end end - - sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) - user, sid = create_user(sid, email, password) - - if language_header = env.request.headers["Accept-Language"]? - if language = ANG.language_negotiator.best(language_header, LOCALES.keys) - user.preferences.locale = language.header - end - end - - Invidious::Database::Users.insert(user) - Invidious::Database::SessionIDs.insert(sid, email) - - view_name = "subscriptions_#{sha256(user.email)}" - PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS #{MATERIALIZED_VIEW_SQL.call(user.email)}") - - env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid) - - if env.request.cookies["PREFS"]? - user.preferences = env.get("preferences").as(Preferences) - Invidious::Database::Users.update_preferences(user) - - cookie = env.request.cookies["PREFS"] - cookie.expires = Time.utc(1990, 1, 1) - env.response.cookies << cookie - end + user_flow_new(env, email, password) end env.redirect referer diff --git a/src/invidious/routing.cr b/src/invidious/routing.cr index daaf4d88..2c66338c 100644 --- a/src/invidious/routing.cr +++ b/src/invidious/routing.cr @@ -55,6 +55,7 @@ module Invidious::Routing def register_user_routes # User login/out get "/login", Routes::Login, :login_page + get "/login/oauth/:provider", Routes::Login, :login_oauth post "/login", Routes::Login, :login post "/signout", Routes::Login, :signout diff --git a/src/invidious/users.cr b/src/invidious/users.cr index 65566d20..d78d4561 100644 --- a/src/invidious/users.cr +++ b/src/invidious/users.cr @@ -3,6 +3,24 @@ require "crypto/bcrypt/password" # Materialized views may not be defined using bound parameters (`$1` as used elsewhere) MATERIALIZED_VIEW_SQL = ->(email : String) { "SELECT cv.* FROM channel_videos cv WHERE EXISTS (SELECT subscriptions FROM users u WHERE cv.ucid = ANY (u.subscriptions) AND u.email = E'#{email.gsub({'\'' => "\\'", '\\' => "\\\\"})}') ORDER BY published DESC" } +def create_user(sid, email) + token = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) + + user = Invidious::User.new({ + updated: Time.utc, + notifications: [] of String, + subscriptions: [] of String, + email: email, + preferences: Preferences.new(CONFIG.default_user_preferences.to_tuple), + password: nil, + token: token, + watched: [] of String, + feed_needs_update: true, + }) + + return user, sid +end + def create_user(sid, email, password) password = Crypto::Bcrypt::Password.create(password, cost: 10) token = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) diff --git a/src/invidious/views/user/login.ecr b/src/invidious/views/user/login.ecr index 2b03d280..ae71240a 100644 --- a/src/invidious/views/user/login.ecr +++ b/src/invidious/views/user/login.ecr @@ -7,6 +7,17 @@
<% case account_type when %> + <% when "oauth" %> +
+
+ + +
+
<% else # "invidious" %>
@@ -68,6 +79,9 @@ <%= translate(locale, "Sign In") %>/<%= translate(locale, "Register") %> <% end %> + <% if oauth %> + OAuth + <% end %>
<% end %>