auth

Paddy 2015-03-03 Parent:23c1a07c8a61 Child:762953f6a7f2

135:d30a3a12d387 Go to Latest

auth/token.go

Attach our Scope type to AuthCodes and Tokens. When obtaining an AuthorizationCode or Token, attach a slice of strings, each one a Scope ID, instead of just attaching the encoded string the user passes in. This will allow us to change our Scope encoding down the line, and is more conceptually faithful. Also, if an authorization request is made with an invalid scope, return the invalid_scope error.

Download raw file

View source Diff to previous Annotate

1 package auth

3 import (

4 "encoding/json"

5 "errors"

6 "log"

7 "net/http"

8 "time"

10 "code.secondbit.org/uuid.hg"

13 const (

14 defaultTokenExpiration = 3600 // one hour

17 func init() {

18 RegisterGrantType("refresh_token", GrantType{

19 Validate: refreshTokenValidate,

20 Invalidate: refreshTokenInvalidate,

21 IssuesRefresh: true,

22 ReturnToken: RenderJSONToken,

23 AuditString: refreshTokenAuditString,

27 var (

28 // ErrNoTokenStore is returned when a Context tries to act on a tokenStore without setting one first.

29 ErrNoTokenStore = errors.New("no tokenStore was specified for the Context")

30 // ErrTokenNotFound is returned when a Token is requested but not found in a tokenStore.

31 ErrTokenNotFound = errors.New("token not found in tokenStore")

32 // ErrTokenAlreadyExists is returned when a Token is added to a tokenStore, but another Token with

33 // the same AccessToken property already exists in the tokenStore.

34 ErrTokenAlreadyExists = errors.New("token already exists in tokenStore")

37 // Token represents an access and/or refresh token that the Client can use to access user data

38 // or obtain a new access token.

39 type Token struct {

40 AccessToken string

41 RefreshToken string

42 Created time.Time

43 CreatedFrom string

44 ExpiresIn int32

45 TokenType string

46 Scopes []string

47 ProfileID uuid.ID

48 ClientID uuid.ID

49 Revoked bool

50 RefreshRevoked bool

53 type tokenStore interface {

54 getToken(token string, refresh bool) (Token, error)

55 saveToken(token Token) error

56 revokeToken(token string, refresh bool) error

57 getTokensByProfileID(profileID uuid.ID, num, offset int) ([]Token, error)

60 func (m *memstore) getToken(token string, refresh bool) (Token, error) {

61 if refresh {

62 t, err := m.lookupTokenByRefresh(token)

63 if err != nil {

64 return Token{}, err

66 token = t

68 m.tokenLock.RLock()

69 defer m.tokenLock.RUnlock()

70 result, ok := m.tokens[token]

71 if !ok {

72 return Token{}, ErrTokenNotFound

74 return result, nil

77 func (m *memstore) saveToken(token Token) error {

78 m.tokenLock.Lock()

79 defer m.tokenLock.Unlock()

80 _, ok := m.tokens[token.AccessToken]

81 if ok {

82 return ErrTokenAlreadyExists

84 m.tokens[token.AccessToken] = token

85 if token.RefreshToken != "" {

86 m.refreshTokenLookup[token.RefreshToken] = token.AccessToken

88 if _, ok = m.profileTokenLookup[token.ProfileID.String()]; ok {

89 m.profileTokenLookup[token.ProfileID.String()] = append(m.profileTokenLookup[token.ProfileID.String()], token.AccessToken)

90 } else {

91 m.profileTokenLookup[token.ProfileID.String()] = []string{token.AccessToken}

93 return nil

96 func (m *memstore) revokeToken(token string, refresh bool) error {

97 if refresh {

98 t, err := m.lookupTokenByRefresh(token)

99 if err != nil {

100 return err

102 token = t

104 m.tokenLock.Lock()

105 defer m.tokenLock.Unlock()

106 t, ok := m.tokens[token]

107 if !ok {

108 return ErrTokenNotFound

110 if refresh {

111 t.RefreshRevoked = true

112 } else {

113 t.Revoked = true

115 m.tokens[token] = t

116 return nil

119 func (m *memstore) getTokensByProfileID(profileID uuid.ID, num, offset int) ([]Token, error) {

120 ids, err := m.lookupTokensByProfileID(profileID.String())

121 if err != nil {

122 return []Token{}, err

124 if len(ids) > num+offset {

125 ids = ids[offset : num+offset]

126 } else if len(ids) > offset {

127 ids = ids[offset:]

128 } else {

129 return []Token{}, nil

131 tokens := []Token{}

132 for _, id := range ids {

133 token, err := m.getToken(id, false)

134 if err != nil {

135 return []Token{}, err

137 tokens = append(tokens, token)

139 return tokens, nil

142 func refreshTokenValidate(w http.ResponseWriter, r *http.Request, context Context) (scopes []string, profileID uuid.ID, valid bool) {

143 enc := json.NewEncoder(w)

144 refresh := r.PostFormValue("refresh_token")

145 if refresh == "" {

146 w.WriteHeader(http.StatusBadRequest)

147 renderJSONError(enc, "invalid_request")

148 return

150 token, err := context.GetToken(refresh, true)

151 if err != nil {

152 if err == ErrTokenNotFound {

153 w.WriteHeader(http.StatusBadRequest)

154 renderJSONError(enc, "invalid_grant")

155 return

157 log.Println("Error exchanging refresh token:", err)

158 w.WriteHeader(http.StatusInternalServerError)

159 renderJSONError(enc, "server_error")

160 return

162 clientID, _, ok := getClientAuth(w, r, true)

163 if !ok {

164 return

166 if !token.ClientID.Equal(clientID) {

167 w.WriteHeader(http.StatusBadRequest)

168 renderJSONError(enc, "invalid_grant")

169 return

171 if token.RefreshRevoked {

172 w.WriteHeader(http.StatusBadRequest)

173 renderJSONError(enc, "invalid_grant")

174 return

176 return token.Scopes, token.ProfileID, true

179 func refreshTokenInvalidate(r *http.Request, context Context) error {

180 refresh := r.PostFormValue("refresh_token")

181 if refresh == "" {

182 return ErrTokenNotFound

184 return context.RevokeToken(refresh, true)

187 func refreshTokenAuditString(r *http.Request) string {

188 return "refresh_token:" + r.PostFormValue("refresh_token")

191 // BUG(paddy): We need to implement a handler for revoking a token.

192 // BUG(paddy): We need to implement a handler for listing active tokens.