Mirrors/overte-Armored-Dragon
3
0
Fork 0
mirror of https://github.com/Armored-Dragon/overte.git synced 2025-03-11 16:13:16 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #585 from ctrlaltdavid/feature/oauth2-login

Browse source 
OAuth2 WordPress log in
This commit is contained in:
kasenvr 2020-08-04 14:14:50 -04:00 committed by GitHub
commit 4bfb414cbe
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 470 additions and 113 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
domain-server/resources/describe-settings.json
View file

@ -3,7 +3,7 @@
"settings": [
{
"name": "metaverse",
"label": "Metaverse / Networking",
"label": "Networking / Metaverse",
"settings": [
{
"name": "access_token",
@ -57,6 +57,39 @@
}
]
},
{
"name": "authentication",
"label": "Networking / WordPress OAuth2",
"settings": [
{
"name": "enable_oauth2",
"label": "Enable OAuth2 Authentication",
"help": "Allow a WordPress-based (miniOrange) OAuth2 service to assign users to groups based on their role with the service.",
"default": false,
"type": "checkbox",
"advanced": true
},
{
"name": "oauth2_url_path",
"label": "Authentication URL",
"help": "The URL that the Interface will use to login via OAuth2.",
"advanced": true
},
{
"name": "wordpress_url_base",
"label": "WordPress API URL Base",
"help": "The URL base that the domain server will use to make WordPress API calls. Typically \"https://oursite.com/wp-json/\". However, if using non-pretty permalinks or otherwise get a 404 error then try \"https://oursite.com/?rest_route=/\".",
"advanced": true
},
{
"name": "plugin_client_id",
"label": "WordPress Plugin Client ID",
"help": "This is the client ID from the WordPress plugin configuration.",
"advanced": true,
"backup": false
}
]
},
{
"label": "Monitoring",
"name": "monitoring",

210
domain-server/src/DomainGatekeeper.cpp
View file

@ -90,12 +90,13 @@ void DomainGatekeeper::processConnectRequestPacket(QSharedPointer<ReceivedMessag
SharedNodePointer node;
QString username;
QString domainUsername;
if (pendingAssignment != _pendingAssignedNodes.end()) {
node = processAssignmentConnectRequest(nodeConnection, pendingAssignment->second);
} else if (!STATICALLY_ASSIGNED_NODES.contains(nodeConnection.nodeType)) {
QByteArray usernameSignature;
QByteArray domainUsernameSignature;
QString domainUsername;
QStringList domainTokens;
if (message->getBytesLeftToRead() > 0) {
// read username from packet
@ -108,16 +109,21 @@ void DomainGatekeeper::processConnectRequestPacket(QSharedPointer<ReceivedMessag
if (message->getBytesLeftToRead() > 0) {
// Read domain username from packet.
packetStream >> domainUsername;
domainUsername = domainUsername.toLower(); // Domain usernames are case-insensitive; internally lower-case.
if (message->getBytesLeftToRead() > 0) {
// Read domain signature from packet.
packetStream >> domainUsernameSignature;
// Read domain tokens from packet.
QString domainTokensString;
packetStream >> domainTokensString;
domainTokens = domainTokensString.split(":");
}
}
}
}
node = processAgentConnectRequest(nodeConnection, username, usernameSignature, domainUsername, domainUsernameSignature);
node = processAgentConnectRequest(nodeConnection, username, usernameSignature,
domainUsername, domainTokens.value(0), domainTokens.value(1));
}
if (node) {
@ -175,7 +181,7 @@ NodePermissions DomainGatekeeper::setPermissionsForUser(bool isLocalUser, QStrin
auto userGroups = _domainGroupMemberships[verifiedDomainUserName];
foreach (QString userGroup, userGroups) {
// Domain groups may be specified as comma- and/or space-separated lists of group names.
// For example, "silver gold, platinum".
// For example, "@silver @Gold, @platinum".
auto domainGroups = _server->_settingsManager.getDomainGroupNames()
.filter(QRegularExpression("^(.*[\\s,])?" + userGroup + "([\\s,].*)?$",
QRegularExpression::CaseInsensitiveOption));
@ -296,7 +302,7 @@ NodePermissions DomainGatekeeper::setPermissionsForUser(bool isLocalUser, QStrin
auto userGroups = _domainGroupMemberships[verifiedDomainUserName];
foreach(QString userGroup, userGroups) {
// Domain groups may be specified as comma- and/or space-separated lists of group names.
// For example, "silver gold, platinum".
// For example, "@silver @Gold, @platinum".
auto domainGroups = _server->_settingsManager.getDomainBlacklistGroupNames()
.filter(QRegularExpression("^(.*[\\s,])?" + userGroup + "([\\s,].*)?$",
QRegularExpression::CaseInsensitiveOption));
@ -444,6 +450,10 @@ SharedNodePointer DomainGatekeeper::processAssignmentConnectRequest(const NodeCo
return newNode;
}
const QString AUTHENTICATION_ENAABLED = "authentication.enable_oauth2";
const QString AUTHENTICATION_OAUTH2_URL_PATH = "authentication.oauth2_url_path";
const QString AUTHENTICATION_WORDPRESS_URL_BASE = "authentication.wordpress_url_base";
const QString AUTHENTICATION_PLUGIN_CLIENT_ID = "authentication.plugin_client_id";
const QString MAXIMUM_USER_CAPACITY = "security.maximum_user_capacity";
const QString MAXIMUM_USER_CAPACITY_REDIRECT_LOCATION = "security.maximum_user_capacity_redirect_location";
@ -451,7 +461,8 @@ SharedNodePointer DomainGatekeeper::processAgentConnectRequest(const NodeConnect
const QString& username,
const QByteArray& usernameSignature,
const QString& domainUsername,
const QByteArray& domainUsernameSignature) {
const QString& domainAccessToken,
const QString& domainRefreshToken) {
auto limitedNodeList = DependencyManager::get<LimitedNodeList>();
@ -501,29 +512,33 @@ SharedNodePointer DomainGatekeeper::processAgentConnectRequest(const NodeConnect
QString verifiedDomainUsername;
QStringList verifiedDomainUserGroups;
if (domainHasLogin() && !domainUsername.isEmpty()) {
if (domainUsernameSignature.isEmpty()) {
if (domainAccessToken.isEmpty()) {
// User is attempting to prove their domain identity.
// ####### TODO: OAuth2 corollary of metaverse code, above.
getDomainGroupMemberships(domainUsernameSignature); // Optimistically get started on group memberships.
#ifdef WANT_DEBUG
qDebug() << "stalling login because we have no domain username-signature:" << domainUsername;
qDebug() << "Stalling login because we have no domain OAuth2 tokens:" << domainUsername;
#endif
return SharedNodePointer();
} else if (verifyDomainUserSignature(domainUsername, domainUsernameSignature, nodeConnection.senderSockAddr)) {
} else if (needToVerifyDomainUserIdentity(domainUsername, domainAccessToken, domainRefreshToken)) {
// User's domain identity needs to be confirmed.
requestDomainUser(domainUsername, domainAccessToken, domainRefreshToken);
#ifdef WANT_DEBUG
qDebug() << "Stalling login because we haven't authenticated user yet:" << domainUsername;
#endif
} else if (verifyDomainUserIdentity(domainUsername, domainAccessToken, domainRefreshToken,
nodeConnection.senderSockAddr)) {
// User's domain identity is confirmed.
getDomainGroupMemberships(domainUsername);
verifiedDomainUsername = domainUsername.toLower();
verifiedDomainUsername = domainUsername;
} else {
// User's identity didn't check out.
// ####### TODO: OAuth2 corollary of metaverse code, above.
// User's domain identity didn't check out.
#ifdef WANT_DEBUG
qDebug() << "stalling login because domain signature verification failed:" << domainUsername;
qDebug() << "Stalling login because domain user verification failed:" << domainUsername;
#endif
return SharedNodePointer();
}
}
@ -533,10 +548,22 @@ SharedNodePointer DomainGatekeeper::processAgentConnectRequest(const NodeConnect
if (!userPerms.can(NodePermissions::Permission::canConnectToDomain)) {
if (domainHasLogin()) {
sendConnectionDeniedPacket("You lack the required permissions to connect to this domain.",
nodeConnection.senderSockAddr, DomainHandler::ConnectionRefusedReason::NotAuthorizedDomain);
QString domainAuthURL;
auto domainAuthURLVariant = _server->_settingsManager.valueForKeyPath(AUTHENTICATION_OAUTH2_URL_PATH);
if (domainAuthURLVariant.canConvert<QString>()) {
domainAuthURL = domainAuthURLVariant.toString();
}
QString domainAuthClientID;
auto domainAuthClientIDVariant = _server->_settingsManager.valueForKeyPath(AUTHENTICATION_PLUGIN_CLIENT_ID);
if (domainAuthClientIDVariant.canConvert<QString>()) {
domainAuthClientID = domainAuthClientIDVariant.toString();
}
sendConnectionDeniedPacket("You lack the required domain permissions to connect to this domain.",
nodeConnection.senderSockAddr, DomainHandler::ConnectionRefusedReason::NotAuthorizedDomain,
domainAuthURL + "|" + domainAuthClientID);
} else {
sendConnectionDeniedPacket("You lack the required permissions to connect to this domain.",
sendConnectionDeniedPacket("You lack the required metaverse permissions to connect to this domain.",
nodeConnection.senderSockAddr, DomainHandler::ConnectionRefusedReason::NotAuthorizedMetaverse);
}
#ifdef WANT_DEBUG
@ -734,17 +761,21 @@ bool DomainGatekeeper::verifyUserSignature(const QString& username,
return false;
}
bool DomainGatekeeper::verifyDomainUserSignature(const QString& domainUsername,
const QByteArray& domainUsernameSignature,
const HifiSockAddr& senderSockAddr) {
// ####### TODO: Verify via domain OAuth2.
bool success = true;
if (success) {
bool DomainGatekeeper::needToVerifyDomainUserIdentity(const QString& username, const QString& accessToken,
const QString& refreshToken) {
return !_verifiedDomainUserIdentities.contains(username)
|| _verifiedDomainUserIdentities.value(username) != QPair<QString, QString>(accessToken, refreshToken);
}
bool DomainGatekeeper::verifyDomainUserIdentity(const QString& username, const QString& accessToken,
const QString& refreshToken, const HifiSockAddr& senderSockAddr) {
if (_verifiedDomainUserIdentities.contains(username)
&& _verifiedDomainUserIdentities.value(username) == QPair<QString, QString>(accessToken, refreshToken)) {
return true;
}
sendConnectionDeniedPacket("Error decrypting domain username signature.", senderSockAddr,
sendConnectionDeniedPacket("Error verifying domain user.", senderSockAddr,
DomainHandler::ConnectionRefusedReason::LoginErrorDomain);
return false;
}
@ -1076,20 +1107,6 @@ void DomainGatekeeper::getIsGroupMemberErrorCallback(QNetworkReply* requestReply
}
void DomainGatekeeper::getDomainGroupMemberships(const QString& domainUserName) {
// ####### TODO: Get user's domain group memberships (WordPress roles) from domain.
// This may be able to be provided at the same time as the "authenticate user" call to the domain API, in which case
// a copy of some of the following code can be made there. However, this code is still needed for refreshing groups.
// ####### TODO: Check how often this method and the WordPress API is called.
QStringList wordpressGroupsForUser;
wordpressGroupsForUser << "silVER" << "gold" << "coal";
_domainGroupMemberships[domainUserName] = wordpressGroupsForUser;
}
void DomainGatekeeper::getDomainOwnerFriendsList() {
JSONCallbackParameters callbackParams;
callbackParams.callbackReceiver = this;
@ -1138,7 +1155,7 @@ void DomainGatekeeper::getDomainOwnerFriendsListErrorCallback(QNetworkReply* req
qDebug() << "getDomainOwnerFriendsList api call failed:" << requestReply->error();
}
// ####### TODO: Domain equivalent or addition
// ####### TODO: Domain equivalent or addition [plugin groups]
void DomainGatekeeper::refreshGroupsCache() {
// if agents are connected to this domain, refresh our cached information about groups and memberships in such.
getDomainOwnerFriendsList();
@ -1163,17 +1180,6 @@ void DomainGatekeeper::refreshGroupsCache() {
#endif
}
bool DomainGatekeeper::domainHasLogin() {
// The domain may have its own users and groups. This is enabled in the server settings by ...
// ####### TODO: Use a particular string in the server name or set a particular tag in the server's settings?
// Or add a new server setting?
// ####### TODO: Also configure URL for getting user's group memberships, in the server's settings?
// ####### TODO
return true;
}
void DomainGatekeeper::initLocalIDManagement() {
std::uniform_int_distribution<quint16> sixteenBitRand;
std::random_device randomDevice;
@ -1201,3 +1207,91 @@ Node::LocalID DomainGatekeeper::findOrCreateLocalID(const QUuid& uuid) {
_localIDs.insert(newLocalID);
return newLocalID;
}
bool DomainGatekeeper::domainHasLogin() {
// The domain may have its own users and groups in a WordPress site.
// ####### TODO: Add checks of any further domain server settings used. [plugin, groups]
return _server->_settingsManager.valueForKeyPath(AUTHENTICATION_ENAABLED).toBool()
&& !_server->_settingsManager.valueForKeyPath(AUTHENTICATION_OAUTH2_URL_PATH).toString().isEmpty()
&& !_server->_settingsManager.valueForKeyPath(AUTHENTICATION_WORDPRESS_URL_BASE).toString().isEmpty();
}
void DomainGatekeeper::requestDomainUser(const QString& username, const QString& accessToken, const QString& refreshToken) {
if (_inFlightDomainUserIdentityRequests.contains(username)) {
// Domain identify request for this username is already in progress.
return;
}
_inFlightDomainUserIdentityRequests.insert(username, QPair<QString, QString>(accessToken, refreshToken));
if (_verifiedDomainUserIdentities.contains(username)) {
_verifiedDomainUserIdentities.remove(username);
}
QString apiBase = _server->_settingsManager.valueForKeyPath(AUTHENTICATION_WORDPRESS_URL_BASE).toString();
if (!apiBase.endsWith("/")) {
apiBase += "/";
}
// Get data pertaining to "me", the user who generated the access token.
const QString WORDPRESS_USER_ROUTE = "wp/v2/users/me";
const QString WORDPRESS_USER_QUERY = "_fields=username,roles";
QUrl domainUserURL = apiBase + WORDPRESS_USER_ROUTE + (apiBase.contains("?") ? "&" : "?") + WORDPRESS_USER_QUERY;
QNetworkRequest request;
request.setHeader(QNetworkRequest::UserAgentHeader, NetworkingConstants::VIRCADIA_USER_AGENT);
request.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded");
request.setRawHeader(QByteArray("Authorization"), QString("Bearer " + accessToken).toUtf8());
QByteArray formData; // No data to send.
request.setUrl(domainUserURL);
request.setAttribute(QNetworkRequest::FollowRedirectsAttribute, true);
QNetworkAccessManager& networkAccessManager = NetworkAccessManager::getInstance();
QNetworkReply* requestReply = networkAccessManager.post(request, formData);
connect(requestReply, &QNetworkReply::finished, this, &DomainGatekeeper::requestDomainUserFinished);
}
void DomainGatekeeper::requestDomainUserFinished() {
QNetworkReply* requestReply = reinterpret_cast<QNetworkReply*>(sender());
QJsonDocument jsonResponse = QJsonDocument::fromJson(requestReply->readAll());
const QJsonObject& rootObject = jsonResponse.object();
auto httpStatus = requestReply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
if (200 <= httpStatus && httpStatus < 300) {
QString username = rootObject.value("username").toString().toLower();
if (_inFlightDomainUserIdentityRequests.contains(username)) {
// Success! Verified user.
_verifiedDomainUserIdentities.insert(username, _inFlightDomainUserIdentityRequests.value(username));
_inFlightDomainUserIdentityRequests.remove(username);
// User user's WordPress roles as domain groups.
QStringList domainUserGroups;
auto userRoles = rootObject.value("roles").toArray();
foreach (auto role, userRoles) {
// Distinguish domain groups from metaverse groups by a leading special character.
domainUserGroups.append(DOMAIN_GROUP_CHAR + role.toString().toLower());
}
_domainGroupMemberships[username] = domainUserGroups;
} else {
// Failure.
qDebug() << "Unexpected username in response for user details -" << username;
}
} else {
// Failure.
qDebug() << "Error in response for user details -" << httpStatus << requestReply->error()
<< "-" << rootObject["error"].toString() << rootObject["error_description"].toString();
_inFlightDomainUserIdentityRequests.clear();
}
}

30
domain-server/src/DomainGatekeeper.h
View file

@ -30,6 +30,8 @@
#include "NodeConnectionData.h"
#include "PendingAssignedNodeData.h"
const QString DOMAIN_GROUP_CHAR = "@";
class DomainServer;
class DomainGatekeeper : public QObject {
@ -72,6 +74,10 @@ public slots:
private slots:
void handlePeerPingTimeout();
// Login and groups for domain, separate from metaverse.
void requestDomainUserFinished();
private:
SharedNodePointer processAssignmentConnectRequest(const NodeConnectionData& nodeConnection,
const PendingAssignedNodeData& pendingAssignment);
@ -79,14 +85,16 @@ private:
const QString& username,
const QByteArray& usernameSignature,
const QString& domainUsername,
const QByteArray& domainUsernameSignature);
const QString& domainAccessToken,
const QString& domainRefreshToken);
SharedNodePointer addVerifiedNodeFromConnectRequest(const NodeConnectionData& nodeConnection);
bool verifyUserSignature(const QString& username, const QByteArray& usernameSignature,
const HifiSockAddr& senderSockAddr);
bool verifyDomainUserSignature(const QString& domainUsername, const QByteArray& domainUsernameSignature,
const HifiSockAddr& senderSockAddr);
bool needToVerifyDomainUserIdentity(const QString& username, const QString& accessToken, const QString& refreshToken);
bool verifyDomainUserIdentity(const QString& username, const QString& accessToken, const QString& refreshToken,
const HifiSockAddr& senderSockAddr);
bool isWithinMaxCapacity();
@ -135,20 +143,24 @@ private:
// void getIsGroupMember(const QString& username, const QUuid groupID);
void getDomainOwnerFriendsList();
// Login and groups for domain, separate from metaverse.
bool domainHasLogin();
void getDomainGroupMemberships(const QString& domainUserName);
QHash<QString, QStringList> _domainGroupMemberships; // <domainUserName, [domainGroupName]>
// Local ID management.
void initLocalIDManagement();
using UUIDToLocalID = std::unordered_map<QUuid, Node::LocalID> ;
using LocalIDs = std::unordered_set<Node::LocalID>;
LocalIDs _localIDs;
UUIDToLocalID _uuidToLocalID;
Node::LocalID _currentLocalID;
Node::LocalID _idIncrement;
// Login and groups for domain, separate from metaverse.
bool domainHasLogin();
void requestDomainUser(const QString& username, const QString& accessToken, const QString& refreshToken);
typedef QHash<QString, QPair<QString, QString>> DomainUserIdentities; // <domainUserName, <access_token, refresh_token>>
DomainUserIdentities _inFlightDomainUserIdentityRequests; // Domain user identity requests currently in progress.
DomainUserIdentities _verifiedDomainUserIdentities; // Verified domain users.
QHash<QString, QStringList> _domainGroupMemberships; // <domainUserName, [domainGroupName]>
};

6
domain-server/src/DomainServerSettingsManager.cpp
View file

@ -1966,6 +1966,10 @@ void DomainServerSettingsManager::apiRefreshGroupInformation() {
QStringList groupNames = getAllKnownGroupNames();
foreach (QString groupName, groupNames) {
QString lowerGroupName = groupName.toLower();
if (lowerGroupName.contains(DOMAIN_GROUP_CHAR)) {
// Ignore domain groups.
return;
}
if (_groupIDs.contains(lowerGroupName)) {
// we already know about this one. recall setGroupID in case the group has been
// added to another section (the same group is found in both groups and blacklists).
@ -2186,7 +2190,7 @@ QList<QUuid> DomainServerSettingsManager::getBlacklistGroupIDs() {
}
QStringList DomainServerSettingsManager::getDomainGroupNames() {
// Names as configured in domain server; not necessarily mnetaverse groups.
// Names as configured in domain server; not necessarily metaverse groups.
QSet<QString> result;
foreach(NodePermissionsKey groupKey, _groupPermissions.keys()) {
result += _groupPermissions[groupKey]->getID();

8
domain-server/src/DomainServerSettingsManager.h
View file

@ -19,11 +19,11 @@
#include <HifiConfigVariantMap.h>
#include <HTTPManager.h>
#include <ReceivedMessage.h>
#include "NodePermissions.h"
#include <Node.h>
#include <ReceivedMessage.h>
#include "DomainGatekeeper.h"
#include "NodePermissions.h"
const QString SETTINGS_PATHS_KEY = "paths";

4
interface/resources/qml/LoginDialog/LinkAccountBody.qml
View file

@ -46,7 +46,7 @@ Item {
readonly property bool loginDialogPoppedUp: loginDialog.getLoginDialogPoppedUp()
readonly property bool isLoggingInToDomain: loginDialog.getDomainLoginRequested()
readonly property string domainAuthProvider: loginDialog.getDomainLoginAuthProvider()
readonly property string domainLoginDomain: loginDialog.getDomainLoginDomain()
QtObject {
id: d
@ -76,7 +76,7 @@ Item {
if (!isLoggingInToDomain) {
loginDialog.login(emailField.text, passwordField.text);
} else {
loginDialog.loginDomain(emailField.text, passwordField.text, domainAuthProvider);
loginDialog.loginDomain(emailField.text, passwordField.text);
}
if (linkAccountBody.loginDialogPoppedUp) {

1
interface/src/Application.cpp
View file

@ -9444,7 +9444,6 @@ void Application::forceDisplayName(const QString& displayName) {
getMyAvatar()->setDisplayName(displayName);
}
void Application::forceLoginWithTokens(const QString& tokens) {
// ####### TODO
DependencyManager::get<AccountManager>()->setAccessTokens(tokens);
Setting::Handle<bool>(KEEP_ME_LOGGED_IN_SETTING_NAME, true).set(true);
}

6
interface/src/ConnectionMonitor.cpp
View file

@ -14,8 +14,10 @@
#include "Application.h"
#include "ui/DialogsManager.h"
#include <AccountManager.h>
#include <DependencyManager.h>
#include <DomainHandler.h>
#include <DomainAccountManager.h>
#include <AddressManager.h>
#include <NodeList.h>
@ -34,6 +36,10 @@ void ConnectionMonitor::init() {
connect(&domainHandler, &DomainHandler::domainConnectionRefused, this, &ConnectionMonitor::stopTimer);
connect(&domainHandler, &DomainHandler::redirectToErrorDomainURL, this, &ConnectionMonitor::stopTimer);
connect(this, &ConnectionMonitor::setRedirectErrorState, &domainHandler, &DomainHandler::setRedirectErrorState);
auto accountManager = DependencyManager::get<AccountManager>();
connect(accountManager.data(), &AccountManager::loginComplete, this, &ConnectionMonitor::startTimer);
auto domainAccountManager = DependencyManager::get<DomainAccountManager>();
connect(domainAccountManager.data(), &DomainAccountManager::loginComplete, this, &ConnectionMonitor::startTimer);
_timer.setSingleShot(true);
if (!domainHandler.isConnected()) {

14
interface/src/ui/DialogsManager.cpp
View file

@ -110,8 +110,14 @@ void DialogsManager::setDomainConnectionFailureVisibility(bool visible) {
}
}
void DialogsManager::setDomainLogin(bool isDomainLogin, const QString& domain) {
_isDomainLogin = isDomainLogin;
_domainLoginDomain = domain;
}
void DialogsManager::toggleLoginDialog() {
_isDomainLogin = false;
setDomainLogin(false);
LoginDialog::toggleAction();
}
@ -120,7 +126,7 @@ void DialogsManager::showLoginDialog() {
// ####### TODO: May be called from script via DialogsManagerScriptingInterface. Need to handle the case that it's already
// displayed and may be the domain login version.
_isDomainLogin = false;
setDomainLogin(false);
LoginDialog::showWithSelection();
}
@ -129,8 +135,8 @@ void DialogsManager::hideLoginDialog() {
}
void DialogsManager::showDomainLoginDialog() {
_isDomainLogin = true;
void DialogsManager::showDomainLoginDialog(const QString& domain) {
setDomainLogin(true, domain);
LoginDialog::showWithSelection();
}

5
interface/src/ui/DialogsManager.h
View file

@ -42,6 +42,7 @@ public:
void emitAddressBarShown(bool visible) { emit addressBarShown(visible); }
void setAddressBarVisible(bool addressBarVisible);
bool getIsDomainLogin() { return _isDomainLogin; }
QString getDomainLoginDomain() { return _domainLoginDomain; }
public slots:
void showAddressBar();
@ -51,7 +52,7 @@ public slots:
void toggleLoginDialog();
void showLoginDialog();
void hideLoginDialog();
void showDomainLoginDialog();
void showDomainLoginDialog(const QString& domain);
void octreeStatsDetails();
void lodTools();
void hmdTools(bool showTools);
@ -86,7 +87,9 @@ private:
bool _dialogCreatedWhileShown { false };
bool _addressBarVisible { false };
void setDomainLogin(bool isDomainLogin, const QString& domain = "");
bool _isDomainLogin { false };
QString _domainLoginDomain;
};
#endif // hifi_DialogsManager_h

22
interface/src/ui/LoginDialog.cpp
View file

@ -25,6 +25,7 @@
#include <UserActivityLogger.h>
#include "AccountManager.h"
#include "DomainAccountManager.h"
#include "DependencyManager.h"
#include "DialogsManager.h"
#include "Menu.h"
@ -40,12 +41,17 @@ const QUrl LOGIN_DIALOG = PathUtils::qmlUrl("OverlayLoginDialog.qml");
LoginDialog::LoginDialog(QQuickItem *parent) : OffscreenQmlDialog(parent) {
auto accountManager = DependencyManager::get<AccountManager>();
auto domainAccountManager = DependencyManager::get<DomainAccountManager>();
// the login hasn't been dismissed yet if the user isn't logged in and is encouraged to login.
#if !defined(Q_OS_ANDROID)
connect(accountManager.data(), &AccountManager::loginComplete,
this, &LoginDialog::handleLoginCompleted);
connect(accountManager.data(), &AccountManager::loginFailed,
this, &LoginDialog::handleLoginFailed);
connect(domainAccountManager.data(), &DomainAccountManager::loginComplete,
this, &LoginDialog::handleLoginCompleted);
connect(domainAccountManager.data(), &DomainAccountManager::loginFailed,
this, &LoginDialog::handleLoginFailed);
connect(qApp, &Application::loginDialogFocusEnabled, this, &LoginDialog::focusEnabled);
connect(qApp, &Application::loginDialogFocusDisabled, this, &LoginDialog::focusDisabled);
connect(this, SIGNAL(dismissedLoginDialog()), qApp, SLOT(onDismissedLoginDialog()));
@ -137,13 +143,9 @@ void LoginDialog::login(const QString& username, const QString& password) const
DependencyManager::get<AccountManager>()->requestAccessToken(username, password);
}
void LoginDialog::loginDomain(const QString& username, const QString& password, const QString& domainAuthProvider) const {
qDebug() << "Attempting to login" << username << "into a domain through" << domainAuthProvider;
// ####### TODO
// DependencyManager::get<DomainAccountManager>()->requestAccessToken(username, password, domainAuthProvider);
// ####### TODO: It may not be necessary to pass domainAuthProvider to the login dialog and through to here because it was
// originally provided to the QML from C++.
void LoginDialog::loginDomain(const QString& username, const QString& password) const {
qDebug() << "Attempting to login" << username << "into a domain";
DependencyManager::get<DomainAccountManager>()->requestAccessToken(username, password);
}
void LoginDialog::loginThroughOculus() {
@ -426,8 +428,6 @@ bool LoginDialog::getDomainLoginRequested() const {
return DependencyManager::get<DialogsManager>()->getIsDomainLogin();
}
// ####### TODO: This method may not be necessary.
QString LoginDialog::getDomainLoginAuthProvider() const {
// ####### TODO
return QString("https://example.com/oauth2");
QString LoginDialog::getDomainLoginDomain() const {
return DependencyManager::get<DialogsManager>()->getDomainLoginDomain();
}

4
interface/src/ui/LoginDialog.h
View file

@ -72,7 +72,7 @@ protected slots:
Q_INVOKABLE QString oculusUserID() const;
Q_INVOKABLE void login(const QString& username, const QString& password) const;
Q_INVOKABLE void loginDomain(const QString& username, const QString& password, const QString& domainAuthProvider) const;
Q_INVOKABLE void loginDomain(const QString& username, const QString& password) const;
Q_INVOKABLE void loginThroughSteam();
Q_INVOKABLE void linkSteam();
Q_INVOKABLE void createAccountFromSteam(QString username = QString());
@ -85,7 +85,7 @@ protected slots:
Q_INVOKABLE bool getLoginDialogPoppedUp() const;
Q_INVOKABLE bool getDomainLoginRequested() const;
Q_INVOKABLE QString getDomainLoginAuthProvider() const;
Q_INVOKABLE QString getDomainLoginDomain() const;
};

4
libraries/networking/src/AccountManager.cpp
View file

@ -508,7 +508,9 @@ bool AccountManager::checkAndSignalForAccessToken() {
if (!hasToken) {
// emit a signal so somebody can call back to us and request an access token given a username and password
emit authRequired();
// Dialog can be hidden immediately after showing if we've just teleported to the domain, unless the signal is delayed.
QTimer::singleShot(500, this, [this] { emit this->authRequired(); });
}
return hasToken;

165
libraries/networking/src/DomainAccountManager.cpp
View file

@ -12,27 +12,182 @@
#include "DomainAccountManager.h"
#include <QTimer>
#include <QtCore/QJsonObject>
#include <QtCore/QJsonDocument>
#include <QtNetwork/QNetworkRequest>
#include <QtNetwork/QNetworkReply>
#include <SettingHandle.h>
#include "NetworkingConstants.h"
#include "NetworkLogging.h"
#include "NetworkAccessManager.h"
// FIXME: Generalize to other OAuth2 sources for domain login.
const bool VERBOSE_HTTP_REQUEST_DEBUGGING = false;
// ####### TODO: Add storing domain URL and check against it when retrieving values?
// ####### TODO: Add storing _authURL and check against it when retrieving values?
Setting::Handle<QString> domainAccessToken {"private/domainAccessToken", "" };
Setting::Handle<QString> domainAccessRefreshToken {"private/domainAccessToken", "" };
Setting::Handle<int> domainAccessTokenExpiresIn {"private/domainAccessTokenExpiresIn", -1 };
Setting::Handle<QString> domainAccessTokenType {"private/domainAccessTokenType", "" };
DomainAccountManager::DomainAccountManager() {
DomainAccountManager::DomainAccountManager() :
_authURL(),
_username(),
_access_token(),
_refresh_token()
{
connect(this, &DomainAccountManager::loginComplete, this, &DomainAccountManager::sendInterfaceAccessTokenToServer);
}
void DomainAccountManager::setAuthURL(const QUrl& authURL) {
if (_authURL != authURL) {
_authURL = authURL;
qCDebug(networking) << "AccountManager URL for authenticated requests has been changed to" << qPrintable(_authURL.toString());
_access_token = "";
_refresh_token = "";
// ####### TODO: Restore and refresh OAuth2 tokens if have them for this domain.
// ####### TODO: Handle "keep me logged in".
}
}
void DomainAccountManager::requestAccessToken(const QString& username, const QString& password) {
_username = username;
_access_token = "";
_refresh_token = "";
QNetworkRequest request;
request.setHeader(QNetworkRequest::UserAgentHeader, NetworkingConstants::VIRCADIA_USER_AGENT);
request.setHeader(QNetworkRequest::ContentTypeHeader, "application/x-www-form-urlencoded");
// miniOrange WordPress API Authentication plugin:
// - Requires "client_id" parameter.
// - Ignores "state" parameter.
QByteArray formData;
formData.append("grant_type=password&");
formData.append("username=" + QUrl::toPercentEncoding(username) + "&");
formData.append("password=" + QUrl::toPercentEncoding(password) + "&");
formData.append("client_id=" + _clientID);
request.setUrl(_authURL);
request.setAttribute(QNetworkRequest::FollowRedirectsAttribute, true);
QNetworkAccessManager& networkAccessManager = NetworkAccessManager::getInstance();
QNetworkReply* requestReply = networkAccessManager.post(request, formData);
connect(requestReply, &QNetworkReply::finished, this, &DomainAccountManager::requestAccessTokenFinished);
}
void DomainAccountManager::requestAccessTokenFinished() {
QNetworkReply* requestReply = reinterpret_cast<QNetworkReply*>(sender());
QJsonDocument jsonResponse = QJsonDocument::fromJson(requestReply->readAll());
const QJsonObject& rootObject = jsonResponse.object();
auto httpStatus = requestReply->attribute(QNetworkRequest::HttpStatusCodeAttribute).toInt();
if (200 <= httpStatus && httpStatus < 300) {
// miniOrange plugin provides no scope.
if (rootObject.contains("access_token")) {
// Success.
QUrl rootURL = requestReply->url();
rootURL.setPath("");
setTokensFromJSON(rootObject, rootURL);
emit loginComplete();
} else {
// Failure.
qCDebug(networking) << "Received a response for password grant that is missing one or more expected values.";
emit loginFailed();
}
} else {
// Failure.
qCDebug(networking) << "Error in response for password grant -" << httpStatus << requestReply->error()
<< "-" << rootObject["error"].toString() << rootObject["error_description"].toString();
emit loginFailed();
}
}
void DomainAccountManager::sendInterfaceAccessTokenToServer() {
emit newTokens();
}
bool DomainAccountManager::accessTokenIsExpired() {
// ####### TODO: accessTokenIsExpired()
return true;
/*
return domainAccessTokenExpiresIn.get() != -1 && domainAccessTokenExpiresIn.get() <= QDateTime::currentMSecsSinceEpoch();
*/
}
bool DomainAccountManager::hasValidAccessToken() {
QString currentDomainAccessToken = domainAccessToken.get();
if (currentDomainAccessToken.isEmpty() || accessTokenIsExpired()) {
// #######: TODO
if (VERBOSE_HTTP_REQUEST_DEBUGGING) {
qCDebug(networking) << "An access token is required for requests to"
<< qPrintable(_authURL.toString());
}
return false;
return false;
} else {
// ####### TODO::
// if (!_isWaitingForTokenRefresh && needsToRefreshToken()) {
// refreshAccessToken();
// }
return true;
}
}
void DomainAccountManager::setTokensFromJSON(const QJsonObject& jsonObject, const QUrl& url) {
_access_token = jsonObject["access_token"].toString();
_refresh_token = jsonObject["refresh_token"].toString();
// ####### TODO: Enable and use these.
// ####### TODO: Protect these per AccountManager?
// ######: TODO: clientID needed?
/*
qCDebug(networking) << "Storing a domain account with access-token for" << qPrintable(url.toString());
domainAccessToken.set(jsonObject["access_token"].toString());
domainAccessRefreshToken.set(jsonObject["refresh_token"].toString());
domainAccessTokenExpiresIn.set(QDateTime::currentMSecsSinceEpoch() + (jsonObject["expires_in"].toDouble() * 1000));
domainAccessTokenType.set(jsonObject["token_type"].toString());
*/
}
bool DomainAccountManager::checkAndSignalForAccessToken() {
bool hasToken = hasValidAccessToken();
// ####### TODO: Handle hasToken == true.
// It causes the login dialog not to display (OK) but somewhere the domain server needs to be sent it (and if domain server
// gets error when trying to use it then user should be prompted to login).
hasToken = false;
if (!hasToken) {
// Emit a signal so somebody can call back to us and request an access token given a user name and password.
// Dialog can be hidden immediately after showing if we've just teleported to the domain, unless the signal is delayed.
QTimer::singleShot(500, this, [this] { emit this->authRequired(); });
auto domain = _authURL.host();
QTimer::singleShot(500, this, [this, domain] {
emit this->authRequired(domain);
});
}
return hasToken;

25
libraries/networking/src/DomainAccountManager.h
View file

@ -13,6 +13,7 @@
#define hifi_DomainAccountManager_h
#include <QtCore/QObject>
#include <QtCore/QUrl>
#include <DependencyManager.h>
@ -22,18 +23,40 @@ class DomainAccountManager : public QObject, public Dependency {
public:
DomainAccountManager();
void setAuthURL(const QUrl& authURL);
void setClientID(const QString& clientID) { _clientID = clientID; }
QString getUsername() { return _username; }
QString getAccessToken() { return _access_token; }
QString getRefreshToken() { return _refresh_token; }
Q_INVOKABLE bool checkAndSignalForAccessToken();
public slots:
void requestAccessToken(const QString& username, const QString& password);
void requestAccessTokenFinished();
signals:
void authRequired();
void authRequired(const QString& domain);
void loginComplete();
void loginFailed();
void logoutComplete();
void newTokens();
private slots:
private:
bool hasValidAccessToken();
bool accessTokenIsExpired();
void setTokensFromJSON(const QJsonObject&, const QUrl& url);
void sendInterfaceAccessTokenToServer();
QUrl _authURL;
QString _clientID;
QString _username; // ####### TODO: Store elsewhere?
QString _access_token; // ####... ""
QString _refresh_token; // ####... ""
};
#endif // hifi_DomainAccountManager_h

11
libraries/networking/src/DomainHandler.cpp
View file

@ -550,7 +550,9 @@ void DomainHandler::processDomainServerConnectionDeniedPacket(QSharedPointer<Rec
// output to the log so the user knows they got a denied connection request
// and check and signal for an access token so that we can make sure they are logged in
qCWarning(networking) << "The domain-server denied a connection request: " << reasonMessage << " extraInfo:" << extraInfo;
QString sanitizedExtraInfo = extraInfo.toLower().startsWith("http") ? "" : extraInfo; // Don't log URLs.
qCWarning(networking) << "The domain-server denied a connection request: " << reasonMessage
<< " extraInfo:" << sanitizedExtraInfo;
if (!_domainConnectionRefusals.contains(reasonMessage)) {
_domainConnectionRefusals.insert(reasonMessage);
@ -584,8 +586,13 @@ void DomainHandler::processDomainServerConnectionDeniedPacket(QSharedPointer<Rec
}
} else if (reasonSuggestsDomainLogin(reasonCode)) {
qCWarning(networking) << "Make sure you are logged in to the domain.";
auto accountManager = DependencyManager::get<DomainAccountManager>();
if (!extraInfo.isEmpty()) {
auto extraInfoComponents = extraInfo.split("|");
accountManager->setAuthURL(extraInfoComponents.value(0));
accountManager->setClientID(extraInfoComponents.value(1));
}
if (!_hasCheckedForDomainAccessToken) {
accountManager->checkAndSignalForAccessToken();

1
libraries/networking/src/DomainHandler.h
View file

@ -125,6 +125,7 @@ public:
bool isConnected() const { return _isConnected; }
void setIsConnected(bool isConnected);
bool isServerless() const { return _domainURL.scheme() != URL_SCHEME_HIFI; }
bool getInterstitialModeEnabled() const;
void setInterstitialModeEnabled(bool enableInterstitialMode);

30
libraries/networking/src/NodeList.cpp
View file

@ -34,6 +34,7 @@
#include "AddressManager.h"
#include "Assignment.h"
#include "AudioHelpers.h"
#include "DomainAccountManager.h"
#include "HifiSockAddr.h"
#include "FingerprintUtils.h"
@ -104,6 +105,13 @@ NodeList::NodeList(char newOwnerType, int socketListenPort, int dtlsListenPort)
// clear our NodeList when logout is requested
connect(accountManager.data(), &AccountManager::logoutComplete , this, [this]{ reset("Logged out"); });
// Only used in Interface.
auto domainAccountManager = DependencyManager::get<DomainAccountManager>();
if (domainAccountManager) {
_hasDomainAccountManager = true;
connect(domainAccountManager.data(), &DomainAccountManager::newTokens, this, &NodeList::sendDomainServerCheckIn);
}
// anytime we get a new node we will want to attempt to punch to it
connect(this, &LimitedNodeList::nodeAdded, this, &NodeList::startNodeHolePunch);
connect(this, &LimitedNodeList::nodeSocketUpdated, this, &NodeList::startNodeHolePunch);
@ -468,6 +476,7 @@ void NodeList::sendDomainServerCheckIn() {
packetStream << _ownerType.load() << publicSockAddr << localSockAddr << _nodeTypesOfInterest.toList();
packetStream << DependencyManager::get<AddressManager>()->getPlaceName();
// ####### TODO: Also send if need to send new domainLogin data?
if (!domainIsConnected) {
DataServerAccountInfo& accountInfo = accountManager->getAccountInfo();
packetStream << accountInfo.getUsername();
@ -477,20 +486,21 @@ void NodeList::sendDomainServerCheckIn() {
const QByteArray& usernameSignature = accountManager->getAccountInfo().getUsernameSignature(connectionToken);
packetStream << usernameSignature;
} else {
packetStream << QString(""); // Placeholder in case have domainUsername.
// ####### TODO: Only append if are going to send domain username?
packetStream << QString(""); // Placeholder in case have domain username.
}
} else {
packetStream << QString(""); // Placeholder in case have domainUsername.
// ####### TODO: Only append if are going to send domainUsername?
packetStream << QString("") << QString(""); // Placeholders in case have domain username.
}
// ####### TODO: Send domain username and signature if domain has these and aren't logged in.
// ####### If get into difficulties, could perhaps send domain's username and signature instead of metaverse.
bool domainLoginIsConnected = false;
if (!domainLoginIsConnected) {
if (false) { // ####### For testing, false causes user to be considered "not logged in".
packetStream << QString("a@b.c");
if (true) { // ####### For testing, false is unhandled at this stage.
packetStream << QString("signature"); // #######: Consider "logged in" if this is sent during testing.
// Send domain domain login data from Interface to domain server.
if (_hasDomainAccountManager) {
auto domainAccountManager = DependencyManager::get<DomainAccountManager>();
if (!domainAccountManager->getUsername().isEmpty()) {
packetStream << domainAccountManager->getUsername();
if (!domainAccountManager->getAccessToken().isEmpty()) {
packetStream << (domainAccountManager->getAccessToken() + ":" + domainAccountManager->getRefreshToken());
}
}
}

2
libraries/networking/src/NodeList.h
View file

@ -196,6 +196,8 @@ private:
#if (PR_BUILD || DEV_BUILD)
bool _shouldSendNewerVersion { false };
#endif
bool _hasDomainAccountManager { false };
};
#endif // hifi_NodeList_h