auth

Paddy 2015-03-07 Parent:d30a3a12d387 Child:762953f6a7f2

auth/token.go

Test our GetClientHandler function, add isAuthError helper. Add a helper that identifies whether the error passed to it is an authentication error or is some other type of error. This is useful fo checking whether or not an internal error occurred while authenticating users. Update all instances where we call our authentication helper to make them use the new error helper. All tests continue to pass. Add a new test case for retrieving a client as an unauthenticated user. This clears the client's secret from the response before sending it. Update the GetClientHandler function to return the secret when the owner of the client used Basic Auth in the request. Add a new test case for retrieving a client as an authenticated user, both the owner and a non-owner user. This makes sure the secret is divulged only in the appropriate cases.

Download raw file

View source Diff to previous Annotate

paddy@28	1 package auth
paddy@28	2
paddy@28	3 import (
paddy@123	4 "encoding/json"
paddy@28	5 "errors"
paddy@123	6 "log"
paddy@123	7 "net/http"
paddy@28	8 "time"
paddy@28	9
paddy@107	10 "code.secondbit.org/uuid.hg"
paddy@28	11 )
paddy@28	12
paddy@69	13 const (
paddy@125	14 defaultTokenExpiration = 3600 // one hour
paddy@69	15 )
paddy@69	16
paddy@123	17 func init() {
paddy@123	18 RegisterGrantType("refresh_token", GrantType{
paddy@123	19 Validate: refreshTokenValidate,
paddy@123	20 Invalidate: refreshTokenInvalidate,
paddy@123	21 IssuesRefresh: true,
paddy@123	22 ReturnToken: RenderJSONToken,
paddy@124	23 AuditString: refreshTokenAuditString,
paddy@123	24 })
paddy@123	25 }
paddy@123	26
paddy@28	27 var (
paddy@57	28 // ErrNoTokenStore is returned when a Context tries to act on a tokenStore without setting one first.
paddy@57	29 ErrNoTokenStore = errors.New("no tokenStore was specified for the Context")
paddy@57	30 // ErrTokenNotFound is returned when a Token is requested but not found in a tokenStore.
paddy@57	31 ErrTokenNotFound = errors.New("token not found in tokenStore")
paddy@57	32 // ErrTokenAlreadyExists is returned when a Token is added to a tokenStore, but another Token with
paddy@57	33 // the same AccessToken property already exists in the tokenStore.
paddy@57	34 ErrTokenAlreadyExists = errors.New("token already exists in tokenStore")
paddy@28	35 )
paddy@28	36
paddy@57	37 // Token represents an access and/or refresh token that the Client can use to access user data
paddy@57	38 // or obtain a new access token.
paddy@28	39 type Token struct {
paddy@125	40 AccessToken string
paddy@125	41 RefreshToken string
paddy@125	42 Created time.Time
paddy@125	43 CreatedFrom string
paddy@125	44 ExpiresIn int32
paddy@125	45 TokenType string
paddy@135	46 Scopes []string
paddy@125	47 ProfileID uuid.ID
paddy@125	48 ClientID uuid.ID
paddy@125	49 Revoked bool
paddy@125	50 RefreshRevoked bool
paddy@28	51 }
paddy@28	52
paddy@57	53 type tokenStore interface {
paddy@57	54 getToken(token string, refresh bool) (Token, error)
paddy@57	55 saveToken(token Token) error
paddy@91	56 revokeToken(token string, refresh bool) error
paddy@57	57 getTokensByProfileID(profileID uuid.ID, num, offset int) ([]Token, error)
paddy@28	58 }
paddy@28	59
paddy@57	60 func (m *memstore) getToken(token string, refresh bool) (Token, error) {
paddy@28	61 if refresh {
paddy@28	62 t, err := m.lookupTokenByRefresh(token)
paddy@28	63 if err != nil {
paddy@28	64 return Token{}, err
paddy@28	65 }
paddy@28	66 token = t
paddy@28	67 }
paddy@28	68 m.tokenLock.RLock()
paddy@28	69 defer m.tokenLock.RUnlock()
paddy@28	70 result, ok := m.tokens[token]
paddy@28	71 if !ok {
paddy@28	72 return Token{}, ErrTokenNotFound
paddy@28	73 }
paddy@28	74 return result, nil
paddy@28	75 }
paddy@28	76
paddy@57	77 func (m *memstore) saveToken(token Token) error {
paddy@28	78 m.tokenLock.Lock()
paddy@28	79 defer m.tokenLock.Unlock()
paddy@28	80 _, ok := m.tokens[token.AccessToken]
paddy@28	81 if ok {
paddy@28	82 return ErrTokenAlreadyExists
paddy@28	83 }
paddy@28	84 m.tokens[token.AccessToken] = token
paddy@28	85 if token.RefreshToken != "" {
paddy@28	86 m.refreshTokenLookup[token.RefreshToken] = token.AccessToken
paddy@28	87 }
paddy@28	88 if _, ok = m.profileTokenLookup[token.ProfileID.String()]; ok {
paddy@28	89 m.profileTokenLookup[token.ProfileID.String()] = append(m.profileTokenLookup[token.ProfileID.String()], token.AccessToken)
paddy@28	90 } else {
paddy@28	91 m.profileTokenLookup[token.ProfileID.String()] = []string{token.AccessToken}
paddy@28	92 }
paddy@28	93 return nil
paddy@28	94 }
paddy@28	95
paddy@91	96 func (m *memstore) revokeToken(token string, refresh bool) error {
paddy@91	97 if refresh {
paddy@91	98 t, err := m.lookupTokenByRefresh(token)
paddy@91	99 if err != nil {
paddy@91	100 return err
paddy@91	101 }
paddy@91	102 token = t
paddy@91	103 }
paddy@91	104 m.tokenLock.Lock()
paddy@91	105 defer m.tokenLock.Unlock()
paddy@91	106 t, ok := m.tokens[token]
paddy@91	107 if !ok {
paddy@91	108 return ErrTokenNotFound
paddy@91	109 }
paddy@123	110 if refresh {
paddy@123	111 t.RefreshRevoked = true
paddy@123	112 } else {
paddy@123	113 t.Revoked = true
paddy@123	114 }
paddy@91	115 m.tokens[token] = t
paddy@91	116 return nil
paddy@91	117 }
paddy@91	118
paddy@57	119 func (m *memstore) getTokensByProfileID(profileID uuid.ID, num, offset int) ([]Token, error) {
paddy@28	120 ids, err := m.lookupTokensByProfileID(profileID.String())
paddy@28	121 if err != nil {
paddy@28	122 return []Token{}, err
paddy@28	123 }
paddy@28	124 if len(ids) > num+offset {
paddy@28	125 ids = ids[offset : num+offset]
paddy@28	126 } else if len(ids) > offset {
paddy@28	127 ids = ids[offset:]
paddy@28	128 } else {
paddy@28	129 return []Token{}, nil
paddy@28	130 }
paddy@28	131 tokens := []Token{}
paddy@28	132 for _, id := range ids {
paddy@57	133 token, err := m.getToken(id, false)
paddy@28	134 if err != nil {
paddy@28	135 return []Token{}, err
paddy@28	136 }
paddy@28	137 tokens = append(tokens, token)
paddy@28	138 }
paddy@28	139 return tokens, nil
paddy@28	140 }
paddy@123	141
paddy@135	142 func refreshTokenValidate(w http.ResponseWriter, r *http.Request, context Context) (scopes []string, profileID uuid.ID, valid bool) {
paddy@123	143 enc := json.NewEncoder(w)
paddy@123	144 refresh := r.PostFormValue("refresh_token")
paddy@123	145 if refresh == "" {
paddy@123	146 w.WriteHeader(http.StatusBadRequest)
paddy@123	147 renderJSONError(enc, "invalid_request")
paddy@123	148 return
paddy@123	149 }
paddy@123	150 token, err := context.GetToken(refresh, true)
paddy@123	151 if err != nil {
paddy@123	152 if err == ErrTokenNotFound {
paddy@123	153 w.WriteHeader(http.StatusBadRequest)
paddy@123	154 renderJSONError(enc, "invalid_grant")
paddy@123	155 return
paddy@123	156 }
paddy@123	157 log.Println("Error exchanging refresh token:", err)
paddy@123	158 w.WriteHeader(http.StatusInternalServerError)
paddy@123	159 renderJSONError(enc, "server_error")
paddy@123	160 return
paddy@123	161 }
paddy@123	162 clientID, _, ok := getClientAuth(w, r, true)
paddy@123	163 if !ok {
paddy@123	164 return
paddy@123	165 }
paddy@123	166 if !token.ClientID.Equal(clientID) {
paddy@123	167 w.WriteHeader(http.StatusBadRequest)
paddy@123	168 renderJSONError(enc, "invalid_grant")
paddy@123	169 return
paddy@123	170 }
paddy@123	171 if token.RefreshRevoked {
paddy@123	172 w.WriteHeader(http.StatusBadRequest)
paddy@123	173 renderJSONError(enc, "invalid_grant")
paddy@123	174 return
paddy@123	175 }
paddy@135	176 return token.Scopes, token.ProfileID, true
paddy@123	177 }
paddy@123	178
paddy@123	179 func refreshTokenInvalidate(r *http.Request, context Context) error {
paddy@123	180 refresh := r.PostFormValue("refresh_token")
paddy@123	181 if refresh == "" {
paddy@123	182 return ErrTokenNotFound
paddy@123	183 }
paddy@123	184 return context.RevokeToken(refresh, true)
paddy@123	185 }
paddy@124	186
paddy@124	187 func refreshTokenAuditString(r *http.Request) string {
paddy@124	188 return "refresh_token:" + r.PostFormValue("refresh_token")
paddy@124	189 }
paddy@128	190
paddy@128	191 // BUG(paddy): We need to implement a handler for revoking a token.
paddy@128	192 // BUG(paddy): We need to implement a handler for listing active tokens.