// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. // See License.txt for license information. package api4 import ( "net/http" "net/url" "strings" l4g "github.com/alecthomas/log4go" "github.com/mattermost/mattermost-server/app" "github.com/mattermost/mattermost-server/model" "github.com/mattermost/mattermost-server/utils" ) func InitOAuth() { l4g.Debug(utils.T("api.oauth.init.debug")) BaseRoutes.OAuthApps.Handle("", ApiSessionRequired(createOAuthApp)).Methods("POST") BaseRoutes.OAuthApps.Handle("", ApiSessionRequired(getOAuthApps)).Methods("GET") BaseRoutes.OAuthApp.Handle("", ApiSessionRequired(getOAuthApp)).Methods("GET") BaseRoutes.OAuthApp.Handle("/info", ApiSessionRequired(getOAuthAppInfo)).Methods("GET") BaseRoutes.OAuthApp.Handle("", ApiSessionRequired(deleteOAuthApp)).Methods("DELETE") BaseRoutes.OAuthApp.Handle("/regen_secret", ApiSessionRequired(regenerateOAuthAppSecret)).Methods("POST") BaseRoutes.User.Handle("/oauth/apps/authorized", ApiSessionRequired(getAuthorizedOAuthApps)).Methods("GET") // API version independent OAuth 2.0 as a service provider endpoints BaseRoutes.Root.Handle("/oauth/authorize", ApiHandlerTrustRequester(authorizeOAuthPage)).Methods("GET") BaseRoutes.Root.Handle("/oauth/authorize", ApiSessionRequired(authorizeOAuthApp)).Methods("POST") BaseRoutes.Root.Handle("/oauth/deauthorize", ApiSessionRequired(deauthorizeOAuthApp)).Methods("POST") BaseRoutes.Root.Handle("/oauth/access_token", ApiHandlerTrustRequester(getAccessToken)).Methods("POST") // API version independent OAuth as a client endpoints BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/complete", ApiHandler(completeOAuth)).Methods("GET") BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/login", ApiHandler(loginWithOAuth)).Methods("GET") BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/mobile_login", ApiHandler(mobileLoginWithOAuth)).Methods("GET") BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/signup", ApiHandler(signupWithOAuth)).Methods("GET") // Old endpoints for backwards compatibility, needed to not break SSO for any old setups BaseRoutes.Root.Handle("/api/v3/oauth/{service:[A-Za-z0-9]+}/complete", ApiHandler(completeOAuth)).Methods("GET") BaseRoutes.Root.Handle("/signup/{service:[A-Za-z0-9]+}/complete", ApiHandler(completeOAuth)).Methods("GET") BaseRoutes.Root.Handle("/login/{service:[A-Za-z0-9]+}/complete", ApiHandler(completeOAuth)).Methods("GET") } func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { oauthApp := model.OAuthAppFromJson(r.Body) if oauthApp == nil { c.SetInvalidParam("oauth_app") return } if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) return } if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { oauthApp.IsTrusted = false } oauthApp.CreatorId = c.Session.UserId rapp, err := c.App.CreateOAuthApp(oauthApp) if err != nil { c.Err = err return } c.LogAudit("client_id=" + rapp.Id) w.WriteHeader(http.StatusCreated) w.Write([]byte(rapp.ToJson())) } func getOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) { if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { c.Err = model.NewAppError("getOAuthApps", "api.command.admin_only.app_error", nil, "", http.StatusForbidden) return } var apps []*model.OAuthApp var err *model.AppError if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) { apps, err = c.App.GetOAuthApps(c.Params.Page, c.Params.PerPage) } else if app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { apps, err = c.App.GetOAuthAppsByCreator(c.Session.UserId, c.Params.Page, c.Params.PerPage) } else { c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) return } if err != nil { c.Err = err return } w.Write([]byte(model.OAuthAppListToJson(apps))) } func getOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { c.RequireAppId() if c.Err != nil { return } if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) return } oauthApp, err := c.App.GetOAuthApp(c.Params.AppId) if err != nil { c.Err = err return } if oauthApp.CreatorId != c.Session.UserId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) { c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) return } w.Write([]byte(oauthApp.ToJson())) } func getOAuthAppInfo(c *Context, w http.ResponseWriter, r *http.Request) { c.RequireAppId() if c.Err != nil { return } oauthApp, err := c.App.GetOAuthApp(c.Params.AppId) if err != nil { c.Err = err return } oauthApp.Sanitize() w.Write([]byte(oauthApp.ToJson())) } func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { c.RequireAppId() if c.Err != nil { return } c.LogAudit("attempt") if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) return } oauthApp, err := c.App.GetOAuthApp(c.Params.AppId) if err != nil { c.Err = err return } if c.Session.UserId != oauthApp.CreatorId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) { c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) return } err = c.App.DeleteOAuthApp(oauthApp.Id) if err != nil { c.Err = err return } c.LogAudit("success") ReturnStatusOK(w) } func regenerateOAuthAppSecret(c *Context, w http.ResponseWriter, r *http.Request) { c.RequireAppId() if c.Err != nil { return } if !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) { c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH) return } oauthApp, err := c.App.GetOAuthApp(c.Params.AppId) if err != nil { c.Err = err return } if oauthApp.CreatorId != c.Session.UserId && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) { c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) return } oauthApp, err = c.App.RegenerateOAuthAppSecret(oauthApp) if err != nil { c.Err = err return } c.LogAudit("success") w.Write([]byte(oauthApp.ToJson())) } func getAuthorizedOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) { c.RequireUserId() if c.Err != nil { return } if !app.SessionHasPermissionToUser(c.Session, c.Params.UserId) { c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) return } apps, err := c.App.GetAuthorizedAppsForUser(c.Params.UserId, c.Params.Page, c.Params.PerPage) if err != nil { c.Err = err return } w.Write([]byte(model.OAuthAppListToJson(apps))) } func authorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { authRequest := model.AuthorizeRequestFromJson(r.Body) if authRequest == nil { c.SetInvalidParam("authorize_request") } if err := authRequest.IsValid(); err != nil { c.Err = err return } c.LogAudit("attempt") redirectUrl, err := c.App.AllowOAuthAppAccessToUser(c.Session.UserId, authRequest) if err != nil { c.Err = err return } c.LogAudit("") w.Write([]byte(model.MapToJson(map[string]string{"redirect": redirectUrl}))) } func deauthorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) { requestData := model.MapFromJson(r.Body) clientId := requestData["client_id"] if len(clientId) != 26 { c.SetInvalidParam("client_id") return } err := c.App.DeauthorizeOAuthAppForUser(c.Session.UserId, clientId) if err != nil { c.Err = err return } c.LogAudit("success") ReturnStatusOK(w) } func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) { if !utils.Cfg.ServiceSettings.EnableOAuthServiceProvider { err := model.NewAppError("authorizeOAuth", "api.oauth.authorize_oauth.disabled.app_error", nil, "", http.StatusNotImplemented) utils.RenderWebError(err, w, r) return } authRequest := &model.AuthorizeRequest{ ResponseType: r.URL.Query().Get("response_type"), ClientId: r.URL.Query().Get("client_id"), RedirectUri: r.URL.Query().Get("redirect_uri"), Scope: r.URL.Query().Get("scope"), State: r.URL.Query().Get("state"), } if err := authRequest.IsValid(); err != nil { utils.RenderWebError(err, w, r) return } oauthApp, err := c.App.GetOAuthApp(authRequest.ClientId) if err != nil { utils.RenderWebError(err, w, r) return } // here we should check if the user is logged in if len(c.Session.UserId) == 0 { http.Redirect(w, r, c.GetSiteURLHeader()+"/login?redirect_to="+url.QueryEscape(r.RequestURI), http.StatusFound) return } if !oauthApp.IsValidRedirectURL(authRequest.RedirectUri) { utils.RenderWebError(model.NewAppError("authorizeOAuthPage", "api.oauth.allow_oauth.redirect_callback.app_error", nil, "", http.StatusBadRequest), w, r) return } isAuthorized := false if _, err := c.App.GetPreferenceByCategoryAndNameForUser(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, authRequest.ClientId); err == nil { // when we support scopes we should check if the scopes match isAuthorized = true } // Automatically allow if the app is trusted if oauthApp.IsTrusted || isAuthorized { authRequest.ResponseType = model.AUTHCODE_RESPONSE_TYPE redirectUrl, err := c.App.AllowOAuthAppAccessToUser(c.Session.UserId, authRequest) if err != nil { utils.RenderWebError(err, w, r) return } http.Redirect(w, r, redirectUrl, http.StatusFound) return } w.Header().Set("X-Frame-Options", "SAMEORIGIN") w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'") w.Header().Set("Content-Type", "text/html; charset=utf-8") w.Header().Set("Cache-Control", "no-cache, max-age=31556926, public") staticDir, _ := utils.FindDir(model.CLIENT_DIR) http.ServeFile(w, r, staticDir+"root.html") } func getAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { r.ParseForm() code := r.FormValue("code") refreshToken := r.FormValue("refresh_token") grantType := r.FormValue("grant_type") switch grantType { case model.ACCESS_TOKEN_GRANT_TYPE: if len(code) == 0 { c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.missing_code.app_error", nil, "", http.StatusBadRequest) return } case model.REFRESH_TOKEN_GRANT_TYPE: if len(refreshToken) == 0 { c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.missing_refresh_token.app_error", nil, "", http.StatusBadRequest) return } default: c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.bad_grant.app_error", nil, "", http.StatusBadRequest) return } clientId := r.FormValue("client_id") if len(clientId) != 26 { c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.bad_client_id.app_error", nil, "", http.StatusBadRequest) return } secret := r.FormValue("client_secret") if len(secret) == 0 { c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.bad_client_secret.app_error", nil, "", http.StatusBadRequest) return } redirectUri := r.FormValue("redirect_uri") c.LogAudit("attempt") accessRsp, err := c.App.GetOAuthAccessToken(clientId, grantType, redirectUri, code, secret, refreshToken) if err != nil { c.Err = err return } w.Header().Set("Content-Type", "application/json") w.Header().Set("Cache-Control", "no-store") w.Header().Set("Pragma", "no-cache") c.LogAudit("success") w.Write([]byte(accessRsp.ToJson())) } func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) { c.RequireService() if c.Err != nil { return } service := c.Params.Service code := r.URL.Query().Get("code") if len(code) == 0 { http.Redirect(w, r, c.GetSiteURLHeader()+"/error?type=oauth_missing_code&service="+strings.Title(service), http.StatusTemporaryRedirect) return } state := r.URL.Query().Get("state") uri := c.GetSiteURLHeader() + "/signup/" + service + "/complete" body, teamId, props, err := c.App.AuthorizeOAuthUser(w, r, service, code, state, uri) action := "" if props != nil { action = props["action"] } if err != nil { err.Translate(c.T) l4g.Error(err.Error()) if action == model.OAUTH_ACTION_MOBILE { w.Write([]byte(err.ToJson())) } else { http.Redirect(w, r, c.GetSiteURLHeader()+"/error?message="+err.Message, http.StatusTemporaryRedirect) } return } user, err := c.App.CompleteOAuth(service, body, teamId, props) if err != nil { err.Translate(c.T) l4g.Error(err.Error()) if action == model.OAUTH_ACTION_MOBILE { w.Write([]byte(err.ToJson())) } else { http.Redirect(w, r, c.GetSiteURLHeader()+"/error?message="+err.Message, http.StatusTemporaryRedirect) } return } var redirectUrl string if action == model.OAUTH_ACTION_EMAIL_TO_SSO { redirectUrl = c.GetSiteURLHeader() + "/login?extra=signin_change" } else if action == model.OAUTH_ACTION_SSO_TO_EMAIL { redirectUrl = app.GetProtocol(r) + "://" + r.Host + "/claim?email=" + url.QueryEscape(props["email"]) } else { session, err := c.App.DoLogin(w, r, user, "") if err != nil { err.Translate(c.T) c.Err = err if action == model.OAUTH_ACTION_MOBILE { w.Write([]byte(err.ToJson())) } return } c.Session = *session redirectUrl = c.GetSiteURLHeader() } if action == model.OAUTH_ACTION_MOBILE { ReturnStatusOK(w) return } else { http.Redirect(w, r, redirectUrl, http.StatusTemporaryRedirect) } } func loginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { c.RequireService() if c.Err != nil { return } loginHint := r.URL.Query().Get("login_hint") redirectTo := r.URL.Query().Get("redirect_to") teamId, err := c.App.GetTeamIdFromQuery(r.URL.Query()) if err != nil { c.Err = err return } if authUrl, err := c.App.GetOAuthLoginEndpoint(w, r, c.Params.Service, teamId, model.OAUTH_ACTION_LOGIN, redirectTo, loginHint); err != nil { c.Err = err return } else { http.Redirect(w, r, authUrl, http.StatusFound) } } func mobileLoginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { c.RequireService() if c.Err != nil { return } teamId, err := c.App.GetTeamIdFromQuery(r.URL.Query()) if err != nil { c.Err = err return } if authUrl, err := c.App.GetOAuthLoginEndpoint(w, r, c.Params.Service, teamId, model.OAUTH_ACTION_MOBILE, "", ""); err != nil { c.Err = err return } else { http.Redirect(w, r, authUrl, http.StatusFound) } } func signupWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) { c.RequireService() if c.Err != nil { return } if !utils.Cfg.TeamSettings.EnableUserCreation { c.Err = model.NewAppError("signupWithOAuth", "api.oauth.singup_with_oauth.disabled.app_error", nil, "", http.StatusNotImplemented) return } teamId, err := c.App.GetTeamIdFromQuery(r.URL.Query()) if err != nil { c.Err = err return } if authUrl, err := c.App.GetOAuthSignupEndpoint(w, r, c.Params.Service, teamId); err != nil { c.Err = err return } else { http.Redirect(w, r, authUrl, http.StatusFound) } }