From 6a08afbf52a5f1f0965d086072b928b71cf6cb7b Mon Sep 17 00:00:00 2001
From: grngxd <36968271+grngxd@users.noreply.github.com>
Date: Wed, 30 Jul 2025 11:12:22 +0100
Subject: [PATCH 1/4] add state validation to oauth flow
---
internal/api/routes/auth.go | 68 +++++++++++++++++++++++++++----------
1 file changed, 51 insertions(+), 17 deletions(-)
diff --git a/internal/api/routes/auth.go b/internal/api/routes/auth.go
index 2c98b6c..4ed3f2c 100644
--- a/internal/api/routes/auth.go
+++ b/internal/api/routes/auth.go
@@ -1,26 +1,28 @@
/*
Copyright (C) 2025 hexlocation (hex@iwakura.rip) & grngxd (grng@iwakura.rip)
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
- You should have received a copy of the GNU General Public License
- along with this program. If not, see .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
*/
package routes
import (
- "errors"
+ "crypto/rand"
+ "encoding/base64"
"fmt"
"net/http"
+ "net/url"
"time"
"github.com/gin-gonic/gin"
@@ -31,30 +33,62 @@ import (
"stereo.cat/backend/internal/types"
)
+func generateState(length int) (string, error) {
+ b := make([]byte, length)
+ _, err := rand.Read(b)
+ if err != nil {
+ return "", err
+ }
+ return base64.URLEncoding.EncodeToString(b), nil
+}
+
func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
+ api.GET("/auth/login", func(c *gin.Context) {
+ state, err := generateState(32)
+ if err != nil {
+ c.AbortWithStatus(http.StatusInternalServerError)
+ return
+ }
+
+ c.SetCookie("oauth_state", state, 300, "", cfg.Domain, true, true)
+
+ discordURL := fmt.Sprintf(
+ "https://discord.com/oauth2/authorize?client_id=%s&response_type=code&redirect_uri=%s&scope=identify%%20email&state=%s",
+ cfg.Client.ClientId,
+ url.QueryEscape(cfg.Client.RedirectUri),
+ state,
+ )
+
+ c.Redirect(http.StatusTemporaryRedirect, discordURL)
+ })
+
api.GET("/auth/callback", func(c *gin.Context) {
code := c.Query("code")
+ state := c.Query("state")
+
+ cookieState, err := c.Cookie("oauth_state")
+ if err != nil || state != cookieState {
+ c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "Invalid state"})
+ return
+ }
+ c.SetCookie("oauth_state", "", -1, "", cfg.Domain, true, true)
t, err := cfg.Client.ExchangeCode(code)
-
if err != nil {
panic(err)
}
user, err := cfg.Client.GetUser(t)
-
if err != nil {
panic(err)
}
jwt, err := session.GenerateSessionJWT(cfg.JWTSecret, user, uint64(time.Now().Add(time.Second*time.Duration(t.ExpiresIn)).Unix()))
-
if err != nil {
panic(err)
}
res := cfg.Database.FirstOrCreate(&user)
-
if res.Error != nil {
panic(res.Error)
}
@@ -66,7 +100,7 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
})
*/
c.SetCookie("jwt", jwt, int(t.ExpiresIn), "", cfg.Domain, true, true)
- c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri+"?jwt_set=true")
+ c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri+"/dashboard?jwt_set=true")
})
api.GET("/auth/me", session.SessionMiddleware(cfg.JWTSecret), func(c *gin.Context) {
@@ -80,7 +114,7 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
user, ok := claims["user"].(auth.User)
if !ok {
- types.ErrorUserNotFound.Throw(c, errors.New(fmt.Sprintf("got data with type %T but wanted claims.User", claims["user"])))
+ types.ErrorUserNotFound.Throw(c, fmt.Errorf("got data with type %T but wanted claims.User", claims["user"]))
return
}
--
2.47.2
From 96320c3cc483309a3674f85bee65a6324686995e Mon Sep 17 00:00:00 2001
From: grngxd <36968271+grngxd@users.noreply.github.com>
Date: Wed, 30 Jul 2025 11:17:23 +0100
Subject: [PATCH 2/4] clean up callback to dashboard url :sob:
---
internal/api/routes/auth.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/api/routes/auth.go b/internal/api/routes/auth.go
index 4ed3f2c..5b56d56 100644
--- a/internal/api/routes/auth.go
+++ b/internal/api/routes/auth.go
@@ -100,7 +100,7 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
})
*/
c.SetCookie("jwt", jwt, int(t.ExpiresIn), "", cfg.Domain, true, true)
- c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri+"/dashboard?jwt_set=true")
+ c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri+"/dashboard")
})
api.GET("/auth/me", session.SessionMiddleware(cfg.JWTSecret), func(c *gin.Context) {
--
2.47.2
From b906736af8c964a467b30fc123f964cd0aa67d56 Mon Sep 17 00:00:00 2001
From: grngxd <36968271+grngxd@users.noreply.github.com>
Date: Thu, 31 Jul 2025 10:58:25 +0100
Subject: [PATCH 3/4] logging out & fix state (?)
---
internal/api/routes/auth.go | 29 +++++++++++++-------
internal/api/routes/files.go | 53 ++++++++++++++++++++++++++++--------
2 files changed, 61 insertions(+), 21 deletions(-)
diff --git a/internal/api/routes/auth.go b/internal/api/routes/auth.go
index 5b56d56..b3208c4 100644
--- a/internal/api/routes/auth.go
+++ b/internal/api/routes/auth.go
@@ -23,6 +23,7 @@ import (
"fmt"
"net/http"
"net/url"
+ "sync"
"time"
"github.com/gin-gonic/gin"
@@ -33,6 +34,9 @@ import (
"stereo.cat/backend/internal/types"
)
+var oauthStates = make(map[string]struct{})
+var oauthStatesMu sync.Mutex
+
func generateState(length int) (string, error) {
b := make([]byte, length)
_, err := rand.Read(b)
@@ -50,7 +54,9 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
return
}
- c.SetCookie("oauth_state", state, 300, "", cfg.Domain, true, true)
+ oauthStatesMu.Lock()
+ oauthStates[state] = struct{}{}
+ oauthStatesMu.Unlock()
discordURL := fmt.Sprintf(
"https://discord.com/oauth2/authorize?client_id=%s&response_type=code&redirect_uri=%s&scope=identify%%20email&state=%s",
@@ -62,16 +68,25 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
c.Redirect(http.StatusTemporaryRedirect, discordURL)
})
+ api.GET("/auth/logout", session.SessionMiddleware(cfg.JWTSecret), func(c *gin.Context) {
+ c.SetCookie("jwt", "", -1, "", cfg.Domain, true, true)
+ c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri)
+ })
+
api.GET("/auth/callback", func(c *gin.Context) {
code := c.Query("code")
state := c.Query("state")
- cookieState, err := c.Cookie("oauth_state")
- if err != nil || state != cookieState {
+ oauthStatesMu.Lock()
+ _, ok := oauthStates[state]
+ if ok {
+ delete(oauthStates, state)
+ }
+ oauthStatesMu.Unlock()
+ if !ok {
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "Invalid state"})
return
}
- c.SetCookie("oauth_state", "", -1, "", cfg.Domain, true, true)
t, err := cfg.Client.ExchangeCode(code)
if err != nil {
@@ -93,12 +108,6 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
panic(res.Error)
}
- // TODO: redirect to dashboard
- /*c.JSON(http.StatusOK, gin.H{
- "jwt": jwt,
- "known": res.RowsAffected == 0,
- })
- */
c.SetCookie("jwt", jwt, int(t.ExpiresIn), "", cfg.Domain, true, true)
c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri+"/dashboard")
})
diff --git a/internal/api/routes/files.go b/internal/api/routes/files.go
index 2aed6fe..3007193 100644
--- a/internal/api/routes/files.go
+++ b/internal/api/routes/files.go
@@ -1,18 +1,18 @@
/*
Copyright (C) 2025 hexlocation (hex@iwakura.rip) & grngxd (grng@iwakura.rip)
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
- You should have received a copy of the GNU General Public License
- along with this program. If not, see .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
*/
package routes
@@ -20,6 +20,7 @@ package routes
import (
"bytes"
"io"
+ "strconv"
"strings"
"time"
@@ -179,8 +180,38 @@ func RegisterFileRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
claims := c.MustGet("claims").(jwt.MapClaims)
user := claims["user"].(auth.User)
+ if c.Query("page") == "" || c.Query("size") == "" {
+ var files []types.File
+ if err := cfg.Database.Where("owner = ?", user.ID).Find(&files).Error; err != nil {
+ types.ErrorDatabase.Throw(c, err)
+ return
+ }
+
+ c.JSON(200, files)
+ return
+ }
+
+ page := c.Query("page")
+ size := c.Query("size")
+
+ pageNum, err := strconv.Atoi(page)
+ if err != nil || pageNum < 0 {
+ types.ErrorInvalidParams.Throw(c, err)
+ return
+ }
+
+ sizeNum, err := strconv.Atoi(size)
+ if err != nil || sizeNum <= 0 {
+ types.ErrorInvalidParams.Throw(c, err)
+ return
+ }
+
var files []types.File
- if err := cfg.Database.Where("owner = ?", user.ID).Find(&files).Error; err != nil {
+ offset := (pageNum - 1) * sizeNum
+ if offset < 0 {
+ offset = 0
+ }
+ if err := cfg.Database.Where("owner = ?", user.ID).Offset(offset).Limit(sizeNum).Find(&files).Error; err != nil {
types.ErrorDatabase.Throw(c, err)
return
}
--
2.47.2
From 8ca089ecfbcc7817f4f090bc950301a71c949b89 Mon Sep 17 00:00:00 2001
From: grngxd <36968271+grngxd@users.noreply.github.com>
Date: Thu, 31 Jul 2025 11:07:46 +0100
Subject: [PATCH 4/4] use array instead of map
---
internal/api/routes/auth.go | 29 ++++++++++++++++++-----------
1 file changed, 18 insertions(+), 11 deletions(-)
diff --git a/internal/api/routes/auth.go b/internal/api/routes/auth.go
index b3208c4..b687110 100644
--- a/internal/api/routes/auth.go
+++ b/internal/api/routes/auth.go
@@ -34,8 +34,8 @@ import (
"stereo.cat/backend/internal/types"
)
-var oauthStates = make(map[string]struct{})
-var oauthStatesMu sync.Mutex
+var states []string
+var statesMutex sync.Mutex
func generateState(length int) (string, error) {
b := make([]byte, length)
@@ -54,9 +54,9 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
return
}
- oauthStatesMu.Lock()
- oauthStates[state] = struct{}{}
- oauthStatesMu.Unlock()
+ statesMutex.Lock()
+ states = append(states, state)
+ statesMutex.Unlock()
discordURL := fmt.Sprintf(
"https://discord.com/oauth2/authorize?client_id=%s&response_type=code&redirect_uri=%s&scope=identify%%20email&state=%s",
@@ -77,13 +77,20 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
code := c.Query("code")
state := c.Query("state")
- oauthStatesMu.Lock()
- _, ok := oauthStates[state]
- if ok {
- delete(oauthStates, state)
+ statesMutex.Lock()
+
+ found := false
+ for i, s := range states {
+ if s == state {
+ states = append(states[:i], states[i+1:]...)
+ found = true
+ break
+ }
}
- oauthStatesMu.Unlock()
- if !ok {
+
+ statesMutex.Unlock()
+
+ if !found {
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "Invalid state"})
return
}
--
2.47.2