This repository has been archived on 2024-06-21. You can view files and clone it, but cannot push or open issues or pull requests.
hectabit-oauth2/main

533 lines
16 KiB
Plaintext
Raw Normal View History

2024-03-27 18:51:52 +00:00
#!/usr/bin/python3
2024-03-31 12:38:29 +01:00
import hashlib
import base64
2024-03-30 19:19:57 +00:00
import jwt
2024-03-27 18:51:52 +00:00
import os
import sqlite3
import time
import secrets
import configparser
import asyncio
from hypercorn.config import Config
from hypercorn.asyncio import serve
from werkzeug.security import generate_password_hash, check_password_hash
from quart import Quart, render_template, request, url_for, flash, redirect, session, make_response, send_from_directory, stream_with_context, Response, request
# Parse configuration file, and check if anything is wrong with it
if not os.path.exists("config.ini"):
print("config.ini does not exist")
quit(1)
config = configparser.ConfigParser()
config.read("config.ini")
HOST = config["config"]["HOST"]
PORT = config["config"]["PORT"]
SECRET_KEY = config["config"]["SECRET_KEY"]
MAX_STORAGE = config["config"]["MAX_STORAGE"]
if SECRET_KEY == "supersecretkey" or SECRET_KEY == "placeholder":
print("[WARNING] Secret key not set")
# Define Quart
app = Quart(__name__)
app.config["SECRET_KEY"] = SECRET_KEY
2024-03-31 12:38:29 +01:00
# Hash creation function
def sha256_base64(s: str) -> str:
hashed = hashlib.sha256(s.encode()).digest()
encoded = base64.urlsafe_b64encode(hashed).rstrip(b'=').decode()
return encoded
2024-03-27 18:51:52 +00:00
# Database functions
def get_db_connection():
conn = sqlite3.connect("database.db")
conn.row_factory = sqlite3.Row
return conn
def get_user(id):
conn = get_db_connection()
post = conn.execute("SELECT * FROM users WHERE id = ?",
(id,)).fetchone()
conn.close()
if post is None:
return None
return post
def get_session(id):
conn = get_db_connection()
post = conn.execute("SELECT * FROM sessions WHERE session = ?",
(id,)).fetchone()
conn.close()
if post is None:
return None
return post
def get_session_from_sessionid(id):
conn = get_db_connection()
post = conn.execute("SELECT * FROM sessions WHERE sessionid = ?",
(id,)).fetchone()
conn.close()
if post is None:
return None
return post
def check_username_taken(username):
conn = get_db_connection()
post = conn.execute("SELECT * FROM users WHERE lower(username) = ?",
(username.lower(),)).fetchone()
conn.close()
if post is None:
return None
return post["id"]
async def oauth2_token_refresh(openid, appId):
2024-03-28 17:07:30 +00:00
while True:
2024-03-30 19:53:07 +00:00
await asyncio.sleep(3600)
2024-03-28 17:07:30 +00:00
conn = get_db_connection()
# Fetch required data in a single query
2024-03-30 19:41:00 +00:00
login_data = conn.execute("SELECT nextcode, nextsecret, nextopenid, creator FROM logins WHERE appId = ? AND openid = ?", (str(appId), str(openid))).fetchone()
user = get_user(int(login_data[3]))
2024-03-30 19:19:57 +00:00
datatemplate = {
"sub": user["username"],
"iss": "https://auth.hectabit.org",
"name": user["username"],
"aud": appId,
"exp": time.time() + 3600,
"iat": time.time(),
"auth_time": time.time(),
"nonce": str(secrets.token_hex(512))
}
jwt_token = jwt.encode(datatemplate, SECRET_KEY, algorithm='HS256')
if login_data:
nextcode = login_data[0]
nextsecret = login_data[1]
2024-03-30 19:19:57 +00:00
nextopenid = login_data[2]
conn.execute("UPDATE logins SET code = ?, nextcode = ?, secret = ?, nextsecret = ?, openid = ?, nextopenid = ? WHERE appId = ? AND openid = ?", (nextcode, str(secrets.token_hex(512)), nextsecret, str(secrets.token_hex(512)), nextopenid, str(jwt_token), str(appId), str(openid)))
conn.commit()
conn.close()
else:
conn.close()
return
2024-03-28 17:07:30 +00:00
2024-03-27 18:51:52 +00:00
# Disable CORS
@app.after_request
async def add_cors_headers(response):
response.headers.add("Access-Control-Allow-Origin", "*")
response.headers.add("Access-Control-Allow-Headers", "*")
response.headers.add("Access-Control-Allow-Methods", "*")
return response
@app.route("/api/version", methods=("GET", "POST"))
async def apiversion():
return "Burgerauth Version 1.2"
@app.route("/api/signup", methods=("GET", "POST"))
async def apisignup():
if request.method == "POST":
data = await request.get_json()
username = data["username"]
password = data["password"]
if username == "":
return {}, 422
if len(username) > 20:
return {}, 422
if not username.isalnum():
return {}, 422
if password == "":
return {}, 422
if len(password) < 14:
return {}, 422
if not check_username_taken(username) == None:
return {}, 409
hashedpassword = generate_password_hash(password)
conn = get_db_connection()
conn.execute("INSERT INTO users (username, password, created) VALUES (?, ?, ?)",
(username, hashedpassword, str(time.time())))
conn.commit()
conn.close()
userID = check_username_taken(username)
user = get_user(userID)
randomCharacters = secrets.token_hex(512)
conn = get_db_connection()
conn.execute("INSERT INTO sessions (session, id, device) VALUES (?, ?, ?)",
(randomCharacters, userID, request.headers.get("user-agent")))
conn.commit()
conn.close()
return {
"key": randomCharacters
}, 200
@app.route("/api/login", methods=("GET", "POST"))
async def apilogin():
if request.method == "POST":
data = await request.get_json()
username = data["username"]
password = data["password"]
passwordchange = data["passwordchange"]
newpass = data["newpass"]
check_username_thing = check_username_taken(username)
if check_username_thing == None:
return {}, 401
userID = check_username_taken(username)
user = get_user(userID)
if not check_password_hash(user["password"], (password)):
return {}, 401
randomCharacters = secrets.token_hex(512)
conn = get_db_connection()
conn.execute("INSERT INTO sessions (session, id, device) VALUES (?, ?, ?)",
(randomCharacters, userID, request.headers.get("user-agent")))
conn.commit()
conn.close()
if passwordchange == "yes":
hashedpassword = generate_password_hash(newpass)
conn = get_db_connection()
conn.execute("UPDATE users SET password = ? WHERE username = ?", (hashedpassword, username))
conn.commit()
conn.close()
return {
"key": randomCharacters,
}, 200
@app.route("/api/userinfo", methods=("GET", "POST"))
async def apiuserinfo():
if request.method == "POST":
data = await request.get_json()
secretKey = data["secretKey"]
userCookie = get_session(secretKey)
user = get_user(userCookie["id"])
datatemplate = {
"username": user["username"],
"id": user["id"],
"created": user["created"]
}
return datatemplate
2024-03-28 17:51:21 +00:00
@app.route("/userinfo", methods=("GET", "POST"))
async def apiopeniduserinfo():
if request.method == "GET":
access_token = request.headers.get('Authorization').split(' ')[1]
conn = get_db_connection()
2024-03-30 19:57:31 +00:00
userid = int(conn.execute("SELECT creator FROM logins WHERE code = ?", (str(access_token),)).fetchone()[0])
2024-03-28 17:51:21 +00:00
user = get_user(userid)
2024-03-30 19:44:52 +00:00
conn.close()
2024-03-28 17:51:21 +00:00
datatemplate = {
"sub": user["username"],
"name": user["username"]
}
2024-03-30 19:44:52 +00:00
2024-03-28 17:51:21 +00:00
return datatemplate
2024-03-27 18:51:52 +00:00
@app.route("/api/auth", methods=("GET", "POST"))
async def apiauthenticate():
if request.method == "POST":
data = await request.get_json()
secretKey = data["secretKey"]
appId = data["appId"]
2024-03-31 12:38:29 +01:00
code = data["code"]
codemethod = data["codemethod"]
2024-03-27 18:51:52 +00:00
userCookie = get_session(secretKey)
user = get_user(userCookie["id"])
conn = get_db_connection()
2024-03-28 17:07:30 +00:00
secretkey = str(secrets.token_hex(512))
2024-03-29 11:02:22 +00:00
appidcheck = str(conn.execute("SELECT appId FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0])
2024-03-28 18:03:49 +00:00
if not str(appidcheck) == str(appId):
2024-03-28 17:07:30 +00:00
return {}, 401
2024-03-30 19:19:57 +00:00
datatemplate = {
"sub": user["username"],
"iss": "https://auth.hectabit.org",
"name": user["username"],
"aud": appId,
"exp": time.time() + 3600,
"iat": time.time(),
"auth_time": time.time(),
"nonce": str(secrets.token_hex(512))
}
jwt_token = jwt.encode(datatemplate, SECRET_KEY, algorithm='HS256')
2024-03-30 19:37:08 +00:00
datatemplate2 = {
"sub": user["username"],
"iss": "https://auth.hectabit.org",
"name": user["username"],
"aud": appId,
"exp": time.time() + 7200,
"iat": time.time() + 3600,
"auth_time": time.time(),
"nonce": str(secrets.token_hex(512))
}
nextjwt_token = jwt.encode(datatemplate2, SECRET_KEY, algorithm='HS256')
2024-03-31 12:38:29 +01:00
conn.execute("INSERT INTO logins (appId, secret, nextsecret, code, nextcode, creator, openid, nextopenid, pkce, pkcemethod) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
(str(appId), str(secretkey), str(secrets.token_hex(512)), str(secrets.token_hex(512)), str(secrets.token_hex(512)), int(user["id"]), str(jwt_token), str(nextjwt_token), str(code), str(codemethod)))
2024-03-29 11:02:22 +00:00
2024-03-28 17:07:30 +00:00
conn.commit()
conn.close()
2024-03-27 19:19:00 +00:00
2024-03-27 18:51:52 +00:00
if secretkey:
2024-03-27 19:19:00 +00:00
return secretkey, 200
2024-03-27 18:51:52 +00:00
else:
return {}, 400
2024-03-28 17:07:30 +00:00
@app.route("/api/tokenauth", methods=("GET", "POST"))
async def apitokenexchange():
if request.method == "POST":
2024-03-29 11:02:22 +00:00
data = await request.form
2024-03-28 17:07:30 +00:00
appId = data["client_id"]
code = data["code"]
2024-03-31 12:38:29 +01:00
if "code_verifier" in data:
code_verify = data["code_verifier"]
2024-03-31 12:40:31 +01:00
verifycode = True
2024-03-31 12:38:29 +01:00
else:
2024-03-31 13:01:41 +01:00
secret = data["client_secret"]
2024-03-31 12:40:31 +01:00
verifycode = False
2024-03-31 12:38:29 +01:00
2024-03-28 17:07:30 +00:00
conn = get_db_connection()
# Fetch required data in a single query
2024-03-31 12:42:38 +01:00
oauth_data = conn.execute("SELECT appId, secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()
2024-03-31 13:01:41 +01:00
if not oauth_data or oauth_data["appId"] != appId:
2024-03-28 17:07:30 +00:00
return {}, 401
2024-03-31 12:42:38 +01:00
login_data = conn.execute("SELECT openid, code, pkce, pkcemethod FROM logins WHERE appId = ? AND secret = ?", (str(appId), str(code))).fetchone()
2024-03-31 12:38:29 +01:00
if verifycode:
2024-03-31 12:42:38 +01:00
if str(login_data["pkce"]) == "none":
2024-03-31 12:38:29 +01:00
return 400
else:
2024-03-31 12:42:38 +01:00
if str(login_data["pkcemethod"]) == "S256":
if str(sha256_base64(code_verify)) != str(login_data["code"]):
2024-03-31 12:38:29 +01:00
return 403
2024-03-31 12:42:38 +01:00
elif str(login_data["pkcemethod"]) == "plain":
if str(code_verify) != str(login_data["code"]):
2024-03-31 12:38:29 +01:00
return 403
else:
return 501
2024-03-31 13:01:41 +01:00
else:
if not oauth_data["secret"] != secret:
return {}, 401
2024-03-31 12:38:29 +01:00
2024-03-29 11:02:22 +00:00
newkey = str(secrets.token_hex(512))
conn.execute("UPDATE logins SET secret = ?, nextsecret = ? WHERE appId = ? AND secret = ?", (str(newkey), str(secrets.token_hex(512)), str(appId), str(secret)))
2024-03-30 19:44:52 +00:00
conn.close()
if login_data:
access_token = {
"access_token": str(login_data["code"]),
"token_type": "bearer",
"expires_in": 3600,
"refresh_token": newkey,
"id_token": str(login_data["openid"])
}
asyncio.create_task(oauth2_token_refresh(login_data["openid"], appId))
2024-03-28 17:07:30 +00:00
return access_token, 200
else:
return {}, 400
2024-03-27 18:51:52 +00:00
@app.route("/api/newauth", methods=("GET", "POST"))
async def apicreateauth():
if request.method == "POST":
data = await request.get_json()
appId = data["appId"]
secretKey = data["secretKey"]
2024-03-28 17:07:30 +00:00
secret = str(secrets.token_hex(512))
2024-03-28 17:55:01 +00:00
conn = get_db_connection()
2024-03-28 17:07:30 +00:00
while True:
try:
conn.execute("SELECT secret FROM oauth WHERE secret = ?", (str(secret),)).fetchone()[0]
except:
2024-03-28 17:07:30 +00:00
break
else:
secret = str(secrets.token_hex(512))
continue
try:
conn.execute("SELECT secret FROM oauth WHERE appId = ?", (str(appId),)).fetchone()[0]
except:
print("New Oauth added with ID", appId)
else:
2024-03-28 17:07:30 +00:00
return 401
2024-03-27 18:51:52 +00:00
userCookie = get_session(secretKey)
user = get_user(userCookie["id"])
2024-03-28 17:51:46 +00:00
conn.execute("INSERT INTO oauth (appId, creator, secret) VALUES (?, ?, ?)",
2024-03-27 19:16:47 +00:00
(str(appId),int(user["id"]),str(secret)))
2024-03-27 18:51:52 +00:00
conn.commit()
conn.close()
2024-03-27 19:19:00 +00:00
secretkey = {
"key": secret
}
return secretkey, 200
2024-03-27 18:51:52 +00:00
@app.route("/api/deleteaccount", methods=("GET", "POST"))
async def apideleteaccount():
if request.method == "POST":
data = await request.get_json()
secretKey = data["secretKey"]
userCookie = get_session(secretKey)
user = get_user(userCookie["id"])
conn = get_db_connection()
conn.execute("DELETE FROM userdata WHERE creator = ?", (userCookie["id"],))
conn.commit()
conn.close()
conn = get_db_connection()
conn.execute("DELETE FROM users WHERE id = ?", (userCookie["id"],))
conn.commit()
conn.close()
return {}, 200
@app.route("/api/sessions/list", methods=("GET", "POST"))
async def apisessionslist():
if request.method == "POST":
data = await request.get_json()
secretKey = data["secretKey"]
userCookie = get_session(secretKey)
user = get_user(userCookie["id"])
conn = get_db_connection()
sessions = conn.execute("SELECT * FROM sessions WHERE id = ? ORDER BY id DESC;", (user["id"],)).fetchall()
conn.close()
datatemplate = []
for x in sessions:
device = x["device"]
thisSession = False
if (x["session"] == secretKey):
thisSession = True
sessiontemplate = {
"id": x["sessionid"],
"thisSession": thisSession,
"device": device
}
datatemplate.append(sessiontemplate)
return datatemplate, 200
@app.route("/api/sessions/remove", methods=("GET", "POST"))
async def apisessionsremove():
if request.method == "POST":
data = await request.get_json()
secretKey = data["secretKey"]
sessionId = data["sessionId"]
userCookie = get_session(secretKey)
user = get_user(userCookie["id"])
session = get_session_from_sessionid(sessionId)
if (session != None):
if (user["id"] == session["id"]):
conn = get_db_connection()
conn.execute("DELETE FROM sessions WHERE sessionid = ?", (session["sessionid"],))
conn.commit()
conn.close()
return {}, 200
else:
return {}, 403
else:
return {}, 422
@app.route("/listusers/<secretkey>", methods=("GET", "POST"))
def listusers(secretkey):
if secretkey == SECRET_KEY:
conn = get_db_connection()
users = conn.execute("SELECT * FROM users").fetchall()
conn.close()
thing = ""
for x in users:
thing = str(x["id"]) + " - " + x["username"] + " - " + str(get_space(x["id"])) + "<br>" + thing
return thing
else:
return redirect("/")
@app.errorhandler(500)
async def burger(e):
return {}, 500
@app.errorhandler(404)
async def burger(e):
return {}, 404
@app.route("/")
async def index():
return redirect("/login", code=302)
@app.route("/login")
async def login():
return await render_template("login.html")
@app.route("/signup")
async def signup():
return await render_template("signup.html")
@app.route("/logout")
async def logout():
return await render_template("logout.html")
@app.route("/homeserver")
async def homeserver():
return await render_template("homeserver.html")
@app.route("/app")
async def mainapp():
return await render_template("main.html")
2024-03-28 18:13:24 +00:00
@app.route("/.well-known/openid-configuration")
async def openid():
return await render_template("openid.json")
2024-03-27 18:51:52 +00:00
# Start server
hypercornconfig = Config()
hypercornconfig.bind = (HOST + ":" + PORT)
if __name__ == "__main__":
print("[INFO] Server started")
asyncio.run(serve(app, hypercornconfig))
print("[INFO] Server stopped")