dendrite/clientapi/routing/login.go

// Copyright 2017 Vector Creations Ltd
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package routing

import (
	"net/http"

	"context"

	"github.com/matrix-org/dendrite/clientapi/auth"
	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
	"github.com/matrix-org/dendrite/clientapi/auth/storage/accounts"
	"github.com/matrix-org/dendrite/clientapi/auth/storage/devices"
	"github.com/matrix-org/dendrite/clientapi/httputil"
	"github.com/matrix-org/dendrite/clientapi/jsonerror"
	"github.com/matrix-org/dendrite/clientapi/userutil"
	"github.com/matrix-org/dendrite/common/config"
	"github.com/matrix-org/gomatrixserverlib"
	"github.com/matrix-org/util"
)

type loginFlows struct {
	Flows []flow `json:"flows"`
}

type flow struct {
	Type   string   `json:"type"`
	Stages []string `json:"stages"`
}

type passwordRequest struct {
	User     string `json:"user"`
	Password string `json:"password"`
	// Both DeviceID and InitialDisplayName can be omitted, or empty strings ("")
	// Thus a pointer is needed to differentiate between the two
	InitialDisplayName *string `json:"initial_device_display_name"`
	DeviceID           *string `json:"device_id"`
}

type loginResponse struct {
	UserID      string                       `json:"user_id"`
	AccessToken string                       `json:"access_token"`
	HomeServer  gomatrixserverlib.ServerName `json:"home_server"`
	DeviceID    string                       `json:"device_id"`
}

func passwordLogin() loginFlows {
	f := loginFlows{}
	s := flow{"m.login.password", []string{"m.login.password"}}
	f.Flows = append(f.Flows, s)
	return f
}

// Login implements GET and POST /login
func Login(
	req *http.Request, accountDB *accounts.Database, deviceDB *devices.Database,
	cfg config.Dendrite,
) util.JSONResponse {
	if req.Method == http.MethodGet { // TODO: support other forms of login other than password, depending on config options
		return util.JSONResponse{
			Code: http.StatusOK,
			JSON: passwordLogin(),
		}
	} else if req.Method == http.MethodPost {
		var r passwordRequest
		resErr := httputil.UnmarshalJSONRequest(req, &r)
		if resErr != nil {
			return *resErr
		}
		if r.User == "" {
			return util.JSONResponse{
				Code: http.StatusBadRequest,
				JSON: jsonerror.BadJSON("'user' must be supplied."),
			}
		}

		util.GetLogger(req.Context()).WithField("user", r.User).Info("Processing login request")

		localpart, err := userutil.ParseUsernameParam(r.User, &cfg.Matrix.ServerName)
		if err != nil {
			return util.JSONResponse{
				Code: http.StatusBadRequest,
				JSON: jsonerror.InvalidUsername(err.Error()),
			}
		}

		acc, err := accountDB.GetAccountByPassword(req.Context(), localpart, r.Password)
		if err != nil {
			// Technically we could tell them if the user does not exist by checking if err == sql.ErrNoRows
			// but that would leak the existence of the user.
			return util.JSONResponse{
				Code: http.StatusForbidden,
				JSON: jsonerror.Forbidden("username or password was incorrect, or the account does not exist"),
			}
		}

		token, err := auth.GenerateAccessToken()
		if err != nil {
			return httputil.LogThenError(req, err)
		}

		dev, err := getDevice(req.Context(), r, deviceDB, acc, token)
		if err != nil {
			return util.JSONResponse{
				Code: http.StatusInternalServerError,
				JSON: jsonerror.Unknown("failed to create device: " + err.Error()),
			}
		}

		return util.JSONResponse{
			Code: http.StatusOK,
			JSON: loginResponse{
				UserID:      dev.UserID,
				AccessToken: dev.AccessToken,
				HomeServer:  cfg.Matrix.ServerName,
				DeviceID:    dev.ID,
			},
		}
	}
	return util.JSONResponse{
		Code: http.StatusMethodNotAllowed,
		JSON: jsonerror.NotFound("Bad method"),
	}
}

// getDevice returns a new or existing device
func getDevice(
	ctx context.Context,
	r passwordRequest,
	deviceDB *devices.Database,
	acc *authtypes.Account,
	token string,
) (dev *authtypes.Device, err error) {
	dev, err = deviceDB.CreateDevice(
		ctx, acc.Localpart, r.DeviceID, token, r.InitialDisplayName,
	)
	return
}
Add Apache Version 2.0 license and headers to all golang files 2017-04-21 00:40:52 +02:00			`// Copyright 2017 Vector Creations Ltd`
			`//`
			`// Licensed under the Apache License, Version 2.0 (the "License");`
			`// you may not use this file except in compliance with the License.`
			`// You may obtain a copy of the License at`
			`//`
			`// http://www.apache.org/licenses/LICENSE-2.0`
			`//`
			`// Unless required by applicable law or agreed to in writing, software`
			`// distributed under the License is distributed on an "AS IS" BASIS,`
			`// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`// See the License for the specific language governing permissions and`
			`// limitations under the License.`

Merge readers/writers/routing packages (#295) The HTTP handlers in the components are split into reader and writer directories. This was a fairly arbitrary distinction, and turns out to not be so helpful. Most read APIs have a corresponding write API, and it is more natural for them to be in the same file rather than in different directories. 2017-10-11 19:16:53 +02:00			`package routing`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00
			`import (`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00			`"net/http"`

return same device as sent from client if it exists in db (#414) Signed-off-by: mohit kumar singh <mohitkumarsingh907@gmail.com> 2018-08-20 11:22:06 +02:00			`"context"`
Fix pipeline, emoji and syntax (#713) Fixes #697 Switched to golangci-lint, fixes issues with buildkite and does some linting fixes to appease the new linters. 2019-06-19 15:05:03 +02:00
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00			`"github.com/matrix-org/dendrite/clientapi/auth"`
return same device as sent from client if it exists in db (#414) Signed-off-by: mohit kumar singh <mohitkumarsingh907@gmail.com> 2018-08-20 11:22:06 +02:00			`"github.com/matrix-org/dendrite/clientapi/auth/authtypes"`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00			`"github.com/matrix-org/dendrite/clientapi/auth/storage/accounts"`
			`"github.com/matrix-org/dendrite/clientapi/auth/storage/devices"`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00			`"github.com/matrix-org/dendrite/clientapi/httputil"`
			`"github.com/matrix-org/dendrite/clientapi/jsonerror"`
Refactor username parsing function of clientapi:login (#432) * Refactor username parse function of login Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Add tests for userutil Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> 2018-04-20 16:52:21 +02:00			`"github.com/matrix-org/dendrite/clientapi/userutil"`
Replace the cmd specific config with common config. (#144) * Move all the dendrite config in to a single place * Add tests for config parsing * replace syncserver config with common config * Replace client API config with common config * Replace federation API config with common config * Replace media api config with common config * Replace room server config with common config * Remove unused readKey function * Fix the integration tests * Comment on hardcoding roomserver to HTTP * Add a method for getting RoomServerURL This moves the hardcoding of HTTPs into one place. 2017-06-19 16:21:04 +02:00			`"github.com/matrix-org/dendrite/common/config"`
Update gomatrixserverlib (#90) 2017-05-05 18:43:42 +02:00			`"github.com/matrix-org/gomatrixserverlib"`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00			`"github.com/matrix-org/util"`
			`)`

			`type loginFlows struct {`
			Flows []flow `json:"flows"`
			`}`

			`type flow struct {`
			Type string `json:"type"`
			Stages []string `json:"stages"`
			`}`

			`type passwordRequest struct {`
Correctly create new device when device_id is passed to /login (#753) Fixes https://github.com/matrix-org/dendrite/issues/401 Currently when passing a `device_id` parameter to `/login`, which is [supposed](https://matrix.org/docs/spec/client_server/unstable#post-matrix-client-r0-login) to return a device with that ID set, it instead just generates a random `device_id` and hands that back to you. The code was already there to do this correctly, it looks like it had just been broken during some change. Hopefully sytest will prevent this from becoming broken again. 2019-07-22 16:05:38 +02:00			User string `json:"user"`
			Password string `json:"password"`
			`// Both DeviceID and InitialDisplayName can be omitted, or empty strings ("")`
			`// Thus a pointer is needed to differentiate between the two`
Add device display names (#319) 2017-11-14 10:59:02 +01:00			InitialDisplayName *string `json:"initial_device_display_name"`
Correctly create new device when device_id is passed to /login (#753) Fixes https://github.com/matrix-org/dendrite/issues/401 Currently when passing a `device_id` parameter to `/login`, which is [supposed](https://matrix.org/docs/spec/client_server/unstable#post-matrix-client-r0-login) to return a device with that ID set, it instead just generates a random `device_id` and hands that back to you. The code was already there to do this correctly, it looks like it had just been broken during some change. Hopefully sytest will prevent this from becoming broken again. 2019-07-22 16:05:38 +02:00			DeviceID *string `json:"device_id"`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00			`}`

			`type loginResponse struct {`
Update gomatrixserverlib (#90) 2017-05-05 18:43:42 +02:00			UserID string `json:"user_id"`
			AccessToken string `json:"access_token"`
			HomeServer gomatrixserverlib.ServerName `json:"home_server"`
Generate new devices for each new /login (#281) 2017-10-10 11:40:52 +02:00			DeviceID string `json:"device_id"`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00			`}`

			`func passwordLogin() loginFlows {`
			`f := loginFlows{}`
			`s := flow{"m.login.password", []string{"m.login.password"}}`
			`f.Flows = append(f.Flows, s)`
			`return f`
			`}`

			`// Login implements GET and POST /login`
Replace the cmd specific config with common config. (#144) * Move all the dendrite config in to a single place * Add tests for config parsing * replace syncserver config with common config * Replace client API config with common config * Replace federation API config with common config * Replace media api config with common config * Replace room server config with common config * Remove unused readKey function * Fix the integration tests * Comment on hardcoding roomserver to HTTP * Add a method for getting RoomServerURL This moves the hardcoding of HTTPs into one place. 2017-06-19 16:21:04 +02:00			`func Login(`
			`req http.Request, accountDB accounts.Database, deviceDB *devices.Database,`
			`cfg config.Dendrite,`
			`) util.JSONResponse {`
Use http.Status* and http.Method* where appropriate (#417) Signed-off-by: Scott Raine <me@nylar.io> 2018-03-13 16:55:45 +01:00			`if req.Method == http.MethodGet { // TODO: support other forms of login other than password, depending on config options`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00			`return util.JSONResponse{`
Use http.Status* and http.Method* where appropriate (#417) Signed-off-by: Scott Raine <me@nylar.io> 2018-03-13 16:55:45 +01:00			`Code: http.StatusOK,`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00			`JSON: passwordLogin(),`
			`}`
Use http.Status* and http.Method* where appropriate (#417) Signed-off-by: Scott Raine <me@nylar.io> 2018-03-13 16:55:45 +01:00			`} else if req.Method == http.MethodPost {`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00			`var r passwordRequest`
			`resErr := httputil.UnmarshalJSONRequest(req, &r)`
			`if resErr != nil {`
			`return *resErr`
			`}`
			`if r.User == "" {`
			`return util.JSONResponse{`
Use http.Status* and http.Method* where appropriate (#417) Signed-off-by: Scott Raine <me@nylar.io> 2018-03-13 16:55:45 +01:00			`Code: http.StatusBadRequest,`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00			`JSON: jsonerror.BadJSON("'user' must be supplied."),`
			`}`
			`}`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00
			`util.GetLogger(req.Context()).WithField("user", r.User).Info("Processing login request")`

Refactor username parsing function of clientapi:login (#432) * Refactor username parse function of login Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> * Add tests for userutil Signed-off-by: Anant Prakash <anantprakashjsr@gmail.com> 2018-04-20 16:52:21 +02:00			`localpart, err := userutil.ParseUsernameParam(r.User, &cfg.Matrix.ServerName)`
			`if err != nil {`
			`return util.JSONResponse{`
			`Code: http.StatusBadRequest,`
			`JSON: jsonerror.InvalidUsername(err.Error()),`
Make login support logging in via user id (#260) 2017-09-22 18:08:16 +02:00			`}`
			`}`

			`acc, err := accountDB.GetAccountByPassword(req.Context(), localpart, r.Password)`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00			`if err != nil {`
			`// Technically we could tell them if the user does not exist by checking if err == sql.ErrNoRows`
			`// but that would leak the existence of the user.`
			`return util.JSONResponse{`
Use http.Status* and http.Method* where appropriate (#417) Signed-off-by: Scott Raine <me@nylar.io> 2018-03-13 16:55:45 +01:00			`Code: http.StatusForbidden,`
Fix typo (#402) accouqnt -> account Signed-off-by: Andrew Morgan (https://amorgan.xyz) <andrew@amorgan.xyz> 2018-03-02 10:08:02 +01:00			`JSON: jsonerror.Forbidden("username or password was incorrect, or the account does not exist"),`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00			`}`
			`}`

			`token, err := auth.GenerateAccessToken()`
			`if err != nil {`
Add back missing returns for httputil.LogThenError calls (#730) Signed-off-by: Alex Chen <minecnly@gmail.com> 2019-07-09 18:33:52 +02:00			`return httputil.LogThenError(req, err)`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00			`}`

Correctly create new device when device_id is passed to /login (#753) Fixes https://github.com/matrix-org/dendrite/issues/401 Currently when passing a `device_id` parameter to `/login`, which is [supposed](https://matrix.org/docs/spec/client_server/unstable#post-matrix-client-r0-login) to return a device with that ID set, it instead just generates a random `device_id` and hands that back to you. The code was already there to do this correctly, it looks like it had just been broken during some change. Hopefully sytest will prevent this from becoming broken again. 2019-07-22 16:05:38 +02:00			`dev, err := getDevice(req.Context(), r, deviceDB, acc, token)`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00			`if err != nil {`
			`return util.JSONResponse{`
Use http.Status* and http.Method* where appropriate (#417) Signed-off-by: Scott Raine <me@nylar.io> 2018-03-13 16:55:45 +01:00			`Code: http.StatusInternalServerError,`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00			`JSON: jsonerror.Unknown("failed to create device: " + err.Error()),`
			`}`
			`}`

Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00			`return util.JSONResponse{`
Use http.Status* and http.Method* where appropriate (#417) Signed-off-by: Scott Raine <me@nylar.io> 2018-03-13 16:55:45 +01:00			`Code: http.StatusOK,`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00			`JSON: loginResponse{`
Hook up registration/login APIs and implement access token generation (#122) 2017-05-30 18:51:40 +02:00			`UserID: dev.UserID,`
			`AccessToken: dev.AccessToken,`
Replace the cmd specific config with common config. (#144) * Move all the dendrite config in to a single place * Add tests for config parsing * replace syncserver config with common config * Replace client API config with common config * Replace federation API config with common config * Replace media api config with common config * Replace room server config with common config * Remove unused readKey function * Fix the integration tests * Comment on hardcoding roomserver to HTTP * Add a method for getting RoomServerURL This moves the hardcoding of HTTPs into one place. 2017-06-19 16:21:04 +02:00			`HomeServer: cfg.Matrix.ServerName,`
Generate new devices for each new /login (#281) 2017-10-10 11:40:52 +02:00			`DeviceID: dev.ID,`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00			`},`
			`}`
			`}`
			`return util.JSONResponse{`
Use http.Status* and http.Method* where appropriate (#417) Signed-off-by: Scott Raine <me@nylar.io> 2018-03-13 16:55:45 +01:00			`Code: http.StatusMethodNotAllowed,`
Make it possible to point Riot at Dendrite (#74) 2017-04-20 18:11:53 +02:00			`JSON: jsonerror.NotFound("Bad method"),`
			`}`
			`}`
return same device as sent from client if it exists in db (#414) Signed-off-by: mohit kumar singh <mohitkumarsingh907@gmail.com> 2018-08-20 11:22:06 +02:00
Correctly create new device when device_id is passed to /login (#753) Fixes https://github.com/matrix-org/dendrite/issues/401 Currently when passing a `device_id` parameter to `/login`, which is [supposed](https://matrix.org/docs/spec/client_server/unstable#post-matrix-client-r0-login) to return a device with that ID set, it instead just generates a random `device_id` and hands that back to you. The code was already there to do this correctly, it looks like it had just been broken during some change. Hopefully sytest will prevent this from becoming broken again. 2019-07-22 16:05:38 +02:00			`// getDevice returns a new or existing device`
return same device as sent from client if it exists in db (#414) Signed-off-by: mohit kumar singh <mohitkumarsingh907@gmail.com> 2018-08-20 11:22:06 +02:00			`func getDevice(`
			`ctx context.Context,`
			`r passwordRequest,`
			`deviceDB *devices.Database,`
			`acc *authtypes.Account,`
Correctly create new device when device_id is passed to /login (#753) Fixes https://github.com/matrix-org/dendrite/issues/401 Currently when passing a `device_id` parameter to `/login`, which is [supposed](https://matrix.org/docs/spec/client_server/unstable#post-matrix-client-r0-login) to return a device with that ID set, it instead just generates a random `device_id` and hands that back to you. The code was already there to do this correctly, it looks like it had just been broken during some change. Hopefully sytest will prevent this from becoming broken again. 2019-07-22 16:05:38 +02:00			`token string,`
return same device as sent from client if it exists in db (#414) Signed-off-by: mohit kumar singh <mohitkumarsingh907@gmail.com> 2018-08-20 11:22:06 +02:00			`) (dev *authtypes.Device, err error) {`
Correctly create new device when device_id is passed to /login (#753) Fixes https://github.com/matrix-org/dendrite/issues/401 Currently when passing a `device_id` parameter to `/login`, which is [supposed](https://matrix.org/docs/spec/client_server/unstable#post-matrix-client-r0-login) to return a device with that ID set, it instead just generates a random `device_id` and hands that back to you. The code was already there to do this correctly, it looks like it had just been broken during some change. Hopefully sytest will prevent this from becoming broken again. 2019-07-22 16:05:38 +02:00			`dev, err = deviceDB.CreateDevice(`
			`ctx, acc.Localpart, r.DeviceID, token, r.InitialDisplayName,`
			`)`
return same device as sent from client if it exists in db (#414) Signed-off-by: mohit kumar singh <mohitkumarsingh907@gmail.com> 2018-08-20 11:22:06 +02:00			`return`
			`}`