Added support for SAML with app being on different domain from SAML callback

Author: akclace

internal/metadata/metadata.go

@@ -21,7 +21,7 @@ import (
 	_ "modernc.org/sqlite"
 )
 
-const CURRENT_DB_VERSION = 6
+const CURRENT_DB_VERSION = 7
 
 // Metadata is the metadata persistence layer
 type Metadata struct {
@@ -258,6 +258,18 @@ func (m *Metadata) VersionUpgrade(config *types.ServerConfig) error {
 		}
 	}
 
+	if version < 7 {
+		m.Info().Msg("Upgrading to version 7")
+		if _, err := tx.ExecContext(ctx, `create table keystore(key text, value `+system.MapDataType(m.dbType, "blob")+
+			`, create_time `+system.MapDataType(m.dbType, "datetime")+`, delete_at `+system.MapDataType(m.dbType, "datetime")+`, PRIMARY KEY(key))`); err != nil {
+			return err
+		}
+
+		if _, err := tx.ExecContext(ctx, `update version set version=7, last_upgraded=`+system.FuncNow(m.dbType)); err != nil {
+			return err
+		}
+	}
+
 	if err := tx.Commit(); err != nil {
 		return err
 	}
@@ -754,6 +766,78 @@ func (m *Metadata) GetConfig() (*types.DynamicConfig, error) {
 	return &config, nil
 }
 
+func (m *Metadata) FetchKV(ctx context.Context, key string) (map[string]any, error) {
+	row := m.db.QueryRowContext(ctx, system.RebindQuery(m.dbType, `select value from keystore where key = ? and (delete_at is null or delete_at > `+system.FuncNow(m.dbType)+`)`), key)
+	var value []byte
+	err := row.Scan(&value)
+	if err != nil {
+		return nil, fmt.Errorf("error querying keystore: %w", err)
+	}
+
+	var valueMap map[string]any
+	err = json.Unmarshal([]byte(value), &valueMap)
+	if err != nil {
+		return nil, fmt.Errorf("error unmarshalling value: %w", err)
+	}
+	return valueMap, nil
+}
+
+func (m *Metadata) StoreKV(ctx context.Context, key string, value map[string]any, expireAt *time.Time) error {
+	valueJson, err := json.Marshal(value)
+	if err != nil {
+		return fmt.Errorf("error marshalling value: %w", err)
+	}
+	return m.StoreKVBlob(ctx, key, valueJson, expireAt)
+}
+
+func (m *Metadata) StoreKVBlob(ctx context.Context, key string, value []byte, expireAt *time.Time) error {
+	_, err := m.db.ExecContext(ctx, system.RebindQuery(m.dbType,
+		`insert into keystore values (?, ?, `+system.FuncNow(m.dbType)+`, ?)`), key, value, toNullTime(expireAt))
+	if err != nil {
+		return fmt.Errorf("error storing value: %w", err)
+	}
+	return nil
+}
+
+func (m *Metadata) UpdateKV(ctx context.Context, key string, value map[string]any) error {
+	valueJson, err := json.Marshal(value)
+	if err != nil {
+		return fmt.Errorf("error marshalling value: %w", err)
+	}
+	return m.UpdateKVBlob(ctx, key, valueJson)
+}
+
+func (m *Metadata) UpdateKVBlob(ctx context.Context, key string, value []byte) error {
+	result, err := m.db.ExecContext(ctx, system.RebindQuery(m.dbType,
+		`update keystore set value = ? where key = ?`), value, key)
+	if err != nil {
+		return fmt.Errorf("error updating value: %w", err)
+	}
+	rowsAffected, err := result.RowsAffected()
+	if err != nil {
+		return fmt.Errorf("error getting rows affected: %w", err)
+	}
+	if rowsAffected == 0 {
+		return fmt.Errorf("no key entry found with key for update: %s", key)
+	}
+	return nil
+}
+
+func (m *Metadata) DeleteKV(ctx context.Context, key string) error {
+	_, err := m.db.ExecContext(ctx, system.RebindQuery(m.dbType, `delete from keystore where key = ?`), key)
+	if err != nil {
+		return fmt.Errorf("error deleting value: %w", err)
+	}
+	return nil
+}
+
+func toNullTime(t *time.Time) sql.NullTime {
+	if t == nil {
+		return sql.NullTime{Valid: false}
+	}
+	return sql.NullTime{Time: *t, Valid: true}
+}
+
 // BeginTransaction starts a new Transaction
 func (m *Metadata) BeginTransaction(ctx context.Context) (types.Transaction, error) {
 	tx, err := m.db.BeginTx(ctx, nil)

internal/passwd/passwd.go

@@ -5,6 +5,7 @@ package passwd
 
 import (
 	"crypto/rand"
+	"encoding/base64"
 	"math/big"
 )
 
@@ -29,6 +30,18 @@ func generateRandString(length int, charsAllowed string) (string, error) {
 	return string(password), nil
 }
 
+func GenerateSessionNonce() (string, string, error) {
+	buf1 := make([]byte, 32)
+	if _, err := rand.Read(buf1); err != nil {
+		return "", "", err
+	}
+	buf2 := make([]byte, 32)
+	if _, err := rand.Read(buf2); err != nil {
+		return "", "", err
+	}
+	return base64.URLEncoding.EncodeToString(buf1), base64.URLEncoding.EncodeToString(buf1), nil
+}
+
 // GeneratePassword generates a random password
 func GeneratePassword() (string, error) {
 	return generateRandString(16, PASSWORD_CHARS)

internal/server/oauth.go

@@ -40,7 +40,10 @@ const (
 	USER_NICKNAME_KEY       = "nickname"
 	PROVIDER_NAME_KEY       = "provider_name"
 	GROUPS_KEY              = "groups"
+	NONCE_KEY               = "nonce"
+	SESSION_ID_KEY          = "session_id"
 	REDIRECT_URL            = "redirect"
+	SESSION_INDEX_KEY       = "session_index"
 )
 
 // OAuthManager manages the OAuth providers and their configurations (also OIDC)
@@ -373,7 +376,7 @@ func (s *OAuthManager) CheckAuth(w http.ResponseWriter, r *http.Request, appProv
 				return "", nil, err
 			}
 		}
-		s.Warn().Err(err).Msg("no auth, redirecting to login")
+		s.Debug().Msg("no auth cookie, redirecting to login")
 		if r.Header.Get("HX-Request") == "true" {
 			w.Header().Set("HX-Redirect", s.config.Security.CallbackUrl+types.INTERNAL_URL_PREFIX+"/auth/"+appProvider)
 		} else {