lewis.moe
Monorepo for Tangled
1package signup
2
3import (
4 "bufio"
5 "context"
6 "encoding/json"
7 "errors"
8 "fmt"
9 "log/slog"
10 "net/http"
11 "net/url"
12 "os"
13 "strings"
14
15 "github.com/go-chi/chi/v5"
16 "github.com/posthog/posthog-go"
17 "tangled.org/core/appview/config"
18 "tangled.org/core/appview/db"
19 "tangled.org/core/appview/dns"
20 "tangled.org/core/appview/email"
21 "tangled.org/core/appview/models"
22 "tangled.org/core/appview/pages"
23 "tangled.org/core/appview/state/userutil"
24 "tangled.org/core/idresolver"
25)
26
27type Signup struct {
28 config *config.Config
29 db *db.DB
30 cf *dns.Cloudflare
31 posthog posthog.Client
32 idResolver *idresolver.Resolver
33 pages *pages.Pages
34 l *slog.Logger
35 disallowedNicknames map[string]bool
36}
37
38func New(cfg *config.Config, database *db.DB, pc posthog.Client, idResolver *idresolver.Resolver, pages *pages.Pages, l *slog.Logger) *Signup {
39 var cf *dns.Cloudflare
40 if cfg.Cloudflare.ApiToken != "" && cfg.Cloudflare.ZoneId != "" {
41 var err error
42 cf, err = dns.NewCloudflare(cfg)
43 if err != nil {
44 l.Warn("failed to create cloudflare client, signup will be disabled", "error", err)
45 }
46 }
47
48 disallowedNicknames := loadDisallowedNicknames(cfg.Core.DisallowedNicknamesFile, l)
49
50 return &Signup{
51 config: cfg,
52 db: database,
53 posthog: pc,
54 idResolver: idResolver,
55 cf: cf,
56 pages: pages,
57 l: l,
58 disallowedNicknames: disallowedNicknames,
59 }
60}
61
62func loadDisallowedNicknames(filepath string, logger *slog.Logger) map[string]bool {
63 disallowed := make(map[string]bool)
64
65 if filepath == "" {
66 logger.Warn("no disallowed nicknames file configured")
67 return disallowed
68 }
69
70 file, err := os.Open(filepath)
71 if err != nil {
72 logger.Warn("failed to open disallowed nicknames file", "file", filepath, "error", err)
73 return disallowed
74 }
75 defer file.Close()
76
77 scanner := bufio.NewScanner(file)
78 lineNum := 0
79 for scanner.Scan() {
80 lineNum++
81 line := strings.TrimSpace(scanner.Text())
82 if line == "" || strings.HasPrefix(line, "#") {
83 continue // skip empty lines and comments
84 }
85
86 nickname := strings.ToLower(line)
87 if userutil.IsValidSubdomain(nickname) {
88 disallowed[nickname] = true
89 } else {
90 logger.Warn("invalid nickname format in disallowed nicknames file",
91 "file", filepath, "line", lineNum, "nickname", nickname)
92 }
93 }
94
95 if err := scanner.Err(); err != nil {
96 logger.Error("error reading disallowed nicknames file", "file", filepath, "error", err)
97 }
98
99 logger.Info("loaded disallowed nicknames", "count", len(disallowed), "file", filepath)
100 return disallowed
101}
102
103// isNicknameAllowed checks if a nickname is allowed (not in the disallowed list)
104func (s *Signup) isNicknameAllowed(nickname string) bool {
105 return !s.disallowedNicknames[strings.ToLower(nickname)]
106}
107
108func (s *Signup) Router() http.Handler {
109 r := chi.NewRouter()
110 r.Get("/", s.signup)
111 r.Post("/", s.signup)
112 r.Get("/complete", s.complete)
113 r.Post("/complete", s.complete)
114
115 return r
116}
117
118func (s *Signup) signup(w http.ResponseWriter, r *http.Request) {
119 switch r.Method {
120 case http.MethodGet:
121 emailId := r.URL.Query().Get("id")
122 s.pages.Signup(w, pages.SignupParams{
123 CloudflareSiteKey: s.config.Cloudflare.TurnstileSiteKey,
124 EmailId: emailId,
125 })
126 case http.MethodPost:
127 if s.cf == nil {
128 http.Error(w, "signup is disabled", http.StatusFailedDependency)
129 return
130 }
131 emailId := r.FormValue("email")
132 cfToken := r.FormValue("cf-turnstile-response")
133
134 noticeId := "signup-msg"
135
136 if err := s.validateCaptcha(cfToken, r); err != nil {
137 s.l.Warn("turnstile validation failed", "error", err, "email", emailId)
138 s.pages.Notice(w, noticeId, "Captcha validation failed.")
139 return
140 }
141
142 if !email.IsValidEmail(emailId) {
143 s.pages.Notice(w, noticeId, "Invalid email address.")
144 return
145 }
146
147 exists, err := db.CheckEmailExistsAtAll(s.db, emailId)
148 if err != nil {
149 s.l.Error("failed to check email existence", "error", err)
150 s.pages.Notice(w, noticeId, "Failed to complete signup. Try again later.")
151 return
152 }
153 if exists {
154 s.pages.Notice(w, noticeId, "Email already exists.")
155 return
156 }
157
158 code, err := s.inviteCodeRequest()
159 if err != nil {
160 s.l.Error("failed to create invite code", "error", err)
161 s.pages.Notice(w, noticeId, "Failed to create invite code.")
162 return
163 }
164
165 em := email.Email{
166 APIKey: s.config.Resend.ApiKey,
167 From: s.config.Resend.SentFrom,
168 To: emailId,
169 Subject: "Verify your Tangled account",
170 Text: `Copy and paste this code below to verify your account on Tangled.
171 ` + code,
172 Html: `<p>Copy and paste this code below to verify your account on Tangled.</p>
173<p><code>` + code + `</code></p>`,
174 }
175
176 err = email.SendEmail(em)
177 if err != nil {
178 s.l.Error("failed to send email", "error", err)
179 s.pages.Notice(w, noticeId, "Failed to send email.")
180 return
181 }
182 err = db.AddInflightSignup(s.db, models.InflightSignup{
183 Email: emailId,
184 InviteCode: code,
185 })
186 if err != nil {
187 s.l.Error("failed to add inflight signup", "error", err)
188 s.pages.Notice(w, noticeId, "Failed to complete sign up. Try again later.")
189 return
190 }
191
192 s.pages.HxRedirect(w, "/signup/complete")
193 }
194}
195
196func (s *Signup) complete(w http.ResponseWriter, r *http.Request) {
197 switch r.Method {
198 case http.MethodGet:
199 s.pages.CompleteSignup(w)
200 case http.MethodPost:
201 username := r.FormValue("username")
202 password := r.FormValue("password")
203 code := r.FormValue("code")
204
205 if !userutil.IsValidSubdomain(username) {
206 s.pages.Notice(w, "signup-error", "Invalid username. Username must be 4–63 characters, lowercase letters, digits, or hyphens, and can't start or end with a hyphen.")
207 return
208 }
209
210 if !s.isNicknameAllowed(username) {
211 s.pages.Notice(w, "signup-error", "This username is not available. Please choose a different one.")
212 return
213 }
214
215 email, err := db.GetEmailForCode(s.db, code)
216 if err != nil {
217 s.l.Error("failed to get email for code", "error", err)
218 s.pages.Notice(w, "signup-error", "Failed to complete sign up. Try again later.")
219 return
220 }
221
222 if s.cf == nil {
223 s.l.Error("cloudflare client is nil", "error", "Cloudflare integration is not enabled in configuration")
224 s.pages.Notice(w, "signup-error", "Account signup is currently disabled. DNS record creation is not available. Please contact support.")
225 return
226 }
227
228 // Execute signup transactionally with rollback capability
229 err = s.executeSignupTransaction(r.Context(), username, password, email, code, w)
230 if err != nil {
231 // Error already logged and notice already sent
232 return
233 }
234 }
235}
236
237// executeSignupTransaction performs the signup process transactionally with rollback
238func (s *Signup) executeSignupTransaction(ctx context.Context, username, password, email, code string, w http.ResponseWriter) error {
239 // var recordID string
240 var did string
241 var emailAdded bool
242
243 success := false
244 defer func() {
245 if !success {
246 s.l.Info("rolling back signup transaction", "username", username, "did", did)
247
248 // Rollback DNS record
249 // if recordID != "" {
250 // if err := s.cf.DeleteDNSRecord(ctx, recordID); err != nil {
251 // s.l.Error("failed to rollback DNS record", "error", err, "recordID", recordID)
252 // } else {
253 // s.l.Info("successfully rolled back DNS record", "recordID", recordID)
254 // }
255 // }
256
257 // Rollback PDS account
258 if did != "" {
259 if err := s.deleteAccountRequest(did); err != nil {
260 s.l.Error("failed to rollback PDS account", "error", err, "did", did)
261 } else {
262 s.l.Info("successfully rolled back PDS account", "did", did)
263 }
264 }
265
266 // Rollback email from database
267 if emailAdded {
268 if err := db.DeleteEmail(s.db, did, email); err != nil {
269 s.l.Error("failed to rollback email from database", "error", err, "email", email)
270 } else {
271 s.l.Info("successfully rolled back email from database", "email", email)
272 }
273 }
274 }
275 }()
276
277 // step 1: create account in PDS
278 did, err := s.createAccountRequest(username, password, email, code)
279 if err != nil {
280 s.l.Error("failed to create account", "error", err)
281 s.pages.Notice(w, "signup-error", err.Error())
282 return err
283 }
284
285 // XXX: we have a wildcard *.tngl.sh record now
286 // step 2: create DNS record with actual DID
287 // recordID, err = s.cf.CreateDNSRecord(ctx, dns.Record{
288 // Type: "TXT",
289 // Name: "_atproto." + username,
290 // Content: fmt.Sprintf(`"did=%s"`, did),
291 // TTL: 6400,
292 // Proxied: false,
293 // })
294 // if err != nil {
295 // s.l.Error("failed to create DNS record", "error", err)
296 // s.pages.Notice(w, "signup-error", "Failed to create DNS record for your handle. Please contact support.")
297 // return err
298 // }
299
300 // step 3: add email to database
301 err = db.AddEmail(s.db, models.Email{
302 Did: did,
303 Address: email,
304 Verified: true,
305 Primary: true,
306 })
307 if err != nil {
308 s.l.Error("failed to add email", "error", err)
309 s.pages.Notice(w, "signup-error", "Failed to complete sign up. Try again later.")
310 return err
311 }
312 emailAdded = true
313
314 // if we get here, we've successfully created the account and added the email
315 success = true
316
317 s.pages.Notice(w, "signup-msg", fmt.Sprintf(`Account created successfully. You can now
318 <a class="underline text-black dark:text-white" href="/login">login</a>
319 with <code>%s.tngl.sh</code>.`, username))
320
321 // clean up inflight signup asynchronously
322 go func() {
323 if err := db.DeleteInflightSignup(s.db, email); err != nil {
324 s.l.Error("failed to delete inflight signup", "error", err)
325 }
326 }()
327
328 return nil
329}
330
331type turnstileResponse struct {
332 Success bool `json:"success"`
333 ErrorCodes []string `json:"error-codes,omitempty"`
334 ChallengeTs string `json:"challenge_ts,omitempty"`
335 Hostname string `json:"hostname,omitempty"`
336}
337
338func (s *Signup) validateCaptcha(cfToken string, r *http.Request) error {
339 if cfToken == "" {
340 return errors.New("captcha token is empty")
341 }
342
343 if s.config.Cloudflare.TurnstileSecretKey == "" {
344 return errors.New("turnstile secret key not configured")
345 }
346
347 data := url.Values{}
348 data.Set("secret", s.config.Cloudflare.TurnstileSecretKey)
349 data.Set("response", cfToken)
350
351 // include the client IP if we have it
352 if remoteIP := r.Header.Get("CF-Connecting-IP"); remoteIP != "" {
353 data.Set("remoteip", remoteIP)
354 } else if remoteIP := r.Header.Get("X-Forwarded-For"); remoteIP != "" {
355 if ips := strings.Split(remoteIP, ","); len(ips) > 0 {
356 data.Set("remoteip", strings.TrimSpace(ips[0]))
357 }
358 } else {
359 data.Set("remoteip", r.RemoteAddr)
360 }
361
362 resp, err := http.PostForm("https://challenges.cloudflare.com/turnstile/v0/siteverify", data)
363 if err != nil {
364 return fmt.Errorf("failed to verify turnstile token: %w", err)
365 }
366 defer resp.Body.Close()
367
368 var turnstileResp turnstileResponse
369 if err := json.NewDecoder(resp.Body).Decode(&turnstileResp); err != nil {
370 return fmt.Errorf("failed to decode turnstile response: %w", err)
371 }
372
373 if !turnstileResp.Success {
374 s.l.Warn("turnstile validation failed", "error_codes", turnstileResp.ErrorCodes)
375 return errors.New("turnstile validation failed")
376 }
377
378 return nil
379}