portal.go at a4b7890ece29c9be87181ce83d3a86cfec0a6de1 · vvill.dev/caddy-atproto-auth

Caddy module to require at-proto authentication and restrict routes to DIDs
caddy-atproto-auth / portal.go
at a4b7890ece29c9be87181ce83d3a86cfec0a6de1 6.4 kB View raw
Will Garrison docs: Update module path and configuration documentation 3mo ago
  1package caddyatprotoauth
  2
  3import (
  4	"encoding/json"
  5	"fmt"
  6	"net/http"
  7	"time"
  8
  9	"github.com/caddyserver/caddy/v2"
 10	"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 11	"github.com/caddyserver/caddy/v2/caddyconfig/httpcaddyfile"
 12	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 13	"go.uber.org/zap"
 14	"tangled.org/vvill.dev/caddy-atproto-auth/internal/oauth"
 15	"tangled.org/vvill.dev/caddy-atproto-auth/internal/session"
 16	"tangled.org/vvill.dev/caddy-atproto-auth/internal/ui"
 17)
 18
 19func init() {
 20	caddy.RegisterModule(Portal{})
 21	httpcaddyfile.RegisterHandlerDirective("atproto_portal", parseCaddyfilePortal)
 22}
 23
 24// Portal is the centralized authentication portal for Path B (Auth Hub).
 25type Portal struct {
 26	Name   string    `json:"name,omitempty"`
 27	Domain string    `json:"domain,omitempty"` // Public domain of the portal (e.g. auth.example.com)
 28	UI     ui.Config `json:"ui,omitempty"`     // Custom UI configuration
 29
 30	// Dependencies
 31	app      *App
 32	oauth    *oauth.Manager
 33	sessions *session.Manager
 34	renderer *ui.Renderer
 35	logger   *zap.Logger
 36}
 37
 38// CaddyModule returns the Caddy module information.
 39func (Portal) CaddyModule() caddy.ModuleInfo {
 40	return caddy.ModuleInfo{
 41		ID:  "http.handlers.atproto_portal",
 42		New: func() caddy.Module { return new(Portal) },
 43	}
 44}
 45
 46// Provision sets up the module.
 47func (p *Portal) Provision(ctx caddy.Context) error {
 48	p.logger = ctx.Logger()
 49
 50	// 1. Get Global App
 51	app, err := ctx.App("atproto")
 52	if err != nil {
 53		return fmt.Errorf("getting atproto app: %w", err)
 54	}
 55	p.app = app.(*App)
 56
 57	// 2. Initialize Session Manager
 58	if p.app.CookieSecret == "" {
 59		return fmt.Errorf("global atproto cookie_secret is required")
 60	}
 61	p.sessions = session.NewManager(p.app.CookieSecret)
 62
 63	// 4. Initialize UI Renderer
 64	renderer, err := ui.NewRenderer(p.UI)
 65	if err != nil {
 66		return fmt.Errorf("failed to init ui renderer: %w", err)
 67	}
 68	p.renderer = renderer
 69
 70	// 5. Initialize OAuth Manager
 71	// We need the domain to construct ClientID and CallbackURL.
 72	// If domain is missing, we might defer initialization? No, Manager needs it.
 73	// User must configure 'domain' in Caddyfile for now.
 74	if p.Domain == "" {
 75		return fmt.Errorf("atproto_portal requires 'domain' to be set (e.g. auth.example.com)")
 76	}
 77
 78	clientID := fmt.Sprintf("https://%s/.well-known/oauth-client-metadata.json", p.Domain)
 79	callbackURL := fmt.Sprintf("https://%s/callback", p.Domain)
 80
 81	mgr, err := oauth.NewManager(p.app.Store, clientID, callbackURL)
 82	if err != nil {
 83		return fmt.Errorf("failed to init oauth manager: %w", err)
 84	}
 85	p.oauth = mgr
 86
 87	return nil
 88}
 89
 90// Validate checks that the configuration is valid.
 91func (p *Portal) Validate() error {
 92	if p.Name == "" {
 93		p.Name = "Authentication Portal"
 94	}
 95	return nil
 96}
 97
 98// UnmarshalCaddyfile implements caddyfile.Unmarshaler.
 99func (p *Portal) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
100	for d.Next() {
101		for nesting := d.Nesting(); d.NextBlock(nesting); {
102			switch d.Val() {
103			case "name":
104				if !d.NextArg() {
105					return d.ArgErr()
106				}
107				p.Name = d.Val()
108			case "domain":
109				if !d.NextArg() {
110					return d.ArgErr()
111				}
112				p.Domain = d.Val()
113			case "ui":
114				for nesting := d.Nesting(); d.NextBlock(nesting); {
115					switch d.Val() {
116					case "login_template":
117						if !d.NextArg() {
118							return d.ArgErr()
119						}
120						p.UI.LoginTemplatePath = d.Val()
121					case "forbidden_template":
122						if !d.NextArg() {
123							return d.ArgErr()
124						}
125						p.UI.ForbiddenTemplatePath = d.Val()
126					default:
127						return d.Errf("unrecognized subdirective '%s'", d.Val())
128					}
129				}
130			default:
131				return d.Errf("unrecognized subdirective '%s'", d.Val())
132			}
133		}
134	}
135	return nil
136}
137
138func parseCaddyfilePortal(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler, error) {
139	var p Portal
140	err := p.UnmarshalCaddyfile(h.Dispenser)
141	return &p, err
142}
143
144// ServeHTTP implements caddyhttp.MiddlewareHandler.
145func (p *Portal) ServeHTTP(w http.ResponseWriter, r *http.Request, next caddyhttp.Handler) error {
146	// 1. Metadata Endpoint
147	if r.URL.Path == "/.well-known/oauth-client-metadata.json" {
148		meta, err := p.oauth.GetClientMetadata()
149		if err != nil {
150			p.logger.Error("failed to get client metadata", zap.Error(err))
151			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
152			return nil
153		}
154		w.Header().Set("Content-Type", "application/json")
155		json.NewEncoder(w).Encode(meta)
156		return nil
157	}
158
159	// 2. Callback Endpoint
160	if r.URL.Path == "/callback" {
161		// Process callback
162		ctx := r.Context()
163		query := r.URL.Query()
164
165		sessionData, handle, err := p.oauth.ProcessCallback(ctx, query)
166		if err != nil {
167			p.logger.Error("oauth callback failed", zap.Error(err))
168			http.Error(w, fmt.Sprintf("Authentication failed: %v", err), http.StatusBadRequest)
169			return nil
170		}
171
172		// Create Session Cookie
173		cookie, err := p.sessions.CreateCookie(
174			sessionData.AccountDID,
175			handle,
176			24*7*time.Hour,
177			p.Domain,
178		)
179		if err != nil {
180			p.logger.Error("failed to create session cookie", zap.Error(err))
181			http.Error(w, "Internal Error", http.StatusInternalServerError)
182			return nil
183		}
184
185		http.SetCookie(w, cookie)
186
187		// Redirect to home or saved location
188		http.Redirect(w, r, "/", http.StatusFound)
189		return nil
190	}
191
192	// 3. Login Start (Form Action)
193	if r.URL.Path == "/login" && r.Method == "POST" {
194		handle := r.FormValue("handle")
195		if handle == "" {
196			http.Error(w, "Handle required", http.StatusBadRequest)
197			return nil
198		}
199
200		// Start Auth Flow
201		redirectURI, err := p.oauth.StartAuthFlow(r.Context(), handle)
202		if err != nil {
203			p.logger.Error("failed to start auth flow", zap.Error(err))
204			http.Error(w, fmt.Sprintf("Failed to resolve identity: %v", err), http.StatusBadRequest)
205			return nil
206		}
207
208		http.Redirect(w, r, redirectURI, http.StatusFound)
209		return nil
210	}
211
212	// 4. Default: Login Page
213	if r.URL.Path == "/" || r.URL.Path == "/login" {
214		w.Header().Set("Content-Type", "text/html; charset=utf-8")
215		if err := p.renderer.RenderLogin(w, ui.LoginData{
216			AppName:  p.Name,
217			Redirect: "/",
218		}); err != nil {
219			p.logger.Error("failed to render login page", zap.Error(err))
220			return caddyhttp.Error(http.StatusInternalServerError, err)
221		}
222		return nil
223	}
224
225	return next.ServeHTTP(w, r)
226}
227
228// Interface guards
229var (
230	_ caddy.Provisioner           = (*Portal)(nil)
231	_ caddy.Validator             = (*Portal)(nil)
232	_ caddyhttp.MiddlewareHandler = (*Portal)(nil)
233	_ caddyfile.Unmarshaler       = (*Portal)(nil)
234)
Configure Feed

Configure Feed
