feat(oidc_provider) use askama templates

Implements a custom OidcResponse with CSP headers and oxide-auth processing compatibility.
2025-09-11 06:13:02 +02:00 · 2025-05-09 11:17:50 +02:00 · 2025-05-09 11:17:50 +02:00 · fa9b8869b6
commit fa9b8869b6
parent 3417ac2487
18 changed files with 621 additions and 225 deletions
--- a/src/api/Cargo.toml
+++ b/src/api/Cargo.toml
@ -92,6 +92,7 @@ tokio.workspace = true
 tracing.workspace = true
 oxide-auth.workspace = true
 oxide-auth-axum.workspace = true
+conduwuit-web.workspace = true
 percent-encoding.workspace = true

 [lints]
--- a/src/api/client/oidc/authorize.rs
+++ b/src/api/client/oidc/authorize.rs
@ -1,29 +1,13 @@
+use conduwuit_web::oidc::{oidc_consent_form, oidc_login_form, AuthorizationQuery, OidcRequest, OidcResponse};
 use oxide_auth_axum::{OAuthResponse, OAuthRequest};
 use oxide_auth::{
 	endpoint::{OwnerConsent, Solicitation},
 	frontends::simple::endpoint::FnSolicitor,
-	primitives::registrar::PreGrant,
 };
 use axum::extract::{Query, State};
-use serde_html_form;
 use conduwuit::{Result, err};
-use reqwest::Url;
 use percent_encoding::percent_decode_str;

-
-/// The set of query parameters a client needs to get authorization.
-#[derive(serde::Deserialize, Debug)]
-pub(crate) struct OAuthQuery {
-	client_id: String,
-	redirect_uri: Url,
-	scope: String,
-	state: String,
-	code_challenge: String,
-	code_challenge_method: String,
-	response_type: String,
-	response_mode: String,
-}
-
 /// # `GET /_matrix/client/unstable/org.matrix.msc2964/authorize`
 ///
 /// Authenticate a user and device, and solicit the user's consent.
@ -34,9 +18,9 @@ pub(crate) struct OAuthQuery {
 /// access to stage two, [authorize_consent].
 pub(crate) async fn authorize(
 	State(services): State<crate::State>,
-	Query(query): Query<OAuthQuery>,
-	oauth: OAuthRequest,
-) -> Result<OAuthResponse> {
+	Query(query): Query<AuthorizationQuery>,
+	oauth: OidcRequest,
+) -> Result<OidcResponse> {
 	tracing::trace!("processing OAuth request: {query:?}");
 	// Enforce MSC2964's restrictions on OAuth2 flow.
 	let Ok(scope) = percent_decode_str(&query.scope).decode_utf8() else {
@ -60,16 +44,13 @@ pub(crate) async fn authorize(
 		.client
 		.as_ref()
 		.map(|s| s.domain().expect("well-known client should be a domain"));
-	let login_redirect = OAuthResponse::default()
-		.body(&login_form(hostname, &query))
-		.content_type("text/html")
-		.expect("should set Content-Type on OAuth response");
+	let hostname = hostname.unwrap_or("Continuwuity");
 	match oauth.authorization_header() {
 		| None => {
-			return Ok(login_redirect);
+			return Ok(oidc_login_form(hostname, &query));
 		},
 		| Some(token) => if services.users.find_from_token(token).await.is_err() {
-			return Ok(login_redirect); 
+			return Ok(oidc_login_form(hostname, &query)); 
 		}
 	}
 	// TODO register the device ID ?
@ -77,18 +58,7 @@ pub(crate) async fn authorize(
 	services
 		.oidc
 		.endpoint()
-		.with_solicitor(FnSolicitor(move |_: &mut _, solicitation: Solicitation<'_>|
-			OwnerConsent::InProgress(
-				OAuthResponse::default()
-					.body(&consent_page_html(
-						"/_matrix/client/unstable/org.matrix.msc2964/authorize",
-						solicitation,
-						hostname.unwrap_or("conduwuit"),
-					))
-					.content_type("text/html")
-					.expect("set content type on consent form")
-			)
-		))
+        .with_solicitor(oidc_consent_form(hostname, &query))
 		.authorization_flow()
 		.execute(oauth)
 		.map_err(|err| err!("authorization failed: {err:?}"))
@ -116,99 +86,15 @@ pub(crate) async fn authorize_consent(
 	services
 		.oidc
 		.endpoint()
-		.with_solicitor(FnSolicitor(move |_: &mut _, solicitation: Solicitation<'_>|
-			match allowed {
-				| false => OwnerConsent::Denied,
-				| true => OwnerConsent::Authorized(solicitation.pre_grant().client_id.clone())
-			}
-		))
+		.with_solicitor(
+			FnSolicitor(move |_: &mut _, solicitation: Solicitation<'_>|
+				match allowed {
+					| false => OwnerConsent::Denied,
+					| true => OwnerConsent::Authorized(solicitation.pre_grant().client_id.clone())
+				}
+			)
+		)
 		.authorization_flow()
 		.execute(oauth)
 		.map_err(|err| err!(Request(Unknown("consent request failed: {err:?}"))))
 }
-
-fn login_form(
-	hostname: Option<&str>,
-	OAuthQuery {
-		client_id,
-		redirect_uri,
-		scope,
-		state,
-		code_challenge,
-		code_challenge_method,
-		response_type,
-		response_mode,
-	}: &OAuthQuery,
-) -> String {
-	let hostname = hostname.unwrap_or("");
-
-	format!(
-		r#"
-			<!DOCTYPE html>
-			<html>
-			<head>
-				<meta charset="utf-8">
-				<meta name="viewport" content="width=device-width, initial-scale=1.0">
-			</head>
-			<body>
-				<center>
-					<h1>{hostname} login</h1>
-					<form action="/_matrix/client/unstable/org.matrix.msc2964/login" method="post">
-						<input type="text" name="username" placeholder="Username" required>
-						<input type="password" name="password" placeholder="Password" required>
-						<input type="hidden" name="client_id" value="{client_id}">
-						<input type="hidden" name="redirect_uri" value="{redirect_uri}">
-						<input type="hidden" name="scope" value="{scope}">
-						<input type="hidden" name="state" value="{state}">
-						<input type="hidden" name="code_challenge" value="{code_challenge}">
-						<input type="hidden" name="code_challenge_method" value="{code_challenge_method}">
-						<input type="hidden" name="response_type" value="{response_type}">
-						<input type="hidden" name="response_mode" value="{response_mode}">
-						<button type="submit">Login</button>
-					</form>
-				</center>
-			</body>
-			</html>
-		"#
-	)
-}
-
-pub(crate) fn consent_page_html(
-	route: &str,
-	solicitation: Solicitation<'_>,
-	hostname: &str,
-) -> String {
-	let state = solicitation.state();
-	let grant = solicitation.pre_grant();
-	let PreGrant { client_id, redirect_uri, scope } = grant;
-	let mut args = vec![
-		("response_type", "code"),
-		("client_id", client_id.as_str()),
-		("redirect_uri", redirect_uri.as_str()),
-	];
-	if let Some(state) = state {
-		args.push(("state", state));
-	}
-	let args = serde_html_form::to_string(args).unwrap();
-
-	format!(
-		r#"
-			<html>
-				<head>
-					<meta charset='utf-8'>
-					<meta name='viewport' content='width=device-width, initial-scale=1.0'>
-				</head>
-				<body>
-					<center>
-						<h1>{hostname} login</h1>
-						'{client_id}' (at {redirect_uri}) is requesting permission for '{scope}'
-						<form method="post">
-							<input type="submit" value="Accept" formaction="{route}?{args}&allow=true">
-							<input type="submit" value="Deny" formaction="{route}?{args}&deny=true">
-						</form>
-					</center>
-				</body>
-			</html>
-		"#, 
-	)
-}
--- a/src/api/client/oidc/login.rs
+++ b/src/api/client/oidc/login.rs
@ -1,57 +1,20 @@
-use super::authorize::consent_page_html;
-use oxide_auth_axum::{OAuthRequest, OAuthResponse};
-use oxide_auth::{
-	endpoint::{OwnerConsent, Solicitation},
-	frontends::simple::endpoint::FnSolicitor,
+use conduwuit_web::oidc::{
+	oidc_consent_form,
+	AuthorizationQuery,
+	LoginError,
+	LoginQuery,
+	OidcRequest,
+	OidcResponse,
 };
-use axum::extract::{Form, FromRequest, State};
+use axum::extract::State;
 use conduwuit::{
 	Result,
 	err,
 	utils::hash::verify_password,
 };
 use ruma::user_id::UserId;
-use reqwest::Url;
-use percent_encoding::{utf8_percent_encode, NON_ALPHANUMERIC};
-
-/// The set of query parameters a client needs to get authorization.
-#[derive(serde::Deserialize, Debug)]
-pub(crate) struct LoginForm {
-	username: String,
-	password: String,
-	client_id: String,
-	redirect_uri: Url,
-	scope: String,
-	state: String,
-	code_challenge: String,
-	code_challenge_method: String,
-	response_type: String,
-	response_mode: String,
-}
-
-impl From<LoginForm> for String {
-	/// Turn the OAuth parameters from a Form into a GET query, suitable for
-	/// then turning it into oxide-auth's OAuthRequest. Strips the unneeded
-	/// username and password.
-	fn from(value: LoginForm) -> Self {
-		let encode = |text: &str| -> String {
-			utf8_percent_encode(text, NON_ALPHANUMERIC).to_string()
-		};
-
-		format!(
-			"?client_id={}&redirect_uri={}&scope={}&state={}&code_challenge={}&code_challenge_method={}&response_type={}&response_mode={}",
-			encode(&value.client_id),
-			encode(&value.redirect_uri.to_string()),
-			encode(&value.scope),
-			encode(&value.state),
-			encode(&value.code_challenge),
-			encode(&value.code_challenge_method),
-			encode(&value.response_type),
-			encode(&value.response_mode),
-		)
-	}
-}

+//#[axum::debug_handler]
 /// # `POST /_matrix/client/unstable/org.matrix.msc2964/login`
 ///
 /// Display a login UI to the user and return an authorization code on success.
@ -60,14 +23,17 @@ impl From<LoginForm> for String {
 /// [super::authorize::authorize_consent].
 pub(crate) async fn oidc_login(
 	State(services): State<crate::State>,
-	Form(login_query): Form<LoginForm>,
-) -> Result<OAuthResponse> {
+	request: OidcRequest,
+) -> Result<OidcResponse> {
+	let query: LoginQuery = request.clone().try_into().map_err(|LoginError(err)|
+		err!(Request(InvalidParam("Cannot process login form. {err}")))
+	)?;
 	// Only accept local usernames. Mostly to simplify things at first.
 	let user_id = UserId::parse_with_server_name(
-			login_query.username.clone(),
+			query.username.clone(),
 			&services.config.server_name
 		)
-		.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
+		.map_err(|e| err!(Request(InvalidUsername("Username is invalid: {e}"))))?;

 	if ! services.users.exists(&user_id).await {
 		return Err(err!(Request(Unknown("unknown username"))));
@ -82,49 +48,26 @@ pub(crate) async fn oidc_login(
 	if valid_hash.is_empty() {
 		return Err(err!(Request(UserDeactivated("the user's hash was not found"))));
 	}
-	if let Err(_) = verify_password(&login_query.password, &valid_hash) {
+	if let Err(_) = verify_password(&query.password, &valid_hash) {
 		return Err(err!(Request(InvalidParam("password does not match"))));
 	}
+	tracing::info!("{user_id:?} passed, forwarding to consent page");

-	// Build up a GET query and parse it as an OAuthRequest.
-	let login_query: String = login_query.into();
-	let login_url = http::Uri::builder()
-		.scheme("https")
-		.authority(services.config.server_name.as_str())
-		.path_and_query(login_query)
-		.build()
-		.expect("should be parseable");
-	let req: http::Request<axum::body::Body> = http::Request::builder()
-		.method("GET")
-		.uri(&login_url)
-		.body(axum::body::Body::empty())
-		.expect("login form OAuth parameters parseable as a query");
-	let oauth = OAuthRequest::from_request(req, &"")
-		.await
-		.expect("request parseable as an OAuth query");
 	let hostname = services
 		.config
 		.well_known
 		.client
 		.as_ref()
-		.map(|s| s.domain().expect("well-known client should be a domain"));
+		.map(|s| s.domain().expect("well-known client should have a domain"));
+
+	let hostname = hostname.unwrap_or("Continuwuity");
+	let authorization_query: AuthorizationQuery = query.into();

 	services
 		.oidc
 		.endpoint()
-		.with_solicitor(FnSolicitor(move |_: &mut _, solicitation: Solicitation<'_>|
-			OwnerConsent::InProgress(
-				OAuthResponse::default()
-					.body(&consent_page_html(
-						"/_matrix/client/unstable/org.matrix.msc2964/authorize",
-						solicitation,
-						hostname.unwrap_or("conduwuit"),
-					))
-					.content_type("text/html")
-					.expect("set content type on consent form")
-			)
-		))
+		.with_solicitor(oidc_consent_form(hostname, &authorization_query))
 		.authorization_flow()
-		.execute(oauth)
+		.execute(request)
 		.map_err(|err| err!(Request(Unknown("authorization failed: {err:?}"))))
 }
--- a/src/api/client/oidc/mod.rs
+++ b/src/api/client/oidc/mod.rs
@ -1,12 +1,14 @@
 /// OIDC
 ///
 /// Stands for OpenID Connect, and is an authentication scheme relying on OAuth2.
-/// The MSC2964 Matrix Spec Proposal describes an authentication process based
-/// on OIDC with restrictions. See the [sample flow] for details on what's expected.
+/// The [MSC2964] Matrix Spec Proposal describes an authentication process based
+/// on the OIDC flow, with restrictions. See the [sample flow] for details on
+/// what's expected.
 ///
-/// This module implements the needed endpoints. It relies on [`service::oidc`] and
-/// the [oxide-auth] crate.
+/// This module implements the needed endpoints. It relies on the [oxide-auth]
+/// crate, and the [`service::oidc`] and [`web::oidc`] modules.
 ///
+/// [MSC2964]: https://github.com/matrix-org/matrix-spec-proposals/pull/2964
 /// [oxide-auth]: https://docs.rs/oxide-auth
 /// [sample flow]: https://github.com/sandhose/matrix-spec-proposals/blob/msc/sandhose/oauth2-profile/proposals/2964-oauth2-profile.md#sample-flow

--- a/src/api/client/oidc/register.rs
+++ b/src/api/client/oidc/register.rs
@ -51,7 +51,7 @@ pub(crate) struct ClientResponse {

 /// # `GET /_matrix/client/unstable/org.matrix.msc2964/device/register`
 ///
-/// Register a client, as specified in [MSC2966]. This client, "device" in Oidc parlance,
+/// Register a client, as specified in [MSC2966]. This client, "device" in OIDC parlance,
 /// will have the right to submit [super::authorize::authorize] requests.
 ///
 /// [MSC2966]: https://github.com/matrix-org/matrix-spec-proposals/pull/2966
--- a/src/api/client/oidc/token.rs
+++ b/src/api/client/oidc/token.rs
@ -1,9 +1,3 @@
-/// Implementation of [MSC2964]'s OAuth2 restricted flow using the [oxide-auth]
-/// crate. See the MSC for restrictions that apply to this flow.
-///
-/// [MSC2965]: https://github.com/matrix-org/matrix-spec-proposals/pull/2965
-/// [oxide-auth]: https://docs.rs/oxide-auth
-
 use oxide_auth_axum::{OAuthResponse, OAuthRequest};
 use oxide_auth::endpoint::QueryParameter;
 use axum::{