dendrite/clientapi/auth/auth.go

// Copyright 2017 Vector Creations Ltd
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package auth implements authentication checks and storage.
package auth

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"

	"github.com/matrix-org/dendrite/clientapi/jsonerror"
	"github.com/matrix-org/dendrite/userapi/api"
	"github.com/matrix-org/util"
)

// OWASP recommends at least 128 bits of entropy for tokens: https://www.owasp.org/index.php/Insufficient_Session-ID_Length
// 32 bytes => 256 bits
var tokenByteLength = 32

// DeviceDatabase represents a device database.
type DeviceDatabase interface {
	// Look up the device matching the given access token.
	GetDeviceByAccessToken(ctx context.Context, token string) (*api.Device, error)
}

// AccountDatabase represents an account database.
type AccountDatabase interface {
	// Look up the account matching the given localpart.
	GetAccountByLocalpart(ctx context.Context, localpart string) (*api.Account, error)
	GetAccountByPassword(ctx context.Context, localpart, password string) (*api.Account, error)
}

// VerifyUserFromRequest authenticates the HTTP request,
// on success returns Device of the requester.
// Finds local user or an application service user.
// Note: For an AS user, AS dummy device is returned.
// On failure returns an JSON error response which can be sent to the client.
func VerifyUserFromRequest(
	req *http.Request, userAPI api.QueryAcccessTokenAPI,
) (*api.Device, *util.JSONResponse) {
	// Try to find the Application Service user
	token, err := ExtractAccessToken(req)
	if err != nil {
		return nil, &util.JSONResponse{
			Code: http.StatusUnauthorized,
			JSON: jsonerror.MissingToken(err.Error()),
		}
	}
	var res api.QueryAccessTokenResponse
	err = userAPI.QueryAccessToken(req.Context(), &api.QueryAccessTokenRequest{
		AccessToken:      token,
		AppServiceUserID: req.URL.Query().Get("user_id"),
	}, &res)
	if err != nil {
		util.GetLogger(req.Context()).WithError(err).Error("userAPI.QueryAccessToken failed")
		jsonErr := jsonerror.InternalServerError()
		return nil, &jsonErr
	}
	if res.Err != "" {
		if strings.HasPrefix(strings.ToLower(res.Err), "forbidden:") { // TODO: use actual error and no string comparison
			return nil, &util.JSONResponse{
				Code: http.StatusForbidden,
				JSON: jsonerror.Forbidden(res.Err),
			}
		}
	}
	if res.Device == nil {
		return nil, &util.JSONResponse{
			Code: http.StatusUnauthorized,
			JSON: jsonerror.UnknownToken("Unknown token"),
		}
	}
	return res.Device, nil
}

// GenerateAccessToken creates a new access token. Returns an error if failed to generate
// random bytes.
func GenerateAccessToken() (string, error) {
	b := make([]byte, tokenByteLength)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	// url-safe no padding
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// ExtractAccessToken from a request, or return an error detailing what went wrong. The
// error message MUST be human-readable and comprehensible to the client.
func ExtractAccessToken(req *http.Request) (string, error) {
	// cf https://github.com/matrix-org/synapse/blob/v0.19.2/synapse/api/auth.py#L631
	authBearer := req.Header.Get("Authorization")
	queryToken := req.URL.Query().Get("access_token")
	if authBearer != "" && queryToken != "" {
		return "", fmt.Errorf("mixing Authorization headers and access_token query parameters")
	}

	if queryToken != "" {
		return queryToken, nil
	}

	if authBearer != "" {
		parts := strings.SplitN(authBearer, " ", 2)
		if len(parts) != 2 || parts[0] != "Bearer" {
			return "", fmt.Errorf("invalid Authorization header")
		}
		return parts[1], nil
	}

	return "", fmt.Errorf("missing access token")
}
Add Apache Version 2.0 license and headers to all golang files 2017-04-21 00:40:52 +02:00			`// Copyright 2017 Vector Creations Ltd`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

Glue together devices and auth with the current HTTP code (#117) - Renamed `clientapi/auth/types` to `clientapi/auth/authtypes` for the same horrible namespace clashing reasons as `storage`. - Factored out `makeAPI` to `common`. - Added in `makeAuthAPI`. 2017-05-23 18:43:05 +02:00			`// Package auth implements authentication checks and storage.`
Extract access tokens from HTTP requests (#15) 2017-03-07 14:43:32 +01:00			`package auth`

			`import (`
Add contexts to device database (#233) * Add contexts to device database * Remove spurious whitespace 2017-09-18 16:51:26 +02:00			`"context"`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00			`"crypto/rand"`
			`"encoding/base64"`
Extract access tokens from HTTP requests (#15) 2017-03-07 14:43:32 +01:00			`"fmt"`
			`"net/http"`
			`"strings"`

			`"github.com/matrix-org/dendrite/clientapi/jsonerror"`
Make userapi responsible for checking access tokens (#1133) * Make userapi responsible for checking access tokens There's still plenty of dependencies on account/device DBs, but this is a start. This is a breaking change as it adds a required config value `listen.user_api`. * Cleanup * Review comments and test fix 2020-06-16 15:10:55 +02:00			`"github.com/matrix-org/dendrite/userapi/api"`
Extract access tokens from HTTP requests (#15) 2017-03-07 14:43:32 +01:00			`"github.com/matrix-org/util"`
			`)`

Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00			`// OWASP recommends at least 128 bits of entropy for tokens: https://www.owasp.org/index.php/Insufficient_Session-ID_Length`
			`// 32 bytes => 256 bits`
			`var tokenByteLength = 32`

Factor out runTransaction to common code (#162) 2017-07-17 18:20:57 +02:00			`// DeviceDatabase represents a device database.`
			`type DeviceDatabase interface {`
Add query API for listing active invites (#196) * Add query API for listing active invites This lists the invites for a user in a room that could be used to join the room over federation. * s/Lookup/Look up/ * Fix implements comments 2017-08-23 16:08:48 +02:00			`// Look up the device matching the given access token.`
Make userapi responsible for checking access tokens (#1133) * Make userapi responsible for checking access tokens There's still plenty of dependencies on account/device DBs, but this is a start. This is a breaking change as it adds a required config value `listen.user_api`. * Cleanup * Review comments and test fix 2020-06-16 15:10:55 +02:00			`GetDeviceByAccessToken(ctx context.Context, token string) (*api.Device, error)`
Factor out runTransaction to common code (#162) 2017-07-17 18:20:57 +02:00			`}`

Add app service authentication functions (#433) * Add support for AS ?user= parameter in auth Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Fix typo 2018-06-01 13:16:19 +02:00			`// AccountDatabase represents an account database.`
			`type AccountDatabase interface {`
			`// Look up the account matching the given localpart.`
Make userapi control account creation entirely (#1139) This makes a chokepoint with which we can finally fix 'database is locked' errors on sqlite during account creation 2020-06-17 12:22:26 +02:00			`GetAccountByLocalpart(ctx context.Context, localpart string) (*api.Account, error)`
Support for `m.login.token` (#2014) * Add GOPATH to PATH in find-lint.sh. The user doesn't necessarily have it in PATH. * Refactor LoginTypePassword and Type to support m.login.token and m.login.sso. For login token: * m.login.token will require deleting the token after completeAuth has generated an access token, so a cleanup function is returned by Type.Login. * Allowing different login types will require parsing the /login body twice: first to extract the "type" and then the type-specific parsing. Thus, we will have to buffer the request JSON in /login, like UserInteractive already does. For SSO: * NewUserInteractive will have to also use GetAccountByLocalpart. It makes more sense to just pass a (narrowed-down) accountDB interface to it than adding more function pointers. Code quality: * Passing around (and down-casting) interface{} for login request types has drawbacks in terms of type-safety, and no inherent benefits. We always decode JSON anyway. Hence renaming to Type.LoginFromJSON. Code that directly uses LoginTypePassword with parsed data can still use Login. * Removed a TODO for SSO. This is already tracked in #1297. * httputil.UnmarshalJSON is useful because it returns a JSONResponse. This change is intended to have no functional changes. * Support login tokens in User API. This adds full lifecycle functions for login tokens: create, query, delete. * Support m.login.token in /login. * Fixes for PR review. * Set @matrix-org/dendrite-core as repository code owner * Return event NID from `StoreEvent`, match PSQL vs SQLite behaviour, tweak backfill persistence (#2071) Co-authored-by: kegsay <kegan@matrix.org> Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com> 2022-02-10 11:27:26 +01:00			`GetAccountByPassword(ctx context.Context, localpart, password string) (*api.Account, error)`
Add app service authentication functions (#433) * Add support for AS ?user= parameter in auth Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Fix typo 2018-06-01 13:16:19 +02:00			`}`

			`// VerifyUserFromRequest authenticates the HTTP request,`
Add AS support to common.MakeAuthAPI (#427) * Add AS support to MakeAuthAPI Make clientapi utilize the same Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Add user parameter support to MakeAuthAPI * Make VerifyAccessToken private, let VerifyUserFromRequest return the device if present * Make a dummy device for AS users * Refactor arguments into auth.Data * Update routing of all components * Update code comment * Use const AppServiceDeviceID * Handle cases when AS is not masquerading 2018-07-17 00:17:03 +02:00			`// on success returns Device of the requester.`
Add app service authentication functions (#433) * Add support for AS ?user= parameter in auth Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Fix typo 2018-06-01 13:16:19 +02:00			`// Finds local user or an application service user.`
Add AS support to common.MakeAuthAPI (#427) * Add AS support to MakeAuthAPI Make clientapi utilize the same Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Add user parameter support to MakeAuthAPI * Make VerifyAccessToken private, let VerifyUserFromRequest return the device if present * Make a dummy device for AS users * Refactor arguments into auth.Data * Update routing of all components * Update code comment * Use const AppServiceDeviceID * Handle cases when AS is not masquerading 2018-07-17 00:17:03 +02:00			`// Note: For an AS user, AS dummy device is returned.`
Add app service authentication functions (#433) * Add support for AS ?user= parameter in auth Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Fix typo 2018-06-01 13:16:19 +02:00			`// On failure returns an JSON error response which can be sent to the client.`
			`func VerifyUserFromRequest(`
syncapi: define specific interfaces for internal HTTP communications (#2416) * syncapi: use finer-grained interfaces when making the syncapi * Use specific interfaces for syncapi-roomserver interactions * Define query access token api for shared http auth code 2022-05-05 10:56:03 +02:00			`req *http.Request, userAPI api.QueryAcccessTokenAPI,`
Make userapi responsible for checking access tokens (#1133) * Make userapi responsible for checking access tokens There's still plenty of dependencies on account/device DBs, but this is a start. This is a breaking change as it adds a required config value `listen.user_api`. * Cleanup * Review comments and test fix 2020-06-16 15:10:55 +02:00			`) (api.Device, util.JSONResponse) {`
Add app service authentication functions (#433) * Add support for AS ?user= parameter in auth Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Fix typo 2018-06-01 13:16:19 +02:00			`// Try to find the Application Service user`
Handle AS with auth header (#548) * Handle AS with auth header * fix lint (gocyclo) 2018-07-23 15:40:35 +02:00			`token, err := ExtractAccessToken(req)`
Add app service authentication functions (#433) * Add support for AS ?user= parameter in auth Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Fix typo 2018-06-01 13:16:19 +02:00			`if err != nil {`
Add AS support to common.MakeAuthAPI (#427) * Add AS support to MakeAuthAPI Make clientapi utilize the same Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Add user parameter support to MakeAuthAPI * Make VerifyAccessToken private, let VerifyUserFromRequest return the device if present * Make a dummy device for AS users * Refactor arguments into auth.Data * Update routing of all components * Update code comment * Use const AppServiceDeviceID * Handle cases when AS is not masquerading 2018-07-17 00:17:03 +02:00			`return nil, &util.JSONResponse{`
Add app service authentication functions (#433) * Add support for AS ?user= parameter in auth Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Fix typo 2018-06-01 13:16:19 +02:00			`Code: http.StatusUnauthorized,`
			`JSON: jsonerror.MissingToken(err.Error()),`
			`}`
			`}`
Make userapi responsible for checking access tokens (#1133) * Make userapi responsible for checking access tokens There's still plenty of dependencies on account/device DBs, but this is a start. This is a breaking change as it adds a required config value `listen.user_api`. * Cleanup * Review comments and test fix 2020-06-16 15:10:55 +02:00			`var res api.QueryAccessTokenResponse`
			`err = userAPI.QueryAccessToken(req.Context(), &api.QueryAccessTokenRequest{`
			`AccessToken: token,`
			`AppServiceUserID: req.URL.Query().Get("user_id"),`
			`}, &res)`
			`if err != nil {`
			`util.GetLogger(req.Context()).WithError(err).Error("userAPI.QueryAccessToken failed")`
			`jsonErr := jsonerror.InternalServerError()`
			`return nil, &jsonErr`
Add app service authentication functions (#433) * Add support for AS ?user= parameter in auth Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Fix typo 2018-06-01 13:16:19 +02:00			`}`
Add missing HTTP mode for userapi (#1982) * Add missing internal api endpoint Signed-off-by: Till Faelligen <tfaelligen@gmail.com> * Add missing performKeyBackup endpoint * Add missing http mode for userapi * Fix failing tests * Add error checks * Fix sytest * Update startup logic for HTTP mode * Use userImpl for AS (annoying) * Don't send device list updates for appservice devices * Fix build Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com> 2021-12-03 18:18:35 +01:00			`if res.Err != "" {`
			`if strings.HasPrefix(strings.ToLower(res.Err), "forbidden:") { // TODO: use actual error and no string comparison`
Add AS support to common.MakeAuthAPI (#427) * Add AS support to MakeAuthAPI Make clientapi utilize the same Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Add user parameter support to MakeAuthAPI * Make VerifyAccessToken private, let VerifyUserFromRequest return the device if present * Make a dummy device for AS users * Refactor arguments into auth.Data * Update routing of all components * Update code comment * Use const AppServiceDeviceID * Handle cases when AS is not masquerading 2018-07-17 00:17:03 +02:00			`return nil, &util.JSONResponse{`
			`Code: http.StatusForbidden,`
Add missing HTTP mode for userapi (#1982) * Add missing internal api endpoint Signed-off-by: Till Faelligen <tfaelligen@gmail.com> * Add missing performKeyBackup endpoint * Add missing http mode for userapi * Fix failing tests * Add error checks * Fix sytest * Update startup logic for HTTP mode * Use userImpl for AS (annoying) * Don't send device list updates for appservice devices * Fix build Co-authored-by: Neil Alexander <neilalexander@users.noreply.github.com> 2021-12-03 18:18:35 +01:00			`JSON: jsonerror.Forbidden(res.Err),`
Add AS support to common.MakeAuthAPI (#427) * Add AS support to MakeAuthAPI Make clientapi utilize the same Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Add user parameter support to MakeAuthAPI * Make VerifyAccessToken private, let VerifyUserFromRequest return the device if present * Make a dummy device for AS users * Refactor arguments into auth.Data * Update routing of all components * Update code comment * Use const AppServiceDeviceID * Handle cases when AS is not masquerading 2018-07-17 00:17:03 +02:00			`}`
Add app service authentication functions (#433) * Add support for AS ?user= parameter in auth Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Fix typo 2018-06-01 13:16:19 +02:00			`}`
Ensure appservices have their devices checked (#554) The regular device check will return the device for the appservice's bot user instead of going through the user_id branch. The check has been moved to below the user_id check to ensure the right virtual user's device is chosen. 2019-03-21 15:48:21 +01:00			`}`
Make userapi responsible for checking access tokens (#1133) * Make userapi responsible for checking access tokens There's still plenty of dependencies on account/device DBs, but this is a start. This is a breaking change as it adds a required config value `listen.user_api`. * Cleanup * Review comments and test fix 2020-06-16 15:10:55 +02:00			`if res.Device == nil {`
			`return nil, &util.JSONResponse{`
Use http.Status* and http.Method* where appropriate (#417) Signed-off-by: Scott Raine <me@nylar.io> 2018-03-13 16:55:45 +01:00			`Code: http.StatusUnauthorized,`
Make userapi responsible for checking access tokens (#1133) * Make userapi responsible for checking access tokens There's still plenty of dependencies on account/device DBs, but this is a start. This is a breaking change as it adds a required config value `listen.user_api`. * Cleanup * Review comments and test fix 2020-06-16 15:10:55 +02:00			`JSON: jsonerror.UnknownToken("Unknown token"),`
Glue together devices and auth with the current HTTP code (#117) - Renamed `clientapi/auth/types` to `clientapi/auth/authtypes` for the same horrible namespace clashing reasons as `storage`. - Factored out `makeAPI` to `common`. - Added in `makeAuthAPI`. 2017-05-23 18:43:05 +02:00			`}`
Extract access tokens from HTTP requests (#15) 2017-03-07 14:43:32 +01:00			`}`
Make userapi responsible for checking access tokens (#1133) * Make userapi responsible for checking access tokens There's still plenty of dependencies on account/device DBs, but this is a start. This is a breaking change as it adds a required config value `listen.user_api`. * Cleanup * Review comments and test fix 2020-06-16 15:10:55 +02:00			`return res.Device, nil`
Extract access tokens from HTTP requests (#15) 2017-03-07 14:43:32 +01:00			`}`

Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00			`// GenerateAccessToken creates a new access token. Returns an error if failed to generate`
			`// random bytes.`
			`func GenerateAccessToken() (string, error) {`
			`b := make([]byte, tokenByteLength)`
			`if _, err := rand.Read(b); err != nil {`
			`return "", err`
			`}`
			`// url-safe no padding`
			`return base64.RawURLEncoding.EncodeToString(b), nil`
			`}`

Handle AS with auth header (#548) * Handle AS with auth header * fix lint (gocyclo) 2018-07-23 15:40:35 +02:00			`// ExtractAccessToken from a request, or return an error detailing what went wrong. The`
Extract access tokens from HTTP requests (#15) 2017-03-07 14:43:32 +01:00			`// error message MUST be human-readable and comprehensible to the client.`
Handle AS with auth header (#548) * Handle AS with auth header * fix lint (gocyclo) 2018-07-23 15:40:35 +02:00			`func ExtractAccessToken(req *http.Request) (string, error) {`
Extract access tokens from HTTP requests (#15) 2017-03-07 14:43:32 +01:00			`// cf https://github.com/matrix-org/synapse/blob/v0.19.2/synapse/api/auth.py#L631`
			`authBearer := req.Header.Get("Authorization")`
			`queryToken := req.URL.Query().Get("access_token")`
			`if authBearer != "" && queryToken != "" {`
			`return "", fmt.Errorf("mixing Authorization headers and access_token query parameters")`
			`}`

			`if queryToken != "" {`
			`return queryToken, nil`
			`}`

			`if authBearer != "" {`
			`parts := strings.SplitN(authBearer, " ", 2)`
			`if len(parts) != 2 \|\| parts[0] != "Bearer" {`
			`return "", fmt.Errorf("invalid Authorization header")`
			`}`
			`return parts[1], nil`
			`}`

			`return "", fmt.Errorf("missing access token")`
			`}`