
Paddy 2014-08-16 Parent:fc5df8e68c7b Child:1f04b1146cad

16:13568ac73ac3 Go to Latest

auth/context.go

Note the potential for CSRF attacks. Our auth provider probably shouldn't have security vulnerabilities. Add TODOs to ensure that logging in and authorizing a grant are not susceptible to CSRF attacks; otherwise it becomes pretty easy for an attacker to gain access to user data or to a user account.

paddy@6 1 package auth
paddy@0 2
paddy@10 3 import (
paddy@15 4 "encoding/json"
paddy@15 5 "html/template"
paddy@10 6 "io"
paddy@10 7 "log"
paddy@10 8 )
paddy@1 9
paddy@0 10 type Context struct {
paddy@15 11 Config ServerConfig
paddy@15 12 Clients ClientStore
paddy@15 13 Tokens TokenStore
paddy@15 14 Profiles ProfileStore
paddy@15 15 Log *log.Logger
paddy@15 16 Templates Templates
paddy@15 17 }
paddy@15 18
paddy@15 19 type Templates struct {
paddy@15 20 Error *template.Template
paddy@15 21 Confirmation *template.Template
paddy@15 22 Login *template.Template
paddy@15 23 }
paddy@15 24
paddy@15 25 type jsonError struct {
paddy@15 26 Error string `json:"error,omitempty"`
paddy@15 27 Description string `json:"error_description,omitempty"`
paddy@15 28 URI string `json:"error_uri,omitempty"`
paddy@15 29 State string `json:"state,omitempty"`
paddy@0 30 }
paddy@1 31
paddy@1 32 func (c Context) RenderError(w io.Writer, err error) {
paddy@15 33 if c.Templates.Error == nil {
paddy@15 34 log.Println("Error template is nil, can't render error.")
paddy@15 35 return
paddy@15 36 }
paddy@15 37 renderErr := c.Templates.Error.Execute(w, map[string]interface{}{
paddy@15 38 "err": err,
paddy@15 39 })
paddy@15 40 if renderErr != nil {
paddy@15 41 log.Printf("Error executing error template (oh, the irony): %s\n", renderErr)
paddy@15 42 return
paddy@15 43 }
paddy@1 44 }
paddy@1 45
paddy@3 46 func (c Context) RenderJSONError(w io.Writer, code, description, baseURI string) {
paddy@15 47 d, err := json.Marshal(jsonError{
paddy@15 48 Error: code,
paddy@15 49 Description: description,
paddy@15 50 URI: baseURI,
paddy@15 51 })
paddy@15 52 if err != nil {
paddy@15 53 log.Printf("Error marshalling json error (oh, the irony): %s\n", err)
paddy@15 54 return
paddy@15 55 }
paddy@15 56 _, err = w.Write(d)
paddy@15 57 if err != nil {
paddy@15 58 log.Printf("Error writing json error: %s\n", err)
paddy@15 59 return
paddy@15 60 }
paddy@3 61 }
paddy@3 62
paddy@1 63 func (c Context) RenderConfirmation(w io.Writer) {
paddy@15 64 if c.Templates.Confirmation == nil {
paddy@15 65 log.Println("Confirmation template is nil, can't render confirmation.")
paddy@15 66 return
paddy@15 67 }
paddy@16 68 // TODO: CSRF prevention
paddy@15 69 err := c.Templates.Confirmation.Execute(w, nil)
paddy@15 70 if err != nil {
paddy@15 71 log.Printf("Error executing confirmation template: %s\n", err)
paddy@15 72 return
paddy@15 73 }
paddy@1 74 }
paddy@1 75
paddy@1 76 func (c Context) RenderLogin(w io.Writer) {
paddy@15 77 if c.Templates.Login == nil {
paddy@15 78 log.Println("Login template is nil, can't render confirmation.")
paddy@15 79 return
paddy@15 80 }
paddy@16 81 // TODO: CSRF prevention
paddy@15 82 err := c.Templates.Login.Execute(w, nil)
paddy@15 83 if err != nil {
paddy@15 84 log.Printf("Error executing login template: %s\n", err)
paddy@15 85 return
paddy@15 86 }
paddy@1 87 }
paddy@4 88
paddy@4 89 func (c Context) RenderJSONToken(w io.Writer, data AccessData) {
paddy@15 90 d, err := json.Marshal(data)
paddy@15 91 if err != nil {
paddy@15 92 log.Printf("Error marshalling json token: %s\n", err)
paddy@15 93 return
paddy@15 94 }
paddy@15 95 _, err = w.Write(d)
paddy@15 96 if err != nil {
paddy@15 97 log.Printf("Error writing json token: %s\n", err)
paddy@15 98 return
paddy@15 99 }
paddy@4 100 }
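Review bot: The two new `// TODO: CSRF prevention` comments sit in RenderConfirmation and RenderLogin, which only execute a template with `nil` data, so neither function has anywhere to put an anti-CSRF token and neither is the place where a forged POST would be accepted; the check has to live in the handler that processes the submitted form, which is outside this file. To keep the TODO from being closed by a template-only change, I would make it name both halves, e.g. `// TODO: CSRF prevention — pass a per-session anti-CSRF token in the template data (currently nil) and verify it in the handler that accepts this form's POST`. Unrelated to this change but visible in the section, the nil-template message in RenderLogin says "can't render confirmation." and should say "login". The exported methods on Context also have no doc comments; a one-line `// RenderLogin writes the login template to w, logging and returning if the template is unset or fails to execute.` (and the equivalent for the others) would help the next reader.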