writefreely
/
writefreely
kopie van https://github.com/writefreely/writefreely.git
2
0
Vork 0
Code Kwesties Publicaties 25 Wiki Activiteit
A clean, Markdown-based publishing platform made for writers. Write together, and build a community. https://writefreely.org
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
630 Commits
45 Branches
76 MiB
 
 
 
 
 
Branch: T705-oauth
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van 'T705-oauth'
${ noResults }
writefreely/oauth.go

291 regels
8.6 KiB
Ruw Permalink Blame Geschiedenis 

  1. package writefreely

  2. 

  3. import (

  4. 	"context"

  5. 	"encoding/json"

  6. 	"fmt"

  7. 	"github.com/gorilla/sessions"

  8. 	"github.com/guregu/null/zero"

  9. 	"github.com/writeas/nerds/store"

  10. 	"github.com/writeas/web-core/auth"

  11. 	"github.com/writeas/web-core/log"

  12. 	"github.com/writeas/writefreely/config"

  13. 	"io"

  14. 	"io/ioutil"

  15. 	"net/http"

  16. 	"net/url"

  17. 	"strings"

  18. 	"time"

  19. )

  20. 

  21. // TokenResponse contains data returned when a token is created either

  22. // through a code exchange or using a refresh token.

  23. type TokenResponse struct {

  24. 	AccessToken  string `json:"access_token"`

  25. 	ExpiresIn    int    `json:"expires_in"`

  26. 	RefreshToken string `json:"refresh_token"`

  27. 	TokenType    string `json:"token_type"`

  28. 	Error        string `json:"error"`

  29. }

  30. 

  31. // InspectResponse contains data returned when an access token is inspected.

  32. type InspectResponse struct {

  33. 	ClientID  string    `json:"client_id"`

  34. 	UserID    int64     `json:"user_id"`

  35. 	ExpiresAt time.Time `json:"expires_at"`

  36. 	Username  string    `json:"username"`

  37. 	Email     string    `json:"email"`

  38. }

  39. 

  40. // tokenRequestMaxLen is the most bytes that we'll read from the /oauth/token

  41. // endpoint. One megabyte is plenty.

  42. const tokenRequestMaxLen = 1000000

  43. 

  44. // infoRequestMaxLen is the most bytes that we'll read from the

  45. // /oauth/inspect endpoint.

  46. const infoRequestMaxLen = 1000000

  47. 

  48. // OAuthDatastoreProvider provides a minimal interface of data store, config,

  49. // and session store for use with the oauth handlers.

  50. type OAuthDatastoreProvider interface {

  51. 	DB() OAuthDatastore

  52. 	Config() *config.Config

  53. 	SessionStore() sessions.Store

  54. }

  55. 

  56. // OAuthDatastore provides a minimal interface of data store methods used in

  57. // oauth functionality.

  58. type OAuthDatastore interface {

  59. 	GenerateOAuthState(context.Context) (string, error)

  60. 	ValidateOAuthState(context.Context, string) error

  61. 	GetIDForRemoteUser(context.Context, int64) (int64, error)

  62. 	CreateUser(*config.Config, *User, string) error

  63. 	RecordRemoteUserID(context.Context, int64, int64) error

  64. 	GetUserForAuthByID(int64) (*User, error)

  65. }

  66. 

  67. type HttpClient interface {

  68. 	Do(req *http.Request) (*http.Response, error)

  69. }

  70. 

  71. type oauthHandler struct {

  72. 	Config     *config.Config

  73. 	DB         OAuthDatastore

  74. 	Store      sessions.Store

  75. 	HttpClient HttpClient

  76. }

  77. 

  78. // buildAuthURL returns a URL used to initiate authentication.

  79. func buildAuthURL(db OAuthDatastore, ctx context.Context, clientID, authLocation, callbackURL string) (string, error) {

  80. 	state, err := db.GenerateOAuthState(ctx)

  81. 	if err != nil {

  82. 		return "", err

  83. 	}

  84. 

  85. 	u, err := url.Parse(authLocation)

  86. 	if err != nil {

  87. 		return "", err

  88. 	}

  89. 	q := u.Query()

  90. 	q.Set("client_id", clientID)

  91. 	q.Set("redirect_uri", callbackURL)

  92. 	q.Set("response_type", "code")

  93. 	q.Set("state", state)

  94. 	u.RawQuery = q.Encode()

  95. 

  96. 	return u.String(), nil

  97. }

  98. 

  99. // app *App, w http.ResponseWriter, r *http.Request

  100. func (h oauthHandler) viewOauthInit(w http.ResponseWriter, r *http.Request) {

  101. 	location, err := buildAuthURL(h.DB, r.Context(), h.Config.App.OAuthClientID, h.Config.App.OAuthProviderAuthLocation, h.Config.App.OAuthClientCallbackLocation)

  102. 	if err != nil {

  103. 		failOAuthRequest(w, http.StatusInternalServerError, "could not prepare oauth redirect url")

  104. 		return

  105. 	}

  106. 	http.Redirect(w, r, location, http.StatusTemporaryRedirect)

  107. }

  108. 

  109. func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request) {

  110. 	ctx := r.Context()

  111. 

  112. 	code := r.FormValue("code")

  113. 	state := r.FormValue("state")

  114. 

  115. 	err := h.DB.ValidateOAuthState(ctx, state)

  116. 	if err != nil {

  117. 		log.Error("Unable to ValidateOAuthState: %s", err)

  118. 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())

  119. 		return

  120. 	}

  121. 

  122. 	tokenResponse, err := h.exchangeOauthCode(ctx, code)

  123. 	if err != nil {

  124. 		log.Error("Unable to exchangeOauthCode: %s", err)

  125. 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())

  126. 		return

  127. 	}

  128. 

  129. 	// Now that we have the access token, let's use it real quick to make sur

  130. 	// it really really works.

  131. 	tokenInfo, err := h.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)

  132. 	if err != nil {

  133. 		log.Error("Unable to inspectOauthAccessToken: %s", err)

  134. 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())

  135. 		return

  136. 	}

  137. 

  138. 	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID)

  139. 	if err != nil {

  140. 		log.Error("Unable to GetIDForRemoteUser: %s", err)

  141. 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())

  142. 		return

  143. 	}

  144. 

  145. 	fmt.Println("local user id", localUserID)

  146. 

  147. 	if localUserID == -1 {

  148. 		// We don't have, nor do we want, the password from the origin, so we

  149. 		//create a random string. If the user needs to set a password, they

  150. 		//can do so through the settings page or through the password reset

  151. 		//flow.

  152. 		randPass := store.Generate62RandomString(14)

  153. 		hashedPass, err := auth.HashPass([]byte(randPass))

  154. 		if err != nil {

  155. 			log.ErrorLog.Println(err)

  156. 			failOAuthRequest(w, http.StatusInternalServerError, "unable to create password hash")

  157. 			return

  158. 		}

  159. 		newUser := &User{

  160. 			Username:   tokenInfo.Username,

  161. 			HashedPass: hashedPass,

  162. 			HasPass:    true,

  163. 			Email:      zero.NewString("", tokenInfo.Email != ""),

  164. 			Created:    time.Now().Truncate(time.Second).UTC(),

  165. 		}

  166. 

  167. 		err = h.DB.CreateUser(h.Config, newUser, newUser.Username)

  168. 		if err != nil {

  169. 			failOAuthRequest(w, http.StatusInternalServerError, err.Error())

  170. 			return

  171. 		}

  172. 

  173. 		err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID)

  174. 		if err != nil {

  175. 			failOAuthRequest(w, http.StatusInternalServerError, err.Error())

  176. 			return

  177. 		}

  178. 

  179. 		if err := loginOrFail(h.Store, w, r, newUser); err != nil {

  180. 			failOAuthRequest(w, http.StatusInternalServerError, err.Error())

  181. 		}

  182. 		return

  183. 	}

  184. 

  185. 	user, err := h.DB.GetUserForAuthByID(localUserID)

  186. 	if err != nil {

  187. 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())

  188. 		return

  189. 	}

  190. 	if err = loginOrFail(h.Store, w, r, user); err != nil {

  191. 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())

  192. 	}

  193. }

  194. 

  195. func (h oauthHandler) exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error) {

  196. 	form := url.Values{}

  197. 	form.Add("grant_type", "authorization_code")

  198. 	form.Add("redirect_uri", h.Config.App.OAuthClientCallbackLocation)

  199. 	form.Add("code", code)

  200. 	req, err := http.NewRequest("POST", h.Config.App.OAuthProviderTokenLocation, strings.NewReader(form.Encode()))

  201. 	if err != nil {

  202. 		return nil, err

  203. 	}

  204. 	req.WithContext(ctx)

  205. 	req.Header.Set("User-Agent", "writefreely")

  206. 	req.Header.Set("Accept", "application/json")

  207. 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

  208. 	req.SetBasicAuth(h.Config.App.OAuthClientID, h.Config.App.OAuthClientSecret)

  209. 

  210. 	resp, err := h.HttpClient.Do(req)

  211. 	if err != nil {

  212. 		return nil, err

  213. 	}

  214. 

  215. 	// Nick: I like using limited readers to reduce the risk of an endpoint

  216. 	// being broken or compromised.

  217. 	lr := io.LimitReader(resp.Body, tokenRequestMaxLen)

  218. 	body, err := ioutil.ReadAll(lr)

  219. 	if err != nil {

  220. 		return nil, err

  221. 	}

  222. 

  223. 	var tokenResponse TokenResponse

  224. 	err = json.Unmarshal(body, &tokenResponse)

  225. 	if err != nil {

  226. 		return nil, err

  227. 	}

  228. 

  229. 	// Check the response for an error message, and return it if there is one.

  230. 	if tokenResponse.Error != "" {

  231. 		return nil, fmt.Errorf(tokenResponse.Error)

  232. 	}

  233. 	return &tokenResponse, nil

  234. }

  235. 

  236. func (h oauthHandler) inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error) {

  237. 	req, err := http.NewRequest("GET", h.Config.App.OAuthProviderInspectLocation, nil)

  238. 	if err != nil {

  239. 		return nil, err

  240. 	}

  241. 	req.WithContext(ctx)

  242. 	req.Header.Set("User-Agent", "writefreely")

  243. 	req.Header.Set("Accept", "application/json")

  244. 	req.Header.Set("Authorization", "Bearer "+accessToken)

  245. 

  246. 	resp, err := h.HttpClient.Do(req)

  247. 	if err != nil {

  248. 		return nil, err

  249. 	}

  250. 

  251. 	// Nick: I like using limited readers to reduce the risk of an endpoint

  252. 	// being broken or compromised.

  253. 	lr := io.LimitReader(resp.Body, infoRequestMaxLen)

  254. 	body, err := ioutil.ReadAll(lr)

  255. 	if err != nil {

  256. 		return nil, err

  257. 	}

  258. 

  259. 	var inspectResponse InspectResponse

  260. 	err = json.Unmarshal(body, &inspectResponse)

  261. 	if err != nil {

  262. 		return nil, err

  263. 	}

  264. 	return &inspectResponse, nil

  265. }

  266. 

  267. func loginOrFail(store sessions.Store, w http.ResponseWriter, r *http.Request, user *User) error {

  268. 	// An error may be returned, but a valid session should always be returned.

  269. 	session, _ := store.Get(r, cookieName)

  270. 	session.Values[cookieUserVal] = user.Cookie()

  271. 	if err := session.Save(r, w); err != nil {

  272. 		fmt.Println("error saving session", err)

  273. 		return err

  274. 	}

  275. 	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)

  276. 	return nil

  277. }

  278. 

  279. // failOAuthRequest is an HTTP handler helper that formats returned error

  280. // messages.

  281. func failOAuthRequest(w http.ResponseWriter, statusCode int, message string) {

  282. 	w.Header().Set("Content-Type", "application/json")

  283. 	w.WriteHeader(statusCode)

  284. 	err := json.NewEncoder(w).Encode(map[string]interface{}{

  285. 		"error": message,

  286. 	})

  287. 	if err != nil {

  288. 		panic(err)

  289. 	}

  290. }