mirrors/dendrite
1
0
Fork 0
mirror of https://github.com/matrix-org/dendrite.git synced 2025-12-12 17:33:09 -06:00
Code Issues Packages Projects Releases Wiki Activity

Login: Add Token based authentication

Browse source 
Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com>
This commit is contained in:
Anant Prakash 2018-03-03 21:34:30 +00:00
parent 6b55972183
commit a85743b00c
No known key found for this signature in database
GPG key ID: C5D399F626523045
1 changed files with 114 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

160
src/github.com/matrix-org/dendrite/clientapi/routing/login.go
View file

@ -15,6 +15,7 @@
package routing package routing
import ( import (
"database/sql"
"net/http" "net/http"
"strings" "strings"
@ -28,6 +29,14 @@ import (
"github.com/matrix-org/util" "github.com/matrix-org/util"
) )
type loginType string
// https://matrix.org/docs/spec/client_server/r0.3.0.html#login
const (
PasswordBased loginType = "m.login.password"
TokenBased loginType = "m.login.token"
)
type loginFlows struct { type loginFlows struct {
Flows []flow `json:"flows"` Flows []flow `json:"flows"`
} }
@ -37,10 +46,15 @@ type flow struct {
Stages []string `json:"stages"` Stages []string `json:"stages"`
} }
type passwordRequest struct { type loginRequest struct {
User string `json:"user"` Type loginType `json:"type"`
Password string `json:"password"` User string `json:"user"`
InitialDisplayName *string `json:"initial_device_display_name"` Medium string `json:"medium"`
Address string `json:"address"`
Password string `json:"password"`
Token string `json:"token"`
DeviceID string `json:"device_id"`
InitialDisplayName *string `json:"initial_device_display_name"`
} }
type loginResponse struct { type loginResponse struct {
@ -50,25 +64,112 @@ type loginResponse struct {
DeviceID string `json:"device_id"` DeviceID string `json:"device_id"`
} }
func passwordLogin() loginFlows { func defaultPasswordLogin() loginFlows {
f := loginFlows{} f := loginFlows{}
s := flow{"m.login.password", []string{"m.login.password"}} s := flow{string(PasswordBased), []string{string(PasswordBased)}}
f.Flows = append(f.Flows, s) f.Flows = append(f.Flows, s)
return f return f
} }
func handlePasswordLogin(
r loginRequest, accountDB *accounts.Database, deviceDB *devices.Database,
req *http.Request, cfg config.Dendrite) *util.JSONResponse {
localpart := r.User
acc, err := accountDB.GetAccountByPassword(req.Context(), localpart, r.Password)
if err != nil {
// Technically we could tell them if the user does not exist by checking if err == sql.ErrNoRows
// but that would leak the existence of the user.
return &util.JSONResponse{
Code: 403,
JSON: jsonerror.Forbidden("username or password was incorrect, or the account does not exist"),
}
}
token, err := auth.GenerateAccessToken()
if err != nil {
httputil.LogThenError(req, err)
}
// TODO: Use the device ID in the request
dev, err := deviceDB.CreateDevice(
req.Context(), acc.Localpart, nil, token, r.InitialDisplayName,
)
if err != nil {
return &util.JSONResponse{
Code: 500,
JSON: jsonerror.Unknown("failed to create device: " + err.Error()),
}
}
return &util.JSONResponse{
Code: 200,
JSON: loginResponse{
UserID: dev.UserID,
AccessToken: dev.AccessToken,
HomeServer: cfg.Matrix.ServerName,
DeviceID: dev.ID,
},
}
}
func handleTokenLogin(
r loginRequest, deviceDB *devices.Database,
req *http.Request, cfg config.Dendrite) *util.JSONResponse {
if r.Token == "" {
return &util.JSONResponse{
Code: 401,
JSON: jsonerror.MissingToken("missing access token"),
}
}
dev, err := deviceDB.GetDeviceByAccessToken(req.Context(), r.Token)
if err != nil {
if err == sql.ErrNoRows {
return &util.JSONResponse{
Code: 401,
JSON: jsonerror.UnknownToken("Unknown token"),
}
}
return &util.JSONResponse{
Code: 401,
JSON: jsonerror.Unknown("Unexpected Server error occurred"),
}
}
if dev.ID != r.DeviceID {
// The access token specified in the request was generated for a
// different device.
return &util.JSONResponse{
Code: 403,
JSON: jsonerror.Forbidden("The access token was generated for a different device."),
}
}
return &util.JSONResponse{
Code: 200,
JSON: loginResponse{
UserID: dev.UserID,
AccessToken: dev.AccessToken,
HomeServer: cfg.Matrix.ServerName,
DeviceID: dev.ID,
},
}
}
// Login implements GET and POST /login // Login implements GET and POST /login
func Login( func Login(
req *http.Request, accountDB *accounts.Database, deviceDB *devices.Database, req *http.Request, accountDB *accounts.Database, deviceDB *devices.Database,
cfg config.Dendrite, cfg config.Dendrite,
) util.JSONResponse { ) util.JSONResponse {
if req.Method == "GET" { // TODO: support other forms of login other than password, depending on config options if req.Method == "GET" {
return util.JSONResponse{ return util.JSONResponse{
Code: 200, Code: 200,
JSON: passwordLogin(), JSON: defaultPasswordLogin(),
} }
} else if req.Method == "POST" { } else if req.Method == "POST" {
var r passwordRequest var r loginRequest
resErr := httputil.UnmarshalJSONRequest(req, &r) resErr := httputil.UnmarshalJSONRequest(req, &r)
if resErr != nil { if resErr != nil {
return *resErr return *resErr
@ -82,12 +183,10 @@ func Login(
util.GetLogger(req.Context()).WithField("user", r.User).Info("Processing login request") util.GetLogger(req.Context()).WithField("user", r.User).Info("Processing login request")
// r.User can either be a user ID or just the localpart... or other things maybe.
localpart := r.User
if strings.HasPrefix(r.User, "@") { if strings.HasPrefix(r.User, "@") {
var domain gomatrixserverlib.ServerName var domain gomatrixserverlib.ServerName
var err error var err error
localpart, domain, err = gomatrixserverlib.SplitID('@', r.User) _, domain, err = gomatrixserverlib.SplitID('@', r.User)
if err != nil { if err != nil {
return util.JSONResponse{ return util.JSONResponse{
Code: 400, Code: 400,
@ -103,41 +202,10 @@ func Login(
} }
} }
acc, err := accountDB.GetAccountByPassword(req.Context(), localpart, r.Password) if r.Type == PasswordBased {
if err != nil { return *handleTokenLogin(r, deviceDB, req, cfg)
// Technically we could tell them if the user does not exist by checking if err == sql.ErrNoRows
// but that would leak the existence of the user.
return util.JSONResponse{
Code: 403,
JSON: jsonerror.Forbidden("username or password was incorrect, or the account does not exist"),
}
}
token, err := auth.GenerateAccessToken()
if err != nil {
httputil.LogThenError(req, err)
}
// TODO: Use the device ID in the request
dev, err := deviceDB.CreateDevice(
req.Context(), acc.Localpart, nil, token, r.InitialDisplayName,
)
if err != nil {
return util.JSONResponse{
Code: 500,
JSON: jsonerror.Unknown("failed to create device: " + err.Error()),
}
}
return util.JSONResponse{
Code: 200,
JSON: loginResponse{
UserID: dev.UserID,
AccessToken: dev.AccessToken,
HomeServer: cfg.Matrix.ServerName,
DeviceID: dev.ID,
},
} }
return *handlePasswordLogin(r, accountDB, deviceDB, req, cfg)
} }
return util.JSONResponse{ return util.JSONResponse{
Code: 405, Code: 405,