mirrors
/
gitea
镜像来自 https://github.com/go-gitea/gitea.git
關注 1
收藏 0
複製 0
程式碼 問題 0 版本發佈 211 Wiki 活動
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6491 提交
17 分支
目錄樹: f035dcd4f2
分支列表 標籤
${ item.name }
建立分支 ${ searchTerm }
從 'f035dcd4f2'
${ noResults }
gitea/routers/user/auth_openid.go

auth_openid.go 12KB
原始文件 Blame 歷史記錄

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436 
  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package user

  6. 

  7. import (

  8. 	"fmt"

  9. 	"net/url"

  10. 

  11. 	"code.gitea.io/gitea/models"

  12. 	"code.gitea.io/gitea/modules/auth"

  13. 	"code.gitea.io/gitea/modules/auth/openid"

  14. 	"code.gitea.io/gitea/modules/base"

  15. 	"code.gitea.io/gitea/modules/context"

  16. 	"code.gitea.io/gitea/modules/generate"

  17. 	"code.gitea.io/gitea/modules/log"

  18. 	"code.gitea.io/gitea/modules/recaptcha"

  19. 	"code.gitea.io/gitea/modules/setting"

  20. 

  21. 	"github.com/go-macaron/captcha"

  22. )

  23. 

  24. const (

  25. 	tplSignInOpenID base.TplName = "user/auth/signin_openid"

  26. 	tplConnectOID   base.TplName = "user/auth/signup_openid_connect"

  27. 	tplSignUpOID    base.TplName = "user/auth/signup_openid_register"

  28. )

  29. 

  30. // SignInOpenID render sign in page

  31. func SignInOpenID(ctx *context.Context) {

  32. 	ctx.Data["Title"] = ctx.Tr("sign_in")

  33. 

  34. 	if ctx.Query("openid.return_to") != "" {

  35. 		signInOpenIDVerify(ctx)

  36. 		return

  37. 	}

  38. 

  39. 	// Check auto-login.

  40. 	isSucceed, err := AutoSignIn(ctx)

  41. 	if err != nil {

  42. 		ctx.ServerError("AutoSignIn", err)

  43. 		return

  44. 	}

  45. 

  46. 	redirectTo := ctx.Query("redirect_to")

  47. 	if len(redirectTo) > 0 {

  48. 		ctx.SetCookie("redirect_to", redirectTo, 0, setting.AppSubURL)

  49. 	} else {

  50. 		redirectTo, _ = url.QueryUnescape(ctx.GetCookie("redirect_to"))

  51. 	}

  52. 

  53. 	if isSucceed {

  54. 		ctx.SetCookie("redirect_to", "", -1, setting.AppSubURL)

  55. 		ctx.RedirectToFirst(redirectTo)

  56. 		return

  57. 	}

  58. 

  59. 	ctx.Data["PageIsSignIn"] = true

  60. 	ctx.Data["PageIsLoginOpenID"] = true

  61. 	ctx.HTML(200, tplSignInOpenID)

  62. }

  63. 

  64. // Check if the given OpenID URI is allowed by blacklist/whitelist

  65. func allowedOpenIDURI(uri string) (err error) {

  66. 

  67. 	// In case a Whitelist is present, URI must be in it

  68. 	// in order to be accepted

  69. 	if len(setting.Service.OpenIDWhitelist) != 0 {

  70. 		for _, pat := range setting.Service.OpenIDWhitelist {

  71. 			if pat.MatchString(uri) {

  72. 				return nil // pass

  73. 			}

  74. 		}

  75. 		// must match one of this or be refused

  76. 		return fmt.Errorf("URI not allowed by whitelist")

  77. 	}

  78. 

  79. 	// A blacklist match expliclty forbids

  80. 	for _, pat := range setting.Service.OpenIDBlacklist {

  81. 		if pat.MatchString(uri) {

  82. 			return fmt.Errorf("URI forbidden by blacklist")

  83. 		}

  84. 	}

  85. 

  86. 	return nil

  87. }

  88. 

  89. // SignInOpenIDPost response for openid sign in request

  90. func SignInOpenIDPost(ctx *context.Context, form auth.SignInOpenIDForm) {

  91. 	ctx.Data["Title"] = ctx.Tr("sign_in")

  92. 	ctx.Data["PageIsSignIn"] = true

  93. 	ctx.Data["PageIsLoginOpenID"] = true

  94. 

  95. 	if ctx.HasError() {

  96. 		ctx.HTML(200, tplSignInOpenID)

  97. 		return

  98. 	}

  99. 

  100. 	id, err := openid.Normalize(form.Openid)

  101. 	if err != nil {

  102. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)

  103. 		return

  104. 	}

  105. 	form.Openid = id

  106. 

  107. 	log.Trace("OpenID uri: " + id)

  108. 

  109. 	err = allowedOpenIDURI(id)

  110. 	if err != nil {

  111. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)

  112. 		return

  113. 	}

  114. 

  115. 	redirectTo := setting.AppURL + "user/login/openid"

  116. 	url, err := openid.RedirectURL(id, redirectTo, setting.AppURL)

  117. 	if err != nil {

  118. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &form)

  119. 		return

  120. 	}

  121. 

  122. 	// Request optional nickname and email info

  123. 	// NOTE: change to `openid.sreg.required` to require it

  124. 	url += "&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1"

  125. 	url += "&openid.sreg.optional=nickname%2Cemail"

  126. 

  127. 	log.Trace("Form-passed openid-remember: %s", form.Remember)

  128. 	ctx.Session.Set("openid_signin_remember", form.Remember)

  129. 

  130. 	ctx.Redirect(url)

  131. }

  132. 

  133. // signInOpenIDVerify handles response from OpenID provider

  134. func signInOpenIDVerify(ctx *context.Context) {

  135. 

  136. 	log.Trace("Incoming call to: " + ctx.Req.Request.URL.String())

  137. 

  138. 	fullURL := setting.AppURL + ctx.Req.Request.URL.String()[1:]

  139. 	log.Trace("Full URL: " + fullURL)

  140. 

  141. 	var id, err = openid.Verify(fullURL)

  142. 	if err != nil {

  143. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  144. 			Openid: id,

  145. 		})

  146. 		return

  147. 	}

  148. 

  149. 	log.Trace("Verified ID: " + id)

  150. 

  151. 	/* Now we should seek for the user and log him in, or prompt

  152. 	 * to register if not found */

  153. 

  154. 	u, _ := models.GetUserByOpenID(id)

  155. 	if err != nil {

  156. 		if !models.IsErrUserNotExist(err) {

  157. 			ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  158. 				Openid: id,

  159. 			})

  160. 			return

  161. 		}

  162. 	}

  163. 	if u != nil {

  164. 		log.Trace("User exists, logging in")

  165. 		remember, _ := ctx.Session.Get("openid_signin_remember").(bool)

  166. 		log.Trace("Session stored openid-remember: %s", remember)

  167. 		handleSignIn(ctx, u, remember)

  168. 		return

  169. 	}

  170. 

  171. 	log.Trace("User with openid " + id + " does not exist, should connect or register")

  172. 

  173. 	parsedURL, err := url.Parse(fullURL)

  174. 	if err != nil {

  175. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  176. 			Openid: id,

  177. 		})

  178. 		return

  179. 	}

  180. 	values, err := url.ParseQuery(parsedURL.RawQuery)

  181. 	if err != nil {

  182. 		ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  183. 			Openid: id,

  184. 		})

  185. 		return

  186. 	}

  187. 	email := values.Get("openid.sreg.email")

  188. 	nickname := values.Get("openid.sreg.nickname")

  189. 

  190. 	log.Trace("User has email=" + email + " and nickname=" + nickname)

  191. 

  192. 	if email != "" {

  193. 		u, _ = models.GetUserByEmail(email)

  194. 		if err != nil {

  195. 			if !models.IsErrUserNotExist(err) {

  196. 				ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  197. 					Openid: id,

  198. 				})

  199. 				return

  200. 			}

  201. 		}

  202. 		if u != nil {

  203. 			log.Trace("Local user " + u.LowerName + " has OpenID provided email " + email)

  204. 		}

  205. 	}

  206. 

  207. 	if u == nil && nickname != "" {

  208. 		u, _ = models.GetUserByName(nickname)

  209. 		if err != nil {

  210. 			if !models.IsErrUserNotExist(err) {

  211. 				ctx.RenderWithErr(err.Error(), tplSignInOpenID, &auth.SignInOpenIDForm{

  212. 					Openid: id,

  213. 				})

  214. 				return

  215. 			}

  216. 		}

  217. 		if u != nil {

  218. 			log.Trace("Local user " + u.LowerName + " has OpenID provided nickname " + nickname)

  219. 		}

  220. 	}

  221. 

  222. 	ctx.Session.Set("openid_verified_uri", id)

  223. 

  224. 	ctx.Session.Set("openid_determined_email", email)

  225. 

  226. 	if u != nil {

  227. 		nickname = u.LowerName

  228. 	}

  229. 

  230. 	ctx.Session.Set("openid_determined_username", nickname)

  231. 

  232. 	if u != nil || !setting.Service.EnableOpenIDSignUp {

  233. 		ctx.Redirect(setting.AppSubURL + "/user/openid/connect")

  234. 	} else {

  235. 		ctx.Redirect(setting.AppSubURL + "/user/openid/register")

  236. 	}

  237. }

  238. 

  239. // ConnectOpenID shows a form to connect an OpenID URI to an existing account

  240. func ConnectOpenID(ctx *context.Context) {

  241. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  242. 	if oid == "" {

  243. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  244. 		return

  245. 	}

  246. 	ctx.Data["Title"] = "OpenID connect"

  247. 	ctx.Data["PageIsSignIn"] = true

  248. 	ctx.Data["PageIsOpenIDConnect"] = true

  249. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  250. 	ctx.Data["OpenID"] = oid

  251. 	userName, _ := ctx.Session.Get("openid_determined_username").(string)

  252. 	if userName != "" {

  253. 		ctx.Data["user_name"] = userName

  254. 	}

  255. 	ctx.HTML(200, tplConnectOID)

  256. }

  257. 

  258. // ConnectOpenIDPost handles submission of a form to connect an OpenID URI to an existing account

  259. func ConnectOpenIDPost(ctx *context.Context, form auth.ConnectOpenIDForm) {

  260. 

  261. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  262. 	if oid == "" {

  263. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  264. 		return

  265. 	}

  266. 	ctx.Data["Title"] = "OpenID connect"

  267. 	ctx.Data["PageIsSignIn"] = true

  268. 	ctx.Data["PageIsOpenIDConnect"] = true

  269. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  270. 	ctx.Data["OpenID"] = oid

  271. 

  272. 	u, err := models.UserSignIn(form.UserName, form.Password)

  273. 	if err != nil {

  274. 		if models.IsErrUserNotExist(err) {

  275. 			ctx.RenderWithErr(ctx.Tr("form.username_password_incorrect"), tplConnectOID, &form)

  276. 		} else {

  277. 			ctx.ServerError("ConnectOpenIDPost", err)

  278. 		}

  279. 		return

  280. 	}

  281. 

  282. 	// add OpenID for the user

  283. 	userOID := &models.UserOpenID{UID: u.ID, URI: oid}

  284. 	if err = models.AddUserOpenID(userOID); err != nil {

  285. 		if models.IsErrOpenIDAlreadyUsed(err) {

  286. 			ctx.RenderWithErr(ctx.Tr("form.openid_been_used", oid), tplConnectOID, &form)

  287. 			return

  288. 		}

  289. 		ctx.ServerError("AddUserOpenID", err)

  290. 		return

  291. 	}

  292. 

  293. 	ctx.Flash.Success(ctx.Tr("settings.add_openid_success"))

  294. 

  295. 	remember, _ := ctx.Session.Get("openid_signin_remember").(bool)

  296. 	log.Trace("Session stored openid-remember: %s", remember)

  297. 	handleSignIn(ctx, u, remember)

  298. }

  299. 

  300. // RegisterOpenID shows a form to create a new user authenticated via an OpenID URI

  301. func RegisterOpenID(ctx *context.Context) {

  302. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  303. 	if oid == "" {

  304. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  305. 		return

  306. 	}

  307. 	ctx.Data["Title"] = "OpenID signup"

  308. 	ctx.Data["PageIsSignIn"] = true

  309. 	ctx.Data["PageIsOpenIDRegister"] = true

  310. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  311. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  312. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  313. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  314. 	ctx.Data["OpenID"] = oid

  315. 	userName, _ := ctx.Session.Get("openid_determined_username").(string)

  316. 	if userName != "" {

  317. 		ctx.Data["user_name"] = userName

  318. 	}

  319. 	email, _ := ctx.Session.Get("openid_determined_email").(string)

  320. 	if email != "" {

  321. 		ctx.Data["email"] = email

  322. 	}

  323. 	ctx.HTML(200, tplSignUpOID)

  324. }

  325. 

  326. // RegisterOpenIDPost handles submission of a form to create a new user authenticated via an OpenID URI

  327. func RegisterOpenIDPost(ctx *context.Context, cpt *captcha.Captcha, form auth.SignUpOpenIDForm) {

  328. 	oid, _ := ctx.Session.Get("openid_verified_uri").(string)

  329. 	if oid == "" {

  330. 		ctx.Redirect(setting.AppSubURL + "/user/login/openid")

  331. 		return

  332. 	}

  333. 

  334. 	ctx.Data["Title"] = "OpenID signup"

  335. 	ctx.Data["PageIsSignIn"] = true

  336. 	ctx.Data["PageIsOpenIDRegister"] = true

  337. 	ctx.Data["EnableOpenIDSignUp"] = setting.Service.EnableOpenIDSignUp

  338. 	ctx.Data["EnableCaptcha"] = setting.Service.EnableCaptcha

  339. 	ctx.Data["CaptchaType"] = setting.Service.CaptchaType

  340. 	ctx.Data["RecaptchaSitekey"] = setting.Service.RecaptchaSitekey

  341. 	ctx.Data["OpenID"] = oid

  342. 

  343. 	if setting.Service.EnableCaptcha && setting.Service.CaptchaType == setting.ImageCaptcha && !cpt.VerifyReq(ctx.Req) {

  344. 		ctx.Data["Err_Captcha"] = true

  345. 		ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUpOID, &form)

  346. 		return

  347. 	}

  348. 

  349. 	if setting.Service.EnableCaptcha && setting.Service.CaptchaType == setting.ReCaptcha {

  350. 		ctx.Req.ParseForm()

  351. 		valid, _ := recaptcha.Verify(form.GRecaptchaResponse)

  352. 		if !valid {

  353. 			ctx.Data["Err_Captcha"] = true

  354. 			ctx.RenderWithErr(ctx.Tr("form.captcha_incorrect"), tplSignUpOID, &form)

  355. 			return

  356. 		}

  357. 	}

  358. 

  359. 	len := setting.MinPasswordLength

  360. 	if len < 256 {

  361. 		len = 256

  362. 	}

  363. 	password, err := generate.GetRandomString(len)

  364. 	if err != nil {

  365. 		ctx.RenderWithErr(err.Error(), tplSignUpOID, form)

  366. 		return

  367. 	}

  368. 

  369. 	// TODO: abstract a finalizeSignUp function ?

  370. 	u := &models.User{

  371. 		Name:     form.UserName,

  372. 		Email:    form.Email,

  373. 		Passwd:   password,

  374. 		IsActive: !setting.Service.RegisterEmailConfirm,

  375. 	}

  376. 	if err := models.CreateUser(u); err != nil {

  377. 		switch {

  378. 		case models.IsErrUserAlreadyExist(err):

  379. 			ctx.Data["Err_UserName"] = true

  380. 			ctx.RenderWithErr(ctx.Tr("form.username_been_taken"), tplSignUpOID, &form)

  381. 		case models.IsErrEmailAlreadyUsed(err):

  382. 			ctx.Data["Err_Email"] = true

  383. 			ctx.RenderWithErr(ctx.Tr("form.email_been_used"), tplSignUpOID, &form)

  384. 		case models.IsErrNameReserved(err):

  385. 			ctx.Data["Err_UserName"] = true

  386. 			ctx.RenderWithErr(ctx.Tr("user.form.name_reserved", err.(models.ErrNameReserved).Name), tplSignUpOID, &form)

  387. 		case models.IsErrNamePatternNotAllowed(err):

  388. 			ctx.Data["Err_UserName"] = true

  389. 			ctx.RenderWithErr(ctx.Tr("user.form.name_pattern_not_allowed", err.(models.ErrNamePatternNotAllowed).Pattern), tplSignUpOID, &form)

  390. 		default:

  391. 			ctx.ServerError("CreateUser", err)

  392. 		}

  393. 		return

  394. 	}

  395. 	log.Trace("Account created: %s", u.Name)

  396. 

  397. 	// add OpenID for the user

  398. 	userOID := &models.UserOpenID{UID: u.ID, URI: oid}

  399. 	if err = models.AddUserOpenID(userOID); err != nil {

  400. 		if models.IsErrOpenIDAlreadyUsed(err) {

  401. 			ctx.RenderWithErr(ctx.Tr("form.openid_been_used", oid), tplSignUpOID, &form)

  402. 			return

  403. 		}

  404. 		ctx.ServerError("AddUserOpenID", err)

  405. 		return

  406. 	}

  407. 

  408. 	// Auto-set admin for the only user.

  409. 	if models.CountUsers() == 1 {

  410. 		u.IsAdmin = true

  411. 		u.IsActive = true

  412. 		u.SetLastLogin()

  413. 		if err := models.UpdateUserCols(u, "is_admin", "is_active", "last_login_unix"); err != nil {

  414. 			ctx.ServerError("UpdateUser", err)

  415. 			return

  416. 		}

  417. 	}

  418. 

  419. 	// Send confirmation email, no need for social account.

  420. 	if setting.Service.RegisterEmailConfirm && u.ID > 1 {

  421. 		models.SendActivateAccountMail(ctx.Context, u)

  422. 		ctx.Data["IsSendRegisterMail"] = true

  423. 		ctx.Data["Email"] = u.Email

  424. 		ctx.Data["ActiveCodeLives"] = base.MinutesToFriendly(setting.Service.ActiveCodeLives, ctx.Locale.Language())

  425. 		ctx.HTML(200, TplActivate)

  426. 

  427. 		if err := ctx.Cache.Put("MailResendLimit_"+u.LowerName, u.LowerName, 180); err != nil {

  428. 			log.Error(4, "Set cache(MailResendLimit) fail: %v", err)

  429. 		}

  430. 		return

  431. 	}

  432. 

  433. 	remember, _ := ctx.Session.Get("openid_signin_remember").(bool)

  434. 	log.Trace("Session stored openid-remember: %s", remember)

  435. 	handleSignIn(ctx, u, remember)

  436. }