Move manager to it's own package so it can import db. Move all references to the in memory session repos to use sqlite3.
375 lines
9.2 KiB
375 lines
9.2 KiB
package server
import (
sessionmanager ""
usermanager ""
type formError struct {
Field string
Error string
type remoteExistsData struct {
Login string
Register string
type registerTemplateData struct {
Error bool
FormErrors []formError
Message string
Email string
Code string
Password string
Local bool
RemoteExists *remoteExistsData
var (
errToFormErrorMap = map[error]formError{
user.ErrorInvalidEmail: formError{
Field: "email",
Error: "Please enter a valid email",
user.ErrorInvalidPassword: formError{
Field: "password",
Error: "Please enter a valid password",
user.ErrorDuplicateEmail: formError{
Field: "email",
Error: "That email is already in use; please choose another.",
func handleRegisterFunc(s *Server, tpl Template) http.HandlerFunc {
errPage := func(w http.ResponseWriter, msg string, code string, status int) {
data := registerTemplateData{
Error: true,
Message: msg,
Code: code,
execTemplateWithStatus(w, tpl, data, status)
internalError := func(w http.ResponseWriter, err error) {
log.Errorf("Internal Error during registration: %v", err)
errPage(w, "There was a problem processing your request.", "", http.StatusInternalServerError)
idx := makeConnectorMap(s.Connectors)
return func(w http.ResponseWriter, r *http.Request) {
err := r.ParseForm()
if err != nil {
internalError(w, err)
// verify the user has a valid code.
key := r.Form.Get("code")
sessionID, err := s.SessionManager.ExchangeKey(key)
if err != nil {
errPage(w, "Please authenticate before registering.", "", http.StatusUnauthorized)
// create a new code for them to use next time they hit the server.
code, err := s.SessionManager.NewSessionKey(sessionID)
if err != nil {
internalError(w, err)
ses, err := s.SessionManager.Get(sessionID)
if err != nil || ses == nil {
var exists bool
exists, err = remoteIdentityExists(s.UserRepo, ses.ConnectorID, ses.Identity.ID)
if err != nil {
internalError(w, err)
if exists {
// we have to create a new session to be able to run the server.Login function
newSessionKey, err := s.NewSession(ses.ConnectorID, ses.ClientID,
ses.ClientState, ses.RedirectURL, ses.Nonce, false, ses.Scope)
if err != nil {
internalError(w, err)
// make sure to clean up the old session
if err = s.KillSession(code); err != nil {
internalError(w, err)
// finally, we can create a valid redirect URL for them.
redirURL, err := s.Login(ses.Identity, newSessionKey)
if err != nil {
internalError(w, err)
registerURL := newLoginURLFromSession(
s.IssuerURL, ses, true, []string{}, "")
execTemplate(w, tpl, registerTemplateData{
RemoteExists: &remoteExistsData{
Login: redirURL,
Register: registerURL.String(),
// determine whether or not this is a local or remote ID that is going
// to be registered.
idpc, ok := idx[ses.ConnectorID]
if !ok {
internalError(w, fmt.Errorf("no such IDPC: %v", ses.ConnectorID))
_, local := idpc.(*connector.LocalConnector)
// Does the email comes from a trusted provider?
trustedEmail := ses.Identity.Email != "" && idpc.TrustedEmailProvider()
validate := r.Form.Get("validate") == "1"
formErrors := []formError{}
email := strings.TrimSpace(r.Form.Get("email"))
// only auto-populate the first time the page is GETted, not on
// subsequent POSTs
if email == "" && r.Method == "GET" {
email = ses.Identity.Email
password := r.Form.Get("password")
if validate {
if email == "" || !user.ValidEmail(email) {
formErrors = append(formErrors, formError{"email", "Please supply a valid email"})
if local && password == "" {
formErrors = append(formErrors, formError{"password", "Please supply a valid password"})
data := registerTemplateData{
Code: code,
Email: email,
Password: password,
Local: local,
// If there are form errors or this is the initial request
// (i.e. validate==false), and we are not going to auto-submit a
// trusted email, then show the form.
if (len(formErrors) > 0 || !validate) && !trustedEmail {
data.FormErrors = formErrors
if !validate {
execTemplate(w, tpl, data)
} else {
execTemplateWithStatus(w, tpl, data, http.StatusBadRequest)
var userID string
if local {
userID, err = registerFromLocalConnector(
email, password)
} else {
if trustedEmail {
// in the case of a trusted email provider, make sure we are
// getting the email address from the session, not from the
// query string, to prevent forgeries.
email = ses.Identity.Email
userID, err = registerFromRemoteConnector(
if err == user.ErrorDuplicateEmail {
// In this case, the user probably just forgot that they registered.
connID, err := getConnectorForUserByEmail(s.UserRepo, email)
if err != nil {
internalError(w, err)
loginURL := newLoginURLFromSession(
s.IssuerURL, ses, false, []string{connID}, "login-maybe")
if err = s.KillSession(code); err != nil {
log.Errorf("Error killing session: %v", err)
http.Redirect(w, r, loginURL.String(), http.StatusSeeOther)
if err != nil {
formErrors := errToFormErrors(err)
if len(formErrors) > 0 {
data.FormErrors = formErrors
execTemplate(w, tpl, data)
if err == user.ErrorDuplicateRemoteIdentity {
errPage(w, "You already registered an account with this identity", "", http.StatusConflict)
internalError(w, err)
ses, err = s.SessionManager.AttachUser(sessionID, userID)
if err != nil {
internalError(w, err)
usr, err := s.UserRepo.Get(nil, userID)
if err != nil {
internalError(w, err)
if !trustedEmail {
_, err = s.UserEmailer.SendEmailVerification(usr.ID, ses.ClientID, ses.RedirectURL)
if err != nil {
log.Errorf("Error sending email verification: %v", err)
w.Header().Set("Location", makeClientRedirectURL(
ses.RedirectURL, code, ses.ClientState).String())
func makeClientRedirectURL(baseRedirURL url.URL, code, clientState string) *url.URL {
ru := baseRedirURL
q := ru.Query()
q.Set("code", code)
q.Set("state", clientState)
ru.RawQuery = q.Encode()
return &ru
func registerFromLocalConnector(userManager *usermanager.UserManager, sessionManager *sessionmanager.SessionManager, ses *session.Session, email, password string) (string, error) {
userID, err := userManager.RegisterWithPassword(email, password, ses.ConnectorID)
if err != nil {
return "", err
ses, err = sessionManager.AttachRemoteIdentity(ses.ID, oidc.Identity{
ID: userID,
if err != nil {
return "", err
return userID, nil
func registerFromRemoteConnector(userManager *usermanager.UserManager, ses *session.Session, email string, emailVerified bool) (string, error) {
if ses.Identity.ID == "" {
return "", errors.New("No Identity found in session.")
rid := user.RemoteIdentity{
ConnectorID: ses.ConnectorID,
ID: ses.Identity.ID,
userID, err := userManager.RegisterWithRemoteIdentity(email, emailVerified, rid)
if err != nil {
return "", err
return userID, nil
func errToFormErrors(err error) []formError {
fes := []formError{}
fe, ok := errToFormErrorMap[err]
if ok {
fes = append(fes, fe)
return fes
func getConnectorForUserByEmail(ur user.UserRepo, email string) (string, error) {
usr, err := ur.GetByEmail(nil, email)
if err != nil {
return "", err
rids, err := ur.GetRemoteIdentities(nil, usr.ID)
if err != nil {
return "", err
if len(rids) == 0 {
return "", fmt.Errorf("No remote Identities for user %v", usr.ID)
return rids[0].ConnectorID, nil
func newLoginURLFromSession(issuer url.URL, ses *session.Session, register bool, connectorFilter []string, msgCode string) *url.URL {
loginURL := issuer
v := loginURL.Query()
loginURL.Path = httpPathAuth
v.Set("redirect_uri", ses.RedirectURL.String())
v.Set("state", ses.ClientState)
v.Set("client_id", ses.ClientID)
if register {
v.Set("register", "1")
if len(connectorFilter) > 0 {
v.Set("show_connectors", strings.Join(connectorFilter, ","))
if msgCode != "" {
v.Set("msg_code", msgCode)
if len(ses.Scope) > 0 {
v.Set("scope", strings.Join(ses.Scope, " "))
loginURL.RawQuery = v.Encode()
return &loginURL
func remoteIdentityExists(ur user.UserRepo, connectorID, id string) (bool, error) {
_, err := ur.GetByRemoteIdentity(nil, user.RemoteIdentity{
ConnectorID: connectorID,
ID: id,
if err == user.ErrorNotFound {
return false, nil
if err == nil {
return true, nil
return false, err