auth
auth/oauth2.go
Break client verification out, break token returns out. Break client verification out into a helper function to avoid rewriting it for pretty much every grant. Break token returns out into a new function as part of the GrantType, so that implicit grants can redirect with the token value. Split returning the token as JSON into its own exported function, which can be used in multiple grants. Return more relevant information to the template when a user is deciding whether or not to authorize a grant.
1.1 --- a/oauth2.go Sat Dec 06 03:33:11 2014 -0500 1.2 +++ b/oauth2.go Sun Dec 07 02:52:39 2014 -0500 1.3 @@ -58,9 +58,13 @@ 1.4 // 1.5 // IssuesRefresh determines whether the GrantType should yield a refresh token as well as an access token. If true, the client 1.6 // will be issued a refresh token. 1.7 +// 1.8 +// The ReturnToken will be called when a token is created and needs to be returned to the client. If it returns true, the token 1.9 +// was successfully returned and the Invalidate function will be called asynchronously. 1.10 type GrantType struct { 1.11 Validate func(w http.ResponseWriter, r *http.Request, context Context) (scope string, profileID uuid.ID, valid bool) 1.12 Invalidate func(r *http.Request, context Context) bool 1.13 + ReturnToken func(w http.ResponseWriter, r *http.Request, token Token, context Context) bool 1.14 IssuesRefresh bool 1.15 } 1.16 1.17 @@ -107,6 +111,22 @@ 1.18 } 1.19 } 1.20 1.21 +func RenderJSONToken(w http.ResponseWriter, r *http.Request, token Token, context Context) bool { 1.22 + enc := json.NewEncoder(w) 1.23 + resp := tokenResponse{ 1.24 + AccessToken: token.AccessToken, 1.25 + RefreshToken: token.RefreshToken, 1.26 + ExpiresIn: token.ExpiresIn, 1.27 + TokenType: token.TokenType, 1.28 + } 1.29 + err := enc.Encode(resp) 1.30 + if err != nil { 1.31 + // TODO(paddy): log this or something 1.32 + return false 1.33 + } 1.34 + return true 1.35 +} 1.36 + 1.37 func checkCookie(r *http.Request, context Context) (Session, error) { 1.38 cookie, err := r.Cookie(authCookieName) 1.39 if err == http.ErrNoCookie { 1.40 @@ -339,9 +359,21 @@ 1.41 http.Redirect(w, r, redirectURL.String(), http.StatusFound) 1.42 return 1.43 } 1.44 + profile, err := context.GetProfileByID(session.ProfileID) 1.45 + if err != nil { 1.46 + q := redirectURL.Query() 1.47 + q.Add("error", "server_error") 1.48 + q.Add("state", state) 1.49 + redirectURL.RawQuery = q.Encode() 1.50 + http.Redirect(w, r, redirectURL.String(), http.StatusFound) 1.51 + return 1.52 + } 1.53 w.WriteHeader(http.StatusOK) 1.54 context.Render(w, getGrantTemplateName, map[string]interface{}{ 1.55 - "client": client, 1.56 + "client": client, 1.57 + "redirectURL": redirectURL, 1.58 + "scope": scope, 1.59 + "profile": profile, 1.60 }) 1.61 } 1.62 1.63 @@ -379,18 +411,9 @@ 1.64 renderJSONError(enc, "server_error") 1.65 return 1.66 } 1.67 - resp := tokenResponse{ 1.68 - AccessToken: token.AccessToken, 1.69 - RefreshToken: token.RefreshToken, 1.70 - ExpiresIn: token.ExpiresIn, 1.71 - TokenType: token.TokenType, 1.72 + if gt.ReturnToken(w, r, token, context) && gt.Invalidate != nil { 1.73 + go gt.Invalidate(r, context) 1.74 } 1.75 - err = enc.Encode(resp) 1.76 - if err != nil { 1.77 - // TODO(paddy): log this or something 1.78 - return 1.79 - } 1.80 - // BUG(paddy): we need to invalidate the grant for future requests 1.81 } 1.82 1.83 // TODO(paddy): exchange user credentials for access token