From 9344b77b95decedf5e5db7af99f6af4db2b27ffb Mon Sep 17 00:00:00 2001 From: Fire Demon Date: Mon, 7 Sep 2020 19:07:46 -0500 Subject: [SSO, API] Add Matrix auth API (https://monsterware.dev/monsterpit/matrix-synapse-rest-password-provider) --- app/controllers/application_controller.rb | 2 +- app/controllers/matrix/base_controller.rb | 100 +++++++++++++++++++++ .../identity/v1/check_credentials_controller.rb | 53 +++++++++++ config/initializers/rack_attack.rb | 4 + config/routes.rb | 8 ++ 5 files changed, 166 insertions(+), 1 deletion(-) create mode 100644 app/controllers/matrix/base_controller.rb create mode 100644 app/controllers/matrix/identity/v1/check_credentials_controller.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 8154924b9..5e12e89c8 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -45,7 +45,7 @@ class ApplicationController < ActionController::Base private def https_enabled? - Rails.env.production? && !request.path.start_with?('/health') + Rails.env.production? && !request.path.start_with?('/health', '/_matrix-internal/') end def authorized_fetch_mode? diff --git a/app/controllers/matrix/base_controller.rb b/app/controllers/matrix/base_controller.rb new file mode 100644 index 000000000..5922501ec --- /dev/null +++ b/app/controllers/matrix/base_controller.rb @@ -0,0 +1,100 @@ +# frozen_string_literal: true + +class Matrix::BaseController < ApplicationController + include RateLimitHeaders + + skip_before_action :store_current_location + skip_before_action :require_functional! + + before_action :set_cache_headers + + protect_from_forgery with: :null_session + + skip_around_action :set_locale + + rescue_from ActiveRecord::RecordInvalid, Mastodon::ValidationError do |e| + render json: { success: false, error: e.to_s }, status: 422 + end + + rescue_from ActiveRecord::RecordNotUnique do + render json: { success: false, error: 'Duplicate record' }, status: 422 + end + + rescue_from ActiveRecord::RecordNotFound do + render json: { success: false, error: 'Record not found' }, status: 404 + end + + rescue_from HTTP::Error, Mastodon::UnexpectedResponseError do + render json: { success: false, error: 'Remote data could not be fetched' }, status: 503 + end + + rescue_from OpenSSL::SSL::SSLError do + render json: { success: false, error: 'Remote SSL certificate could not be verified' }, status: 503 + end + + rescue_from Mastodon::NotPermittedError do + render json: { success: false, error: 'This action is not allowed' }, status: 403 + end + + rescue_from Mastodon::RaceConditionError do + render json: { success: false, error: 'There was a temporary problem serving your request, please try again' }, status: 503 + end + + rescue_from Mastodon::RateLimitExceededError do + render json: { auth: { success: false }, success: false, error: I18n.t('errors.429') }, status: 429 + end + + rescue_from ActionController::ParameterMissing do |e| + render json: { success: false, error: e.to_s }, status: 400 + end + + def doorkeeper_unauthorized_render_options(error: nil) + { json: { success: false, error: (error.try(:description) || 'Not authorized') } } + end + + def doorkeeper_forbidden_render_options(*) + { json: { success: false, error: 'This action is outside the authorized scopes' } } + end + + protected + + def current_resource_owner + @current_user ||= User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token + end + + def current_user + current_resource_owner || super + rescue ActiveRecord::RecordNotFound + nil + end + + def require_authenticated_user! + render json: { success: false, error: 'This method requires an authenticated user' }, status: 401 unless current_user + end + + def require_user! + if !current_user + render json: { success: false, error: 'This method requires an authenticated user' }, status: 422 + elsif current_user.disabled? + render json: { success: false, error: 'Your login is currently disabled' }, status: 403 + elsif !current_user.confirmed? + render json: { success: false, error: 'Your login is missing a confirmed e-mail address' }, status: 403 + elsif !current_user.approved? + render json: { success: false, error: 'Your login is currently pending approval' }, status: 403 + else + set_user_activity + end + end + + def render_empty + render json: {}, status: 200 + end + + def authorize_if_got_token!(*scopes) + doorkeeper_authorize!(*scopes) if doorkeeper_token + end + + def set_cache_headers + response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate' + end +end diff --git a/app/controllers/matrix/identity/v1/check_credentials_controller.rb b/app/controllers/matrix/identity/v1/check_credentials_controller.rb new file mode 100644 index 000000000..1969d354b --- /dev/null +++ b/app/controllers/matrix/identity/v1/check_credentials_controller.rb @@ -0,0 +1,53 @@ +# frozen_string_literal: true + +class Matrix::Identity::V1::CheckCredentialsController < Matrix::BaseController + def create + matrix_profile = matrix_profile_json + return render json: fail_json, status: 403 if matrix_profile.blank? + + render json: matrix_profile + rescue ActionController::ParameterMissing, ActiveRecord::RecordNotFound + render json: fail_json, status: 403 + end + + private + + def resource_params + params.require(:user).permit(:id, :password) + end + + def matrix_domains + ENV.fetch('MATRIX_AUTH_DOMAINS', '').delete(',').split.to_set + end + + def matrix_profile_json + user_params = resource_params + return unless user_params[:id].present? && user_params[:password].present? && user_params[:id][0] == '@' + + (username, domain) = user_params[:id].downcase.split(':', 2) + return unless matrix_domains.include?(domain) + + user = User.find_by_lower_username!(username[1..-1]) + return unless user.valid_password?(user_params[:password]) + + { + auth: { + success: true, + mxid: user_params[:id], + profile: { + display_name: user.account.display_name.presence || user.username, + three_pids: [ + { + medium: 'email', + address: user.email, + }, + ] + } + } + } + end + + def fail_json + { auth: { success: false } } + end +end diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb index cd29afac5..f11e87b11 100644 --- a/config/initializers/rack_attack.rb +++ b/config/initializers/rack_attack.rb @@ -105,6 +105,10 @@ class Rack::Attack req.session[:attempt_user_id] || req.params.dig('user', 'email').presence if req.post? && req.path == '/auth/sign_in' end + throttle('throttle_matrix_auth_attempts/ip', limit: 5, period: 1.minute) do |req| + req.remote_ip if req.path == '/_matrix-internal/identity/v1/check_credentials' + end + self.throttled_response = lambda do |env| now = Time.now.utc match_data = env['rack.attack.match_data'] diff --git a/config/routes.rb b/config/routes.rb index a6b9f6981..33343625c 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -531,6 +531,14 @@ Rails.application.routes.draw do end end + namespace :matrix, path: '_matrix-internal' do + namespace :identity do + namespace :v1 do + resource :check_credentials, only: [:create] + end + end + end + get '/web/(*any)', to: 'home#index', as: :web get '/about', to: 'about#show' -- cgit