focalboard/server/api/auth.go

505 lines
13 KiB
Go
Raw Normal View History

2020-11-06 16:46:35 +01:00
package api
import (
2020-12-02 21:12:14 +01:00
"context"
2020-11-06 16:46:35 +01:00
"encoding/json"
"fmt"
"io"
2020-11-06 16:46:35 +01:00
"io/ioutil"
2021-01-22 23:14:12 +01:00
"net"
2020-11-06 16:46:35 +01:00
"net/http"
"strings"
2020-12-02 21:12:14 +01:00
2021-01-21 19:16:40 +01:00
"github.com/gorilla/mux"
2021-01-26 23:13:46 +01:00
"github.com/mattermost/focalboard/server/model"
"github.com/mattermost/focalboard/server/services/audit"
2021-01-26 23:13:46 +01:00
"github.com/mattermost/focalboard/server/services/auth"
"github.com/mattermost/focalboard/server/utils"
"github.com/mattermost/mattermost-server/v6/shared/mlog"
2020-11-06 16:46:35 +01:00
)
const (
MinimumPasswordLength = 8
)
type ParamError struct {
msg string
}
func (pe ParamError) Error() string {
return pe.msg
}
2021-02-17 20:29:20 +01:00
// LoginRequest is a login request
// swagger:model
type LoginRequest struct {
// Type of login, currently must be set to "normal"
// required: true
Type string `json:"type"`
// If specified, login using username
// required: false
2020-11-06 16:46:35 +01:00
Username string `json:"username"`
2021-02-17 20:29:20 +01:00
// If specified, login using email
// required: false
Email string `json:"email"`
// Password
// required: true
2020-11-06 16:46:35 +01:00
Password string `json:"password"`
2021-02-17 20:29:20 +01:00
// MFA token
// required: false
// swagger:ignore
2020-11-06 16:46:35 +01:00
MfaToken string `json:"mfa_token"`
}
2021-02-17 20:29:20 +01:00
// LoginResponse is a login response
// swagger:model
type LoginResponse struct {
// Session token
// required: true
Token string `json:"token"`
}
func LoginResponseFromJSON(data io.Reader) (*LoginResponse, error) {
var resp LoginResponse
if err := json.NewDecoder(data).Decode(&resp); err != nil {
return nil, err
}
return &resp, nil
}
2021-02-17 20:29:20 +01:00
// RegisterRequest is a user registration request
// swagger:model
type RegisterRequest struct {
// User name
// required: true
2020-11-06 16:46:35 +01:00
Username string `json:"username"`
2021-02-17 20:29:20 +01:00
// User's email
// required: true
Email string `json:"email"`
// Password
// required: true
2020-11-06 16:46:35 +01:00
Password string `json:"password"`
2021-02-17 20:29:20 +01:00
// Registration authorization token
// required: true
Token string `json:"token"`
2020-11-06 16:46:35 +01:00
}
2021-02-17 20:29:20 +01:00
func (rd *RegisterRequest) IsValid() error {
2021-03-18 08:32:23 +01:00
if strings.TrimSpace(rd.Username) == "" {
return ParamError{"username is required"}
2020-11-06 16:46:35 +01:00
}
2021-03-18 08:32:23 +01:00
if strings.TrimSpace(rd.Email) == "" {
return ParamError{"email is required"}
2020-11-06 16:46:35 +01:00
}
2021-03-18 13:34:42 +01:00
if !auth.IsEmailValid(rd.Email) {
return ParamError{"invalid email format"}
2020-11-06 16:46:35 +01:00
}
2021-01-21 19:16:40 +01:00
if rd.Password == "" {
return ParamError{"password is required"}
2020-11-06 16:46:35 +01:00
}
return isValidPassword(rd.Password)
2021-01-21 19:16:40 +01:00
}
2021-02-17 20:29:20 +01:00
// ChangePasswordRequest is a user password change request
// swagger:model
type ChangePasswordRequest struct {
// Old password
// required: true
2021-01-21 19:16:40 +01:00
OldPassword string `json:"oldPassword"`
2021-02-17 20:29:20 +01:00
// New password
// required: true
2021-01-21 19:16:40 +01:00
NewPassword string `json:"newPassword"`
}
// IsValid validates a password change request.
2021-02-17 20:29:20 +01:00
func (rd *ChangePasswordRequest) IsValid() error {
2021-01-21 19:16:40 +01:00
if rd.OldPassword == "" {
return ParamError{"old password is required"}
2021-01-21 19:16:40 +01:00
}
if rd.NewPassword == "" {
return ParamError{"new password is required"}
2021-01-21 19:16:40 +01:00
}
return isValidPassword(rd.NewPassword)
2021-01-21 19:16:40 +01:00
}
func isValidPassword(password string) error {
if len(password) < MinimumPasswordLength {
return ParamError{fmt.Sprintf("password must be at least %d characters", MinimumPasswordLength)}
2021-01-21 19:16:40 +01:00
}
2020-11-06 16:46:35 +01:00
return nil
}
func (a *API) handleLogin(w http.ResponseWriter, r *http.Request) {
2021-02-17 20:29:20 +01:00
// swagger:operation POST /api/v1/login login
//
// Login user
//
// ---
// produces:
// - application/json
// parameters:
// - name: body
// in: body
// description: Login request
// required: true
// schema:
// "$ref": "#/definitions/LoginRequest"
// responses:
// '200':
// description: success
// schema:
// "$ref": "#/definitions/LoginResponse"
// '401':
// description: invalid login
// schema:
// "$ref": "#/definitions/ErrorResponse"
// '500':
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
if len(a.singleUserToken) > 0 {
// Not permitted in single-user mode
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not permitted in single-user mode", nil)
return
}
2020-11-06 16:46:35 +01:00
requestBody, err := ioutil.ReadAll(r.Body)
if err != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
2020-11-06 16:46:35 +01:00
return
}
2021-02-17 20:29:20 +01:00
var loginData LoginRequest
2020-11-06 16:46:35 +01:00
err = json.Unmarshal(requestBody, &loginData)
if err != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
2020-11-06 16:46:35 +01:00
return
}
auditRec := a.makeAuditRecord(r, "login", audit.Fail)
defer a.audit.LogRecord(audit.LevelAuth, auditRec)
auditRec.AddMeta("username", loginData.Username)
auditRec.AddMeta("type", loginData.Type)
2020-11-06 16:46:35 +01:00
if loginData.Type == "normal" {
token, err := a.app.Login(loginData.Username, loginData.Email, loginData.Password, loginData.MfaToken)
2020-11-06 16:46:35 +01:00
if err != nil {
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "incorrect login", err)
2020-11-06 16:46:35 +01:00
return
}
2021-02-17 20:29:20 +01:00
json, err := json.Marshal(LoginResponse{Token: token})
2020-11-06 16:46:35 +01:00
if err != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
2020-11-06 16:46:35 +01:00
return
}
jsonBytesResponse(w, http.StatusOK, json)
auditRec.Success()
2020-12-02 21:12:14 +01:00
return
2020-11-06 16:46:35 +01:00
}
a.errorResponse(w, r.URL.Path, http.StatusBadRequest, "invalid login type", nil)
2020-11-06 16:46:35 +01:00
}
func (a *API) handleLogout(w http.ResponseWriter, r *http.Request) {
// swagger:operation POST /api/v1/logout logout
//
// Logout user
//
// ---
// produces:
// - application/json
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// '500':
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
if len(a.singleUserToken) > 0 {
// Not permitted in single-user mode
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not permitted in single-user mode", nil)
return
}
ctx := r.Context()
session := ctx.Value(sessionContextKey).(*model.Session)
auditRec := a.makeAuditRecord(r, "logout", audit.Fail)
defer a.audit.LogRecord(audit.LevelAuth, auditRec)
auditRec.AddMeta("userID", session.UserID)
if err := a.app.Logout(session.ID); err != nil {
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "incorrect login", err)
return
}
auditRec.AddMeta("sessionID", session.ID)
jsonStringResponse(w, http.StatusOK, "{}")
auditRec.Success()
}
2020-11-06 16:46:35 +01:00
func (a *API) handleRegister(w http.ResponseWriter, r *http.Request) {
2021-02-17 20:29:20 +01:00
// swagger:operation POST /api/v1/register register
//
// Register new user
//
// ---
// produces:
// - application/json
// parameters:
// - name: body
// in: body
// description: Register request
// required: true
// schema:
// "$ref": "#/definitions/RegisterRequest"
// responses:
// '200':
// description: success
// '401':
// description: invalid registration token
// '500':
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
if len(a.singleUserToken) > 0 {
// Not permitted in single-user mode
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not permitted in single-user mode", nil)
return
}
2020-11-06 16:46:35 +01:00
requestBody, err := ioutil.ReadAll(r.Body)
if err != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
2020-11-06 16:46:35 +01:00
return
}
2021-02-17 20:29:20 +01:00
var registerData RegisterRequest
2020-11-06 16:46:35 +01:00
err = json.Unmarshal(requestBody, &registerData)
if err != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
2020-11-06 16:46:35 +01:00
return
}
2021-12-08 15:07:28 +01:00
registerData.Email = strings.TrimSpace(registerData.Email)
registerData.Username = strings.TrimSpace(registerData.Username)
2020-11-06 16:46:35 +01:00
2021-01-14 01:56:01 +01:00
// Validate token
if len(registerData.Token) > 0 {
workspace, err2 := a.app.GetRootWorkspace()
if err2 != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err2)
2021-01-14 01:56:01 +01:00
return
}
if registerData.Token != workspace.SignupToken {
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "invalid token", nil)
2021-01-14 01:56:01 +01:00
return
}
} else {
// No signup token, check if no active users
userCount, err2 := a.app.GetRegisteredUserCount()
if err2 != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err2)
2021-01-14 01:56:01 +01:00
return
}
if userCount > 0 {
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "no sign-up token and user(s) already exist", nil)
2021-01-14 01:56:01 +01:00
return
}
}
2020-11-06 16:46:35 +01:00
if err = registerData.IsValid(); err != nil {
a.errorResponse(w, r.URL.Path, http.StatusBadRequest, err.Error(), err)
2020-11-06 16:46:35 +01:00
return
}
auditRec := a.makeAuditRecord(r, "register", audit.Fail)
defer a.audit.LogRecord(audit.LevelAuth, auditRec)
auditRec.AddMeta("username", registerData.Username)
err = a.app.RegisterUser(registerData.Username, registerData.Email, registerData.Password)
2020-11-06 16:46:35 +01:00
if err != nil {
a.errorResponse(w, r.URL.Path, http.StatusBadRequest, err.Error(), err)
2020-11-06 16:46:35 +01:00
return
}
2021-01-14 01:56:01 +01:00
2021-02-17 20:29:20 +01:00
jsonStringResponse(w, http.StatusOK, "{}")
auditRec.Success()
2020-11-06 16:46:35 +01:00
}
2020-12-02 21:12:14 +01:00
2021-01-21 19:16:40 +01:00
func (a *API) handleChangePassword(w http.ResponseWriter, r *http.Request) {
2021-02-17 20:29:20 +01:00
// swagger:operation POST /api/v1/users/{userID}/changepassword changePassword
//
// Change a user's password
//
// ---
// produces:
// - application/json
// parameters:
// - name: userID
// in: path
// description: User ID
// required: true
// type: string
// - name: body
// in: body
// description: Change password request
// required: true
// schema:
// "$ref": "#/definitions/ChangePasswordRequest"
// security:
// - BearerAuth: []
// responses:
// '200':
// description: success
// '400':
// description: invalid request
// schema:
// "$ref": "#/definitions/ErrorResponse"
// '500':
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
if len(a.singleUserToken) > 0 {
// Not permitted in single-user mode
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not permitted in single-user mode", nil)
return
}
2021-01-21 19:16:40 +01:00
vars := mux.Vars(r)
userID := vars["userID"]
requestBody, err := ioutil.ReadAll(r.Body)
if err != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
2021-01-21 19:16:40 +01:00
return
}
2021-02-17 20:29:20 +01:00
var requestData ChangePasswordRequest
if err = json.Unmarshal(requestBody, &requestData); err != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
2021-01-21 19:16:40 +01:00
return
}
if err = requestData.IsValid(); err != nil {
a.errorResponse(w, r.URL.Path, http.StatusBadRequest, err.Error(), err)
2021-01-21 19:16:40 +01:00
return
}
auditRec := a.makeAuditRecord(r, "changePassword", audit.Fail)
defer a.audit.LogRecord(audit.LevelAuth, auditRec)
if err = a.app.ChangePassword(userID, requestData.OldPassword, requestData.NewPassword); err != nil {
a.errorResponse(w, r.URL.Path, http.StatusBadRequest, err.Error(), err)
2021-01-21 19:16:40 +01:00
return
}
2021-02-17 20:29:20 +01:00
jsonStringResponse(w, http.StatusOK, "{}")
auditRec.Success()
2021-01-21 19:16:40 +01:00
}
2020-12-02 21:12:14 +01:00
func (a *API) sessionRequired(handler func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
2021-01-13 03:49:08 +01:00
return a.attachSession(handler, true)
}
func (a *API) attachSession(handler func(w http.ResponseWriter, r *http.Request), required bool) func(w http.ResponseWriter, r *http.Request) {
2020-12-02 21:12:14 +01:00
return func(w http.ResponseWriter, r *http.Request) {
2021-02-09 21:27:34 +01:00
token, _ := auth.ParseAuthTokenFromRequest(r)
a.logger.Debug(`attachSession`, mlog.Bool("single_user", len(a.singleUserToken) > 0))
2021-02-09 21:27:34 +01:00
if len(a.singleUserToken) > 0 {
if required && (token != a.singleUserToken) {
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "invalid single user token", nil)
2021-02-09 21:27:34 +01:00
return
}
now := utils.GetMillis()
2020-12-04 11:28:35 +01:00
session := &model.Session{
ID: SingleUser,
2021-03-26 19:01:54 +01:00
Token: token,
UserID: SingleUser,
2021-03-26 19:01:54 +01:00
AuthService: a.authService,
Props: map[string]interface{}{},
CreateAt: now,
UpdateAt: now,
2020-12-04 11:28:35 +01:00
}
ctx := context.WithValue(r.Context(), sessionContextKey, session)
handler(w, r.WithContext(ctx))
return
}
if a.MattermostAuth && r.Header.Get("Mattermost-User-Id") != "" {
userID := r.Header.Get("Mattermost-User-Id")
now := utils.GetMillis()
session := &model.Session{
ID: userID,
Token: userID,
UserID: userID,
AuthService: a.authService,
Props: map[string]interface{}{},
CreateAt: now,
UpdateAt: now,
}
ctx := context.WithValue(r.Context(), sessionContextKey, session)
2020-12-04 11:28:35 +01:00
handler(w, r.WithContext(ctx))
return
}
session, err := a.app.GetSession(token)
2020-12-02 21:12:14 +01:00
if err != nil {
2021-01-13 03:49:08 +01:00
if required {
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "", err)
2021-01-13 03:49:08 +01:00
return
}
handler(w, r)
2020-12-02 21:12:14 +01:00
return
}
2021-03-26 19:01:54 +01:00
authService := session.AuthService
if authService != a.authService {
a.logger.Error(`Session authService mismatch`,
mlog.String("sessionID", session.ID),
mlog.String("want", a.authService),
mlog.String("got", authService),
)
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "", err)
2021-03-26 19:01:54 +01:00
return
}
ctx := context.WithValue(r.Context(), sessionContextKey, session)
2020-12-02 21:12:14 +01:00
handler(w, r.WithContext(ctx))
}
}
2021-01-22 23:14:12 +01:00
func (a *API) adminRequired(handler func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
return func(w http.ResponseWriter, r *http.Request) {
// Currently, admin APIs require local unix connections
conn := GetContextConn(r)
2021-01-22 23:14:12 +01:00
if _, isUnix := conn.(*net.UnixConn); !isUnix {
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not a local unix connection", nil)
2021-01-22 23:14:12 +01:00
return
}
handler(w, r)
}
}