logging out & fix state (?)

This commit is contained in:
grngxd 2025-07-31 10:58:25 +01:00
parent 96320c3cc4
commit b906736af8
2 changed files with 61 additions and 21 deletions


@ -23,6 +23,7 @@ import (
"fmt" "fmt"
"net/http" "net/http"
"net/url" "net/url"
"sync"
"time" "time"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
@ -33,6 +34,9 @@ import (
"stereo.cat/backend/internal/types" "stereo.cat/backend/internal/types"
) )
var oauthStates = make(map[string]struct{})
var oauthStatesMu sync.Mutex
func generateState(length int) (string, error) { func generateState(length int) (string, error) {
b := make([]byte, length) b := make([]byte, length)
_, err := rand.Read(b) _, err := rand.Read(b)
@ -50,7 +54,9 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
return return
} }
c.SetCookie("oauth_state", state, 300, "", cfg.Domain, true, true) oauthStatesMu.Lock()
oauthStates[state] = struct{}{}
oauthStatesMu.Unlock()
discordURL := fmt.Sprintf( discordURL := fmt.Sprintf(
"https://discord.com/oauth2/authorize?client_id=%s&response_type=code&redirect_uri=%s&scope=identify%%20email&state=%s", "https://discord.com/oauth2/authorize?client_id=%s&response_type=code&redirect_uri=%s&scope=identify%%20email&state=%s",
@ -62,16 +68,25 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
c.Redirect(http.StatusTemporaryRedirect, discordURL) c.Redirect(http.StatusTemporaryRedirect, discordURL)
}) })
api.GET("/auth/logout", session.SessionMiddleware(cfg.JWTSecret), func(c *gin.Context) {
c.SetCookie("jwt", "", -1, "", cfg.Domain, true, true)
c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri)
})
api.GET("/auth/callback", func(c *gin.Context) { api.GET("/auth/callback", func(c *gin.Context) {
code := c.Query("code") code := c.Query("code")
state := c.Query("state") state := c.Query("state")
cookieState, err := c.Cookie("oauth_state") oauthStatesMu.Lock()
if err != nil || state != cookieState { _, ok := oauthStates[state]
if ok {
delete(oauthStates, state)
}
oauthStatesMu.Unlock()
if !ok {
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "Invalid state"}) c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "Invalid state"})
return return
} }
c.SetCookie("oauth_state", "", -1, "", cfg.Domain, true, true)
t, err := cfg.Client.ExchangeCode(code) t, err := cfg.Client.ExchangeCode(code)
if err != nil { if err != nil {
@ -93,12 +108,6 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
panic(res.Error) panic(res.Error)
} }
// TODO: redirect to dashboard
/*c.JSON(http.StatusOK, gin.H{
"jwt": jwt,
"known": res.RowsAffected == 0,
})
*/
c.SetCookie("jwt", jwt, int(t.ExpiresIn), "", cfg.Domain, true, true) c.SetCookie("jwt", jwt, int(t.ExpiresIn), "", cfg.Domain, true, true)
c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri+"/dashboard") c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri+"/dashboard")
}) })
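Review bot: The new `oauthStates` map is only pruned when a callback arrives (the delete at L47), so every `/auth/login` hit that is never completed leaves an entry behind and the map grows for the life of the process, whereas the cookie it replaces carried a 300 s max-age and expired on its own. Dropping the cookie comparison also removes the binding between the state and the browser that started the flow: a state now only proves the server issued it, not that this client requested it, so if the cookie was removed because it did not survive the redirect, consider keeping it alongside the map and requiring both checks to pass. Timestamping each entry and reusing the former 300 s lifetime restores expiry and lets stale entries be swept on the next login, as sketched below. The map is also per-process, so with more than one backend instance a callback may reach a node that never issued the state (inferred, not visible here). RegisterAuthRoutes starts and ends outside these hunks.
```go
// oauthStateTTL matches the max-age the oauth_state cookie used to carry.
const oauthStateTTL = 300 * time.Second

var oauthStates = make(map[string]time.Time)
var oauthStatesMu sync.Mutex

// … unchanged: generateState, start of RegisterAuthRoutes …

// /auth/login: record the state and drop abandoned ones so the map stays bounded
oauthStatesMu.Lock()
for s, issued := range oauthStates {
	if time.Since(issued) > oauthStateTTL {
		delete(oauthStates, s)
	}
}
oauthStates[state] = time.Now()
oauthStatesMu.Unlock()

// … unchanged: discordURL, redirect, /auth/logout …

// /auth/callback: a state is single-use and must still be within its lifetime
oauthStatesMu.Lock()
issued, ok := oauthStates[state]
delete(oauthStates, state)
oauthStatesMu.Unlock()
if !ok || time.Since(issued) > oauthStateTTL {
	c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "Invalid state"})
	return
}
// … unchanged: code exchange and jwt cookie …
```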


@ -1,18 +1,18 @@
/* /*
Copyright (C) 2025 hexlocation (hex@iwakura.rip) & grngxd (grng@iwakura.rip) Copyright (C) 2025 hexlocation (hex@iwakura.rip) & grngxd (grng@iwakura.rip)
This program is free software: you can redistribute it and/or modify This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or the Free Software Foundation, either version 3 of the License, or
(at your option) any later version. (at your option) any later version.
This program is distributed in the hope that it will be useful, This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details. GNU General Public License for more details.
You should have received a copy of the GNU General Public License You should have received a copy of the GNU General Public License
along with this program. If not, see <https://www.gnu.org/licenses/>. along with this program. If not, see <https://www.gnu.org/licenses/>.
*/ */
package routes package routes
@ -20,6 +20,7 @@ package routes
import ( import (
"bytes" "bytes"
"io" "io"
"strconv"
"strings" "strings"
"time" "time"
@ -179,8 +180,38 @@ func RegisterFileRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
claims := c.MustGet("claims").(jwt.MapClaims) claims := c.MustGet("claims").(jwt.MapClaims)
user := claims["user"].(auth.User) user := claims["user"].(auth.User)
if c.Query("page") == "" || c.Query("size") == "" {
var files []types.File
if err := cfg.Database.Where("owner = ?", user.ID).Find(&files).Error; err != nil {
types.ErrorDatabase.Throw(c, err)
return
}
c.JSON(200, files)
return
}
page := c.Query("page")
size := c.Query("size")
pageNum, err := strconv.Atoi(page)
if err != nil || pageNum < 0 {
types.ErrorInvalidParams.Throw(c, err)
return
}
sizeNum, err := strconv.Atoi(size)
if err != nil || sizeNum <= 0 {
types.ErrorInvalidParams.Throw(c, err)
return
}
var files []types.File var files []types.File
if err := cfg.Database.Where("owner = ?", user.ID).Find(&files).Error; err != nil { offset := (pageNum - 1) * sizeNum
if offset < 0 {
offset = 0
}
if err := cfg.Database.Where("owner = ?", user.ID).Offset(offset).Limit(sizeNum).Find(&files).Error; err != nil {
types.ErrorDatabase.Throw(c, err) types.ErrorDatabase.Throw(c, err)
return return
} }
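Review bot: The page validation at L109 accepts `pageNum == 0`, but the offset at L119 is computed for 1-based pages, so page 0 goes negative, is clamped to 0 at L120–L122, and silently returns the same rows as page 1. Rejecting `pageNum < 1` keeps the check and the arithmetic consistent and makes the clamp unnecessary: `if err != nil || pageNum < 1 {`. `sizeNum` has no upper bound at L114, so a caller can request an arbitrarily large page and pull every row in one query; cap it against a package-level constant, e.g. `if err != nil || sizeNum <= 0 || sizeNum > maxPageSize {` with `maxPageSize` declared next to the routes. On the `pageNum < 0` and `sizeNum <= 0` branches `err` is nil whenever the number parsed, so `types.ErrorInvalidParams.Throw(c, err)` is handed a nil error — worth confirming Throw tolerates that rather than dereferencing it. RegisterFileRoutes begins before this hunk and continues after it.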