dzming.li / core
A vibe coded tangled fork which supports pijul.
fork atom
core / appview / oauth / handler.go
at 35ec689069e46c74c7cfdf55f1b1c91c6239bce5 383 lines 11 kB view raw
oppiliappan appview/oauth: improve logging for default knot failures
35ec6890
1package oauth 2 3import ( 4 "bytes" 5 "context" 6 "encoding/json" 7 "errors" 8 "fmt" 9 "log/slog" 10 "net/http" 11 "slices" 12 "time" 13 14 comatproto "github.com/bluesky-social/indigo/api/atproto" 15 "github.com/bluesky-social/indigo/atproto/auth/oauth" 16 lexutil "github.com/bluesky-social/indigo/lex/util" 17 "github.com/go-chi/chi/v5" 18 "github.com/posthog/posthog-go" 19 "tangled.org/core/api/tangled" 20 "tangled.org/core/appview/db" 21 "tangled.org/core/appview/models" 22 "tangled.org/core/consts" 23 "tangled.org/core/idresolver" 24 "tangled.org/core/orm" 25 "tangled.org/core/tid" 26) 27 28func (o *OAuth) Router() http.Handler { 29 r := chi.NewRouter() 30 31 r.Get("/oauth/client-metadata.json", o.clientMetadata) 32 r.Get("/oauth/jwks.json", o.jwks) 33 r.Get("/oauth/callback", o.callback) 34 return r 35} 36 37func (o *OAuth) clientMetadata(w http.ResponseWriter, r *http.Request) { 38 doc := o.ClientApp.Config.ClientMetadata() 39 doc.JWKSURI = &o.JwksUri 40 doc.ClientName = &o.ClientName 41 doc.ClientURI = &o.ClientUri 42 43 w.Header().Set("Content-Type", "application/json") 44 if err := json.NewEncoder(w).Encode(doc); err != nil { 45 http.Error(w, err.Error(), http.StatusInternalServerError) 46 return 47 } 48} 49 50func (o *OAuth) jwks(w http.ResponseWriter, r *http.Request) { 51 w.Header().Set("Content-Type", "application/json") 52 body := o.ClientApp.Config.PublicJWKS() 53 if err := json.NewEncoder(w).Encode(body); err != nil { 54 http.Error(w, err.Error(), http.StatusInternalServerError) 55 return 56 } 57} 58 59func (o *OAuth) callback(w http.ResponseWriter, r *http.Request) { 60 ctx := r.Context() 61 l := o.Logger.With("query", r.URL.Query()) 62 63 authReturn := o.GetAuthReturn(r) 64 _ = o.ClearAuthReturn(w, r) 65 66 sessData, err := o.ClientApp.ProcessCallback(ctx, r.URL.Query()) 67 if err != nil { 68 var callbackErr *oauth.AuthRequestCallbackError 69 if errors.As(err, &callbackErr) { 70 l.Debug("callback error", "err", callbackErr) 71 http.Redirect(w, r, fmt.Sprintf("/login?error=%s", callbackErr.ErrorCode), http.StatusFound) 72 return 73 } 74 l.Error("failed to process callback", "err", err) 75 http.Redirect(w, r, "/login?error=oauth", http.StatusFound) 76 return 77 } 78 79 if err := o.SaveSession(w, r, sessData); err != nil { 80 l.Error("failed to save session", "data", sessData, "err", err) 81 errorCode := "session" 82 if errors.Is(err, ErrMaxAccountsReached) { 83 errorCode = "max_accounts" 84 } 85 http.Redirect(w, r, fmt.Sprintf("/login?error=%s", errorCode), http.StatusFound) 86 return 87 } 88 89 o.Logger.Debug("session saved successfully") 90 91 go o.addToDefaultKnot(sessData.AccountDID.String()) 92 go o.addToDefaultSpindle(sessData.AccountDID.String()) 93 go o.ensureTangledProfile(sessData) 94 95 if !o.Config.Core.Dev { 96 err = o.Posthog.Enqueue(posthog.Capture{ 97 DistinctId: sessData.AccountDID.String(), 98 Event: "signin", 99 }) 100 if err != nil { 101 o.Logger.Error("failed to enqueue posthog event", "err", err) 102 } 103 } 104 105 redirectURL := "/" 106 if authReturn.ReturnURL != "" { 107 redirectURL = authReturn.ReturnURL 108 } 109 110 http.Redirect(w, r, redirectURL, http.StatusFound) 111} 112 113func (o *OAuth) addToDefaultSpindle(did string) { 114 l := o.Logger.With("subject", did) 115 116 // use the tangled.sh app password to get an accessJwt 117 // and create an sh.tangled.spindle.member record with that 118 spindleMembers, err := db.GetSpindleMembers( 119 o.Db, 120 orm.FilterEq("instance", "spindle.tangled.sh"), 121 orm.FilterEq("subject", did), 122 ) 123 if err != nil { 124 l.Error("failed to get spindle members", "err", err) 125 return 126 } 127 128 if len(spindleMembers) != 0 { 129 l.Warn("already a member of the default spindle") 130 return 131 } 132 133 l.Debug("adding to default spindle") 134 session, err := o.getAppPasswordSession() 135 if err != nil { 136 l.Error("failed to create session", "err", err) 137 return 138 } 139 140 record := tangled.SpindleMember{ 141 LexiconTypeID: tangled.SpindleMemberNSID, 142 Subject: did, 143 Instance: consts.DefaultSpindle, 144 CreatedAt: time.Now().Format(time.RFC3339), 145 } 146 147 if err := session.putRecord(record, tangled.SpindleMemberNSID); err != nil { 148 o.invalidateAppPasswordSession() 149 l.Error("failed to add to default spindle", "err", err) 150 return 151 } 152 153 l.Debug("successfully added to default spindle", "did", did) 154} 155 156func (o *OAuth) addToDefaultKnot(did string) { 157 l := o.Logger.With("subject", did) 158 159 // use the tangled.sh app password to get an accessJwt 160 // and create an sh.tangled.spindle.member record with that 161 162 allKnots, err := o.Enforcer.GetKnotsForUser(did) 163 if err != nil { 164 l.Error("failed to get knot members for did", "err", err) 165 return 166 } 167 168 if slices.Contains(allKnots, consts.DefaultKnot) { 169 l.Warn("already a member of the default knot") 170 return 171 } 172 173 l.Debug("adding to default knot") 174 session, err := o.getAppPasswordSession() 175 if err != nil { 176 l.Error("failed to create session", "err", err) 177 return 178 } 179 180 record := tangled.KnotMember{ 181 LexiconTypeID: tangled.KnotMemberNSID, 182 Subject: did, 183 Domain: consts.DefaultKnot, 184 CreatedAt: time.Now().Format(time.RFC3339), 185 } 186 187 if err := session.putRecord(record, tangled.KnotMemberNSID); err != nil { 188 o.invalidateAppPasswordSession() 189 l.Error("failed to add to default knot", "err", err) 190 return 191 } 192 193 if err := o.Enforcer.AddKnotMember(consts.DefaultKnot, did); err != nil { 194 l.Error("failed to set up enforcer rules", "err", err) 195 return 196 } 197 198 l.Debug("successfully addeds to default Knot") 199} 200 201func (o *OAuth) ensureTangledProfile(sessData *oauth.ClientSessionData) { 202 ctx := context.Background() 203 did := sessData.AccountDID.String() 204 l := o.Logger.With("did", did) 205 206 profile, _ := db.GetProfile(o.Db, did) 207 if profile != nil { 208 l.Debug("profile already exists in DB") 209 return 210 } 211 212 l.Debug("creating empty Tangled profile") 213 214 sess, err := o.ClientApp.ResumeSession(ctx, sessData.AccountDID, sessData.SessionID) 215 if err != nil { 216 l.Error("failed to resume session for profile creation", "err", err) 217 return 218 } 219 client := sess.APIClient() 220 221 _, err = comatproto.RepoPutRecord(ctx, client, &comatproto.RepoPutRecord_Input{ 222 Collection: tangled.ActorProfileNSID, 223 Repo: did, 224 Rkey: "self", 225 Record: &lexutil.LexiconTypeDecoder{Val: &tangled.ActorProfile{}}, 226 }) 227 228 if err != nil { 229 l.Error("failed to create empty profile on PDS", "err", err) 230 return 231 } 232 233 tx, err := o.Db.BeginTx(ctx, nil) 234 if err != nil { 235 l.Error("failed to start transaction", "err", err) 236 return 237 } 238 239 emptyProfile := &models.Profile{Did: did} 240 if err := db.UpsertProfile(tx, emptyProfile); err != nil { 241 l.Error("failed to create empty profile in DB", "err", err) 242 return 243 } 244 245 l.Debug("successfully created empty Tangled profile on PDS and DB") 246} 247 248// create a AppPasswordSession using apppasswords 249type AppPasswordSession struct { 250 AccessJwt string `json:"accessJwt"` 251 PdsEndpoint string 252 Did string 253 Logger *slog.Logger 254} 255 256func CreateAppPasswordSession(res *idresolver.Resolver, appPassword, did string, logger *slog.Logger) (*AppPasswordSession, error) { 257 if appPassword == "" { 258 return nil, fmt.Errorf("no app password configured") 259 } 260 261 resolved, err := res.ResolveIdent(context.Background(), did) 262 if err != nil { 263 return nil, fmt.Errorf("failed to resolve tangled.sh DID %s: %v", did, err) 264 } 265 266 pdsEndpoint := resolved.PDSEndpoint() 267 if pdsEndpoint == "" { 268 return nil, fmt.Errorf("no PDS endpoint found for tangled.sh DID %s", did) 269 } 270 271 sessionPayload := map[string]string{ 272 "identifier": did, 273 "password": appPassword, 274 } 275 sessionBytes, err := json.Marshal(sessionPayload) 276 if err != nil { 277 return nil, fmt.Errorf("failed to marshal session payload: %v", err) 278 } 279 280 sessionURL := pdsEndpoint + "/xrpc/com.atproto.server.createSession" 281 sessionReq, err := http.NewRequestWithContext(context.Background(), "POST", sessionURL, bytes.NewBuffer(sessionBytes)) 282 if err != nil { 283 return nil, fmt.Errorf("failed to create session request: %v", err) 284 } 285 sessionReq.Header.Set("Content-Type", "application/json") 286 287 logger.Debug("creating app password session", "url", sessionURL, "headers", sessionReq.Header) 288 289 client := &http.Client{Timeout: 30 * time.Second} 290 sessionResp, err := client.Do(sessionReq) 291 if err != nil { 292 return nil, fmt.Errorf("failed to create session: %v", err) 293 } 294 defer sessionResp.Body.Close() 295 296 if sessionResp.StatusCode != http.StatusOK { 297 return nil, fmt.Errorf("failed to create session: HTTP %d", sessionResp.StatusCode) 298 } 299 300 var session AppPasswordSession 301 if err := json.NewDecoder(sessionResp.Body).Decode(&session); err != nil { 302 return nil, fmt.Errorf("failed to decode session response: %v", err) 303 } 304 305 session.PdsEndpoint = pdsEndpoint 306 session.Did = did 307 session.Logger = logger 308 309 return &session, nil 310} 311 312func (s *AppPasswordSession) putRecord(record any, collection string) error { 313 recordBytes, err := json.Marshal(record) 314 if err != nil { 315 return fmt.Errorf("failed to marshal knot member record: %w", err) 316 } 317 318 payload := map[string]any{ 319 "repo": s.Did, 320 "collection": collection, 321 "rkey": tid.TID(), 322 "record": json.RawMessage(recordBytes), 323 } 324 325 payloadBytes, err := json.Marshal(payload) 326 if err != nil { 327 return fmt.Errorf("failed to marshal request payload: %w", err) 328 } 329 330 url := s.PdsEndpoint + "/xrpc/com.atproto.repo.putRecord" 331 req, err := http.NewRequestWithContext(context.Background(), "POST", url, bytes.NewBuffer(payloadBytes)) 332 if err != nil { 333 return fmt.Errorf("failed to create HTTP request: %w", err) 334 } 335 336 req.Header.Set("Content-Type", "application/json") 337 req.Header.Set("Authorization", "Bearer "+s.AccessJwt) 338 339 s.Logger.Debug("putting record", "url", url, "collection", collection, "headers", req.Header) 340 341 client := &http.Client{Timeout: 30 * time.Second} 342 resp, err := client.Do(req) 343 if err != nil { 344 return fmt.Errorf("failed to add user to default service: %w", err) 345 } 346 defer resp.Body.Close() 347 348 if resp.StatusCode != http.StatusOK { 349 var errorResponse map[string]any 350 if err := json.NewDecoder(resp.Body).Decode(&errorResponse); err != nil { 351 return fmt.Errorf("failed to add user to default service: HTTP %d (failed to decode error response: %w)", resp.StatusCode, err) 352 } 353 return fmt.Errorf("failed to add user to default service: HTTP %d, response: %v", resp.StatusCode, errorResponse) 354 } 355 356 return nil 357} 358 359// getAppPasswordSession returns a cached AppPasswordSession, creating one if needed. 360func (o *OAuth) getAppPasswordSession() (*AppPasswordSession, error) { 361 o.appPasswordSessionMu.Lock() 362 defer o.appPasswordSessionMu.Unlock() 363 364 if o.appPasswordSession != nil { 365 return o.appPasswordSession, nil 366 } 367 368 session, err := CreateAppPasswordSession(o.IdResolver, o.Config.Core.AppPassword, consts.TangledDid, o.Logger) 369 if err != nil { 370 return nil, err 371 } 372 373 o.appPasswordSession = session 374 return session, nil 375} 376 377// invalidateAppPasswordSession clears the cached session so the next call to 378// getAppPasswordSession will create a fresh one. 379func (o *OAuth) invalidateAppPasswordSession() { 380 o.appPasswordSessionMu.Lock() 381 defer o.appPasswordSessionMu.Unlock() 382 o.appPasswordSession = nil 383}