auth
auth/client.go
Break client verification out, break token returns out. Break client verification out into a helper function to avoid rewriting it for pretty much every grant. Break token returns out into a new function as part of the GrantType, so that implicit grants can redirect with the token value. Split returning the token as JSON into its own exported function, which can be used in multiple grants. Return more relevant information to the template when a user is deciding whether or not to authorize a grant.
| paddy@6 | 1 package auth |
| paddy@0 | 2 |
| paddy@0 | 3 import ( |
| paddy@85 | 4 "encoding/json" |
| paddy@31 | 5 "errors" |
| paddy@85 | 6 "net/http" |
| paddy@41 | 7 "net/url" |
| paddy@41 | 8 "time" |
| paddy@31 | 9 |
| paddy@45 | 10 "code.secondbit.org/uuid" |
| paddy@0 | 11 ) |
| paddy@0 | 12 |
| paddy@31 | 13 var ( |
| paddy@57 | 14 // ErrNoClientStore is returned when a Context tries to act on a clientStore without setting one first. |
| paddy@57 | 15 ErrNoClientStore = errors.New("no clientStore was specified for the Context") |
| paddy@57 | 16 // ErrClientNotFound is returned when a Client is requested but not found in a clientStore. |
| paddy@57 | 17 ErrClientNotFound = errors.New("client not found in clientStore") |
| paddy@57 | 18 // ErrClientAlreadyExists is returned when a Client is added to a clientStore, but another Client with |
| paddy@57 | 19 // the same ID already exists in the clientStore. |
| paddy@57 | 20 ErrClientAlreadyExists = errors.New("client already exists in clientStore") |
| paddy@41 | 21 |
| paddy@57 | 22 // ErrEmptyChange is returned when a Change has all its properties set to nil. |
| paddy@57 | 23 ErrEmptyChange = errors.New("change must have at least one property set") |
| paddy@57 | 24 // ErrClientNameTooShort is returned when a Client's Name property is too short. |
| paddy@57 | 25 ErrClientNameTooShort = errors.New("client name must be at least 2 characters") |
| paddy@57 | 26 // ErrClientNameTooLong is returned when a Client's Name property is too long. |
| paddy@57 | 27 ErrClientNameTooLong = errors.New("client name must be at most 32 characters") |
| paddy@57 | 28 // ErrClientLogoTooLong is returned when a Client's Logo property is too long. |
| paddy@57 | 29 ErrClientLogoTooLong = errors.New("client logo must be at most 1024 characters") |
| paddy@57 | 30 // ErrClientLogoNotURL is returned when a Client's Logo property is not a valid absolute URL. |
| paddy@57 | 31 ErrClientLogoNotURL = errors.New("client logo must be a valid absolute URL") |
| paddy@57 | 32 // ErrClientWebsiteTooLong is returned when a Client's Website property is too long. |
| paddy@49 | 33 ErrClientWebsiteTooLong = errors.New("client website must be at most 1024 characters") |
| paddy@57 | 34 // ErrClientWebsiteNotURL is returned when a Client's Website property is not a valid absolute URL. |
| paddy@57 | 35 ErrClientWebsiteNotURL = errors.New("client website must be a valid absolute URL") |
| paddy@31 | 36 ) |
| paddy@31 | 37 |
| paddy@25 | 38 // Client represents a client that grants access |
| paddy@25 | 39 // to the auth server, exchanging grants for tokens, |
| paddy@25 | 40 // and tokens for access. |
| paddy@0 | 41 type Client struct { |
| paddy@41 | 42 ID uuid.ID |
| paddy@41 | 43 Secret string |
| paddy@41 | 44 OwnerID uuid.ID |
| paddy@41 | 45 Name string |
| paddy@41 | 46 Logo string |
| paddy@41 | 47 Website string |
| paddy@41 | 48 Type string |
| paddy@0 | 49 } |
| paddy@0 | 50 |
| paddy@57 | 51 // ApplyChange applies the properties of the passed |
| paddy@57 | 52 // ClientChange to the Client object it is called on. |
| paddy@39 | 53 func (c *Client) ApplyChange(change ClientChange) { |
| paddy@39 | 54 if change.Secret != nil { |
| paddy@39 | 55 c.Secret = *change.Secret |
| paddy@39 | 56 } |
| paddy@39 | 57 if change.OwnerID != nil { |
| paddy@39 | 58 c.OwnerID = change.OwnerID |
| paddy@39 | 59 } |
| paddy@39 | 60 if change.Name != nil { |
| paddy@39 | 61 c.Name = *change.Name |
| paddy@39 | 62 } |
| paddy@39 | 63 if change.Logo != nil { |
| paddy@39 | 64 c.Logo = *change.Logo |
| paddy@39 | 65 } |
| paddy@39 | 66 if change.Website != nil { |
| paddy@39 | 67 c.Website = *change.Website |
| paddy@39 | 68 } |
| paddy@39 | 69 } |
| paddy@39 | 70 |
| paddy@57 | 71 // ClientChange represents a bundle of options for |
| paddy@57 | 72 // updating a Client's mutable data. |
| paddy@31 | 73 type ClientChange struct { |
| paddy@41 | 74 Secret *string |
| paddy@41 | 75 OwnerID uuid.ID |
| paddy@41 | 76 Name *string |
| paddy@41 | 77 Logo *string |
| paddy@41 | 78 Website *string |
| paddy@31 | 79 } |
| paddy@31 | 80 |
| paddy@57 | 81 // Validate checks the ClientChange it is called on |
| paddy@57 | 82 // and asserts its internal validity, or lack thereof. |
| paddy@39 | 83 func (c ClientChange) Validate() error { |
| paddy@42 | 84 if c.Secret == nil && c.OwnerID == nil && c.Name == nil && c.Logo == nil && c.Website == nil { |
| paddy@42 | 85 return ErrEmptyChange |
| paddy@42 | 86 } |
| paddy@41 | 87 if c.Name != nil && len(*c.Name) < 2 { |
| paddy@41 | 88 return ErrClientNameTooShort |
| paddy@41 | 89 } |
| paddy@41 | 90 if c.Name != nil && len(*c.Name) > 32 { |
| paddy@41 | 91 return ErrClientNameTooLong |
| paddy@41 | 92 } |
| paddy@42 | 93 if c.Logo != nil && *c.Logo != "" { |
| paddy@42 | 94 if len(*c.Logo) > 1024 { |
| paddy@42 | 95 return ErrClientLogoTooLong |
| paddy@42 | 96 } |
| paddy@42 | 97 u, err := url.Parse(*c.Logo) |
| paddy@42 | 98 if err != nil || !u.IsAbs() { |
| paddy@42 | 99 return ErrClientLogoNotURL |
| paddy@42 | 100 } |
| paddy@41 | 101 } |
| paddy@42 | 102 if c.Website != nil && *c.Website != "" { |
| paddy@42 | 103 if len(*c.Website) > 140 { |
| paddy@42 | 104 return ErrClientWebsiteTooLong |
| paddy@42 | 105 } |
| paddy@42 | 106 u, err := url.Parse(*c.Website) |
| paddy@42 | 107 if err != nil || !u.IsAbs() { |
| paddy@42 | 108 return ErrClientWebsiteNotURL |
| paddy@42 | 109 } |
| paddy@41 | 110 } |
| paddy@39 | 111 return nil |
| paddy@39 | 112 } |
| paddy@39 | 113 |
| paddy@85 | 114 func verifyClient(w http.ResponseWriter, r *http.Request, allowPublic bool, context Context) (uuid.ID, bool) { |
| paddy@85 | 115 enc := json.NewEncoder(w) |
| paddy@85 | 116 clientIDStr, clientSecret, fromAuthHeader := r.BasicAuth() |
| paddy@85 | 117 if !fromAuthHeader { |
| paddy@85 | 118 if !allowPublic { |
| paddy@85 | 119 w.WriteHeader(http.StatusBadRequest) |
| paddy@85 | 120 renderJSONError(enc, "unauthorized_client") |
| paddy@85 | 121 return nil, false |
| paddy@85 | 122 } |
| paddy@85 | 123 clientIDStr = r.PostFormValue("client_id") |
| paddy@85 | 124 } |
| paddy@85 | 125 clientID, err := uuid.Parse(clientIDStr) |
| paddy@85 | 126 if err != nil { |
| paddy@85 | 127 w.WriteHeader(http.StatusUnauthorized) |
| paddy@85 | 128 if fromAuthHeader { |
| paddy@85 | 129 w.Header().Set("WWW-Authenticate", "Basic") |
| paddy@85 | 130 } |
| paddy@85 | 131 renderJSONError(enc, "invalid_client") |
| paddy@85 | 132 return nil, false |
| paddy@85 | 133 } |
| paddy@85 | 134 client, err := context.GetClient(clientID) |
| paddy@85 | 135 if err == ErrClientNotFound { |
| paddy@85 | 136 w.WriteHeader(http.StatusUnauthorized) |
| paddy@85 | 137 if fromAuthHeader { |
| paddy@85 | 138 w.Header().Set("WWW-Authenticate", "Basic") |
| paddy@85 | 139 } |
| paddy@85 | 140 renderJSONError(enc, "invalid_client") |
| paddy@85 | 141 return nil, false |
| paddy@85 | 142 } else if err != nil { |
| paddy@85 | 143 w.WriteHeader(http.StatusInternalServerError) |
| paddy@85 | 144 renderJSONError(enc, "server_error") |
| paddy@85 | 145 return nil, false |
| paddy@85 | 146 } |
| paddy@85 | 147 if client.Secret != clientSecret { |
| paddy@85 | 148 w.WriteHeader(http.StatusUnauthorized) |
| paddy@85 | 149 if fromAuthHeader { |
| paddy@85 | 150 w.Header().Set("WWW-Authenticate", "Basic") |
| paddy@85 | 151 } |
| paddy@85 | 152 renderJSONError(enc, "invalid_client") |
| paddy@85 | 153 return nil, false |
| paddy@85 | 154 } |
| paddy@85 | 155 return clientID, true |
| paddy@85 | 156 } |
| paddy@85 | 157 |
| paddy@57 | 158 // Endpoint represents a single URI that a Client |
| paddy@57 | 159 // controls. Users will be redirected to these URIs |
| paddy@57 | 160 // following successful authorization grants and |
| paddy@57 | 161 // exchanges for access tokens. |
| paddy@41 | 162 type Endpoint struct { |
| paddy@41 | 163 ID uuid.ID |
| paddy@41 | 164 ClientID uuid.ID |
| paddy@41 | 165 URI url.URL |
| paddy@41 | 166 Added time.Time |
| paddy@41 | 167 } |
| paddy@41 | 168 |
| paddy@41 | 169 type sortedEndpoints []Endpoint |
| paddy@41 | 170 |
| paddy@41 | 171 func (s sortedEndpoints) Len() int { |
| paddy@41 | 172 return len(s) |
| paddy@41 | 173 } |
| paddy@41 | 174 |
| paddy@41 | 175 func (s sortedEndpoints) Less(i, j int) bool { |
| paddy@41 | 176 return s[i].Added.Before(s[j].Added) |
| paddy@41 | 177 } |
| paddy@41 | 178 |
| paddy@41 | 179 func (s sortedEndpoints) Swap(i, j int) { |
| paddy@41 | 180 s[i], s[j] = s[j], s[i] |
| paddy@41 | 181 } |
| paddy@41 | 182 |
| paddy@57 | 183 type clientStore interface { |
| paddy@57 | 184 getClient(id uuid.ID) (Client, error) |
| paddy@57 | 185 saveClient(client Client) error |
| paddy@57 | 186 updateClient(id uuid.ID, change ClientChange) error |
| paddy@57 | 187 deleteClient(id uuid.ID) error |
| paddy@57 | 188 listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error) |
| paddy@41 | 189 |
| paddy@57 | 190 addEndpoint(client uuid.ID, endpoint Endpoint) error |
| paddy@57 | 191 removeEndpoint(client, endpoint uuid.ID) error |
| paddy@58 | 192 checkEndpoint(client uuid.ID, endpoint string) (bool, error) |
| paddy@57 | 193 listEndpoints(client uuid.ID, num, offset int) ([]Endpoint, error) |
| paddy@57 | 194 countEndpoints(client uuid.ID) (int64, error) |
| paddy@0 | 195 } |
| paddy@31 | 196 |
| paddy@57 | 197 func (m *memstore) getClient(id uuid.ID) (Client, error) { |
| paddy@31 | 198 m.clientLock.RLock() |
| paddy@31 | 199 defer m.clientLock.RUnlock() |
| paddy@31 | 200 c, ok := m.clients[id.String()] |
| paddy@31 | 201 if !ok { |
| paddy@31 | 202 return Client{}, ErrClientNotFound |
| paddy@31 | 203 } |
| paddy@31 | 204 return c, nil |
| paddy@31 | 205 } |
| paddy@31 | 206 |
| paddy@57 | 207 func (m *memstore) saveClient(client Client) error { |
| paddy@31 | 208 m.clientLock.Lock() |
| paddy@31 | 209 defer m.clientLock.Unlock() |
| paddy@31 | 210 if _, ok := m.clients[client.ID.String()]; ok { |
| paddy@31 | 211 return ErrClientAlreadyExists |
| paddy@31 | 212 } |
| paddy@31 | 213 m.clients[client.ID.String()] = client |
| paddy@31 | 214 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()], client.ID) |
| paddy@31 | 215 return nil |
| paddy@31 | 216 } |
| paddy@31 | 217 |
| paddy@57 | 218 func (m *memstore) updateClient(id uuid.ID, change ClientChange) error { |
| paddy@39 | 219 m.clientLock.Lock() |
| paddy@39 | 220 defer m.clientLock.Unlock() |
| paddy@39 | 221 c, ok := m.clients[id.String()] |
| paddy@39 | 222 if !ok { |
| paddy@39 | 223 return ErrClientNotFound |
| paddy@39 | 224 } |
| paddy@39 | 225 c.ApplyChange(change) |
| paddy@39 | 226 m.clients[id.String()] = c |
| paddy@31 | 227 return nil |
| paddy@31 | 228 } |
| paddy@31 | 229 |
| paddy@57 | 230 func (m *memstore) deleteClient(id uuid.ID) error { |
| paddy@57 | 231 client, err := m.getClient(id) |
| paddy@31 | 232 if err != nil { |
| paddy@31 | 233 return err |
| paddy@31 | 234 } |
| paddy@31 | 235 m.clientLock.Lock() |
| paddy@31 | 236 defer m.clientLock.Unlock() |
| paddy@31 | 237 delete(m.clients, id.String()) |
| paddy@31 | 238 pos := -1 |
| paddy@31 | 239 for p, item := range m.profileClientLookup[client.OwnerID.String()] { |
| paddy@31 | 240 if item.Equal(id) { |
| paddy@31 | 241 pos = p |
| paddy@31 | 242 break |
| paddy@31 | 243 } |
| paddy@31 | 244 } |
| paddy@31 | 245 if pos >= 0 { |
| paddy@31 | 246 m.profileClientLookup[client.OwnerID.String()] = append(m.profileClientLookup[client.OwnerID.String()][:pos], m.profileClientLookup[client.OwnerID.String()][pos+1:]...) |
| paddy@31 | 247 } |
| paddy@31 | 248 return nil |
| paddy@31 | 249 } |
| paddy@31 | 250 |
| paddy@57 | 251 func (m *memstore) listClientsByOwner(ownerID uuid.ID, num, offset int) ([]Client, error) { |
| paddy@33 | 252 ids := m.lookupClientsByProfileID(ownerID.String()) |
| paddy@31 | 253 if len(ids) > num+offset { |
| paddy@31 | 254 ids = ids[offset : num+offset] |
| paddy@31 | 255 } else if len(ids) > offset { |
| paddy@31 | 256 ids = ids[offset:] |
| paddy@31 | 257 } else { |
| paddy@31 | 258 return []Client{}, nil |
| paddy@31 | 259 } |
| paddy@31 | 260 clients := []Client{} |
| paddy@31 | 261 for _, id := range ids { |
| paddy@57 | 262 client, err := m.getClient(id) |
| paddy@31 | 263 if err != nil { |
| paddy@31 | 264 return []Client{}, err |
| paddy@31 | 265 } |
| paddy@31 | 266 clients = append(clients, client) |
| paddy@31 | 267 } |
| paddy@31 | 268 return clients, nil |
| paddy@31 | 269 } |
| paddy@41 | 270 |
| paddy@57 | 271 func (m *memstore) addEndpoint(client uuid.ID, endpoint Endpoint) error { |
| paddy@41 | 272 m.endpointLock.Lock() |
| paddy@41 | 273 defer m.endpointLock.Unlock() |
| paddy@41 | 274 m.endpoints[client.String()] = append(m.endpoints[client.String()], endpoint) |
| paddy@41 | 275 return nil |
| paddy@41 | 276 } |
| paddy@41 | 277 |
| paddy@57 | 278 func (m *memstore) removeEndpoint(client, endpoint uuid.ID) error { |
| paddy@41 | 279 m.endpointLock.Lock() |
| paddy@41 | 280 defer m.endpointLock.Unlock() |
| paddy@41 | 281 pos := -1 |
| paddy@41 | 282 for p, item := range m.endpoints[client.String()] { |
| paddy@41 | 283 if item.ID.Equal(endpoint) { |
| paddy@41 | 284 pos = p |
| paddy@41 | 285 break |
| paddy@41 | 286 } |
| paddy@41 | 287 } |
| paddy@41 | 288 if pos >= 0 { |
| paddy@41 | 289 m.endpoints[client.String()] = append(m.endpoints[client.String()][:pos], m.endpoints[client.String()][pos+1:]...) |
| paddy@41 | 290 } |
| paddy@41 | 291 return nil |
| paddy@41 | 292 } |
| paddy@41 | 293 |
| paddy@58 | 294 func (m *memstore) checkEndpoint(client uuid.ID, endpoint string) (bool, error) { |
| paddy@41 | 295 m.endpointLock.RLock() |
| paddy@41 | 296 defer m.endpointLock.RUnlock() |
| paddy@41 | 297 for _, candidate := range m.endpoints[client.String()] { |
| paddy@58 | 298 if endpoint == candidate.URI.String() { |
| paddy@41 | 299 return true, nil |
| paddy@41 | 300 } |
| paddy@41 | 301 } |
| paddy@41 | 302 return false, nil |
| paddy@41 | 303 } |
| paddy@41 | 304 |
| paddy@57 | 305 func (m *memstore) listEndpoints(client uuid.ID, num, offset int) ([]Endpoint, error) { |
| paddy@41 | 306 m.endpointLock.RLock() |
| paddy@41 | 307 defer m.endpointLock.RUnlock() |
| paddy@41 | 308 return m.endpoints[client.String()], nil |
| paddy@41 | 309 } |
| paddy@54 | 310 |
| paddy@57 | 311 func (m *memstore) countEndpoints(client uuid.ID) (int64, error) { |
| paddy@54 | 312 m.endpointLock.RLock() |
| paddy@54 | 313 defer m.endpointLock.RUnlock() |
| paddy@54 | 314 return int64(len(m.endpoints[client.String()])), nil |
| paddy@54 | 315 } |