mirror of
https://github.com/pocketbase/pocketbase.git
synced 2025-02-15 09:12:58 +02:00
361 lines
12 KiB
Go
361 lines
12 KiB
Go
package apis
|
|
|
|
import (
|
|
"context"
|
|
"database/sql"
|
|
"errors"
|
|
"fmt"
|
|
"log/slog"
|
|
"maps"
|
|
"net/http"
|
|
"time"
|
|
|
|
validation "github.com/go-ozzo/ozzo-validation/v4"
|
|
"github.com/pocketbase/dbx"
|
|
"github.com/pocketbase/pocketbase/core"
|
|
"github.com/pocketbase/pocketbase/tools/auth"
|
|
"github.com/pocketbase/pocketbase/tools/dbutils"
|
|
"github.com/pocketbase/pocketbase/tools/filesystem"
|
|
"github.com/pocketbase/pocketbase/tools/security"
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
func recordAuthWithOAuth2(e *core.RequestEvent) error {
|
|
collection, err := findAuthCollection(e)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if !collection.OAuth2.Enabled {
|
|
return e.ForbiddenError("The collection is not configured to allow OAuth2 authentication.", nil)
|
|
}
|
|
|
|
var fallbackAuthRecord *core.Record
|
|
if e.Auth != nil && e.Auth.Collection().Id == collection.Id {
|
|
fallbackAuthRecord = e.Auth
|
|
}
|
|
|
|
form := new(recordOAuth2LoginForm)
|
|
form.collection = collection
|
|
if err = e.BindBody(form); err != nil {
|
|
return firstApiError(err, e.BadRequestError("An error occurred while loading the submitted data.", err))
|
|
}
|
|
|
|
if form.RedirectUrl != "" && form.RedirectURL == "" {
|
|
e.App.Logger().Warn("[recordAuthWithOAuth2] redirectUrl body param is deprecated and will be removed in the future. Please replace it with redirectURL.")
|
|
form.RedirectURL = form.RedirectUrl
|
|
}
|
|
|
|
if err = form.validate(); err != nil {
|
|
return firstApiError(err, e.BadRequestError("An error occurred while loading the submitted data.", err))
|
|
}
|
|
|
|
// exchange token for OAuth2 user info and locate existing ExternalAuth rel
|
|
// ---------------------------------------------------------------
|
|
|
|
// load provider configuration
|
|
providerConfig, ok := collection.OAuth2.GetProviderConfig(form.Provider)
|
|
if !ok {
|
|
return e.InternalServerError("Missing or invalid provider config.", nil)
|
|
}
|
|
|
|
provider, err := providerConfig.InitProvider()
|
|
if err != nil {
|
|
return firstApiError(err, e.InternalServerError("Failed to init provider "+form.Provider, err))
|
|
}
|
|
|
|
ctx, cancel := context.WithTimeout(e.Request.Context(), 30*time.Second)
|
|
defer cancel()
|
|
|
|
provider.SetContext(ctx)
|
|
provider.SetRedirectURL(form.RedirectURL)
|
|
|
|
var opts []oauth2.AuthCodeOption
|
|
|
|
if provider.PKCE() {
|
|
opts = append(opts, oauth2.SetAuthURLParam("code_verifier", form.CodeVerifier))
|
|
}
|
|
|
|
// fetch token
|
|
token, err := provider.FetchToken(form.Code, opts...)
|
|
if err != nil {
|
|
return firstApiError(err, e.BadRequestError("Failed to fetch OAuth2 token.", err))
|
|
}
|
|
|
|
// fetch external auth user
|
|
authUser, err := provider.FetchAuthUser(token)
|
|
if err != nil {
|
|
return firstApiError(err, e.BadRequestError("Failed to fetch OAuth2 user.", err))
|
|
}
|
|
|
|
var authRecord *core.Record
|
|
|
|
// check for existing relation with the auth collection
|
|
externalAuthRel, err := e.App.FindFirstExternalAuthByExpr(dbx.HashExp{
|
|
"collectionRef": form.collection.Id,
|
|
"provider": form.Provider,
|
|
"providerId": authUser.Id,
|
|
})
|
|
if err != nil && !errors.Is(err, sql.ErrNoRows) {
|
|
return e.InternalServerError("Failed OAuth2 relation check.", err)
|
|
}
|
|
|
|
switch {
|
|
case err == nil && externalAuthRel != nil:
|
|
authRecord, err = e.App.FindRecordById(form.collection, externalAuthRel.RecordRef())
|
|
if err != nil {
|
|
return err
|
|
}
|
|
case fallbackAuthRecord != nil && fallbackAuthRecord.Collection().Id == form.collection.Id:
|
|
// fallback to the logged auth record (if any)
|
|
authRecord = fallbackAuthRecord
|
|
case authUser.Email != "":
|
|
// look for an existing auth record by the external auth record's email
|
|
authRecord, err = e.App.FindAuthRecordByEmail(form.collection.Id, authUser.Email)
|
|
if err != nil && !errors.Is(err, sql.ErrNoRows) {
|
|
return e.InternalServerError("Failed OAuth2 auth record check.", err)
|
|
}
|
|
}
|
|
|
|
// ---------------------------------------------------------------
|
|
|
|
event := new(core.RecordAuthWithOAuth2RequestEvent)
|
|
event.RequestEvent = e
|
|
event.Collection = collection
|
|
event.ProviderName = form.Provider
|
|
event.ProviderClient = provider
|
|
event.OAuth2User = authUser
|
|
event.CreateData = form.CreateData
|
|
event.Record = authRecord
|
|
event.IsNewRecord = authRecord == nil
|
|
|
|
return e.App.OnRecordAuthWithOAuth2Request().Trigger(event, func(e *core.RecordAuthWithOAuth2RequestEvent) error {
|
|
if err := oauth2Submit(e, externalAuthRel); err != nil {
|
|
return firstApiError(err, e.BadRequestError("Failed to authenticate.", err))
|
|
}
|
|
|
|
meta := struct {
|
|
*auth.AuthUser
|
|
IsNew bool `json:"isNew"`
|
|
}{
|
|
AuthUser: e.OAuth2User,
|
|
IsNew: e.IsNewRecord,
|
|
}
|
|
|
|
return RecordAuthResponse(e.RequestEvent, e.Record, core.MFAMethodOAuth2, meta)
|
|
})
|
|
}
|
|
|
|
// -------------------------------------------------------------------
|
|
|
|
type recordOAuth2LoginForm struct {
|
|
collection *core.Collection
|
|
|
|
// Additional data that will be used for creating a new auth record
|
|
// if an existing OAuth2 account doesn't exist.
|
|
CreateData map[string]any `form:"createData" json:"createData"`
|
|
|
|
// The name of the OAuth2 client provider (eg. "google")
|
|
Provider string `form:"provider" json:"provider"`
|
|
|
|
// The authorization code returned from the initial request.
|
|
Code string `form:"code" json:"code"`
|
|
|
|
// The optional PKCE code verifier as part of the code_challenge sent with the initial request.
|
|
CodeVerifier string `form:"codeVerifier" json:"codeVerifier"`
|
|
|
|
// The redirect url sent with the initial request.
|
|
RedirectURL string `form:"redirectURL" json:"redirectURL"`
|
|
|
|
// @todo
|
|
// deprecated: use RedirectURL instead
|
|
// RedirectUrl will be removed after dropping v0.22 support
|
|
RedirectUrl string `form:"redirectUrl" json:"redirectUrl"`
|
|
}
|
|
|
|
func (form *recordOAuth2LoginForm) validate() error {
|
|
return validation.ValidateStruct(form,
|
|
validation.Field(&form.Provider, validation.Required, validation.By(form.checkProviderName)),
|
|
validation.Field(&form.Code, validation.Required),
|
|
validation.Field(&form.RedirectURL, validation.Required),
|
|
)
|
|
}
|
|
|
|
func (form *recordOAuth2LoginForm) checkProviderName(value any) error {
|
|
name, _ := value.(string)
|
|
|
|
_, ok := form.collection.OAuth2.GetProviderConfig(name)
|
|
if !ok {
|
|
return validation.NewError("validation_invalid_provider", fmt.Sprintf("Provider with name %q is missing or is not enabled.", name)).
|
|
SetParams(map[string]any{"name": name})
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func oldCanAssignUsername(txApp core.App, collection *core.Collection, username string) bool {
|
|
// ensure that username is unique
|
|
checkUnique := dbutils.HasSingleColumnUniqueIndex(collection.OAuth2.MappedFields.Username, collection.Indexes)
|
|
if checkUnique {
|
|
if _, err := txApp.FindFirstRecordByData(collection, collection.OAuth2.MappedFields.Username, username); err == nil {
|
|
return false // already exist
|
|
}
|
|
}
|
|
|
|
// ensure that the value matches the pattern of the username field (if text)
|
|
txtField, _ := collection.Fields.GetByName(collection.OAuth2.MappedFields.Username).(*core.TextField)
|
|
|
|
return txtField != nil && txtField.ValidatePlainValue(username) == nil
|
|
}
|
|
|
|
func oauth2Submit(e *core.RecordAuthWithOAuth2RequestEvent, optExternalAuth *core.ExternalAuth) error {
|
|
return e.App.RunInTransaction(func(txApp core.App) error {
|
|
if e.Record == nil {
|
|
// extra check to prevent creating a superuser record via
|
|
// OAuth2 in case the method is used by another action
|
|
if e.Collection.Name == core.CollectionNameSuperusers {
|
|
return errors.New("superusers are not allowed to sign-up with OAuth2")
|
|
}
|
|
|
|
payload := maps.Clone(e.CreateData)
|
|
if payload == nil {
|
|
payload = map[string]any{}
|
|
}
|
|
|
|
payload[core.FieldNameEmail] = e.OAuth2User.Email
|
|
|
|
// set a random password if none is set
|
|
if v, _ := payload[core.FieldNamePassword].(string); v == "" {
|
|
payload[core.FieldNamePassword] = security.RandomString(30)
|
|
payload[core.FieldNamePassword+"Confirm"] = payload[core.FieldNamePassword]
|
|
}
|
|
|
|
// map known fields (unless the field was explicitly submitted as part of CreateData)
|
|
if _, ok := payload[e.Collection.OAuth2.MappedFields.Id]; !ok && e.Collection.OAuth2.MappedFields.Id != "" {
|
|
payload[e.Collection.OAuth2.MappedFields.Id] = e.OAuth2User.Id
|
|
}
|
|
if _, ok := payload[e.Collection.OAuth2.MappedFields.Name]; !ok && e.Collection.OAuth2.MappedFields.Name != "" {
|
|
payload[e.Collection.OAuth2.MappedFields.Name] = e.OAuth2User.Name
|
|
}
|
|
if _, ok := payload[e.Collection.OAuth2.MappedFields.Username]; !ok &&
|
|
// no explicit username payload value and existing OAuth2 mapping
|
|
e.Collection.OAuth2.MappedFields.Username != "" &&
|
|
// extra checks for backward compatibility with earlier versions
|
|
oldCanAssignUsername(txApp, e.Collection, e.OAuth2User.Username) {
|
|
payload[e.Collection.OAuth2.MappedFields.Username] = e.OAuth2User.Username
|
|
}
|
|
if _, ok := payload[e.Collection.OAuth2.MappedFields.AvatarURL]; !ok &&
|
|
// no explicit avatar payload value and existing OAuth2 mapping
|
|
e.Collection.OAuth2.MappedFields.AvatarURL != "" &&
|
|
// non-empty OAuth2 avatar url
|
|
e.OAuth2User.AvatarURL != "" {
|
|
mappedField := e.Collection.Fields.GetByName(e.Collection.OAuth2.MappedFields.AvatarURL)
|
|
if mappedField != nil && mappedField.Type() == core.FieldTypeFile {
|
|
// download the avatar if the mapped field is a file
|
|
avatarFile, err := func() (*filesystem.File, error) {
|
|
ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
|
|
defer cancel()
|
|
return filesystem.NewFileFromURL(ctx, e.OAuth2User.AvatarURL)
|
|
}()
|
|
if err != nil {
|
|
txApp.Logger().Warn("Failed to retrieve OAuth2 avatar", slog.String("error", err.Error()))
|
|
} else {
|
|
payload[e.Collection.OAuth2.MappedFields.AvatarURL] = avatarFile
|
|
}
|
|
} else {
|
|
// otherwise - assign the url string
|
|
payload[e.Collection.OAuth2.MappedFields.AvatarURL] = e.OAuth2User.AvatarURL
|
|
}
|
|
}
|
|
|
|
createdRecord, err := sendOAuth2RecordCreateRequest(txApp, e, payload)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
e.Record = createdRecord
|
|
|
|
if e.Record.Email() == e.OAuth2User.Email && !e.Record.Verified() {
|
|
// mark as verified as long as it matches the OAuth2 data (even if the email is empty)
|
|
e.Record.SetVerified(true)
|
|
if err := txApp.Save(e.Record); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
} else {
|
|
var needUpdate bool
|
|
|
|
isLoggedAuthRecord := e.Auth != nil &&
|
|
e.Auth.Id == e.Record.Id &&
|
|
e.Auth.Collection().Id == e.Record.Collection().Id
|
|
|
|
// set random password for users with unverified email
|
|
// (this is in case a malicious actor has registered previously with the user email)
|
|
if !isLoggedAuthRecord && e.Record.Email() != "" && !e.Record.Verified() {
|
|
e.Record.SetPassword(security.RandomString(30))
|
|
needUpdate = true
|
|
}
|
|
|
|
// update the existing auth record empty email if the data.OAuth2User has one
|
|
// (this is in case previously the auth record was created
|
|
// with an OAuth2 provider that didn't return an email address)
|
|
if e.Record.Email() == "" && e.OAuth2User.Email != "" {
|
|
e.Record.SetEmail(e.OAuth2User.Email)
|
|
needUpdate = true
|
|
}
|
|
|
|
// update the existing auth record verified state
|
|
// (only if the auth record doesn't have an email or the auth record email match with the one in data.OAuth2User)
|
|
if !e.Record.Verified() && (e.Record.Email() == "" || e.Record.Email() == e.OAuth2User.Email) {
|
|
e.Record.SetVerified(true)
|
|
needUpdate = true
|
|
}
|
|
|
|
if needUpdate {
|
|
if err := txApp.Save(e.Record); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
}
|
|
|
|
// create ExternalAuth relation if missing
|
|
if optExternalAuth == nil {
|
|
optExternalAuth = core.NewExternalAuth(txApp)
|
|
optExternalAuth.SetCollectionRef(e.Record.Collection().Id)
|
|
optExternalAuth.SetRecordRef(e.Record.Id)
|
|
optExternalAuth.SetProvider(e.ProviderName)
|
|
optExternalAuth.SetProviderId(e.OAuth2User.Id)
|
|
|
|
if err := txApp.Save(optExternalAuth); err != nil {
|
|
return fmt.Errorf("failed to save linked rel: %w", err)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
})
|
|
}
|
|
|
|
func sendOAuth2RecordCreateRequest(txApp core.App, e *core.RecordAuthWithOAuth2RequestEvent, payload map[string]any) (*core.Record, error) {
|
|
ir := &core.InternalRequest{
|
|
Method: http.MethodPost,
|
|
URL: "/api/collections/" + e.Collection.Name + "/records",
|
|
Body: payload,
|
|
}
|
|
|
|
var createdRecord *core.Record
|
|
response, err := processInternalRequest(txApp, e.RequestEvent, ir, core.RequestInfoContextOAuth2, func(data any) error {
|
|
createdRecord, _ = data.(*core.Record)
|
|
|
|
return nil
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if response.Status != http.StatusOK || createdRecord == nil {
|
|
return nil, errors.New("failed to create OAuth2 auth record")
|
|
}
|
|
|
|
return createdRecord, nil
|
|
}
|