Support additional authentication methods - Oauth

README.md

@@ -114,6 +114,125 @@ You can retrieve the token using [pbcli](https://github.com/PushBits/cli) by run
 pbcli application show $PB_APPLICATION --url https://pushbits.example.com --username $PB_USERNAME
 ```
 
+### Authentication
+
+Pushbits offers you two methods of authenticating against the server:
+
+* Basic authentication (`basic`)
+* Oauth 2 (`oauth`)
+
+You will find the corresponding setting in the security section.
+
+```yaml
+...
+security:
+    ...
+    # The authentication method to use
+    authentication: basic
+...
+```
+
+#### Basic authentication
+
+For [basic authentication](https://de.wikipedia.org/wiki/HTTP-Authentifizierung) you have to provide your username and password in each request to the server. For example in curl you can do this with the `--user` flag:
+
+```bash
+curl -u myusername:totalysecretpassword
+```
+
+#### Oauth 2
+
+[Oauth 2](https://de.wikipedia.org/wiki/OAuth) is a token based authentication method. Instead of passing your password with each request you request a token from an authorization server. With this token you are then able to authenticate yourself against the pushbits server. 
+
+Make sure to setup the "oauth" section in the config file correctly.
+
+##### Authenticating
+
+For authentication use the ``/oauth2/auth` endpoint. E.g.:
+
+```bash
+curl \
+	--header "Content-Type: application/json" \
+	--request GET \
+	"https://pushbits.example.com/oauth2/auth?client_id=000000&username=admin&password=1233456&response_type=code&redirect_uri=https://myapp.example.com"
+```
+
+This will return a HTTP redirect with the status code `302` and an authentication code set as parameter:
+
+```
+HTTP/2 302
+date: Sun, 23 May 2021 10:33:27 GMT
+location: https://myapp.example.com?code=4T1TJXMBPTOS4NNGILBDYW
+content-length: 0
+```
+
+Your app then needs to use this code to trade it for a access token. 
+
+**Hint for command line users:** you can extract the authentication code from the redirect without the need of a running webserver.
+
+##### Receiving an access token
+
+You can get an access token from the `/oauth/token` endpoint. There are several methods, so called "grant types" for receiving a token. Pushbits currently supports the following one's:
+
+* Refresh 
+* Authentication code
+
+Oauth2 authentication is based on "clients", thus you need to provide identifieres for a client with your request. These are the `client_id` and the `client_secret`. 
+
+For your first token you will need a authentication code, see the section above. Then use it like this: 
+
+```bash
+curl \
+	--header "Content-Type: application/json" \
+	--request GET \
+	"https://pushbits.example.com/oauth2/token?grant_type=authorization_code&client_id=000000&client_secret=49gjg4js9&response_type=token&redirect_uri=https://myapp.example.com&code=OP1Q2UJEVL-RPR9GZAUURA"
+```
+
+This will then return an access token and refresh token for you. 
+
+```json
+{
+  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIwMDAwMDAiLCJleHAiOjE2MjE4NTU3ODcsInN1YiI6IjEifQ.jMux7CBw6fY15Ohc8exEbcnUiMBVVgCowvq3rMrw7MQ",
+  "expires_in": 86400,
+  "refresh_token": "OP1Q2UJEVL-RPR9GZAUURA",
+  "token_type": "Bearer"
+}
+```
+
+The access token is short lived, the refresh token is long lived, but can not be used for authentication. If your access token runs out, you can use the refresh token to generate a new access token:
+
+```bash
+curl \
+	--header "Content-Type: application/json" \
+	--request GET \
+	"https://pushbits.example.com/oauth2/token?grant_type=refresh_token&client_id=000000&client_secret=49gjg4js9&response_type=token&refresh_token=OP1Q2UJEVL-RPR9GZAUURA"
+```
+
+##### Getting information about a access token
+
+With a valid access token you can get information about it from `/oauth/tokeninfo`. This is ment for testing if a token is issued correctly.
+
+```bash
+curl \
+	--header "Content-Type: application/json" \
+	--request GET \
+    -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIwMDAwMDAiLCJleHAiOjE2MjE4NTU3ODcsInN1YiI6IjEifQ.jMux7CBw6fY15Ohc8exEbcnUiMBVVgCowvq3rMrw7MQ" \
+	"https://pushbits.example.com/oauth2/tokeninfo"
+```
+
+##### Revoking a token
+
+Admin users are eligable to revoke tokens. This should not be necessary in normal operation, as tokens are only short lived. But there might be situations where attackers might have gotten knowledge about a token. 
+
+```bash
+curl \
+	--header "Content-Type: application/json" \
+	--request POST \
+    -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIwMDAwMDAiLCJleHAiOjE2MjE4NTU3ODcsInN1YiI6IjEifQ.jMux7CBw6fY15Ohc8exEbcnUiMBVVgCowvq3rMrw7MQ" \
+    --data '{"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIwMDAwMDAiLCJleHAiOjE2MjE4NDg1MDYsInN1YiI6IjEifQ.cO0_8fqsJDG4KswjC0CSzc_EznntH-FDQejdolPAISo"}'
+	"https://pushbits.example.com/oauth2/revoke"
+```
+
 ### Message options
 
 Messages are supporting three different syntaxes:

cmd/pushbits/main.go

@@ -60,7 +60,7 @@ func main() {
 		log.Fatal(err)
 	}
 
-	engine := router.Create(c.Debug, cm, db, dp)
+	engine := router.Create(c.Debug, cm, db, dp, c.Authentication)
 
 	runner.Run(engine, c.HTTP.ListenAddress, c.HTTP.Port)
 }

config.example.yml

@@ -60,3 +60,22 @@ crypto:
 formatting: 
     # Whether to use colored titles based on the message priority (<0: grey, 0-3: default, 4-10: yellow, 10-20: orange, >20: red).
     coloredtitle: false
+
+authentication:
+    # The authentication method to use.
+    method: basic
+    # Only needed if you choose oauth method.
+    oauth:
+        # The storage used for tokens.
+        storage: "file"
+        # The connection to the storage. For file: the filename, ending with .db. For mysql: the connection string. Check out
+        # https://github.com/go-sql-driver/mysql#dsn-data-source-name for details.
+        connection: "pushbits_token.db"
+        # Oauth client identifier (random string).
+        clientid: "000000"
+        # Oauth client secret.
+        clientsecret: "123456"
+        # Oauth redirect url after successful auth. Can be overwritten in the authentication request.
+        clientredirect: "http://localhost"
+        # Key used for signing the access tokens (JWT with HS512)
+        tokenkey: "123456"

go.mod

@@ -4,13 +4,17 @@ go 1.14
 
 require (
 	github.com/alexedwards/argon2id v0.0.0-20201228115903-cf543ebc1f7b
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
 	github.com/gin-contrib/location v0.0.2
 	github.com/gin-gonic/gin v1.6.3
+	github.com/go-oauth2/gin-server v1.0.0
 	github.com/go-playground/validator/v10 v10.3.0 // indirect
 	github.com/golang/protobuf v1.4.3 // indirect
 	github.com/gomarkdown/markdown v0.0.0-20210408062403-ad838ccf8cdd
 	github.com/google/go-cmp v0.5.0 // indirect
+	github.com/imrenagi/go-oauth2-mysql v1.1.0
 	github.com/jinzhu/configor v1.2.1
+	github.com/jmoiron/sqlx v1.3.3
 	github.com/json-iterator/go v1.1.10 // indirect
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/matrix-org/gomatrix v0.0.0-20200827122206-7dd5e2a05bcd
@@ -19,6 +23,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.1 // indirect
 	github.com/ugorji/go v1.2.4 // indirect
 	golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c // indirect
+	gopkg.in/oauth2.v3 v3.12.0
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gorm.io/driver/mysql v1.0.4
 	gorm.io/driver/sqlite v1.1.4