From 9344b77b95decedf5e5db7af99f6af4db2b27ffb Mon Sep 17 00:00:00 2001 From: Fire Demon Date: Mon, 7 Sep 2020 19:07:46 -0500 Subject: [SSO, API] Add Matrix auth API (https://monsterware.dev/monsterpit/matrix-synapse-rest-password-provider) --- app/controllers/application_controller.rb | 2 +- app/controllers/matrix/base_controller.rb | 100 +++++++++++++++++++++ .../identity/v1/check_credentials_controller.rb | 53 +++++++++++ 3 files changed, 154 insertions(+), 1 deletion(-) create mode 100644 app/controllers/matrix/base_controller.rb create mode 100644 app/controllers/matrix/identity/v1/check_credentials_controller.rb (limited to 'app') diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 8154924b9..5e12e89c8 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -45,7 +45,7 @@ class ApplicationController < ActionController::Base private def https_enabled? - Rails.env.production? && !request.path.start_with?('/health') + Rails.env.production? && !request.path.start_with?('/health', '/_matrix-internal/') end def authorized_fetch_mode? diff --git a/app/controllers/matrix/base_controller.rb b/app/controllers/matrix/base_controller.rb new file mode 100644 index 000000000..5922501ec --- /dev/null +++ b/app/controllers/matrix/base_controller.rb @@ -0,0 +1,100 @@ +# frozen_string_literal: true + +class Matrix::BaseController < ApplicationController + include RateLimitHeaders + + skip_before_action :store_current_location + skip_before_action :require_functional! + + before_action :set_cache_headers + + protect_from_forgery with: :null_session + + skip_around_action :set_locale + + rescue_from ActiveRecord::RecordInvalid, Mastodon::ValidationError do |e| + render json: { success: false, error: e.to_s }, status: 422 + end + + rescue_from ActiveRecord::RecordNotUnique do + render json: { success: false, error: 'Duplicate record' }, status: 422 + end + + rescue_from ActiveRecord::RecordNotFound do + render json: { success: false, error: 'Record not found' }, status: 404 + end + + rescue_from HTTP::Error, Mastodon::UnexpectedResponseError do + render json: { success: false, error: 'Remote data could not be fetched' }, status: 503 + end + + rescue_from OpenSSL::SSL::SSLError do + render json: { success: false, error: 'Remote SSL certificate could not be verified' }, status: 503 + end + + rescue_from Mastodon::NotPermittedError do + render json: { success: false, error: 'This action is not allowed' }, status: 403 + end + + rescue_from Mastodon::RaceConditionError do + render json: { success: false, error: 'There was a temporary problem serving your request, please try again' }, status: 503 + end + + rescue_from Mastodon::RateLimitExceededError do + render json: { auth: { success: false }, success: false, error: I18n.t('errors.429') }, status: 429 + end + + rescue_from ActionController::ParameterMissing do |e| + render json: { success: false, error: e.to_s }, status: 400 + end + + def doorkeeper_unauthorized_render_options(error: nil) + { json: { success: false, error: (error.try(:description) || 'Not authorized') } } + end + + def doorkeeper_forbidden_render_options(*) + { json: { success: false, error: 'This action is outside the authorized scopes' } } + end + + protected + + def current_resource_owner + @current_user ||= User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token + end + + def current_user + current_resource_owner || super + rescue ActiveRecord::RecordNotFound + nil + end + + def require_authenticated_user! + render json: { success: false, error: 'This method requires an authenticated user' }, status: 401 unless current_user + end + + def require_user! + if !current_user + render json: { success: false, error: 'This method requires an authenticated user' }, status: 422 + elsif current_user.disabled? + render json: { success: false, error: 'Your login is currently disabled' }, status: 403 + elsif !current_user.confirmed? + render json: { success: false, error: 'Your login is missing a confirmed e-mail address' }, status: 403 + elsif !current_user.approved? + render json: { success: false, error: 'Your login is currently pending approval' }, status: 403 + else + set_user_activity + end + end + + def render_empty + render json: {}, status: 200 + end + + def authorize_if_got_token!(*scopes) + doorkeeper_authorize!(*scopes) if doorkeeper_token + end + + def set_cache_headers + response.headers['Cache-Control'] = 'no-cache, no-store, max-age=0, must-revalidate' + end +end diff --git a/app/controllers/matrix/identity/v1/check_credentials_controller.rb b/app/controllers/matrix/identity/v1/check_credentials_controller.rb new file mode 100644 index 000000000..1969d354b --- /dev/null +++ b/app/controllers/matrix/identity/v1/check_credentials_controller.rb @@ -0,0 +1,53 @@ +# frozen_string_literal: true + +class Matrix::Identity::V1::CheckCredentialsController < Matrix::BaseController + def create + matrix_profile = matrix_profile_json + return render json: fail_json, status: 403 if matrix_profile.blank? + + render json: matrix_profile + rescue ActionController::ParameterMissing, ActiveRecord::RecordNotFound + render json: fail_json, status: 403 + end + + private + + def resource_params + params.require(:user).permit(:id, :password) + end + + def matrix_domains + ENV.fetch('MATRIX_AUTH_DOMAINS', '').delete(',').split.to_set + end + + def matrix_profile_json + user_params = resource_params + return unless user_params[:id].present? && user_params[:password].present? && user_params[:id][0] == '@' + + (username, domain) = user_params[:id].downcase.split(':', 2) + return unless matrix_domains.include?(domain) + + user = User.find_by_lower_username!(username[1..-1]) + return unless user.valid_password?(user_params[:password]) + + { + auth: { + success: true, + mxid: user_params[:id], + profile: { + display_name: user.account.display_name.presence || user.username, + three_pids: [ + { + medium: 'email', + address: user.email, + }, + ] + } + } + } + end + + def fail_json + { auth: { success: false } } + end +end -- cgit