github-mirror/alist
2
0
Fork 0
mirror of https://github.com/AlistGo/alist.git synced 2025-06-04 17:04:42 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

feat: rebuild Single sign-on system (#3649 close #3571)

Browse Source 
* rebuild single sign on system

* perf: use cache

* fix: codefactor check

---------

Co-authored-by: Andy Hsu <i@nn.ci>
This commit is contained in:
itsHenry
2023-03-02 17:55:33 +08:00
committed by GitHub
parent f442185aa5
commit 603681fbe6
9 changed files with 237 additions and 155 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
server/handles/auth.go
View File

@ -101,7 +101,7 @@ func UpdateCurrent(c *gin.Context) {
if req.Password != "" {
user.Password = req.Password
}
user.GithubID = req.GithubID
user.SsoID = req.SsoID
if err := op.UpdateUser(user); err != nil {
common.ErrorResp(c, err, 500)
} else {

101
server/handles/githublogin.go
View File

@ -1,101 +0,0 @@
package handles
import (
"errors"
"net/url"
"strconv"
"github.com/alist-org/alist/v3/internal/db"
"github.com/alist-org/alist/v3/pkg/utils"
"github.com/alist-org/alist/v3/server/common"
"github.com/gin-gonic/gin"
"github.com/go-resty/resty/v2"
)
func GithubLoginRedirect(c *gin.Context) {
method := c.Query("method")
callbackURL := c.Query("callback_url")
withParams := c.Query("with_params")
enabled, err := db.GetSettingItemByKey("github_login_enabled")
clientId, err := db.GetSettingItemByKey("github_client_id")
if err != nil {
common.ErrorResp(c, err, 400)
return
} else if enabled.Value == "true" {
urlValues := url.Values{}
urlValues.Add("client_id", clientId.Value)
if method == "get_github_id" {
urlValues.Add("allow_signup", "true")
} else if method == "github_callback_login" {
urlValues.Add("allow_signup", "false")
}
if method == "" {
common.ErrorStrResp(c, "no method provided", 400)
return
}
if withParams != "" {
urlValues.Add("redirect_uri", common.GetApiUrl(c.Request)+"/api/auth/github_callback"+"?method="+method+"&callback_url="+callbackURL+"&with_params="+withParams)
} else {
urlValues.Add("redirect_uri", common.GetApiUrl(c.Request)+"/api/auth/github_callback"+"?method="+method+"&callback_url="+callbackURL)
}
c.Redirect(302, "https://github.com/login/oauth/authorize?"+urlValues.Encode())
} else {
common.ErrorStrResp(c, "github Login not enabled", 403)
}
}
var githubClient = resty.New().SetRetryCount(3)
func GithubLoginCallback(c *gin.Context) {
argument := c.Query("method")
callbackUrl := c.Query("callback_url")
if argument == "get_github_id" || argument == "github_login" {
enabled, err := db.GetSettingItemByKey("github_login_enabled")
clientId, err := db.GetSettingItemByKey("github_client_id")
clientSecret, err := db.GetSettingItemByKey("github_client_secrets")
if err != nil {
common.ErrorResp(c, err, 400)
return
} else if enabled.Value == "true" {
callbackCode := c.Query("code")
if callbackCode == "" {
common.ErrorStrResp(c, "No code provided", 400)
return
}
resp, err := githubClient.R().SetHeader("content-type", "application/json").
SetBody(map[string]string{
"client_id": clientId.Value,
"client_secret": clientSecret.Value,
"code": callbackCode,
"redirect_uri": common.GetApiUrl(c.Request) + "/api/auth/github_callback",
}).Post("https://github.com/login/oauth/access_token")
if err != nil {
common.ErrorResp(c, err, 400)
return
}
accessToken := utils.Json.Get(resp.Body(), "access_token").ToString()
resp, err = githubClient.R().SetHeader("Authorization", "Bearer "+accessToken).
Get("https://api.github.com/user")
ghUserID := utils.Json.Get(resp.Body(), "id").ToInt()
if argument == "get_github_id" {
c.Redirect(302, callbackUrl+"?githubID="+strconv.Itoa(ghUserID))
}
if argument == "github_login" {
user, err := db.GetUserByGithubID(ghUserID)
if err != nil {
common.ErrorResp(c, err, 400)
}
token, err := common.GenerateToken(user.Username)
withParams := c.Query("with_params")
if withParams == "true" {
c.Redirect(302, callbackUrl+"&token="+token)
} else if withParams == "false" {
c.Redirect(302, callbackUrl+"?token="+token)
}
return
}
} else {
common.ErrorResp(c, errors.New("invalid request"), 500)
}
}
}

181
server/handles/ssologin.go Normal file
View File

@ -0,0 +1,181 @@
package handles
import (
"errors"
"fmt"
"net/url"
"github.com/alist-org/alist/v3/internal/conf"
"github.com/alist-org/alist/v3/internal/db"
"github.com/alist-org/alist/v3/internal/setting"
"github.com/alist-org/alist/v3/pkg/utils"
"github.com/alist-org/alist/v3/server/common"
"github.com/gin-gonic/gin"
"github.com/go-resty/resty/v2"
)
func SSOLoginRedirect(c *gin.Context) {
method := c.Query("method")
enabled := setting.GetBool(conf.SSOLoginEnabled)
clientId := setting.GetStr(conf.SSOClientId)
platform := setting.GetStr(conf.SSOLoginplatform)
var r_url string
var redirect_uri string
if enabled {
urlValues := url.Values{}
if method == "" {
common.ErrorStrResp(c, "no method provided", 400)
return
}
redirect_uri = common.GetApiUrl(c.Request) + "/api/auth/sso_callback" + "?method=" + method
urlValues.Add("response_type", "code")
urlValues.Add("redirect_uri", redirect_uri)
urlValues.Add("client_id", clientId)
switch platform {
case "Github":
r_url = "https://github.com/login/oauth/authorize?"
urlValues.Add("scope", "read:user")
case "Microsoft":
r_url = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?"
urlValues.Add("scope", "user.read")
urlValues.Add("response_mode", "query")
case "Google":
r_url = "https://accounts.google.com/o/oauth2/v2/auth?"
urlValues.Add("scope", "https://www.googleapis.com/auth/userinfo.profile")
case "Dingtalk":
r_url = "https://login.dingtalk.com/oauth2/auth?"
urlValues.Add("scope", "openid")
urlValues.Add("prompt", "consent")
urlValues.Add("response_type", "code")
default:
common.ErrorStrResp(c, "invalid platform", 400)
return
}
c.Redirect(302, r_url+urlValues.Encode())
} else {
common.ErrorStrResp(c, "Single sign-on is not enabled", 403)
}
}
var ssoClient = resty.New().SetRetryCount(3)
func SSOLoginCallback(c *gin.Context) {
argument := c.Query("method")
if argument == "get_sso_id" || argument == "sso_get_token" {
enabled := setting.GetBool(conf.SSOLoginEnabled)
clientId := setting.GetStr(conf.SSOClientId)
platform := setting.GetStr(conf.SSOLoginplatform)
clientSecret := setting.GetStr(conf.SSOClientSecret)
var url1, url2, additionalbody, scope, authstring, idstring string
switch platform {
case "Github":
url1 = "https://github.com/login/oauth/access_token"
url2 = "https://api.github.com/user"
additionalbody = ""
authstring = "code"
scope = "read:user"
idstring = "id"
case "Microsoft":
url1 = "https://login.microsoftonline.com/common/oauth2/v2.0/token"
url2 = "https://graph.microsoft.com/v1.0/me"
additionalbody = "&grant_type=authorization_code"
scope = "user.read"
authstring = "code"
idstring = "id"
case "Google":
url1 = "https://oauth2.googleapis.com/token"
url2 = "https://www.googleapis.com/oauth2/v1/userinfo"
additionalbody = "&grant_type=authorization_code"
scope = "https://www.googleapis.com/auth/userinfo.profile"
authstring = "code"
idstring = "id"
case "Dingtalk":
url1 = "https://api.dingtalk.com/v1.0/oauth2/userAccessToken"
url2 = "https://api.dingtalk.com/v1.0/contact/users/me"
authstring = "authCode"
idstring = "unionId"
default:
common.ErrorStrResp(c, "invalid platform", 400)
return
}
if enabled {
callbackCode := c.Query(authstring)
if callbackCode == "" {
common.ErrorStrResp(c, "No code provided", 400)
return
}
var resp *resty.Response
var err error
if platform == "Dingtalk" {
resp, err = ssoClient.R().SetHeader("content-type", "application/json").SetHeader("Accept", "application/json").
SetBody(map[string]string{
"clientId": clientId,
"clientSecret": clientSecret,
"code": callbackCode,
"grantType": "authorization_code",
}).
Post(url1)
} else {
resp, err = ssoClient.R().SetHeader("content-type", "application/x-www-form-urlencoded").SetHeader("Accept", "application/json").
SetBody("client_id=" + clientId + "&client_secret=" + clientSecret + "&code=" + callbackCode + "&redirect_uri=" + common.GetApiUrl(c.Request) + "/api/auth/sso_callback?method=" + argument + "&scope=" + scope + additionalbody).
Post(url1)
}
if err != nil {
common.ErrorResp(c, err, 400)
return
}
if platform == "Dingtalk" {
accessToken := utils.Json.Get(resp.Body(), "accessToken").ToString()
resp, err = ssoClient.R().SetHeader("x-acs-dingtalk-access-token", accessToken).
Get(url2)
} else {
accessToken := utils.Json.Get(resp.Body(), "access_token").ToString()
resp, err = ssoClient.R().SetHeader("Authorization", "Bearer "+accessToken).
Get(url2)
}
if err != nil {
common.ErrorResp(c, err, 400)
return
}
UserID := utils.Json.Get(resp.Body(), idstring).ToString()
if UserID == "0" {
common.ErrorResp(c, errors.New("error occured"), 400)
return
}
if argument == "get_sso_id" {
html := fmt.Sprintf(`<!DOCTYPE html>
<head></head>
<body>
<script>
window.opener.postMessage({"sso_id": "%s"}, "*")
window.close()
</script>
</body>`, UserID)
c.Data(200, "text/html; charset=utf-8", []byte(html))
return
}
if argument == "sso_get_token" {
user, err := db.GetUserBySSOID(UserID)
if err != nil {
common.ErrorResp(c, err, 400)
}
token, err := common.GenerateToken(user.Username)
if err != nil {
common.ErrorResp(c, err, 400)
}
html := fmt.Sprintf(`<!DOCTYPE html>
<head></head>
<body>
<script>
window.opener.postMessage({"token":"%s"}, "*")
window.close()
</script>
</body>`, token)
c.Data(200, "text/html; charset=utf-8", []byte(html))
return
}
} else {
common.ErrorResp(c, errors.New("invalid request"), 500)
}
}
}

4
server/router.go
View File

@ -43,8 +43,8 @@ func Init(e *gin.Engine) {
auth.POST("/auth/2fa/verify", handles.Verify2FA)
// github auth
api.GET("/auth/github", handles.GithubLoginRedirect)
api.GET("/auth/github_callback", handles.GithubLoginCallback)
api.GET("/auth/sso", handles.SSOLoginRedirect)
api.GET("/auth/sso_callback", handles.SSOLoginCallback)
// no need auth
public := api.Group("/public")