FEATURE: Delegated authentication via user api keys (#7272)

app/controllers/application_controller.rb

@@ -731,6 +731,26 @@ class ApplicationController < ActionController::Base
         redirect_to path(redirect_path)
       end
     end
+
+    # Used by clients authenticated via user API.
+    # Redirects to provided URL scheme if
+    # - request uses a valid public key and auth_redirect scheme
+    # - one_time_password scope is allowed
+    if !current_user &&
+      params.has_key?(:user_api_public_key) &&
+      params.has_key?(:auth_redirect)
+      begin
+        OpenSSL::PKey::RSA.new(params[:user_api_public_key])
+      rescue OpenSSL::PKey::RSAError
+        return render plain: I18n.t("user_api_key.invalid_public_key")
+      end
+
+      if UserApiKey.invalid_auth_redirect?(params[:auth_redirect])
+        return render plain: I18n.t("user_api_key.invalid_auth_redirect")
+      end
+      redirect_to("#{params[:auth_redirect]}?otp=true") if UserApiKey.allowed_scopes.superset?(Set.new(["one_time_password"]))
+    end
+
   end
 
   def block_if_readonly_mode

app/controllers/session_controller.rb

@@ -12,7 +12,7 @@ class SessionController < ApplicationController
   before_action :check_local_login_allowed, only: %i(create forgot_password email_login)
   before_action :rate_limit_login, only: %i(create email_login)
   skip_before_action :redirect_to_login_if_required
-  skip_before_action :preload_json, :check_xhr, only: %i(sso sso_login sso_provider destroy email_login)
+  skip_before_action :preload_json, :check_xhr, only: %i(sso sso_login sso_provider destroy email_login one_time_password)
 
   ACTIVATE_USER_KEY = "activate_user"
 
@@ -321,6 +321,20 @@ class SessionController < ApplicationController
     render layout: 'no_ember'
   end
 
+  def one_time_password
+    otp_username = $redis.get "otp_#{params[:token]}"
+
+    if otp_username && user = User.find_by_username(otp_username)
+      log_on_user(user)
+      $redis.del "otp_#{params[:token]}"
+      return redirect_to path("/")
+    else
+      @error = I18n.t('user_api_key.invalid_token')
+    end
+
+    render layout: 'no_ember'
+  end
+
   def forgot_password
     params.require(:login)
 

app/controllers/user_api_keys_controller.rb

@@ -2,11 +2,11 @@ class UserApiKeysController < ApplicationController
 
   layout 'no_ember'
 
-  requires_login only: [:create, :revoke, :undo_revoke]
-  skip_before_action :redirect_to_login_if_required, only: [:new]
+  requires_login only: [:create, :create_otp, :revoke, :undo_revoke]
+  skip_before_action :redirect_to_login_if_required, only: [:new, :otp]
   skip_before_action :check_xhr, :preload_json
 
-  AUTH_API_VERSION ||= 3
+  AUTH_API_VERSION ||= 4
 
   def new
 
@@ -51,17 +51,15 @@ class UserApiKeysController < ApplicationController
 
     require_params
 
-    if params.key?(:auth_redirect) && SiteSetting.allowed_user_api_auth_redirects
-        .split('|')
-        .none? { |u| WildcardUrlChecker.check_url(u, params[:auth_redirect]) }
-
-      raise Discourse::InvalidAccess
+    if params.key?(:auth_redirect)
+      raise Discourse::InvalidAccess if UserApiKey.invalid_auth_redirect?(params[:auth_redirect])
     end
 
     raise Discourse::InvalidAccess unless meets_tl?
 
     validate_params
     @application_name = params[:application_name]
+    scopes = params[:scopes].split(",")
 
     # destroy any old keys we had
     UserApiKey.where(user_id: current_user.id, client_id: params[:client_id]).destroy_all
@@ -72,7 +70,7 @@ class UserApiKeysController < ApplicationController
       user_id: current_user.id,
       push_url: params[:push_url],
       key: SecureRandom.hex,
-      scopes: params[:scopes].split(",")
+      scopes: scopes
     )
 
     # we keep the payload short so it encrypts easily with public key
@@ -87,8 +85,15 @@ class UserApiKeysController < ApplicationController
     public_key = OpenSSL::PKey::RSA.new(params[:public_key])
     @payload = Base64.encode64(public_key.public_encrypt(@payload))
 
+    if scopes.include?("one_time_password")
+      # encrypt one_time_password separately to bypass 128 chars encryption limit
+      otp_payload = one_time_password(public_key, current_user.username)
+    end
+
     if params[:auth_redirect]
-      redirect_to("#{params[:auth_redirect]}?payload=#{CGI.escape(@payload)}")
+      redirect_path = "#{params[:auth_redirect]}?payload=#{CGI.escape(@payload)}"
+      redirect_path << "&oneTimePassword=#{CGI.escape(otp_payload)}" if scopes.include?("one_time_password")
+      redirect_to(redirect_path)
     else
       respond_to do |format|
         format.html { render :show }
@@ -100,6 +105,38 @@ class UserApiKeysController < ApplicationController
     end
   end
 
+  def otp
+    require_params_otp
+
+    unless current_user
+      cookies[:destination_url] = request.fullpath
+
+      if SiteSetting.enable_sso?
+        redirect_to path('/session/sso')
+      else
+        redirect_to path('/login')
+      end
+      return
+    end
+
+    @application_name = params[:application_name]
+    @public_key = params[:public_key]
+    @auth_redirect = params[:auth_redirect]
+  end
+
+  def create_otp
+    require_params_otp
+
+    raise Discourse::InvalidAccess if UserApiKey.invalid_auth_redirect?(params[:auth_redirect])
+    raise Discourse::InvalidAccess unless meets_tl?
+
+    public_key = OpenSSL::PKey::RSA.new(params[:public_key])
+    otp_payload = one_time_password(public_key, current_user.username)
+
+    redirect_path = "#{params[:auth_redirect]}?oneTimePassword=#{CGI.escape(otp_payload)}"
+    redirect_to(redirect_path)
+  end
+
   def revoke
     revoke_key = find_key if params[:id]
 
@@ -141,15 +178,30 @@ class UserApiKeysController < ApplicationController
 
   def validate_params
     requested_scopes = Set.new(params[:scopes].split(","))
-
     raise Discourse::InvalidAccess unless UserApiKey.allowed_scopes.superset?(requested_scopes)
 
     # our pk has got to parse
     OpenSSL::PKey::RSA.new(params[:public_key])
   end
 
+  def require_params_otp
+    [
+     :public_key,
+     :auth_redirect,
+     :application_name
+    ].each { |p| params.require(p) }
+  end
+
   def meets_tl?
     current_user.staff? || current_user.trust_level >= SiteSetting.min_trust_level_for_user_api_key
   end
 
+  def one_time_password(public_key, username)
+    raise Discourse::InvalidAccess unless UserApiKey.allowed_scopes.superset?(Set.new(["one_time_password"]))
+
+    otp = SecureRandom.hex
+    $redis.setex "otp_#{otp}", 10.minutes, username
+
+    Base64.encode64(public_key.public_encrypt(otp))
+  end
 end