add /openid/request_token and /openid/userinfo routes

heavily changed and improved by me Co-authored-by: mikoto <avdb@keemail.me> Signed-off-by: strawberry <strawberry@puppygock.gay>
2024-07-02 21:51:11 -04:00 · 2024-07-02 21:51:11 -04:00 · 1a64e42cfe
commit 1a64e42cfe
parent 5edd391e83
11 changed files with 151 additions and 7 deletions
--- a/src/api/client/mod.rs
+++ b/src/api/client/mod.rs
@ -11,6 +11,7 @@ pub(super) mod keys;
 pub(super) mod media;
 pub(super) mod membership;
 pub(super) mod message;
+pub(super) mod openid;
 pub(super) mod presence;
 pub(super) mod profile;
 pub(super) mod push;
@ -48,6 +49,7 @@ pub(super) use media::*;
 pub(super) use membership::*;
 pub use membership::{join_room_by_id_helper, leave_all_rooms, leave_room, validate_and_add_event_id};
 pub(super) use message::*;
+pub(super) use openid::*;
 pub(super) use presence::*;
 pub(super) use profile::*;
 pub use profile::{update_all_rooms, update_avatar_url, update_displayname};
--- a/src/api/client/openid.rs
+++ b/src/api/client/openid.rs
@ -0,0 +1,41 @@
+use std::time::Duration;
+
+use conduit::utils;
+use ruma::{
+	api::client::{account, error::ErrorKind},
+	authentication::TokenType,
+};
+
+use super::TOKEN_LENGTH;
+use crate::{services, Error, Result, Ruma};
+
+/// # `POST /_matrix/client/v3/user/{userId}/openid/request_token`
+///
+/// Request an OpenID token to verify identity with third-party services.
+///
+/// - The token generated is only valid for the OpenID API
+pub(crate) async fn create_openid_token_route(
+	body: Ruma<account::request_openid_token::v3::Request>,
+) -> Result<account::request_openid_token::v3::Response> {
+	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+
+	if sender_user != &body.user_id {
+		return Err(Error::BadRequest(
+			ErrorKind::InvalidParam,
+			"Not allowed to request OpenID tokens on behalf of other users",
+		));
+	}
+
+	let access_token = utils::random_string(TOKEN_LENGTH);
+
+	let expires_in = services()
+		.users
+		.create_openid_token(&body.user_id, &access_token)?;
+
+	Ok(account::request_openid_token::v3::Response {
+		access_token,
+		token_type: TokenType::Bearer,
+		matrix_server_name: services().globals.config.server_name.clone(),
+		expires_in: Duration::from_secs(expires_in),
+	})
+}
--- a/src/api/router/auth.rs
+++ b/src/api/router/auth.rs
@ -76,12 +76,26 @@ pub(super) async fn auth(
 	}

 	match (metadata.authentication, token) {
-		(_, Token::Invalid) => Err(Error::BadRequest(
-			ErrorKind::UnknownToken {
-				soft_logout: false,
-			},
-			"Unknown access token.",
-		)),
+		(_, Token::Invalid) => {
+			// OpenID endpoint uses a query param with the same name, drop this once query
+			// params for user auth are removed from the spec. This is required to make
+			// integration manager work.
+			if request.query.access_token.is_some() && request.parts.uri.path().contains("/openid/") {
+				Ok(Auth {
+					origin: None,
+					sender_user: None,
+					sender_device: None,
+					appservice_info: None,
+				})
+			} else {
+				Err(Error::BadRequest(
+					ErrorKind::UnknownToken {
+						soft_logout: false,
+					},
+					"Unknown access token.",
+				))
+			}
+		},
 		(AuthScheme::AccessToken, Token::Appservice(info)) => Ok(auth_appservice(request, info)?),
 		(AuthScheme::None | AuthScheme::AccessTokenOptional | AuthScheme::AppserviceToken, Token::Appservice(info)) => {
 			Ok(Auth {
--- a/src/api/routes.rs
+++ b/src/api/routes.rs
@ -39,6 +39,7 @@ pub fn build(router: Router, server: &Server) -> Router {
 		.ruma_route(client::get_room_aliases_route)
 		.ruma_route(client::get_filter_route)
 		.ruma_route(client::create_filter_route)
+		.ruma_route(client::create_openid_token_route)
 		.ruma_route(client::set_global_account_data_route)
 		.ruma_route(client::set_room_account_data_route)
 		.ruma_route(client::get_global_account_data_route)
@ -212,6 +213,7 @@ pub fn build(router: Router, server: &Server) -> Router {
 			.ruma_route(server::get_profile_information_route)
 			.ruma_route(server::get_keys_route)
 			.ruma_route(server::claim_keys_route)
+			.ruma_route(server::get_openid_userinfo_route)
 			.ruma_route(server::get_hierarchy_route)
 			.ruma_route(server::well_known_server)
 			.route("/_conduwuit/local_user_count", get(client::conduwuit_local_user_count))
--- a/src/api/server/mod.rs
+++ b/src/api/server/mod.rs
@ -7,6 +7,7 @@ pub(super) mod invite;
 pub(super) mod key;
 pub(super) mod make_join;
 pub(super) mod make_leave;
+pub(super) mod openid;
 pub(super) mod publicrooms;
 pub(super) mod query;
 pub(super) mod send;
@ -27,6 +28,7 @@ pub(super) use invite::*;
 pub(super) use key::*;
 pub(super) use make_join::*;
 pub(super) use make_leave::*;
+pub(super) use openid::*;
 pub(super) use publicrooms::*;
 pub(super) use query::*;
 pub(super) use send::*;
--- a/src/api/server/openid.rs
+++ b/src/api/server/openid.rs
@ -0,0 +1,16 @@
+use ruma::api::federation::openid::get_openid_userinfo;
+
+use crate::{services, Result, Ruma};
+
+/// # `GET /_matrix/federation/v1/openid/userinfo`
+///
+/// Get information about the user that generated the OpenID token.
+pub(crate) async fn get_openid_userinfo_route(
+	body: Ruma<get_openid_userinfo::v1::Request>,
+) -> Result<get_openid_userinfo::v1::Response> {
+	Ok(get_openid_userinfo::v1::Response::new(
+		services()
+			.users
+			.find_from_openid_token(&body.access_token)?,
+	))
+}