feat: add backend for oidc consent

Author: steveiliop56

internal/bootstrap/app_bootstrap.go

@@ -47,6 +47,7 @@ type Services struct {
 type BootstrapApp struct {
 	config    model.Config
 	runtime   model.RuntimeConfig
+	helpers   model.RuntimeHelpers
 	services  Services
 	log       *logger.Logger
 	ctx       context.Context
@@ -185,9 +186,8 @@ func (app *BootstrapApp) Setup() error {
 	cookieId := strings.Split(app.runtime.UUID, "-")[0] // first 8 characters of the uuid should be good enough
 
 	app.runtime.SessionCookieName = fmt.Sprintf("%s-%s", model.SessionCookieName, cookieId)
-	app.runtime.CSRFCookieName = fmt.Sprintf("%s-%s", model.CSRFCookieName, cookieId)
-	app.runtime.RedirectCookieName = fmt.Sprintf("%s-%s", model.RedirectCookieName, cookieId)
 	app.runtime.OAuthSessionCookieName = fmt.Sprintf("%s-%s", model.OAuthSessionCookieName, cookieId)
+	app.runtime.ConsentCookieName = fmt.Sprintf("%s-%s", model.ConsentCookieName, cookieId)
 
 	// database
 	store, err := app.SetupStore()
@@ -264,6 +264,9 @@ func (app *BootstrapApp) Setup() error {
 		app.runtime.TrustedDomains = append(app.runtime.TrustedDomains, "https://"+app.services.tailscaleService.GetHostname())
 	}
 
+	// runtime helpers
+	app.helpers.GetCookieDomain = app.getCookieDomain
+
 	// setup router
 	err = app.setupRouter()
 

internal/bootstrap/app_helpers.go

@@ -0,0 +1,55 @@
+package bootstrap
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/tinyauthapp/tinyauth/internal/utils"
+)
+
+// Not really the best place for the helpers to be but it works because bootstrap app provides
+// them with everything they need
+
+func (app *BootstrapApp) getCookieDomain(ctx context.Context, ip string) (string, error) {
+	cookieDomain := app.runtime.CookieDomain
+
+	if app.isTailscaleRequest(ctx, ip) {
+		if app.services.tailscaleService == nil {
+			return "", errors.New("tailscale service is not configured")
+		}
+
+		tsCookieDomain, err := utils.GetCookieDomain(fmt.Sprintf("https://%s", app.services.tailscaleService.GetHostname()))
+
+		if err != nil {
+			return "", fmt.Errorf("failed to get cookie domain for tailscale user: %w", err)
+		}
+
+		cookieDomain = tsCookieDomain
+	}
+
+	if app.config.Auth.SubdomainsEnabled {
+		cookieDomain = "." + cookieDomain
+	}
+
+	return cookieDomain, nil
+}
+
+func (app *BootstrapApp) isTailscaleRequest(ctx context.Context, ip string) bool {
+	if app.services.tailscaleService == nil {
+		return false
+	}
+
+	whois, err := app.services.tailscaleService.Whois(ctx, ip)
+
+	if err != nil {
+		app.log.App.Error().Err(err).Msgf("Error performing Tailscale whois for IP %s: %v", ip, err)
+		return false
+	}
+
+	if whois == nil {
+		return false
+	}
+
+	return true
+}

internal/bootstrap/router_bootstrap.go

@@ -58,8 +58,8 @@ func (app *BootstrapApp) setupRouter() error {
 	apiRouter := engine.Group("/api")
 
 	controller.NewContextController(app.log, app.config, app.runtime, apiRouter)
-	controller.NewOAuthController(app.log, app.config, app.runtime, apiRouter, app.services.authService)
-	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, apiRouter, &engine.RouterGroup)
+	controller.NewOAuthController(app.log, app.config, app.runtime, app.helpers, apiRouter, app.services.authService)
+	controller.NewOIDCController(app.log, app.services.oidcService, app.runtime, app.helpers, app.config, apiRouter, &engine.RouterGroup)
 	controller.NewProxyController(app.log, app.runtime, apiRouter, app.services.accessControlService, app.services.authService, app.services.policyEngine)
 	controller.NewUserController(app.log, app.runtime, apiRouter, app.services.authService)
 	controller.NewResourcesController(app.config, &engine.RouterGroup)

internal/bootstrap/service_bootstrap.go

@@ -42,7 +42,7 @@ func (app *BootstrapApp) setupServices() error {
 	oauthBrokerService := service.NewOAuthBrokerService(app.log, app.runtime.OAuthProviders, app.ctx)
 	app.services.oauthBrokerService = oauthBrokerService
 
-	authService := service.NewAuthService(app.log, app.config, app.runtime, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
+	authService := service.NewAuthService(app.log, app.config, app.runtime, app.helpers, app.ctx, app.ding, app.services.ldapService, app.queries, app.services.oauthBrokerService, app.services.tailscaleService, app.services.policyEngine)
 	app.services.authService = authService
 
 	oidcService, err := service.NewOIDCService(app.log, app.config, app.runtime, app.queries, app.ding)

internal/controller/oauth_controller.go

@@ -24,20 +24,23 @@ type OAuthController struct {
 	log     *logger.Logger
 	config  model.Config
 	runtime model.RuntimeConfig
+	helpers model.RuntimeHelpers
 	auth    *service.AuthService
 }
 
 func NewOAuthController(
 	log *logger.Logger,
 	config model.Config,
 	runtimeConfig model.RuntimeConfig,
+	helpers model.RuntimeHelpers,
 	router *gin.RouterGroup,
 	auth *service.AuthService,
 ) *OAuthController {
 	controller := &OAuthController{
 		log:     log,
 		config:  config,
 		runtime: runtimeConfig,
+		helpers: helpers,
 		auth:    auth,
 	}
 
@@ -105,7 +108,18 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	cookieDomain, err := controller.helpers.GetCookieDomain(c, c.RemoteIP())
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", cookieDomain, controller.config.Auth.SecureCookie, true)
 
 	c.JSON(200, gin.H{
 		"status":  200,
@@ -135,7 +149,15 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}
 
-	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", controller.getCookieDomain(), controller.config.Auth.SecureCookie, true)
+	cookieDomain, err := controller.helpers.GetCookieDomain(c, c.RemoteIP())
+
+	if err != nil {
+		controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain")
+		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.runtime.AppURL))
+		return
+	}
+
+	c.SetCookie(controller.runtime.OAuthSessionCookieName, "", -1, "/", cookieDomain, controller.config.Auth.SecureCookie, true)
 
 	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)
 
@@ -252,7 +274,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 
 	controller.log.App.Debug().Msg("Creating session cookie for user")
 
-	cookie, err := controller.auth.CreateSession(c, sessionCookie)
+	cookie, err := controller.auth.CreateSession(c, sessionCookie, c.RemoteIP())
 
 	if err != nil {
 		controller.log.App.Error().Err(err).Msg("Failed to create session cookie")
@@ -298,10 +320,3 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 func (controller *OAuthController) isOidcRequest(params service.OAuthCallbackParams) bool {
 	return params.LoginFor == string(FrontendLoginForOIDC)
 }
-
-func (controller *OAuthController) getCookieDomain() string {
-	if controller.config.Auth.SubdomainsEnabled {
-		return "." + controller.runtime.CookieDomain
-	}
-	return controller.runtime.CookieDomain
-}

internal/controller/oidc_controller.go

@@ -1,12 +1,14 @@
 package controller
 
 import (
+	"database/sql"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"net/http"
 	"slices"
 	"strings"
+	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/gin-gonic/gin/binding"
@@ -31,6 +33,8 @@ type OIDCController struct {
 	log     *logger.Logger
 	oidc    *service.OIDCService
 	runtime model.RuntimeConfig
+	helpers model.RuntimeHelpers
+	config  model.Config
 }
 
 type AuthorizeCallback struct {
@@ -68,10 +72,11 @@ type ClientCredentials struct {
 }
 
 type AuthorizeScreenParams struct {
-	LoginFor   FrontendLoginFor `url:"login_for"`
-	OIDCTicket string           `url:"oidc_ticket"`
-	OIDCScope  string           `url:"oidc_scope"`
-	OIDCName   string           `url:"oidc_name"`
+	LoginFor        FrontendLoginFor `url:"login_for"`
+	OIDCTicket      string           `url:"oidc_ticket"`
+	OIDCScope       string           `url:"oidc_scope"`
+	OIDCName        string           `url:"oidc_name"`
+	OIDCShowConsent bool             `url:"oidc_show_consent"`
 }
 
 type AuthorizeCompleteRequest struct {
@@ -82,12 +87,16 @@ func NewOIDCController(
 	log *logger.Logger,
 	oidcService *service.OIDCService,
 	runtimeConfig model.RuntimeConfig,
+	helpers model.RuntimeHelpers,
+	config model.Config,
 	router *gin.RouterGroup,
 	mainRouter *gin.RouterGroup) *OIDCController {
 	controller := &OIDCController{
 		log:     log,
 		oidc:    oidcService,
 		runtime: runtimeConfig,
+		helpers: helpers,
+		config:  config,
 	}
 
 	mainRouter.POST("/authorize", controller.authorize)
@@ -163,11 +172,31 @@ func (controller *OIDCController) authorize(c *gin.Context) {
 
 	ticket := controller.oidc.CreateAuthorizeRequestTicket(*req)
 
+	// Check if we have consented before for this client and scope
+	consnetCookie, err := c.Cookie(controller.runtime.ConsentCookieName)
+
+	showConsent := true
+
+	if err == nil {
+		consentEntry, err := controller.oidc.GetConsentEntry(c, consnetCookie)
+
+		if err == nil && consentEntry != nil {
+			if consentEntry.ClientID == req.ClientID && consentEntry.Scopes == req.Scope {
+				showConsent = false
+			}
+		} else {
+			if !errors.Is(err, sql.ErrNoRows) {
+				controller.log.App.Error().Err(err).Msg("Failed to get consent entry for consent cookie")
+			}
+		}
+	}
+
 	queries, err := query.Values(AuthorizeScreenParams{
-		LoginFor:   FrontendLoginForOIDC,
-		OIDCTicket: ticket,
-		OIDCScope:  req.Scope,
-		OIDCName:   client.Name,
+		LoginFor:        FrontendLoginForOIDC,
+		OIDCTicket:      ticket,
+		OIDCScope:       req.Scope,
+		OIDCName:        client.Name,
+		OIDCShowConsent: showConsent,
 	})
 
 	if err != nil {
@@ -289,6 +318,33 @@ func (controller *OIDCController) authorizeComplete(c *gin.Context) {
 		return
 	}
 
+	// Just before returning let's set the consent cookie
+	consnetUUID, err := controller.oidc.CreateConsentEntry(c, authorizeReq.ClientID, authorizeReq.Scope)
+
+	// If we fail to create the consent entry, we don't want to block the authorization flow,
+	// but we log the error and move on without setting the cookie
+	if err == nil {
+		cookieDomain, err := controller.helpers.GetCookieDomain(c.Request.Context(), c.RemoteIP())
+
+		if err == nil {
+			cookie := &http.Cookie{
+				Name:     controller.runtime.ConsentCookieName,
+				Value:    consnetUUID,
+				Path:     "/",
+				Domain:   cookieDomain,
+				Expires:  time.Now().Add(365 * 24 * time.Hour), // set consent cookie for 1 year
+				Secure:   controller.config.Auth.SecureCookie,
+				HttpOnly: true,
+				SameSite: http.SameSiteLaxMode,
+			}
+			http.SetCookie(c.Writer, cookie)
+		} else {
+			controller.log.App.Error().Err(err).Msg("Failed to determine cookie domain for consent cookie")
+		}
+	} else {
+		controller.log.App.Error().Err(err).Msg("Failed to create consent entry")
+	}
+
 	c.JSON(200, gin.H{
 		"status":       200,
 		"redirect_uri": fmt.Sprintf("%s?%s", authorizeReq.RedirectURI, queries.Encode()),

internal/controller/oidc_controller_test.go

@@ -30,6 +30,8 @@ func TestOIDCController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
+	helpers := test.CreateTestHelpers()
+
 	ctx := context.TODO()
 	dg := ding.New(ctx)
 
@@ -831,7 +833,7 @@ func TestOIDCController(t *testing.T) {
 				svc = nil
 			}
 
-			controller.NewOIDCController(log, svc, runtime, group, &router.RouterGroup)
+			controller.NewOIDCController(log, svc, runtime, helpers, cfg, group, &router.RouterGroup)
 
 			recorder := httptest.NewRecorder()
 

internal/controller/proxy_controller_test.go

@@ -24,6 +24,8 @@ func TestProxyController(t *testing.T) {
 
 	cfg, runtime := test.CreateTestConfigs(t)
 
+	helpers := test.CreateTestHelpers()
+
 	const browserUserAgent = `
 	Mozilla/5.0 (Linux; Android 8.0.0; SM-G955U Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/146.0.0.0 Mobile Safari/537.36`
 
@@ -395,7 +397,7 @@ func TestProxyController(t *testing.T) {
 		Log: log,
 	})
 
-	authService := service.NewAuthService(log, cfg, runtime, ctx, dg, nil, store, broker, nil, policyEngine)
+	authService := service.NewAuthService(log, cfg, runtime, helpers, ctx, dg, nil, store, broker, nil, policyEngine)
 
 	for _, test := range tests {
 		t.Run(test.description, func(t *testing.T) {