FEATURE: Delegated authentication via user api keys (#7272)

app/controllers/user_api_keys_controller.rb

@@ -2,11 +2,11 @@ class UserApiKeysController < ApplicationController
 
   layout 'no_ember'
 
-  requires_login only: [:create, :revoke, :undo_revoke]
-  skip_before_action :redirect_to_login_if_required, only: [:new]
+  requires_login only: [:create, :create_otp, :revoke, :undo_revoke]
+  skip_before_action :redirect_to_login_if_required, only: [:new, :otp]
   skip_before_action :check_xhr, :preload_json
 
-  AUTH_API_VERSION ||= 3
+  AUTH_API_VERSION ||= 4
 
   def new
 
@@ -51,17 +51,15 @@ class UserApiKeysController < ApplicationController
 
     require_params
 
-    if params.key?(:auth_redirect) && SiteSetting.allowed_user_api_auth_redirects
-        .split('|')
-        .none? { |u| WildcardUrlChecker.check_url(u, params[:auth_redirect]) }
-
-      raise Discourse::InvalidAccess
+    if params.key?(:auth_redirect)
+      raise Discourse::InvalidAccess if UserApiKey.invalid_auth_redirect?(params[:auth_redirect])
     end
 
     raise Discourse::InvalidAccess unless meets_tl?
 
     validate_params
     @application_name = params[:application_name]
+    scopes = params[:scopes].split(",")
 
     # destroy any old keys we had
     UserApiKey.where(user_id: current_user.id, client_id: params[:client_id]).destroy_all
@@ -72,7 +70,7 @@ class UserApiKeysController < ApplicationController
       user_id: current_user.id,
       push_url: params[:push_url],
       key: SecureRandom.hex,
-      scopes: params[:scopes].split(",")
+      scopes: scopes
     )
 
     # we keep the payload short so it encrypts easily with public key
@@ -87,8 +85,15 @@ class UserApiKeysController < ApplicationController
     public_key = OpenSSL::PKey::RSA.new(params[:public_key])
     @payload = Base64.encode64(public_key.public_encrypt(@payload))
 
+    if scopes.include?("one_time_password")
+      # encrypt one_time_password separately to bypass 128 chars encryption limit
+      otp_payload = one_time_password(public_key, current_user.username)
+    end
+
     if params[:auth_redirect]
-      redirect_to("#{params[:auth_redirect]}?payload=#{CGI.escape(@payload)}")
+      redirect_path = "#{params[:auth_redirect]}?payload=#{CGI.escape(@payload)}"
+      redirect_path << "&oneTimePassword=#{CGI.escape(otp_payload)}" if scopes.include?("one_time_password")
+      redirect_to(redirect_path)
     else
       respond_to do |format|
         format.html { render :show }
@@ -100,6 +105,38 @@ class UserApiKeysController < ApplicationController
     end
   end
 
+  def otp
+    require_params_otp
+
+    unless current_user
+      cookies[:destination_url] = request.fullpath
+
+      if SiteSetting.enable_sso?
+        redirect_to path('/session/sso')
+      else
+        redirect_to path('/login')
+      end
+      return
+    end
+
+    @application_name = params[:application_name]
+    @public_key = params[:public_key]
+    @auth_redirect = params[:auth_redirect]
+  end
+
+  def create_otp
+    require_params_otp
+
+    raise Discourse::InvalidAccess if UserApiKey.invalid_auth_redirect?(params[:auth_redirect])
+    raise Discourse::InvalidAccess unless meets_tl?
+
+    public_key = OpenSSL::PKey::RSA.new(params[:public_key])
+    otp_payload = one_time_password(public_key, current_user.username)
+
+    redirect_path = "#{params[:auth_redirect]}?oneTimePassword=#{CGI.escape(otp_payload)}"
+    redirect_to(redirect_path)
+  end
+
   def revoke
     revoke_key = find_key if params[:id]
 
@@ -141,15 +178,30 @@ class UserApiKeysController < ApplicationController
 
   def validate_params
     requested_scopes = Set.new(params[:scopes].split(","))
-
     raise Discourse::InvalidAccess unless UserApiKey.allowed_scopes.superset?(requested_scopes)
 
     # our pk has got to parse
     OpenSSL::PKey::RSA.new(params[:public_key])
   end
 
+  def require_params_otp
+    [
+     :public_key,
+     :auth_redirect,
+     :application_name
+    ].each { |p| params.require(p) }
+  end
+
   def meets_tl?
     current_user.staff? || current_user.trust_level >= SiteSetting.min_trust_level_for_user_api_key
   end
 
+  def one_time_password(public_key, username)
+    raise Discourse::InvalidAccess unless UserApiKey.allowed_scopes.superset?(Set.new(["one_time_password"]))
+
+    otp = SecureRandom.hex
+    $redis.setex "otp_#{otp}", 10.minutes, username
+
+    Base64.encode64(public_key.public_encrypt(otp))
+  end
 end