Added example configuration, updated README.md, updated background image to Public Domain image, updated styles to be in accordance with the New Burgerware Design, fixed pages displaying poorly on phones, fixed server panics being caused by incorrect JSON, made it clear AESKeyShare is not in working order, made the application not hard-code the URL, made the application not hard-code the app name, updated the CAPTCHA module to the newest version and URL, removed crypto-js, removed unneeded broken code left over from Burgernotes, removed unneeded CSS left over from Burgernotes, made page titles consistent, changed some formatting to be using camel instead of snake case, fixed various JS bad-practices, used a really long commit message.

This commit is contained in:
Tracker-Friendly 2024-07-10 18:43:17 +01:00
parent f29a4de59c
commit 9cb2e309de
21 changed files with 425 additions and 2204 deletions


@ -4,7 +4,17 @@ Burgerauth is a free-and-open-source OAuth2/OIDC (or as I've taken to calling it
## Ok, that's great, how do I host my own instance? ## Ok, that's great, how do I host my own instance?
First, replace the domains in the source code and templates with your own (a domain is required, not just an IP). Second, copy config.ini.example to config.ini then tweak to your liking. Third, run `go build`, and fourth, run `./burgerauth`. Read ERRORS.md to see how to handle server errors. First, replace the domains in the source code and templates with your own (a domain is required, not just an IP).
Second, copy config.ini.example to config.ini then tweak to your liking, making sure to point to a valid path for where you are going to generate your RSA keypair.
Third, run `go build`.
Fourth, generate a RSA keypair using
`openssl genpkey -algorithm RSA -out private.pem -pkeyopt rsa_keygen_bits:2048`
`openssl rsa -pubout -in private.pem -out public.pem`
Fifth, run `./burgerauth`. Read ERRORS.md to see how to handle server errors.
## What if I am a developer? ## What if I am a developer?
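Review bot: the first step still tells operators to replace the domains in the source code and templates, which contradicts the new `URL` and `IDENTIFIER` keys this commit adds to config.ini.example; point them at config.ini instead. The two openssl commands also write private.pem and public.pem into the working directory while config.ini.example defaults to `keys/private.pem` and `keys/public.pem`, so either use `-out keys/private.pem` / `-out keys/public.pem` or state that the paths in config.ini must match wherever the keys were generated.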

18
config.ini.example Normal file

@ -0,0 +1,18 @@
[config]
# This is the IP burgerauth runs on. Leave as default to access outside of your server and use 127.0.0.1 for a reverse-proxy.
HOST = 0.0.0.0
# This is the host burgerauth runs on. Use this for an internal reverse-proxy or change to port 80 to allow HTTP communication (not recommended).
PORT = 8080
# Change this to a random stream of characters, as long as possible. It is used for AES security.
SECRET_KEY = supersecretkey
# Change these to the actual path of your keys. To generate them, view README.md.
PUBLIC_KEY = keys/public.pem
PRIVATE_KEY = keys/private.pem
# This is the URI to the privacy policy. Leave as default to use the default burgerauth policy.
PRIVACY_POLICY = https://concord.hectabit.org/Paperwork/Burgerauth/src/commit/3a58ec33ead87aadd542c5838b3162ed6cedc044/Privacy.md
# This is the URL the server is running on. Change this to your URL. This must be the URL in front of your reverse-proxy, and should not be an IP as to enforce HTTPS.
URL = https://auth.hectabit.org
# This is the name of the program you wish users to see.
IDENTIFIER = Burgerauth
# This is the identifier for your key in JWK. It is ok to set it to a random string of characters.
KEY_ID = burgerauth
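Review bot: the PORT comment (`# This is the host burgerauth runs on.`) is a copy of the HOST comment and should say port. The SECRET_KEY comment says the value is used for AES, but main.go hands it to `cookie.NewStore([]byte(SecretKey))`, i.e. it keys the session cookie store; document that so operators understand what a weak value exposes. Since main.go only logs a warning when the value is still `supersecretkey`, consider shipping the example with SECRET_KEY empty so that a forgotten default fails loudly instead of signing sessions with a published key.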

2
go.mod

@ -3,7 +3,7 @@ module hectabit.org/burgerauth
go 1.22 go 1.22
require ( require (
centrifuge.hectabit.org/HectaBit/captcha v1.4.4 concord.hectabit.org/HectaBit/captcha v1.4.5
github.com/dgrijalva/jwt-go v3.2.0+incompatible github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/gin-contrib/sessions v1.0.1 github.com/gin-contrib/sessions v1.0.1
github.com/gin-gonic/gin v1.9.1 github.com/gin-gonic/gin v1.9.1
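Review bot: the unchanged `github.com/dgrijalva/jwt-go v3.2.0+incompatible` line is the archived upstream of the JWT library; while dependencies are being bumped anyway, consider moving to the maintained fork github.com/golang-jwt/jwt, which keeps the same `jwt.MapClaims` API used in main.go.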

4
go.sum

@ -1,5 +1,5 @@
centrifuge.hectabit.org/HectaBit/captcha v1.4.4 h1:WLGIy4hkwwps8V1j+LFCfdMOrSEmhlEzFqvt9xdW/VY= concord.hectabit.org/HectaBit/captcha v1.4.5 h1:kMqT0ZUPb/YZr1VDw9L1Dqpe/hzy3Cw7QhCahW6PNdM=
centrifuge.hectabit.org/HectaBit/captcha v1.4.4/go.mod h1:QptuIyO9HKPi/rXn6g/c7BOWIlq0hjbVGm6V732EVyo= concord.hectabit.org/HectaBit/captcha v1.4.5/go.mod h1:PaJDe3Nrjl2WZOYmkYpefwJ9dMP+BvV+M1VWot4/I04=
github.com/bytedance/sonic v1.5.0/go.mod h1:ED5hyg4y6t3/9Ku1R6dU/4KyJ48DZ4jPhfY1O2AihPM= github.com/bytedance/sonic v1.5.0/go.mod h1:ED5hyg4y6t3/9Ku1R6dU/4KyJ48DZ4jPhfY1O2AihPM=
github.com/bytedance/sonic v1.10.0-rc/go.mod h1:ElCzW+ufi8qKqNW0FY314xriJhyJhuoJ3gFZdAHF7NM= github.com/bytedance/sonic v1.10.0-rc/go.mod h1:ElCzW+ufi8qKqNW0FY314xriJhyJhuoJ3gFZdAHF7NM=
github.com/bytedance/sonic v1.11.3 h1:jRN+yEjakWh8aK5FzrciUHG8OFXK+4/KrAX/ysEtHAA= github.com/bytedance/sonic v1.11.3 h1:jRN+yEjakWh8aK5FzrciUHG8OFXK+4/KrAX/ysEtHAA=

343
main.go

@ -15,6 +15,7 @@ import (
"encoding/pem" "encoding/pem"
"errors" "errors"
"fmt" "fmt"
"github.com/dgrijalva/jwt-go"
"log" "log"
"math/big" "math/big"
"os" "os"
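Review bot: `"github.com/dgrijalva/jwt-go"` is inserted between "fmt" and "log" in the standard-library import group; the usual goimports layout keeps third-party modules in the second group alongside captcha, gin and sessions, which is where the next hunk removes it from. Move it back rather than mixing the groups.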
@ -23,8 +24,7 @@ import (
"strings" "strings"
"time" "time"
"centrifuge.hectabit.org/HectaBit/captcha" "concord.hectabit.org/HectaBit/captcha"
"github.com/dgrijalva/jwt-go"
"github.com/gin-contrib/sessions" "github.com/gin-contrib/sessions"
"github.com/gin-contrib/sessions/cookie" "github.com/gin-contrib/sessions/cookie"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
@ -65,7 +65,7 @@ func BigIntToBase64URL(num *big.Int) (string, error) {
return encoded, nil return encoded, nil
} }
const salt_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" const saltChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
func genSalt(length int) (string, error) { func genSalt(length int) (string, error) {
if length <= 0 { if length <= 0 {
@ -80,7 +80,7 @@ func genSalt(length int) (string, error) {
} }
for i := range salt { for i := range salt {
salt[i] = salt_chars[int(randomBytes[i])%len(salt_chars)] salt[i] = saltChars[int(randomBytes[i])%len(saltChars)]
} }
return string(salt), nil return string(salt), nil
} }
@ -105,8 +105,8 @@ func hash(password, salt string) (string, error) {
return hashString, nil return hashString, nil
} }
func verifyHash(werkzeug_hash, password string) (bool, error) { func verifyHash(werkzeugHash, password string) (bool, error) {
parts := strings.Split(werkzeug_hash, "$") parts := strings.Split(werkzeugHash, "$")
if len(parts) != 3 || parts[0] != "scrypt:32768:8:1" { if len(parts) != 3 || parts[0] != "scrypt:32768:8:1" {
return false, nil return false, nil
} }
@ -116,7 +116,7 @@ func verifyHash(werkzeug_hash, password string) (bool, error) {
return false, err return false, err
} }
return werkzeug_hash == computedHash, nil return werkzeugHash == computedHash, nil
} }
func getUser(id int) (string, string, string, string, error) { func getUser(id int) (string, string, string, string, error) {
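Review bot: `return werkzeugHash == computedHash, nil` compares the stored and freshly computed scrypt hashes with a plain string `==`, which stops at the first differing byte; use `subtle.ConstantTimeCompare([]byte(werkzeugHash), []byte(computedHash)) == 1` from crypto/subtle so the verification time does not depend on how much of the hash matches. The rename itself is fine.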
@ -156,7 +156,7 @@ func checkUsernameTaken(username string) (int, bool, error) {
return id, true, nil return id, true, nil
} }
func init_db() { func initDb() {
if _, err := os.Stat("database.db"); os.IsNotExist(err) { if _, err := os.Stat("database.db"); os.IsNotExist(err) {
if err := generateDB(); err != nil { if err := generateDB(); err != nil {
log.Println("[ERROR] Unknown while generating database at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown while generating database at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
@ -231,13 +231,17 @@ func main() {
os.Exit(1) os.Exit(1)
} }
HOST := viper.GetString("config.HOST") Host := viper.GetString("config.HOST")
PORT := viper.GetInt("config.PORT") Port := viper.GetInt("config.PORT")
SECRET_KEY := viper.GetString("config.SECRET_KEY") privacyPolicy := viper.GetString("config.PRIVACY_POLICY")
PUBLIC_KEY_PATH := viper.GetString("config.PUBLIC_KEY") hostName := viper.GetString("config.URL")
PRIVATE_KEY_PATH := viper.GetString("config.PRIVATE_KEY") identifier := viper.GetString("config.IDENTIFIER")
keyid := viper.GetString("config.KEY_ID")
SecretKey := viper.GetString("config.SECRET_KEY")
PublicKeyPath := viper.GetString("config.PUBLIC_KEY")
PrivateKeyPath := viper.GetString("config.PRIVATE_KEY")
if SECRET_KEY == "supersecretkey" { if SecretKey == "supersecretkey" {
log.Println("[WARNING] Secret key not set. Please set the secret key to a non-default value.") log.Println("[WARNING] Secret key not set. Please set the secret key to a non-default value.")
} }
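Review bot: the renamed locals mix two styles: `Host`, `Port`, `SecretKey`, `PublicKeyPath` and `PrivateKeyPath` are capitalised while `privacyPolicy`, `hostName`, `identifier` and `keyid` are lower camel case; these are all function-local, so use lower camel case throughout (`keyID` per the Go initialism convention). `hostName` also holds the full `config.URL` value including the scheme, so a name such as `baseURL` would be clearer. The default-secret check on `if SecretKey == "supersecretkey"` still only logs a warning; exiting with `log.Fatalln` the way the table-creation failures below do would stop an instance from running with the example key.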
@ -254,7 +258,7 @@ func main() {
if len(os.Args) > 1 { if len(os.Args) > 1 {
if os.Args[1] == "init_db" { if os.Args[1] == "init_db" {
init_db() initDb()
os.Exit(0) os.Exit(0)
} }
} }
@ -275,7 +279,7 @@ func main() {
log.Fatalln("[FATAL] Cannot create logins table at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Fatalln("[FATAL] Cannot create logins table at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
} }
privateKeyFile, err := os.ReadFile(PRIVATE_KEY_PATH) privateKeyFile, err := os.ReadFile(PrivateKeyPath)
if err != nil { if err != nil {
log.Fatal("[ERROR] Cannot read private key:", err) log.Fatal("[ERROR] Cannot read private key:", err)
} }
@ -296,7 +300,7 @@ func main() {
log.Fatal("[ERROR] Failed to convert private key to RSA private key") log.Fatal("[ERROR] Failed to convert private key to RSA private key")
} }
pubKeyFile, err := os.ReadFile(PUBLIC_KEY_PATH) pubKeyFile, err := os.ReadFile(PublicKeyPath)
if err != nil { if err != nil {
log.Fatal("[ERROR] Cannot read public key:", err) log.Fatal("[ERROR] Cannot read public key:", err)
} }
@ -321,7 +325,7 @@ func main() {
gin.SetMode(gin.ReleaseMode) gin.SetMode(gin.ReleaseMode)
router := gin.New() router := gin.New()
store := cookie.NewStore([]byte(SECRET_KEY)) store := cookie.NewStore([]byte(SecretKey))
router.Use(sessions.Sessions("currentSession", store)) router.Use(sessions.Sessions("currentSession", store))
// Enable CORS // Enable CORS
@ -348,7 +352,7 @@ func main() {
}) })
router.GET("/login", func(c *gin.Context) { router.GET("/login", func(c *gin.Context) {
c.HTML(200, "login.html", gin.H{}) c.HTML(200, "login.html", gin.H{"privacy": privacyPolicy, "identifier": identifier})
}) })
router.GET("/signup", func(c *gin.Context) { router.GET("/signup", func(c *gin.Context) {
@ -356,7 +360,7 @@ func main() {
sessionId, err := genSalt(512) sessionId, err := genSalt(512)
if err != nil { if err != nil {
fmt.Println("[ERROR] Failed to generate session token at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) fmt.Println("[ERROR] Failed to generate session token at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-SIGNUP-SESSION-GEN") c.String(500, "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-SIGNUP-SESSION-GEN")
return return
} }
session.Options(sessions.Options{ session.Options(sessions.Options{
@ -386,11 +390,13 @@ func main() {
c.HTML(200, "signup.html", gin.H{ c.HTML(200, "signup.html", gin.H{
"captcha_image": base64.StdEncoding.EncodeToString(b64bytes.Bytes()), "captcha_image": base64.StdEncoding.EncodeToString(b64bytes.Bytes()),
"unique_token": sessionId, "unique_token": sessionId,
"privacy": privacyPolicy,
"identifier": identifier,
}) })
}) })
router.GET("/logout", func(c *gin.Context) { router.GET("/logout", func(c *gin.Context) {
c.HTML(200, "logout.html", gin.H{}) c.HTML(200, "logout.html", gin.H{"identifier": identifier})
}) })
router.GET("/app", func(c *gin.Context) { router.GET("/app", func(c *gin.Context) {
@ -407,29 +413,37 @@ func main() {
return return
} }
} }
c.HTML(200, "main.html", gin.H{"name": name}) c.HTML(200, "main.html", gin.H{"name": name, "identifier": identifier})
}) })
router.GET("/dashboard", func(c *gin.Context) { router.GET("/dashboard", func(c *gin.Context) {
c.HTML(200, "dashboard.html", gin.H{}) c.HTML(200, "dashboard.html", gin.H{"identifier": identifier})
}) })
router.GET("/account", func(c *gin.Context) { router.GET("/account", func(c *gin.Context) {
c.HTML(200, "acct.html", gin.H{}) c.HTML(200, "acct.html", gin.H{"identifier": identifier})
}) })
router.GET("/aeskeyshare", func(c *gin.Context) { router.GET("/aeskeyshare", func(c *gin.Context) {
c.HTML(200, "aeskeyshare.html", gin.H{}) c.HTML(200, "aeskeyshare.html", gin.H{"identifier": identifier})
})
router.GET("/privacy", func(c *gin.Context) {
c.Redirect(301, privacyPolicy)
}) })
router.GET("/.well-known/openid-configuration", func(c *gin.Context) { router.GET("/.well-known/openid-configuration", func(c *gin.Context) {
c.HTML(200, "openid.html", gin.H{}) c.HTML(200, "openid.html", gin.H{"hostName": hostName})
}) })
router.GET("/api/version", func(c *gin.Context) { router.GET("/api/version", func(c *gin.Context) {
c.String(200, "Burgerauth Version 1.3") c.String(200, "Burgerauth Version 1.3")
}) })
router.GET("/api/servicename", func(c *gin.Context) {
c.JSON(200, gin.H{"name": identifier})
})
router.POST("/api/signup", func(c *gin.Context) { router.POST("/api/signup", func(c *gin.Context) {
var data map[string]interface{} var data map[string]interface{}
err := c.ShouldBindJSON(&data) err := c.ShouldBindJSON(&data)
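Review bot: `c.Redirect(301, privacyPolicy)` is a permanent redirect that browsers cache, so a later change to PRIVACY_POLICY in config.ini will not reach users who have already visited /privacy; use 302 or 307 for a target that comes from configuration. Separately, /.well-known/openid-configuration is still rendered with `c.HTML` through an HTML template, so the discovery document is sent as text/html and `hostName` passes through html/template's contextual escaping; build the document as a map and return it with `c.JSON` so it carries application/json and proper JSON escaping.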
@ -439,10 +453,20 @@ func main() {
return return
} }
username := data["username"].(string) username, ok := data["username"].(string)
password := data["password"].(string) if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
password, ok := data["password"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
if data["unique_token"].(string) != session.Get("unique_token") { if data["unique_token"].(string) != session.Get("unique_token") {
log.Println("yes, it's this error")
log.Println(session.Get("unique_token"), data["unique_token"])
c.JSON(403, gin.H{"error": "Invalid token"}) c.JSON(403, gin.H{"error": "Invalid token"})
return return
} }
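Review bot: `data["unique_token"].(string)` on the `if data["unique_token"].(string) != session.Get("unique_token")` line is still an unchecked type assertion, so a request with that field missing or non-string panics the handler exactly as the username and password fields did before this change; apply the same `, ok` pattern there. The two new `log.Println` lines below it write the session's token and the client-supplied token to the server log on every mismatch; they read like leftover debugging and should be removed before merge.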
@ -459,7 +483,7 @@ func main() {
_, taken, err := checkUsernameTaken(username) _, taken, err := checkUsernameTaken(username)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/signup checkUsernameTaken() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/signup checkUsernameTaken() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-CHECKUSERNAME"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-CHECKUSERNAME"})
return return
} }
if taken { if taken {
@ -470,20 +494,20 @@ func main() {
salt, err := genSalt(16) salt, err := genSalt(16)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/signup genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/signup genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SALT"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SALT"})
return return
} }
hashedPassword, err := hash(password, salt) hashedPassword, err := hash(password, salt)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/signup hash() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/signup hash() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-HASH"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-HASH"})
return return
} }
sub, err := genSalt(255) sub, err := genSalt(255)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/signup genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/signup genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SUB"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SUB"})
return return
} }
_, err = conn.Exec("INSERT INTO users (username, password, created, uniqueid) VALUES (?, ?, ?, ?)", username, hashedPassword, strconv.FormatInt(time.Now().Unix(), 10), sub) _, err = conn.Exec("INSERT INTO users (username, password, created, uniqueid) VALUES (?, ?, ?, ?)", username, hashedPassword, strconv.FormatInt(time.Now().Unix(), 10), sub)
@ -496,21 +520,21 @@ func main() {
userid, _, err := checkUsernameTaken(username) userid, _, err := checkUsernameTaken(username)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/signup checkUsernameTaken() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/signup checkUsernameTaken() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-CHECKUSERNAME"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-CHECKUSERNAME"})
return return
} }
randomChars, err := genSalt(512) randomChars, err := genSalt(512)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/signup token genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/signup token genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SESSIONSALT"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SESSIONSALT"})
return return
} }
_, err = conn.Exec("INSERT INTO sessions (session, id, device) VALUES (?, ?, ?)", randomChars, userid, c.Request.Header.Get("User-Agent")) _, err = conn.Exec("INSERT INTO sessions (session, id, device) VALUES (?, ?, ?)", randomChars, userid, c.Request.Header.Get("User-Agent"))
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/signup session Exec() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/signup session Exec() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SESSIONINSERT"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SIGNUP-SESSIONINSERT"})
return return
} }
@ -525,15 +549,30 @@ func main() {
return return
} }
username := data["username"].(string) username, ok := data["username"].(string)
password := data["password"].(string) if !ok {
passwordChange := data["password"].(string) c.JSON(400, gin.H{"error": "Invalid JSON"})
newPass := data["password"].(string) return
}
password, ok := data["password"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
passwordChange, ok := data["password"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
newPass, ok := data["password"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
userid, taken, err := checkUsernameTaken(username) userid, taken, err := checkUsernameTaken(username)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/login checkUsernameTaken() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/login checkUsernameTaken() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-CHECKUSERNAME"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-CHECKUSERNAME"})
return return
} }
if !taken { if !taken {
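Review bot: `password`, `passwordChange` and `newPass` are all assigned from `data["password"]`, so the three new guard blocks check the same field three times and `passwordChange` and `newPass` can never differ from `password`; if /api/login is meant to accept a password-change request, these should read distinct keys (with the missing-field branches made optional for the change fields), otherwise drop the two duplicate variables and their guards.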
@ -544,14 +583,14 @@ func main() {
_, _, userPassword, _, err := getUser(userid) _, _, userPassword, _, err := getUser(userid)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/login getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/login getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-GETUSER"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-GETUSER"})
return return
} }
passwordCheck, err := verifyHash(userPassword, password) passwordCheck, err := verifyHash(userPassword, password)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/login password check at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/login password check at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-PASSWORDCHECK"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-PASSWORDCHECK"})
return return
} }
if !passwordCheck { if !passwordCheck {
@ -562,14 +601,14 @@ func main() {
randomChars, err := genSalt(512) randomChars, err := genSalt(512)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/login token genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/login token genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-SESSIONSALT"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-SESSIONSALT"})
return return
} }
_, err = conn.Exec("INSERT INTO sessions (session, id, device) VALUES (?, ?, ?)", randomChars, userid, c.Request.Header.Get("User-Agent")) _, err = conn.Exec("INSERT INTO sessions (session, id, device) VALUES (?, ?, ?)", randomChars, userid, c.Request.Header.Get("User-Agent"))
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/login session creation at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/login session creation at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-SESSIONINSERT"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-SESSIONINSERT"})
return return
} }
@ -577,13 +616,13 @@ func main() {
hashPassword, err := hash(newPass, "") hashPassword, err := hash(newPass, "")
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/login password hash at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/login password hash at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-PASSWORDHASH"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-PASSWORDHASH"})
return return
} }
_, err = conn.Exec("UPDATE users SET password = ? WHERE username = ?", hashPassword, username) _, err = conn.Exec("UPDATE users SET password = ? WHERE username = ?", hashPassword, username)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/login password change at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/login password change at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-PASSWORDCHANGE"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGIN-PASSWORDCHANGE"})
return return
} }
} }
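Review bot: `hashPassword, err := hash(newPass, "")` in the password-change branch hashes the new password with an empty salt, whereas /api/signup calls `genSalt(16)` and then `hash(password, salt)`; generate a fresh salt here too so changed passwords are not stored unsalted.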
@ -599,7 +638,11 @@ func main() {
return return
} }
secretKey := data["secretKey"].(string) secretKey, ok := data["secretKey"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
_, userid, err := getSession(secretKey) _, userid, err := getSession(secretKey)
if errors.Is(err, sql.ErrNoRows) { if errors.Is(err, sql.ErrNoRows) {
@ -613,7 +656,7 @@ func main() {
return return
} else if err != nil { } else if err != nil {
log.Println("[ERROR] Unknown in /api/userinfo getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/userinfo getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-USERINFO-GETUSER"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-USERINFO-GETUSER"})
return return
} }
@ -642,7 +685,7 @@ func main() {
} else { } else {
if !errors.Is(err, sql.ErrNoRows) { if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /userinfo blacklist at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /userinfo blacklist at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-USERINFO-BLACKLIST"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-USERINFO-BLACKLIST"})
return return
} }
} }
@ -686,7 +729,7 @@ func main() {
return return
} else if err != nil { } else if err != nil {
log.Println("[ERROR] Unknown in /userinfo getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /userinfo getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-USERINFO-GETUSER"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-USERINFO-GETUSER"})
return return
} }
@ -701,7 +744,11 @@ func main() {
return return
} }
token := data["access_token"].(string) token, ok := data["access_token"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
var blacklisted bool var blacklisted bool
err = conn.QueryRow("SELECT blacklisted FROM blacklist WHERE token = ? LIMIT 1", token).Scan(&blacklisted) err = conn.QueryRow("SELECT blacklisted FROM blacklist WHERE token = ? LIMIT 1", token).Scan(&blacklisted)
@ -711,7 +758,7 @@ func main() {
} else { } else {
if !errors.Is(err, sql.ErrNoRows) { if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/sub blacklist at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/sub blacklist at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-UNIQUEID-BLACKLIST"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-UNIQUEID-BLACKLIST"})
return return
} }
} }
@ -726,8 +773,6 @@ func main() {
} }
var claims jwt.MapClaims var claims jwt.MapClaims
var ok bool
if parsedToken.Valid { if parsedToken.Valid {
claims, ok = parsedToken.Claims.(jwt.MapClaims) claims, ok = parsedToken.Claims.(jwt.MapClaims)
if !ok { if !ok {
@ -755,7 +800,7 @@ func main() {
return return
} else if err != nil { } else if err != nil {
log.Println("[ERROR] Unknown in /api/userinfo getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/userinfo getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-UNIQUEID-GETUSER"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-UNIQUEID-GETUSER"})
return return
} }
@ -770,7 +815,11 @@ func main() {
return return
} }
token := data["access_token"].(string) token, ok := data["access_token"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
var blacklisted bool var blacklisted bool
err = conn.QueryRow("SELECT blacklisted FROM blacklist WHERE token = ? LIMIT 1", token).Scan(&blacklisted) err = conn.QueryRow("SELECT blacklisted FROM blacklist WHERE token = ? LIMIT 1", token).Scan(&blacklisted)
if err == nil { if err == nil {
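Review bot: the new `ok` guard on `data["access_token"].(string)` answers 400 with "Invalid JSON" although the body parsed fine; the actual failure is a missing or non-string field, so say that (for example `"access_token must be a string"`) so a client can tell a malformed body from a wrong field type. While here, reject an empty `token` before the blacklist query, since an empty string goes to the database for nothing.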
@ -779,7 +828,7 @@ func main() {
} else { } else {
if !errors.Is(err, sql.ErrNoRows) { if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/loggedin blacklist at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/loggedin blacklist at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGGEDIN-BLACKLIST"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LOGGEDIN-BLACKLIST"})
return return
} }
} }
@ -794,8 +843,6 @@ func main() {
} }
var claims jwt.MapClaims var claims jwt.MapClaims
var ok bool
if parsedToken.Valid { if parsedToken.Valid {
claims, ok = parsedToken.Claims.(jwt.MapClaims) claims, ok = parsedToken.Claims.(jwt.MapClaims)
if !ok { if !ok {
@ -825,7 +872,7 @@ func main() {
appId := c.Request.URL.Query().Get("client_id") appId := c.Request.URL.Query().Get("client_id")
code := c.Request.URL.Query().Get("code_challenge") code := c.Request.URL.Query().Get("code_challenge")
codeMethod := c.Request.URL.Query().Get("code_challenge_method") codeMethod := c.Request.URL.Query().Get("code_challenge_method")
redirect_uri := c.Request.URL.Query().Get("redirect_uri") redirectUri := c.Request.URL.Query().Get("redirect_uri")
state := c.Request.URL.Query().Get("state") state := c.Request.URL.Query().Get("state")
nonce := c.Request.URL.Query().Get("nonce") nonce := c.Request.URL.Query().Get("nonce")
deny := c.Request.URL.Query().Get("deny") deny := c.Request.URL.Query().Get("deny")
@ -839,18 +886,18 @@ func main() {
c.String(401, "OAuth screening failed") c.String(401, "OAuth screening failed")
} else { } else {
log.Println("[ERROR] Unknown in /api/auth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/auth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-SELECT") c.String(500, "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-SELECT")
} }
return return
} }
if !(redirectUriCheck == redirect_uri) { if !(redirectUriCheck == redirectUri) {
c.String(401, "Redirect URI does not match") c.String(401, "Redirect URI does not match")
return return
} }
if deny == "true" { if deny == "true" {
c.Redirect(302, redirect_uri+"?error=access_denied&state="+state) c.Redirect(302, redirectUri+"?error=access_denied&state="+state)
return return
} }
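Review bot: the redirect at the bottom of the hunk builds the URL by concatenation, `redirectUri+"?error=access_denied&state="+state`, so `state` is never URL-encoded and a registered redirect URI that already carries a query string ends up with two `?`. Parse `redirectUri` with `url.Parse`, set the parameters through `u.Query()` / `q.Set("state", state)` / `u.RawQuery = q.Encode()` and redirect to `u.String()`. The exact-match comparison `redirectUriCheck == redirectUri` just above is the right call; keep it strict rather than prefix-based.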
@ -864,7 +911,7 @@ func main() {
nonce, err = genSalt(512) nonce, err = genSalt(512)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/auth nonce genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/auth nonce genSalt() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-NONCE") c.String(500, "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-NONCE")
return return
} }
} }
@ -881,13 +928,13 @@ func main() {
return return
} else if err != nil { } else if err != nil {
log.Println("[ERROR] Unknown in /api/userinfo getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/userinfo getUser() at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-GETUSER") c.String(500, "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-GETUSER")
return return
} }
dataTemplate := jwt.MapClaims{ dataTemplate := jwt.MapClaims{
"sub": sub[:255], "sub": sub[:255],
"iss": "https://auth.hectabit.org", "iss": hostName,
"name": username, "name": username,
"aud": appId, "aud": appId,
"exp": time.Now().Unix() + 2592000, "exp": time.Now().Unix() + 2592000,
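Review bot: `"sub": sub[:255]` (unchanged context in this hunk) panics with an index out of range whenever `sub` is shorter than 255 bytes, which is the same class of server panic this commit fixes elsewhere; guard it (`if len(sub) > 255 { sub = sub[:255] }`) or, better, do not truncate a subject identifier at all, since a truncated `sub` can collide with another user's. Switching `iss` to `hostName` is the right fix for the hard-coded URL, but the issuer has to match byte for byte what the discovery document advertises, so `hostName` must be the scheme plus host with no trailing slash. The 2592000-second (30 day) `exp` is very long for an ID token; if it has to stay, document why.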
@ -907,47 +954,47 @@ func main() {
tokenTemp := jwt.NewWithClaims(jwt.SigningMethodRS256, dataTemplate) tokenTemp := jwt.NewWithClaims(jwt.SigningMethodRS256, dataTemplate)
tokenTemp.Header["kid"] = "burgerauth" tokenTemp.Header["kid"] = "burgerauth"
jwt_token, err := tokenTemp.SignedString(privateKey) jwtToken, err := tokenTemp.SignedString(privateKey)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/auth jwt_token at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/auth jwt_token at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-JWTCANNOTSIGN") c.String(500, "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-JWTCANNOTSIGN")
return return
} }
secretTemp := jwt.NewWithClaims(jwt.SigningMethodRS256, dataTemplateTwo) secretTemp := jwt.NewWithClaims(jwt.SigningMethodRS256, dataTemplateTwo)
secretTemp.Header["kid"] = "burgerauth" secretTemp.Header["kid"] = "burgerauth"
secret_token, err := secretTemp.SignedString(privateKey) secretToken, err := secretTemp.SignedString(privateKey)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/auth secret_token at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/auth secret_token at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-JWTCANNOTSIGN.") c.String(500, "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-JWTCANNOTSIGN.")
return return
} }
randomBytes, err := genSalt(512) randomBytes, err := genSalt(512)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/auth randomBytes at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/auth randomBytes at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-RANDOMBYTES.") c.String(500, "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-RANDOMBYTES.")
return return
} }
_, err = mem.Exec("DELETE FROM logins WHERE creator = ?", userid) _, err = mem.Exec("DELETE FROM logins WHERE creator = ?", userid)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/auth delete at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/auth delete at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-DELETE.") c.String(500, "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-DELETE.")
return return
} }
_, err = mem.Exec("INSERT INTO logins (appId, exchangeCode, loginToken, creator, openid, pkce, pkcemethod) VALUES (?, ?, ?, ?, ?, ?, ?)", appId, randomBytes, secret_token, userid, jwt_token, code, codeMethod) _, err = mem.Exec("INSERT INTO logins (appId, exchangeCode, loginToken, creator, openid, pkce, pkcemethod) VALUES (?, ?, ?, ?, ?, ?, ?)", appId, randomBytes, secretToken, userid, jwtToken, code, codeMethod)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/auth insert at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/auth insert at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-INSERT.") c.String(500, "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-INSERT.")
return return
} }
if randomBytes != "" { if randomBytes != "" {
c.Redirect(302, redirect_uri+"?code="+randomBytes+"&state="+state) c.Redirect(302, redirectUri+"?code="+randomBytes+"&state="+state)
} else { } else {
c.String(500, "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-REDIRECT.") c.String(500, "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-AUTH-REDIRECT.")
log.Println("[ERROR] Secret key not found at", strconv.FormatInt(time.Now().Unix(), 10)) log.Println("[ERROR] Secret key not found at", strconv.FormatInt(time.Now().Unix(), 10))
} }
}) })
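Review bot: the `if randomBytes != ""` check at the end of the hunk runs after the row has already been inserted into `logins`, so on the empty-string path the client gets a 500 but the login record with its signed tokens persists; either drop the check, since `genSalt` returned an error a few lines earlier, or move it ahead of the `DELETE`/`INSERT`. The same concatenation problem as in the deny path applies to `c.Redirect(302, redirectUri+"?code="+randomBytes+"&state="+state)`: `state` is not encoded and an existing query string in the redirect URI breaks. Two smaller things: both signing failures report the same code `UNKNOWN-API-AUTH-JWTCANNOTSIGN`, so they cannot be told apart from the error string, and the log lines still say `jwt_token` / `secret_token` after the variables were renamed to camel case.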
@ -962,11 +1009,11 @@ func main() {
appId := data.Get("client_id") appId := data.Get("client_id")
code := data.Get("code") code := data.Get("code")
code_verify := data.Get("code_verifier") codeVerify := data.Get("code_verifier")
secret := data.Get("client_secret") secret := data.Get("client_secret")
var verifyCode bool var verifyCode bool
if code_verify == "" { if codeVerify == "" {
verifyCode = false verifyCode = false
} else { } else {
verifyCode = true verifyCode = true
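Review bot: `verifyCode` is derived purely from whether the client sent `code_verifier`, which lets a request that simply omits the parameter opt out of PKCE from the client side; the decision should be driven by whether a `code_challenge` was stored for this login (the `pkce` column written in `/api/auth`), and a stored challenge with no verifier must be rejected rather than skipped. Make sure the branch later in this handler does that. Style: the five-line `if/else` collapses to `verifyCode := codeVerify != ""`.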
@ -980,7 +1027,7 @@ func main() {
c.JSON(401, gin.H{"error": "OAuth screening failed"}) c.JSON(401, gin.H{"error": "OAuth screening failed"})
} else { } else {
log.Println("[ERROR] Unknown in /api/tokenauth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/tokenauth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-TOKENAUTH-SELECT"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-TOKENAUTH-SELECT"})
} }
return return
} }
@ -991,7 +1038,7 @@ func main() {
c.JSON(401, gin.H{"error": "OAuth screening failed"}) c.JSON(401, gin.H{"error": "OAuth screening failed"})
} else { } else {
log.Println("[ERROR] Unknown in /api/tokenauth memory query at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/tokenauth memory query at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-TOKENAUTH-MEMSELECT"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-TOKENAUTH-MEMSELECT"})
} }
return return
} }
@ -1006,12 +1053,12 @@ func main() {
return return
} else { } else {
if PKCEMethod == "S256" { if PKCEMethod == "S256" {
if sha256Base64(code_verify) != PKCECode { if sha256Base64(codeVerify) != PKCECode {
c.JSON(403, gin.H{"error": "Invalid PKCECode code"}) c.JSON(403, gin.H{"error": "Invalid PKCECode code"})
return return
} }
} else if PKCEMethod == "plain" { } else if PKCEMethod == "plain" {
if code_verify != PKCECode { if codeVerify != PKCECode {
c.JSON(403, gin.H{"error": "Invalid PKCECode code"}) c.JSON(403, gin.H{"error": "Invalid PKCECode code"})
return return
} }
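Review bot: the S256 branch compares `sha256Base64(codeVerify)` with the stored challenge as plain strings; RFC 7636 defines the S256 challenge as the base64url (RFC 4648 section 5) encoding of the SHA-256 digest without padding, so confirm `sha256Base64` uses `base64.RawURLEncoding` rather than `StdEncoding`, otherwise every S256 client fails with "Invalid PKCECode code". Use `subtle.ConstantTimeCompare` for both comparisons, consider refusing `plain` (the RFC permits it only where S256 is unavailable), and make sure an unrecognised `code_challenge_method` is rejected rather than treated as verified. The message "Invalid PKCECode code" reads doubled; "Invalid code_verifier" matches the parameter name.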
@ -1030,7 +1077,7 @@ func main() {
_, err = mem.Exec("DELETE FROM logins WHERE loginToken = ?", loginCode) _, err = mem.Exec("DELETE FROM logins WHERE loginToken = ?", loginCode)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/tokenauth delete at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/tokenauth delete at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-TOKENAUTH-DELETE"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-TOKENAUTH-DELETE"})
return return
} }
@ -1045,8 +1092,16 @@ func main() {
return return
} }
secretKey := data["secretKey"].(string) secretKey, ok := data["secretKey"].(string)
appId := data["appId"].(string) if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
appId, ok := data["appId"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
_, id, err := getSession(secretKey) _, id, err := getSession(secretKey)
if err != nil { if err != nil {
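Review bot: the `ok` guards on `secretKey` and `appId` fix the panic, but the same four-line block is now repeated for every field of every handler; bind the body to a struct instead (a `struct` with `SecretKey` and `AppId` string fields carrying `json` tags, filled by `c.ShouldBindJSON(&req)`), which rejects wrong types in one place and makes it easy to refuse empty strings too. As written, a missing field and a non-string field both report "Invalid JSON", which hides the real cause from API users.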
@ -1060,7 +1115,7 @@ func main() {
c.JSON(400, gin.H{"error": "AppID Not found"}) c.JSON(400, gin.H{"error": "AppID Not found"})
} else { } else {
log.Println("[ERROR] Unknown in /api/deleteauth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/deleteauth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEAUTH-DELETE"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEAUTH-DELETE"})
} }
} else { } else {
c.JSON(200, gin.H{"success": "true"}) c.JSON(200, gin.H{"success": "true"})
@ -1075,9 +1130,21 @@ func main() {
return return
} }
secretKey := data["secretKey"].(string) secretKey, ok := data["secretKey"].(string)
name := data["name"].(string) if !ok {
redirectUri := data["redirectUri"].(string) c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
name, ok := data["name"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
redirectUri, ok := data["redirectUri"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
_, id, err := getSession(secretKey) _, id, err := getSession(secretKey)
if err != nil { if err != nil {
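Review bot: `redirectUri` is accepted as any string here and, further down this handler, written straight into the `oauth` table, yet it is the value `/api/auth` trusts for its exact-match redirect check, so validate it at registration: parse it with `url.Parse`, require an absolute URL with scheme `https` (or `http` only for a loopback host), reject a fragment, and reject an empty `name`. Same remark as for `/api/deleteauth` on the repeated type-assertion blocks: a struct bind would cover all three fields at once.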
@ -1089,7 +1156,7 @@ func main() {
secret, err := genSalt(512) secret, err := genSalt(512)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/newauth secretgen at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/newauth secretgen at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-SECRETGEN"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-SECRETGEN"})
return return
} }
for { for {
@ -1099,14 +1166,14 @@ func main() {
break break
} else { } else {
log.Println("[ERROR] Unknown in /api/newauth secretselect at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/newauth secretselect at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-SECRETSELECT"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-SECRETSELECT"})
return return
} }
} else { } else {
secret, err = genSalt(512) secret, err = genSalt(512)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/newauth secretgen at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/newauth secretgen at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-SECRETGEN"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-SECRETGEN"})
return return
} }
} }
@ -1115,7 +1182,7 @@ func main() {
appId, err := genSalt(32) appId, err := genSalt(32)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/newauth appidgen at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/newauth appidgen at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-APPIDGEN"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-APPIDGEN"})
return return
} }
@ -1127,14 +1194,14 @@ func main() {
break break
} else { } else {
log.Println("[ERROR] Unknown in /api/newauth appidcheck at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/newauth appidcheck at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-APPIDCHECK"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-APPIDCHECK"})
return return
} }
} else { } else {
appId, err = genSalt(32) appId, err = genSalt(32)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/newauth appidgen at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/newauth appidgen at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-LAPPIDGEN"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-LAPPIDGEN"})
return return
} }
} }
@ -1143,7 +1210,7 @@ func main() {
_, err = conn.Exec("INSERT INTO oauth (name, appId, creator, secret, redirectUri) VALUES (?, ?, ?, ?, ?)", name, appId, id, secret, redirectUri) _, err = conn.Exec("INSERT INTO oauth (name, appId, creator, secret, redirectUri) VALUES (?, ?, ?, ?, ?)", name, appId, id, secret, redirectUri)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/newauth insert at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/newauth insert at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-INSERT"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-NEWAUTH-INSERT"})
return return
} }
@ -1158,7 +1225,11 @@ func main() {
return return
} }
secretKey := data["secretKey"].(string) secretKey, ok := data["secretKey"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
_, id, err := getSession(secretKey) _, id, err := getSession(secretKey)
if err != nil { if err != nil {
@ -1168,14 +1239,14 @@ func main() {
rows, err := conn.Query("SELECT appId, name, rdiruri FROM oauth WHERE creator = ? ORDER BY creator DESC", id) rows, err := conn.Query("SELECT appId, name, rdiruri FROM oauth WHERE creator = ? ORDER BY creator DESC", id)
if err != nil { if err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTAUTH-QUERY"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTAUTH-QUERY"})
return return
} }
defer func(rows *sql.Rows) { defer func(rows *sql.Rows) {
err := rows.Close() err := rows.Close()
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/listauth rows close at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/listauth rows close at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTAUTH-ROWSCLOSE"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTAUTH-ROWSCLOSE"})
return return
} }
}(rows) }(rows)
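Review bot: the SELECT here reads a column named `rdiruri` while the INSERT in `/api/newauth` writes `redirectUri`; unless the table really has both columns, one of the two queries targets a column that does not exist and will surface as `UNKNOWN-API-LISTAUTH-QUERY`. Also, `ORDER BY creator DESC` on a query already filtered to `creator = ?` orders nothing; order by `appId` or drop the clause. The deferred `rows.Close()` handler calling `c.JSON(500, ...)` can write a second response after the handler has already answered; log the close error and leave the response alone.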
@ -1184,14 +1255,14 @@ func main() {
for rows.Next() { for rows.Next() {
var appId, name, redirectUri string var appId, name, redirectUri string
if err := rows.Scan(&appId, &name, &redirectUri); err != nil { if err := rows.Scan(&appId, &name, &redirectUri); err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTAUTH-SCAN"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTAUTH-SCAN"})
return return
} }
template := map[string]interface{}{"appId": appId, "name": name, "redirectUri": redirectUri} template := map[string]interface{}{"appId": appId, "name": name, "redirectUri": redirectUri}
dataTemplate = append(dataTemplate, template) dataTemplate = append(dataTemplate, template)
} }
if err := rows.Err(); err != nil { if err := rows.Err(); err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTAUTH-ROWSERR"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTAUTH-ROWSERR"})
return return
} }
@ -1206,7 +1277,11 @@ func main() {
return return
} }
secretKey := data["secretKey"].(string) secretKey, ok := data["secretKey"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
_, id, err := getSession(secretKey) _, id, err := getSession(secretKey)
if err != nil { if err != nil {
@ -1218,7 +1293,7 @@ func main() {
if err != nil { if err != nil {
if !errors.Is(err, sql.ErrNoRows) { if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/deleteaccount userdata at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/deleteaccount userdata at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEACCT-USERDATA"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEACCT-USERDATA"})
return return
} }
} }
@ -1227,7 +1302,7 @@ func main() {
if err != nil { if err != nil {
if !errors.Is(err, sql.ErrNoRows) { if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/deleteaccount logins at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/deleteaccount logins at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEACCT-LOGINS"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEACCT-LOGINS"})
return return
} }
} }
@ -1236,7 +1311,7 @@ func main() {
if err != nil { if err != nil {
if !errors.Is(err, sql.ErrNoRows) { if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/deleteuser oauth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/deleteuser oauth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEUSER-OAUTH"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEUSER-OAUTH"})
return return
} }
} }
@ -1245,7 +1320,7 @@ func main() {
if err != nil { if err != nil {
if !errors.Is(err, sql.ErrNoRows) { if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/deleteuser logins at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/deleteuser logins at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEUSER-USERS"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-DELETEUSER-USERS"})
return return
} }
} }
@ -1261,7 +1336,11 @@ func main() {
return return
} }
secretKey := data["secretKey"].(string) secretKey, ok := data["secretKey"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
_, id, err := getSession(secretKey) _, id, err := getSession(secretKey)
if err != nil { if err != nil {
@ -1273,7 +1352,7 @@ func main() {
if err != nil { if err != nil {
if !errors.Is(err, sql.ErrNoRows) { if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/sessions/list at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/sessions/list at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-LIST"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-LIST"})
return return
} }
} }
@ -1281,7 +1360,7 @@ func main() {
err := rows.Close() err := rows.Close()
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/sessions/list rows close at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/sessions/list rows close at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-LIST-ROWSCLOSE"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-LIST-ROWSCLOSE"})
return return
} }
}(rows) }(rows)
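Review bot: same issue as in `/api/listauth`: `c.JSON(500, ...)` inside the deferred `rows.Close()` handler can emit a second response body after the session list has already been sent; log the error and return without writing.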
@ -1291,7 +1370,7 @@ func main() {
var id, sessionId, device string var id, sessionId, device string
thisSession := false thisSession := false
if err := rows.Scan(&id, &sessionId, &device); err != nil { if err := rows.Scan(&id, &sessionId, &device); err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-LIST-SCAN"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-LIST-SCAN"})
return return
} }
if sessionId == secretKey { if sessionId == secretKey {
@ -1301,7 +1380,7 @@ func main() {
dataTemplate = append(dataTemplate, template) dataTemplate = append(dataTemplate, template)
} }
if err := rows.Err(); err != nil { if err := rows.Err(); err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-LIST-ERR"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-LIST-ERR"})
return return
} }
@ -1316,8 +1395,16 @@ func main() {
return return
} }
secretKey := data["secretKey"].(string) secretKey, ok := data["secretKey"].(string)
sessionId := data["sessionId"].(string) if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
sessionId, ok := data["sessionId"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
_, id, err := getSession(secretKey) _, id, err := getSession(secretKey)
if err != nil { if err != nil {
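Review bot: the `ok` checks added after `data["secretKey"].(string)` and `data["sessionId"].(string)` are repeated verbatim in every handler this commit touches; factor them into a small helper that returns the string and a bool, or bind the request body to a struct with `c.ShouldBindJSON`, so a forgotten check in a future handler cannot reintroduce the panic this commit fixes.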
@ -1331,7 +1418,7 @@ func main() {
c.JSON(422, gin.H{"error": "SessionID Not found"}) c.JSON(422, gin.H{"error": "SessionID Not found"})
} else { } else {
log.Println("[ERROR] Unknown in /api/sessions/remove at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/sessions/remove at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-REMOVE"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-SESSIONS-REMOVE"})
} }
} else { } else {
c.JSON(200, gin.H{"success": "true"}) c.JSON(200, gin.H{"success": "true"})
@ -1346,14 +1433,18 @@ func main() {
return return
} }
masterKey := data["masterKey"].(string) masterKey, ok := data["masterKey"].(string)
if !ok {
c.JSON(400, gin.H{"error": "Invalid JSON"})
return
}
if masterKey == SECRET_KEY { if masterKey == SecretKey {
rows, err := conn.Query("SELECT * FROM users ORDER BY id DESC") rows, err := conn.Query("SELECT * FROM users ORDER BY id DESC")
if err != nil { if err != nil {
if !errors.Is(err, sql.ErrNoRows) { if !errors.Is(err, sql.ErrNoRows) {
log.Println("[ERROR] Unknown in /api/listusers at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/listusers at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTUSERS-QUERY"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTUSERS-QUERY"})
return return
} }
} }
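Review bot: `masterKey == SecretKey` compares the admin credential with plain string equality, which returns at the first differing byte; use `subtle.ConstantTimeCompare([]byte(masterKey), []byte(SecretKey)) == 1` from `crypto/subtle` for secret comparisons. Separately, the `errors.Is(err, sql.ErrNoRows)` branch is dead: `conn.Query` never returns `sql.ErrNoRows` (only `QueryRow(...).Scan` does), and if it were ever taken the handler would carry on with a nil `rows`.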
@ -1361,7 +1452,7 @@ func main() {
err := rows.Close() err := rows.Close()
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /api/listusers rows close at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /api/listusers rows close at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTUSERS-ROWSCLOSE"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTUSERS-ROWSCLOSE"})
return return
} }
}(rows) }(rows)
@ -1370,14 +1461,14 @@ func main() {
for rows.Next() { for rows.Next() {
var id, username string var id, username string
if err := rows.Scan(&id, &username); err != nil { if err := rows.Scan(&id, &username); err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTUSERS-SCAN"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTUSERS-SCAN"})
return return
} }
template := map[string]interface{}{"id": id, "username": username} template := map[string]interface{}{"id": id, "username": username}
datatemplate = append(datatemplate, template) datatemplate = append(datatemplate, template)
} }
if err := rows.Err(); err != nil { if err := rows.Err(); err != nil {
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTUSERS-ERR"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-API-LISTUSERS-ERR"})
return return
} }
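Review bot: `SELECT * FROM users` (previous hunk) is scanned into exactly two destinations with `rows.Scan(&id, &username)`; `database/sql` returns an error as soon as the table has any other column, so the endpoint would land in the `UNKNOWN-API-LISTUSERS-SCAN` path. Select the columns explicitly: `SELECT id, username FROM users ORDER BY id DESC`. The slice is also still named `datatemplate` while the sessions handler uses `dataTemplate`, contrary to the camelCase pass in this commit.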
@ -1389,14 +1480,14 @@ func main() {
mod, err := BigIntToBase64URL(modulus) mod, err := BigIntToBase64URL(modulus)
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /well-known/jwks.json modulus at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /well-known/jwks.json modulus at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-JWKS-MODULUS"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-JWKS-MODULUS"})
return return
} }
exp, err := Int64ToBase64URL(int64(exponent)) exp, err := Int64ToBase64URL(int64(exponent))
if err != nil { if err != nil {
log.Println("[ERROR] Unknown in /well-known/jwks.json exponent at", strconv.FormatInt(time.Now().Unix(), 10)+":", err) log.Println("[ERROR] Unknown in /well-known/jwks.json exponent at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://centrifuge.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-JWKS-EXPONENT"}) c.JSON(500, gin.H{"error": "Something went wrong on our end. Please report this bug at https://concord.hectabit.org/hectabit/burgerauth and refer to the docs for more info. Your error code is: UNKNOWN-JWKS-EXPONENT"})
return return
} }
keys := gin.H{ keys := gin.H{
@ -1405,7 +1496,7 @@ func main() {
"kty": "RSA", "kty": "RSA",
"alg": "RS256", "alg": "RS256",
"use": "sig", "use": "sig",
"kid": "burgerauth", "kid": keyid,
"n": mod, "n": mod,
"e": exp, "e": exp,
}, },
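Review bot: the `kid` published here (`keyid`) has to be the exact value written into the JOSE header of every RS256 token the server signs, since relying parties pick the verification key out of this JWKS by `kid`; a test that signs a token and resolves its header against `/.well-known/jwks.json` would catch a mismatch. Where `keyid` comes from is not visible in this hunk; deriving it from the public key rather than a fixed constant keeps key rotation unambiguous.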
@ -1416,8 +1507,8 @@ func main() {
}) })
log.Println("[INFO] Server started at", time.Now().Unix()) log.Println("[INFO] Server started at", time.Now().Unix())
log.Println("[INFO] Welcome to Burgerauth! Today we are running on IP " + HOST + " on port " + strconv.Itoa(PORT) + ".") log.Println("[INFO] Welcome to Burgerauth! Today we are running on IP " + Host + " on port " + strconv.Itoa(Port) + ".")
err = router.Run(HOST + ":" + strconv.Itoa(PORT)) err = router.Run(Host + ":" + strconv.Itoa(Port))
if err != nil { if err != nil {
log.Fatalln("[FATAL] Server failed to begin operations at", time.Now().Unix(), err) log.Fatalln("[FATAL] Server failed to begin operations at", time.Now().Unix(), err)
} }
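Review bot: `Host + ":" + strconv.Itoa(Port)` is wrong for an IPv6 literal such as `::1` (it yields `::1:8080`); use `net.JoinHostPort(Host, strconv.Itoa(Port))`, which brackets IPv6 addresses. The same applies to the welcome log line above it.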


@ -1,23 +1,15 @@
@import url("../fonts/inter.css"); @import url("../fonts/inter.css");
:root { :root {
--contrast: #eee;
--contrast2: #fff;
--invertdm: 0%; --invertdm: 0%;
--bar: #f4f4f4;
--editor: #ffffff;
--text-color: #000000; --text-color: #000000;
--editor: #ffffff;
--bar: #f4f4f4;
--border-color: #dadada; --border-color: #dadada;
--theme-color: #157efb; --theme-color: #157efb;
--theme-text-color: #ffffff; --hover-theme-color: #4990e7;
--exit-color: #e9e9e9; --nonimporant-theme-color: #4A4A4A;
--session-color: #f4f4f4; --hover-nonimportant-theme-color: #595959;
--note-button: #ffffff;
--note-button-text-color: #ffffff;
--unselected-note-button-text-color: #000000;
--option-background: #ffffff;
--invert: 100%;
--bottomBarHover: #e4e4e4;
} }
/* dark mode */ /* dark mode */
@ -25,22 +17,10 @@
@media (prefers-color-scheme: dark) { @media (prefers-color-scheme: dark) {
:root { :root {
--invertdm: 100%; --invertdm: 100%;
--contrast: #2d2f21;
--contrast2: #2d2f21;
--bar: #2d2f31; --bar: #2d2f31;
--editor: #202124;
--text-color: #ffffff; --text-color: #ffffff;
--editor: #1E1E1E;
--border-color: #393b3d; --border-color: #393b3d;
--theme-color: #157efb;
--theme-text-color: #ffffff;
--exit-color: #454649;
--session-color: #2d2f31;
--note-button: #202124;
--note-button-text-color: #ffffff;
--unselected-note-button-text-color: #ffffff;
--option-background: #202124;
--invert: 100%;
--bottomBarHover: #e4e4e4;
} }
.inoutdiv p { .inoutdiv p {
@ -96,22 +76,57 @@ input {
border-color: var(--border-color); border-color: var(--border-color);
border-width: 1px; border-width: 1px;
border-radius: 8px; border-radius: 8px;
min-width: 20px;
}
@media only screen and (max-width: 600px) {
body {
background-color: var(--bar);
}
.inoutdiv {
position: absolute;
top: 0;
left: 0;
right: 0;
border-radius: 0;
min-width: 100%;
min-height: 100%;
transform: none;
padding: 5px;
overflow-y: auto;
overflow-x: auto;
margin: 0;
border: 0;
}
.inoutdiv p {
font-size: 14px;
}
.inoutdiv h2 {
font-size: 21px;
}
.background {
display: none;
}
.inoutdiv input {
width: calc(100% - 32px);
}
} }
.inoutdiv button { .inoutdiv button {
background-color: var(--theme-color);
color: white; color: white;
padding: 10px;
margin-right: 5px; margin-right: 5px;
padding-left: 20px; padding: 10px 20px;
padding-right: 20px;
border: none; border: none;
border-radius: 8px; border-radius: 25px;
font-size: 14px; font-size: 14px;
transition: 0.125s;
}
.inoutdiv img {
min-width: 200px;
max-width: 100%;
border-radius: 20px;
background-color: white;
} }
.iframe { .iframe {
@ -188,7 +203,16 @@ button {
} }
button:hover { button:hover {
background-color: #152efb; background-color: var(--hover-theme-color);
transition: all 0.3s ease 0s;
}
.unimportant {
var(--nonimporant-theme-color);
}
.unimportant:hover {
background-color: var(--hover-nonimportant-theme-color);
transition: all 0.3s ease 0s; transition: all 0.3s ease 0s;
} }
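Review bot: the new `.unimportant` rule is missing its property name; `var(--nonimporant-theme-color);` on its own is invalid CSS and is dropped by the parser, so the Back button keeps the default button colour. It should read `background-color: var(--nonimporant-theme-color);`. The variable is also misspelled (`nonimporant`) in both its definition in `:root` and its uses here; fix both at once.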
@ -208,7 +232,14 @@ h2 {
z-index: -2; z-index: -2;
top: 0; top: 0;
width: 100%; width: 100%;
min-height: 100%; height: 100%;
object-fit: cover;
-webkit-user-drag: none;
user-select: none;
-moz-user-select: none;
-webkit-user-select: none;
-ms-user-select: none;
pointer-events: none;
} }
.hidden { .hidden {

static/img/background.png Normal file



@ -1,28 +1 @@
window.addEventListener("message", function(event) { // To be implemented in the future
const access_token = event.data;
fetch("https://auth.hectabit.org/api/loggedin", {
method: "POST",
body: JSON.stringify({
access_token: access_token
})
})
.then((response) => response)
.then((response) => {
async function doStuff() {
let responseData = await response.json()
if (response.status === 200) {
console.log("Key is valid")
let key = localStorage.getItem("DONOTSHARE-password").concat(responseData["appId"]);
for (let i = 0; i < 128; i++) {
key = await hashwasm.sha3(key)
}
parent.window.postMessage(key, "*")
}
console.log("Alive check!")
}
console.log("Running doStuff")
doStuff();
})
console.log("The script is running!")
});
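Review bot: the removed code accepted `access_token` from any `message` sender without checking `event.origin` and handed the derived key to the embedding page with `parent.window.postMessage(key, "*")`; when this is reimplemented, pass the expected origin as the second argument of `postMessage` and ignore messages whose `event.origin` is not the expected one, otherwise any page that frames `/aeskeyshare` receives the key.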



@ -11,7 +11,7 @@ if (remote == null) {
function attempt() { function attempt() {
if (document.getElementById("appidbox").value != "") { if (document.getElementById("appidbox").value !== "") {
fetch(origin + "/api/newauth", { fetch(origin + "/api/newauth", {
method: "POST", method: "POST",
headers: { headers: {


@ -9,12 +9,6 @@ if (localStorage.getItem("DONOTSHARE-password") !== null) {
throw new Error(); throw new Error();
} }
let remote = localStorage.getItem("homeserverURL")
if (remote == null) {
localStorage.setItem("homeserverURL", "https://auth.hectabit.org")
remote = "https://auth.hectabit.org"
}
let usernameBox = document.getElementById("usernameBox") let usernameBox = document.getElementById("usernameBox")
let passwordBox = document.getElementById("passwordBox") let passwordBox = document.getElementById("passwordBox")
let statusBox = document.getElementById("statusBox") let statusBox = document.getElementById("statusBox")
@ -28,20 +22,26 @@ inputNameBox.innerText = "Username:"
let currentInputType = 0 let currentInputType = 0
function showInput(inputType) { function showInput(inputType) {
if (inputType == 0) { if (inputType === 0) {
usernameBox.classList.remove("hidden") usernameBox.classList.remove("hidden")
passwordBox.classList.add("hidden") passwordBox.classList.add("hidden")
backButton.classList.add("hidden") backButton.classList.add("hidden")
inputNameBox.innerText = "Username:" inputNameBox.innerText = "Username:"
statusBox.innerText = "Login to your Hectabit account!" let serviceName
fetch("/api/servicename")
.then((response) => response.json())
.then((response) => {
serviceName = response["name"]
statusBox.innerText = "Login to your " + serviceName + " account!"
currentInputType = 0 currentInputType = 0
} else if (inputType == 1) { })
} else if (inputType === 1) {
usernameBox.classList.add("hidden") usernameBox.classList.add("hidden")
passwordBox.classList.remove("hidden") passwordBox.classList.remove("hidden")
backButton.classList.remove("hidden") backButton.classList.remove("hidden")
inputNameBox.innerText = "Password:" inputNameBox.innerText = "Password:"
currentInputType = 1 currentInputType = 1
} else if (inputType == 2) { } else if (inputType === 2) {
usernameBox.classList.add("hidden") usernameBox.classList.add("hidden")
passwordBox.classList.add("hidden") passwordBox.classList.add("hidden")
signupButton.classList.add("hidden") signupButton.classList.add("hidden")
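Review bot: in the `inputType === 0` branch, `currentInputType = 0` has moved inside the `.then` callback of the `/api/servicename` fetch, so it is now set asynchronously and never set if the request fails (there is no `.catch`); keep the assignment synchronous next to the class toggles, and fetch the service name once at page load instead of on every `showInput(0)` call (the Back button calls it too).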
@ -75,9 +75,9 @@ document.addEventListener('DOMContentLoaded', function() {
document.getElementById("homeserver").innerText = "Your homeserver is: " + remote + ". " document.getElementById("homeserver").innerText = "Your homeserver is: " + remote + ". "
}); });
signupButton.addEventListener("click", (event) => { signupButton.addEventListener("click", () => {
if (passwordBox.classList.contains("hidden")) { if (passwordBox.classList.contains("hidden")) {
if (usernameBox.value == "") { if (usernameBox.value === "") {
statusBox.innerText = "A username is required!" statusBox.innerText = "A username is required!"
return return
} else { } else {
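Review bot: the context line `document.getElementById("homeserver").innerText = "Your homeserver is: " + remote + ". "` still reads `remote`, but the `let remote = localStorage.getItem("homeserverURL")` block was deleted in the first hunk of this file, so the DOMContentLoaded handler now throws a `ReferenceError`. Remove the handler as was done in signup.js, and the `homeserver` element from login.html if nothing else uses it.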
@ -89,7 +89,7 @@ signupButton.addEventListener("click", (event) => {
let username = usernameBox.value let username = usernameBox.value
let password = passwordBox.value let password = passwordBox.value
if (password == "") { if (password === "") {
statusBox.innerText = "A password is required!" statusBox.innerText = "A password is required!"
return return
} }
@ -98,28 +98,15 @@ signupButton.addEventListener("click", (event) => {
showElements(true) showElements(true)
statusBox.innerText = "Signing in..." statusBox.innerText = "Signing in..."
async function hashpassold(pass) {
const key = await hashwasm.argon2id({
password: pass,
salt: await hashwasm.sha512(pass),
parallelism: 1,
iterations: 256,
memorySize: 512,
hashLength: 32,
outputType: "encoded"
});
return key
};
async function hashpass(pass) { async function hashpass(pass) {
let key = pass let key = pass
for (let i = 0; i < 128; i++) { for (let i = 0; i < 128; i++) {
key = await hashwasm.sha3(key) key = await hashwasm.sha3(key)
} }
return key return key
}; }
fetch(remote + "/api/login", { fetch("/api/login", {
method: "POST", method: "POST",
body: JSON.stringify({ body: JSON.stringify({
username: username, username: username,
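Review bot: `hashpass` (unchanged context) derives the transmitted credential as 128 unsalted SHA3 iterations of the password, so the value depends on the password alone and is identical for every user with the same password; that is acceptable only if the server applies its own salted, slow password hash to what it receives. If that is the case, a comment saying so here would stop the next reader from flagging it.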
@ -135,51 +122,17 @@ signupButton.addEventListener("click", (event) => {
.then((response) => { .then((response) => {
async function doStuff() { async function doStuff() {
let responseData = await response.json() let responseData = await response.json()
if (response.status == 200) { if (response.status === 200) {
localStorage.setItem("DONOTSHARE-secretkey", responseData["key"]) localStorage.setItem("DONOTSHARE-secretkey", responseData["key"])
localStorage.setItem("DONOTSHARE-password", await hashwasm.sha512(password)) localStorage.setItem("DONOTSHARE-password", await hashwasm.sha512(password))
window.location.href = "/app" + window.location.search window.location.href = "/app" + window.location.search
} }
else if (response.status == 401) { else if (response.status === 401) {
console.log("Trying oldhash")
fetch(remote + "/api/login", {
method: "POST",
body: JSON.stringify({
username: username,
password: await hashpassold(password),
passwordchange: "yes",
newpass: await hashpass(password)
}),
headers: {
"Content-Type": "application/json; charset=UTF-8"
}
})
.then((response) => response)
.then((response) => {
async function doStuff2() {
let responseData = await response.json()
if (response.status == 200) {
localStorage.setItem("DONOTSHARE-secretkey", responseData["key"])
localStorage.setItem("DONOTSHARE-password", await hashwasm.sha512(password))
window.location.href = "/app" + window.location.search
}
else if (response.status == 401) {
statusBox.innerText = "Wrong username or password..." statusBox.innerText = "Wrong username or password..."
showInput(1) showInput(1)
showElements(true) showElements(true)
} } else {
else {
statusBox.innerText = "Something went wrong! (error code: " + response.status + ")"
showInput(1)
showElements(true)
}
}
doStuff2()
});
}
else {
statusBox.innerText = "Something went wrong! (error code: " + response.status + ")" statusBox.innerText = "Something went wrong! (error code: " + response.status + ")"
showInput(1) showInput(1)
showElements(true) showElements(true)
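Review bot: deleting the `hashpassold` fallback removes the only path that migrated accounts still stored with the old argon2id hash (`passwordchange: "yes"`, `newpass: await hashpass(password)`); a 401 now ends at "Wrong username or password..." with no retry. Confirm that no remaining users are on the legacy hash, or keep the migration on the server side where it does not depend on client code.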
@ -192,7 +145,7 @@ signupButton.addEventListener("click", (event) => {
} }
}); });
backButton.addEventListener("click", (event) => { backButton.addEventListener("click", () => {
showInput(0) showInput(0)
}); });
@ -201,15 +154,13 @@ showInput(0)
document.getElementById("signuprdirButton").addEventListener("click", function(event) { document.getElementById("signuprdirButton").addEventListener("click", function(event) {
event.preventDefault(); event.preventDefault();
var queryString = window.location.search; const queryString = window.location.search;
var newURL = "/signup" + queryString; window.location.href = "/signup" + queryString;
window.location.href = newURL;
}); });
document.getElementById("privacyButton").addEventListener("click", function(event) { document.getElementById("privacyButton").addEventListener("click", function(event) {
event.preventDefault(); event.preventDefault();
var queryString = window.location.search; const queryString = window.location.search;
var newURL = "/privacy" + queryString; window.location.href = "/privacy" + queryString;
window.location.href = newURL;
}); });

static/js/main.js Normal file

@ -0,0 +1,58 @@
let client_id, redirect_uri, response_type, state, code, codemethod, secret_key, expires, nonce;
if (localStorage.getItem("DONOTSHARE-secretkey") === null) {
window.location.replace("/login" + window.location.search)
document.body.innerHTML = "Redirecting..."
throw new Error();
}
document.addEventListener("DOMContentLoaded", function() {
const urlParams = new URLSearchParams(window.location.search);
const statusBox = document.getElementById("statusBox");
// Get URL parameters
if (urlParams.has('client_id')) {
client_id = urlParams.get('client_id')
let name = document.getElementById("passthrough").innerText;
statusBox.textContent = "Would you like to allow " + name + " to access your user information?";
redirect_uri = urlParams.get('redirect_uri');
response_type = urlParams.get('response_type');
} else {
window.location.replace("/dashboard");
document.body.innerHTML = "Redirecting..."
throw new Error();
}
state = urlParams.has('state') ? urlParams.get('state') : "none";
if (urlParams.has('code_challenge')) {
code = urlParams.get('code_challenge');
codemethod = urlParams.get('code_challenge_method');
} else {
code = "none";
codemethod = "none";
}
if (urlParams.has('nonce')) {
nonce = urlParams.get('nonce');
} else {
nonce = "none";
}
// Get DONOTSHARE-secretkey from localStorage
secret_key = localStorage.getItem("DONOTSHARE-secretkey");
const now = new Date();
const expireTime = now.getTime() + (21 * 1000); // 21 seconds from now
expires = new Date(expireTime).toUTCString();
});
function deny() {
document.cookie = "key=" + secret_key + "; expires=" + expires + "; path=/; SameSite=Strict";
// Redirect to the redirect_uri so that an open redirect is not possible
window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce + "&deny=true");
}
function oauth() {
document.cookie = "key=" + secret_key + "; expires=" + expires + "; path=/; SameSite=Strict";
window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce + "&deny=false");
}
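Review bot: in `deny()` and `oauth()` the `redirect_uri`, `state`, `nonce` and `code_challenge` values read from the incoming query are concatenated back into the `/api/auth` URL without `encodeURIComponent`, so a `redirect_uri` that carries its own query string, or a `state` containing `&`, splits into extra parameters and the request is malformed; build the query with `new URLSearchParams({...})` and let it encode. `response_type` is read but never forwarded. The `key` cookie carrying the secret key should also set `Secure` alongside `SameSite=Strict`, and the literal `"none"` used as a sentinel is indistinguishable from a client actually sending `state=none`.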


@ -9,12 +9,6 @@ if (localStorage.getItem("DONOTSHARE-password") !== null) {
throw new Error(); throw new Error();
} }
let remote = localStorage.getItem("homeserverURL")
if (remote == null) {
localStorage.setItem("homeserverURL", "https://auth.hectabit.org")
remote = "https://auth.hectabit.org"
}
let usernameBox = document.getElementById("usernameBox") let usernameBox = document.getElementById("usernameBox")
let passwordBox = document.getElementById("passwordBox") let passwordBox = document.getElementById("passwordBox")
let statusBox = document.getElementById("statusBox") let statusBox = document.getElementById("statusBox")
@ -35,10 +29,6 @@ function showElements(yesorno) {
} }
} }
document.addEventListener('DOMContentLoaded', function() {
document.getElementById("homeserver").innerText = "Your homeserver is: " + remote + ". "
});
signupButton.addEventListener("click", () => { signupButton.addEventListener("click", () => {
async function doStuff() { async function doStuff() {
let username = usernameBox.value let username = usernameBox.value
@ -78,7 +68,7 @@ signupButton.addEventListener("click", () => {
} }
fetch(remote + "/api/signup", { fetch("/api/signup", {
method: "POST", method: "POST",
body: JSON.stringify({ body: JSON.stringify({
username: username, username: username,


@ -3,7 +3,7 @@
<head> <head>
<link rel="stylesheet" href="/static/css/style.css" media=""> <link rel="stylesheet" href="/static/css/style.css" media="">
<script src="/static/js/dashboard.js"></script> <script src="/static/js/dashboard.js"></script>
<title>Dashboard</title> <title>User settings - {{ .identifier }}</title>
</head> </head>
<body style="background-color: transparent;"> <body style="background-color: transparent;">
<script> <script>


@ -1,12 +1 @@
<!DOCTYPE html> To be implemented
<html lang="en">
<head>
<title>Burgerauth</title>
<meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<link rel="icon" href="/static/svg/favicon.svg">
<script src="/static/js/hash-wasm.js"></script>
</head>
<p>Sending key...</p>
<script src="/static/js/aeskeyshare.js"></script>


@ -3,11 +3,10 @@
<head> <head>
<link rel="stylesheet" href="/static/css/style.css" media=""> <link rel="stylesheet" href="/static/css/style.css" media="">
<script src="/static/js/dashboard.js"></script> <script src="/static/js/dashboard.js"></script>
<title>Dashboard</title> <title>Dashboard - {{ .identifier }}</title>
</head> </head>
<body> <body>
<p class="credit">Image by perga (@pergagreen on discord)</p> <img src="/static/img/background.png" class="background" alt="">
<img src="/static/img/background.jpg" class="background" alt="">
<div style="position: fixed;top: 5px;"><button onclick="document.getElementById('iframe').classList.toggle('hidden');" class="acctbutton">Account</button><iframe id="iframe" src="/account" class="iframe hidden"></iframe></div> <div style="position: fixed;top: 5px;"><button onclick="document.getElementById('iframe').classList.toggle('hidden');" class="acctbutton">Account</button><iframe id="iframe" src="/account" class="iframe hidden"></iframe></div>
<div class="newoauth"> <div class="newoauth">
<h2>Submit a new OAuth2 App</h2> <h2>Submit a new OAuth2 App</h2>


@ -2,7 +2,7 @@
<html lang="en"> <html lang="en">
<head> <head>
<title>Login - Burgerauth</title> <title>Login - {{ .identifier }}</title>
<meta charset="UTF-8" /> <meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
@ -12,8 +12,7 @@
</head> </head>
<body> <body>
<p class="credit">Image by perga (@pergagreen on discord)</p> <img src="/static/img/background.png" class="background" alt="">
<img src="/static/img/background.jpg" class="background" alt="">
<div class="inoutdiv"> <div class="inoutdiv">
<h2 class="w300">Login</h2> <h2 class="w300">Login</h2>
<p id="statusBox"></p> <p id="statusBox"></p>
@ -21,11 +20,11 @@
<input id="usernameBox" class="hidden" type="text" placeholder="Enter your username"> <input id="usernameBox" class="hidden" type="text" placeholder="Enter your username">
<input id="passwordBox" class="hidden" type="password" placeholder="Enter your password"> <input id="passwordBox" class="hidden" type="password" placeholder="Enter your password">
<button id="signupButton">Next</button> <button id="signupButton">Next</button>
<button id="backButton" class="hidden">Back</button> <button id="backButton" class="hidden unimportant">Back</button>
<br> <br>
<br> <br>
<p>Don't have an account? If so, <a href="/signup" id="signuprdirButton">Create one here!</a></p> <p>Don't have an account? If so, <a href="/signup" id="signuprdirButton">Create one here!</a></p>
<a href="https://centrifuge.hectabit.org/Paperwork/Burgerauth/src/commit/ee82f454e69fef5fdf8b8a005f5759fc17e8d8c9/Privacy.md" id="privacyButton">Privacy &amp; Terms</a> <a href="{{ .privacy }}" id="privacyButton">Privacy &amp; Terms</a>
</div> </div>
<script type="text/javascript" src="../static/js/login.js"></script> <script type="text/javascript" src="../static/js/login.js"></script>


@ -2,7 +2,7 @@
<html lang="en"> <html lang="en">
<head> <head>
<title>Burgerauth</title> <title>Log out - {{ .identifier }}</title>
<meta charset="UTF-8" /> <meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" />
<link rel="icon" href="/static/svg/favicon.svg"> <link rel="icon" href="/static/svg/favicon.svg">
@ -11,6 +11,5 @@
<script> <script>
localStorage.removeItem("DONOTSHARE-secretkey") localStorage.removeItem("DONOTSHARE-secretkey")
localStorage.removeItem("DONOTSHARE-password") localStorage.removeItem("DONOTSHARE-password")
localStorage.removeItem("CACHE-username")
window.location.replace("/login") window.location.replace("/login")
</script> </script>


@ -1,78 +1,18 @@
<html lang="en"> <html lang="en">
<head> <head>
<title>Authorize application</title> <title>Authorize application - {{ .identifier }}</title>
<meta charset="UTF-8"> <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link rel="stylesheet" type="text/css" href="/static/css/style.css" media=""> <link rel="stylesheet" type="text/css" href="/static/css/style.css" media="">
<script src="/static/js/hash-wasm.js"></script> <script src="/static/js/hash-wasm.js"></script>
<link rel="icon" href="/static/svg/favicon.svg"> <link rel="icon" href="/static/svg/favicon.svg">
<script> <script src="/static/js/main.js"></script>
let client_id, redirect_uri, response_type, state, code, codemethod, secret_key, expires, nonce;
if (localStorage.getItem("DONOTSHARE-secretkey") === null) {
window.location.replace("/login" + window.location.search)
document.body.innerHTML = "Redirecting..."
throw new Error();
}
document.addEventListener("DOMContentLoaded", function() {
const urlParams = new URLSearchParams(window.location.search);
const statusBox = document.getElementById("statusBox");
// Get URL parameters
if (urlParams.has('client_id')) {
client_id = urlParams.get('client_id')
let name = document.getElementById("passthrough").innerText;
statusBox.textContent = "Would you like to allow " + name + " to access your user information?";
redirect_uri = urlParams.get('redirect_uri');
response_type = urlParams.get('response_type');
} else {
window.location.replace("/dashboard");
document.body.innerHTML = "Redirecting..."
throw new Error();
}
state = urlParams.has('state') ? urlParams.get('state') : "none";
if (urlParams.has('code_challenge')) {
code = urlParams.get('code_challenge');
codemethod = urlParams.get('code_challenge_method');
} else {
code = "none";
codemethod = "none";
}
if (urlParams.has('nonce')) {
nonce = urlParams.get('nonce');
} else {
nonce = "none";
}
// Get DONOTSHARE-secretkey from localStorage
secret_key = localStorage.getItem("DONOTSHARE-secretkey");
const now = new Date();
const expireTime = now.getTime() + (21 * 1000); // 21 seconds from now
expires = new Date(expireTime).toUTCString();
});
function deny() {
document.cookie = "key=" + secret_key + "; expires=" + expires + "; path=/; SameSite=Strict";
// Redirect to the redirect_uri so that an open redirect is not possible
window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce + "&deny=true");
}
function oauth() {
document.cookie = "key=" + secret_key + "; expires=" + expires + "; path=/; SameSite=Strict";
window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce + "&deny=false");
}
</script>
</head> </head>
<body> <body>
<p id="passthrough" style="display: none;">{{ .name }}</p> <p id="passthrough" style="display: none;">{{ .name }}</p>
<p class="credit">Image by perga (@pergagreen on discord)</p> <img src="/static/img/background.png" class="background" alt="">
<img src="/static/img/background.jpg" class="background" alt="">
<div style="position: fixed;top: 5px;"><button onclick="document.getElementById('iframe').classList.toggle('hidden');" class="acctbutton">Account</button><iframe id="iframe" src="/account" class="iframe hidden"></iframe></div> <div style="position: fixed;top: 5px;"><button onclick="document.getElementById('iframe').classList.toggle('hidden');" class="acctbutton">Account</button><iframe id="iframe" src="/account" class="iframe hidden"></iframe></div>
<div class="inoutdiv"> <div class="inoutdiv">
<h2 class="w300">Authorise Application</h2> <h2 class="w300">Authorise Application</h2>
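Review bot: the query string built in `deny()` and `oauth()` concatenates `redirect_uri`, `state`, `nonce` and the PKCE parameters into the `/api/auth` URL without `encodeURIComponent()`, so a `redirect_uri` that carries its own `?` or `&` (or a `state` containing `+` or `#`) is split or truncated by the server's query parser and the request is processed with the wrong values. Build the URL with `URLSearchParams` instead (e.g. `const q = new URLSearchParams({client_id, redirect_uri, code_challenge_method: codemethod, code_challenge: code, state, nonce, deny: "true"});` then `window.location.replace("/api/auth?" + q);`), which also lets the two near-identical functions collapse into one taking the `deny` flag. The `key=` cookie that carries the secret key is set without the `Secure` attribute; add `; Secure` so it is never sent over plain HTTP. Minor: `secret_key` is the one snake_case identifier left among the camelCase names in this block, and the comment above `deny()` talks about redirecting to `redirect_uri` while the code redirects to `/api/auth`.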

@ -1,9 +1,9 @@
{ {
"issuer": "https://auth.hectabit.org", "issuer": "{{ .hostName }}",
"authorization_endpoint": "https://auth.hectabit.org/login", "authorization_endpoint": "{{ .hostName }}/login",
"token_endpoint": "https://auth.hectabit.org/api/tokenauth", "token_endpoint": "{{ .hostName }}/api/tokenauth",
"userinfo_endpoint": "https://auth.hectabit.org/userinfo", "userinfo_endpoint": "{{ .hostName }}/userinfo",
"jwks_uri": "https://auth.hectabit.org/.well-known/jwks.json", "jwks_uri": "{{ .hostName }}/.well-known/jwks.json",
"response_types_supported": ["code"], "response_types_supported": ["code"],
"subject_types_supported": ["public"] "subject_types_supported": ["public"]
} }
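Review bot: every endpoint here is produced by plain concatenation, `{{ .hostName }}/login`, so a configured host name with a trailing slash yields `https://example.org//login`, and one without a scheme yields a relative `issuer` that clients will reject (OpenID Connect Discovery requires an `https` issuer URL with no query or fragment, matching the `iss` claim of the ID tokens byte for byte). Normalize and validate `hostName` once at config load (require an `https://` scheme, strip any trailing slash, reject paths, query strings and fragments) rather than leaving it to whoever edits config.ini. Also confirm which engine renders this file: Go's `html/template` escapes the value for an HTML context, which is wrong inside a JSON document, while `text/template` emits it verbatim, which is what this file needs once the value has been validated.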

@ -2,7 +2,7 @@
<html lang="en"> <html lang="en">
<head> <head>
<title>Signup - Burgerauth</title> <title>Signup - {{ .identifier }}</title>
<meta charset="UTF-8" /> <meta charset="UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"> <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
@ -12,12 +12,11 @@
</head> </head>
<body> <body>
<p class="credit">Image by perga (@pergagreen on discord)</p>
<p style="display: none;" id="passthrough">{{ .unique_token }}</p> <p style="display: none;" id="passthrough">{{ .unique_token }}</p>
<img src="/static/img/background.jpg" class="background" alt=""> <img src="/static/img/background.png" class="background" alt="">
<div class="inoutdiv"> <div class="inoutdiv">
<h2 class="w300">Signup</h2> <h2 class="w300">Signup</h2>
<p>Signup for an account</p> <p>Signup to {{ .identifier }}!</p>
<p id="statusBox"></p> <p id="statusBox"></p>
<input id="usernameBox" type="text" placeholder="Username"> <input id="usernameBox" type="text" placeholder="Username">
<input id="passwordBox" type="password" placeholder="Password"> <input id="passwordBox" type="password" placeholder="Password">
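Review bot: `Signup to {{ .identifier }}!` reads awkwardly; as a verb it is two words, `Sign up for {{ .identifier }}`, and the heading and button that remain `Signup` in this file have the same problem (the page title uses it as a noun, which is fine). Unrelated to this change but worth a follow-up: the unchanged `{{ .unique_token }}` line still ships the token to the client in a hidden `<p>`, where any script running on the page can read it; if the value is meant to stay out of reach of page scripts it should travel another way.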
@ -27,7 +26,7 @@
<button id="signupButton">Signup</button><br><br> <button id="signupButton">Signup</button><br><br>
<p>Already have an account? If so, <a href="/login" id="loginButton">Login</a> instead!</p> <p>Already have an account? If so, <a href="/login" id="loginButton">Login</a> instead!</p>
<p>Please note that it's impossible to reset your password, do not forget it!</p> <p>Please note that it's impossible to reset your password, do not forget it!</p>
<a href="https://centrifuge.hectabit.org/Paperwork/Burgerauth/src/commit/ee82f454e69fef5fdf8b8a005f5759fc17e8d8c9/Privacy.md" id="privacyButton">Privacy &amp; Terms</a> <a href="{{ .privacy }}" id="privacyButton">Privacy &amp; Terms</a>
</div> </div>
<script type="text/javascript" src="../static/js/signup.js"></script> <script type="text/javascript" src="../static/js/signup.js"></script>
</body> </body>
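Review bot: `{{ .privacy }}` now lands directly in an `href`, so validate the new config value at load time (require an absolute `http(s)://` URL and reject anything else) rather than relying on the template engine to neutralize an unexpected scheme: Go's `html/template` rewrites unsafe `href` schemes to `#ZgotmplZ`, `text/template` does not. The link that was removed pinned the privacy document to a specific commit; note in the example config that the configured URL should likewise point at a fixed revision, so users are shown the terms they actually agreed to.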