hectabit-oauth2/main

#!/usr/bin/python3
import hashlib
import base64
import jwt
import os
import sqlite3
import time
import secrets
import configparser
import asyncio
from hypercorn.config import Config
from hypercorn.asyncio import serve
from werkzeug.security import generate_password_hash, check_password_hash
from quart import Quart, render_template, request, url_for, flash, redirect, session, make_response, send_from_directory, stream_with_context, Response, request
from urllib.parse import quote

# Parse configuration file, and check if anything is wrong with it
if not os.path.exists("config.ini"):
    print("config.ini does not exist")
    quit(1)

config = configparser.ConfigParser()
config.read("config.ini")

HOST = config["config"]["HOST"]
PORT = config["config"]["PORT"]
SECRET_KEY = config["config"]["SECRET_KEY"]
MAX_STORAGE = config["config"]["MAX_STORAGE"]

if SECRET_KEY == "supersecretkey" or SECRET_KEY == "placeholder":
    print("[WARNING] Secret key not set")

# Define Quart
app = Quart(__name__)
app.config["SECRET_KEY"] = SECRET_KEY

# Hash creation function
def sha256_base64(s: str) -> str:
    hashed = hashlib.sha256(s.encode()).digest()
    encoded = base64.urlsafe_b64encode(hashed).rstrip(b'=').decode()
    return encoded

# Database functions
def get_db_connection():
    conn = sqlite3.connect("database.db")
    conn.row_factory = sqlite3.Row
    return conn

def get_user(id):
    conn = get_db_connection()
    post = conn.execute("SELECT * FROM users WHERE id = ?",
                        (id,)).fetchone()
    conn.close()
    if post is None:
        return None
    return post

def get_session(id):
    conn = get_db_connection()
    post = conn.execute("SELECT * FROM sessions WHERE session = ?",
                        (id,)).fetchone()
    conn.close()
    if post is None:
        return None
    return post

def get_session_from_sessionid(id):
    conn = get_db_connection()
    post = conn.execute("SELECT * FROM sessions WHERE sessionid = ?",
                        (id,)).fetchone()
    conn.close()
    if post is None:
        return None
    return post

def check_username_taken(username):
    conn = get_db_connection()
    post = conn.execute("SELECT * FROM users WHERE lower(username) = ?",
                        (username.lower(),)).fetchone()
    conn.close()
    if post is None:
        return None
    return post["id"]

async def oauth2_token_refresh(openid, appId):
    refreshes = 0
    nextopenid = "nil"
    while refreshes != 720:
        await asyncio.sleep(3600)
        refreshes = refreshes + 1
        conn = get_db_connection()

        # Fetch required data in a single query
        login_data = conn.execute("SELECT nextcode, nextsecret, nextopenid, creator FROM logins WHERE appId = ? AND openid = ?", (str(appId), str(openid))).fetchone()

        user = get_user(int(login_data[3]))

        datatemplate = {
            "sub": user["username"],
            "iss": "https://auth.hectabit.org",
            "name": user["username"],
            "aud": appId,
            "exp": time.time() + 3600,
            "iat": time.time(),
            "auth_time": time.time(),
            "nonce": str(secrets.token_hex(512))
        }

        jwt_token = jwt.encode(datatemplate, SECRET_KEY, algorithm='HS256')

        if login_data:
            nextcode = login_data[0]
            nextsecret = login_data[1]
            nextopenid = login_data[2]
            conn.execute("UPDATE logins SET code = ?, nextcode = ?, secret = ?, nextsecret = ?, openid = ?, nextopenid = ? WHERE appId = ? AND openid = ?", (nextcode, str(secrets.token_hex(512)), nextsecret, str(secrets.token_hex(512)), nextopenid, str(jwt_token), str(appId), str(openid)))
            conn.commit()
            conn.close()
        else:
            conn.close()
            break

    conn = get_db_connection()
    conn.execute("DELETE FROM logins WHERE appId = ? AND openid = ?", (appId, nextopenid))
    conn.commit()
    conn.close()
    # Finally, rest.

# Disable CORS
@app.after_request
async def add_cors_headers(response):
    response.headers.add("Access-Control-Allow-Origin", "*")
    response.headers.add("Access-Control-Allow-Headers", "*")
    response.headers.add("Access-Control-Allow-Methods", "*")
    return response

@app.route("/api/version", methods=("GET", "POST"))
async def apiversion():
    return "Burgerauth Version 1.2"

@app.route("/api/signup", methods=("GET", "POST"))
async def apisignup():
    if request.method == "POST":
        data = await request.get_json()
        username = data["username"]
        password = data["password"]

        if username == "":
            return {}, 422

        if len(username) > 20:
            return {}, 422

        if not username.isalnum():
            return {}, 422

        if password == "":
            return {}, 422

        if len(password) < 14:
            return {}, 422

        if not check_username_taken(username) == None:
            return {}, 409

        hashedpassword = generate_password_hash(password)

        conn = get_db_connection()
        conn.execute("INSERT INTO users (username, password, created) VALUES (?, ?, ?)",
                     (username, hashedpassword, str(time.time())))
        conn.commit()
        conn.close()

        userID = check_username_taken(username)
        user = get_user(userID)

        randomCharacters = secrets.token_hex(512)

        conn = get_db_connection()
        conn.execute("INSERT INTO sessions (session, id, device) VALUES (?, ?, ?)",
                     (randomCharacters, userID, request.headers.get("user-agent")))
        conn.commit()
        conn.close()

        return {
            "key": randomCharacters
        }, 200

@app.route("/api/login", methods=("GET", "POST"))
async def apilogin():
    if request.method == "POST":
        data = await request.get_json()
        username = data["username"]
        password = data["password"]
        passwordchange = data["passwordchange"]
        newpass = data["newpass"]

        check_username_thing = check_username_taken(username)

        if check_username_thing == None:
            return {}, 401

        userID = check_username_taken(username)
        user = get_user(userID)

        if not check_password_hash(user["password"], (password)):
            return {}, 401

        randomCharacters = secrets.token_hex(512)

        conn = get_db_connection()
        conn.execute("INSERT INTO sessions (session, id, device) VALUES (?, ?, ?)",
                     (randomCharacters, userID, request.headers.get("user-agent")))
        conn.commit()
        conn.close()

        if passwordchange == "yes":
            hashedpassword = generate_password_hash(newpass)
            conn = get_db_connection()
            conn.execute("UPDATE users SET password = ? WHERE username = ?", (hashedpassword, username))
            conn.commit()
            conn.close()

        return {
            "key": randomCharacters,
        }, 200


@app.route("/api/userinfo", methods=("GET", "POST"))
async def apiuserinfo():
    if request.method == "POST":
        data = await request.get_json()
        secretKey = data["secretKey"]

        userCookie = get_session(secretKey)
        user = get_user(userCookie["id"])
        datatemplate = {
            "username": user["username"],
            "id": user["id"],
            "created": user["created"]
        }
        return datatemplate

@app.route("/userinfo", methods=("GET", "POST"))
async def apiopeniduserinfo():
    if request.method == "GET":
        access_token = request.headers.get('Authorization').split(' ')[1]

        conn = get_db_connection()
        userid = int(conn.execute("SELECT creator FROM logins WHERE code = ?", (str(access_token),)).fetchone()[0])
        user = get_user(userid)

        conn.close()

        datatemplate = {
            "sub": user["username"],
            "name": user["username"]
        }

        return datatemplate

@app.route("/api/auth")
async def apiauthenticate():
    if request.method == "GET":
        secretKey = request.cookies.get("key")
        appId = request.args.get("client_id")
        code = request.args.get("code_challenge")
        codemethod = request.args.get("code_challenge_method")
        redirect_uri = request.args.get("redirect_uri")
        state = request.args.get("state")

        userCookie = get_session(secretKey)
        user = get_user(userCookie["id"])
        conn = get_db_connection()
        secretkey = str(secrets.token_hex(512))

        appidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0])
        if not str(appidcheck) == str(appId):
            return "AppID is invalid", 401

        rdircheck = str(conn.execute("SELECT rdiruri FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0])
        if not str(rdircheck) == str(quote(redirect_uri)):
            return str(str(quote(redirect_uri)) + " is not " + str(rdircheck)), 401

        datatemplate = {
            "sub": user["username"],
            "iss": "https://auth.hectabit.org",
            "name": user["username"],
            "aud": appId,
            "exp": time.time() + 3600,
            "iat": time.time(),
            "auth_time": time.time(),
            "nonce": str(secrets.token_hex(512))
        }

        jwt_token = jwt.encode(datatemplate, SECRET_KEY, algorithm='HS256')

        datatemplate2 = {
            "sub": user["username"],
            "iss": "https://auth.hectabit.org",
            "name": user["username"],
            "aud": appId,
            "exp": time.time() + 7200,
            "iat": time.time() + 3600,
            "auth_time": time.time(),
            "nonce": str(secrets.token_hex(512))
        }

        nextjwt_token = jwt.encode(datatemplate2, SECRET_KEY, algorithm='HS256')

        conn.execute("INSERT INTO logins (appId, secret, nextsecret, code, nextcode, creator, openid, nextopenid, pkce, pkcemethod) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
                (str(appId), str(secretkey), str(secrets.token_hex(512)), str(secrets.token_hex(512)), str(secrets.token_hex(512)), int(user["id"]), str(jwt_token), str(nextjwt_token), str(code), str(codemethod)))

        conn.commit()
        conn.close()

        if secretkey:
            return redirect(redirect_uri + "?code=" + secretkey + "&state=" + state), 302
        else:
            return {}, 400

@app.route("/api/tokenauth", methods=("GET", "POST"))
async def apitokenexchange():
    if request.method == "POST":
        data = await request.form
        appId = data["client_id"]
        code = data["code"]

        if "code_verifier" in data:
            code_verify = data["code_verifier"]
            verifycode = True
        else:
            secret = data["client_secret"]
            verifycode = False

        conn = get_db_connection()

        # Fetch required data in a single query
        oauth_data = conn.execute("SELECT appId, secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()
        if not oauth_data or oauth_data["appId"] != appId:
            return {}, 401

        login_data = conn.execute("SELECT openid, code, pkce, pkcemethod FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(code))).fetchone()

        if verifycode:
            if str(login_data["pkce"]) == "none":
                return {}, 400
            else:
                if str(login_data["pkcemethod"]) == "S256":
                    if str(sha256_base64(code_verify)) != str(login_data["pkce"]):
                        return {}, 403
                elif str(login_data["pkcemethod"]) == "plain":
                    if str(code_verify) != str(login_data["pkce"]):
                        return {}, 403
                else:
                    return {}, 501
        else:
            if not oauth_data["secret"] == secret:
                return {}, 401

        newkey = str(secrets.token_hex(512))
        conn.execute("UPDATE logins SET secret = ?, nextsecret = ? WHERE appId = ? AND secret = ?", (str(newkey), str(secrets.token_hex(512)), str(appId), str(code)))

        conn.close()

        if login_data:
            access_token = {
                "access_token": str(login_data["code"]),
                "token_type": "bearer",
                "expires_in": 3600,
                "refresh_token": newkey,
                "id_token": str(login_data["openid"])
            }
            asyncio.create_task(oauth2_token_refresh(login_data["openid"], appId))
            return access_token, 200
        else:
            return {}, 400

@app.route("/api/deleteauth", methods=("GET", "POST"))
async def apideleteauth():
    if request.method == "POST":
        data = await request.get_json()
        appId = data["appId"]
        secretKey = data["secretKey"]

        userCookie = get_session(secretKey)
        user = get_user(userCookie["id"])

        conn = get_db_connection()

        try:
            conn.execute("DELETE FROM oauth WHERE appId = ? AND creator = ?", (str(appId), int(user["id"])))
            conn.commit()
            conn.close()
        except:
            return {}, 400
        else:
            return {}, 200

@app.route("/api/newauth", methods=("GET", "POST"))
async def apicreateauth():
    if request.method == "POST":
        data = await request.get_json()
        appId = data["appId"]
        secretKey = data["secretKey"]
        secret = str(secrets.token_hex(512))
        rdiruri = data["rdiruri"]
        conn = get_db_connection()
        while True:
            try:
                conn.execute("SELECT secret FROM oauth WHERE secret = ?", (str(secret),)).fetchone()[0]
            except:
                break
            else:
                secret = str(secrets.token_hex(512))
                continue

        try:
            conn.execute("SELECT secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0]
        except:
            print("New Oauth added with ID", appId)
        else:
            return {}, 401

        userCookie = get_session(secretKey)
        user = get_user(userCookie["id"])

        conn.execute("INSERT INTO oauth (appId, creator, secret, rdiruri) VALUES (?, ?, ?, ?)",
                         (str(appId),int(user["id"]),str(secret),str(quote(rdiruri))))
        conn.commit()
        conn.close()
        secretkey = {
            "key": secret
        }
        return secretkey, 200

@app.route("/api/listauth", methods=("GET", "POST"))
async def apiauthlist():
    if request.method == "POST":
        data = await request.get_json()
        secretKey = data["secretKey"]

        userCookie = get_session(secretKey)
        user = get_user(userCookie["id"])

        conn = get_db_connection()
        oauths = conn.execute("SELECT * FROM oauth WHERE creator = ? ORDER BY creator DESC;", (user["id"],)).fetchall()
        conn.close()

        datatemplate = []

        for i in oauths:
            template = {
                "appId": i["appId"]
            }
            datatemplate.append(template)

        return datatemplate, 200

@app.route("/api/deleteaccount", methods=("GET", "POST"))
async def apideleteaccount():
    if request.method == "POST":
        data = await request.get_json()
        secretKey = data["secretKey"]

        userCookie = get_session(secretKey)
        user = get_user(userCookie["id"])

        conn = get_db_connection()
        try:
            conn.execute("DELETE FROM userdata WHERE creator = ?", (userCookie["id"],))
        except:
            pass
        else:
            pass

        try:
            conn.execute("DELETE FROM logins WHERE creator = ?", (userCookie["id"],))
        except:
            pass
        else:
            pass

        try:
            conn.execute("DELETE FROM oauth WHERE creator = ?", (userCookie["id"],))
        except:
            pass
        else:
            pass

        try:
            conn.execute("DELETE FROM users WHERE id = ?", (userCookie["id"],))
        except:
            return {}, 400
        else:
            pass

        conn.commit()
        conn.close()

        return {}, 200

@app.route("/api/sessions/list", methods=("GET", "POST"))
async def apisessionslist():
    if request.method == "POST":
        data = await request.get_json()
        secretKey = data["secretKey"]

        userCookie = get_session(secretKey)
        user = get_user(userCookie["id"])

        conn = get_db_connection()
        sessions = conn.execute("SELECT * FROM sessions WHERE id = ? ORDER BY id DESC;", (user["id"],)).fetchall()
        conn.close()

        datatemplate = []

        for x in sessions:
            device = x["device"]
            thisSession = False
            if (x["session"] == secretKey):
                thisSession = True
            sessiontemplate = {
                "id": x["sessionid"],
                "thisSession": thisSession,
                "device": device
            }
            datatemplate.append(sessiontemplate)

        return datatemplate, 200

@app.route("/api/sessions/remove", methods=("GET", "POST"))
async def apisessionsremove():
    if request.method == "POST":
        data = await request.get_json()
        secretKey = data["secretKey"]
        sessionId = data["sessionId"]

        userCookie = get_session(secretKey)
        user = get_user(userCookie["id"])

        session = get_session_from_sessionid(sessionId)

        if (session != None):
            if (user["id"] == session["id"]):
                conn = get_db_connection()
                conn.execute("DELETE FROM sessions WHERE sessionid = ?", (session["sessionid"],))
                conn.commit()
                conn.close()

                return {}, 200
            else:
                return {}, 403
        else:
            return {}, 422


@app.route("/listusers/<secretkey>", methods=("GET", "POST"))
def listusers(secretkey):
    if secretkey == SECRET_KEY:
        conn = get_db_connection()
        users = conn.execute("SELECT * FROM users").fetchall()
        conn.close()
        thing = ""
        for x in users:
            thing = str(x["id"]) + " - " + x["username"] + " - " + str(get_space(x["id"])) + "<br>" + thing

        return thing
    else:
        return redirect("/")

@app.errorhandler(500)
async def burger(e):
    return {}, 500

@app.errorhandler(404)
async def burger(e):
    return {}, 404

@app.route("/")
async def index():
    return redirect("/login", code=302)

@app.route("/login")
async def login():
    return await render_template("login.html")

@app.route("/signup")
async def signup():
    return await render_template("signup.html")

@app.route("/logout")
async def logout():
    return await render_template("logout.html")

@app.route("/app")
async def mainapp():
    return await render_template("main.html")

@app.route("/dashboard")
async def dashboard():
    return await render_template("dashboard.html")

@app.route("/.well-known/openid-configuration")
async def openid():
    return await render_template("openid.json")

# Start server
hypercornconfig = Config()
hypercornconfig.bind = (HOST + ":" + PORT)

if __name__ == "__main__":
    print("[INFO] Server started")
    asyncio.run(serve(app, hypercornconfig))
    print("[INFO] Server stopped")