gsathecat
/
lemmy
mirror of https://github.com/LemmyNet/lemmy.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge 45c0a0030a into 78702b59fd

pull/4881/merge
privacyguard 2024-07-07 02:31:35 +03:00 committed by GitHub
parent 78702b59fd 45c0a0030a
commit ce191709d3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
60 changed files with 1532 additions and 611 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

774
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

13
Cargo.toml
View File

@ -44,7 +44,7 @@ console = [
"opentelemetry",
"opentelemetry-otlp",
"tracing-opentelemetry",
"reqwest-tracing/opentelemetry_0_16",
"reqwest-tracing/opentelemetry_0_19",
]
json-log = ["tracing-subscriber/json"]
default = []
@ -121,9 +121,14 @@ tracing-error = "0.2.0"
tracing-log = "0.2.0"
tracing-subscriber = { version = "0.3.18", features = ["env-filter"] }
url = { version = "2.5.0", features = ["serde"] }
reqwest = { version = "0.11.27", features = ["json", "blocking", "gzip"] }
reqwest = { version = "0.11.27", features = [
"json",
"blocking",
"gzip",
"rustls-tls-native-roots",
] }
reqwest-middleware = "0.2.5"
reqwest-tracing = "0.4.8"
reqwest-tracing = { version = "0.4.8", features = ["opentelemetry_0_19"] }
clokwerk = "0.4.0"
doku = { version = "0.21.1", features = ["url-2"] }
bcrypt = "0.15.1"
@ -168,6 +173,8 @@ i-love-jesus = { version = "0.1.0" }
clap = { version = "4.5.6", features = ["derive", "env"] }
pretty_assertions = "1.4.0"
derive-new = "0.6.0"
sha3 = "0.10.8"
rand = "0.8.5"
[dependencies]
lemmy_api = { workspace = true }

3
config/defaults.hjson
View File

@ -102,6 +102,9 @@
}
# the domain name of your instance (mandatory)
hostname: "unset"
# the domain name of your lemmy-ui instance used for OAUTH2 (defaults to the backend instance
# hostname)
hostname_ui: "example.com"
# Address where lemmy should listen for incoming requests
bind: "0.0.0.0"
# Port where lemmy should listen for incoming requests

12
crates/api/src/local_user/change_password.rs
View File

@ -28,11 +28,13 @@ pub async fn change_password(
}
// Check the old password
let valid: bool = verify(
&data.old_password,
&local_user_view.local_user.password_encrypted,
)
.unwrap_or(false);
let valid: bool = if let Some(password_encrypted) = &local_user_view.local_user.password_encrypted
{
verify(&data.old_password, password_encrypted).unwrap_or(false)
} else {
data.old_password.is_empty()
};
if !valid {
Err(LemmyErrorType::IncorrectLogin)?
}

46
crates/api/src/local_user/login.rs
View File

@ -1,4 +1,4 @@
use crate::{check_totp_2fa_valid, local_user::check_email_verified};
use crate::check_totp_2fa_valid;
use actix_web::{
web::{Data, Json},
HttpRequest,
@ -8,12 +8,7 @@ use lemmy_api_common::{
claims::Claims,
context::LemmyContext,
person::{Login, LoginResponse},
utils::check_user_valid,
};
use lemmy_db_schema::{
source::{local_site::LocalSite, registration_application::RegistrationApplication},
utils::DbPool,
RegistrationMode,
utils::{check_email_verified, check_registration_application, check_user_valid},
};
use lemmy_db_views::structs::{LocalUserView, SiteView};
use lemmy_utils::error::{LemmyErrorType, LemmyResult};
@ -36,11 +31,13 @@ pub async fn login(
.ok_or(LemmyErrorType::IncorrectLogin)?;
// Verify the password
let valid: bool = verify(
&data.password,
&local_user_view.local_user.password_encrypted,
)
.unwrap_or(false);
let valid: bool = if let Some(password_encrypted) = &local_user_view.local_user.password_encrypted
{
verify(&data.password, password_encrypted).unwrap_or(false)
} else {
false
};
if !valid {
Err(LemmyErrorType::IncorrectLogin)?
}
@ -67,28 +64,3 @@ pub async fn login(
registration_created: false,
}))
}
async fn check_registration_application(
local_user_view: &LocalUserView,
local_site: &LocalSite,
pool: &mut DbPool<'_>,
) -> LemmyResult<()> {
if (local_site.registration_mode == RegistrationMode::RequireApplication
|| local_site.registration_mode == RegistrationMode::Closed)
&& !local_user_view.local_user.accepted_application
&& !local_user_view.local_user.admin
{
// Fetch the registration application. If no admin id is present its still pending. Otherwise it
// was processed (either accepted or denied).
let local_user_id = local_user_view.local_user.id;
let registration = RegistrationApplication::find_by_local_user_id(pool, local_user_id)
.await?
.ok_or(LemmyErrorType::CouldntFindRegistrationApplication)?;
if registration.admin_id.is_some() {
Err(LemmyErrorType::RegistrationDenied(registration.deny_reason))?
} else {
Err(LemmyErrorType::RegistrationApplicationIsPending)?
}
}
Ok(())
}

15
crates/api/src/local_user/mod.rs
View File

@ -1,6 +1,3 @@
use lemmy_db_views::structs::{LocalUserView, SiteView};
use lemmy_utils::{error::LemmyResult, LemmyErrorType};
pub mod add_admin;
pub mod ban_person;
pub mod block;
@ -20,15 +17,3 @@ pub mod save_settings;
pub mod update_totp;
pub mod validate_auth;
pub mod verify_email;
/// Check if the user's email is verified if email verification is turned on
/// However, skip checking verification if the user is an admin
fn check_email_verified(local_user_view: &LocalUserView, site_view: &SiteView) -> LemmyResult<()> {
if !local_user_view.local_user.admin
&& site_view.local_site.require_email_verification
&& !local_user_view.local_user.email_verified
{
Err(LemmyErrorType::EmailNotVerified)?
}
Ok(())
}

3
crates/api/src/local_user/reset_password.rs
View File

@ -1,9 +1,8 @@
use crate::local_user::check_email_verified;
use actix_web::web::{Data, Json};
use lemmy_api_common::{
context::LemmyContext,
person::PasswordReset,
utils::send_password_reset_email,
utils::{check_email_verified, send_password_reset_email},
SuccessResponse,
};
use lemmy_db_views::structs::{LocalUserView, SiteView};

3
crates/api/src/site/leave_admin.rs
View File

@ -7,6 +7,7 @@ use lemmy_db_schema::{
local_site_url_blocklist::LocalSiteUrlBlocklist,
local_user::{LocalUser, LocalUserUpdateForm},
moderator::{ModAdd, ModAddForm},
oauth_provider::OAuthProvider,
tagline::Tagline,
},
traits::Crud,
@ -65,6 +66,7 @@ pub async fn leave_admin(
let taglines = Tagline::get_all(&mut context.pool(), site_view.local_site.id).await?;
let custom_emojis =
CustomEmojiView::get_all(&mut context.pool(), site_view.local_site.id).await?;
let oauth_providers = OAuthProvider::get_all(&mut context.pool()).await?;
let blocked_urls = LocalSiteUrlBlocklist::get_all(&mut context.pool()).await?;
Ok(Json(GetSiteResponse {
@ -76,6 +78,7 @@ pub async fn leave_admin(
discussion_languages,
taglines,
custom_emojis,
oauth_providers,
blocked_urls,
}))
}

2
crates/api_common/src/claims.rs
View File

@ -118,7 +118,7 @@ mod tests {
let local_user_form = LocalUserInsertForm::builder()
.person_id(inserted_person.id)
.password_encrypted("123456".to_string())
.password_encrypted(Some("123456".to_string()))
.build();
let inserted_local_user = LocalUser::create(pool, &local_user_form, vec![])

1
crates/api_common/src/lib.rs
View File

@ -7,6 +7,7 @@ pub mod community;
#[cfg(feature = "full")]
pub mod context;
pub mod custom_emoji;
pub mod oauth_provider;
pub mod person;
pub mod post;
pub mod private_message;

83
crates/api_common/src/oauth_provider.rs 100644
View File

@ -0,0 +1,83 @@
use lemmy_db_schema::newtypes::OAuthProviderId;
use serde::{Deserialize, Serialize};
use serde_with::skip_serializing_none;
#[cfg(feature = "full")]
use ts_rs::TS;
use url::Url;
#[derive(Debug, Serialize, Deserialize, Clone)]
#[cfg_attr(feature = "full", derive(TS))]
#[cfg_attr(feature = "full", ts(export))]
/// Create an external auth method.
pub struct CreateOAuthProvider {
pub display_name: String,
pub issuer: String,
pub authorization_endpoint: String,
pub token_endpoint: String,
pub userinfo_endpoint: String,
pub id_claim: String,
pub name_claim: String,
pub client_id: String,
pub client_secret: String,
pub scopes: String,
pub auto_verify_email: bool,
pub auto_approve_application: bool,
pub account_linking_enabled: bool,
pub enabled: bool,
}
#[derive(Debug, Serialize, Deserialize, Clone)]
#[cfg_attr(feature = "full", derive(TS))]
#[cfg_attr(feature = "full", ts(export))]
/// Edit an external auth method.
pub struct EditOAuthProvider {
#[cfg_attr(feature = "full", ts(type = "string"))]
pub id: OAuthProviderId,
pub display_name: String,
pub authorization_endpoint: String,
pub token_endpoint: String,
pub userinfo_endpoint: String,
pub id_claim: String,
pub name_claim: String,
pub client_secret: String,
pub scopes: String,
pub auto_verify_email: bool,
pub auto_approve_application: bool,
pub account_linking_enabled: bool,
pub enabled: bool,
}
#[derive(Debug, Serialize, Deserialize, Clone, Default)]
#[cfg_attr(feature = "full", derive(TS))]
#[cfg_attr(feature = "full", ts(export))]
/// Delete an external auth method.
pub struct DeleteOAuthProvider {
#[cfg_attr(feature = "full", ts(type = "string"))]
pub id: OAuthProviderId,
}
#[skip_serializing_none]
#[derive(Debug, Serialize, Deserialize, Clone)]
#[cfg_attr(feature = "full", derive(TS))]
#[cfg_attr(feature = "full", ts(export))]
/// Logging in with an OAuth 2.0 authorization
pub struct AuthenticateWithOauth {
pub code: String,
#[cfg_attr(feature = "full", ts(type = "string"))]
pub oauth_provider_id: OAuthProviderId,
#[cfg_attr(feature = "full", ts(type = "string"))]
pub redirect_uri: Url,
}
#[skip_serializing_none]
#[derive(Debug, Serialize, Deserialize, Clone, Default)]
#[cfg_attr(feature = "full", derive(TS))]
#[cfg_attr(feature = "full", ts(export))]
/// Response from OAuth token endpoint
pub struct TokenResponse {
pub access_token: String,
pub token_type: String,
pub expires_in: Option<i64>,
pub refresh_token: Option<String>,
pub scope: Option<String>,
}

1
crates/api_common/src/request.rs
View File

@ -38,6 +38,7 @@ pub fn client_builder(settings: &Settings) -> ClientBuilder {
.user_agent(user_agent.clone())
.timeout(REQWEST_TIMEOUT)
.connect_timeout(REQWEST_TIMEOUT)
.use_rustls_tls()
}
/// Fetches metadata for the given link and optionally generates thumbnail.

6
crates/api_common/src/site.rs
View File

@ -7,6 +7,7 @@ use lemmy_db_schema::{
instance::Instance,
language::Language,
local_site_url_blocklist::LocalSiteUrlBlocklist,
oauth_provider::OAuthProvider,
tagline::Tagline,
},
ListingType,
@ -192,6 +193,7 @@ pub struct CreateSite {
pub blocked_instances: Option<Vec<String>>,
pub taglines: Option<Vec<String>>,
pub registration_mode: Option<RegistrationMode>,
pub oauth_registration: Option<bool>,
pub content_warning: Option<String>,
pub default_post_listing_mode: Option<PostListingMode>,
}
@ -274,6 +276,8 @@ pub struct EditSite {
/// A list of taglines shown at the top of the front page.
pub taglines: Option<Vec<String>>,
pub registration_mode: Option<RegistrationMode>,
/// Whether or not external auth methods can auto-register users.
pub oauth_registration: Option<bool>,
/// Whether to email admins for new reports.
pub reports_email_admins: Option<bool>,
/// If present, nsfw content is visible by default. Should be displayed by frontends/clients
@ -308,6 +312,8 @@ pub struct GetSiteResponse {
pub taglines: Vec<Tagline>,
/// A list of custom emojis your site supports.
pub custom_emojis: Vec<CustomEmojiView>,
/// A list of external auth methods your site supports.
pub oauth_providers: Vec<OAuthProvider>,
pub blocked_urls: Vec<LocalSiteUrlBlocklist>,
}

44
crates/api_common/src/utils.rs
View File

@ -27,14 +27,16 @@ use lemmy_db_schema::{
person::{Person, PersonUpdateForm},
person_block::PersonBlock,
post::{Post, PostRead},
registration_application::RegistrationApplication,
site::Site,
},
traits::Crud,
utils::DbPool,
RegistrationMode,
};
use lemmy_db_views::{
comment_view::CommentQuery,
structs::{LocalImageView, LocalUserView},
structs::{LocalImageView, LocalUserView, SiteView},
};
use lemmy_db_views_actor::structs::{
CommunityModeratorView,
@ -192,6 +194,46 @@ pub fn check_user_valid(person: &Person) -> LemmyResult<()> {
}
}
/// Check if the user's email is verified if email verification is turned on
/// However, skip checking verification if the user is an admin
pub fn check_email_verified(
local_user_view: &LocalUserView,
site_view: &SiteView,
) -> LemmyResult<()> {
if !local_user_view.local_user.admin
&& site_view.local_site.require_email_verification
&& !local_user_view.local_user.email_verified
{
Err(LemmyErrorType::EmailNotVerified)?
}
Ok(())
}
pub async fn check_registration_application(
local_user_view: &LocalUserView,
local_site: &LocalSite,
pool: &mut DbPool<'_>,
) -> LemmyResult<()> {
if (local_site.registration_mode == RegistrationMode::RequireApplication
|| local_site.registration_mode == RegistrationMode::Closed)
&& !local_user_view.local_user.accepted_application
&& !local_user_view.local_user.admin
{
// Fetch the registration application. If no admin id is present its still pending. Otherwise it
// was processed (either accepted or denied).
let local_user_id = local_user_view.local_user.id;
let registration = RegistrationApplication::find_by_local_user_id(pool, local_user_id)
.await?
.ok_or(LemmyErrorType::CouldntFindRegistrationApplication)?;
if registration.admin_id.is_some() {
Err(LemmyErrorType::RegistrationDenied(registration.deny_reason))?
} else {
Err(LemmyErrorType::RegistrationApplicationIsPending)?
}
}
Ok(())
}
/// Checks that a normal user action (eg posting or voting) is allowed in a given community.
///
/// In particular it checks that neither the user nor community are banned or deleted, and that

3
crates/api_crud/Cargo.toml
View File

@ -30,6 +30,9 @@ once_cell.workspace = true
anyhow.workspace = true
webmention = "0.5.0"
accept-language = "3.1.0"
serde_json = { workspace = true }
sha3 = { workspace = true }
rand = { workspace = true }
[package.metadata.cargo-machete]
ignored = ["futures"]

1
crates/api_crud/src/lib.rs
View File

@ -1,6 +1,7 @@
pub mod comment;
pub mod community;
pub mod custom_emoji;
pub mod oauth_provider;
pub mod post;
pub mod private_message;
pub mod site;

59
crates/api_crud/src/oauth_provider/create.rs 100644
View File

@ -0,0 +1,59 @@
use activitypub_federation::config::Data;
use actix_web::web::Json;
use lemmy_api_common::{
context::LemmyContext,
oauth_provider::CreateOAuthProvider,
utils::is_admin,
};
use lemmy_db_schema::{
newtypes::OAuthProviderId,
source::oauth_provider::{OAuthProvider, OAuthProviderInsertForm, UnsafeOAuthProvider},
traits::Crud,
};
use lemmy_db_views::structs::LocalUserView;
use lemmy_utils::error::LemmyError;
use sha3::{
digest::{ExtendableOutput, Update, XofReader},
Shake128,
};
use url::Url;
#[tracing::instrument(skip(context))]
pub async fn create_oauth_provider(
data: Json<CreateOAuthProvider>,
context: Data<LemmyContext>,
local_user_view: LocalUserView,
) -> Result<Json<OAuthProvider>, LemmyError> {
// Make sure user is an admin
is_admin(&local_user_view)?;
// hash the issuer and client_id to create a deterministic i64 id
let mut hasher = Shake128::default();
hasher.update(data.issuer.as_bytes());
hasher.update(data.client_id.as_bytes());
let mut reader = hasher.finalize_xof();
let mut id_bytes = [0u8; 8];
reader.read(&mut id_bytes);
let cloned_data = data.clone();
let oauth_provider_form = OAuthProviderInsertForm {
id: OAuthProviderId(i64::from_ne_bytes(id_bytes)),
display_name: cloned_data.display_name,
issuer: Url::parse(&cloned_data.issuer)?.into(),
authorization_endpoint: Url::parse(&cloned_data.authorization_endpoint)?.into(),
token_endpoint: Url::parse(&cloned_data.token_endpoint)?.into(),
userinfo_endpoint: Url::parse(&cloned_data.userinfo_endpoint)?.into(),
id_claim: cloned_data.id_claim,
name_claim: cloned_data.name_claim,
client_id: data.client_id.to_string(),
client_secret: data.client_secret.to_string(),
scopes: data.scopes.to_string(),
auto_verify_email: data.auto_verify_email,
auto_approve_application: data.auto_approve_application,
account_linking_enabled: data.account_linking_enabled,
enabled: data.enabled,
};
let unsafe_oauth_provider =
UnsafeOAuthProvider::create(&mut context.pool(), &oauth_provider_form).await?;
Ok(Json(OAuthProvider::from_unsafe(&unsafe_oauth_provider)))
}

23
crates/api_crud/src/oauth_provider/delete.rs 100644
View File

@ -0,0 +1,23 @@
use activitypub_federation::config::Data;
use actix_web::web::Json;
use lemmy_api_common::{
context::LemmyContext,
oauth_provider::DeleteOAuthProvider,
utils::is_admin,
SuccessResponse,
};
use lemmy_db_schema::{source::oauth_provider::UnsafeOAuthProvider, traits::Crud};
use lemmy_db_views::structs::LocalUserView;
use lemmy_utils::error::LemmyError;
#[tracing::instrument(skip(context))]
pub async fn delete_oauth_provider(
data: Json<DeleteOAuthProvider>,
context: Data<LemmyContext>,
local_user_view: LocalUserView,
) -> Result<Json<SuccessResponse>, LemmyError> {
// Make sure user is an admin
is_admin(&local_user_view)?;
UnsafeOAuthProvider::delete(&mut context.pool(), data.id).await?;
Ok(Json(SuccessResponse::default()))
}

3
crates/api_crud/src/oauth_provider/mod.rs 100644
View File

@ -0,0 +1,3 @@
pub mod create;
pub mod delete;
pub mod update;

49
crates/api_crud/src/oauth_provider/update.rs 100644
View File

@ -0,0 +1,49 @@
use activitypub_federation::config::Data;
use actix_web::web::Json;
use lemmy_api_common::{context::LemmyContext, oauth_provider::EditOAuthProvider, utils::is_admin};
use lemmy_db_schema::{
source::oauth_provider::{OAuthProvider, OAuthProviderUpdateForm, UnsafeOAuthProvider},
traits::Crud,
utils::naive_now,
};
use lemmy_db_views::structs::LocalUserView;
use lemmy_utils::{error::LemmyError, LemmyErrorType};
use url::Url;
#[tracing::instrument(skip(context))]
pub async fn update_oauth_provider(
data: Json<EditOAuthProvider>,
context: Data<LemmyContext>,
local_user_view: LocalUserView,
) -> Result<Json<OAuthProvider>, LemmyError> {
// Make sure user is an admin
is_admin(&local_user_view)?;
let cloned_data = data.clone();
let oauth_provider_form = OAuthProviderUpdateForm {
display_name: cloned_data.display_name,
authorization_endpoint: Url::parse(&cloned_data.authorization_endpoint)?.into(),
token_endpoint: Url::parse(&cloned_data.token_endpoint)?.into(),
userinfo_endpoint: Url::parse(&cloned_data.userinfo_endpoint)?.into(),
id_claim: data.id_claim.to_string(),
name_claim: data.name_claim.to_string(),
client_secret: if !data.client_secret.is_empty() {
Some(data.client_secret.to_string())
} else {
None
},
scopes: data.scopes.to_string(),
auto_verify_email: data.auto_verify_email,
auto_approve_application: data.auto_approve_application,
account_linking_enabled: data.account_linking_enabled,
enabled: data.enabled,
updated: naive_now(),
};
let update_result =
UnsafeOAuthProvider::update(&mut context.pool(), data.id, &oauth_provider_form).await?;
let unsafe_oauth_provider = UnsafeOAuthProvider::read(&mut context.pool(), update_result.id)
.await?
.ok_or(LemmyErrorType::CouldntFindOauthProvider)?;
Ok(Json(OAuthProvider::from_unsafe(&unsafe_oauth_provider)))
}

13
crates/api_crud/src/site/create.rs
View File

@ -231,6 +231,7 @@ mod tests {
None::<bool>,
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -255,6 +256,7 @@ mod tests {
None::<bool>,
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -279,6 +281,7 @@ mod tests {
None::<bool>,
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -303,6 +306,7 @@ mod tests {
None::<bool>,
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -327,6 +331,7 @@ mod tests {
Some(true),
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -351,6 +356,7 @@ mod tests {
Some(true),
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -375,6 +381,7 @@ mod tests {
None::<bool>,
None::<String>,
Some(RegistrationMode::RequireApplication),
None::<bool>,
),
),
];
@ -433,6 +440,7 @@ mod tests {
None::<bool>,
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -456,6 +464,7 @@ mod tests {
Some(true),
Some(String::new()),
Some(RegistrationMode::Open),
None::<bool>,
),
),
(
@ -479,6 +488,7 @@ mod tests {
None::<bool>,
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -502,6 +512,7 @@ mod tests {
None::<bool>,
None::<String>,
Some(RegistrationMode::RequireApplication),
None::<bool>,
),
),
];
@ -552,6 +563,7 @@ mod tests {
site_is_federated: Option<bool>,
site_application_question: Option<String>,
site_registration_mode: Option<RegistrationMode>,
site_oauth_registration: Option<bool>,
) -> CreateSite {
CreateSite {
name: site_name,
@ -594,6 +606,7 @@ mod tests {
blocked_instances: None,
taglines: None,
registration_mode: site_registration_mode,
oauth_registration: site_oauth_registration,
content_warning: None,
default_post_listing_mode: None,
}

33
crates/api_crud/src/site/read.rs
View File

@ -7,6 +7,7 @@ use lemmy_db_schema::source::{
actor_language::{LocalUserLanguage, SiteLanguage},
language::Language,
local_site_url_blocklist::LocalSiteUrlBlocklist,
oauth_provider::OAuthProvider,
tagline::Tagline,
};
use lemmy_db_views::structs::{CustomEmojiView, LocalUserView, SiteView};
@ -44,13 +45,14 @@ pub async fn get_site(
let site_view = SiteView::read_local(&mut context.pool())
.await?
.ok_or(LemmyErrorType::LocalSiteNotSetup)?;
let admins = PersonView::admins(&mut context.pool()).await?;
let admins: Vec<PersonView> = PersonView::admins(&mut context.pool()).await?;
let all_languages = Language::read_all(&mut context.pool()).await?;
let discussion_languages = SiteLanguage::read_local_raw(&mut context.pool()).await?;
let taglines = Tagline::get_all(&mut context.pool(), site_view.local_site.id).await?;
let custom_emojis =
CustomEmojiView::get_all(&mut context.pool(), site_view.local_site.id).await?;
let blocked_urls = LocalSiteUrlBlocklist::get_all(&mut context.pool()).await?;
let oauth_providers = OAuthProvider::get_all(&mut context.pool()).await?;
Ok(GetSiteResponse {
site_view,
admins,
@ -61,6 +63,7 @@ pub async fn get_site(
taglines,
custom_emojis,
blocked_urls,
oauth_providers,
})
})
.await
@ -89,6 +92,11 @@ pub async fn get_site(
))
.with_lemmy_type(LemmyErrorType::SystemErrLogin)?;
// filter oauth_providers for normal users
if !local_user_view.local_user.admin {
filter_oauth_providers(&mut site_response.oauth_providers);
}
Some(MyUserInfo {
local_user_view,
follows,
@ -99,8 +107,31 @@ pub async fn get_site(
discussion_languages,
})
} else {
// filter oauth_providers for public access
filter_oauth_providers(&mut site_response.oauth_providers);
None
};
Ok(Json(site_response))
}
fn filter_oauth_providers(oauth_providers: &mut Vec<OAuthProvider>) {
oauth_providers.retain_mut(|oauth_provider| {
if oauth_provider.enabled.unwrap_or(false) {
oauth_provider.issuer = None;
oauth_provider.token_endpoint = None;
oauth_provider.userinfo_endpoint = None;
oauth_provider.id_claim = None;
oauth_provider.name_claim = None;
oauth_provider.auto_verify_email = None;
oauth_provider.auto_approve_application = None;
oauth_provider.account_linking_enabled = None;
oauth_provider.enabled = None;
oauth_provider.published = None;
oauth_provider.updated = None;
true
} else {
false
}
})
}

13
crates/api_crud/src/site/update.rs
View File

@ -122,6 +122,7 @@ pub async fn update_site(
captcha_difficulty: data.captcha_difficulty.clone(),
reports_email_admins: data.reports_email_admins,
default_post_listing_mode: data.default_post_listing_mode,
oauth_registration: data.oauth_registration,
..Default::default()
};
@ -283,6 +284,7 @@ mod tests {
None::<bool>,
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -306,6 +308,7 @@ mod tests {
None::<bool>,
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -329,6 +332,7 @@ mod tests {
None::<bool>,
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -352,6 +356,7 @@ mod tests {
Some(true),
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -375,6 +380,7 @@ mod tests {
Some(true),
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -398,6 +404,7 @@ mod tests {
None::<bool>,
None::<String>,
Some(RegistrationMode::RequireApplication),
None::<bool>,
),
),
];
@ -452,6 +459,7 @@ mod tests {
None::<bool>,
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -474,6 +482,7 @@ mod tests {
Some(true),
Some(String::new()),
Some(RegistrationMode::Open),
None::<bool>,
),
),
(
@ -496,6 +505,7 @@ mod tests {
None::<bool>,
None::<String>,
None::<RegistrationMode>,
None::<bool>,
),
),
(
@ -518,6 +528,7 @@ mod tests {
None::<bool>,
None::<String>,
Some(RegistrationMode::RequireApplication),
None::<bool>,
),
),
];
@ -566,6 +577,7 @@ mod tests {
site_is_federated: Option<bool>,
site_application_question: Option<String>,
site_registration_mode: Option<RegistrationMode>,
site_oauth_registration: Option<bool>,
) -> EditSite {
EditSite {
name: site_name,
@ -612,6 +624,7 @@ mod tests {
reports_email_admins: None,
content_warning: None,
default_post_listing_mode: None,
oauth_registration: site_oauth_registration,
}
}
}

356
crates/api_crud/src/user/create.rs
View File

@ -3,8 +3,12 @@ use actix_web::{web::Json, HttpRequest};
use lemmy_api_common::{
claims::Claims,
context::LemmyContext,
oauth_provider::{AuthenticateWithOauth, TokenResponse},
person::{LoginResponse, Register},
utils::{
check_email_verified,
check_registration_application,
check_user_valid,
generate_inbox_url,
generate_local_apub_endpoint,
generate_shared_inbox_url,
@ -18,11 +22,15 @@ use lemmy_api_common::{
};
use lemmy_db_schema::{
aggregates::structs::PersonAggregates,
newtypes::{InstanceId, OAuthProviderId},
source::{
captcha_answer::{CaptchaAnswer, CheckCaptchaAnswer},
language::Language,
local_site::LocalSite,
local_user::{LocalUser, LocalUserInsertForm},
local_user_vote_display_mode::LocalUserVoteDisplayMode,
oauth_account::{OAuthAccount, OAuthAccountInsertForm},
oauth_provider::UnsafeOAuthProvider,
person::{Person, PersonInsertForm},
registration_application::{RegistrationApplication, RegistrationApplicationInsertForm},
},
@ -31,15 +39,15 @@ use lemmy_db_schema::{
};
use lemmy_db_views::structs::{LocalUserView, SiteView};
use lemmy_utils::{
error::{LemmyErrorExt, LemmyErrorType, LemmyResult},
error::{LemmyError, LemmyErrorExt, LemmyErrorType, LemmyResult},
utils::{
slurs::{check_slurs, check_slurs_opt},
validation::is_valid_actor_name,
},
};
use rand::Rng;
use std::collections::HashSet;
#[tracing::instrument(skip(context))]
pub async fn register(
data: Json<Register>,
req: HttpRequest,
@ -95,14 +103,6 @@ pub async fn register(
check_slurs(&data.username, &slur_regex)?;
check_slurs_opt(&data.answer, &slur_regex)?;
let actor_keypair = generate_actor_keypair()?;
is_valid_actor_name(&data.username, local_site.actor_name_max_length as usize)?;
let actor_id = generate_local_apub_endpoint(
EndpointType::Person,
&data.username,
&context.settings().get_protocol_and_hostname(),
)?;
if let Some(email) = &data.email {
if LocalUser::is_email_taken(&mut context.pool(), email).await? {
Err(LemmyErrorType::EmailAlreadyExists)?
@ -110,24 +110,13 @@ pub async fn register(
}
// We have to create both a person, and local_user
// Register the new person
let person_form = PersonInsertForm {
actor_id: Some(actor_id.clone()),
inbox_url: Some(generate_inbox_url(&actor_id)?),
shared_inbox_url: Some(generate_shared_inbox_url(context.settings())?),
private_key: Some(actor_keypair.private_key),
..PersonInsertForm::new(
data.username.clone(),
actor_keypair.public_key,
site_view.site.instance_id,
)
};
// insert the person
let inserted_person = Person::create(&mut context.pool(), &person_form)
.await
.with_lemmy_type(LemmyErrorType::UserAlreadyExists)?;
let inserted_person = create_person(
data.username.clone(),
&local_site,
site_view.site.instance_id,
&context,
)
.await?;
// Automatically set their application as accepted, if they created this with open registration.
// Also fixes a bug which allows users to log in when registrations are changed to closed.
@ -153,7 +142,7 @@ pub async fn register(
let local_user_form = LocalUserInsertForm::builder()
.person_id(inserted_person.id)
.email(data.email.as_deref().map(str::to_lowercase))
.password_encrypted(data.password.to_string())
.password_encrypted(Some(data.password.to_string()))
.show_nsfw(Some(show_nsfw))
.accepted_application(accepted_application)
.default_listing_type(Some(local_site.default_post_listing_type))
@ -238,3 +227,312 @@ pub async fn register(
Ok(Json(login_response))
}
#[tracing::instrument(skip(context))]
pub async fn authenticate_with_oauth(
data: Json<AuthenticateWithOauth>,
req: HttpRequest,
context: Data<LemmyContext>,
) -> LemmyResult<Json<LoginResponse>> {
let site_view = SiteView::read_local(&mut context.pool())
.await?
.ok_or(LemmyErrorType::LocalSiteNotSetup)?;
let local_site: LocalSite = site_view.local_site.clone();
// validate inputs
if data.oauth_provider_id == OAuthProviderId(0i64)
|| data.code.is_empty()
|| data.code.len() > 300
{
return Err(LemmyErrorType::OauthAuthorizationInvalid)?;
}
// validate the redirect_uri
let redirect_uri = &data.redirect_uri;
if !redirect_uri
.host_str()
.unwrap_or("")
.eq(context.settings().get_ui_hostname())
|| !redirect_uri
.scheme()
.eq(context.settings().get_protocol_string())
|| !redirect_uri.path().eq(&String::from("/oauth/callback"))
|| !redirect_uri.query().unwrap_or("").is_empty()
{
Err(LemmyErrorType::OauthAuthorizationInvalid)?
}
// Fetch the OAUTH provider and make sure it's enabled
let oauth_provider_id = data.oauth_provider_id;
let oauth_provider = UnsafeOAuthProvider::read(&mut context.pool(), oauth_provider_id)
.await
.ok()
.ok_or(LemmyErrorType::OauthAuthorizationInvalid)?
.ok_or(LemmyErrorType::OauthAuthorizationInvalid)?;
if !oauth_provider.enabled {
return Err(LemmyErrorType::OauthAuthorizationInvalid)?;
}
// Request an Access Token from the OAUTH provider
let response = context
.client()
.post(oauth_provider.token_endpoint.as_str())
.header("Accept", "application/json")
.form(&[
("grant_type", "authorization_code"),
("code", &data.code),
("redirect_uri", redirect_uri.as_str()),
("client_id", &oauth_provider.client_id),
("client_secret", &oauth_provider.client_secret),
])
.send()
.await;
if response.is_err() {
return Err(LemmyErrorType::OauthLoginFailed)?;
}
let response = response.expect("invalid oauth token endpoint response");
if !response.status().is_success() {
return Err(LemmyErrorType::OauthLoginFailed)?;
}
// Extract the access token
let token_response = response
.json::<TokenResponse>()
.await
.ok()
.ok_or(LemmyErrorType::OauthLoginFailed)?;
// Request the user info from the OAUTH provider
let response = context
.client()
.get(oauth_provider.userinfo_endpoint.as_str())
.header("Accept", "application/json")
.bearer_auth(token_response.access_token)
.send()
.await;
if response.is_err() {
return Err(LemmyErrorType::OauthLoginFailed)?;
}
let response = response.expect("invalid oauth userinfo response");
if !response.status().is_success() {
return Err(LemmyErrorType::OauthLoginFailed)?;
}
// Extract the OAUTH user_id claim from the returned user_info
let user_info = response
.json::<serde_json::Value>()
.await
.ok()
.ok_or(LemmyErrorType::OauthLoginFailed)?;
let oauth_user_id: String;
if let Some(oauth_user_id_value) = user_info.get(oauth_provider.id_claim) {
oauth_user_id = serde_json::from_value::<String>(oauth_user_id_value.clone())
.ok()
.ok_or(LemmyErrorType::OauthLoginFailed)?;
} else {
return Err(LemmyErrorType::OauthLoginFailed)?;
}
let mut login_response = LoginResponse {
jwt: None,
registration_created: false,
verify_email_sent: false,
};
// Lookup user by oauth_user_id
let mut local_user_view =
LocalUserView::find_by_oauth_id(&mut context.pool(), oauth_provider.id, &oauth_user_id).await?;
let local_user: LocalUser;
if let Some(user_view) = local_user_view {
// user found by oauth_user_id => Login user
local_user = user_view.clone().local_user;
check_user_valid(&user_view.person)?;
check_email_verified(&user_view, &site_view)?;
check_registration_application(&user_view, &site_view.local_site, &mut context.pool()).await?;
} else {
// user has never previously registered using oauth
// prevent registration if registration is closed
if local_site.registration_mode == RegistrationMode::Closed {
Err(LemmyErrorType::RegistrationClosed)?
}
// prevent registration if registration is closed for OAUTH providers
if !local_site.oauth_registration {
return Err(LemmyErrorType::OauthRegistrationClosed)?;
}
// Extract the OAUTH email claim from the returned user_info
let email: String;
if let Some(email_value) = user_info.get("email") {
email = serde_json::from_value::<String>(email_value.clone())
.ok()
.ok_or(LemmyErrorType::OauthLoginFailed)?;
} else {
return Err(LemmyErrorType::OauthLoginFailed)?;
}
// Lookup user by OAUTH email and link accounts
local_user_view = LocalUserView::find_by_email(&mut context.pool(), &email).await?;
let person;
if let Some(user_view) = local_user_view {
// user found by email => link and login if linking is allowed
if oauth_provider.account_linking_enabled {
// Link with OAUTH => Login user
let oauth_account_form =
OAuthAccountInsertForm::new(user_view.local_user.id, oauth_provider.id, oauth_user_id);
OAuthAccount::create(&mut context.pool(), &oauth_account_form)
.await
.ok()
.ok_or(LemmyErrorType::OauthLoginFailed)?;
local_user = user_view.local_user;
person = user_view.person;
} else {
// email already registered
return Err(LemmyErrorType::EmailAlreadyExists)?;
}
} else {
// No user was found by email => Register as new user
// Extract the OAUTH name claim from the returned user_info
let user_name: String;
if let Some(user_name_value) = user_info.get(oauth_provider.name_claim) {
user_name = serde_json::from_value::<String>(user_name_value.clone())
.ok()
.ok_or(LemmyErrorType::OauthLoginFailed)?;
} else {
return Err(LemmyErrorType::OauthLoginFailed)?;
}
// remove spaces from username
let username = str::replace(&user_name, " ", "_");
let username = username + &rand::thread_rng().gen_range(0..999).to_string();
// check for slurs
let slur_regex = local_site_to_slur_regex(&local_site);
check_slurs(&username, &slur_regex)
.ok()
.ok_or(LemmyErrorType::OauthLoginFailed)?;
// We have to create a person, a local_user, and an oauth_account
person = create_person(username, &local_site, site_view.site.instance_id, &context).await?;
// Create the local user
let local_user_form = LocalUserInsertForm::builder()
.person_id(person.id)
.email(Some(str::to_lowercase(&email)))
.password_encrypted(None)
.show_nsfw(Some(false))
.accepted_application(Some(oauth_provider.auto_approve_application))
.email_verified(Some(oauth_provider.auto_verify_email))
.default_listing_type(Some(local_site.default_post_listing_type))
// If its the initial site setup, they are an admin
.admin(Some(!local_site.site_setup))
.build();
local_user = LocalUser::create(&mut context.pool(), &local_user_form, vec![])
.await
.ok()
.ok_or(LemmyErrorType::OauthLoginFailed)?;
// Create the oauth account
let oauth_account_form =
OAuthAccountInsertForm::new(local_user.id, oauth_provider.id, oauth_user_id);
OAuthAccount::create(&mut context.pool(), &oauth_account_form)
.await
.ok()
.ok_or(LemmyErrorType::IncorrectLogin)?;
}
// prevent sign in until application is accepted
if local_site.site_setup
&& local_site.registration_mode == RegistrationMode::RequireApplication
&& !local_user.accepted_application
&& !local_user.admin
{
// Create the registration application
let form = RegistrationApplicationInsertForm {
local_user_id: local_user.id,
answer: String::from("SSO ") + &oauth_provider.display_name,
};
RegistrationApplication::create(&mut context.pool(), &form).await?;
login_response.registration_created = true;
}
// Check email is verified when required
if !local_user.admin && local_site.require_email_verification && !local_user.email_verified {
let local_user_view = LocalUserView {
local_user: local_user.clone(),
local_user_vote_display_mode: LocalUserVoteDisplayMode::default(),
person,
counts: PersonAggregates::default(),
};
send_verification_email(
&local_user_view,
&local_user
.email
.clone()
.expect("invalid verification email"),
&mut context.pool(),
context.settings(),
)
.await?;
login_response.verify_email_sent = true;
}
}
if !login_response.registration_created && !login_response.verify_email_sent {
let jwt = Claims::generate(local_user.id, req, &context).await?;
login_response.jwt = Some(jwt);
}
return Ok(Json(login_response));
}
async fn create_person(
username: String,
local_site: &LocalSite,
instance_id: InstanceId,
context: &Data<LemmyContext>,
) -> Result<Person, LemmyError> {
let actor_keypair = generate_actor_keypair()?;
is_valid_actor_name(&username, local_site.actor_name_max_length as usize)?;
let actor_id = generate_local_apub_endpoint(
EndpointType::Person,
&username,
&context.settings().get_protocol_and_hostname(),
)?;
// Register the new person
let person_form = PersonInsertForm {
actor_id: Some(actor_id.clone()),
inbox_url: Some(generate_inbox_url(&actor_id)?),
shared_inbox_url: Some(generate_shared_inbox_url(context.settings())?),
private_key: Some(actor_keypair.private_key),
..PersonInsertForm::new(username.clone(), actor_keypair.public_key, instance_id)
};
// insert the person
let inserted_person = Person::create(&mut context.pool(), &person_form)
.await
.with_lemmy_type(LemmyErrorType::UserAlreadyExists)?;
Ok(inserted_person)
}

11
crates/api_crud/src/user/delete.rs
View File

@ -19,11 +19,12 @@ pub async fn delete_account(
local_user_view: LocalUserView,
) -> LemmyResult<Json<SuccessResponse>> {
// Verify the password
let valid: bool = verify(
&data.password,
&local_user_view.local_user.password_encrypted,
)
.unwrap_or(false);
let valid: bool = if let Some(password_encrypted) = &local_user_view.local_user.password_encrypted
{
verify(&data.password, password_encrypted).unwrap_or(false)
} else {
false
};
if !valid {
Err(LemmyErrorType::IncorrectLogin)?
}

2
crates/apub/src/api/user_settings_backup.rs
View File

@ -347,7 +347,7 @@ mod tests {
let user_form = LocalUserInsertForm::builder()
.person_id(person.id)
.password_encrypted("pass".to_string())
.password_encrypted(Some("pass".to_string()))
.build();
let local_user = LocalUser::create(&mut context.pool(), &user_form, vec![]).await?;

4
crates/db_schema/src/impls/actor_language.rs
View File

@ -535,7 +535,7 @@ mod tests {
let person = Person::create(pool, &person_form).await.unwrap();
let local_user_form = LocalUserInsertForm::builder()
.person_id(person.id)
.password_encrypted("my_pw".to_string())
.password_encrypted(Some("my_pw".to_string()))
.build();
let local_user = LocalUser::create(pool, &local_user_form, vec![])
@ -647,7 +647,7 @@ mod tests {
let person = Person::create(pool, &person_form).await.unwrap();
let local_user_form = LocalUserInsertForm::builder()
.person_id(person.id)
.password_encrypted("my_pw".to_string())
.password_encrypted(Some("my_pw".to_string()))
.build();
let local_user = LocalUser::create(pool, &local_user_form, vec![])
.await

12
crates/db_schema/src/impls/local_user.rs
View File

@ -32,9 +32,11 @@ impl LocalUser {
) -> Result<LocalUser, Error> {
let conn = &mut get_conn(pool).await?;
let mut form_with_encrypted_password = form.clone();
let password_hash =
hash(&form.password_encrypted, DEFAULT_COST).expect("Couldn't hash password");
form_with_encrypted_password.password_encrypted = password_hash;
if let Some(password_encrypted) = &form.password_encrypted {
let password_hash = hash(password_encrypted, DEFAULT_COST).expect("Couldn't hash password");
form_with_encrypted_password.password_encrypted = Some(password_hash);
}
let local_user_ = insert_into(local_user::table)
.values(form_with_encrypted_password)
@ -58,7 +60,7 @@ impl LocalUser {
form: &LocalUserUpdateForm,
) -> Result<usize, Error> {
let conn = &mut get_conn(pool).await?;
let res = diesel::update(local_user::table.find(local_user_id))
let res: Result<usize, Error> = diesel::update(local_user::table.find(local_user_id))
.set(form)
.execute(conn)
.await;
@ -259,7 +261,7 @@ impl LocalUserInsertForm {
pub fn test_form(person_id: PersonId) -> Self {
Self::builder()
.person_id(person_id)
.password_encrypted(String::new())
.password_encrypted(Some(String::new()))
.build()
}
}

2
crates/db_schema/src/impls/mod.rs
View File

@ -22,6 +22,8 @@ pub mod local_user;
pub mod local_user_vote_display_mode;
pub mod login_token;
pub mod moderator;
pub mod oauth_account;
pub mod oauth_provider;
pub mod password_reset_request;
pub mod person;
pub mod person_block;

35
crates/db_schema/src/impls/oauth_account.rs 100644
View File

@ -0,0 +1,35 @@
use crate::{
newtypes::OAuthAccountId,
schema::oauth_account,
source::oauth_account::{OAuthAccount, OAuthAccountInsertForm, OAuthAccountUpdateForm},
traits::Crud,
utils::{get_conn, DbPool},
};
use diesel::{dsl::insert_into, result::Error, QueryDsl};
use diesel_async::RunQueryDsl;
#[async_trait]
impl Crud for OAuthAccount {
type InsertForm = OAuthAccountInsertForm;
type UpdateForm = OAuthAccountUpdateForm;
type IdType = OAuthAccountId;
async fn create(pool: &mut DbPool<'_>, form: &Self::InsertForm) -> Result<Self, Error> {
let conn = &mut get_conn(pool).await?;
insert_into(oauth_account::table)
.values(form)
.get_result::<Self>(conn)
.await
}
async fn update(
pool: &mut DbPool<'_>,
oauth_account_id: OAuthAccountId,
form: &Self::UpdateForm,
) -> Result<Self, Error> {
let conn = &mut get_conn(pool).await?;
diesel::update(oauth_account::table.find(oauth_account_id))
.set(form)
.get_result::<Self>(conn)
.await
}
}

88
crates/db_schema/src/impls/oauth_provider.rs 100644
View File

@ -0,0 +1,88 @@
use crate::{
newtypes::OAuthProviderId,
schema::oauth_provider,
source::oauth_provider::{
OAuthProvider,
OAuthProviderInsertForm,
OAuthProviderUpdateForm,
UnsafeOAuthProvider,
},
traits::Crud,
utils::{get_conn, DbPool},
};
use diesel::{dsl::insert_into, result::Error, QueryDsl};
use diesel_async::RunQueryDsl;
#[async_trait]
impl Crud for UnsafeOAuthProvider {
type InsertForm = OAuthProviderInsertForm;
type UpdateForm = OAuthProviderUpdateForm;
type IdType = OAuthProviderId;
async fn create(pool: &mut DbPool<'_>, form: &Self::InsertForm) -> Result<Self, Error> {
let conn = &mut get_conn(pool).await?;
insert_into(oauth_provider::table)
.values(form)
.get_result::<Self>(conn)
.await
}
async fn update(
pool: &mut DbPool<'_>,
oauth_provider_id: OAuthProviderId,
form: &Self::UpdateForm,
) -> Result<Self, Error> {
let conn = &mut get_conn(pool).await?;
diesel::update(oauth_provider::table.find(oauth_provider_id))
.set(form)
.get_result::<Self>(conn)
.await
}
}
impl UnsafeOAuthProvider {
pub async fn get_all(pool: &mut DbPool<'_>) -> Result<Vec<Self>, Error> {
let conn = &mut get_conn(pool).await?;
let oauth_providers = oauth_provider::table
.order(oauth_provider::id)
.select(oauth_provider::all_columns)
.load::<UnsafeOAuthProvider>(conn)
.await?;
Ok(oauth_providers)
}
}
impl OAuthProvider {
pub async fn get_all(pool: &mut DbPool<'_>) -> Result<Vec<Self>, Error> {
let oauth_providers = UnsafeOAuthProvider::get_all(pool).await?;
let mut result = Vec::<OAuthProvider>::new();
for oauth_provider in &oauth_providers {
result.push(Self::from_unsafe(oauth_provider));
}
Ok(result)
}
pub fn from_unsafe(unsafe_oauth_provider: &UnsafeOAuthProvider) -> Self {
OAuthProvider {
id: unsafe_oauth_provider.id,
display_name: unsafe_oauth_provider.display_name.clone(),
issuer: Some(unsafe_oauth_provider.issuer.clone()),
authorization_endpoint: unsafe_oauth_provider.authorization_endpoint.clone(),
token_endpoint: Some(unsafe_oauth_provider.token_endpoint.clone()),
userinfo_endpoint: Some(unsafe_oauth_provider.userinfo_endpoint.clone()),
id_claim: Some(unsafe_oauth_provider.id_claim.clone()),
name_claim: Some(unsafe_oauth_provider.name_claim.clone()),
client_id: unsafe_oauth_provider.client_id.clone(),
scopes: unsafe_oauth_provider.scopes.clone(),
auto_verify_email: Some(unsafe_oauth_provider.auto_verify_email),
auto_approve_application: Some(unsafe_oauth_provider.auto_approve_application),
account_linking_enabled: Some(unsafe_oauth_provider.account_linking_enabled),
enabled: Some(unsafe_oauth_provider.enabled),
published: Some(unsafe_oauth_provider.published),
updated: unsafe_oauth_provider.updated,
}
}
}

2
crates/db_schema/src/impls/password_reset_request.rs
View File

@ -74,7 +74,7 @@ mod tests {
let inserted_person = Person::create(pool, &new_person).await?;
let new_local_user = LocalUserInsertForm::builder()
.person_id(inserted_person.id)
.password_encrypted("pass".to_string())
.password_encrypted(Some("pass".to_string()))
.build();
let inserted_local_user = LocalUser::create(pool, &new_local_user, vec![]).await?;

29
crates/db_schema/src/newtypes.rs
View File

@ -148,6 +148,20 @@ pub struct LocalSiteId(i32);
/// The custom emoji id.
pub struct CustomEmojiId(i32);
#[repr(transparent)]
#[derive(Debug, Copy, Clone, Hash, Eq, PartialEq, Serialize, Deserialize, Default)]
#[cfg_attr(feature = "full", derive(DieselNewType, TS))]
#[cfg_attr(feature = "full", ts(export))]
#[serde(into = "String", from = "String")]
/// The oauth provider id.
pub struct OAuthProviderId(pub i64);
#[derive(Debug, Copy, Clone, Hash, Eq, PartialEq, Serialize, Deserialize, Default)]
#[cfg_attr(feature = "full", derive(DieselNewType, TS))]
#[cfg_attr(feature = "full", ts(export))]
/// The oauth account id.
pub struct OAuthAccountId(pub i32);
#[cfg(feature = "full")]
#[derive(Serialize, Deserialize)]
#[serde(remote = "Ltree")]
@ -272,6 +286,21 @@ where
}
}
impl From<OAuthProviderId> for String {
fn from(id: OAuthProviderId) -> Self {
id.0.to_string()
}
}
impl From<String> for OAuthProviderId {
fn from(id: String) -> Self {
OAuthProviderId(
id.parse::<i64>()
.expect("OAuthProviderID is not a valid integer"),
)
}
}
impl InstanceId {
pub fn inner(self) -> i32 {
self.0

39
crates/db_schema/src/schema.rs
View File

@ -393,6 +393,7 @@ diesel::table! {
federation_signed_fetch -> Bool,
default_post_listing_mode -> PostListingModeEnum,
default_sort_type -> SortTypeEnum,
oauth_registration -> Bool,
}
}
@ -436,7 +437,7 @@ diesel::table! {
local_user (id) {
id -> Int4,
person_id -> Int4,
password_encrypted -> Text,
password_encrypted -> Nullable<Text>,
email -> Nullable<Text>,
show_nsfw -> Bool,
theme -> Text,
@ -613,6 +614,39 @@ diesel::table! {
}
}
diesel::table! {
oauth_account (id) {
id -> Int4,
local_user_id -> Int4,
oauth_provider_id -> Int8,
oauth_user_id -> Text,
published -> Timestamptz,
updated -> Nullable<Timestamptz>,
}
}
diesel::table! {
oauth_provider (id) {
id -> Int8,
display_name -> Text,
issuer -> Text,
authorization_endpoint -> Text,
token_endpoint -> Text,
userinfo_endpoint -> Text,
id_claim -> Text,
name_claim -> Text,
client_id -> Text,
client_secret -> Text,
scopes -> Text,
auto_verify_email -> Bool,
auto_approve_application -> Bool,
account_linking_enabled -> Bool,
enabled -> Bool,
published -> Timestamptz,
updated -> Nullable<Timestamptz>,
}
}
diesel::table! {
password_reset_request (id) {
id -> Int4,
@ -1005,6 +1039,7 @@ diesel::joinable!(mod_remove_community -> person (mod_person_id));
diesel::joinable!(mod_remove_post -> person (mod_person_id));
diesel::joinable!(mod_remove_post -> post (post_id));
diesel::joinable!(mod_transfer_community -> community (community_id));
diesel::joinable!(oauth_account -> local_user (local_user_id));
diesel::joinable!(password_reset_request -> local_user (local_user_id));
diesel::joinable!(person -> instance (instance_id));
diesel::joinable!(person_aggregates -> person (person_id));
@ -1086,6 +1121,8 @@ diesel::allow_tables_to_appear_in_same_query!(
mod_remove_community,
mod_remove_post,
mod_transfer_community,
oauth_account,
oauth_provider,
password_reset_request,
person,
person_aggregates,

4
crates/db_schema/src/source/local_site.rs
View File

@ -70,6 +70,8 @@ pub struct LocalSite {
pub default_post_listing_mode: PostListingMode,
/// Default value for [LocalUser.post_listing_mode]
pub default_sort_type: SortType,
/// Whether or not external auth methods can auto-register users.
pub oauth_registration: bool,
}
#[derive(Clone, TypedBuilder)]
@ -97,6 +99,7 @@ pub struct LocalSiteInsertForm {
pub captcha_enabled: Option<bool>,
pub captcha_difficulty: Option<String>,
pub registration_mode: Option<RegistrationMode>,
pub oauth_registration: Option<bool>,
pub reports_email_admins: Option<bool>,
pub federation_signed_fetch: Option<bool>,
pub default_post_listing_mode: Option<PostListingMode>,
@ -125,6 +128,7 @@ pub struct LocalSiteUpdateForm {
pub captcha_enabled: Option<bool>,
pub captcha_difficulty: Option<String>,
pub registration_mode: Option<RegistrationMode>,
pub oauth_registration: Option<bool>,
pub reports_email_admins: Option<bool>,
pub updated: Option<Option<DateTime<Utc>>>,
pub federation_signed_fetch: Option<bool>,

4
crates/db_schema/src/source/local_user.rs
View File

@ -25,7 +25,7 @@ pub struct LocalUser {
/// The person_id for the local user.
pub person_id: PersonId,
#[serde(skip)]
pub password_encrypted: SensitiveString,
pub password_encrypted: Option<SensitiveString>,
pub email: Option<SensitiveString>,
/// Whether to show NSFW content.
pub show_nsfw: bool,
@ -77,7 +77,7 @@ pub struct LocalUserInsertForm {
#[builder(!default)]
pub person_id: PersonId,
#[builder(!default)]
pub password_encrypted: String,
pub password_encrypted: Option<String>,
pub email: Option<String>,
pub show_nsfw: Option<bool>,
pub theme: Option<String>,

2
crates/db_schema/src/source/mod.rs
View File

@ -27,6 +27,8 @@ pub mod local_user;
pub mod local_user_vote_display_mode;
pub mod login_token;
pub mod moderator;
pub mod oauth_account;
pub mod oauth_provider;
pub mod password_reset_request;
pub mod person;
pub mod person_block;

41
crates/db_schema/src/source/oauth_account.rs 100644
View File

@ -0,0 +1,41 @@
use crate::newtypes::{LocalUserId, OAuthAccountId, OAuthProviderId};
#[cfg(feature = "full")]
use crate::schema::oauth_account;
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use serde_with::skip_serializing_none;
#[cfg(feature = "full")]
use ts_rs::TS;
#[skip_serializing_none]
#[derive(Clone, PartialEq, Eq, Debug, Serialize, Deserialize)]
#[cfg_attr(feature = "full", derive(Queryable, Selectable, Identifiable, TS))]
#[cfg_attr(feature = "full", diesel(table_name = oauth_account))]
#[cfg_attr(feature = "full", diesel(check_for_backend(diesel::pg::Pg)))]
#[cfg_attr(feature = "full", ts(export))]
/// An auth account method.
pub struct OAuthAccount {
pub id: OAuthAccountId,
pub local_user_id: LocalUserId,
pub oauth_provider_id: OAuthProviderId,
pub oauth_user_id: String,
pub published: DateTime<Utc>,
pub updated: Option<DateTime<Utc>>,
}
#[derive(Debug, Clone, derive_new::new)]
#[cfg_attr(feature = "full", derive(Insertable, AsChangeset))]
#[cfg_attr(feature = "full", diesel(table_name = oauth_account))]
pub struct OAuthAccountInsertForm {
pub local_user_id: LocalUserId,
pub oauth_provider_id: OAuthProviderId,
pub oauth_user_id: String,
}
#[derive(Debug, Clone, derive_new::new)]
#[cfg_attr(feature = "full", derive(Insertable, AsChangeset))]
#[cfg_attr(feature = "full", diesel(table_name = oauth_account))]
pub struct OAuthAccountUpdateForm {
pub oauth_provider_id: OAuthProviderId,
pub oauth_user_id: String,
}

159
crates/db_schema/src/source/oauth_provider.rs 100644
View File

@ -0,0 +1,159 @@
use crate::newtypes::{DbUrl, OAuthProviderId};
#[cfg(feature = "full")]
use crate::schema::oauth_provider;
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use serde_with::skip_serializing_none;
#[cfg(feature = "full")]
use ts_rs::TS;
#[skip_serializing_none]
#[derive(Clone, PartialEq, Eq, Debug, Serialize, Deserialize)]
#[cfg_attr(feature = "full", derive(Queryable, Selectable, Identifiable, TS))]
#[cfg_attr(feature = "full", diesel(table_name = oauth_provider))]
#[cfg_attr(feature = "full", diesel(check_for_backend(diesel::pg::Pg)))]
/// oauth provider with client_secret - should never be sent to the client
pub struct UnsafeOAuthProvider {
#[cfg_attr(feature = "full", ts(type = "string"))]
pub id: OAuthProviderId,
/// The OAuth 2.0 provider name displayed to the user on the Login page
pub display_name: String,
/// The issuer url of the OAUTH provider.
#[cfg_attr(feature = "full", ts(type = "string"))]
pub issuer: DbUrl,
/// The authorization endpoint is used to interact with the resource owner and obtain an
/// authorization grant. This is usually provided by the OAUTH provider.
#[cfg_attr(feature = "full", ts(type = "string"))]
pub authorization_endpoint: DbUrl,
/// The token endpoint is used by the client to obtain an access token by presenting its
/// authorization grant or refresh token. This is usually provided by the OAUTH provider.
#[cfg_attr(feature = "full", ts(type = "string"))]
pub token_endpoint: DbUrl,
/// The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the
/// authenticated End-User. This is defined in the OIDC specification.
#[cfg_attr(feature = "full", ts(type = "string"))]
pub userinfo_endpoint: DbUrl,
/// The OAuth 2.0 claim containing the unique user ID returned by the provider. Usually this
/// should be set to "sub".
pub id_claim: String,
/// The OAuth 2.0 claim containing the user name returned by the provider. This depends on the
/// provider and could be "name", "username", ...
pub name_claim: String,
/// The client_id is provided by the OAuth 2.0 provider and is a unique identifier to this
/// service
pub client_id: String,
/// The client_secret is provided by the OAuth 2.0 provider and is used to authenticate this
/// service with the provider
#[serde(skip)]
pub client_secret: String,
/// Lists the scopes requested from users. Users will have to grant access to the requested scope
/// at sign up.
pub scopes: String,
/// Automatically sets email as verified on registration
pub auto_verify_email: bool,
/// Automatically approves user application on registration
pub auto_approve_application: bool,
/// Allows linking an OAUTH account to an existing user account by matching emails
pub account_linking_enabled: bool,
/// switch to enable or disable an oauth provider
pub enabled: bool,
pub published: DateTime<Utc>,
pub updated: Option<DateTime<Utc>>,
}
#[skip_serializing_none]
#[derive(Clone, PartialEq, Eq, Debug, Serialize, Deserialize)]
#[cfg_attr(feature = "full", derive(TS))]
#[cfg_attr(feature = "full", ts(export))]
pub struct OAuthProvider {
#[cfg_attr(feature = "full", ts(type = "string"))]
pub id: OAuthProviderId,
/// The OAuth 2.0 provider name displayed to the user on the Login page
pub display_name: String,
/// The issuer url of the OAUTH provider.
#[cfg_attr(feature = "full", ts(type = "string"))]
pub issuer: Option<DbUrl>,
/// The authorization endpoint is used to interact with the resource owner and obtain an
/// authorization grant. This is usually provided by the OAUTH provider.
#[cfg_attr(feature = "full", ts(type = "string"))]
pub authorization_endpoint: DbUrl,
/// The token endpoint is used by the client to obtain an access token by presenting its
/// authorization grant or refresh token. This is usually provided by the OAUTH provider.
#[cfg_attr(feature = "full", ts(type = "string"))]
pub token_endpoint: Option<DbUrl>,
/// The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the
/// authenticated End-User. This is defined in the OIDC specification.
#[cfg_attr(feature = "full", ts(type = "string"))]
pub userinfo_endpoint: Option<DbUrl>,
/// The OAuth 2.0 claim containing the unique user ID returned by the provider. Usually this
/// should be set to "sub".
pub id_claim: Option<String>,
/// The OAuth 2.0 claim containing the user name returned by the provider. This depends on the
/// provider and could be "name", "username", ...
pub name_claim: Option<String>,
/// The client_id is provided by the OAuth 2.0 provider and is a unique identifier to this
/// service
pub client_id: String,
/// Lists the scopes requested from users. Users will have to grant access to the requested scope
/// at sign up.
pub scopes: String,
/// Automatically sets email as verified on registration
pub auto_verify_email: Option<bool>,
/// Automatically approves user application on registration
pub auto_approve_application: Option<bool>,
/// Allows linking an OAUTH account to an existing user account by matching emails
pub account_linking_enabled: Option<bool>,
/// switch to enable or disable an oauth provider
pub enabled: Option<bool>,
pub published: Option<DateTime<Utc>>,
pub updated: Option<DateTime<Utc>>,
}
#[derive(Debug, Clone)]
#[cfg_attr(feature = "full", derive(Insertable, AsChangeset, TS))]
#[cfg_attr(feature = "full", diesel(table_name = oauth_provider))]
#[cfg_attr(feature = "full", ts(export))]
pub struct OAuthProviderInsertForm {
pub id: OAuthProviderId,
pub display_name: String,
#[cfg_attr(feature = "full", ts(type = "string"))]
pub issuer: DbUrl,
#[cfg_attr(feature = "full", ts(type = "string"))]
pub authorization_endpoint: DbUrl,
#[cfg_attr(feature = "full", ts(type = "string"))]
pub token_endpoint: DbUrl,
#[cfg_attr(feature = "full", ts(type = "string"))]
pub userinfo_endpoint: DbUrl,
pub id_claim: String,
pub name_claim: String,
pub client_id: String,
pub client_secret: String,
pub scopes: String,
pub auto_verify_email: bool,
pub auto_approve_application: bool,
pub account_linking_enabled: bool,
pub enabled: bool,
}
#[derive(Debug, Clone)]
#[cfg_attr(feature = "full", derive(Insertable, AsChangeset, TS))]
#[cfg_attr(feature = "full", diesel(table_name = oauth_provider))]
#[cfg_attr(feature = "full", ts(export))]
pub struct OAuthProviderUpdateForm {
pub display_name: String,
#[cfg_attr(feature = "full", ts(type = "string"))]
pub authorization_endpoint: DbUrl,
#[cfg_attr(feature = "full", ts(type = "string"))]
pub token_endpoint: DbUrl,
#[cfg_attr(feature = "full", ts(type = "string"))]
pub userinfo_endpoint: DbUrl,
pub id_claim: String,
pub name_claim: String,
pub client_secret: Option<String>,
pub scopes: String,
pub auto_verify_email: bool,
pub auto_approve_application: bool,
pub account_linking_enabled: bool,
pub enabled: bool,
pub updated: DateTime<Utc>,
}

2
crates/db_views/src/comment_report_view.rs
View File

@ -303,7 +303,7 @@ mod tests {
let new_local_user = LocalUserInsertForm::builder()
.person_id(inserted_timmy.id)
.password_encrypted("123".to_string())
.password_encrypted(Some("123".to_string()))
.build();
let timmy_local_user = LocalUser::create(pool, &new_local_user, vec![])
.await

2
crates/db_views/src/comment_view.rs
View File

@ -493,7 +493,7 @@ mod tests {
let timmy_local_user_form = LocalUserInsertForm::builder()
.person_id(inserted_timmy_person.id)
.admin(Some(true))
.password_encrypted(String::new())
.password_encrypted(Some(String::new()))
.build();
let inserted_timmy_local_user = LocalUser::create(pool, &timmy_local_user_form, vec![]).await?;

34
crates/db_views/src/local_user_view.rs
View File

@ -3,8 +3,8 @@ use actix_web::{dev::Payload, FromRequest, HttpMessage, HttpRequest};
use diesel::{result::Error, BoolExpressionMethods, ExpressionMethods, JoinOnDsl, QueryDsl};
use diesel_async::RunQueryDsl;
use lemmy_db_schema::{
newtypes::{LocalUserId, PersonId},
schema::{local_user, local_user_vote_display_mode, person, person_aggregates},
newtypes::{LocalUserId, OAuthProviderId, PersonId},
schema::{local_user, local_user_vote_display_mode, oauth_account, person, person_aggregates},
utils::{
functions::{coalesce, lower},
DbConn,
@ -23,6 +23,7 @@ enum ReadBy<'a> {
Name(&'a str),
NameOrEmail(&'a str),
Email(&'a str),
OAuthID(OAuthProviderId, &'a str),
}
enum ListMode {
@ -58,12 +59,21 @@ fn queries<'a>(
),
_ => query,
};
query
let query = query
.inner_join(local_user_vote_display_mode::table)
.inner_join(person_aggregates::table.on(person::id.eq(person_aggregates::person_id)))
.select(selection)
.first(&mut conn)
.await
.inner_join(person_aggregates::table.on(person::id.eq(person_aggregates::person_id)));
if let ReadBy::OAuthID(oauth_provider_id, oauth_user_id) = search {
query
.inner_join(oauth_account::table)
.filter(oauth_account::oauth_provider_id.eq(oauth_provider_id))
.filter(oauth_account::oauth_user_id.eq(oauth_user_id))
.select(selection)
.first(&mut conn)
.await
} else {
query.select(selection).first(&mut conn).await
}
};
let list = move |mut conn: DbConn<'a>, mode: ListMode| async move {
@ -120,6 +130,16 @@ impl LocalUserView {
queries().read(pool, ReadBy::Email(from_email)).await
}
pub async fn find_by_oauth_id(
pool: &mut DbPool<'_>,
oauth_provider_id: OAuthProviderId,
oauth_user_id: &str,
) -> Result<Option<Self>, Error> {
queries()
.read(pool, ReadBy::OAuthID(oauth_provider_id, oauth_user_id))
.await
}
pub async fn list_admins_with_emails(pool: &mut DbPool<'_>) -> Result<Vec<Self>, Error> {
queries().list(pool, ListMode::AdminsWithEmails).await
}

2
crates/db_views/src/post_report_view.rs
View File

@ -325,7 +325,7 @@ mod tests {
let new_local_user = LocalUserInsertForm::builder()
.person_id(inserted_timmy.id)
.password_encrypted("123".to_string())
.password_encrypted(Some("123".to_string()))
.build();
let timmy_local_user = LocalUser::create(pool, &new_local_user, vec![])
.await

6
crates/db_views/src/registration_application_view.rs
View File

@ -169,7 +169,7 @@ mod tests {
let timmy_local_user_form = LocalUserInsertForm::builder()
.person_id(inserted_timmy_person.id)
.password_encrypted("nada".to_string())
.password_encrypted(Some("nada".to_string()))
.admin(Some(true))
.build();
@ -183,7 +183,7 @@ mod tests {
let sara_local_user_form = LocalUserInsertForm::builder()
.person_id(inserted_sara_person.id)
.password_encrypted("nada".to_string())
.password_encrypted(Some("nada".to_string()))
.build();
let inserted_sara_local_user = LocalUser::create(pool, &sara_local_user_form, vec![])
@ -211,7 +211,7 @@ mod tests {
let jess_local_user_form = LocalUserInsertForm::builder()
.person_id(inserted_jess_person.id)
.password_encrypted("nada".to_string())
.password_encrypted(Some("nada".to_string()))
.build();
let inserted_jess_local_user = LocalUser::create(pool, &jess_local_user_form, vec![])

2
crates/db_views_actor/src/community_view.rs
View File

@ -290,7 +290,7 @@ mod tests {
let local_user_form = LocalUserInsertForm::builder()
.person_id(inserted_person.id)
.password_encrypted(String::new())
.password_encrypted(Some(String::new()))
.build();
let local_user = LocalUser::create(pool, &local_user_form, vec![])
.await

4
crates/db_views_actor/src/person_view.rs
View File

@ -198,7 +198,7 @@ mod tests {
let alice = Person::create(pool, &alice_form).await?;
let alice_local_user_form = LocalUserInsertForm::builder()
.person_id(alice.id)
.password_encrypted(String::new())
.password_encrypted(Some(String::new()))
.build();
let alice_local_user = LocalUser::create(pool, &alice_local_user_form, vec![]).await?;
@ -210,7 +210,7 @@ mod tests {
let bob = Person::create(pool, &bob_form).await?;
let bob_local_user_form = LocalUserInsertForm::builder()
.person_id(bob.id)
.password_encrypted(String::new())
.password_encrypted(Some(String::new()))
.build();
let bob_local_user = LocalUser::create(pool, &bob_local_user_form, vec![]).await?;

3
crates/routes/src/images.rs
View File

@ -4,8 +4,7 @@ use actix_web::{
header::{HeaderName, ACCEPT_ENCODING, HOST},
StatusCode,
},
web,
web::Query,
web::{self, Query},
HttpRequest,
HttpResponse,
};

4
crates/utils/src/error.rs
View File

@ -53,6 +53,7 @@ pub enum LemmyErrorType {
CouldntFindCommentReply,
CouldntFindPrivateMessage,
CouldntFindActivity,
CouldntFindOauthProvider,
PersonIsBlocked,
CommunityIsBlocked,
InstanceIsBlocked,
@ -176,6 +177,9 @@ pub enum LemmyErrorType {
CantBlockLocalInstance,
UrlWithoutDomain,
InboxTimeout,
OauthAuthorizationInvalid,
OauthLoginFailed,
OauthRegistrationClosed,
Unknown(String),
}

7
crates/utils/src/settings/mod.rs
View File

@ -74,6 +74,13 @@ impl Settings {
fs::read_to_string(Self::get_config_location())
}
pub fn get_ui_hostname(&self) -> &str {
match &self.hostname_ui {
Some(domain) => domain,
_ => &self.hostname,
}
}
/// Returns either "http" or "https", depending on tls_enabled setting
pub fn get_protocol_string(&self) -> &'static str {
if self.tls_enabled {

5
crates/utils/src/settings/structs.rs
View File

@ -28,6 +28,11 @@ pub struct Settings {
#[default("unset")]
#[doku(example = "example.com")]
pub hostname: String,
/// the domain name of your lemmy-ui instance used for OAUTH2 (defaults to the backend instance
/// hostname)
#[default(None)]
#[doku(example = "example.com")]
pub hostname_ui: Option<String>,
/// Address where lemmy should listen for incoming requests
#[default(IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0)))]
#[doku(as = "String")]

2
crates/utils/translations

@ -1 +1 @@
Subproject commit ee2cffac809ad466644f061ad79ac577b6c2e4fd
Subproject commit 94f0c7e44e967ea6d003ee03b1753f08011fcf53

3
migrations/2024-07-01-163929_user_password_encrypted_optional/down.sql 100644
View File

@ -0,0 +1,3 @@
ALTER TABLE local_user
ALTER COLUMN password_encrypted SET NOT NULL;

3
migrations/2024-07-01-163929_user_password_encrypted_optional/up.sql 100644
View File

@ -0,0 +1,3 @@
ALTER TABLE local_user
ALTER COLUMN password_encrypted DROP NOT NULL;

5
migrations/2024-07-01-174833_create_oauth_provider/down.sql 100644
View File

@ -0,0 +1,5 @@
DROP TABLE oauth_provider;
ALTER TABLE local_site
DROP COLUMN oauth_registration;

24
migrations/2024-07-01-174833_create_oauth_provider/up.sql 100644
View File

@ -0,0 +1,24 @@
CREATE TABLE oauth_provider (
id bigint UNIQUE,
display_name text NOT NULL,
issuer text NOT NULL,
authorization_endpoint text NOT NULL,
token_endpoint text NOT NULL,
userinfo_endpoint text NOT NULL,
id_claim text NOT NULL,
name_claim text NOT NULL,
client_id text NOT NULL UNIQUE,
client_secret text NOT NULL,
scopes text NOT NULL,
auto_verify_email boolean DEFAULT TRUE NOT NULL,
auto_approve_application boolean DEFAULT TRUE NOT NULL,
account_linking_enabled boolean DEFAULT FALSE NOT NULL,
enabled boolean DEFAULT FALSE NOT NULL,
published timestamp with time zone DEFAULT now() NOT NULL,
updated timestamp with time zone,
PRIMARY KEY (id)
);
ALTER TABLE local_site
ADD COLUMN oauth_registration boolean DEFAULT FALSE NOT NULL;

2
migrations/2024-07-01-214047_create_oauth_accounts/down.sql 100644
View File

@ -0,0 +1,2 @@
DROP TABLE oauth_account;

11
migrations/2024-07-01-214047_create_oauth_accounts/up.sql 100644
View File

@ -0,0 +1,11 @@
CREATE TABLE oauth_account (
id serial PRIMARY KEY,
local_user_id int REFERENCES local_user ON UPDATE CASCADE ON DELETE CASCADE NOT NULL,
oauth_provider_id bigint NOT NULL,
oauth_user_id text NOT NULL,
published timestamp with time zone DEFAULT now() NOT NULL,
updated timestamp with time zone,
UNIQUE (oauth_provider_id, oauth_user_id),
UNIQUE (oauth_provider_id, local_user_id)
);

22
src/api_routes_http.rs
View File

@ -108,6 +108,11 @@ use lemmy_api_crud::{
delete::delete_custom_emoji,
update::update_custom_emoji,
},
oauth_provider::{
create::create_oauth_provider,
delete::delete_oauth_provider,
update::update_oauth_provider,
},
post::{
create::create_post,
delete::delete_post,
@ -122,7 +127,10 @@ use lemmy_api_crud::{
update::update_private_message,
},
site::{create::create_site, read::get_site, update::update_site},
user::{create::register, delete::delete_account},
user::{
create::{authenticate_with_oauth, register},
delete::delete_account,
},
};
use lemmy_apub::api::{
list_comments::list_comments,
@ -376,6 +384,18 @@ pub fn config(cfg: &mut web::ServiceConfig, rate_limit: &RateLimitCell) {
.route("", web::post().to(create_custom_emoji))
.route("", web::put().to(update_custom_emoji))
.route("/delete", web::post().to(delete_custom_emoji)),
)
.service(
web::scope("/oauth_provider")
.wrap(rate_limit.message())
.route("", web::post().to(create_oauth_provider))
.route("", web::put().to(update_oauth_provider))
.route("/delete", web::post().to(delete_oauth_provider)),
)
.service(
web::scope("/oauth")
.wrap(rate_limit.register())
.route("/authenticate", web::post().to(authenticate_with_oauth)),
),
);
cfg.service(

2
src/code_migrations.rs
View File

@ -470,7 +470,7 @@ async fn initialize_local_site_2022_10_10(
let local_user_form = LocalUserInsertForm::builder()
.person_id(person_inserted.id)
.password_encrypted(setup.admin_password.clone())
.password_encrypted(Some(setup.admin_password.clone()))
.email(setup.admin_email.clone())
.admin(Some(true))
.build();

5
src/session_middleware.rs
View File

@ -1,7 +1,7 @@
use actix_web::{
body::MessageBody,
dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
http::header::CACHE_CONTROL,
http::header::{HeaderValue, CACHE_CONTROL},
Error,
HttpMessage,
};
@ -9,7 +9,6 @@ use core::future::Ready;
use futures_util::future::LocalBoxFuture;
use lemmy_api::{local_user_view_from_jwt, read_auth_token};
use lemmy_api_common::context::LemmyContext;
use reqwest::header::HeaderValue;
use std::{future::ready, rc::Rc};
#[derive(Clone)]
@ -148,7 +147,7 @@ mod tests {
let local_user_form = LocalUserInsertForm::builder()
.person_id(inserted_person.id)
.password_encrypted("123456".to_string())
.password_encrypted(Some("123456".to_string()))
.build();
let inserted_local_user = LocalUser::create(pool, &local_user_form, vec![])