Git-Mirrors/invidious
1
0
Fork 0
mirror of https://github.com/iv-org/invidious.git synced 2024-10-01 01:25:56 -04:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: Git-Mirrors:e28e5b4f955cd4adba7724855046cf290cf10b76
Branches Tags
Git-Mirrors:master
Git-Mirrors:latest-version-web-creator-client
Git-Mirrors:limit-feeds-materialized-views
Git-Mirrors:throw-error-wrong-video
Git-Mirrors:disable-notifications
Git-Mirrors:add-proxy
Git-Mirrors:v2.20240825.2
Git-Mirrors:v2.20240825.1
Git-Mirrors:v2.20240825
Git-Mirrors:v2.20240427
Git-Mirrors:0.20.1
Git-Mirrors:0.20.0
Git-Mirrors:0.19.1
Git-Mirrors:0.19.0
Git-Mirrors:0.18.0
Git-Mirrors:0.17.0
Git-Mirrors:0.16.0
Git-Mirrors:0.15.0
Git-Mirrors:0.14.1
Git-Mirrors:0.14.0
Git-Mirrors:0.13.1
Git-Mirrors:0.13.0
Git-Mirrors:0.12.0
Git-Mirrors:0.11.0
Git-Mirrors:0.10.0
Git-Mirrors:0.9.0
Git-Mirrors:0.8.0
Git-Mirrors:0.7.0
Git-Mirrors:0.6.0
Git-Mirrors:0.5.0
Git-Mirrors:0.4.0
Git-Mirrors:0.3.0
Git-Mirrors:0.2.0
Git-Mirrors:0.1.0
...
compare: Git-Mirrors:1e668c4c3d63a2bea83c555ceb45c2c1990ede2c
Branches Tags
Git-Mirrors:master
Git-Mirrors:latest-version-web-creator-client
Git-Mirrors:limit-feeds-materialized-views
Git-Mirrors:throw-error-wrong-video
Git-Mirrors:disable-notifications
Git-Mirrors:add-proxy
Git-Mirrors:v2.20240825.2
Git-Mirrors:v2.20240825.1
Git-Mirrors:v2.20240825
Git-Mirrors:v2.20240427
Git-Mirrors:0.20.1
Git-Mirrors:0.20.0
Git-Mirrors:0.19.1
Git-Mirrors:0.19.0
Git-Mirrors:0.18.0
Git-Mirrors:0.17.0
Git-Mirrors:0.16.0
Git-Mirrors:0.15.0
Git-Mirrors:0.14.1
Git-Mirrors:0.14.0
Git-Mirrors:0.13.1
Git-Mirrors:0.13.0
Git-Mirrors:0.12.0
Git-Mirrors:0.11.0
Git-Mirrors:0.10.0
Git-Mirrors:0.9.0
Git-Mirrors:0.8.0
Git-Mirrors:0.7.0
Git-Mirrors:0.6.0
Git-Mirrors:0.5.0
Git-Mirrors:0.4.0
Git-Mirrors:0.3.0
Git-Mirrors:0.2.0
Git-Mirrors:0.1.0

5 Commits
e28e5b4f95 ... 1e668c4c3d

Author SHA1 Message Date
choelzl
1e668c4c3d
Merge 8953c105be into 53e8a5d62d 2024-09-29 13:06:35 -05:00
TheFrenchGhosty
53e8a5d62d
Remove myself from CODEOWNERS on the config file (#4942) 2024-09-28 23:54:52 +02:00
soraefir
8953c105be
Implemented requested changes and added 'auth_enforce_source' option 2023-07-13 12:48:18 +02:00
soraefir
4d14789e7b
Added login flow functions and fix cookies 2023-07-12 01:09:29 +02:00
soraefir
bee301a6f4
Implemented Oauth 2023-07-12 00:38:03 +02:00
9 changed files with 244 additions and 50 deletions
Show Stats Expand all files Collapse all files

2
.github/CODEOWNERS vendored
View File

@ -6,7 +6,7 @@ docker/ @unixfox
kubernetes/ @unixfox kubernetes/ @unixfox
README.md @thefrenchghosty README.md @thefrenchghosty
config/config.example.yml @thefrenchghosty @SamantazFox @unixfox config/config.example.yml @SamantazFox @unixfox
scripts/ @syeopite scripts/ @syeopite
shards.lock @syeopite shards.lock @syeopite

34
config/config.example.yml
View File

@ -323,6 +323,40 @@ https_only: false
## ##
#enable_user_notifications: true #enable_user_notifications: true
##
## List of Enabled Authentication Backend
## If not provided falls back to default
##
## Supported Values:
## - invidious
## - oauth
## - ldap (Not implemented !)
## - saml (Not implemented !)
##
## Default: ["invidious","oauth"]
##
# auth_type: ["oauth"]
##
## OAuth Configuration
##
## Notes:
## - Supports multiple OAuth backends
## - Requires external_port and domain to be configured
##
## Default: []
##
# oauth:
# example:
# host: oauth.example.net
# field : email
# auth_uri: /oauth/authorize/
# token_uri: /oauth/token/
# info_uri: https://api.example.net/oauth/userinfo/
# client_id: CLIENT_ID
# client_secret: CLIENT_SECRET
# ----------------------------- # -----------------------------
# Background jobs # Background jobs
# ----------------------------- # -----------------------------

24
src/invidious/config.cr
View File

@ -8,6 +8,18 @@ struct DBConfig
property dbname : String property dbname : String
end end
struct OAuthConfig
include YAML::Serializable
property host : String
property field : String = "email"
property auth_uri : String
property token_uri : String
property info_uri : String
property client_id : String
property client_secret : String
end
struct ConfigPreferences struct ConfigPreferences
include YAML::Serializable include YAML::Serializable
@ -137,6 +149,10 @@ class Config
# poToken for passing bot attestation # poToken for passing bot attestation
property po_token : String? = nil property po_token : String? = nil
property auth_type : Array(String) = ["invidious", "oauth"]
property auth_enforce_source : Bool = true
property oauth = {} of String => OAuthConfig
# Saved cookies in "name1=value1; name2=value2..." format # Saved cookies in "name1=value1; name2=value2..." format
@[YAML::Field(converter: Preferences::StringToCookies)] @[YAML::Field(converter: Preferences::StringToCookies)]
property cookies : HTTP::Cookies = HTTP::Cookies.new property cookies : HTTP::Cookies = HTTP::Cookies.new
@ -159,6 +175,14 @@ class Config
end end
end end
def auth_oauth_enabled?
return (@auth_type.find(&.== "oauth") && @oauth.size > 0)
end
def auth_internal_enabled?
return (@auth_type.find(&.== "invidious"))
end
def self.load def self.load
# Load config from file or YAML string env var # Load config from file or YAML string env var
env_config_file = "INVIDIOUS_CONFIG_FILE" env_config_file = "INVIDIOUS_CONFIG_FILE"

53
src/invidious/helpers/oauth.cr Normal file
View File

@ -0,0 +1,53 @@
require "oauth2"
module Invidious::OAuthHelper
extend self
def get_provider(key)
if provider = CONFIG.oauth[key]?
provider
else
raise Exception.new("Invalid OAuth Endpoint: " + key)
end
end
def make_client(key)
if HOST_URL == ""
raise Exception.new("Missing domain and port configuration")
end
provider = get_provider(key)
redirect_uri = "#{HOST_URL}/login/oauth/#{key}"
OAuth2::Client.new(
provider.host,
provider.client_id,
provider.client_secret,
authorize_uri: provider.auth_uri,
token_uri: provider.token_uri,
redirect_uri: redirect_uri
)
end
def get_uri_host_pair(host, url)
if (url.starts_with?(/https*\:\/\//))
uri = URI.parse url
[uri.host || host, uri.path || "/"]
else
[host, url]
end
end
def get_info(key, token)
provider = self.get_provider(key)
uri_host_pair = self.get_uri_host_pair(provider.host, provider.info_uri)
client = HTTP::Client.new(uri_host_pair[0], tls: true)
token.authenticate(client)
response = client.get uri_host_pair[1]
client.close
response.body
end
def info_field(key, token)
info = JSON.parse(self.get_info(key, token))
info[self.get_provider(key).field].as_s?
end
end

149
src/invidious/routes/login.cr
View File

@ -3,11 +3,10 @@
module Invidious::Routes::Login module Invidious::Routes::Login
def self.login_page(env) def self.login_page(env)
locale = env.get("preferences").as(Preferences).locale locale = env.get("preferences").as(Preferences).locale
referer = get_referer(env, "/feed/subscriptions")
user = env.get? "user" user = env.get? "user"
referer = get_referer(env, "/feed/subscriptions")
return env.redirect referer if user return env.redirect referer if user
if !CONFIG.login_enabled if !CONFIG.login_enabled
@ -19,7 +18,13 @@ module Invidious::Routes::Login
captcha = nil captcha = nil
account_type = env.params.query["type"]? account_type = env.params.query["type"]?
account_type ||= "invidious" account_type ||= ""
if CONFIG.auth_type.size == 0
return error_template(401, "No authentication backend enabled.")
elsif CONFIG.auth_type.find(&.== account_type).nil? && CONFIG.auth_type.size == 1
account_type = CONFIG.auth_type[0]
end
captcha_type = env.params.query["captcha"]? captcha_type = env.params.query["captcha"]?
captcha_type ||= "image" captcha_type ||= "image"
@ -27,9 +32,38 @@ module Invidious::Routes::Login
templated "user/login" templated "user/login"
end end
def self.login_oauth(env)
locale = env.get("preferences").as(Preferences).locale
referer = get_referer(env, "/feed/subscriptions")
authorization_code = env.params.query["code"]?
provider_k = env.params.url["provider"]
if authorization_code.nil?
return error_template(403, "Missing Authorization Code")
end
begin
token = OAuthHelper.make_client(provider_k).get_access_token_using_authorization_code(authorization_code)
if email = OAuthHelper.info_field(provider_k, token)
if user = Invidious::Database::Users.select(email: email)
if CONFIG.auth_enforce_source && user.password != ("oauth:" + provider_k)
return error_template(401, "Wrong provider")
else
user_flow_existing(env, email)
end
else
user_flow_new(env, email, nil, "oauth:" + provider_k)
end
end
rescue ex
return error_template(500, "Internal Error")
end
env.redirect referer
end
def self.login(env) def self.login(env)
locale = env.get("preferences").as(Preferences).locale locale = env.get("preferences").as(Preferences).locale
referer = get_referer(env, "/feed/subscriptions") referer = get_referer(env, "/feed/subscriptions")
if !CONFIG.login_enabled if !CONFIG.login_enabled
@ -41,9 +75,22 @@ module Invidious::Routes::Login
password = env.params.body["password"]? password = env.params.body["password"]?
account_type = env.params.query["type"]? account_type = env.params.query["type"]?
account_type ||= "invidious" account_type ||= ""
if CONFIG.auth_type.size == 0
return error_template(401, "No authentication backend enabled.")
elsif CONFIG.auth_type.find(&.== account_type).nil? && CONFIG.auth_type.size == 1
account_type = CONFIG.auth_type[0]
end
case account_type case account_type
when "oauth"
provider_k = env.params.body["provider"]
env.redirect OAuthHelper.make_client(provider_k).get_authorize_uri("openid email profile")
when "saml"
return error_template(501, "Not implemented")
when "ldap"
return error_template(501, "Not implemented")
when "invidious" when "invidious"
if email.nil? || email.empty? if email.nil? || email.empty?
return error_template(401, "User ID is a required field") return error_template(401, "User ID is a required field")
@ -53,24 +100,14 @@ module Invidious::Routes::Login
return error_template(401, "Password is a required field") return error_template(401, "Password is a required field")
end end
user = Invidious::Database::Users.select(email: email) if user = Invidious::Database::Users.select(email: email)
if user.password.not_nil!.starts_with? "oauth"
if user return error_template(401, "Wrong provider")
if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) elsif Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) user_flow_existing(env, email)
Invidious::Database::SessionIDs.insert(sid, email)
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
else else
return error_template(401, "Wrong username or password") return error_template(401, "Wrong username or password")
end end
# Since this user has already registered, we don't want to overwrite their preferences
if env.request.cookies["PREFS"]?
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
else else
if !CONFIG.registration_enabled if !CONFIG.registration_enabled
return error_template(400, "Registration has been disabled by administrator.") return error_template(400, "Registration has been disabled by administrator.")
@ -147,32 +184,7 @@ module Invidious::Routes::Login
end end
end end
end end
user_flow_new(env, email, password, "internal")
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
user, sid = create_user(sid, email, password)
if language_header = env.request.headers["Accept-Language"]?
if language = ANG.language_negotiator.best(language_header, LOCALES.keys)
user.preferences.locale = language.header
end
end
Invidious::Database::Users.insert(user)
Invidious::Database::SessionIDs.insert(sid, email)
view_name = "subscriptions_#{sha256(user.email)}"
PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS #{MATERIALIZED_VIEW_SQL.call(user.email)}")
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
if env.request.cookies["PREFS"]?
user.preferences = env.get("preferences").as(Preferences)
Invidious::Database::Users.update_preferences(user)
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
end end
env.redirect referer env.redirect referer
@ -211,4 +223,49 @@ module Invidious::Routes::Login
env.redirect referer env.redirect referer
end end
def self.user_flow_existing(env, email)
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
Invidious::Database::SessionIDs.insert(sid, email)
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
# Since this user has already registered, we don't want to overwrite their preferences
if env.request.cookies["PREFS"]?
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
end
def self.user_flow_new(env, email, password, provider)
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
if provider == "internal"
user, sid = create_internal_user(sid, email, password)
else
user, sid = create_user(sid, email, provider)
end
if language_header = env.request.headers["Accept-Language"]?
if language = ANG.language_negotiator.best(language_header, LOCALES.keys)
user.preferences.locale = language.header
end
end
Invidious::Database::Users.insert(user)
Invidious::Database::SessionIDs.insert(sid, email)
view_name = "subscriptions_#{sha256(user.email)}"
PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS #{MATERIALIZED_VIEW_SQL.call(user.email)}")
env.response.cookies["SID"] = Invidious::User::Cookies.sid(CONFIG.domain, sid)
if env.request.cookies["PREFS"]?
user.preferences = env.get("preferences").as(Preferences)
Invidious::Database::Users.update_preferences(user)
cookie = env.request.cookies["PREFS"]
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end
end
end end

1
src/invidious/routing.cr
View File

@ -55,6 +55,7 @@ module Invidious::Routing
def register_user_routes def register_user_routes
# User login/out # User login/out
get "/login", Routes::Login, :login_page get "/login", Routes::Login, :login_page
get "/login/oauth/:provider", Routes::Login, :login_oauth
post "/login", Routes::Login, :login post "/login", Routes::Login, :login
post "/signout", Routes::Login, :signout post "/signout", Routes::Login, :signout

2
src/invidious/user/cookies.cr
View File

@ -14,6 +14,7 @@ struct Invidious::User
return HTTP::Cookie.new( return HTTP::Cookie.new(
name: "SID", name: "SID",
domain: domain, domain: domain,
path: "/",
value: sid, value: sid,
expires: Time.utc + 2.years, expires: Time.utc + 2.years,
secure: SECURE, secure: SECURE,
@ -28,6 +29,7 @@ struct Invidious::User
return HTTP::Cookie.new( return HTTP::Cookie.new(
name: "PREFS", name: "PREFS",
domain: domain, domain: domain,
path: "/",
value: URI.encode_www_form(preferences.to_json), value: URI.encode_www_form(preferences.to_json),
expires: Time.utc + 2.years, expires: Time.utc + 2.years,
secure: SECURE, secure: SECURE,

8
src/invidious/users.cr
View File

@ -4,7 +4,6 @@ require "crypto/bcrypt/password"
MATERIALIZED_VIEW_SQL = ->(email : String) { "SELECT cv.* FROM channel_videos cv WHERE EXISTS (SELECT subscriptions FROM users u WHERE cv.ucid = ANY (u.subscriptions) AND u.email = E'#{email.gsub({'\'' => "\\'", '\\' => "\\\\"})}') ORDER BY published DESC" } MATERIALIZED_VIEW_SQL = ->(email : String) { "SELECT cv.* FROM channel_videos cv WHERE EXISTS (SELECT subscriptions FROM users u WHERE cv.ucid = ANY (u.subscriptions) AND u.email = E'#{email.gsub({'\'' => "\\'", '\\' => "\\\\"})}') ORDER BY published DESC" }
def create_user(sid, email, password) def create_user(sid, email, password)
password = Crypto::Bcrypt::Password.create(password, cost: 10)
token = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) token = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
user = Invidious::User.new({ user = Invidious::User.new({
@ -13,7 +12,7 @@ def create_user(sid, email, password)
subscriptions: [] of String, subscriptions: [] of String,
email: email, email: email,
preferences: Preferences.new(CONFIG.default_user_preferences.to_tuple), preferences: Preferences.new(CONFIG.default_user_preferences.to_tuple),
password: password.to_s, password: password,
token: token, token: token,
watched: [] of String, watched: [] of String,
feed_needs_update: true, feed_needs_update: true,
@ -22,6 +21,11 @@ def create_user(sid, email, password)
return user, sid return user, sid
end end
def create_internal_user(sid, email, password)
password = Crypto::Bcrypt::Password.create(password.not_nil!, cost: 10)
create_user(sid, email, password.to_s)
end
def get_subscription_feed(user, max_results = 40, page = 1) def get_subscription_feed(user, max_results = 40, page = 1)
limit = max_results.clamp(0, MAX_ITEMS_PER_PAGE) limit = max_results.clamp(0, MAX_ITEMS_PER_PAGE)
offset = (page - 1) * limit offset = (page - 1) * limit

21
src/invidious/views/user/login.ecr
View File

@ -7,7 +7,18 @@
<div class="pure-u-1 pure-u-lg-3-5"> <div class="pure-u-1 pure-u-lg-3-5">
<div class="h-box"> <div class="h-box">
<% case account_type when %> <% case account_type when %>
<% else # "invidious" %> <% when "oauth" %>
<form class="pure-form pure-form-stacked" action="/login?referer=<%= URI.encode_www_form(referer) %>&type=oauth" method="post">
<fieldset>
<select name="provider" id="provider">
<% CONFIG.oauth.each_key do |key| %>
<option value="<%= key %>"><%= key %></option>
<% end %>
</select>
<button type="submit" class="pure-button pure-button-primary"><%= translate(locale, "Sign In via OAuth") %></button>
</fieldset>
</form>
<% when "invidious" %>
<form class="pure-form pure-form-stacked" action="/login?referer=<%= URI.encode_www_form(referer) %>&type=invidious" method="post"> <form class="pure-form pure-form-stacked" action="/login?referer=<%= URI.encode_www_form(referer) %>&type=invidious" method="post">
<fieldset> <fieldset>
<% if email %> <% if email %>
@ -70,6 +81,14 @@
<% end %> <% end %>
</fieldset> </fieldset>
</form> </form>
<% else %>
<% if CONFIG.auth_internal_enabled? %>
<a class="pure-button pure-button-secondary" href="/login?referer=<%= URI.encode_www_form(referer) %>&type=invidious">Internal</a>
<% end %>
<% if CONFIG.auth_oauth_enabled? %>
<a class="pure-button pure-button-secondary" href="/login?referer=<%= URI.encode_www_form(referer) %>&type=oauth">OAuth</a>
<% end %>
<label></label>
<% end %> <% end %>
</div> </div>
</div> </div>