auth
auth/access.go
Handle remaining access errors. Fill out remaining TODOs about returning errors when trying to obtain an access token.
| paddy@6 | 1 package auth |
| paddy@0 | 2 |
| paddy@0 | 3 import ( |
| paddy@0 | 4 "net/http" |
| paddy@1 | 5 "net/url" |
| paddy@0 | 6 "time" |
| paddy@0 | 7 |
| paddy@1 | 8 "strconv" |
| paddy@0 | 9 "secondbit.org/uuid" |
| paddy@0 | 10 ) |
| paddy@0 | 11 |
| paddy@0 | 12 // GrantType is the type for OAuth param `grant_type` |
| paddy@0 | 13 type GrantType string |
| paddy@0 | 14 |
| paddy@0 | 15 const ( |
| paddy@0 | 16 AuthorizationCodeGrant GrantType = "authorization_code" |
| paddy@0 | 17 RefreshTokenGrant = "refresh_token" |
| paddy@0 | 18 PasswordGrant = "password" |
| paddy@0 | 19 ClientCredentialsGrant = "client_credentials" |
| paddy@0 | 20 ) |
| paddy@0 | 21 |
| paddy@0 | 22 // AccessData represents an access grant (tokens, expiration, client, etc) |
| paddy@0 | 23 type AccessData struct { |
| paddy@1 | 24 PreviousAuthorizeData *AuthorizeData |
| paddy@1 | 25 PreviousAccessData *AccessData // previous access data, when refreshing |
| paddy@1 | 26 AccessToken string |
| paddy@1 | 27 RefreshToken string |
| paddy@1 | 28 ExpiresIn int32 |
| paddy@1 | 29 CreatedAt time.Time |
| paddy@1 | 30 TokenType string |
| paddy@1 | 31 ProfileID uuid.ID |
| paddy@1 | 32 AuthRequest |
| paddy@0 | 33 } |
| paddy@0 | 34 |
| paddy@0 | 35 // IsExpired returns true if access expired |
| paddy@0 | 36 func (d *AccessData) IsExpired() bool { |
| paddy@0 | 37 return d.CreatedAt.Add(time.Duration(d.ExpiresIn) * time.Second).Before(time.Now()) |
| paddy@0 | 38 } |
| paddy@0 | 39 |
| paddy@0 | 40 // ExpireAt returns the expiration date |
| paddy@0 | 41 func (d *AccessData) ExpireAt() time.Time { |
| paddy@0 | 42 return d.CreatedAt.Add(time.Duration(d.ExpiresIn) * time.Second) |
| paddy@0 | 43 } |
| paddy@0 | 44 |
| paddy@0 | 45 // HandleOAuth2AccessRequest is the http.HandlerFunc for handling access token requests. |
| paddy@0 | 46 func HandleOAuth2AccessRequest(w http.ResponseWriter, r *http.Request, ctx Context) { |
| paddy@0 | 47 // Only allow GET or POST |
| paddy@0 | 48 if r.Method != "POST" { |
| paddy@1 | 49 if r.Method != "GET" || !ctx.Config.AllowGetAccessRequest { |
| paddy@3 | 50 ctx.RenderJSONError(w, ErrorInvalidRequest, "Invalid request method.", ctx.Config.DocumentationDomain) |
| paddy@0 | 51 return |
| paddy@0 | 52 } |
| paddy@0 | 53 } |
| paddy@0 | 54 |
| paddy@0 | 55 grantType := GrantType(r.Form.Get("grant_type")) |
| paddy@0 | 56 if ctx.Config.AllowedAccessTypes.Exists(grantType) { |
| paddy@0 | 57 switch grantType { |
| paddy@0 | 58 case AuthorizationCodeGrant: |
| paddy@0 | 59 handleAuthorizationCodeRequest(w, r, ctx) |
| paddy@0 | 60 case RefreshTokenGrant: |
| paddy@0 | 61 handleRefreshTokenRequest(w, r, ctx) |
| paddy@0 | 62 case PasswordGrant: |
| paddy@0 | 63 handlePasswordRequest(w, r, ctx) |
| paddy@0 | 64 case ClientCredentialsGrant: |
| paddy@0 | 65 handleClientCredentialsRequest(w, r, ctx) |
| paddy@0 | 66 default: |
| paddy@3 | 67 ctx.RenderJSONError(w, ErrorUnsupportedGrantType, "Unsupported grant type.", ctx.Config.DocumentationDomain) |
| paddy@0 | 68 return |
| paddy@0 | 69 } |
| paddy@0 | 70 } |
| paddy@0 | 71 } |
| paddy@0 | 72 |
| paddy@0 | 73 func handleAuthorizationCodeRequest(w http.ResponseWriter, r *http.Request, ctx Context) { |
| paddy@0 | 74 // get client authentication |
| paddy@0 | 75 auth, err := getClientAuth(r, ctx.Config.AllowClientSecretInParams) |
| paddy@0 | 76 if err != nil { |
| paddy@3 | 77 ctx.RenderJSONError(w, ErrorInvalidClient, "Invalid client auth.", ctx.Config.DocumentationDomain) |
| paddy@0 | 78 return |
| paddy@0 | 79 } |
| paddy@0 | 80 |
| paddy@1 | 81 code := r.Form.Get("code") |
| paddy@0 | 82 // "code" is required |
| paddy@1 | 83 if code == "" { |
| paddy@3 | 84 ctx.RenderJSONError(w, ErrorInvalidRequest, "Code must be supplied.", ctx.Config.DocumentationDomain) |
| paddy@0 | 85 return |
| paddy@0 | 86 } |
| paddy@0 | 87 |
| paddy@0 | 88 // must have a valid client |
| paddy@1 | 89 client, err := getClient(auth, ctx) |
| paddy@0 | 90 if err != nil { |
| paddy@5 | 91 if err == ClientNotFoundError || err == InvalidClientError { |
| paddy@5 | 92 ctx.RenderJSONError(w, ErrorInvalidClient, "Invalid client auth.", ctx.Config.DocumentationDomain) |
| paddy@9 | 93 return |
| paddy@5 | 94 } |
| paddy@9 | 95 ctx.RenderJSONError(w, ErrorServerError, "Internal server error.", ctx.Config.DocumentationDomain) |
| paddy@0 | 96 return |
| paddy@0 | 97 } |
| paddy@0 | 98 |
| paddy@0 | 99 // must be a valid authorization code |
| paddy@1 | 100 authData, err := ctx.Tokens.GetAuthorization(code) |
| paddy@0 | 101 if err != nil { |
| paddy@9 | 102 if err == AuthorizationNotFoundError { |
| paddy@9 | 103 ctx.RenderJSONError(w, ErrorInvalidGrant, "Invalid authorization.", ctx.Config.DocumentationDomain) |
| paddy@9 | 104 return |
| paddy@9 | 105 } |
| paddy@9 | 106 ctx.RenderJSONError(w, ErrorServerError, "Internal server error.", ctx.Config.DocumentationDomain) |
| paddy@0 | 107 return |
| paddy@0 | 108 } |
| paddy@5 | 109 if authData.RedirectURI == "" { |
| paddy@5 | 110 ctx.RenderJSONError(w, ErrorInvalidGrant, "Invalid redirect on grant.", ctx.Config.DocumentationDomain) |
| paddy@0 | 111 return |
| paddy@5 | 112 } |
| paddy@1 | 113 if authData.IsExpired() { |
| paddy@3 | 114 ctx.RenderJSONError(w, ErrorInvalidGrant, "Authorization is expired.", ctx.Config.DocumentationDomain) |
| paddy@3 | 115 return |
| paddy@0 | 116 } |
| paddy@0 | 117 |
| paddy@0 | 118 // code must be from the client |
| paddy@1 | 119 if !authData.Client.ID.Equal(client.ID) { |
| paddy@3 | 120 ctx.RenderJSONError(w, ErrorInvalidGrant, "Grant issued to another client.", ctx.Config.DocumentationDomain) |
| paddy@0 | 121 return |
| paddy@0 | 122 } |
| paddy@0 | 123 |
| paddy@0 | 124 // check redirect uri |
| paddy@1 | 125 redirectURI := r.Form.Get("redirect_uri") |
| paddy@1 | 126 if redirectURI == "" { |
| paddy@1 | 127 redirectURI = client.RedirectURI |
| paddy@0 | 128 } |
| paddy@1 | 129 if err = validateURI(client.RedirectURI, redirectURI); err != nil { |
| paddy@3 | 130 ctx.RenderJSONError(w, ErrorInvalidGrant, "Redirect URI doesn't match client.", ctx.Config.DocumentationDomain) |
| paddy@0 | 131 return |
| paddy@0 | 132 } |
| paddy@1 | 133 if authData.RedirectURI != redirectURI { |
| paddy@3 | 134 ctx.RenderJSONError(w, ErrorInvalidGrant, "Redirect URI doesn't match auth redirect.", ctx.Config.DocumentationDomain) |
| paddy@0 | 135 return |
| paddy@0 | 136 } |
| paddy@0 | 137 |
| paddy@1 | 138 data := AccessData{ |
| paddy@1 | 139 AuthRequest: AuthRequest{ |
| paddy@1 | 140 Client: client, |
| paddy@1 | 141 RedirectURI: redirectURI, |
| paddy@1 | 142 Scope: authData.Scope, |
| paddy@1 | 143 }, |
| paddy@1 | 144 PreviousAuthorizeData: &authData, |
| paddy@1 | 145 } |
| paddy@1 | 146 |
| paddy@1 | 147 err = fillTokens(&data, true, ctx) |
| paddy@1 | 148 if err != nil { |
| paddy@7 | 149 ctx.RenderJSONError(w, ErrorServerError, "Internal server error.", ctx.Config.DocumentationDomain) |
| paddy@1 | 150 return |
| paddy@1 | 151 } |
| paddy@4 | 152 ctx.RenderJSONToken(w, data) |
| paddy@0 | 153 } |
| paddy@0 | 154 |
| paddy@0 | 155 func handleRefreshTokenRequest(w http.ResponseWriter, r *http.Request, ctx Context) { |
| paddy@0 | 156 // get client authentication |
| paddy@0 | 157 auth, err := getClientAuth(r, ctx.Config.AllowClientSecretInParams) |
| paddy@3 | 158 |
| paddy@0 | 159 if err != nil { |
| paddy@3 | 160 ctx.RenderJSONError(w, ErrorInvalidClient, "Invalid client auth.", ctx.Config.DocumentationDomain) |
| paddy@0 | 161 return |
| paddy@0 | 162 } |
| paddy@0 | 163 |
| paddy@1 | 164 code := r.Form.Get("refresh_token") |
| paddy@0 | 165 |
| paddy@0 | 166 // "refresh_token" is required |
| paddy@1 | 167 if code == "" { |
| paddy@3 | 168 ctx.RenderJSONError(w, ErrorInvalidRequest, "Missing refresh token.", ctx.Config.DocumentationDomain) |
| paddy@0 | 169 return |
| paddy@0 | 170 } |
| paddy@0 | 171 |
| paddy@0 | 172 // must have a valid client |
| paddy@1 | 173 client, err := getClient(auth, ctx) |
| paddy@0 | 174 if err != nil { |
| paddy@5 | 175 if err == ClientNotFoundError || err == InvalidClientError { |
| paddy@5 | 176 ctx.RenderJSONError(w, ErrorInvalidClient, "Invalid client auth.", ctx.Config.DocumentationDomain) |
| paddy@9 | 177 return |
| paddy@5 | 178 } |
| paddy@9 | 179 ctx.RenderJSONError(w, ErrorServerError, "Internal server error.", ctx.Config.DocumentationDomain) |
| paddy@0 | 180 return |
| paddy@0 | 181 } |
| paddy@0 | 182 |
| paddy@0 | 183 // must be a valid refresh code |
| paddy@1 | 184 refreshData, err := ctx.Tokens.GetRefresh(code) |
| paddy@0 | 185 if err != nil { |
| paddy@9 | 186 if err == TokenNotFoundError { |
| paddy@9 | 187 ctx.RenderJSONError(w, ErrorInvalidGrant, "Refresh token not valid.", ctx.Config.DocumentationDomain) |
| paddy@9 | 188 return |
| paddy@9 | 189 } |
| paddy@9 | 190 ctx.RenderJSONError(w, ErrorServerError, "Internal server error.", ctx.Config.DocumentationDomain) |
| paddy@0 | 191 return |
| paddy@0 | 192 } |
| paddy@0 | 193 |
| paddy@0 | 194 // client must be the same as the previous token |
| paddy@1 | 195 if !refreshData.Client.ID.Equal(client.ID) { |
| paddy@3 | 196 ctx.RenderJSONError(w, ErrorInvalidGrant, "Refresh token issued to another client.", ctx.Config.DocumentationDomain) |
| paddy@0 | 197 return |
| paddy@0 | 198 } |
| paddy@0 | 199 |
| paddy@1 | 200 scope := r.Form.Get("scope") |
| paddy@1 | 201 if scope == "" { |
| paddy@1 | 202 scope = refreshData.Scope |
| paddy@0 | 203 } |
| paddy@0 | 204 |
| paddy@1 | 205 data := AccessData{ |
| paddy@1 | 206 AuthRequest: AuthRequest{ |
| paddy@5 | 207 Client: client, |
| paddy@5 | 208 Scope: scope, |
| paddy@1 | 209 }, |
| paddy@1 | 210 PreviousAccessData: &refreshData, |
| paddy@1 | 211 } |
| paddy@1 | 212 err = fillTokens(&data, true, ctx) |
| paddy@1 | 213 if err != nil { |
| paddy@7 | 214 ctx.RenderJSONError(w, ErrorServerError, "Internal server error.", ctx.Config.DocumentationDomain) |
| paddy@1 | 215 return |
| paddy@1 | 216 } |
| paddy@4 | 217 ctx.RenderJSONToken(w, data) |
| paddy@0 | 218 } |
| paddy@0 | 219 |
| paddy@0 | 220 func handlePasswordRequest(w http.ResponseWriter, r *http.Request, ctx Context) { |
| paddy@0 | 221 // get client authentication |
| paddy@0 | 222 auth, err := getClientAuth(r, ctx.Config.AllowClientSecretInParams) |
| paddy@0 | 223 if err != nil { |
| paddy@4 | 224 ctx.RenderJSONError(w, ErrorInvalidClient, "Invalid client auth.", ctx.Config.DocumentationDomain) |
| paddy@0 | 225 return |
| paddy@0 | 226 } |
| paddy@0 | 227 |
| paddy@1 | 228 username := r.Form.Get("username") |
| paddy@1 | 229 password := r.Form.Get("password") |
| paddy@1 | 230 scope := r.Form.Get("scope") |
| paddy@0 | 231 |
| paddy@0 | 232 // "username" and "password" is required |
| paddy@1 | 233 if username == "" || password == "" { |
| paddy@4 | 234 ctx.RenderJSONError(w, ErrorInvalidRequest, "Missing credentials.", ctx.Config.DocumentationDomain) |
| paddy@0 | 235 return |
| paddy@0 | 236 } |
| paddy@0 | 237 |
| paddy@0 | 238 // must have a valid client |
| paddy@1 | 239 client, err := getClient(auth, ctx) |
| paddy@0 | 240 if err != nil { |
| paddy@5 | 241 if err == ClientNotFoundError || err == InvalidClientError { |
| paddy@5 | 242 ctx.RenderJSONError(w, ErrorInvalidClient, "Invalid client auth.", ctx.Config.DocumentationDomain) |
| paddy@9 | 243 return |
| paddy@5 | 244 } |
| paddy@9 | 245 ctx.RenderJSONError(w, ErrorServerError, "Internal server error.", ctx.Config.DocumentationDomain) |
| paddy@0 | 246 return |
| paddy@0 | 247 } |
| paddy@0 | 248 |
| paddy@1 | 249 _, err = ctx.Profiles.GetProfile(username, password) |
| paddy@1 | 250 if err != nil { |
| paddy@9 | 251 if err == ProfileNotFoundError { |
| paddy@9 | 252 ctx.RenderJSONError(w, ErrorInvalidGrant, "Invalid credentials.", ctx.Config.DocumentationDomain) |
| paddy@9 | 253 return |
| paddy@9 | 254 } |
| paddy@9 | 255 ctx.RenderJSONError(w, ErrorServerError, "Internal server error.", ctx.Config.DocumentationDomain) |
| paddy@1 | 256 return |
| paddy@1 | 257 } |
| paddy@1 | 258 |
| paddy@1 | 259 data := AccessData{ |
| paddy@1 | 260 AuthRequest: AuthRequest{ |
| paddy@5 | 261 Client: client, |
| paddy@5 | 262 Scope: scope, |
| paddy@1 | 263 }, |
| paddy@1 | 264 } |
| paddy@1 | 265 |
| paddy@1 | 266 err = fillTokens(&data, true, ctx) |
| paddy@1 | 267 if err != nil { |
| paddy@7 | 268 ctx.RenderJSONError(w, ErrorServerError, "Internal server error.", ctx.Config.DocumentationDomain) |
| paddy@1 | 269 return |
| paddy@1 | 270 } |
| paddy@4 | 271 ctx.RenderJSONToken(w, data) |
| paddy@0 | 272 } |
| paddy@0 | 273 |
| paddy@0 | 274 func handleClientCredentialsRequest(w http.ResponseWriter, r *http.Request, ctx Context) { |
| paddy@0 | 275 // get client authentication |
| paddy@0 | 276 auth, err := getClientAuth(r, ctx.Config.AllowClientSecretInParams) |
| paddy@0 | 277 if err != nil { |
| paddy@4 | 278 ctx.RenderJSONError(w, ErrorInvalidClient, "Invalid client auth.", ctx.Config.DocumentationDomain) |
| paddy@0 | 279 return |
| paddy@0 | 280 } |
| paddy@0 | 281 |
| paddy@1 | 282 scope := r.Form.Get("scope") |
| paddy@0 | 283 |
| paddy@0 | 284 // must have a valid client |
| paddy@1 | 285 client, err := getClient(auth, ctx) |
| paddy@0 | 286 if err != nil { |
| paddy@5 | 287 if err == ClientNotFoundError || err == InvalidClientError { |
| paddy@5 | 288 ctx.RenderJSONError(w, ErrorInvalidClient, "Invalid client auth.", ctx.Config.DocumentationDomain) |
| paddy@9 | 289 return |
| paddy@5 | 290 } |
| paddy@9 | 291 ctx.RenderJSONError(w, ErrorServerError, "Internal server error.", ctx.Config.DocumentationDomain) |
| paddy@0 | 292 return |
| paddy@0 | 293 } |
| paddy@0 | 294 |
| paddy@1 | 295 data := AccessData{ |
| paddy@1 | 296 AuthRequest: AuthRequest{ |
| paddy@5 | 297 Client: client, |
| paddy@5 | 298 Scope: scope, |
| paddy@1 | 299 }, |
| paddy@1 | 300 } |
| paddy@0 | 301 |
| paddy@1 | 302 err = fillTokens(&data, true, ctx) |
| paddy@0 | 303 if err != nil { |
| paddy@7 | 304 ctx.RenderJSONError(w, ErrorServerError, "Internal server error.", ctx.Config.DocumentationDomain) |
| paddy@0 | 305 return |
| paddy@0 | 306 } |
| paddy@4 | 307 ctx.RenderJSONToken(w, data) |
| paddy@0 | 308 } |
| paddy@0 | 309 |
| paddy@1 | 310 func fillTokens(data *AccessData, includeRefresh bool, ctx Context) error { |
| paddy@0 | 311 var err error |
| paddy@0 | 312 |
| paddy@0 | 313 // generate access token |
| paddy@1 | 314 data.AccessToken = newToken() |
| paddy@1 | 315 if includeRefresh { |
| paddy@1 | 316 data.RefreshToken = newToken() |
| paddy@0 | 317 } |
| paddy@0 | 318 |
| paddy@0 | 319 // save access token |
| paddy@1 | 320 err = ctx.Tokens.SaveAccess(*data) |
| paddy@0 | 321 if err != nil { |
| paddy@7 | 322 // TODO: log error |
| paddy@7 | 323 return InternalServerError |
| paddy@0 | 324 } |
| paddy@0 | 325 |
| paddy@0 | 326 // remove authorization token |
| paddy@1 | 327 if data.PreviousAuthorizeData != nil { |
| paddy@1 | 328 err = ctx.Tokens.RemoveAuthorization(data.PreviousAuthorizeData.Code) |
| paddy@0 | 329 if err != nil { |
| paddy@0 | 330 // TODO: log error |
| paddy@0 | 331 } |
| paddy@0 | 332 } |
| paddy@0 | 333 |
| paddy@0 | 334 // remove previous access token |
| paddy@1 | 335 if data.PreviousAccessData != nil { |
| paddy@1 | 336 if data.PreviousAccessData.RefreshToken != "" { |
| paddy@1 | 337 err = ctx.Tokens.RemoveRefresh(data.PreviousAccessData.RefreshToken) |
| paddy@0 | 338 if err != nil { |
| paddy@0 | 339 // TODO: log error |
| paddy@0 | 340 } |
| paddy@0 | 341 } |
| paddy@1 | 342 err = ctx.Tokens.RemoveAccess(data.PreviousAccessData.AccessToken) |
| paddy@0 | 343 if err != nil { |
| paddy@0 | 344 // TODO: log error |
| paddy@0 | 345 } |
| paddy@0 | 346 } |
| paddy@0 | 347 |
| paddy@1 | 348 data.TokenType = ctx.Config.TokenType |
| paddy@1 | 349 data.ExpiresIn = ctx.Config.AccessExpiration |
| paddy@1 | 350 data.CreatedAt = time.Now() |
| paddy@1 | 351 return nil |
| paddy@0 | 352 } |
| paddy@0 | 353 |
| paddy@1 | 354 func (data AccessData) GetRedirect(fragment bool) (string, error) { |
| paddy@1 | 355 u, err := url.Parse(data.RedirectURI) |
| paddy@1 | 356 if err != nil { |
| paddy@1 | 357 return "", err |
| paddy@1 | 358 } |
| paddy@1 | 359 |
| paddy@1 | 360 // add parameters |
| paddy@1 | 361 q := u.Query() |
| paddy@1 | 362 q.Set("access_token", data.AccessToken) |
| paddy@1 | 363 q.Set("token_type", data.TokenType) |
| paddy@1 | 364 q.Set("expires_in", strconv.FormatInt(int64(data.ExpiresIn), 10)) |
| paddy@1 | 365 if data.RefreshToken != "" { |
| paddy@1 | 366 q.Set("refresh_token", data.RefreshToken) |
| paddy@1 | 367 } |
| paddy@1 | 368 if data.Scope != "" { |
| paddy@1 | 369 q.Set("scope", data.Scope) |
| paddy@1 | 370 } |
| paddy@1 | 371 if len(data.ProfileID) > 0 { |
| paddy@1 | 372 q.Set("profile", data.ProfileID.String()) |
| paddy@1 | 373 } |
| paddy@1 | 374 if fragment { |
| paddy@1 | 375 u.RawQuery = "" |
| paddy@1 | 376 u.Fragment = q.Encode() |
| paddy@1 | 377 } else { |
| paddy@1 | 378 u.RawQuery = q.Encode() |
| paddy@1 | 379 } |
| paddy@1 | 380 |
| paddy@1 | 381 return u.String(), nil |
| paddy@1 | 382 } |
| paddy@0 | 383 |
| paddy@0 | 384 // getClient looks up and authenticates the basic auth using the given |
| paddy@0 | 385 // storage. Sets an error on the response if auth fails or a server error occurs. |
| paddy@0 | 386 func getClient(auth BasicAuth, ctx Context) (Client, error) { |
| paddy@0 | 387 id, err := uuid.Parse(auth.Username) |
| paddy@0 | 388 if err != nil { |
| paddy@0 | 389 return Client{}, err |
| paddy@0 | 390 } |
| paddy@1 | 391 client, err := ctx.Clients.GetClient(id) |
| paddy@0 | 392 if err != nil { |
| paddy@5 | 393 if err == ClientNotFoundError { |
| paddy@5 | 394 return Client{}, err |
| paddy@5 | 395 } |
| paddy@5 | 396 // TODO: log error |
| paddy@5 | 397 return Client{}, InternalServerError |
| paddy@0 | 398 } |
| paddy@0 | 399 if client.Secret != auth.Password { |
| paddy@5 | 400 return Client{}, InvalidClientError |
| paddy@0 | 401 } |
| paddy@0 | 402 if client.RedirectURI == "" { |
| paddy@5 | 403 return Client{}, InvalidClientError |
| paddy@0 | 404 } |
| paddy@0 | 405 return client, nil |
| paddy@0 | 406 } |