auth
auth/oauth2.go
Add our BUG notices. Rather than keeping the list of things to implement or test on sticky notes attached to my monitor, let's give them BUG designations within the code. Now `godoc . bugs` will list them out for us. Isn't that nice?
| paddy@51 | 1 package auth |
| paddy@51 | 2 |
| paddy@51 | 3 import ( |
| paddy@69 | 4 "encoding/json" |
| paddy@69 | 5 "errors" |
| paddy@61 | 6 "html/template" |
| paddy@77 | 7 "log" |
| paddy@51 | 8 "net/http" |
| paddy@60 | 9 "net/url" |
| paddy@122 | 10 "strconv" |
| paddy@84 | 11 "sync" |
| paddy@60 | 12 "time" |
| paddy@56 | 13 |
| paddy@107 | 14 "code.secondbit.org/uuid.hg" |
| paddy@82 | 15 "github.com/gorilla/mux" |
| paddy@51 | 16 ) |
| paddy@51 | 17 |
| paddy@60 | 18 const ( |
| paddy@87 | 19 authCookieName = "auth" |
| paddy@87 | 20 defaultAuthorizationCodeExpiration = 600 // default to ten minute grant expirations |
| paddy@87 | 21 getAuthorizationCodeTemplateName = "get_grant" |
| paddy@60 | 22 ) |
| paddy@51 | 23 |
| paddy@69 | 24 var ( |
| paddy@69 | 25 // ErrNoAuth is returned when an Authorization header is not present or is empty. |
| paddy@69 | 26 ErrNoAuth = errors.New("no authorization header supplied") |
| paddy@69 | 27 // ErrInvalidAuthFormat is returned when an Authorization header is present but not the correct format. |
| paddy@69 | 28 ErrInvalidAuthFormat = errors.New("authorization header is not in a valid format") |
| paddy@69 | 29 // ErrIncorrectAuth is returned when a user authentication attempt does not match the stored values. |
| paddy@69 | 30 ErrIncorrectAuth = errors.New("invalid authentication") |
| paddy@69 | 31 // ErrInvalidPassphraseScheme is returned when an undefined passphrase scheme is used. |
| paddy@69 | 32 ErrInvalidPassphraseScheme = errors.New("invalid passphrase scheme") |
| paddy@69 | 33 // ErrNoSession is returned when no session ID is passed with a request. |
| paddy@69 | 34 ErrNoSession = errors.New("no session ID found") |
| paddy@84 | 35 |
| paddy@84 | 36 grantTypesMap = grantTypes{types: map[string]GrantType{}} |
| paddy@69 | 37 ) |
| paddy@69 | 38 |
| paddy@84 | 39 type grantTypes struct { |
| paddy@84 | 40 types map[string]GrantType |
| paddy@84 | 41 sync.RWMutex |
| paddy@84 | 42 } |
| paddy@84 | 43 |
| paddy@84 | 44 // GrantType defines a set of functions and metadata around a specific authorization grant strategy. |
| paddy@84 | 45 // |
| paddy@84 | 46 // The Validate function will be called when requests are made that match the GrantType, and should write any |
| paddy@84 | 47 // errors to the ResponseWriter. It is responsible for determining if the grant is valid and a token should be issued. |
| paddy@84 | 48 // It must return the scope the grant was for and the ID of the Profile that issued the grant, as well as if the grant |
| paddy@84 | 49 // is valid or not. It must not be nil. |
| paddy@84 | 50 // |
| paddy@84 | 51 // The Invalidate function will be called when the grant has successfully generated a token and the token has successfully |
| paddy@84 | 52 // been conveyed to the user. The Invalidate function is always called asynchronously, outside the request. It should take |
| paddy@84 | 53 // care of marking the grant as used, if the GrantType requires grants to be one-time only grants. The Invalidate function |
| paddy@84 | 54 // can be nil. |
| paddy@84 | 55 // |
| paddy@84 | 56 // IssuesRefresh determines whether the GrantType should yield a refresh token as well as an access token. If true, the client |
| paddy@84 | 57 // will be issued a refresh token. |
| paddy@85 | 58 // |
| paddy@123 | 59 // AllowsPublic determines whether the GrantType should allow public clients to use that grant. If true, clients without |
| paddy@123 | 60 // credentials will be able to use the grant to obtain a token. |
| paddy@123 | 61 // |
| paddy@124 | 62 // AuditString should return the string that will be saved in the resulting Token's CreatedFrom field, as an audit log of how |
| paddy@124 | 63 // the Token was authorized. |
| paddy@124 | 64 // |
| paddy@85 | 65 // The ReturnToken will be called when a token is created and needs to be returned to the client. If it returns true, the token |
| paddy@85 | 66 // was successfully returned and the Invalidate function will be called asynchronously. |
| paddy@84 | 67 type GrantType struct { |
| paddy@84 | 68 Validate func(w http.ResponseWriter, r *http.Request, context Context) (scope string, profileID uuid.ID, valid bool) |
| paddy@90 | 69 Invalidate func(r *http.Request, context Context) error |
| paddy@85 | 70 ReturnToken func(w http.ResponseWriter, r *http.Request, token Token, context Context) bool |
| paddy@124 | 71 AuditString func(r *http.Request) string |
| paddy@84 | 72 IssuesRefresh bool |
| paddy@123 | 73 AllowsPublic bool |
| paddy@84 | 74 } |
| paddy@84 | 75 |
| paddy@69 | 76 type tokenResponse struct { |
| paddy@69 | 77 AccessToken string `json:"access_token"` |
| paddy@69 | 78 TokenType string `json:"token_type,omitempty"` |
| paddy@69 | 79 ExpiresIn int32 `json:"expires_in,omitempty"` |
| paddy@69 | 80 RefreshToken string `json:"refresh_token,omitempty"` |
| paddy@69 | 81 } |
| paddy@69 | 82 |
| paddy@82 | 83 type errorResponse struct { |
| paddy@82 | 84 Error string `json:"error"` |
| paddy@82 | 85 Description string `json:"error_description,omitempty"` |
| paddy@82 | 86 URI string `json:"error_uri,omitempty"` |
| paddy@82 | 87 } |
| paddy@82 | 88 |
| paddy@84 | 89 // RegisterGrantType associates a string with a GrantType. When the string is used as the value for "grant_type" when obtaining |
| paddy@84 | 90 // an access token, the associated GrantType's properties will be used. |
| paddy@84 | 91 // |
| paddy@84 | 92 // RegisterGrantType should be called in the `init()` function of packages, much like database/sql registers drivers. It will panic |
| paddy@84 | 93 // if a GrantType tries to register under a string that already has a GrantType registered for it. |
| paddy@84 | 94 func RegisterGrantType(name string, g GrantType) { |
| paddy@84 | 95 grantTypesMap.Lock() |
| paddy@84 | 96 defer grantTypesMap.Unlock() |
| paddy@84 | 97 if _, ok := grantTypesMap.types[name]; ok { |
| paddy@84 | 98 panic("Duplicate registration of grant_type " + name) |
| paddy@84 | 99 } |
| paddy@84 | 100 grantTypesMap.types[name] = g |
| paddy@84 | 101 } |
| paddy@84 | 102 |
| paddy@84 | 103 func findGrantType(name string) (GrantType, bool) { |
| paddy@84 | 104 grantTypesMap.RLock() |
| paddy@84 | 105 defer grantTypesMap.RUnlock() |
| paddy@84 | 106 t, ok := grantTypesMap.types[name] |
| paddy@84 | 107 return t, ok |
| paddy@84 | 108 } |
| paddy@84 | 109 |
| paddy@82 | 110 func renderJSONError(enc *json.Encoder, errorType string) { |
| paddy@82 | 111 err := enc.Encode(errorResponse{ |
| paddy@82 | 112 Error: errorType, |
| paddy@82 | 113 }) |
| paddy@82 | 114 if err != nil { |
| paddy@90 | 115 log.Println(err) |
| paddy@69 | 116 } |
| paddy@69 | 117 } |
| paddy@69 | 118 |
| paddy@86 | 119 // RenderJSONToken is an implementation of the ReturnToken function for GrantTypes. It returns the token using JSON |
| paddy@86 | 120 // according to the spec. See RFC 6479, Section 4.1.4. |
| paddy@85 | 121 func RenderJSONToken(w http.ResponseWriter, r *http.Request, token Token, context Context) bool { |
| paddy@85 | 122 enc := json.NewEncoder(w) |
| paddy@85 | 123 resp := tokenResponse{ |
| paddy@85 | 124 AccessToken: token.AccessToken, |
| paddy@85 | 125 RefreshToken: token.RefreshToken, |
| paddy@85 | 126 ExpiresIn: token.ExpiresIn, |
| paddy@85 | 127 TokenType: token.TokenType, |
| paddy@85 | 128 } |
| paddy@109 | 129 w.Header().Set("Content-Type", "application/json") |
| paddy@85 | 130 err := enc.Encode(resp) |
| paddy@85 | 131 if err != nil { |
| paddy@90 | 132 log.Println(err) |
| paddy@85 | 133 return false |
| paddy@85 | 134 } |
| paddy@85 | 135 return true |
| paddy@85 | 136 } |
| paddy@85 | 137 |
| paddy@77 | 138 // RegisterOAuth2 adds handlers to the passed router to handle the OAuth2 endpoints. |
| paddy@77 | 139 func RegisterOAuth2(r *mux.Router, context Context) { |
| paddy@87 | 140 r.Handle("/authorize", wrap(context, GetAuthorizationCodeHandler)) |
| paddy@77 | 141 r.Handle("/token", wrap(context, GetTokenHandler)) |
| paddy@77 | 142 } |
| paddy@77 | 143 |
| paddy@87 | 144 // GetAuthorizationCodeHandler presents and processes the page for asking a user to grant access |
| paddy@57 | 145 // to their data. See RFC 6749, Section 4.1. |
| paddy@87 | 146 func GetAuthorizationCodeHandler(w http.ResponseWriter, r *http.Request, context Context) { |
| paddy@69 | 147 session, err := checkCookie(r, context) |
| paddy@69 | 148 if err != nil { |
| paddy@76 | 149 if err == ErrNoSession || err == ErrInvalidSession { |
| paddy@77 | 150 redir := buildLoginRedirect(r, context) |
| paddy@77 | 151 if redir == "" { |
| paddy@77 | 152 log.Println("No login URL configured.") |
| paddy@77 | 153 w.WriteHeader(http.StatusInternalServerError) |
| paddy@87 | 154 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@77 | 155 "internal_error": template.HTML("Missing login URL."), |
| paddy@77 | 156 }) |
| paddy@77 | 157 return |
| paddy@77 | 158 } |
| paddy@77 | 159 http.Redirect(w, r, redir, http.StatusFound) |
| paddy@77 | 160 return |
| paddy@69 | 161 } |
| paddy@77 | 162 log.Println(err.Error()) |
| paddy@77 | 163 w.WriteHeader(http.StatusInternalServerError) |
| paddy@87 | 164 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@77 | 165 "internal_error": template.HTML(err.Error()), |
| paddy@77 | 166 }) |
| paddy@77 | 167 return |
| paddy@69 | 168 } |
| paddy@56 | 169 if r.URL.Query().Get("client_id") == "" { |
| paddy@56 | 170 w.WriteHeader(http.StatusBadRequest) |
| paddy@87 | 171 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@61 | 172 "error": template.HTML("Client ID must be specified in the request."), |
| paddy@56 | 173 }) |
| paddy@56 | 174 return |
| paddy@56 | 175 } |
| paddy@56 | 176 clientID, err := uuid.Parse(r.URL.Query().Get("client_id")) |
| paddy@56 | 177 if err != nil { |
| paddy@56 | 178 w.WriteHeader(http.StatusBadRequest) |
| paddy@87 | 179 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@61 | 180 "error": template.HTML("client_id is not a valid Client ID."), |
| paddy@56 | 181 }) |
| paddy@56 | 182 return |
| paddy@56 | 183 } |
| paddy@64 | 184 redirectURI := r.URL.Query().Get("redirect_uri") |
| paddy@56 | 185 client, err := context.GetClient(clientID) |
| paddy@56 | 186 if err != nil { |
| paddy@59 | 187 if err == ErrClientNotFound { |
| paddy@59 | 188 w.WriteHeader(http.StatusBadRequest) |
| paddy@87 | 189 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@61 | 190 "error": template.HTML("The specified Client couldn’t be found."), |
| paddy@59 | 191 }) |
| paddy@59 | 192 } else { |
| paddy@77 | 193 log.Println(err.Error()) |
| paddy@59 | 194 w.WriteHeader(http.StatusInternalServerError) |
| paddy@87 | 195 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@61 | 196 "internal_error": template.HTML(err.Error()), |
| paddy@59 | 197 }) |
| paddy@59 | 198 } |
| paddy@56 | 199 return |
| paddy@56 | 200 } |
| paddy@128 | 201 // BUG(paddy): Checking if the redirect URI is valid should be a helper function. |
| paddy@128 | 202 |
| paddy@56 | 203 // whether a redirect URI is valid or not depends on the number of endpoints |
| paddy@56 | 204 // the client has registered |
| paddy@56 | 205 numEndpoints, err := context.CountEndpoints(clientID) |
| paddy@56 | 206 if err != nil { |
| paddy@77 | 207 log.Println(err.Error()) |
| paddy@56 | 208 w.WriteHeader(http.StatusInternalServerError) |
| paddy@87 | 209 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@61 | 210 "internal_error": template.HTML(err.Error()), |
| paddy@56 | 211 }) |
| paddy@56 | 212 return |
| paddy@56 | 213 } |
| paddy@56 | 214 var validURI bool |
| paddy@58 | 215 if redirectURI != "" { |
| paddy@58 | 216 validURI, err = context.CheckEndpoint(clientID, redirectURI) |
| paddy@56 | 217 if err != nil { |
| paddy@116 | 218 if err == ErrEndpointURINotURL { |
| paddy@116 | 219 w.WriteHeader(http.StatusBadRequest) |
| paddy@116 | 220 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@116 | 221 "error": template.HTML("The redirect_uri specified is not valid."), |
| paddy@116 | 222 }) |
| paddy@116 | 223 return |
| paddy@116 | 224 } |
| paddy@77 | 225 log.Println(err.Error()) |
| paddy@56 | 226 w.WriteHeader(http.StatusInternalServerError) |
| paddy@87 | 227 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@61 | 228 "internal_error": template.HTML(err.Error()), |
| paddy@56 | 229 }) |
| paddy@56 | 230 return |
| paddy@56 | 231 } |
| paddy@56 | 232 } else if redirectURI == "" && numEndpoints == 1 { |
| paddy@56 | 233 // if we don't specify the endpoint and there's only one endpoint, the |
| paddy@56 | 234 // request is valid, and we're redirecting to that one endpoint |
| paddy@56 | 235 validURI = true |
| paddy@56 | 236 endpoints, err := context.ListEndpoints(clientID, 1, 0) |
| paddy@56 | 237 if err != nil { |
| paddy@77 | 238 log.Println(err.Error()) |
| paddy@56 | 239 w.WriteHeader(http.StatusInternalServerError) |
| paddy@87 | 240 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@61 | 241 "internal_error": template.HTML(err.Error()), |
| paddy@56 | 242 }) |
| paddy@56 | 243 return |
| paddy@56 | 244 } |
| paddy@56 | 245 if len(endpoints) != 1 { |
| paddy@56 | 246 validURI = false |
| paddy@56 | 247 } else { |
| paddy@116 | 248 redirectURI = endpoints[0].URI |
| paddy@56 | 249 } |
| paddy@56 | 250 } else { |
| paddy@56 | 251 validURI = false |
| paddy@56 | 252 } |
| paddy@56 | 253 if !validURI { |
| paddy@56 | 254 w.WriteHeader(http.StatusBadRequest) |
| paddy@87 | 255 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@61 | 256 "error": template.HTML("The redirect_uri specified is not valid."), |
| paddy@56 | 257 }) |
| paddy@56 | 258 return |
| paddy@56 | 259 } |
| paddy@116 | 260 redirectURL, err := url.Parse(redirectURI) |
| paddy@116 | 261 if err != nil { |
| paddy@116 | 262 w.WriteHeader(http.StatusBadRequest) |
| paddy@116 | 263 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@116 | 264 "error": template.HTML("The redirect_uri specified is not valid."), |
| paddy@116 | 265 }) |
| paddy@116 | 266 return |
| paddy@116 | 267 } |
| paddy@60 | 268 scope := r.URL.Query().Get("scope") |
| paddy@60 | 269 state := r.URL.Query().Get("state") |
| paddy@122 | 270 responseType := r.URL.Query().Get("response_type") |
| paddy@122 | 271 q := redirectURL.Query() |
| paddy@122 | 272 q.Add("state", state) |
| paddy@122 | 273 if responseType != "code" && responseType != "token" { |
| paddy@65 | 274 q.Add("error", "invalid_request") |
| paddy@65 | 275 redirectURL.RawQuery = q.Encode() |
| paddy@60 | 276 http.Redirect(w, r, redirectURL.String(), http.StatusFound) |
| paddy@60 | 277 return |
| paddy@56 | 278 } |
| paddy@56 | 279 if r.Method == "POST" { |
| paddy@63 | 280 // BUG(paddy): We need to implement CSRF protection when obtaining a grant code. |
| paddy@56 | 281 if r.PostFormValue("grant") == "approved" { |
| paddy@122 | 282 var fragment bool |
| paddy@122 | 283 switch responseType { |
| paddy@122 | 284 case "code": |
| paddy@122 | 285 code := uuid.NewID().String() |
| paddy@122 | 286 authCode := AuthorizationCode{ |
| paddy@122 | 287 Code: code, |
| paddy@122 | 288 Created: time.Now(), |
| paddy@122 | 289 ExpiresIn: defaultAuthorizationCodeExpiration, |
| paddy@122 | 290 ClientID: clientID, |
| paddy@122 | 291 Scope: scope, |
| paddy@122 | 292 RedirectURI: r.URL.Query().Get("redirect_uri"), |
| paddy@122 | 293 State: state, |
| paddy@122 | 294 ProfileID: session.ProfileID, |
| paddy@122 | 295 } |
| paddy@122 | 296 err := context.SaveAuthorizationCode(authCode) |
| paddy@122 | 297 if err != nil { |
| paddy@122 | 298 log.Println("Error saving authorization code:", err) |
| paddy@122 | 299 q.Add("error", "server_error") |
| paddy@122 | 300 break |
| paddy@122 | 301 } |
| paddy@122 | 302 q.Add("code", code) |
| paddy@122 | 303 case "token": |
| paddy@122 | 304 token := Token{ |
| paddy@122 | 305 AccessToken: uuid.NewID().String(), |
| paddy@122 | 306 Created: time.Now(), |
| paddy@125 | 307 CreatedFrom: "implicit", |
| paddy@122 | 308 ExpiresIn: defaultTokenExpiration, |
| paddy@122 | 309 TokenType: "bearer", |
| paddy@122 | 310 Scope: scope, |
| paddy@122 | 311 ProfileID: session.ProfileID, |
| paddy@125 | 312 ClientID: clientID, |
| paddy@122 | 313 } |
| paddy@122 | 314 err := context.SaveToken(token) |
| paddy@122 | 315 if err != nil { |
| paddy@122 | 316 log.Println("Error saving token:", err) |
| paddy@122 | 317 q.Add("error", "server_error") |
| paddy@122 | 318 break |
| paddy@122 | 319 } |
| paddy@122 | 320 q = url.Values{} // we're not altering the querystring, so don't clone it |
| paddy@122 | 321 q.Add("access_token", token.AccessToken) |
| paddy@122 | 322 q.Add("token_type", token.TokenType) |
| paddy@122 | 323 q.Add("expires_in", strconv.FormatInt(int64(token.ExpiresIn), 10)) |
| paddy@122 | 324 q.Add("scope", token.Scope) |
| paddy@122 | 325 q.Add("state", state) // we wiped out the old values, so we need to set the state again |
| paddy@122 | 326 fragment = true |
| paddy@60 | 327 } |
| paddy@122 | 328 if fragment { |
| paddy@122 | 329 redirectURL.Fragment = q.Encode() |
| paddy@122 | 330 } else { |
| paddy@66 | 331 redirectURL.RawQuery = q.Encode() |
| paddy@60 | 332 } |
| paddy@60 | 333 http.Redirect(w, r, redirectURL.String(), http.StatusFound) |
| paddy@60 | 334 return |
| paddy@56 | 335 } |
| paddy@66 | 336 q.Add("error", "access_denied") |
| paddy@66 | 337 redirectURL.RawQuery = q.Encode() |
| paddy@60 | 338 http.Redirect(w, r, redirectURL.String(), http.StatusFound) |
| paddy@60 | 339 return |
| paddy@56 | 340 } |
| paddy@85 | 341 profile, err := context.GetProfileByID(session.ProfileID) |
| paddy@85 | 342 if err != nil { |
| paddy@122 | 343 log.Println("Error getting profile from session:", err) |
| paddy@85 | 344 q.Add("error", "server_error") |
| paddy@85 | 345 redirectURL.RawQuery = q.Encode() |
| paddy@85 | 346 http.Redirect(w, r, redirectURL.String(), http.StatusFound) |
| paddy@85 | 347 return |
| paddy@85 | 348 } |
| paddy@51 | 349 w.WriteHeader(http.StatusOK) |
| paddy@87 | 350 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{ |
| paddy@85 | 351 "client": client, |
| paddy@85 | 352 "redirectURL": redirectURL, |
| paddy@85 | 353 "scope": scope, |
| paddy@85 | 354 "profile": profile, |
| paddy@56 | 355 }) |
| paddy@51 | 356 } |
| paddy@68 | 357 |
| paddy@69 | 358 // GetTokenHandler allows a client to exchange an authorization grant for an |
| paddy@69 | 359 // access token. See RFC 6749 Section 4.1.3. |
| paddy@69 | 360 func GetTokenHandler(w http.ResponseWriter, r *http.Request, context Context) { |
| paddy@69 | 361 enc := json.NewEncoder(w) |
| paddy@69 | 362 grantType := r.PostFormValue("grant_type") |
| paddy@84 | 363 gt, ok := findGrantType(grantType) |
| paddy@84 | 364 if !ok { |
| paddy@82 | 365 w.WriteHeader(http.StatusBadRequest) |
| paddy@82 | 366 renderJSONError(enc, "invalid_request") |
| paddy@69 | 367 return |
| paddy@69 | 368 } |
| paddy@123 | 369 clientID, success := verifyClient(w, r, gt.AllowsPublic, context) |
| paddy@123 | 370 if !success { |
| paddy@123 | 371 return |
| paddy@123 | 372 } |
| paddy@84 | 373 scope, profileID, valid := gt.Validate(w, r, context) |
| paddy@84 | 374 if !valid { |
| paddy@69 | 375 return |
| paddy@69 | 376 } |
| paddy@84 | 377 refresh := "" |
| paddy@84 | 378 if gt.IssuesRefresh { |
| paddy@84 | 379 refresh = uuid.NewID().String() |
| paddy@69 | 380 } |
| paddy@69 | 381 token := Token{ |
| paddy@125 | 382 AccessToken: uuid.NewID().String(), |
| paddy@125 | 383 RefreshToken: refresh, |
| paddy@125 | 384 Created: time.Now(), |
| paddy@125 | 385 CreatedFrom: gt.AuditString(r), |
| paddy@125 | 386 ExpiresIn: defaultTokenExpiration, |
| paddy@125 | 387 TokenType: "bearer", |
| paddy@125 | 388 Scope: scope, |
| paddy@125 | 389 ProfileID: profileID, |
| paddy@125 | 390 ClientID: clientID, |
| paddy@69 | 391 } |
| paddy@84 | 392 err := context.SaveToken(token) |
| paddy@69 | 393 if err != nil { |
| paddy@82 | 394 w.WriteHeader(http.StatusInternalServerError) |
| paddy@82 | 395 renderJSONError(enc, "server_error") |
| paddy@81 | 396 return |
| paddy@69 | 397 } |
| paddy@85 | 398 if gt.ReturnToken(w, r, token, context) && gt.Invalidate != nil { |
| paddy@85 | 399 go gt.Invalidate(r, context) |
| paddy@69 | 400 } |
| paddy@69 | 401 } |