Verify

2023-05-11 13:50:10 -04:00 · 2023-05-11 13:50:10 -04:00 · d4767caf30
commit d4767caf30
parent a26a6be62b
10 changed files with 279 additions and 26 deletions
--- a/server/config.go
+++ b/server/config.go
@ -107,10 +107,12 @@ type Config struct {
 	SMTPServerListen                     string
 	SMTPServerDomain                     string
 	SMTPServerAddrPrefix                 string
-	TwilioBaseURL                        string
+	TwilioMessagingBaseURL               string
 	TwilioAccount                        string
 	TwilioAuthToken                      string
 	TwilioFromNumber                     string
+	TwilioVerifyBaseURL                  string
+	TwilioVerifyService                  string
 	MetricsEnable                        bool
 	MetricsListenHTTP                    string
 	ProfileListenHTTP                    string
@ -191,10 +193,12 @@ func NewConfig() *Config {
 		SMTPServerListen:                     "",
 		SMTPServerDomain:                     "",
 		SMTPServerAddrPrefix:                 "",
-		TwilioBaseURL:                        "https://api.twilio.com", // Override for tests
+		TwilioMessagingBaseURL:               "https://api.twilio.com", // Override for tests
 		TwilioAccount:                        "",
 		TwilioAuthToken:                      "",
 		TwilioFromNumber:                     "",
+		TwilioVerifyBaseURL:                  "https://verify.twilio.com", // Override for tests
+		TwilioVerifyService:                  "",
 		MessageLimit:                         DefaultMessageLengthLimit,
 		MinDelay:                             DefaultMinDelay,
 		MaxDelay:                             DefaultMaxDelay,
--- a/server/server.go
+++ b/server/server.go
@ -88,6 +88,7 @@ var (
 	apiAccountSettingsPath                               = "/v1/account/settings"
 	apiAccountSubscriptionPath                           = "/v1/account/subscription"
 	apiAccountReservationPath                            = "/v1/account/reservation"
+	apiAccountPhonePath                                  = "/v1/account/phone"
 	apiAccountBillingPortalPath                          = "/v1/account/billing/portal"
 	apiAccountBillingWebhookPath                         = "/v1/account/billing/webhook"
 	apiAccountBillingSubscriptionPath                    = "/v1/account/billing/subscription"
@ -450,6 +451,10 @@ func (s *Server) handleInternal(w http.ResponseWriter, r *http.Request, v *visit
 		return s.ensurePaymentsEnabled(s.ensureStripeCustomer(s.handleAccountBillingPortalSessionCreate))(w, r, v)
 	} else if r.Method == http.MethodPost && r.URL.Path == apiAccountBillingWebhookPath {
 		return s.ensurePaymentsEnabled(s.ensureUserManager(s.handleAccountBillingWebhook))(w, r, v) // This request comes from Stripe!
+	} else if r.Method == http.MethodPut && r.URL.Path == apiAccountPhonePath {
+		return s.ensureUser(s.withAccountSync(s.handleAccountPhoneNumberAdd))(w, r, v)
+	} else if r.Method == http.MethodPost && r.URL.Path == apiAccountPhonePath {
+		return s.ensureUser(s.withAccountSync(s.handleAccountPhoneNumberVerify))(w, r, v)
 	} else if r.Method == http.MethodGet && r.URL.Path == apiStatsPath {
 		return s.handleStats(w, r, v)
 	} else if r.Method == http.MethodGet && r.URL.Path == apiTiersPath {
--- a/server/server.yml
+++ b/server/server.yml
@ -149,6 +149,7 @@
 # twilio-account:
 # twilio-auth-token:
 # twilio-from-number:
+# twilio-verify-service:

 # Interval in which keepalive messages are sent to the client. This is to prevent
 # intermediaries closing the connection for inactivity.
--- a/server/server_account.go
+++ b/server/server_account.go
@ -144,6 +144,19 @@ func (s *Server) handleAccountGet(w http.ResponseWriter, r *http.Request, v *vis
 				})
 			}
 		}
+		phoneNumbers, err := s.userManager.PhoneNumbers(u.ID)
+		if err != nil {
+			return err
+		}
+		if len(phoneNumbers) > 0 {
+			response.PhoneNumbers = make([]*apiAccountPhoneNumberResponse, 0)
+			for _, p := range phoneNumbers {
+				response.PhoneNumbers = append(response.PhoneNumbers, &apiAccountPhoneNumberResponse{
+					Number:   p.Number,
+					Verified: p.Verified,
+				})
+			}
+		}
 	} else {
 		response.Username = user.Everyone
 		response.Role = string(user.RoleAnonymous)
@ -517,6 +530,80 @@ func (s *Server) maybeRemoveMessagesAndExcessReservations(r *http.Request, v *vi
 	return nil
 }

+func (s *Server) handleAccountPhoneNumberAdd(w http.ResponseWriter, r *http.Request, v *visitor) error {
+	u := v.User()
+	req, err := readJSONWithLimit[apiAccountPhoneNumberRequest](r.Body, jsonBodyBytesLimit, false)
+	if err != nil {
+		return err
+	}
+	if !phoneNumberRegex.MatchString(req.Number) {
+		return errHTTPBadRequestPhoneNumberInvalid
+	}
+	// Check user is allowed to add phone numbers
+	if u == nil || (u.IsUser() && u.Tier == nil) {
+		return errHTTPUnauthorized
+	} else if u.IsUser() && u.Tier.SMSLimit == 0 && u.Tier.CallLimit == 0 {
+		return errHTTPUnauthorized
+	}
+	// Actually add the unverified number, and send verification
+	logvr(v, r).
+		Tag(tagAccount).
+		Fields(log.Context{
+			"number": req.Number,
+		}).
+		Debug("Adding phone number, and sending verification")
+	if err := s.userManager.AddPhoneNumber(u.ID, req.Number); err != nil {
+		return err
+	}
+	if err := s.verifyPhone(v, r, req.Number); err != nil {
+		return err
+	}
+	return s.writeJSON(w, newSuccessResponse())
+}
+
+func (s *Server) handleAccountPhoneNumberVerify(w http.ResponseWriter, r *http.Request, v *visitor) error {
+	u := v.User()
+	req, err := readJSONWithLimit[apiAccountPhoneNumberRequest](r.Body, jsonBodyBytesLimit, false)
+	if err != nil {
+		return err
+	}
+	if !phoneNumberRegex.MatchString(req.Number) {
+		return errHTTPBadRequestPhoneNumberInvalid
+	}
+	// Check user is allowed to add phone numbers
+	if u == nil {
+		return errHTTPUnauthorized
+	}
+	// Get phone numbers, and check if it's in the list
+	phoneNumbers, err := s.userManager.PhoneNumbers(u.ID)
+	if err != nil {
+		return err
+	}
+	found := false
+	for _, phoneNumber := range phoneNumbers {
+		if phoneNumber.Number == req.Number && phoneNumber.Verified {
+			found = true
+			break
+		}
+	}
+	if !found {
+		return errHTTPBadRequestPhoneNumberInvalid
+	}
+	if err := s.checkVerifyPhone(v, r, req.Number, req.Code); err != nil {
+		return err
+	}
+	logvr(v, r).
+		Tag(tagAccount).
+		Fields(log.Context{
+			"number": req.Number,
+		}).
+		Debug("Marking phone number as verified")
+	if err := s.userManager.MarkPhoneNumberVerified(u.ID, req.Number); err != nil {
+		return err
+	}
+	return s.writeJSON(w, newSuccessResponse())
+}
+
 // publishSyncEventAsync kicks of a Go routine to publish a sync message to the user's sync topic
 func (s *Server) publishSyncEventAsync(v *visitor) {
 	go func() {
--- a/server/server_twilio.go
+++ b/server/server_twilio.go
@ -38,7 +38,7 @@ func (s *Server) sendSMS(v *visitor, r *http.Request, m *message, to string) {
 	data.Set("From", s.config.TwilioFromNumber)
 	data.Set("To", to)
 	data.Set("Body", body)
-	s.performTwilioRequest(v, r, m, metricSMSSentSuccess, metricSMSSentFailure, twilioMessageEndpoint, to, body, data)
+	s.twilioMessagingRequest(v, r, m, metricSMSSentSuccess, metricSMSSentFailure, twilioMessageEndpoint, to, body, data)
 }

 func (s *Server) callPhone(v *visitor, r *http.Request, m *message, to string) {
@ -47,10 +47,72 @@ func (s *Server) callPhone(v *visitor, r *http.Request, m *message, to string) {
 	data.Set("From", s.config.TwilioFromNumber)
 	data.Set("To", to)
 	data.Set("Twiml", body)
-	s.performTwilioRequest(v, r, m, metricCallsMadeSuccess, metricCallsMadeFailure, twilioCallEndpoint, to, body, data)
+	s.twilioMessagingRequest(v, r, m, metricCallsMadeSuccess, metricCallsMadeFailure, twilioCallEndpoint, to, body, data)
 }

-func (s *Server) performTwilioRequest(v *visitor, r *http.Request, m *message, msuccess, mfailure prometheus.Counter, endpoint, to, body string, data url.Values) {
+func (s *Server) verifyPhone(v *visitor, r *http.Request, phoneNumber string) error {
+	logvr(v, r).Tag(tagTwilio).Field("twilio_to", phoneNumber).Debug("Sending phone verification")
+	data := url.Values{}
+	data.Set("To", phoneNumber)
+	data.Set("Channel", "sms")
+	requestURL := fmt.Sprintf("%s/v2/Services/%s/Verifications", s.config.TwilioVerifyBaseURL, s.config.TwilioVerifyService)
+	req, err := http.NewRequest(http.MethodPost, requestURL, strings.NewReader(data.Encode()))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Authorization", util.BasicAuth(s.config.TwilioAccount, s.config.TwilioAuthToken))
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	}
+	response, err := io.ReadAll(resp.Body)
+	ev := logvr(v, r).Tag(tagTwilio)
+	if err != nil {
+		ev.Err(err).Warn("Error sending Twilio phone verification request")
+		return err
+	}
+	if ev.IsTrace() {
+		ev.Field("twilio_response", string(response)).Trace("Received successful Twilio phone verification response")
+	} else if ev.IsDebug() {
+		ev.Debug("Received successful Twilio phone verification response")
+	}
+	return nil
+}
+
+func (s *Server) checkVerifyPhone(v *visitor, r *http.Request, phoneNumber, code string) error {
+	logvr(v, r).Tag(tagTwilio).Field("twilio_to", phoneNumber).Debug("Checking phone verification")
+	data := url.Values{}
+	data.Set("To", phoneNumber)
+	data.Set("Code", code)
+	requestURL := fmt.Sprintf("%s/v2/Services/%s/VerificationCheck", s.config.TwilioVerifyBaseURL, s.config.TwilioAccount)
+	req, err := http.NewRequest(http.MethodPost, requestURL, strings.NewReader(data.Encode()))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("Authorization", util.BasicAuth(s.config.TwilioAccount, s.config.TwilioAuthToken))
+	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	} else if resp.StatusCode != http.StatusOK {
+		return
+	}
+	response, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+
+	ev := logvr(v, r).Tag(tagTwilio)
+	if ev.IsTrace() {
+		ev.Field("twilio_response", string(response)).Trace("Received successful Twilio phone verification response")
+	} else if ev.IsDebug() {
+		ev.Debug("Received successful Twilio phone verification response")
+	}
+	return nil
+}
+
+func (s *Server) twilioMessagingRequest(v *visitor, r *http.Request, m *message, msuccess, mfailure prometheus.Counter, endpoint, to, body string, data url.Values) {
 	logContext := log.Context{
 		"twilio_from": s.config.TwilioFromNumber,
 		"twilio_to":   to,
@ -61,7 +123,7 @@ func (s *Server) performTwilioRequest(v *visitor, r *http.Request, m *message, m
 	} else if ev.IsDebug() {
 		ev.Debug("Sending Twilio request")
 	}
-	response, err := s.performTwilioRequestInternal(endpoint, data)
+	response, err := s.performTwilioMessagingRequestInternal(endpoint, data)
 	if err != nil {
 		ev.
 			Field("twilio_body", body).
@ -79,8 +141,8 @@ func (s *Server) performTwilioRequest(v *visitor, r *http.Request, m *message, m
 	minc(msuccess)
 }

-func (s *Server) performTwilioRequestInternal(endpoint string, data url.Values) (string, error) {
-	requestURL := fmt.Sprintf("%s/2010-04-01/Accounts/%s/%s", s.config.TwilioBaseURL, s.config.TwilioAccount, endpoint)
+func (s *Server) performTwilioMessagingRequestInternal(endpoint string, data url.Values) (string, error) {
+	requestURL := fmt.Sprintf("%s/2010-04-01/Accounts/%s/%s", s.config.TwilioMessagingBaseURL, s.config.TwilioAccount, endpoint)
 	req, err := http.NewRequest(http.MethodPost, requestURL, strings.NewReader(data.Encode()))
 	if err != nil {
 		return "", err
--- a/server/server_twilio_test.go
+++ b/server/server_twilio_test.go
@ -25,7 +25,7 @@ func TestServer_Twilio_SMS(t *testing.T) {

 	c := newTestConfig(t)
 	c.BaseURL = "https://ntfy.sh"
-	c.TwilioBaseURL = twilioServer.URL
+	c.TwilioMessagingBaseURL = twilioServer.URL
 	c.TwilioAccount = "AC1234567890"
 	c.TwilioAuthToken = "AAEAA1234567890"
 	c.TwilioFromNumber = "+1234567890"
@ -58,7 +58,7 @@ func TestServer_Twilio_SMS_With_User(t *testing.T) {

 	c := newTestConfigWithAuthFile(t)
 	c.BaseURL = "https://ntfy.sh"
-	c.TwilioBaseURL = twilioServer.URL
+	c.TwilioMessagingBaseURL = twilioServer.URL
 	c.TwilioAccount = "AC1234567890"
 	c.TwilioAuthToken = "AAEAA1234567890"
 	c.TwilioFromNumber = "+1234567890"
@ -104,7 +104,7 @@ func TestServer_Twilio_Call(t *testing.T) {
 	defer twilioServer.Close()

 	c := newTestConfig(t)
-	c.TwilioBaseURL = twilioServer.URL
+	c.TwilioMessagingBaseURL = twilioServer.URL
 	c.TwilioAccount = "AC1234567890"
 	c.TwilioAuthToken = "AAEAA1234567890"
 	c.TwilioFromNumber = "+1234567890"
@ -139,7 +139,7 @@ func TestServer_Twilio_Call_With_User(t *testing.T) {
 	defer twilioServer.Close()

 	c := newTestConfigWithAuthFile(t)
-	c.TwilioBaseURL = twilioServer.URL
+	c.TwilioMessagingBaseURL = twilioServer.URL
 	c.TwilioAccount = "AC1234567890"
 	c.TwilioAuthToken = "AAEAA1234567890"
 	c.TwilioFromNumber = "+1234567890"
@ -167,7 +167,7 @@ func TestServer_Twilio_Call_With_User(t *testing.T) {

 func TestServer_Twilio_Call_InvalidNumber(t *testing.T) {
 	c := newTestConfig(t)
-	c.TwilioBaseURL = "https://127.0.0.1"
+	c.TwilioMessagingBaseURL = "https://127.0.0.1"
 	c.TwilioAccount = "AC1234567890"
 	c.TwilioAuthToken = "AAEAA1234567890"
 	c.TwilioFromNumber = "+1234567890"
@ -181,7 +181,7 @@ func TestServer_Twilio_Call_InvalidNumber(t *testing.T) {

 func TestServer_Twilio_SMS_InvalidNumber(t *testing.T) {
 	c := newTestConfig(t)
-	c.TwilioBaseURL = "https://127.0.0.1"
+	c.TwilioMessagingBaseURL = "https://127.0.0.1"
 	c.TwilioAccount = "AC1234567890"
 	c.TwilioAuthToken = "AAEAA1234567890"
 	c.TwilioFromNumber = "+1234567890"
--- a/server/types.go
+++ b/server/types.go
@ -277,6 +277,16 @@ type apiAccountTokenResponse struct {
 	Expires    int64  `json:"expires,omitempty"` // Unix timestamp
 }

+type apiAccountPhoneNumberRequest struct {
+	Number string `json:"number"`
+	Code   string `json:"code,omitempty"` // Only supplied in "verify" call
+}
+
+type apiAccountPhoneNumberResponse struct {
+	Number   string `json:"number"`
+	Verified bool   `json:"verified"`
+}
+
 type apiAccountTier struct {
 	Code string `json:"code"`
 	Name string `json:"name"`
@ -326,18 +336,19 @@ type apiAccountBilling struct {
 }

 type apiAccountResponse struct {
-	Username      string                     `json:"username"`
-	Role          string                     `json:"role,omitempty"`
-	SyncTopic     string                     `json:"sync_topic,omitempty"`
-	Language      string                     `json:"language,omitempty"`
-	Notification  *user.NotificationPrefs    `json:"notification,omitempty"`
-	Subscriptions []*user.Subscription       `json:"subscriptions,omitempty"`
-	Reservations  []*apiAccountReservation   `json:"reservations,omitempty"`
-	Tokens        []*apiAccountTokenResponse `json:"tokens,omitempty"`
-	Tier          *apiAccountTier            `json:"tier,omitempty"`
-	Limits        *apiAccountLimits          `json:"limits,omitempty"`
-	Stats         *apiAccountStats           `json:"stats,omitempty"`
-	Billing       *apiAccountBilling         `json:"billing,omitempty"`
+	Username      string                           `json:"username"`
+	Role          string                           `json:"role,omitempty"`
+	SyncTopic     string                           `json:"sync_topic,omitempty"`
+	Language      string                           `json:"language,omitempty"`
+	Notification  *user.NotificationPrefs          `json:"notification,omitempty"`
+	Subscriptions []*user.Subscription             `json:"subscriptions,omitempty"`
+	Reservations  []*apiAccountReservation         `json:"reservations,omitempty"`
+	Tokens        []*apiAccountTokenResponse       `json:"tokens,omitempty"`
+	PhoneNumbers  []*apiAccountPhoneNumberResponse `json:"phone_numbers,omitempty"`
+	Tier          *apiAccountTier                  `json:"tier,omitempty"`
+	Limits        *apiAccountLimits                `json:"limits,omitempty"`
+	Stats         *apiAccountStats                 `json:"stats,omitempty"`
+	Billing       *apiAccountBilling               `json:"billing,omitempty"`
 }

 type apiAccountReservationRequest struct {
@ -419,3 +430,7 @@ type apiStripeSubscriptionDeletedEvent struct {
 	ID       string `json:"id"`
 	Customer string `json:"customer"`
 }
+
+type apiTwilioVerifyResponse struct {
+	Status string `json:"status"`
+}