auth
auth/oauth2.go
Fix bug when issuing client secret. Client secrets were only issued to public clients, not only to confidential clients. Oops.
1 package auth
3 import (
4 "encoding/json"
5 "errors"
6 "html/template"
7 "log"
8 "net/http"
9 "net/url"
10 "sync"
11 "time"
13 "code.secondbit.org/uuid.hg"
14 "github.com/gorilla/mux"
15 )
17 const (
18 authCookieName = "auth"
19 defaultAuthorizationCodeExpiration = 600 // default to ten minute grant expirations
20 getAuthorizationCodeTemplateName = "get_grant"
21 )
23 var (
24 // ErrNoAuth is returned when an Authorization header is not present or is empty.
25 ErrNoAuth = errors.New("no authorization header supplied")
26 // ErrInvalidAuthFormat is returned when an Authorization header is present but not the correct format.
27 ErrInvalidAuthFormat = errors.New("authorization header is not in a valid format")
28 // ErrIncorrectAuth is returned when a user authentication attempt does not match the stored values.
29 ErrIncorrectAuth = errors.New("invalid authentication")
30 // ErrInvalidPassphraseScheme is returned when an undefined passphrase scheme is used.
31 ErrInvalidPassphraseScheme = errors.New("invalid passphrase scheme")
32 // ErrNoSession is returned when no session ID is passed with a request.
33 ErrNoSession = errors.New("no session ID found")
35 grantTypesMap = grantTypes{types: map[string]GrantType{}}
36 )
38 type grantTypes struct {
39 types map[string]GrantType
40 sync.RWMutex
41 }
43 // GrantType defines a set of functions and metadata around a specific authorization grant strategy.
44 //
45 // The Validate function will be called when requests are made that match the GrantType, and should write any
46 // errors to the ResponseWriter. It is responsible for determining if the grant is valid and a token should be issued.
47 // It must return the scope the grant was for and the ID of the Profile that issued the grant, as well as if the grant
48 // is valid or not. It must not be nil.
49 //
50 // The Invalidate function will be called when the grant has successfully generated a token and the token has successfully
51 // been conveyed to the user. The Invalidate function is always called asynchronously, outside the request. It should take
52 // care of marking the grant as used, if the GrantType requires grants to be one-time only grants. The Invalidate function
53 // can be nil.
54 //
55 // IssuesRefresh determines whether the GrantType should yield a refresh token as well as an access token. If true, the client
56 // will be issued a refresh token.
57 //
58 // The ReturnToken will be called when a token is created and needs to be returned to the client. If it returns true, the token
59 // was successfully returned and the Invalidate function will be called asynchronously.
60 type GrantType struct {
61 Validate func(w http.ResponseWriter, r *http.Request, context Context) (scope string, profileID uuid.ID, valid bool)
62 Invalidate func(r *http.Request, context Context) error
63 ReturnToken func(w http.ResponseWriter, r *http.Request, token Token, context Context) bool
64 IssuesRefresh bool
65 }
67 type tokenResponse struct {
68 AccessToken string `json:"access_token"`
69 TokenType string `json:"token_type,omitempty"`
70 ExpiresIn int32 `json:"expires_in,omitempty"`
71 RefreshToken string `json:"refresh_token,omitempty"`
72 }
74 type errorResponse struct {
75 Error string `json:"error"`
76 Description string `json:"error_description,omitempty"`
77 URI string `json:"error_uri,omitempty"`
78 }
80 // RegisterGrantType associates a string with a GrantType. When the string is used as the value for "grant_type" when obtaining
81 // an access token, the associated GrantType's properties will be used.
82 //
83 // RegisterGrantType should be called in the `init()` function of packages, much like database/sql registers drivers. It will panic
84 // if a GrantType tries to register under a string that already has a GrantType registered for it.
85 func RegisterGrantType(name string, g GrantType) {
86 grantTypesMap.Lock()
87 defer grantTypesMap.Unlock()
88 if _, ok := grantTypesMap.types[name]; ok {
89 panic("Duplicate registration of grant_type " + name)
90 }
91 grantTypesMap.types[name] = g
92 }
94 func findGrantType(name string) (GrantType, bool) {
95 grantTypesMap.RLock()
96 defer grantTypesMap.RUnlock()
97 t, ok := grantTypesMap.types[name]
98 return t, ok
99 }
101 func renderJSONError(enc *json.Encoder, errorType string) {
102 err := enc.Encode(errorResponse{
103 Error: errorType,
104 })
105 if err != nil {
106 log.Println(err)
107 }
108 }
110 // RenderJSONToken is an implementation of the ReturnToken function for GrantTypes. It returns the token using JSON
111 // according to the spec. See RFC 6479, Section 4.1.4.
112 func RenderJSONToken(w http.ResponseWriter, r *http.Request, token Token, context Context) bool {
113 enc := json.NewEncoder(w)
114 resp := tokenResponse{
115 AccessToken: token.AccessToken,
116 RefreshToken: token.RefreshToken,
117 ExpiresIn: token.ExpiresIn,
118 TokenType: token.TokenType,
119 }
120 w.Header().Set("Content-Type", "application/json")
121 err := enc.Encode(resp)
122 if err != nil {
123 log.Println(err)
124 return false
125 }
126 return true
127 }
129 // RegisterOAuth2 adds handlers to the passed router to handle the OAuth2 endpoints.
130 func RegisterOAuth2(r *mux.Router, context Context) {
131 r.Handle("/authorize", wrap(context, GetAuthorizationCodeHandler))
132 r.Handle("/token", wrap(context, GetTokenHandler))
133 }
135 // GetAuthorizationCodeHandler presents and processes the page for asking a user to grant access
136 // to their data. See RFC 6749, Section 4.1.
137 func GetAuthorizationCodeHandler(w http.ResponseWriter, r *http.Request, context Context) {
138 session, err := checkCookie(r, context)
139 if err != nil {
140 if err == ErrNoSession || err == ErrInvalidSession {
141 redir := buildLoginRedirect(r, context)
142 if redir == "" {
143 log.Println("No login URL configured.")
144 w.WriteHeader(http.StatusInternalServerError)
145 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
146 "internal_error": template.HTML("Missing login URL."),
147 })
148 return
149 }
150 http.Redirect(w, r, redir, http.StatusFound)
151 return
152 }
153 log.Println(err.Error())
154 w.WriteHeader(http.StatusInternalServerError)
155 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
156 "internal_error": template.HTML(err.Error()),
157 })
158 return
159 }
160 if r.URL.Query().Get("client_id") == "" {
161 w.WriteHeader(http.StatusBadRequest)
162 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
163 "error": template.HTML("Client ID must be specified in the request."),
164 })
165 return
166 }
167 clientID, err := uuid.Parse(r.URL.Query().Get("client_id"))
168 if err != nil {
169 w.WriteHeader(http.StatusBadRequest)
170 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
171 "error": template.HTML("client_id is not a valid Client ID."),
172 })
173 return
174 }
175 redirectURI := r.URL.Query().Get("redirect_uri")
176 client, err := context.GetClient(clientID)
177 if err != nil {
178 if err == ErrClientNotFound {
179 w.WriteHeader(http.StatusBadRequest)
180 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
181 "error": template.HTML("The specified Client couldn’t be found."),
182 })
183 } else {
184 log.Println(err.Error())
185 w.WriteHeader(http.StatusInternalServerError)
186 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
187 "internal_error": template.HTML(err.Error()),
188 })
189 }
190 return
191 }
192 // BUG(paddy): checking if the redirect URI is valid should be a helper function
193 // whether a redirect URI is valid or not depends on the number of endpoints
194 // the client has registered
195 numEndpoints, err := context.CountEndpoints(clientID)
196 if err != nil {
197 log.Println(err.Error())
198 w.WriteHeader(http.StatusInternalServerError)
199 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
200 "internal_error": template.HTML(err.Error()),
201 })
202 return
203 }
204 var validURI bool
205 if redirectURI != "" {
206 validURI, err = context.CheckEndpoint(clientID, redirectURI)
207 if err != nil {
208 if err == ErrEndpointURINotURL {
209 w.WriteHeader(http.StatusBadRequest)
210 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
211 "error": template.HTML("The redirect_uri specified is not valid."),
212 })
213 return
214 }
215 log.Println(err.Error())
216 w.WriteHeader(http.StatusInternalServerError)
217 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
218 "internal_error": template.HTML(err.Error()),
219 })
220 return
221 }
222 } else if redirectURI == "" && numEndpoints == 1 {
223 // if we don't specify the endpoint and there's only one endpoint, the
224 // request is valid, and we're redirecting to that one endpoint
225 validURI = true
226 endpoints, err := context.ListEndpoints(clientID, 1, 0)
227 if err != nil {
228 log.Println(err.Error())
229 w.WriteHeader(http.StatusInternalServerError)
230 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
231 "internal_error": template.HTML(err.Error()),
232 })
233 return
234 }
235 if len(endpoints) != 1 {
236 validURI = false
237 } else {
238 redirectURI = endpoints[0].URI
239 }
240 } else {
241 validURI = false
242 }
243 if !validURI {
244 w.WriteHeader(http.StatusBadRequest)
245 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
246 "error": template.HTML("The redirect_uri specified is not valid."),
247 })
248 return
249 }
250 redirectURL, err := url.Parse(redirectURI)
251 if err != nil {
252 w.WriteHeader(http.StatusBadRequest)
253 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
254 "error": template.HTML("The redirect_uri specified is not valid."),
255 })
256 return
257 }
258 scope := r.URL.Query().Get("scope")
259 state := r.URL.Query().Get("state")
260 if r.URL.Query().Get("response_type") != "code" {
261 q := redirectURL.Query()
262 q.Add("error", "invalid_request")
263 q.Add("state", state)
264 redirectURL.RawQuery = q.Encode()
265 http.Redirect(w, r, redirectURL.String(), http.StatusFound)
266 return
267 }
268 if r.Method == "POST" {
269 // BUG(paddy): We need to implement CSRF protection when obtaining a grant code.
270 if r.PostFormValue("grant") == "approved" {
271 code := uuid.NewID().String()
272 authCode := AuthorizationCode{
273 Code: code,
274 Created: time.Now(),
275 ExpiresIn: defaultAuthorizationCodeExpiration,
276 ClientID: clientID,
277 Scope: scope,
278 RedirectURI: r.URL.Query().Get("redirect_uri"),
279 State: state,
280 ProfileID: session.ProfileID,
281 }
282 err := context.SaveAuthorizationCode(authCode)
283 if err != nil {
284 q := redirectURL.Query()
285 q.Add("error", "server_error")
286 q.Add("state", state)
287 redirectURL.RawQuery = q.Encode()
288 http.Redirect(w, r, redirectURL.String(), http.StatusFound)
289 return
290 }
291 q := redirectURL.Query()
292 q.Add("code", code)
293 q.Add("state", state)
294 redirectURL.RawQuery = q.Encode()
295 http.Redirect(w, r, redirectURL.String(), http.StatusFound)
296 return
297 }
298 q := redirectURL.Query()
299 q.Add("error", "access_denied")
300 q.Add("state", state)
301 redirectURL.RawQuery = q.Encode()
302 http.Redirect(w, r, redirectURL.String(), http.StatusFound)
303 return
304 }
305 profile, err := context.GetProfileByID(session.ProfileID)
306 if err != nil {
307 q := redirectURL.Query()
308 q.Add("error", "server_error")
309 q.Add("state", state)
310 redirectURL.RawQuery = q.Encode()
311 http.Redirect(w, r, redirectURL.String(), http.StatusFound)
312 return
313 }
314 w.WriteHeader(http.StatusOK)
315 context.Render(w, getAuthorizationCodeTemplateName, map[string]interface{}{
316 "client": client,
317 "redirectURL": redirectURL,
318 "scope": scope,
319 "profile": profile,
320 })
321 }
323 // GetTokenHandler allows a client to exchange an authorization grant for an
324 // access token. See RFC 6749 Section 4.1.3.
325 func GetTokenHandler(w http.ResponseWriter, r *http.Request, context Context) {
326 enc := json.NewEncoder(w)
327 grantType := r.PostFormValue("grant_type")
328 gt, ok := findGrantType(grantType)
329 if !ok {
330 w.WriteHeader(http.StatusBadRequest)
331 renderJSONError(enc, "invalid_request")
332 return
333 }
334 scope, profileID, valid := gt.Validate(w, r, context)
335 if !valid {
336 return
337 }
338 refresh := ""
339 if gt.IssuesRefresh {
340 refresh = uuid.NewID().String()
341 }
342 token := Token{
343 AccessToken: uuid.NewID().String(),
344 RefreshToken: refresh,
345 Created: time.Now(),
346 ExpiresIn: defaultTokenExpiration,
347 RefreshExpiresIn: defaultRefreshTokenExpiration,
348 TokenType: "bearer",
349 Scope: scope,
350 ProfileID: profileID,
351 }
352 err := context.SaveToken(token)
353 if err != nil {
354 w.WriteHeader(http.StatusInternalServerError)
355 renderJSONError(enc, "server_error")
356 return
357 }
358 if gt.ReturnToken(w, r, token, context) && gt.Invalidate != nil {
359 go gt.Invalidate(r, context)
360 }
361 }
363 // TODO(paddy): exchange user credentials for access token
364 // TODO(paddy): exchange client credentials for access token
365 // TODO(paddy): implicit grant for access token
366 // TODO(paddy): exchange refresh token for access token