Initial import of rewrite

15 files changed, 1097 insertions, 0 deletions

diff --git a/app/config.go b/app/config.go
new file mode 100644
index 0000000..2ffd0cb
--- /dev/null
+++ b/app/config.go
@@ -0,0 +1,45 @@
+package app
+
+import "time"
+
+type Config struct {
+        Bind                     []string      `flag:"bind" flag-scope:"web" flag-help:"Addresses and ports to bind http server"`
+        Debug                    bool          `flag:"debug" flag-help:"Enable debug mode"`
+        MongoDbUri               string        `flag:"mongodb-uri" flag-scope:"web,register" flag-help:"URI for connection to mongodb"`
+        DisableBackgroundJobs    bool          `flag:"disable-bg-jobs" flag-scope:"web" flag-help:"Disable background jobs and only serve web pages"`
+        Hostnames                []string      `flag:"hostname" flag-scope:"web" flag-help:"Hostname this server serves (can be specified multiple times)"`
+        TrustedIPRanges          []string      `flag:"trusted-ip-ranges" flag-scope:"web" flag-help:"Comma separated list of IP ranges for trusted XFF proxies"`
+        DNSApiKeyVaultPath       string        `flag:"dns-api-vault-path" flag-scope:"web" flag-help:"Vault material for DNS API key"`
+        AutocertEmail            string        `flag:"autocert-email" flag-scope:"web" flag-help:"Autocert notification email"`
+        AutocertHost             string        `flag:"autocert-host" flag-scope:"web" flag-help:"Autocert service url"`
+        NetboxHost               string        `flag:"netbox-host" flag-scope:"web" flag-help:"Netbox service url"`
+        NetboxApiKeyVaultPath    string        `flag:"netbox-api-vault-path" flag-scope:"web" flag-help:"Vault material path for Netbox API key"`
+        CookieKeyPath            string        `flag:"cookie-key-path" flag-scope:"web" flag-help:"Vault material path for cookie encryption key"`
+        SSHCAKeyPath             string        `flag:"ssh-ca-key-path" flag-scope:"web" flag-help:"Vault material path for SSH CA key"`
+        SSHCertificateExpiration time.Duration `flag:"ssh-cert-expire" flag-scope:"web" flag-help:"Lifetime duration of signed SSH certificates"`
+        OauthRPName              string        `flag:"oauth-rp-name" flag-scope:"web" flag-help:"Name of Oauth2 relying party for auth"`
+        OauthDevicePollSecs      int           `flag:"oauth-device-poll-secs" flag-scope:"web" flag-help:"Number of seconds between polls for oauth device flow"`
+        OauthSessionTimeout      time.Duration `flag:"oauth-session-timelut" flag-scope:"web" flag-help:"Timeout before oauth session expires"`
+        InviteTimeout            time.Duration `flag:"invite-timeout" flag-scope:"register" flag-help:"Timeout before inivitation code expires"`
+}
+
+var DefaultConfig = &Config{
+        Bind:                     []string{":8069"},
+        Debug:                    false,
+        MongoDbUri:               "ssh-proxy-prod@mongodb.sea4.crute.me/ssh-proxy-prod",
+        DisableBackgroundJobs:    false,
+        Hostnames:                []string{"ssh-proxy.crute.me"},
+        TrustedIPRanges:          []string{"172.19.0.0/22", "2602:803:4072::/48"},
+        DNSApiKeyVaultPath:       "service/ssh-proxy/dns-api-key",
+        AutocertEmail:            "letsencrypt-certs@pomonaconsulting.com",
+        AutocertHost:             "https://dns-manage.crute.me/acmev2",
+        NetboxHost:               "https://netbox.crute.me",
+        NetboxApiKeyVaultPath:    "infra/netbox-readonly",
+        CookieKeyPath:            "service/ssh-proxy/cookie-key",
+        SSHCAKeyPath:             "service/ssh-proxy/ssh-ca-key",
+        SSHCertificateExpiration: time.Minute,
+        OauthRPName:              "Crute SSH Proxy",
+        OauthDevicePollSecs:      5,
+        OauthSessionTimeout:      5 * time.Minute,
+        InviteTimeout:            1 * time.Hour,
+}
diff --git a/app/controllers/ca.go b/app/controllers/ca.go
new file mode 100644
index 0000000..632db50
--- /dev/null
+++ b/app/controllers/ca.go
@@ -0,0 +1,172 @@
+package controllers
+
+import (
+        "crypto/rand"
+        "fmt"
+        "io"
+        "net/http"
+        "strings"
+        "time"
+
+        "code.crute.us/mcrute/ssh-proxy/app/middleware"
+        "code.crute.us/mcrute/ssh-proxy/app/models"
+        "github.com/labstack/echo/v4"
+        "golang.org/x/crypto/ssh"
+)
+
+type CASecret struct {
+        Key string `mapstructure:"key"`
+}
+
+type CAHandlerConfig struct {
+        Logger     echo.Logger
+        Users      models.UserStore
+        Expiration time.Duration
+        Secret     CASecret
+}
+
+type CAHandler struct {
+        Logger     echo.Logger
+        Users      models.UserStore
+        Expiration time.Duration
+        signer     ssh.Signer
+}
+
+func NewCAHandler(cfg CAHandlerConfig) (*CAHandler, error) {
+        signer, err := ssh.ParsePrivateKey([]byte(cfg.Secret.Key))
+        if err != nil {
+                return nil, err
+        }
+
+        cfg.Logger.Infof("CA Authorized Key: %s", ssh.MarshalAuthorizedKey(signer.PublicKey()))
+
+        return &CAHandler{
+                Logger:     cfg.Logger,
+                Users:      cfg.Users,
+                Expiration: cfg.Expiration,
+                signer:     signer,
+        }, nil
+}
+
+func (h *CAHandler) authorizeRequest(c echo.Context, certRequest *ssh.Certificate) error {
+        session := middleware.GetAuthorizedSession(c)
+
+        user, err := h.Users.Get(c.Request().Context(), session.UserId)
+        if err != nil {
+                return err
+        }
+
+        if user.Username != certRequest.ValidPrincipals[0] {
+                return fmt.Errorf("Authenticated username and cert username must match")
+        }
+
+        if !session.HasScope("ca:issue") {
+                return fmt.Errorf("Authorized session does not have scope ca:issue")
+        }
+
+        if certRequest.Extensions == nil {
+                return fmt.Errorf("Cert request extensions are empty")
+        }
+
+        hostLine, ok := certRequest.Extensions["allowed-hosts"]
+        if !ok {
+                return fmt.Errorf("Cert request allowed-hosts is blank")
+        }
+
+        for _, host := range strings.Split(hostLine, ",") {
+                if !user.AuthorizedForHost(host) {
+                        return fmt.Errorf("User %s is not authorized for host %s", session.UserId, host)
+                }
+        }
+
+        h.Logger.Infof("Allowing user %s to obtain SSH certificate for hosts %s", user.Username, hostLine)
+        return nil
+}
+
+func (h *CAHandler) verifyRequestSignature(c *ssh.Certificate) error {
+        // Copied from ssh.Certificate#bytesForSigning
+        // https://cs.opensource.google/go/x/crypto/+/refs/tags/v0.11.0:ssh/certs.go;l=499-505
+        c2 := *c
+        c2.Signature = nil
+        out := c2.Marshal()
+        // Drop trailing signature length.
+        return c.Verify(out[:len(out)-4], c.Signature)
+}
+
+func (h *CAHandler) HandleIssue(c echo.Context) error {
+        req, err := io.ReadAll(c.Request().Body)
+        if err != nil {
+                return c.JSON(http.StatusBadRequest, map[string]string{
+                        "error": "Unable to read request body",
+                })
+        }
+
+        pubkey, _, _, _, err := ssh.ParseAuthorizedKey(req)
+        if err != nil {
+                return c.JSON(http.StatusBadRequest, map[string]string{
+                        "error": "Error parsing certificate request",
+                })
+        }
+
+        certRequest, ok := pubkey.(*ssh.Certificate)
+        if !ok {
+                return c.JSON(http.StatusBadRequest, map[string]string{
+                        "error": "Invalid format for certificate request",
+                })
+        }
+
+        if certRequest.CertType != ssh.UserCert {
+                return c.JSON(http.StatusBadRequest, map[string]string{
+                        "error": "This CA only issues user certificates",
+                })
+        }
+
+        if len(certRequest.ValidPrincipals) != 1 {
+                return c.JSON(http.StatusBadRequest, map[string]string{
+                        "error": "Invalid number of principals specified",
+                })
+        }
+
+        // Kinda silly I guess but at least proves that the requestor
+        // is in posession of the private key that we're signing
+        if err := h.verifyRequestSignature(certRequest); err != nil {
+                h.Logger.Error(err)
+                return c.JSON(http.StatusUnauthorized, map[string]string{
+                        "error": "Invalid signature",
+                })
+        }
+
+        if err := h.authorizeRequest(c, certRequest); err != nil {
+                h.Logger.Error(err)
+                return c.JSON(http.StatusUnauthorized, map[string]string{
+                        "error": "Not authorized",
+                })
+        }
+
+        utcNow := time.Now().UTC()
+
+        // Serial doesn't really matter since these are so short lived and we
+        // won't be revoking them
+        certToIssue := &ssh.Certificate{
+                Key:             certRequest.Key,
+                Serial:          uint64(utcNow.Unix()),
+                CertType:        ssh.UserCert,
+                KeyId:           fmt.Sprintf("%s_%d", certRequest.ValidPrincipals[0], utcNow.Unix()),
+                ValidPrincipals: certRequest.ValidPrincipals,
+                ValidAfter:      uint64(utcNow.Add(-5 * time.Minute).Unix()),
+                ValidBefore:     uint64(utcNow.Add(h.Expiration).Unix()),
+                Permissions: ssh.Permissions{
+                        Extensions: map[string]string{
+                                "permit-pty": "",
+                        },
+                },
+        }
+
+        if err := certToIssue.SignCert(rand.Reader, h.signer); err != nil {
+                return c.JSON(http.StatusBadRequest, map[string]string{
+                        "error": "Error signing certificate",
+                })
+        }
+
+        return c.Blob(http.StatusOK, "application/x-ssh-certificate", ssh.MarshalAuthorizedKey(certToIssue))
+}
diff --git a/app/controllers/login.go b/app/controllers/login.go
new file mode 100644
index 0000000..603eb20
--- /dev/null
+++ b/app/controllers/login.go
@@ -0,0 +1,117 @@
+package controllers
+
+import (
+        "bytes"
+        "encoding/json"
+        "io"
+        "net/http"
+        "time"
+
+        "code.crute.us/mcrute/golib/echo/session"
+        "code.crute.us/mcrute/ssh-proxy/app"
+        "code.crute.us/mcrute/ssh-proxy/app/models"
+        "github.com/go-webauthn/webauthn/protocol"
+        "github.com/go-webauthn/webauthn/webauthn"
+        "github.com/labstack/echo/v4"
+)
+
+type LoginController[T app.AppSession] struct {
+        Logger            echo.Logger
+        Sessions          session.Store[T]
+        Users             models.UserStore
+        AuthSessions      models.AuthSessionStore
+        Webauthn          *webauthn.WebAuthn
+        SessionExpiration time.Duration
+}
+
+func (a *LoginController[T]) HandleStart(c echo.Context) error {
+        user, err := a.Users.Get(c.Request().Context(), c.Param("username"))
+        if err != nil {
+                a.Logger.Errorf("Error getting user: %s", err)
+                return c.NoContent(http.StatusNotFound)
+        }
+
+        request, sessionData, err := a.Webauthn.BeginLogin(user)
+        if err != nil {
+                a.Logger.Errorf("Error creating webauthn request: %s", err)
+                return c.NoContent(http.StatusInternalServerError)
+        }
+
+        session := a.Sessions.Get(c)
+        s := session.Self()
+        s.WebauthnSession = sessionData
+        a.Sessions.Update(c, session)
+
+        return c.JSON(http.StatusOK, request)
+}
+
+func (a *LoginController[T]) HandleFinish(c echo.Context) error {
+        ctx := c.Request().Context()
+
+        body, err := io.ReadAll(c.Request().Body)
+        if err != nil {
+                a.Logger.Errorf("Error reading request body:", err)
+                return c.NoContent(http.StatusInternalServerError)
+        }
+
+        user, err := a.Users.Get(ctx, c.Param("username"))
+        if err != nil {
+                a.Logger.Errorf("Error getting user: %s", err)
+                return c.NoContent(http.StatusNotFound)
+        }
+
+        response, err := protocol.ParseCredentialRequestResponseBody(bytes.NewBuffer(body))
+        if err != nil {
+                a.Logger.Errorf("Error parsing credential response: %s", err)
+                return c.NoContent(http.StatusBadRequest)
+        }
+
+        session := a.Sessions.Get(c)
+        s := session.Self()
+
+        if s.WebauthnSession == nil {
+                a.Logger.Errorf("Webauthn session is not set")
+                return c.NoContent(http.StatusBadRequest)
+        }
+
+        if _, err := a.Webauthn.ValidateLogin(user, *s.WebauthnSession, response); err != nil {
+                a.Logger.Errorf("Error validating login: %s", err)
+                return c.NoContent(http.StatusBadRequest)
+        }
+
+        // Don't check the clone warning or the auth count because these are
+        // meaningless for Passkeys since they are synced across devices
+        // (presumably securely). This would only matter for hard tokens like
+        // Yubikeys and since we're also allowing Passkey support there is no
+        // need to be more strict for that class of device.
+
+        var code struct {
+                Code string `json:"code"`
+        }
+        if err := json.Unmarshal(body, &code); err != nil {
+                a.Logger.Errorf("Error decoding json body")
+                return c.NoContent(http.StatusBadRequest)
+        }
+
+        authSession, err := a.AuthSessions.GetByUserCode(ctx, code.Code)
+        if err != nil {
+                a.Logger.Errorf("No auth session exists")
+                return c.NoContent(http.StatusUnauthorized)
+        }
+
+        if authSession.AccessCode != "" {
+                a.Logger.Errorf("Session is already authenticated")
+                return c.NoContent(http.StatusUnauthorized)
+        }
+
+        authSession.GenerateAccessCode()
+        authSession.UserId = user.Username
+        authSession.Expires = time.Now().Add(a.SessionExpiration)
+
+        if err := a.AuthSessions.Upsert(ctx, authSession); err != nil {
+                a.Logger.Errorf("Error saving auth session")
+                return c.NoContent(http.StatusInternalServerError)
+        }
+
+        return c.NoContent(http.StatusOK)
+}
diff --git a/app/controllers/oauth2_device.go b/app/controllers/oauth2_device.go
new file mode 100644
index 0000000..0ddf653
--- /dev/null
+++ b/app/controllers/oauth2_device.go
@@ -0,0 +1,129 @@
+package controllers
+
+import (
+        "crypto/subtle"
+        "fmt"
+        "net/http"
+        "strconv"
+        "time"
+
+        "code.crute.us/mcrute/ssh-proxy/app"
+        "code.crute.us/mcrute/ssh-proxy/app/models"
+        "github.com/labstack/echo/v4"
+)
+
+func badRequest(c echo.Context, e models.AuthorizationError, d string) error {
+        return c.JSON(http.StatusBadRequest, models.Oauth2Error{
+                Type:        e,
+                Description: d,
+        })
+}
+
+type OAuth2DeviceController[T app.AppSession] struct {
+        Logger            echo.Logger
+        OauthClients      models.OauthClientStore
+        AuthSessions      models.AuthSessionStore
+        Hostname          string
+        PollSeconds       int
+        SessionExpiration time.Duration
+}
+
+func (a *OAuth2DeviceController[T]) HandleStart(c echo.Context) error {
+        ctx := c.Request().Context()
+
+        var form models.AuthorizationRequest
+        if err := (&echo.DefaultBinder{}).BindBody(c, &form); err != nil {
+                a.Logger.Errorf("Unable to parse form data: %s", err)
+                return badRequest(c, models.ErrInvalidRequest, "")
+        }
+
+        client, err := a.OauthClients.Get(ctx, form.ClientId)
+        if err != nil {
+                a.Logger.Errorf("Unable to find client ID '%s': %s", form.ClientId, err)
+                return badRequest(c, models.ErrUnauthorizedClient, "")
+        }
+
+        if len(form.Challenge) <= 16 {
+                return badRequest(c, models.ErrInvalidRequest,
+                        "code_challenge is too short, minimum length is 16 bytes")
+        }
+
+        if form.ChallengeMethod != models.ChallengeS256 {
+                return badRequest(c, models.ErrInvalidRequest,
+                        "code_challenge_method invalid, only S256 supported")
+        }
+
+        session := models.NewAuthSession(client.Id, time.Now().Add(a.SessionExpiration))
+        session.SetChallenge(form.Challenge, form.ChallengeMethod)
+        session.SetScopeString(form.Scope)
+
+        if !session.HasAnyScopes() {
+                return badRequest(c, models.ErrInvalidRequest, "one or more scopes required")
+        }
+
+        for _, s := range session.Scope {
+                if s != "ssh:proxy" && s != "ca:issue" {
+                        return badRequest(c, models.ErrInvalidScope, fmt.Sprintf("scope %s is not recognized", s))
+                }
+        }
+
+        if err := a.AuthSessions.Insert(ctx, session); err != nil {
+                a.Logger.Errorf("Error inserting auth session", err)
+                return c.NoContent(http.StatusInternalServerError)
+        }
+
+        return c.JSON(http.StatusOK, models.DeviceAuthorizationResponse{
+                DeviceCode:              session.DeviceCode,
+                UserCode:                session.UserCode,
+                VerificationUri:         fmt.Sprintf("%s/login", a.Hostname),
+                VerificationUriComplete: fmt.Sprintf("%s/login?code=%s", a.Hostname, session.UserCode),
+                ExpiresIn:               int(time.Until(session.Expires).Seconds()),
+                Interval:                a.PollSeconds,
+        })
+}
+
+func (a *OAuth2DeviceController[T]) HandleToken(c echo.Context) error {
+        ctx := c.Request().Context()
+
+        var form models.DeviceAccessTokenRequest
+        if err := (&echo.DefaultBinder{}).BindBody(c, &form); err != nil {
+                a.Logger.Errorf("Unable to parse form data: %s", err)
+                return badRequest(c, models.ErrInvalidRequest, "")
+        }
+
+        session, err := a.AuthSessions.Get(ctx, form.DeviceCode)
+        if err != nil {
+                return c.NoContent(http.StatusNotFound)
+        }
+
+        if form.GrantType != models.DEVICE_CODE_GRANT_TYPE {
+                return badRequest(c, models.ErrUnsupportedGrantType, "")
+        }
+
+        if subtle.ConstantTimeCompare([]byte(session.ClientId), []byte(form.ClientId)) != 1 {
+                return badRequest(c, models.ErrUnauthorizedClient, "")
+        }
+
+        if time.Now().After(session.Expires) {
+                return badRequest(c, models.ErrExpiredToken, "")
+        }
+
+        verifier := &models.PKCEChallenge{Verifier: form.CodeVerifier}
+        if verifier.EqualString(session.Challenge) {
+                return badRequest(c, models.ErrInvalidGrant, "") // Per RFC7636 4.6
+        }
+
+        if session.IsRegistration {
+                return badRequest(c, models.ErrInvalidGrant, "")
+        }
+
+        if session.AccessCode == "" {
+                return badRequest(c, models.ErrAuthorizationPending, "")
+        }
+
+        return c.JSON(http.StatusOK, models.AccessTokenResponse{
+                AccessToken: session.AccessCode,
+                TokenType:   "Bearer",
+                ExpiresIn:   strconv.FormatInt(int64(time.Until(session.Expires).Seconds()), 10),
+        })
+}
diff --git a/app/controllers/proxy.go b/app/controllers/proxy.go
new file mode 100644
index 0000000..c8345e8
--- /dev/null
+++ b/app/controllers/proxy.go
@@ -0,0 +1,78 @@
+package controllers
+
+import (
+        "fmt"
+        "net"
+        "net/http"
+        "strconv"
+
+        "code.crute.us/mcrute/ssh-proxy/app/middleware"
+        "code.crute.us/mcrute/ssh-proxy/app/models"
+        "code.crute.us/mcrute/ssh-proxy/proxy"
+
+        "github.com/gorilla/websocket"
+        "github.com/labstack/echo/v4"
+)
+
+type ProxyHandler struct {
+        Logger   echo.Logger
+        Upgrader websocket.Upgrader
+        Users    models.UserStore
+}
+
+func getConnectAddr(c echo.Context) string {
+        p, err := strconv.Atoi(c.Param("port"))
+        if err != nil {
+                p = 22
+        }
+        return fmt.Sprintf("%s:%d", c.Param("host"), p)
+}
+
+func (h *ProxyHandler) authorizeRequest(c echo.Context) error {
+        session := middleware.GetAuthorizedSession(c)
+
+        user, err := h.Users.Get(c.Request().Context(), session.UserId)
+        if err != nil {
+                return err
+        }
+
+        if !session.HasScope("ssh:proxy") {
+                return fmt.Errorf("Authorized session does not have scope ssh:proxy")
+        }
+
+        host := c.Param("host")
+        if user.AuthorizedForHost(host) {
+                h.Logger.Infof("Allowing user %s to proxy to host %s", session.UserId, host)
+                return nil
+        }
+
+        return fmt.Errorf("User %s not authorized for host %s", session.UserId, host)
+}
+
+func (h *ProxyHandler) Handle(c echo.Context) error {
+        if err := h.authorizeRequest(c); err != nil {
+                h.Logger.Error(err)
+                return c.NoContent(http.StatusUnauthorized)
+        }
+
+        wsconn, err := h.Upgrader.Upgrade(c.Response(), c.Request(), nil)
+        if err != nil {
+                return err
+        }
+        defer wsconn.Close()
+
+        proxyconn, err := net.Dial("tcp", getConnectAddr(c))
+        if err != nil {
+                return err
+        }
+        defer proxyconn.Close()
+
+        errc := make(chan error)
+        ws := &proxy.WebsocketReadWriter{W: wsconn}
+
+        go proxy.CopyWithErrors(proxyconn, ws, errc)
+        go proxy.CopyWithErrors(ws, proxyconn, errc)
+
+        <-errc
+        return nil
+}
diff --git a/app/controllers/register.go b/app/controllers/register.go
new file mode 100644
index 0000000..8698bda
--- /dev/null
+++ b/app/controllers/register.go
@@ -0,0 +1,78 @@
+package controllers
+
+import (
+        "net/http"
+
+        "code.crute.us/mcrute/golib/echo/session"
+        "code.crute.us/mcrute/ssh-proxy/app"
+        "code.crute.us/mcrute/ssh-proxy/app/models"
+        "github.com/go-webauthn/webauthn/protocol"
+        "github.com/go-webauthn/webauthn/webauthn"
+        "github.com/labstack/echo/v4"
+)
+
+type RegisterController[T app.AppSession] struct {
+        Logger       echo.Logger
+        Sessions     session.Store[T]
+        Users        models.UserStore
+        AuthSessions models.AuthSessionStore
+        Webauthn     *webauthn.WebAuthn
+}
+
+func (a *RegisterController[T]) HandleStart(c echo.Context) error {
+        user, err := a.Users.Get(c.Request().Context(), c.Param("username"))
+        if err != nil {
+                a.Logger.Errorf("Error getting user: %s", err)
+                return c.NoContent(http.StatusNotFound)
+        }
+
+        request, sessionData, err := a.Webauthn.BeginRegistration(user)
+        if err != nil {
+                a.Logger.Errorf("Error creating webauthn request: %s", err)
+                return c.NoContent(http.StatusInternalServerError)
+        }
+
+        session := a.Sessions.Get(c)
+        s := session.Self()
+        s.WebauthnSession = sessionData
+        a.Sessions.Update(c, session)
+
+        return c.JSON(http.StatusOK, request)
+}
+
+func (a *RegisterController[T]) HandleFinish(c echo.Context) error {
+        user, err := a.Users.Get(c.Request().Context(), c.Param("username"))
+        if err != nil {
+                a.Logger.Errorf("Error getting user: %s", err)
+                return c.NoContent(http.StatusNotFound)
+        }
+
+        response, err := protocol.ParseCredentialCreationResponseBody(c.Request().Body)
+        if err != nil {
+                a.Logger.Errorf("Error parsing credential response: %s", err)
+                return c.NoContent(http.StatusBadRequest)
+        }
+
+        session := a.Sessions.Get(c)
+        s := session.Self()
+
+        if s.WebauthnSession == nil {
+                a.Logger.Errorf("Webauthn session is not set")
+                return c.NoContent(http.StatusBadRequest)
+        }
+
+        credential, err := a.Webauthn.CreateCredential(user, *s.WebauthnSession, response)
+        if err != nil {
+                a.Logger.Errorf("Error creating credential: %s", err)
+                return c.NoContent(http.StatusBadRequest)
+        }
+
+        user.Fido2Credentials = append(user.Fido2Credentials, *credential)
+
+        if err := a.Users.Upsert(c.Request().Context(), user); err != nil {
+                a.Logger.Errorf("Error saving user: %s", err)
+                return c.NoContent(http.StatusInternalServerError)
+        }
+
+        return c.NoContent(http.StatusOK)
+}
diff --git a/app/middleware/token_auth.go b/app/middleware/token_auth.go
new file mode 100644
index 0000000..6454ddb
--- /dev/null
+++ b/app/middleware/token_auth.go
@@ -0,0 +1,76 @@
+package middleware
+
+import (
+        "net/http"
+        "strings"
+        "time"
+
+        "code.crute.us/mcrute/ssh-proxy/app/models"
+        "github.com/labstack/echo/v4"
+)
+
+const authorizedSession = "__ssh-proxy_authorized_session"
+
+func GetAuthorizedSession(c echo.Context) *models.AuthSession {
+        ses := c.Get(authorizedSession)
+        if ses != nil {
+                return ses.(*models.AuthSession)
+        }
+        return nil
+}
+
+type TokenAuthMiddleware struct {
+        Logger        echo.Logger
+        RequiredScope string
+        AuthSessions  models.AuthSessionStore
+}
+
+func (m *TokenAuthMiddleware) Middleware(next echo.HandlerFunc) echo.HandlerFunc {
+        return func(c echo.Context) error {
+                authHeader := strings.SplitN(c.Request().Header.Get("Authorization"), " ", 2)
+
+                if len(authHeader) != 2 || strings.ToLower(authHeader[0]) != "bearer" {
+                        return c.JSON(http.StatusBadRequest, models.Oauth2Error{
+                                Type:        models.ErrInvalidRequest,
+                                Description: "invalid authorization header",
+                        })
+                }
+
+                session, err := m.AuthSessions.GetByAccessCode(c.Request().Context(), authHeader[1])
+                if err != nil {
+                        return c.JSON(http.StatusUnauthorized, models.Oauth2Error{
+                                Type: models.ErrAccessDenied,
+                        })
+                }
+
+                if time.Now().After(session.Expires) {
+                        return c.JSON(http.StatusUnauthorized, models.Oauth2Error{
+                                Type: models.ErrAccessDenied,
+                        })
+                }
+
+                foundScope := false
+                for _, s := range session.Scope {
+                        if s == m.RequiredScope {
+                                foundScope = true
+                                break
+                        }
+                }
+
+                if !foundScope {
+                        return c.JSON(http.StatusUnauthorized, models.Oauth2Error{
+                                Type: models.ErrAccessDenied,
+                        })
+                }
+
+                if session.IsRegistration {
+                        return c.JSON(http.StatusUnauthorized, models.Oauth2Error{
+                                Type: models.ErrAccessDenied,
+                        })
+                }
+
+                c.Set(authorizedSession, session)
+
+                return next(c)
+        }
+}
diff --git a/app/models/auth_session.go b/app/models/auth_session.go
new file mode 100644
index 0000000..0b86b16
--- /dev/null
+++ b/app/models/auth_session.go
@@ -0,0 +1,75 @@
+package models
+
+import (
+        "context"
+        "strings"
+        "time"
+)
+
+type AuthSession struct {
+        DeviceCode      string `bson:"_id"`
+        ClientId        string
+        UserCode        string
+        AccessCode      string
+        Challenge       string
+        ChallengeMethod string
+        UserId          string
+        IsRegistration  bool
+        Scope           []string
+        Expires         time.Time
+        Deleted         *time.Time
+}
+
+func NewAuthSession(client string, expires time.Time) *AuthSession {
+        return &AuthSession{
+                DeviceCode: createDeviceCode(),
+                UserCode:   createUserCode(),
+                Expires:    expires,
+                ClientId:   client,
+        }
+}
+
+func (s *AuthSession) GenerateAccessCode() {
+        s.AccessCode = createDeviceCode()
+}
+
+func (s *AuthSession) RecordId() string {
+        return s.DeviceCode
+}
+
+func (s *AuthSession) MarkDeleted(t time.Time) {
+        s.Deleted = &t
+}
+
+func (s *AuthSession) SetChallenge(challenge string, method PKCEChallengeType) {
+        s.Challenge = challenge
+        s.ChallengeMethod = string(method)
+}
+
+func (s *AuthSession) SetScopeString(scope string) {
+        s.Scope = strings.Split(scope, " ")
+}
+
+func (s *AuthSession) HasAnyScopes() bool {
+        return len(s.Scope) > 0
+}
+
+func (s *AuthSession) HasScope(scope string) bool {
+        for _, c := range s.Scope {
+                if c == scope {
+                        return true
+                }
+        }
+        return false
+}
+
+type AuthSessionStore interface {
+        List(ctx context.Context) ([]*AuthSession, error)
+        ListAll(ctx context.Context) ([]*AuthSession, error)
+        Get(ctx context.Context, name string) (*AuthSession, error)
+        GetByUserCode(ctx context.Context, userCode string) (*AuthSession, error)
+        GetByAccessCode(ctx context.Context, userCode string) (*AuthSession, error)
+        Insert(ctx context.Context, m *AuthSession) error
+        Upsert(ctx context.Context, m *AuthSession) error
+        Delete(ctx context.Context, m *AuthSession) error
+}
diff --git a/app/models/auth_session_mongodb.go b/app/models/auth_session_mongodb.go
new file mode 100644
index 0000000..fc5f5dd
--- /dev/null
+++ b/app/models/auth_session_mongodb.go
@@ -0,0 +1,45 @@
+package models
+
+import (
+        "context"
+        "time"
+
+        "code.crute.us/mcrute/ssh-proxy/db"
+
+        "go.mongodb.org/mongo-driver/bson"
+        "go.mongodb.org/mongo-driver/bson/primitive"
+)
+
+type AuthSessionStoreMongodb struct {
+        *db.MongoDbBasicStore[*AuthSession]
+}
+
+var _ AuthSessionStore = (*AuthSessionStoreMongodb)(nil)
+
+func (s *AuthSessionStoreMongodb) getBy(ctx context.Context, field, value string) (*AuthSession, error) {
+        var out AuthSession
+
+        if err := s.Db.Collection(s.CollectionName).FindOne(ctx, &bson.M{
+                field: value,
+                "expires": bson.M{
+                        "$gte": primitive.NewDateTimeFromTime(time.Now()),
+                },
+        }).Decode(&out); err != nil {
+                return nil, err
+        }
+
+        return &out, nil
+}
+
+func (s *AuthSessionStoreMongodb) GetByUserCode(ctx context.Context, userCode string) (*AuthSession, error) {
+        return s.getBy(ctx, "usercode", userCode)
+}
+
+func (s *AuthSessionStoreMongodb) GetByAccessCode(ctx context.Context, accessCode string) (*AuthSession, error) {
+        return s.getBy(ctx, "accesscode", accessCode)
+}
+
+func (s *AuthSessionStoreMongodb) Insert(ctx context.Context, session *AuthSession) error {
+        _, err := s.Db.Collection(s.CollectionName).InsertOne(ctx, session)
+        return err
+}
diff --git a/app/models/auth_session_util.go b/app/models/auth_session_util.go
new file mode 100644
index 0000000..1f1474a
--- /dev/null
+++ b/app/models/auth_session_util.go
@@ -0,0 +1,25 @@
+package models
+
+import (
+        "crypto/rand"
+        "encoding/base32"
+        "encoding/base64"
+        "fmt"
+)
+
+func createDeviceCode() string {
+        buf := make([]byte, 32)
+        if _, err := rand.Read(buf); err != nil {
+                panic(err)
+        }
+        return base64.URLEncoding.EncodeToString(buf)
+}
+
+func createUserCode() string {
+        buf := make([]byte, 32)
+        if _, err := rand.Read(buf); err != nil {
+                panic(err)
+        }
+        userCodeRaw := base32.StdEncoding.EncodeToString(buf)
+        return fmt.Sprintf("%s-%s", userCodeRaw[0:4], userCodeRaw[5:9])
+}
diff --git a/app/models/oauth2.go b/app/models/oauth2.go
new file mode 100644
index 0000000..9bfde0a
--- /dev/null
+++ b/app/models/oauth2.go
@@ -0,0 +1,103 @@
+package models
+
+import (
+        "crypto/rand"
+        "crypto/sha256"
+        "crypto/subtle"
+        "encoding/base64"
+        "fmt"
+)
+
+const (
+        DEVICE_CODE_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:device_code"
+)
+
+type AuthorizationRequest struct {
+        Challenge       string            `url:"code_challenge" form:"code_challenge" json:"code_challenge"`                      // RFC7636
+        ChallengeMethod PKCEChallengeType `url:"code_challenge_method" form:"code_challenge_method" json:"code_challenge_method"` // RFC7636
+        ClientId        string            `url:"client_id" form:"client_id" json:"client_id"`
+        Scope           string            `url:"scope" form:"scope" json:"scope"`
+}
+
+type DeviceAuthorizationResponse struct {
+        DeviceCode              string `json:"device_code"`      // REQUIRED
+        UserCode                string `json:"user_code"`        // REQUIRED
+        VerificationUri         string `json:"verification_uri"` // REQUIRED
+        VerificationUriComplete string `json:"verification_uri_complete,omitempty"`
+        ExpiresIn               int    `json:"expires_in,omitempty"`
+        Interval                int    `json:"interval,omitempty"`
+}
+
+type DeviceAccessTokenRequest struct {
+        GrantType    string `url:"grant_type" form:"grant_type" json:"grant_type"`
+        DeviceCode   string `url:"device_code" form:"device_code" json:"device_code"`
+        ClientId     string `url:"client_id" form:"client_id" json:"client_id"`
+        CodeVerifier string `url:"code_verifier" form:"code_verifier" json:"code_verifier"`
+}
+
+type AccessTokenResponse struct {
+        AccessToken  string `json:"access_token"`
+        TokenType    string `json:"token_type"`           // Must be Bearer
+        ExpiresIn    string `json:"expires_in,omitempty"` // Lifetime in seconds
+        RefreshToken string `json:"refresh_token,omitempty"`
+        Scope        string `json:"scope,omitempty"`
+}
+
+type AuthorizationError string
+
+const (
+        ErrInvalidRequest       AuthorizationError = "invalid_request"
+        ErrInvalidClient                           = "invalid_client"
+        ErrInvalidGrant                            = "invalid_grant"
+        ErrUnauthorizedClient                      = "unauthorized_client"
+        ErrUnsupportedGrantType                    = "unsupported_grant_type"
+        ErrInvalidScope                            = "invalid_scope"
+        ErrAuthorizationPending                    = "authorization_pending" // RFC7636
+        ErrSlowDown                                = "slow_down"             // RFC7636
+        ErrAccessDenied                            = "access_denied"         // RFC7636
+        ErrExpiredToken                            = "expired_token"         // RFC7636
+)
+
+type Oauth2Error struct {
+        Type        AuthorizationError `json:"error"`
+        Description string             `json:"error_description,omitempty"`
+        Uri         string             `json:"error_uri,omitempty"`
+}
+
+func (e Oauth2Error) Error() string {
+        if e.Description == "" {
+                return fmt.Sprintf("Oauth2Error: %s", e.Type)
+        } else {
+                return fmt.Sprintf("Oauth2Error: %s %s", e.Type, e.Description)
+        }
+}
+
+type PKCEChallengeType string
+
+const (
+        ChallengePlain PKCEChallengeType = "plain"
+        ChallengeS256                    = "S256"
+)
+
+type PKCEChallenge struct {
+        Verifier string
+}
+
+func NewPKCEChallenge() (*PKCEChallenge, error) {
+        buf := make([]byte, 32)
+        if _, err := rand.Read(buf); err != nil {
+                return nil, err
+        }
+        return &PKCEChallenge{
+                Verifier: base64.URLEncoding.EncodeToString(buf),
+        }, nil
+}
+
+func (c *PKCEChallenge) Challenge() string {
+        hash := sha256.Sum256([]byte(c.Verifier))
+        return base64.URLEncoding.EncodeToString(hash[:])
+}
+
+func (c *PKCEChallenge) EqualString(o string) bool {
+        return subtle.ConstantTimeCompare([]byte(o), []byte(c.Challenge())) != 1
+}
diff --git a/app/models/oauth_client.go b/app/models/oauth_client.go
new file mode 100644
index 0000000..2f30087
--- /dev/null
+++ b/app/models/oauth_client.go
@@ -0,0 +1,27 @@
+package models
+
+import (
+        "context"
+        "time"
+)
+
+type OauthClient struct {
+        Id      string `bson:"_id"`
+        Deleted *time.Time
+}
+
+func (c *OauthClient) RecordId() string {
+        return c.Id
+}
+
+func (c *OauthClient) MarkDeleted(t time.Time) {
+        c.Deleted = &t
+}
+
+type OauthClientStore interface {
+        List(ctx context.Context) ([]*OauthClient, error)
+        ListAll(ctx context.Context) ([]*OauthClient, error)
+        Get(ctx context.Context, name string) (*OauthClient, error)
+        Upsert(ctx context.Context, m *OauthClient) error
+        Delete(ctx context.Context, m *OauthClient) error
+}
diff --git a/app/models/user.go b/app/models/user.go
new file mode 100644
index 0000000..5c9ec90
--- /dev/null
+++ b/app/models/user.go
@@ -0,0 +1,63 @@
+package models
+
+import (
+        "context"
+        "time"
+
+        "github.com/go-webauthn/webauthn/webauthn"
+)
+
+type User struct {
+        Username         string `bson:"_id"`
+        DisplayName      string
+        AllowedHosts     []string
+        Fido2Credentials []webauthn.Credential
+        Deleted          *time.Time
+}
+
+var _ webauthn.User = (*User)(nil)
+
+func (u *User) RecordId() string {
+        return u.Username
+}
+
+func (u *User) MarkDeleted(t time.Time) {
+        u.Deleted = &t
+}
+
+func (u *User) WebAuthnID() []byte {
+        return []byte(u.Username)
+}
+
+func (u *User) WebAuthnName() string {
+        return u.Username
+}
+
+func (u *User) WebAuthnDisplayName() string {
+        return u.DisplayName
+}
+
+func (u *User) WebAuthnCredentials() []webauthn.Credential {
+        return u.Fido2Credentials
+}
+
+func (u *User) WebAuthnIcon() string {
+        return ""
+}
+
+func (u *User) AuthorizedForHost(host string) bool {
+        for _, c := range u.AllowedHosts {
+                if host == c {
+                        return true
+                }
+        }
+        return false
+}
+
+type UserStore interface {
+        List(ctx context.Context) ([]*User, error)
+        ListAll(ctx context.Context) ([]*User, error)
+        Get(ctx context.Context, name string) (*User, error)
+        Upsert(ctx context.Context, m *User) error
+        Delete(ctx context.Context, m *User) error
+}
diff --git a/app/session.go b/app/session.go
new file mode 100644
index 0000000..58aa13d
--- /dev/null
+++ b/app/session.go
@@ -0,0 +1,46 @@
+package app
+
+import (
+        "time"
+
+        "code.crute.us/mcrute/golib/echo/middleware"
+        "code.crute.us/mcrute/golib/echo/session"
+        "github.com/go-webauthn/webauthn/webauthn"
+        "github.com/labstack/echo/v4"
+)
+
+type AppSession interface {
+        session.Session
+        middleware.CSRFAwareSession
+        Self() *Session
+}
+
+type Session struct {
+        Expiration      time.Time
+        CSRFToken       string
+        WebauthnSession *webauthn.SessionData
+}
+
+var _ AppSession = (*Session)(nil)
+
+func NewSession(c echo.Context) *Session {
+        return &Session{
+                Expiration: time.Now().Add(365 * 24 * time.Hour),
+        }
+}
+
+func (s *Session) Self() *Session {
+        return s
+}
+
+func (s *Session) Expires() time.Time {
+        return s.Expiration
+}
+
+func (s *Session) GetCSRFSecret() string {
+        return s.CSRFToken
+}
+
+func (s *Session) SetCSRFSecret(secret string) {
+        s.CSRFToken = secret
+}
diff --git a/app/templates.go b/app/templates.go
new file mode 100644
index 0000000..52ded7a
--- /dev/null
+++ b/app/templates.go
@@ -0,0 +1,18 @@
+package app
+
+import (
+        "code.crute.us/mcrute/golib/echo/controller"
+        "code.crute.us/mcrute/ssh-proxy/app/models"
+)
+
+type PageContext struct {
+        PageName          string
+        Year              int
+        RenderTime        string
+        Flags             *controller.FeatureFlags
+        Context           *controller.PageContext
+        CSRFToken         string
+        AuthenticatedUser *models.User
+        Model             any // For pages with one model
+        Models            any // For pages with a collection of models
+}