2022-02-13 23:39:27 +08:00
|
|
|
// Copyright 2021 The Casdoor Authors. All Rights Reserved.
|
2021-02-14 00:22:24 +08:00
|
|
|
//
|
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
|
//
|
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
//
|
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
|
|
package controllers
|
|
|
|
|
|
|
|
|
|
import (
|
2021-12-10 00:23:04 +08:00
|
|
|
"encoding/base64"
|
2021-03-15 00:49:16 +08:00
|
|
|
"encoding/json"
|
2021-02-14 00:22:24 +08:00
|
|
|
"fmt"
|
2021-12-06 21:46:50 +08:00
|
|
|
"net/url"
|
2021-06-11 23:34:45 +08:00
|
|
|
"strconv"
|
2021-06-02 13:39:01 +08:00
|
|
|
"strings"
|
2021-07-18 07:54:49 +08:00
|
|
|
"time"
|
2021-02-14 00:22:24 +08:00
|
|
|
|
2022-03-20 23:21:09 +08:00
|
|
|
"github.com/casdoor/casdoor/conf"
|
2022-01-20 14:11:46 +08:00
|
|
|
"github.com/casdoor/casdoor/idp"
|
|
|
|
|
"github.com/casdoor/casdoor/object"
|
|
|
|
|
"github.com/casdoor/casdoor/proxy"
|
|
|
|
|
"github.com/casdoor/casdoor/util"
|
2022-05-31 21:49:56 +08:00
|
|
|
"github.com/google/uuid"
|
2021-02-14 00:22:24 +08:00
|
|
|
)
|
|
|
|
|
|
2021-03-20 22:34:22 +08:00
|
|
|
func codeToResponse(code *object.Code) *Response {
|
|
|
|
|
if code.Code == "" {
|
|
|
|
|
return &Response{Status: "error", Msg: code.Message, Data: code.Code}
|
|
|
|
|
}
|
2021-08-07 22:02:56 +08:00
|
|
|
|
|
|
|
|
return &Response{Status: "ok", Msg: "", Data: code.Code}
|
2021-03-20 22:34:22 +08:00
|
|
|
}
|
|
|
|
|
|
2022-03-01 19:09:59 +08:00
|
|
|
func tokenToResponse(token *object.Token) *Response {
|
|
|
|
|
if token.AccessToken == "" {
|
|
|
|
|
return &Response{Status: "error", Msg: "fail to get accessToken", Data: token.AccessToken}
|
|
|
|
|
}
|
|
|
|
|
return &Response{Status: "ok", Msg: "", Data: token.AccessToken}
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-07 22:02:56 +08:00
|
|
|
// HandleLoggedIn ...
|
|
|
|
|
func (c *ApiController) HandleLoggedIn(application *object.Application, user *object.User, form *RequestForm) (resp *Response) {
|
2021-05-01 19:45:40 +08:00
|
|
|
userId := user.GetId()
|
2022-07-13 00:34:35 +08:00
|
|
|
|
2022-07-13 00:50:32 +08:00
|
|
|
allowed, err := object.CheckAccessPermission(userId, application)
|
2022-07-13 00:34:35 +08:00
|
|
|
if err != nil {
|
|
|
|
|
c.ResponseError(err.Error(), nil)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if !allowed {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(c.T("AuthErr.Unauthorized"))
|
2022-07-13 00:34:35 +08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-20 10:51:00 +08:00
|
|
|
if form.Type == ResponseTypeLogin {
|
2021-07-18 07:15:22 +08:00
|
|
|
c.SetSessionUsername(userId)
|
2021-03-20 10:51:00 +08:00
|
|
|
util.LogInfo(c.Ctx, "API: [%s] signed in", userId)
|
2021-03-20 13:05:34 +08:00
|
|
|
resp = &Response{Status: "ok", Msg: "", Data: userId}
|
2021-03-20 10:51:00 +08:00
|
|
|
} else if form.Type == ResponseTypeCode {
|
|
|
|
|
clientId := c.Input().Get("clientId")
|
|
|
|
|
responseType := c.Input().Get("responseType")
|
|
|
|
|
redirectUri := c.Input().Get("redirectUri")
|
|
|
|
|
scope := c.Input().Get("scope")
|
|
|
|
|
state := c.Input().Get("state")
|
2021-12-15 21:42:16 +08:00
|
|
|
nonce := c.Input().Get("nonce")
|
2022-01-21 09:29:19 +08:00
|
|
|
challengeMethod := c.Input().Get("code_challenge_method")
|
|
|
|
|
codeChallenge := c.Input().Get("code_challenge")
|
|
|
|
|
|
2022-01-30 17:58:54 +08:00
|
|
|
if challengeMethod != "S256" && challengeMethod != "null" && challengeMethod != "" {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(c.T("AuthErr.ChallengeMethodErr"))
|
2022-01-21 09:29:19 +08:00
|
|
|
return
|
|
|
|
|
}
|
2022-10-23 15:16:24 +08:00
|
|
|
code := object.GetOAuthCode(userId, clientId, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host, c.GetAcceptLanguage())
|
2021-03-20 10:51:00 +08:00
|
|
|
resp = codeToResponse(code)
|
2021-06-20 22:17:03 +08:00
|
|
|
|
2021-12-28 17:13:45 +08:00
|
|
|
if application.EnableSigninSession || application.HasPromptPage() {
|
2021-06-20 22:17:03 +08:00
|
|
|
// The prompt page needs the user to be signed in
|
2021-07-18 07:15:22 +08:00
|
|
|
c.SetSessionUsername(userId)
|
2021-06-20 22:17:03 +08:00
|
|
|
}
|
2022-08-07 12:26:14 +08:00
|
|
|
} else if form.Type == ResponseTypeToken || form.Type == ResponseTypeIdToken { // implicit flow
|
2022-03-01 19:09:59 +08:00
|
|
|
if !object.IsGrantTypeValid(form.Type, application.GrantTypes) {
|
|
|
|
|
resp = &Response{Status: "error", Msg: fmt.Sprintf("error: grant_type: %s is not supported in this application", form.Type), Data: ""}
|
|
|
|
|
} else {
|
|
|
|
|
scope := c.Input().Get("scope")
|
|
|
|
|
token, _ := object.GetTokenByUser(application, user, scope, c.Ctx.Request.Host)
|
|
|
|
|
resp = tokenToResponse(token)
|
|
|
|
|
}
|
2022-04-08 23:06:48 +08:00
|
|
|
} else if form.Type == ResponseTypeSaml { // saml flow
|
|
|
|
|
res, redirectUrl, err := object.GetSamlResponse(application, user, form.SamlRequest, c.Ctx.Request.Host)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.ResponseError(err.Error(), nil)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
resp = &Response{Status: "ok", Msg: "", Data: res, Data2: redirectUrl}
|
2022-04-04 00:09:04 +08:00
|
|
|
} else if form.Type == ResponseTypeCas {
|
2022-08-07 12:26:14 +08:00
|
|
|
// not oauth but CAS SSO protocol
|
2022-04-04 00:09:04 +08:00
|
|
|
service := c.Input().Get("service")
|
|
|
|
|
resp = wrapErrorResponse(nil)
|
|
|
|
|
if service != "" {
|
|
|
|
|
st, err := object.GenerateCasToken(userId, service)
|
|
|
|
|
if err != nil {
|
|
|
|
|
resp = wrapErrorResponse(err)
|
|
|
|
|
} else {
|
|
|
|
|
resp.Data = st
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if application.EnableSigninSession || application.HasPromptPage() {
|
|
|
|
|
// The prompt page needs the user to be signed in
|
|
|
|
|
c.SetSessionUsername(userId)
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-20 10:51:00 +08:00
|
|
|
} else {
|
2022-08-09 16:50:49 +08:00
|
|
|
resp = wrapErrorResponse(fmt.Errorf("unknown response type: %s", form.Type))
|
2021-03-20 10:51:00 +08:00
|
|
|
}
|
2021-07-18 07:54:49 +08:00
|
|
|
|
|
|
|
|
// if user did not check auto signin
|
|
|
|
|
if resp.Status == "ok" && !form.AutoSignin {
|
|
|
|
|
timestamp := time.Now().Unix()
|
|
|
|
|
timestamp += 3600 * 24
|
|
|
|
|
c.SetSessionData(&SessionData{
|
|
|
|
|
ExpireTime: timestamp,
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-20 10:51:00 +08:00
|
|
|
return resp
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-07 22:02:56 +08:00
|
|
|
// GetApplicationLogin ...
|
2021-03-29 23:40:25 +08:00
|
|
|
// @Title GetApplicationLogin
|
2021-12-03 20:42:36 +08:00
|
|
|
// @Tag Login API
|
2021-03-29 23:40:25 +08:00
|
|
|
// @Description get application login
|
|
|
|
|
// @Param clientId query string true "client id"
|
|
|
|
|
// @Param responseType query string true "response type"
|
|
|
|
|
// @Param redirectUri query string true "redirect uri"
|
|
|
|
|
// @Param scope query string true "scope"
|
|
|
|
|
// @Param state query string true "state"
|
2022-06-21 23:11:29 +08:00
|
|
|
// @Success 200 {object} Response The Response object
|
2022-05-04 19:15:13 +08:00
|
|
|
// @router /get-app-login [get]
|
2021-03-20 10:51:00 +08:00
|
|
|
func (c *ApiController) GetApplicationLogin() {
|
|
|
|
|
clientId := c.Input().Get("clientId")
|
|
|
|
|
responseType := c.Input().Get("responseType")
|
|
|
|
|
redirectUri := c.Input().Get("redirectUri")
|
|
|
|
|
scope := c.Input().Get("scope")
|
|
|
|
|
state := c.Input().Get("state")
|
|
|
|
|
|
2022-10-23 15:16:24 +08:00
|
|
|
msg, application := object.CheckOAuthLogin(clientId, responseType, redirectUri, scope, state, c.GetAcceptLanguage())
|
2022-03-02 20:58:16 +08:00
|
|
|
application = object.GetMaskedApplication(application, "")
|
2021-03-20 10:51:00 +08:00
|
|
|
if msg != "" {
|
2021-08-08 16:00:19 +08:00
|
|
|
c.ResponseError(msg, application)
|
2021-03-20 10:51:00 +08:00
|
|
|
} else {
|
2021-08-08 16:00:19 +08:00
|
|
|
c.ResponseOk(application)
|
2021-03-20 10:51:00 +08:00
|
|
|
}
|
2021-03-15 19:11:41 +08:00
|
|
|
}
|
|
|
|
|
|
2021-08-01 14:48:29 +08:00
|
|
|
func setHttpClient(idProvider idp.IdProvider, providerType string) {
|
2022-02-16 19:57:46 +08:00
|
|
|
if providerType == "GitHub" || providerType == "Google" || providerType == "Facebook" || providerType == "LinkedIn" || providerType == "Steam" {
|
2021-08-21 22:16:25 +08:00
|
|
|
idProvider.SetHttpClient(proxy.ProxyHttpClient)
|
2021-08-01 14:48:29 +08:00
|
|
|
} else {
|
2021-08-21 22:16:25 +08:00
|
|
|
idProvider.SetHttpClient(proxy.DefaultHttpClient)
|
2021-08-01 14:48:29 +08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-07 22:02:56 +08:00
|
|
|
// Login ...
|
2021-03-29 23:40:25 +08:00
|
|
|
// @Title Login
|
2021-12-03 20:42:36 +08:00
|
|
|
// @Tag Login API
|
2021-03-29 23:40:25 +08:00
|
|
|
// @Description login
|
2022-06-21 23:11:29 +08:00
|
|
|
// @Param clientId query string true clientId
|
|
|
|
|
// @Param responseType query string true responseType
|
|
|
|
|
// @Param redirectUri query string true redirectUri
|
|
|
|
|
// @Param scope query string false scope
|
|
|
|
|
// @Param state query string false state
|
|
|
|
|
// @Param nonce query string false nonce
|
|
|
|
|
// @Param code_challenge_method query string false code_challenge_method
|
|
|
|
|
// @Param code_challenge query string false code_challenge
|
|
|
|
|
// @Param form body controllers.RequestForm true "Login information"
|
|
|
|
|
// @Success 200 {object} Response The Response object
|
2021-03-29 23:40:25 +08:00
|
|
|
// @router /login [post]
|
2021-03-20 00:23:37 +08:00
|
|
|
func (c *ApiController) Login() {
|
2021-08-08 16:00:19 +08:00
|
|
|
resp := &Response{}
|
|
|
|
|
|
2021-03-20 09:11:03 +08:00
|
|
|
var form RequestForm
|
2021-03-15 00:49:16 +08:00
|
|
|
err := json.Unmarshal(c.Ctx.Input.RequestBody, &form)
|
|
|
|
|
if err != nil {
|
2021-08-08 11:06:45 +08:00
|
|
|
c.ResponseError(err.Error())
|
2021-06-09 19:54:26 +08:00
|
|
|
return
|
2021-03-15 00:49:16 +08:00
|
|
|
}
|
2021-02-14 00:22:24 +08:00
|
|
|
|
2021-03-20 00:23:37 +08:00
|
|
|
if form.Username != "" {
|
2021-03-20 13:05:34 +08:00
|
|
|
if form.Type == ResponseTypeLogin {
|
2021-07-18 07:15:22 +08:00
|
|
|
if c.GetSessionUsername() != "" {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(c.T("LoginErr.SignOutFirst"), c.GetSessionUsername())
|
2021-03-20 13:05:34 +08:00
|
|
|
return
|
|
|
|
|
}
|
2021-03-20 00:23:37 +08:00
|
|
|
}
|
2021-02-21 22:33:53 +08:00
|
|
|
|
2021-06-02 13:39:01 +08:00
|
|
|
var user *object.User
|
|
|
|
|
var msg string
|
|
|
|
|
|
|
|
|
|
if form.Password == "" {
|
|
|
|
|
var verificationCodeType string
|
2021-12-07 00:05:53 +08:00
|
|
|
var checkResult string
|
2021-06-02 13:39:01 +08:00
|
|
|
|
2022-03-15 12:54:57 +08:00
|
|
|
if form.Name != "" {
|
|
|
|
|
user = object.GetUserByFields(form.Organization, form.Name)
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-02 13:39:01 +08:00
|
|
|
// check result through Email or Phone
|
2021-12-07 00:05:53 +08:00
|
|
|
if strings.Contains(form.Username, "@") {
|
2021-06-02 13:39:01 +08:00
|
|
|
verificationCodeType = "email"
|
2022-03-15 12:54:57 +08:00
|
|
|
if user != nil && util.GetMaskedEmail(user.Email) == form.Username {
|
|
|
|
|
form.Username = user.Email
|
|
|
|
|
}
|
2022-10-23 15:16:24 +08:00
|
|
|
checkResult = object.CheckVerificationCode(form.Username, form.Code, c.GetAcceptLanguage())
|
2021-06-02 13:39:01 +08:00
|
|
|
} else {
|
|
|
|
|
verificationCodeType = "phone"
|
2021-12-07 00:05:53 +08:00
|
|
|
if len(form.PhonePrefix) == 0 {
|
2022-10-23 15:16:24 +08:00
|
|
|
responseText := fmt.Sprintf(c.T("PhoneErr.NoPrefix"), verificationCodeType)
|
2021-06-02 13:39:01 +08:00
|
|
|
c.ResponseError(responseText)
|
|
|
|
|
return
|
|
|
|
|
}
|
2022-03-15 12:54:57 +08:00
|
|
|
if user != nil && util.GetMaskedPhone(user.Phone) == form.Username {
|
|
|
|
|
form.Username = user.Phone
|
|
|
|
|
}
|
2021-12-07 00:05:53 +08:00
|
|
|
checkPhone := fmt.Sprintf("+%s%s", form.PhonePrefix, form.Username)
|
2022-10-23 15:16:24 +08:00
|
|
|
checkResult = object.CheckVerificationCode(checkPhone, form.Code, c.GetAcceptLanguage())
|
2021-06-02 13:39:01 +08:00
|
|
|
}
|
2021-12-07 00:05:53 +08:00
|
|
|
if len(checkResult) != 0 {
|
|
|
|
|
responseText := fmt.Sprintf("%s%s", verificationCodeType, checkResult)
|
|
|
|
|
c.ResponseError(responseText)
|
|
|
|
|
return
|
2021-06-02 13:39:01 +08:00
|
|
|
}
|
|
|
|
|
|
2021-12-07 00:05:53 +08:00
|
|
|
// disable the verification code
|
2022-05-30 18:26:42 +08:00
|
|
|
if strings.Contains(form.Username, "@") {
|
|
|
|
|
object.DisableVerificationCode(form.Username)
|
|
|
|
|
} else {
|
|
|
|
|
object.DisableVerificationCode(fmt.Sprintf("+%s%s", form.PhonePrefix, form.Username))
|
|
|
|
|
}
|
2021-12-07 00:05:53 +08:00
|
|
|
|
|
|
|
|
user = object.GetUserByFields(form.Organization, form.Username)
|
2021-06-02 13:39:01 +08:00
|
|
|
if user == nil {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("LoginErr.UserDoNotExist"), form.Organization, form.Username))
|
2021-06-02 13:39:01 +08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
password := form.Password
|
2022-10-23 15:16:24 +08:00
|
|
|
user, msg = object.CheckUserPassword(form.Organization, form.Username, password, c.GetAcceptLanguage())
|
2021-06-02 13:39:01 +08:00
|
|
|
}
|
2021-02-14 00:22:24 +08:00
|
|
|
|
2021-03-20 00:23:37 +08:00
|
|
|
if msg != "" {
|
2021-08-08 11:06:45 +08:00
|
|
|
resp = &Response{Status: "error", Msg: msg}
|
2021-03-20 00:23:37 +08:00
|
|
|
} else {
|
2021-06-20 22:17:03 +08:00
|
|
|
application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
|
2022-03-06 00:09:57 +08:00
|
|
|
if application == nil {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("LoginErr.AppDoNotExist"), form.Application))
|
2022-03-06 00:09:57 +08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-20 22:17:03 +08:00
|
|
|
resp = c.HandleLoggedIn(application, user, &form)
|
2021-07-07 14:59:03 +08:00
|
|
|
|
2021-11-07 16:51:16 +08:00
|
|
|
record := object.NewRecord(c.Ctx)
|
2021-07-07 14:59:03 +08:00
|
|
|
record.Organization = application.Organization
|
2021-11-07 17:20:15 +08:00
|
|
|
record.User = user.Name
|
2022-05-31 21:49:56 +08:00
|
|
|
util.SafeGoroutine(func() { object.AddRecord(record) })
|
2021-03-20 00:23:37 +08:00
|
|
|
}
|
|
|
|
|
} else if form.Provider != "" {
|
|
|
|
|
application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
|
2022-03-06 00:09:57 +08:00
|
|
|
if application == nil {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("LoginErr.AppDoNotExist"), form.Application))
|
2022-03-06 00:09:57 +08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-21 01:01:16 +08:00
|
|
|
organization := object.GetOrganization(fmt.Sprintf("%s/%s", "admin", application.Organization))
|
2021-03-20 00:23:37 +08:00
|
|
|
provider := object.GetProvider(fmt.Sprintf("admin/%s", form.Provider))
|
2021-06-14 21:35:19 +08:00
|
|
|
providerItem := application.GetProviderItem(provider.Name)
|
2021-08-08 10:50:29 +08:00
|
|
|
if !providerItem.IsProviderVisible() {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("ProviderErr.ProviderNotEnabled"), provider.Name))
|
2021-08-08 10:50:29 +08:00
|
|
|
return
|
|
|
|
|
}
|
2021-02-14 00:22:24 +08:00
|
|
|
|
2021-12-06 21:46:50 +08:00
|
|
|
userInfo := &idp.UserInfo{}
|
|
|
|
|
if provider.Category == "SAML" {
|
|
|
|
|
// SAML
|
2021-12-13 19:49:30 +08:00
|
|
|
userInfo.Id, err = object.ParseSamlResponse(form.SamlResponse, provider.Type)
|
2021-12-06 21:46:50 +08:00
|
|
|
if err != nil {
|
|
|
|
|
c.ResponseError(err.Error())
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
} else if provider.Category == "OAuth" {
|
|
|
|
|
// OAuth
|
2021-12-20 23:46:38 +08:00
|
|
|
|
|
|
|
|
clientId := provider.ClientId
|
|
|
|
|
clientSecret := provider.ClientSecret
|
|
|
|
|
if provider.Type == "WeChat" && strings.Contains(c.Ctx.Request.UserAgent(), "MicroMessenger") {
|
|
|
|
|
clientId = provider.ClientId2
|
|
|
|
|
clientSecret = provider.ClientSecret2
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-16 17:17:45 +08:00
|
|
|
idProvider := idp.GetIdProvider(provider.Type, provider.SubType, clientId, clientSecret, provider.AppId, form.RedirectUri, provider.Domain, provider.CustomAuthUrl, provider.CustomTokenUrl, provider.CustomUserInfoUrl)
|
2021-12-06 21:46:50 +08:00
|
|
|
if idProvider == nil {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("ProviderErr.ProviderNotSupported"), provider.Type))
|
2021-12-06 21:46:50 +08:00
|
|
|
return
|
|
|
|
|
}
|
2021-06-06 11:17:37 +08:00
|
|
|
|
2021-12-06 21:46:50 +08:00
|
|
|
setHttpClient(idProvider, provider.Type)
|
2021-02-14 00:22:24 +08:00
|
|
|
|
2022-03-20 23:21:09 +08:00
|
|
|
if form.State != conf.GetConfigString("authState") && form.State != application.Name {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("AuthErr.AuthStateWrong"), conf.GetConfigString("authState"), form.State))
|
2021-12-06 21:46:50 +08:00
|
|
|
return
|
|
|
|
|
}
|
2021-02-14 00:22:24 +08:00
|
|
|
|
2021-12-06 21:46:50 +08:00
|
|
|
// https://github.com/golang/oauth2/issues/123#issuecomment-103715338
|
|
|
|
|
token, err := idProvider.GetToken(form.Code)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.ResponseError(err.Error())
|
|
|
|
|
return
|
|
|
|
|
}
|
2021-02-14 00:22:24 +08:00
|
|
|
|
2021-12-06 21:46:50 +08:00
|
|
|
if !token.Valid() {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(c.T("TokenErr.InvalidToken"))
|
2021-12-06 21:46:50 +08:00
|
|
|
return
|
|
|
|
|
}
|
2021-02-21 23:51:40 +08:00
|
|
|
|
2021-12-06 21:46:50 +08:00
|
|
|
userInfo, err = idProvider.GetUserInfo(token)
|
|
|
|
|
if err != nil {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("LoginErr.LoginFail"), err.Error()))
|
2021-12-06 21:46:50 +08:00
|
|
|
return
|
|
|
|
|
}
|
2021-03-20 00:23:37 +08:00
|
|
|
}
|
2021-02-21 23:51:40 +08:00
|
|
|
|
2021-03-20 00:23:37 +08:00
|
|
|
if form.Method == "signup" {
|
2021-12-06 21:46:50 +08:00
|
|
|
user := &object.User{}
|
|
|
|
|
if provider.Category == "SAML" {
|
2021-12-13 19:49:30 +08:00
|
|
|
user = object.GetUser(fmt.Sprintf("%s/%s", application.Organization, userInfo.Id))
|
2021-12-06 21:46:50 +08:00
|
|
|
} else if provider.Category == "OAuth" {
|
2021-12-12 20:07:51 +08:00
|
|
|
user = object.GetUserByField(application.Organization, provider.Type, userInfo.Id)
|
2021-06-12 12:46:25 +08:00
|
|
|
}
|
2021-06-01 23:14:49 +08:00
|
|
|
|
2022-08-20 21:09:32 +08:00
|
|
|
if user != nil && !user.IsDeleted {
|
2021-08-08 21:36:19 +08:00
|
|
|
// Sign in via OAuth (want to sign up but already have account)
|
2021-06-14 21:35:19 +08:00
|
|
|
|
2021-08-08 21:36:19 +08:00
|
|
|
if user.IsForbidden {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(c.T("LoginErr.UserIsForbidden"))
|
2021-08-08 21:36:19 +08:00
|
|
|
}
|
2021-02-21 23:51:40 +08:00
|
|
|
|
2021-06-20 22:17:03 +08:00
|
|
|
resp = c.HandleLoggedIn(application, user, &form)
|
2021-07-07 14:59:03 +08:00
|
|
|
|
2021-11-07 16:51:16 +08:00
|
|
|
record := object.NewRecord(c.Ctx)
|
2021-07-07 14:59:03 +08:00
|
|
|
record.Organization = application.Organization
|
2021-11-07 17:20:15 +08:00
|
|
|
record.User = user.Name
|
2022-05-31 21:49:56 +08:00
|
|
|
util.SafeGoroutine(func() { object.AddRecord(record) })
|
2021-12-06 21:46:50 +08:00
|
|
|
} else if provider.Category == "OAuth" {
|
2021-06-14 21:35:19 +08:00
|
|
|
// Sign up via OAuth
|
|
|
|
|
if !application.EnableSignUp {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("LoginErr.AppNotEnableSignUp"), provider.Type, userInfo.Username, userInfo.DisplayName))
|
2021-03-26 21:55:39 +08:00
|
|
|
return
|
2021-06-14 21:35:19 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !providerItem.CanSignUp {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("LoginErr.ProviderCanNotSignUp"), provider.Type, userInfo.Username, userInfo.DisplayName, provider.Type))
|
2021-03-26 21:55:39 +08:00
|
|
|
return
|
2021-02-21 23:51:40 +08:00
|
|
|
}
|
2021-06-14 21:35:19 +08:00
|
|
|
|
2022-05-31 21:49:56 +08:00
|
|
|
// Handle username conflicts
|
|
|
|
|
tmpUser := object.GetUser(fmt.Sprintf("%s/%s", application.Organization, userInfo.Username))
|
|
|
|
|
if tmpUser != nil {
|
|
|
|
|
uid, err := uuid.NewRandom()
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.ResponseError(err.Error())
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
uidStr := strings.Split(uid.String(), "-")
|
|
|
|
|
userInfo.Username = fmt.Sprintf("%s_%s", userInfo.Username, uidStr[1])
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-14 21:35:19 +08:00
|
|
|
properties := map[string]string{}
|
|
|
|
|
properties["no"] = strconv.Itoa(len(object.GetUsers(application.Organization)) + 2)
|
2022-08-20 21:09:32 +08:00
|
|
|
initScore, err := getInitScore()
|
|
|
|
|
if err != nil {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Errorf(c.T("InitErr.InitScoreFailed"), err).Error())
|
2022-08-20 21:09:32 +08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-06 21:46:50 +08:00
|
|
|
user = &object.User{
|
2021-06-21 10:22:47 +08:00
|
|
|
Owner: application.Organization,
|
|
|
|
|
Name: userInfo.Username,
|
|
|
|
|
CreatedTime: util.GetCurrentTime(),
|
|
|
|
|
Id: util.GenerateId(),
|
|
|
|
|
Type: "normal-user",
|
|
|
|
|
DisplayName: userInfo.DisplayName,
|
|
|
|
|
Avatar: userInfo.AvatarUrl,
|
2021-08-27 23:43:43 +08:00
|
|
|
Address: []string{},
|
2021-06-21 10:22:47 +08:00
|
|
|
Email: userInfo.Email,
|
2022-08-20 21:09:32 +08:00
|
|
|
Score: initScore,
|
2021-06-21 10:22:47 +08:00
|
|
|
IsAdmin: false,
|
|
|
|
|
IsGlobalAdmin: false,
|
|
|
|
|
IsForbidden: false,
|
2021-11-06 15:52:03 +08:00
|
|
|
IsDeleted: false,
|
2021-06-21 10:22:47 +08:00
|
|
|
SignupApplication: application.Name,
|
|
|
|
|
Properties: properties,
|
2021-06-14 21:35:19 +08:00
|
|
|
}
|
|
|
|
|
// sync info from 3rd-party if possible
|
2021-06-21 00:54:07 +08:00
|
|
|
object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
|
2021-06-14 21:35:19 +08:00
|
|
|
|
2021-12-12 19:59:55 +08:00
|
|
|
affected := object.AddUser(user)
|
|
|
|
|
if !affected {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("LoginErr.InvalidUserInformation"), util.StructToJson(user)))
|
2021-12-12 19:59:55 +08:00
|
|
|
return
|
|
|
|
|
}
|
2021-12-06 21:46:50 +08:00
|
|
|
|
2021-06-14 21:35:19 +08:00
|
|
|
object.LinkUserAccount(user, provider.Type, userInfo.Id)
|
|
|
|
|
|
2021-06-20 22:17:03 +08:00
|
|
|
resp = c.HandleLoggedIn(application, user, &form)
|
2021-07-07 14:59:03 +08:00
|
|
|
|
2021-11-07 16:51:16 +08:00
|
|
|
record := object.NewRecord(c.Ctx)
|
2021-07-07 14:59:03 +08:00
|
|
|
record.Organization = application.Organization
|
2021-11-07 17:20:15 +08:00
|
|
|
record.User = user.Name
|
2022-05-31 21:49:56 +08:00
|
|
|
util.SafeGoroutine(func() { object.AddRecord(record) })
|
2022-06-01 09:34:56 +08:00
|
|
|
|
|
|
|
|
record2 := object.NewRecord(c.Ctx)
|
|
|
|
|
record2.Action = "signup"
|
|
|
|
|
record2.Organization = application.Organization
|
|
|
|
|
record2.User = user.Name
|
|
|
|
|
util.SafeGoroutine(func() { object.AddRecord(record2) })
|
2021-12-06 21:46:50 +08:00
|
|
|
} else if provider.Category == "SAML" {
|
|
|
|
|
resp = &Response{Status: "error", Msg: "The account does not exist"}
|
2021-02-14 00:22:24 +08:00
|
|
|
}
|
2022-08-07 12:26:14 +08:00
|
|
|
// resp = &Response{Status: "ok", Msg: "", Data: res}
|
2021-06-09 21:27:20 +08:00
|
|
|
} else { // form.Method != "signup"
|
2021-07-18 07:15:22 +08:00
|
|
|
userId := c.GetSessionUsername()
|
2021-03-20 00:23:37 +08:00
|
|
|
if userId == "" {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(c.T("LoginErr.AccountDoNotExist"), userInfo)
|
2021-03-20 00:23:37 +08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-06-18 23:25:24 +08:00
|
|
|
oldUser := object.GetUserByField(application.Organization, provider.Type, userInfo.Id)
|
|
|
|
|
if oldUser != nil {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("LoginErr.OldUser"), provider.Type, userInfo.Username, userInfo.DisplayName, oldUser.Name, oldUser.DisplayName))
|
2021-06-18 23:25:24 +08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-04-18 23:14:46 +08:00
|
|
|
user := object.GetUser(userId)
|
2021-04-27 19:35:40 +08:00
|
|
|
|
|
|
|
|
// sync info from 3rd-party if possible
|
2021-06-21 00:54:07 +08:00
|
|
|
object.SetUserOAuthProperties(organization, user, provider.Type, userInfo)
|
2021-04-27 19:35:40 +08:00
|
|
|
|
2021-05-31 00:55:29 +08:00
|
|
|
isLinked := object.LinkUserAccount(user, provider.Type, userInfo.Id)
|
2021-03-24 00:11:20 +08:00
|
|
|
if isLinked {
|
|
|
|
|
resp = &Response{Status: "ok", Msg: "", Data: isLinked}
|
2021-03-20 00:23:37 +08:00
|
|
|
} else {
|
2021-03-28 08:59:12 +08:00
|
|
|
resp = &Response{Status: "error", Msg: "Failed to link user account", Data: isLinked}
|
2021-03-20 00:23:37 +08:00
|
|
|
}
|
2021-02-14 00:22:24 +08:00
|
|
|
}
|
2021-03-20 00:23:37 +08:00
|
|
|
} else {
|
2021-10-09 21:15:57 +08:00
|
|
|
if c.GetSessionUsername() != "" {
|
|
|
|
|
// user already signed in to Casdoor, so let the user click the avatar button to do the quick sign-in
|
|
|
|
|
application := object.GetApplication(fmt.Sprintf("admin/%s", form.Application))
|
2022-03-06 00:09:57 +08:00
|
|
|
if application == nil {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("LoginErr.AppDoNotExist"), form.Application))
|
2022-03-06 00:09:57 +08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-09 21:15:57 +08:00
|
|
|
user := c.getCurrentUser()
|
|
|
|
|
resp = c.HandleLoggedIn(application, user, &form)
|
2022-06-01 09:34:56 +08:00
|
|
|
|
|
|
|
|
record := object.NewRecord(c.Ctx)
|
|
|
|
|
record.Organization = application.Organization
|
|
|
|
|
record.User = user.Name
|
|
|
|
|
util.SafeGoroutine(func() { object.AddRecord(record) })
|
2021-10-09 21:15:57 +08:00
|
|
|
} else {
|
2022-10-23 15:16:24 +08:00
|
|
|
c.ResponseError(fmt.Sprintf(c.T("LoginErr.UnknownAuthentication"), util.StructToJson(form)))
|
2021-10-09 21:15:57 +08:00
|
|
|
return
|
|
|
|
|
}
|
2021-02-14 00:22:24 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.Data["json"] = resp
|
|
|
|
|
c.ServeJSON()
|
|
|
|
|
}
|
2021-12-06 21:46:50 +08:00
|
|
|
|
|
|
|
|
func (c *ApiController) GetSamlLogin() {
|
|
|
|
|
providerId := c.Input().Get("id")
|
2021-12-15 21:38:00 +08:00
|
|
|
relayState := c.Input().Get("relayState")
|
2022-10-23 15:16:24 +08:00
|
|
|
authURL, method, err := object.GenerateSamlLoginUrl(providerId, relayState, c.GetAcceptLanguage())
|
2021-12-06 21:46:50 +08:00
|
|
|
if err != nil {
|
|
|
|
|
c.ResponseError(err.Error())
|
|
|
|
|
}
|
2021-12-15 21:38:00 +08:00
|
|
|
c.ResponseOk(authURL, method)
|
2021-12-06 21:46:50 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (c *ApiController) HandleSamlLogin() {
|
|
|
|
|
relayState := c.Input().Get("RelayState")
|
|
|
|
|
samlResponse := c.Input().Get("SAMLResponse")
|
2021-12-10 00:23:04 +08:00
|
|
|
decode, err := base64.StdEncoding.DecodeString(relayState)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.ResponseError(err.Error())
|
|
|
|
|
}
|
|
|
|
|
slice := strings.Split(string(decode), "&")
|
|
|
|
|
relayState = url.QueryEscape(relayState)
|
2021-12-06 21:46:50 +08:00
|
|
|
samlResponse = url.QueryEscape(samlResponse)
|
2021-12-10 00:23:04 +08:00
|
|
|
targetUrl := fmt.Sprintf("%s?relayState=%s&samlResponse=%s",
|
|
|
|
|
slice[4], relayState, samlResponse)
|
2021-12-06 21:46:50 +08:00
|
|
|
c.Redirect(targetUrl, 303)
|
|
|
|
|
}
|
