This repository has been archived on 2024-09-28. You can view files and clone it, but cannot push or open issues or pull requests.
burgerauth/main.go

1443 lines
51 KiB
Go
Raw Normal View History

2024-05-13 11:38:09 +01:00
// This code is licensed under the latest version of the GNU Affero General Public License
2024-04-26 21:12:56 +01:00
package main
import (
2024-05-09 17:27:47 +01:00
"bytes"
"crypto/rand"
"crypto/rsa"
2024-04-26 21:12:56 +01:00
"crypto/sha256"
"crypto/x509"
2024-04-26 21:12:56 +01:00
"database/sql"
"encoding/base64"
2024-05-04 16:15:40 +01:00
"encoding/binary"
2024-04-26 21:12:56 +01:00
"encoding/hex"
"encoding/json"
"encoding/pem"
2024-04-28 21:24:50 +01:00
"errors"
2024-04-26 21:12:56 +01:00
"fmt"
"log"
"math/big"
"net/http"
2024-04-26 21:12:56 +01:00
"os"
"regexp"
"strconv"
"strings"
"time"
2024-05-09 17:27:47 +01:00
"centrifuge.hectabit.org/HectaBit/captcha"
2024-04-26 21:12:56 +01:00
"github.com/dgrijalva/jwt-go"
"github.com/gin-contrib/sessions"
"github.com/gin-contrib/sessions/cookie"
2024-04-26 21:12:56 +01:00
"github.com/gin-gonic/gin"
_ "github.com/mattn/go-sqlite3"
"github.com/spf13/viper"
"golang.org/x/crypto/scrypt"
)
var (
conn *sql.DB
2024-05-03 20:15:46 +01:00
privateKey *rsa.PrivateKey
publicKey *rsa.PublicKey
modulus *big.Int
exponent int
)
func Int64ToBase64URL(num int64) (string, error) {
2024-05-04 16:15:40 +01:00
numBytes := make([]byte, 8)
binary.BigEndian.PutUint64(numBytes, uint64(num))
startIndex := 0
for startIndex < len(numBytes) && numBytes[startIndex] == 0 {
startIndex++
}
trimmedBytes := numBytes[startIndex:]
encoded := base64.URLEncoding.EncodeToString(trimmedBytes)
return encoded, nil
}
func BigIntToBase64URL(num *big.Int) (string, error) {
numBytes := num.Bytes()
startIndex := 0
for startIndex < len(numBytes) && numBytes[startIndex] == 0 {
startIndex++
}
trimmedBytes := numBytes[startIndex:]
encoded := base64.URLEncoding.EncodeToString(trimmedBytes)
2024-05-04 16:15:40 +01:00
return encoded, nil
2024-05-03 20:38:08 +01:00
}
2024-05-04 16:15:40 +01:00
const salt_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
func genSalt(length int) (string, error) {
2024-04-26 21:12:56 +01:00
if length <= 0 {
return "", errors.New("salt length must be greater than 0")
2024-04-26 21:12:56 +01:00
}
salt := make([]byte, length)
randomBytes := make([]byte, length)
_, err := rand.Read(randomBytes)
if err != nil {
return "", err
}
2024-04-26 21:12:56 +01:00
for i := range salt {
2024-04-28 21:24:50 +01:00
salt[i] = salt_chars[int(randomBytes[i])%len(salt_chars)]
2024-04-26 21:12:56 +01:00
}
return string(salt), nil
2024-04-26 21:12:56 +01:00
}
func sha256Base64(s string) string {
hashed := sha256.Sum256([]byte(s))
encoded := base64.URLEncoding.EncodeToString(hashed[:])
encoded = strings.TrimRight(encoded, "=")
return encoded
}
func hash(password, salt string) (string, error) {
2024-04-26 21:12:56 +01:00
passwordBytes := []byte(password)
saltBytes := []byte(salt)
derivedKey, err := scrypt.Key(passwordBytes, saltBytes, 32768, 8, 1, 64)
if err != nil {
return "", err
}
2024-04-26 21:12:56 +01:00
2024-05-06 10:24:18 +01:00
hashString := fmt.Sprintf("scrypt:32768:8:1$%s$%s", salt, hex.EncodeToString(derivedKey))
return hashString, nil
2024-04-26 21:12:56 +01:00
}
func verifyHash(werkzeug_hash, password string) (bool, error) {
parts := strings.Split(werkzeug_hash, "$")
2024-04-26 21:12:56 +01:00
if len(parts) != 3 || parts[0] != "scrypt:32768:8:1" {
return false, nil
2024-04-26 21:12:56 +01:00
}
salt := parts[1]
computedHash, err := hash(password, salt)
if err != nil {
return false, err
}
2024-04-26 21:12:56 +01:00
return werkzeug_hash == computedHash, nil
2024-04-26 21:12:56 +01:00
}
func getUser(id int) (string, string, string, string, error) {
var created, username, password, uniqueId string
err := conn.QueryRow("SELECT created, username, uniqueId, password FROM users WHERE id = ? LIMIT 1", id).Scan(&created, &username, &uniqueId, &password)
2024-04-26 21:12:56 +01:00
if err != nil {
2024-04-28 21:24:50 +01:00
if errors.Is(err, sql.ErrNoRows) {
return "", "", "", "", sql.ErrNoRows
2024-04-26 21:12:56 +01:00
} else {
return "", "", "", "", err
2024-04-26 21:12:56 +01:00
}
}
return created, username, password, uniqueId, nil
2024-04-26 21:12:56 +01:00
}
func getSession(session string) (int, int, error) {
var id, sessionId int
err := conn.QueryRow("SELECT sessionid, id FROM sessions WHERE session = ? LIMIT 1", session).Scan(&sessionId, &id)
2024-04-26 21:12:56 +01:00
if err != nil {
return 0, 0, err
2024-04-26 21:12:56 +01:00
}
return sessionId, id, nil
2024-04-26 21:12:56 +01:00
}
func checkUsernameTaken(username string) (int, bool, error) {
2024-04-26 21:12:56 +01:00
var id int
err := conn.QueryRow("SELECT id FROM users WHERE lower(username) = ? LIMIT 1", username).Scan(&id)
if err != nil {
2024-04-28 21:24:50 +01:00
if errors.Is(err, sql.ErrNoRows) {
return 0, true, nil
2024-04-26 21:12:56 +01:00
} else {
return 0, true, err
2024-04-26 21:12:56 +01:00
}
}
return id, false, nil
2024-04-26 21:12:56 +01:00
}
func init_db() {
if _, err := os.Stat("database.db"); os.IsNotExist(err) {
if err := generateDB(); err != nil {
log.Println("[ERROR] Unknown while generating database at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
2024-04-26 21:12:56 +01:00
return
}
} else {
log.Print("Proceeding will overwrite the database. Proceed? (y/n) ")
2024-04-26 21:12:56 +01:00
var answer string
2024-04-28 21:24:50 +01:00
_, err := fmt.Scanln(&answer)
if err != nil {
log.Println("[ERROR] Unknown while scanning input at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
2024-04-28 21:24:50 +01:00
return
}
2024-04-26 21:12:56 +01:00
if answer == "y" || answer == "Y" {
if err := generateDB(); err != nil {
log.Println("[ERROR] Unknown while generating database at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
2024-04-26 21:12:56 +01:00
return
}
} else if answer == ":3" {
log.Println("[:3] :3")
2024-04-26 21:12:56 +01:00
} else {
log.Println("[INFO] Stopped")
2024-04-26 21:12:56 +01:00
}
}
}
func generateDB() error {
db, err := sql.Open("sqlite3", "database.db")
if err != nil {
return err
}
2024-04-28 21:24:50 +01:00
defer func(db *sql.DB) {
err := db.Close()
if err != nil {
log.Println("[ERROR] Unknown in generateDB() defer at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
return
2024-04-28 21:24:50 +01:00
}
}(db)
2024-04-26 21:12:56 +01:00
schemaBytes, err := os.ReadFile("schema.sql")
2024-04-26 21:12:56 +01:00
if err != nil {
return err
}
_, err = db.Exec(string(schemaBytes))
if err != nil {
return err
}
log.Println("[INFO] Generated database")
2024-04-26 21:12:56 +01:00
return nil
}
func main() {
if _, err := os.Stat("config.ini"); err == nil {
log.Println("[INFO] Config loaded at", time.Now().Unix())
2024-04-26 21:12:56 +01:00
} else if os.IsNotExist(err) {
log.Println("[FATAL] config.ini does not exist")
2024-04-26 21:12:56 +01:00
os.Exit(1)
} else {
log.Println("[FATAL] File is in quantum uncertainty:", err)
2024-04-26 21:12:56 +01:00
os.Exit(1)
}
viper.SetConfigName("config")
viper.AddConfigPath("./")
viper.AutomaticEnv()
err := viper.ReadInConfig()
if err != nil {
log.Println("[FATAL] Error in config file at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
2024-04-26 21:12:56 +01:00
os.Exit(1)
}
HOST := viper.GetString("config.HOST")
PORT := viper.GetInt("config.PORT")
SECRET_KEY := viper.GetString("config.SECRET_KEY")
PUBLIC_KEY_PATH := viper.GetString("config.PUBLIC_KEY")
PRIVATE_KEY_PATH := viper.GetString("config.PRIVATE_KEY")
2024-04-26 21:12:56 +01:00
if SECRET_KEY == "supersecretkey" {
log.Println("[WARNING] Secret key not set. Please set the secret key to a non-default value.")
}
conn, err = sql.Open("sqlite3", "database.db")
if err != nil {
log.Fatalln("[FATAL] Cannot open database at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
}
defer func(conn *sql.DB) {
err := conn.Close()
if err != nil {
log.Println("[ERROR] Unknown in main() defer at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
}
}(conn)
if len(os.Args) > 1 {
if os.Args[1] == "init_db" {
init_db()
os.Exit(0)
}
}
privateKeyFile, err := os.ReadFile(PRIVATE_KEY_PATH)
if err != nil {
log.Fatal("[ERROR] Cannot read private key:", err)
}
block, _ := pem.Decode(privateKeyFile)
2024-05-03 20:15:46 +01:00
if block == nil {
log.Fatal("[ERROR] Failed to parse PEM block containing the private key")
}
privateKeyRaw, err := x509.ParsePKCS8PrivateKey(block.Bytes)
2024-05-03 20:15:46 +01:00
if err != nil {
log.Fatal("[ERROR] Failed to parse private key:", err)
}
2024-05-03 20:18:45 +01:00
var ok bool
privateKey, ok = privateKeyRaw.(*rsa.PrivateKey)
2024-05-03 20:18:45 +01:00
if !ok {
log.Fatal("[ERROR] Failed to convert private key to RSA private key")
}
2024-05-03 20:15:46 +01:00
pubKeyFile, err := os.ReadFile(PUBLIC_KEY_PATH)
if err != nil {
log.Fatal("[ERROR] Cannot read public key:", err)
}
2024-05-03 20:15:46 +01:00
block, _ = pem.Decode(pubKeyFile)
if block == nil {
log.Fatal("[ERROR] Failed to parse PEM block containing the public key")
}
pubKey, err := x509.ParsePKIXPublicKey(block.Bytes)
if err != nil {
log.Fatal("[ERROR] Failed to parse public key:", err)
}
2024-05-03 20:15:46 +01:00
publicKey, ok = pubKey.(*rsa.PublicKey)
if !ok {
log.Fatal("[ERROR] Failed to convert public key to RSA public key")
2024-04-26 21:12:56 +01:00
}
2024-05-04 16:37:43 +01:00
modulus = privateKey.N
exponent = privateKey.E
2024-04-26 21:12:56 +01:00
gin.SetMode(gin.ReleaseMode)
router := gin.New()
store := cookie.NewStore([]byte(SECRET_KEY))
store.Options(sessions.Options{
MaxAge: 300,
HttpOnly: true,
Secure: true,
SameSite: 3,
})
router.Use(sessions.Sessions("currentSession", store))
2024-04-26 21:12:56 +01:00
2024-04-28 10:55:38 +01:00
// Enable CORS
router.Use(func(c *gin.Context) {
c.Writer.Header().Set("Access-Control-Allow-Origin", "*")
c.Writer.Header().Set("Access-Control-Allow-Headers", "*, Authorization")
2024-04-28 10:55:38 +01:00
c.Writer.Header().Set("Access-Control-Allow-Methods", "*")
// Handle preflight requests
if c.Request.Method == "OPTIONS" {
c.AbortWithStatus(200)
return
}
c.Next()
})
2024-04-26 21:12:56 +01:00
router.Static("/static", "./static")
router.LoadHTMLGlob("templates/*.html")
router.GET("/", func(c *gin.Context) {
c.Redirect(302, "/login")
})
router.GET("/login", func(c *gin.Context) {
c.HTML(200, "login.html", gin.H{})
})
router.GET("/signup", func(c *gin.Context) {
2024-05-09 17:27:47 +01:00
session := sessions.Default(c)
sessionId, err := genSalt(512)
if err != nil {
fmt.Println("[ERROR] Failed to generate session token at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-SIGNUP-SESSION-GEN")
return
}
2024-05-09 17:27:47 +01:00
session.Options(sessions.Options{
SameSite: 3,
})
data, err := captcha.New(500, 100)
if err != nil {
fmt.Println("[ERROR] Failed to generate captcha at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Failed to generate captcha")
return
}
session.Set("captcha", data.Text)
session.Set("unique_token", sessionId)
2024-05-09 17:27:47 +01:00
err = session.Save()
if err != nil {
fmt.Println("[ERROR] Failed to save session in /login at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Failed to save session")
return
}
var b64bytes bytes.Buffer
err = data.WriteImage(&b64bytes)
if err != nil {
fmt.Println("[ERROR] Failed to encode captcha at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Failed to encode captcha")
return
}
c.HTML(200, "signup.html", gin.H{
"captcha_image": base64.StdEncoding.EncodeToString(b64bytes.Bytes()),
"unique_token": sessionId,
2024-05-09 17:27:47 +01:00
})
2024-04-26 21:12:56 +01:00
})
router.GET("/logout", func(c *gin.Context) {
c.HTML(200, "logout.html", gin.H{})
})
router.GET("/app", func(c *gin.Context) {
2024-05-06 12:55:04 +01:00
name := ""
if c.Request.URL.Query().Get("client_id") != "" {
appId := c.Request.URL.Query().Get("client_id")
err := conn.QueryRow("SELECT name FROM oauth WHERE appId = ? LIMIT 1", appId).Scan(&name)
if err != nil {
2024-05-06 12:55:04 +01:00
if errors.Is(err, sql.ErrNoRows) {
c.String(404, "App not found")
} else {
log.Println("[ERROR] Unknown in /app at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
}
return
}
}
c.HTML(200, "main.html", gin.H{"name": name})
2024-04-26 21:12:56 +01:00
})
router.GET("/dashboard", func(c *gin.Context) {
c.HTML(200, "dashboard.html", gin.H{})
})
2024-05-16 17:34:51 +01:00
router.GET("/account", func(c *gin.Context) {
c.HTML(200, "acct.html", gin.H{})
})
router.GET("/aeskeyshare", func(c *gin.Context) {
2024-04-29 21:23:15 +01:00
c.HTML(200, "aeskeyshare.html", gin.H{})
})
2024-04-26 21:12:56 +01:00
router.GET("/.well-known/openid-configuration", func(c *gin.Context) {
c.HTML(200, "openid.html", gin.H{})
})
router.GET("/api/version", func(c *gin.Context) {
c.String(200, "Burgerauth Version 1.3")
})
router.POST("/api/signup", func(c *gin.Context) {
var data map[string]interface{}
2024-04-28 21:24:50 +01:00
err := c.ShouldBindJSON(&data)
2024-05-09 17:27:47 +01:00
session := sessions.Default(c)
2024-04-28 21:24:50 +01:00
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
2024-04-26 21:12:56 +01:00
username := data["username"].(string)
password := data["password"].(string)
2024-05-09 17:27:47 +01:00
if data["unique_token"].(string) != session.Get("unique_token") {
c.JSON(403, gin.H{"error": "Invalid token"})
return
}
if data["captcha"].(string) != session.Get("captcha") {
c.JSON(401, gin.H{"error": "Captcha failed"})
return
}
2024-04-26 21:12:56 +01:00
if username == "" || password == "" || len(username) > 20 || !regexp.MustCompile("^[a-zA-Z0-9]+$").MatchString(username) {
c.JSON(422, gin.H{"error": "Invalid username or password"})
return
}
_, taken, err := checkUsernameTaken(username)
if err != nil {
log.Println("[ERROR] Unknown in /api/signup checkUsernameTaken() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-CHECKUSERNAME"})
return
}
if taken {
2024-04-26 21:12:56 +01:00
c.JSON(409, gin.H{"error": "Username taken"})
return
}
salt, err := genSalt(16)
if err != nil {
log.Println("[ERROR] Unknown in /api/signup genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SALT"})
return
}
hashedPassword, err := hash(password, salt)
if err != nil {
log.Println("[ERROR] Unknown in /api/signup hash() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-HASH"})
return
}
2024-04-26 21:12:56 +01:00
sub, err := genSalt(255)
if err != nil {
log.Println("[ERROR] Unknown in /api/signup genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SUB"})
return
}
_, err = conn.Exec("INSERT INTO users (username, password, created, uniqueid) VALUES (?, ?, ?, ?)", username, hashedPassword, strconv.FormatInt(time.Now().Unix(), 10), sub)
2024-04-28 21:24:50 +01:00
if err != nil {
log.Println("[ERROR] Unknown in /api/signup user creation at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
2024-04-28 21:24:50 +01:00
return
}
log.Println("[INFO] Added new user at", time.Now().Unix())
2024-04-26 21:12:56 +01:00
userid, _, err := checkUsernameTaken(username)
if err != nil {
log.Println("[ERROR] Unknown in /api/signup checkUsernameTaken() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-CHECKUSERNAME"})
return
}
2024-04-26 21:12:56 +01:00
randomChars, err := genSalt(512)
if err != nil {
log.Println("[ERROR] Unknown in /api/signup token genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SESSIONSALT"})
return
}
2024-04-26 21:12:56 +01:00
_, err = conn.Exec("INSERT INTO sessions (session, id, device) VALUES (?, ?, ?)", randomChars, userid, c.Request.Header.Get("User-Agent"))
2024-04-28 21:24:50 +01:00
if err != nil {
log.Println("[ERROR] Unknown in /api/signup session Exec() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SESSIONINSERT"})
2024-04-28 21:24:50 +01:00
return
}
2024-04-26 21:12:56 +01:00
c.JSON(200, gin.H{"key": randomChars})
2024-04-26 21:12:56 +01:00
})
router.POST("/api/login", func(c *gin.Context) {
var data map[string]interface{}
2024-04-28 21:24:50 +01:00
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
2024-04-26 21:12:56 +01:00
username := data["username"].(string)
password := data["password"].(string)
passwordChange := data["password"].(string)
newPass := data["password"].(string)
2024-04-26 21:12:56 +01:00
userid, taken, err := checkUsernameTaken(username)
if err != nil {
log.Println("[ERROR] Unknown in /api/login checkUsernameTaken() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-CHECKUSERNAME"})
return
}
if !taken {
2024-04-26 21:12:56 +01:00
c.JSON(401, gin.H{"error": "User does not exist"})
return
}
_, _, userPassword, _, err := getUser(userid)
if err != nil {
log.Println("[ERROR] Unknown in /api/login getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-GETUSER"})
return
}
2024-04-26 21:12:56 +01:00
passwordCheck, err := verifyHash(userPassword, password)
if err != nil {
log.Println("[ERROR] Unknown in /api/login password check at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-PASSWORDCHECK"})
return
}
if !passwordCheck {
2024-04-26 21:12:56 +01:00
c.JSON(401, gin.H{"error": "Incorrect password"})
return
}
randomChars, err := genSalt(512)
if err != nil {
log.Println("[ERROR] Unknown in /api/login token genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-SESSIONSALT"})
return
}
2024-04-26 21:12:56 +01:00
_, err = conn.Exec("INSERT INTO sessions (session, id, device) VALUES (?, ?, ?)", randomChars, userid, c.Request.Header.Get("User-Agent"))
2024-04-28 21:24:50 +01:00
if err != nil {
log.Println("[ERROR] Unknown in /api/login session creation at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-SESSIONINSERT"})
2024-04-28 21:24:50 +01:00
return
}
2024-04-26 21:12:56 +01:00
if passwordChange == "yes" {
hashPassword, err := hash(newPass, "")
if err != nil {
log.Println("[ERROR] Unknown in /api/login password hash at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-PASSWORDHASH"})
return
}
_, err = conn.Exec("UPDATE users SET password = ? WHERE username = ?", hashPassword, username)
2024-04-28 21:24:50 +01:00
if err != nil {
log.Println("[ERROR] Unknown in /api/login password change at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-PASSWORDCHANGE"})
2024-04-28 21:24:50 +01:00
return
}
2024-04-26 21:12:56 +01:00
}
c.JSON(200, gin.H{"key": randomChars})
2024-04-26 21:12:56 +01:00
})
router.POST("/api/userinfo", func(c *gin.Context) {
var data map[string]interface{}
2024-04-28 21:24:50 +01:00
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
2024-04-26 21:12:56 +01:00
secretKey := data["secretKey"].(string)
2024-04-26 21:12:56 +01:00
_, userid, err := getSession(secretKey)
if errors.Is(err, sql.ErrNoRows) {
c.JSON(401, gin.H{"error": "Invalid session"})
2024-04-26 21:12:56 +01:00
return
}
created, username, _, _, err := getUser(userid)
if errors.Is(err, sql.ErrNoRows) {
2024-04-26 21:12:56 +01:00
c.JSON(400, gin.H{"error": "User does not exist"})
return
} else if err != nil {
log.Println("[ERROR] Unknown in /api/userinfo getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-USERINFO-GETUSER"})
return
2024-04-26 21:12:56 +01:00
}
c.JSON(200, gin.H{"username": username, "id": userid, "created": created})
})
router.GET("/userinfo", func(c *gin.Context) {
var token string
if len(c.Request.Header["Authorization"]) > 0 {
if len(strings.Fields(c.Request.Header["Authorization"][0])) > 1 {
token = strings.Fields(c.Request.Header["Authorization"][0])[1]
} else {
c.JSON(400, gin.H{"error": "Invalid token"})
return
}
} else {
c.JSON(400, gin.H{"error": "Invalid token"})
return
}
2024-04-28 10:45:58 +01:00
var blacklisted bool
err := conn.QueryRow("SELECT blacklisted FROM blacklist WHERE openid = ? LIMIT 1", token).Scan(&blacklisted)
if err == nil {
c.JSON(400, gin.H{"error": "Token is in blacklist"})
return
} else {
2024-04-28 21:24:50 +01:00
if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /userinfo blacklist at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-USERINFO-BLACKLIST"})
2024-04-28 10:45:58 +01:00
return
}
}
parsedToken, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
return publicKey, nil
2024-04-28 10:45:58 +01:00
})
if err != nil {
c.JSON(401, gin.H{"error": "Malformed token"})
return
}
var claims jwt.MapClaims
var ok bool
if parsedToken.Valid {
claims, ok = parsedToken.Claims.(jwt.MapClaims)
2024-04-28 10:45:58 +01:00
if !ok {
c.JSON(401, gin.H{"error": "Invalid token claims"})
return
}
}
session := claims["session"].(string)
2024-04-28 11:20:54 +01:00
exp := claims["exp"].(float64)
if int64(exp) < time.Now().Unix() {
2024-04-28 10:45:58 +01:00
c.JSON(403, gin.H{"error": "Expired token"})
return
}
_, userid, err := getSession(session)
if err != nil {
c.JSON(401, gin.H{"error": "Invalid session"})
2024-04-28 10:45:58 +01:00
return
}
2024-04-26 21:12:56 +01:00
_, username, _, sub, err := getUser(userid)
if errors.Is(err, sql.ErrNoRows) {
2024-04-26 21:12:56 +01:00
c.JSON(400, gin.H{"error": "User does not exist"})
return
} else if err != nil {
log.Println("[ERROR] Unknown in /userinfo getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-USERINFO-GETUSER"})
return
2024-04-26 21:12:56 +01:00
}
c.JSON(200, gin.H{"sub": sub[:255], "name": username})
2024-04-26 21:12:56 +01:00
})
2024-04-28 10:45:58 +01:00
router.POST("/api/uniqueid", func(c *gin.Context) {
2024-04-28 11:01:04 +01:00
var data map[string]interface{}
2024-04-28 21:24:50 +01:00
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
2024-04-28 10:45:58 +01:00
2024-04-28 11:01:04 +01:00
token := data["access_token"].(string)
2024-04-28 10:45:58 +01:00
var blacklisted bool
2024-04-28 21:24:50 +01:00
err = conn.QueryRow("SELECT blacklisted FROM blacklist WHERE token = ? LIMIT 1", token).Scan(&blacklisted)
2024-04-28 10:45:58 +01:00
if err == nil {
c.JSON(400, gin.H{"error": "Token is in blacklist"})
return
} else {
2024-04-28 21:24:50 +01:00
if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/sub blacklist at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-UNIQUEID-BLACKLIST"})
return
}
}
parsedToken, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
return publicKey, nil
})
if err != nil {
c.JSON(401, gin.H{"error": "Malformed token"})
return
}
var claims jwt.MapClaims
var ok bool
if parsedToken.Valid {
claims, ok = parsedToken.Claims.(jwt.MapClaims)
if !ok {
c.JSON(401, gin.H{"error": "Invalid token claims"})
2024-04-28 10:45:58 +01:00
return
}
}
session := claims["session"].(string)
exp := claims["exp"].(float64)
if int64(exp) < time.Now().Unix() {
c.JSON(403, gin.H{"error": "Expired token"})
return
}
_, userid, err := getSession(session)
if err != nil {
c.JSON(401, gin.H{"error": "Invalid session"})
return
}
_, _, _, sub, err := getUser(userid)
if errors.Is(err, sql.ErrNoRows) {
c.JSON(400, gin.H{"error": "User does not exist"})
return
} else if err != nil {
log.Println("[ERROR] Unknown in /api/userinfo getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-UNIQUEID-GETUSER"})
return
}
c.JSON(200, gin.H{"sub": sub})
})
router.POST("/api/loggedin", func(c *gin.Context) {
var data map[string]interface{}
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
token := data["access_token"].(string)
var blacklisted bool
err = conn.QueryRow("SELECT blacklisted FROM blacklist WHERE token = ? LIMIT 1", token).Scan(&blacklisted)
if err == nil {
c.JSON(400, gin.H{"error": "Token is in blacklist"})
return
} else {
if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/loggedin blacklist at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGGEDIN-BLACKLIST"})
return
}
}
2024-04-28 10:45:58 +01:00
parsedToken, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
return publicKey, nil
2024-04-28 10:45:58 +01:00
})
if err != nil {
c.JSON(401, gin.H{"error": "Malformed token"})
return
}
var claims jwt.MapClaims
var ok bool
if parsedToken.Valid {
claims, ok = parsedToken.Claims.(jwt.MapClaims)
2024-04-28 10:45:58 +01:00
if !ok {
c.JSON(401, gin.H{"error": "Invalid token claims"})
return
}
}
session := claims["session"].(string)
2024-04-28 11:20:54 +01:00
exp := claims["exp"].(float64)
if int64(exp) < time.Now().Unix() {
2024-04-28 10:45:58 +01:00
c.JSON(403, gin.H{"error": "Expired token"})
return
}
_, _, err = getSession(session)
if err != nil {
c.JSON(401, gin.H{"error": "Invalid session"})
2024-04-28 10:45:58 +01:00
return
}
c.JSON(200, gin.H{"appId": claims["aud"]})
2024-04-28 10:45:58 +01:00
})
2024-04-26 21:12:56 +01:00
router.GET("/api/auth", func(c *gin.Context) {
secretKey, _ := c.Cookie("key")
appId := c.Request.URL.Query().Get("client_id")
code := c.Request.URL.Query().Get("code_challenge")
codeMethod := c.Request.URL.Query().Get("code_challenge_method")
2024-04-26 21:12:56 +01:00
redirect_uri := c.Request.URL.Query().Get("redirect_uri")
state := c.Request.URL.Query().Get("state")
nonce := c.Request.URL.Query().Get("nonce")
deny := c.Request.URL.Query().Get("deny")
2024-04-26 21:12:56 +01:00
session := sessions.Default(c)
var appIdCheck, redirectUriCheck string
2024-04-26 21:12:56 +01:00
err := conn.QueryRow("SELECT appId, rdiruri FROM oauth WHERE appId = ? LIMIT 1", appId).Scan(&appIdCheck, &redirectUriCheck)
2024-04-28 21:24:50 +01:00
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
fmt.Println(appId)
2024-04-28 21:24:50 +01:00
c.String(401, "OAuth screening failed")
} else {
log.Println("[ERROR] Unknown in /api/auth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-SELECT")
2024-04-28 21:24:50 +01:00
}
return
}
2024-04-26 21:12:56 +01:00
if !(redirectUriCheck == redirect_uri) {
c.String(401, "Redirect URI does not match")
return
}
if deny == "true" {
c.Redirect(302, redirect_uri+"?error=access_denied&state="+state)
return
}
if !(appIdCheck == appId) {
fmt.Println(appIdCheck, appId)
2024-04-26 21:12:56 +01:00
c.String(401, "OAuth screening failed")
return
}
if nonce == "none" {
nonce, err = genSalt(512)
if err != nil {
log.Println("[ERROR] Unknown in /api/auth nonce genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-NONCE")
return
}
}
_, userId, err := getSession(secretKey)
if err != nil {
c.String(401, "Invalid session")
return
}
_, username, _, sub, err := getUser(userId)
if errors.Is(err, sql.ErrNoRows) {
c.String(400, "User does not exist")
return
} else if err != nil {
log.Println("[ERROR] Unknown in /api/userinfo getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-GETUSER")
return
}
dataTemplate := jwt.MapClaims{
"sub": sub[:255],
2024-04-26 21:15:43 +01:00
"iss": "https://auth.hectabit.org",
2024-04-26 21:12:56 +01:00
"name": username,
"aud": appId,
"exp": time.Now().Unix() + 2592000,
"iat": time.Now().Unix(),
"auth_time": time.Now().Unix(),
2024-04-28 10:45:58 +01:00
"session": secretKey,
"nonce": nonce,
2024-04-26 21:12:56 +01:00
}
secondNonce, err := genSalt(512)
dataTemplateTwo := jwt.MapClaims{
2024-04-28 10:45:58 +01:00
"exp": time.Now().Unix() + 2592000,
"iat": time.Now().Unix(),
"session": secretKey,
"nonce": secondNonce,
2024-04-26 21:12:56 +01:00
}
tokenTemp := jwt.NewWithClaims(jwt.SigningMethodRS256, dataTemplate)
tokenTemp.Header["kid"] = "burgerauth"
openIdToken, err := tokenTemp.SignedString(privateKey)
if err != nil {
log.Println("[ERROR] Unknown in /api/auth openIdToken at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-JWTCANNOTSIGN")
return
}
2024-05-04 16:32:49 +01:00
secretTemp := jwt.NewWithClaims(jwt.SigningMethodRS256, dataTemplateTwo)
secretTemp.Header["kid"] = "burgerauth"
oauthToken, err := secretTemp.SignedString(privateKey)
if err != nil {
log.Println("[ERROR] Unknown in /api/auth oauthToken at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-JWTCANNOTSIGN.")
return
}
exchangeKey, err := genSalt(512)
if err != nil {
log.Println("[ERROR] Unknown in /api/auth exchangeKey at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-RANDOMBYTES.")
return
}
2024-04-26 21:12:56 +01:00
sessionInfo := map[string]any{
"iat": time.Now().Unix(),
"session": secretKey,
"appId": appId,
"exchangeKey": exchangeKey,
"creator": userId,
"PKCECode": code,
"PKCEMethod": codeMethod,
}
c.SetSameSite(3)
c.SetCookie("oauthToken", oauthToken, 300, "/", "", true, true)
c.SetCookie("openIdToken", openIdToken, 300, "/", "", true, true)
sessionInfoStr, err := json.Marshal(sessionInfo)
if err != nil {
log.Println("[ERROR] Unknown in /api/auth sessionInfoStr at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-SESSIONINFO.")
return
}
session.Set("activeLogin", sessionInfoStr)
err = session.Save()
2024-04-28 21:24:50 +01:00
if err != nil {
log.Println("[ERROR] Client-Server unknown in /api/auth session save at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(400, "Something went wrong, but we don't know who's fault it is (because we are mean coders, the error code says it's yours). If you deliberately caused this error (well done), please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and give us more info on how it happened. Your error code is: UNKNOWN-API-AUTH-SESSIONSAVE.")
2024-04-28 21:24:50 +01:00
return
}
2024-04-26 21:12:56 +01:00
if exchangeKey != "" {
c.Redirect(302, redirect_uri+"?code="+exchangeKey+"&state="+state)
2024-04-26 21:12:56 +01:00
} else {
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-REDIRECT.")
log.Println("[ERROR] Secret key not found at", strconv.FormatInt(time.Now().Unix(), 10))
2024-04-26 21:12:56 +01:00
}
})
router.POST("/api/tokenauth", func(c *gin.Context) {
2024-04-28 21:24:50 +01:00
err := c.Request.ParseForm()
if err != nil {
c.JSON(400, gin.H{"error": "Invalid form data"})
return
}
2024-04-26 21:12:56 +01:00
data := c.Request.Form
appId := data.Get("client_id")
code := data.Get("code")
code_verify := data.Get("code_verifier")
secret := data.Get("client_secret")
session := sessions.Default(c)
var verifyCode bool
2024-04-26 21:12:56 +01:00
if code_verify == "" {
verifyCode = false
2024-04-26 21:39:57 +01:00
} else {
verifyCode = true
2024-04-26 21:12:56 +01:00
}
var appIdCheck, secretCheck string
err = conn.QueryRow("SELECT appId, secret FROM oauth WHERE appId = ? LIMIT 1;", appId).Scan(&appIdCheck, &secretCheck)
2024-04-28 21:24:50 +01:00
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
c.JSON(401, gin.H{"error": "OAuth screening failed"})
} else {
log.Println("[ERROR] Unknown in /api/tokenauth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-TOKENAUTH-SELECT"})
2024-04-28 21:24:50 +01:00
}
return
}
if appIdCheck != appId {
2024-04-26 21:12:56 +01:00
c.JSON(401, gin.H{"error": "OAuth screening failed"})
return
}
activeLogin := session.Get("activeLogin")
if activeLogin == nil {
c.JSON(401, gin.H{"error": "The token has expired or was never created"})
return
}
var activeLoginMap map[string]any
err = json.Unmarshal([]byte(activeLogin.(string)), &activeLoginMap)
PKCECode, PKCEMethod, loginCode := activeLoginMap["PKCECode"].(string), activeLoginMap["PKCEMethod"].(string), activeLoginMap["exchangeKey"].(string)
if loginCode != code {
c.JSON(401, gin.H{"error": "Another login attempt is in progress or the login was never started"})
return
}
oauthCode, err := c.Cookie("oauthToken")
if err != nil {
if errors.Is(err, http.ErrNoCookie) {
c.JSON(401, gin.H{"error": "The token has expired or was never created"})
return
} else {
log.Println("[ERROR] Unknown in /api/tokenauth oauth cookie at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-TOKENAUTH-OAUTHTOKEN"})
return
}
}
openid, err := c.Cookie("openIdToken")
if err != nil {
if errors.Is(err, http.ErrNoCookie) {
c.JSON(401, gin.H{"error": "The token has expired or was never created"})
return
} else {
log.Println("[ERROR] Unknown in /api/tokenauth openid cookie at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-TOKENAUTH-OAUTHTOKEN"})
return
}
}
if verifyCode {
if PKCECode == "none" {
c.JSON(400, gin.H{"error": "Attempted PKCECode exchange with non-PKCECode authentication"})
2024-04-26 21:12:56 +01:00
return
} else {
if PKCEMethod == "S256" {
if sha256Base64(code_verify) != PKCECode {
c.JSON(403, gin.H{"error": "Invalid PKCECode"})
2024-04-26 21:12:56 +01:00
return
}
} else if PKCEMethod == "plain" {
if code_verify != PKCECode {
c.JSON(403, gin.H{"error": "Invalid PKCECode"})
2024-04-26 21:12:56 +01:00
return
}
} else {
c.JSON(403, gin.H{"error": "Attempted PKCECode exchange without supported PKCECode verification method"})
2024-04-26 21:12:56 +01:00
return
}
}
} else {
if secret != secretCheck {
2024-04-26 21:12:56 +01:00
c.JSON(401, gin.H{"error": "Invalid secret"})
return
}
}
c.JSON(200, gin.H{"access_token": oauthCode, "token_type": "bearer", "expires_in": 2592000, "id_token": openid})
2024-04-26 21:12:56 +01:00
})
router.POST("/api/deleteauth", func(c *gin.Context) {
var data map[string]interface{}
2024-04-28 21:24:50 +01:00
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
2024-04-26 21:12:56 +01:00
secretKey := data["secretKey"].(string)
appId := data["appId"].(string)
_, id, err := getSession(secretKey)
if err != nil {
c.JSON(401, gin.H{"error": "Invalid session"})
2024-04-26 21:12:56 +01:00
return
}
2024-04-28 21:24:50 +01:00
_, err = conn.Exec("DELETE FROM oauth WHERE appId = ? AND creator = ?", appId, id)
2024-04-26 21:12:56 +01:00
if err != nil {
2024-04-28 21:24:50 +01:00
if errors.Is(err, sql.ErrNoRows) {
2024-04-26 21:12:56 +01:00
c.JSON(400, gin.H{"error": "AppID Not found"})
} else {
log.Println("[ERROR] Unknown in /api/deleteauth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEAUTH-DELETE"})
2024-04-26 21:12:56 +01:00
}
} else {
c.JSON(200, gin.H{"success": "true"})
}
})
router.POST("/api/newauth", func(c *gin.Context) {
var data map[string]interface{}
2024-04-28 21:24:50 +01:00
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
2024-04-26 21:12:56 +01:00
secretKey := data["secretKey"].(string)
name := data["name"].(string)
redirectUri := data["redirectUri"].(string)
2024-04-26 21:12:56 +01:00
_, id, err := getSession(secretKey)
if err != nil {
c.JSON(401, gin.H{"error": "Invalid session"})
2024-04-26 21:12:56 +01:00
return
}
var testsecret, testappid string
secret, err := genSalt(512)
if err != nil {
log.Println("[ERROR] Unknown in /api/newauth secretgen at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-SECRETGEN"})
return
}
2024-04-26 21:12:56 +01:00
for {
err := conn.QueryRow("SELECT secret FROM oauth WHERE secret = ?", secret).Scan(&testsecret)
if err != nil {
2024-04-28 21:24:50 +01:00
if errors.Is(err, sql.ErrNoRows) {
2024-04-26 21:12:56 +01:00
break
} else {
log.Println("[ERROR] Unknown in /api/newauth secretselect at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-SECRETSELECT"})
2024-04-26 21:12:56 +01:00
return
}
} else {
secret, err = genSalt(512)
if err != nil {
log.Println("[ERROR] Unknown in /api/newauth secretgen at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-SECRETGEN"})
return
}
2024-04-26 21:12:56 +01:00
}
}
appId, err := genSalt(32)
if err != nil {
log.Println("[ERROR] Unknown in /api/newauth appidgen at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-APPIDGEN"})
return
}
for {
err = conn.QueryRow("SELECT appId FROM oauth WHERE appId = ?", appId).Scan(&testappid)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
log.Println("[Info] New Oauth source added with ID:", appId)
break
} else {
log.Println("[ERROR] Unknown in /api/newauth appidcheck at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-APPIDCHECK"})
return
}
2024-04-26 21:12:56 +01:00
} else {
appId, err = genSalt(32)
if err != nil {
log.Println("[ERROR] Unknown in /api/newauth appidgen at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-LAPPIDGEN"})
return
}
2024-04-26 21:12:56 +01:00
}
}
_, err = conn.Exec("INSERT INTO oauth (name, appId, creator, secret, redirectUri) VALUES (?, ?, ?, ?, ?)", name, appId, id, secret, redirectUri)
2024-04-28 21:24:50 +01:00
if err != nil {
log.Println("[ERROR] Unknown in /api/newauth insert at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-INSERT"})
2024-04-28 21:24:50 +01:00
return
}
2024-04-26 21:12:56 +01:00
c.JSON(200, gin.H{"key": secret, "appId": appId})
2024-04-26 21:12:56 +01:00
})
router.POST("/api/listauth", func(c *gin.Context) {
var data map[string]interface{}
2024-04-28 21:24:50 +01:00
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
2024-04-26 21:12:56 +01:00
secretKey := data["secretKey"].(string)
_, id, err := getSession(secretKey)
if err != nil {
c.JSON(401, gin.H{"error": "Invalid session"})
2024-04-26 21:12:56 +01:00
return
}
rows, err := conn.Query("SELECT appId, name, rdiruri FROM oauth WHERE creator = ? ORDER BY creator DESC", id)
2024-04-26 21:12:56 +01:00
if err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTAUTH-QUERY"})
2024-04-26 21:12:56 +01:00
return
}
2024-04-28 21:24:50 +01:00
defer func(rows *sql.Rows) {
err := rows.Close()
if err != nil {
log.Println("[ERROR] Unknown in /api/listauth rows close at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTAUTH-ROWSCLOSE"})
return
2024-04-28 21:24:50 +01:00
}
}(rows)
2024-04-26 21:12:56 +01:00
var dataTemplate []map[string]interface{}
2024-04-26 21:12:56 +01:00
for rows.Next() {
var appId, name, redirectUri string
if err := rows.Scan(&appId, &name, &redirectUri); err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTAUTH-SCAN"})
2024-04-26 21:12:56 +01:00
return
}
template := map[string]interface{}{"appId": appId, "name": name, "redirectUri": redirectUri}
dataTemplate = append(dataTemplate, template)
2024-04-26 21:12:56 +01:00
}
if err := rows.Err(); err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTAUTH-ROWSERR"})
2024-04-26 21:12:56 +01:00
return
}
c.JSON(200, dataTemplate)
2024-04-26 21:12:56 +01:00
})
router.POST("/api/deleteaccount", func(c *gin.Context) {
var data map[string]interface{}
2024-04-28 21:24:50 +01:00
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
2024-04-26 21:12:56 +01:00
secretKey := data["secretKey"].(string)
_, id, err := getSession(secretKey)
if err != nil {
c.JSON(401, gin.H{"error": "Session does not exist"})
2024-04-26 21:12:56 +01:00
return
}
2024-04-28 21:24:50 +01:00
_, err = conn.Exec("DELETE FROM userdata WHERE creator = ?", id)
2024-04-26 21:12:56 +01:00
if err != nil {
2024-04-28 21:24:50 +01:00
if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/deleteaccount userdata at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEACCT-USERDATA"})
return
2024-04-26 21:12:56 +01:00
}
}
_, err = conn.Exec("DELETE FROM oauth WHERE creator = ?", id)
if err != nil {
2024-04-28 21:24:50 +01:00
if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/deleteuser oauth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEUSER-OAUTH"})
return
2024-04-26 21:12:56 +01:00
}
}
_, err = conn.Exec("DELETE FROM users WHERE id = ?", id)
if err != nil {
2024-04-28 21:24:50 +01:00
if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/deleteuser users at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEUSER-USERS"})
return
2024-04-26 21:12:56 +01:00
}
}
c.JSON(200, gin.H{"success": "true"})
})
router.POST("/api/sessions/list", func(c *gin.Context) {
var data map[string]interface{}
2024-04-28 21:24:50 +01:00
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
2024-04-26 21:12:56 +01:00
secretKey := data["secretKey"].(string)
_, id, err := getSession(secretKey)
if err != nil {
c.JSON(401, gin.H{"error": "Session does not exist"})
2024-04-26 21:12:56 +01:00
return
}
rows, err := conn.Query("SELECT sessionid, session, device FROM sessions WHERE id = ? ORDER BY id DESC", id)
if err != nil {
2024-04-28 21:24:50 +01:00
if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/sessions/list at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-LIST"})
return
2024-04-26 21:12:56 +01:00
}
}
2024-04-28 21:24:50 +01:00
defer func(rows *sql.Rows) {
err := rows.Close()
if err != nil {
log.Println("[ERROR] Unknown in /api/sessions/list rows close at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-LIST-ROWSCLOSE"})
return
2024-04-28 21:24:50 +01:00
}
}(rows)
2024-04-26 21:12:56 +01:00
var dataTemplate []map[string]interface{}
2024-04-26 21:12:56 +01:00
for rows.Next() {
var id, sessionId, device string
2024-04-26 21:12:56 +01:00
thisSession := false
if err := rows.Scan(&id, &sessionId, &device); err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-LIST-SCAN"})
2024-04-26 21:12:56 +01:00
return
}
if sessionId == secretKey {
2024-04-26 21:12:56 +01:00
thisSession = true
}
template := map[string]interface{}{"id": sessionId, "thisSession": thisSession, "device": device}
dataTemplate = append(dataTemplate, template)
2024-04-26 21:12:56 +01:00
}
if err := rows.Err(); err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-LIST-ERR"})
2024-04-26 21:12:56 +01:00
return
}
c.JSON(200, dataTemplate)
2024-04-26 21:12:56 +01:00
})
router.POST("/api/sessions/remove", func(c *gin.Context) {
var data map[string]interface{}
2024-04-28 21:24:50 +01:00
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
2024-04-26 21:12:56 +01:00
secretKey := data["secretKey"].(string)
sessionId := data["sessionId"].(string)
_, id, err := getSession(secretKey)
if err != nil {
c.JSON(401, gin.H{"error": "Session does not exist"})
2024-04-26 21:12:56 +01:00
return
}
2024-04-28 21:24:50 +01:00
_, err = conn.Exec("DELETE FROM sessions WHERE sessionid = ? AND id = ?", sessionId, id)
2024-04-26 21:12:56 +01:00
if err != nil {
2024-04-28 21:24:50 +01:00
if errors.Is(err, sql.ErrNoRows) {
2024-04-26 21:12:56 +01:00
c.JSON(422, gin.H{"error": "SessionID Not found"})
} else {
log.Println("[ERROR] Unknown in /api/sessions/remove at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-REMOVE"})
2024-04-26 21:12:56 +01:00
}
} else {
c.JSON(200, gin.H{"success": "true"})
}
})
router.POST("/api/listusers", func(c *gin.Context) {
var data map[string]interface{}
2024-04-28 21:24:50 +01:00
err := c.ShouldBindJSON(&data)
if err != nil {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
2024-04-26 21:12:56 +01:00
masterKey := data["masterKey"].(string)
2024-04-26 21:12:56 +01:00
if masterKey == SECRET_KEY {
2024-04-26 21:12:56 +01:00
rows, err := conn.Query("SELECT * FROM users ORDER BY id DESC")
if err != nil {
2024-04-28 21:24:50 +01:00
if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/listusers at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTUSERS-QUERY"})
return
2024-04-26 21:12:56 +01:00
}
}
2024-04-28 21:24:50 +01:00
defer func(rows *sql.Rows) {
err := rows.Close()
if err != nil {
log.Println("[ERROR] Unknown in /api/listusers rows close at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTUSERS-ROWSCLOSE"})
return
2024-04-28 21:24:50 +01:00
}
}(rows)
2024-04-26 21:12:56 +01:00
var datatemplate []map[string]interface{}
for rows.Next() {
var id, username string
if err := rows.Scan(&id, &username); err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTUSERS-SCAN"})
2024-04-26 21:12:56 +01:00
return
}
template := map[string]interface{}{"id": id, "username": username}
datatemplate = append(datatemplate, template)
}
if err := rows.Err(); err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTUSERS-ERR"})
2024-04-26 21:12:56 +01:00
return
}
c.JSON(200, datatemplate)
}
})
router.GET("/.well-known/jwks.json", func(c *gin.Context) {
mod, err := BigIntToBase64URL(modulus)
2024-05-04 16:15:40 +01:00
if err != nil {
log.Println("[ERROR] Unknown in /well-known/jwks.json modulus at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-JWKS-MODULUS"})
2024-05-04 16:15:40 +01:00
return
}
exp, err := Int64ToBase64URL(int64(exponent))
2024-05-04 16:15:40 +01:00
if err != nil {
log.Println("[ERROR] Unknown in /well-known/jwks.json exponent at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-JWKS-EXPONENT"})
2024-05-04 16:15:40 +01:00
return
}
keys := gin.H{
"keys": []gin.H{
{
"kty": "RSA",
"alg": "RS256",
"use": "sig",
"kid": "burgerauth",
2024-05-04 16:15:40 +01:00
"n": mod,
"e": exp,
},
},
}
c.JSON(200, keys)
})
log.Println("[INFO] Server started at", time.Now().Unix())
log.Println("[INFO] Welcome to Burgerauth! Today we are running on IP " + HOST + " on port " + strconv.Itoa(PORT) + ".")
err = router.Run(HOST + ":" + strconv.Itoa(PORT))
2024-04-28 21:24:50 +01:00
if err != nil {
log.Fatalln("[FATAL] Server failed to begin operations at", time.Now().Unix(), err)
2024-04-28 21:24:50 +01:00
}
2024-04-26 21:12:56 +01:00
}