feat(backend): implement oauth login

Author: asleepyskye

backend/api/oauth.go

@@ -0,0 +1,177 @@
+package api
+
+import (
+	"context"
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/gob"
+	"encoding/json"
+	"io"
+	"log/slog"
+	"net/http"
+	"os"
+	"slices"
+	"time"
+
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/endpoints"
+)
+
+type DiscordUser struct {
+	ID       string `json:"id"`
+	Username string `json:"username"`
+	Avatar   string `json:"avatar"`
+}
+
+var discordOauthConfig *oauth2.Config
+
+func (a *API) oauthInit() {
+	gob.Register(DiscordUser{})
+	baseUrl := ""
+	if a.Config.RunDev {
+		baseUrl = "http://localhost:5173"
+	} else {
+		baseUrl = "https://status.pluralkit.me"
+	}
+	discordOauthConfig = &oauth2.Config{
+		RedirectURL:  baseUrl + "/api/v1/auth/discord/callback",
+		ClientID:     os.Getenv("DISCORD_OAUTH_CLIENT_ID"),
+		ClientSecret: os.Getenv("DISCORD_OAUTH_CLIENT_SECRET"),
+		Scopes:       []string{"identify"},
+		Endpoint:     endpoints.Discord,
+	}
+}
+
+const discordUserEndpoint = "https://discordapp.com/api/users/@me"
+
+func (a *API) logout(w http.ResponseWriter, r *http.Request) {
+	err := a.Sessions.Destroy(r.Context())
+	if err != nil {
+		a.Logger.Error("failed to destroy session", slog.Any("error", err))
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "login_status",
+		Value:    "0",
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: false,
+	})
+	http.Redirect(w, r, "/", http.StatusSeeOther)
+}
+
+func (a *API) oauthDiscordLogin(w http.ResponseWriter, r *http.Request) {
+	state := a.genState(w)
+
+	url := discordOauthConfig.AuthCodeURL(state)
+	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
+}
+
+func (a *API) oauthDiscordCallback(w http.ResponseWriter, r *http.Request) {
+	state, err := r.Cookie("oauthstate")
+	if err != nil {
+		a.Logger.Warn("error while retrieving oauth state", slog.Any("error", err))
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		return
+	}
+
+	if r.FormValue("state") != state.Value {
+		a.Logger.Warn("invalid oauth state", slog.Any("error", err))
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		return
+	}
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     "oauthstate",
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+		Secure:   !a.Config.RunDev,
+		SameSite: http.SameSiteLaxMode,
+	})
+
+	data, err := getUserData(r.Context(), r.FormValue("code"))
+	if err != nil {
+		a.Logger.Error("error while getting user data", slog.Any("error", err))
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		return
+	}
+
+	var user DiscordUser
+	if err := json.Unmarshal(data, &user); err != nil {
+		a.Logger.Error("error parsing json", slog.Any("error", err))
+		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+		return
+	}
+
+	if !slices.Contains(a.Config.AuthorizedUsers, user.ID) {
+		http.Error(w, "You are not authorized to access this resource", http.StatusUnauthorized)
+		a.Logger.Info("Unauthorized user attempted access", slog.Any("user", user))
+		return
+	}
+
+	if err := a.Sessions.RenewToken(r.Context()); err != nil {
+		a.Logger.Error("error renewing token", slog.Any("error", err))
+		http.Error(w, "Server Error", http.StatusInternalServerError)
+		return
+	}
+
+	a.Sessions.Put(r.Context(), "user_session", user)
+	http.SetCookie(w, &http.Cookie{
+		Name:     "login_status",
+		Value:    "1",
+		Path:     "/",
+		HttpOnly: false,
+		Secure:   !a.Config.RunDev,
+		MaxAge:   86400,
+	})
+	http.Redirect(w, r, "/", http.StatusFound)
+}
+
+func (a *API) genState(w http.ResponseWriter) string {
+	var expiration = time.Now().Add(24 * time.Hour)
+
+	b := make([]byte, 16)
+	rand.Read(b)
+	state := base64.URLEncoding.EncodeToString(b)
+	cookie := http.Cookie{
+		Name:     "oauthstate",
+		Value:    state,
+		Expires:  expiration,
+		HttpOnly: true,
+		Secure:   !a.Config.RunDev,
+		SameSite: http.SameSiteLaxMode,
+	}
+	http.SetCookie(w, &cookie)
+
+	return state
+}
+
+func getUserData(ctx context.Context, code string) ([]byte, error) {
+	token, err := discordOauthConfig.Exchange(ctx, code)
+	if err != nil {
+		return nil, err
+	}
+
+	client := &http.Client{}
+	req, err := http.NewRequest("GET", discordUserEndpoint, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	token.SetAuthHeader(req)
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	content, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	return content, nil
+}

backend/api/routes.go

@@ -7,10 +7,12 @@ import (
 	"net/http"
 	"pluralkit/status/db"
 	"pluralkit/status/util"
+	"slices"
 	"strings"
 	"sync"
 	"time"
 
+	"github.com/alexedwards/scs/v2"
 	"github.com/go-chi/chi/v5"
 )
 
@@ -64,6 +66,7 @@ type API struct {
 	Config     util.Config
 	Logger     *slog.Logger
 	Database   *db.DB
+	Sessions   *scs.SessionManager
 	httpClient http.Client
 
 	clustersCache  ClustersInfo
@@ -73,10 +76,19 @@ type API struct {
 
 func NewAPI(config util.Config, logger *slog.Logger, database *db.DB) *API {
 	moduleLogger := logger.With(slog.String("module", "API"))
+
+	sessionManager := scs.New()
+	sessionManager.Lifetime = 24 * time.Hour
+	sessionManager.Cookie.Name = "session_id"
+	sessionManager.Cookie.HttpOnly = true
+	sessionManager.Cookie.Secure = !config.RunDev
+	sessionManager.Cookie.SameSite = http.SameSiteLaxMode
+
 	return &API{
 		Config:     config,
 		Logger:     moduleLogger,
 		Database:   database,
+		Sessions:   sessionManager,
 		httpClient: http.Client{Timeout: 10 * time.Second},
 		clustersCache: ClustersInfo{
 			Clusters:       make([]*Cluster, 0),
@@ -85,9 +97,7 @@ func NewAPI(config util.Config, logger *slog.Logger, database *db.DB) *API {
 	}
 }
 
-// this isn't that secure, and it's not supposed to be.
-// backend should be behind a reverse proxy with only local/certain IPs allowed
-func BasicTokenAuth(token string) func(http.Handler) http.Handler {
+func (a *API) Auth() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			authHeader := r.Header.Get("Authorization")
@@ -101,16 +111,55 @@ func BasicTokenAuth(token string) func(http.Handler) http.Handler {
 				return
 			}
 
-			if split[1] == token {
+			if split[1] == a.Config.AuthToken {
 				next.ServeHTTP(w, r)
-			} else {
+				return
+			}
+
+			val := a.Sessions.Get(r.Context(), "user_session")
+			user, ok := val.(DiscordUser)
+			if !ok {
+				http.Error(w, "Unauthorized", http.StatusUnauthorized)
+				return
+			}
+
+			if user.ID == "" || !slices.Contains(a.Config.AuthorizedUsers, user.ID) {
 				http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+				return
 			}
+
+			next.ServeHTTP(w, r)
 		})
 	}
 }
 
+func (a *API) Me(w http.ResponseWriter, r *http.Request) {
+	val := a.Sessions.Get(r.Context(), "user_session")
+	user, ok := val.(DiscordUser)
+
+	if !ok {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	var avatarURL string
+	if user.Avatar != "" {
+		avatarURL = "https://cdn.discordapp.com/avatars/" + user.ID + "/" + user.Avatar + ".png"
+	} else {
+		avatarURL = "https://cdn.discordapp.com/embed/avatars/0.png"
+	}
+
+	response := map[string]string{
+		"id":       user.ID,
+		"username": user.Username,
+		"avatar":   avatarURL,
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(response)
+}
+
 func (a *API) SetupRoutes(router *chi.Mux) {
+	a.oauthInit()
 	router.Route("/api/v1", func(r chi.Router) {
 
 		r.Get("/status", a.GetStatus)
@@ -131,12 +180,15 @@ func (a *API) SetupRoutes(router *chi.Mux) {
 			r.Get("/", a.GetUpdate)
 		})
 
+		r.Route("/auth/discord", func(r chi.Router) {
+			r.Get("/login", a.oauthDiscordLogin)
+			r.Get("/callback", a.oauthDiscordCallback)
+			r.Get("/logout", a.logout)
+		})
+		r.Get("/me", a.Me)
+
 		r.Route("/admin", func(r chi.Router) {
-			if a.Config.AuthToken != "" {
-				r.Use(BasicTokenAuth(a.Config.AuthToken))
-			} else {
-				a.Logger.Warn("auth token is not set! admin endpoint auth disabled!")
-			}
+			r.Use(a.Auth())
 
 			r.Route("/incidents", func(r chi.Router) {
 				r.Post("/create", a.CreateIncident)

backend/go.mod

@@ -17,6 +17,7 @@ require (
 
 require (
 	github.com/ajg/form v1.5.1 // indirect
+	github.com/alexedwards/scs/v2 v2.9.0
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
@@ -34,6 +35,7 @@ require (
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	golang.org/x/crypto v0.33.0 // indirect
 	golang.org/x/net v0.34.0 // indirect
+	golang.org/x/oauth2 v0.34.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

backend/go.sum

@@ -1,5 +1,7 @@
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
+github.com/alexedwards/scs/v2 v2.9.0 h1:xa05mVpwTBm1iLeTMNFfAWpKUm4fXAW7CeAViqBVS90=
+github.com/alexedwards/scs/v2 v2.9.0/go.mod h1:ToaROZxyKukJKT/xLcVQAChi5k6+Pn1Gvmdl7h3RRj8=
 github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
 github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
@@ -59,6 +61,8 @@ golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
 golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
 golang.org/x/net v0.34.0 h1:Mb7Mrk043xzHgnRM88suvJFwzVrRfHEHJEl5/71CKw0=
 golang.org/x/net v0.34.0/go.mod h1:di0qlW3YNM5oh6GqDGQr92MyTozJPmybPK4Ev/Gm31k=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=

backend/main.go

@@ -98,6 +98,7 @@ func main() {
 	r.Use(middleware.Timeout(30 * time.Second))
 
 	apiInstance := api.NewAPI(cfg, logger, db)
+	r.Use(apiInstance.Sessions.LoadAndSave)
 	apiInstance.SetupRoutes(r)
 
 	if cfg.RunDev {

backend/util/util.go

@@ -36,4 +36,5 @@ type Config struct {
 	RunDev              bool      `env:"pluralkit__status__run_dev" envDefault:"false"`
 	DBLoc               string    `env:"pluralkit__status__db_location" envDefault:"file:status.db?_foreign_keys=on"`
 	LogLevel            SlogLevel `env:"pluralkit__consoleloglevel" envDefault:"info"`
+	AuthorizedUsers     []string  `env:"pluralkit__status__auth_users"`
 }