auth/context.go
Note the potential for CSRF attacks. Our auth provider probably shouldn't have security vulnerabilities. Add TODOs to ensure that logging in and authorizing a grant are not susceptible to CSRF attacks; otherwise an attacker who can make a victim's browser submit the login or consent form can fairly easily gain access to the user's data or to the user's account.
1 package auth
3 import (
4 "encoding/json"
5 "html/template"
6 "io"
7 "log"
8 )
// Context bundles the dependencies the auth handlers need: server
// configuration, the client/token/profile stores, a logger and the
// parsed HTML templates. The Render* methods below use a value
// receiver, so a Context is copied on every call.
type Context struct {
	Config   ServerConfig
	Clients  ClientStore
	Tokens   TokenStore
	Profiles ProfileStore
	// Log is the logger intended for handler diagnostics.
	Log *log.Logger
	// Templates holds the HTML pages the Render* methods execute.
	Templates Templates
}
// Templates holds the parsed html/template pages rendered by Context.
// Any of them may be nil; the Render* methods check for that and log
// instead of rendering.
type Templates struct {
	// Error is executed with a map holding the error under the key "err".
	Error *template.Template
	// Confirmation (the grant-consent page) is executed with nil data.
	Confirmation *template.Template
	// Login is executed with nil data.
	Login *template.Template
}
// jsonError is the wire shape of an OAuth 2.0 error response; the JSON
// tags match the response members "error", "error_description",
// "error_uri" and "state". Empty members are omitted from the output.
type jsonError struct {
	Error       string `json:"error,omitempty"`
	Description string `json:"error_description,omitempty"`
	URI         string `json:"error_uri,omitempty"`
	// State is the client's state value. Nothing in this file populates
	// it: RenderJSONError sets only Error, Description and URI.
	State string `json:"state,omitempty"`
}
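// RenderError renders err through the HTML error template into w.
//
// The template receives the error under the key "err". Because the
// template is an html/template, whatever the template prints of it is
// context-escaped on output, so an attacker-influenced error message
// cannot inject markup. The escaping does not hide the text itself,
// though, so callers should pass user-facing errors rather than internal
// ones that may disclose implementation details.
//
// If no error template is configured, or executing it fails, the problem
// is logged — to c.Log when it is set, otherwise to the package-level
// logger — and nothing else is written. A failed Execute may already
// have written partial output to w.
func (c Context) RenderError(w io.Writer, err error) {
	logf := log.Printf
	if c.Log != nil {
		logf = c.Log.Printf
	}
	if c.Templates.Error == nil {
		logf("Error template is nil, can't render error.")
		return
	}
	data := map[string]interface{}{"err": err}
	if renderErr := c.Templates.Error.Execute(w, data); renderErr != nil {
		logf("Error executing error template (oh, the irony): %s\n", renderErr)
	}
}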
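// RenderJSONError writes an OAuth 2.0-style JSON error object to w.
//
// code becomes the "error" member, description the "error_description"
// member and baseURI the "error_uri" member. Only those three members
// are emitted; the "state" member of jsonError is never set here, so a
// caller that must echo the client's state (authorization-endpoint
// errors) cannot do so through this helper.
//
// This function only has an io.Writer, so the HTTP status code and the
// "Content-Type: application/json" header are the caller's
// responsibility; set them before calling, so a description that
// reflects request input is not interpreted as HTML by a sniffing
// browser. Marshal and write failures are logged — to c.Log when set,
// otherwise the package-level logger — and nothing further is reported.
func (c Context) RenderJSONError(w io.Writer, code, description, baseURI string) {
	logf := log.Printf
	if c.Log != nil {
		logf = c.Log.Printf
	}
	body, err := json.Marshal(jsonError{
		Error:       code,
		Description: description,
		URI:         baseURI,
	})
	if err != nil {
		logf("Error marshalling json error (oh, the irony): %s\n", err)
		return
	}
	if _, err = w.Write(body); err != nil {
		logf("Error writing json error: %s\n", err)
	}
}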
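// RenderConfirmation renders the grant-confirmation (consent) page into w.
//
// The template is executed with nil data, so nothing request- or
// session-specific reaches the form. If the template is not configured,
// or execution fails, the problem is logged (to c.Log when set,
// otherwise the package-level logger) and nothing else is written.
//
// TODO: CSRF prevention. A consent form that a third-party page can
// auto-submit lets an attacker approve a grant on the victim's behalf.
// The form needs an unpredictable per-session token in a hidden field
// that the handler receiving the POST compares against the session
// (with a SameSite attribute on the session cookie as defense in depth).
// Emitting the token here means executing the template with data that
// carries it, which requires widening this method's signature; the
// verification itself belongs in the POST handler, not here.
func (c Context) RenderConfirmation(w io.Writer) {
	logf := log.Printf
	if c.Log != nil {
		logf = c.Log.Printf
	}
	page := c.Templates.Confirmation
	if page == nil {
		logf("Confirmation template is nil, can't render confirmation.")
		return
	}
	if err := page.Execute(w, nil); err != nil {
		logf("Error executing confirmation template: %s\n", err)
	}
}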
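// RenderLogin renders the login page into w.
//
// The template is executed with nil data, so nothing request- or
// session-specific reaches the form. If the template is not configured,
// or execution fails, the problem is logged (to c.Log when set,
// otherwise the package-level logger) and nothing else is written.
// The nil-template message previously said "confirmation"; it now names
// the login template so the two cases are distinguishable in logs.
//
// TODO: CSRF prevention. A login form that a third-party page can
// auto-submit enables login CSRF: the attacker signs the victim's
// browser into an account the attacker controls, and anything the
// victim then does or stores lands in that account. The form needs an
// unpredictable per-session token in a hidden field that the handler
// receiving the POST checks against the session (with a SameSite
// attribute on the session cookie as defense in depth). Emitting the
// token here means executing the template with data that carries it,
// which requires widening this method's signature; the verification
// belongs in the POST handler.
func (c Context) RenderLogin(w io.Writer) {
	logf := log.Printf
	if c.Log != nil {
		logf = c.Log.Printf
	}
	page := c.Templates.Login
	if page == nil {
		logf("Login template is nil, can't render login.")
		return
	}
	if err := page.Execute(w, nil); err != nil {
		logf("Error executing login template: %s\n", err)
	}
}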
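// RenderJSONToken writes data, a token response, to w as JSON.
//
// This function only has an io.Writer, so the caller must set the HTTP
// headers a token response needs: "Content-Type: application/json" and,
// because the body carries credentials, "Cache-Control: no-store" (and
// "Pragma: no-cache") as RFC 6749 §5.1 requires. Marshal and write
// failures are logged — to c.Log when set, otherwise the package-level
// logger — and nothing further is reported, so the caller cannot tell
// whether the response was sent.
func (c Context) RenderJSONToken(w io.Writer, data AccessData) {
	logf := log.Printf
	if c.Log != nil {
		logf = c.Log.Printf
	}
	body, err := json.Marshal(data)
	if err != nil {
		logf("Error marshalling json token: %s\n", err)
		return
	}
	if _, err = w.Write(body); err != nil {
		logf("Error writing json token: %s\n", err)
	}
}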