auth
85:1dc4e152e3b0 Browse Files
Break client verification out, break token returns out. Break client verification out into a helper function to avoid rewriting it for pretty much every grant. Break token returns out into a new function as part of the GrantType, so that implicit grants can redirect with the token value. Split returning the token as JSON into its own exported function, which can be used in multiple grants. Return more relevant information to the template when a user is deciding whether or not to authorize a grant.
client.go grant.go oauth2.go oauth2_test.go
1.1 --- a/client.go Sat Dec 06 03:33:11 2014 -0500 1.2 +++ b/client.go Sun Dec 07 02:52:39 2014 -0500 1.3 @@ -1,7 +1,9 @@ 1.4 package auth 1.5 1.6 import ( 1.7 + "encoding/json" 1.8 "errors" 1.9 + "net/http" 1.10 "net/url" 1.11 "time" 1.12 1.13 @@ -109,6 +111,50 @@ 1.14 return nil 1.15 } 1.16 1.17 +func verifyClient(w http.ResponseWriter, r *http.Request, allowPublic bool, context Context) (uuid.ID, bool) { 1.18 + enc := json.NewEncoder(w) 1.19 + clientIDStr, clientSecret, fromAuthHeader := r.BasicAuth() 1.20 + if !fromAuthHeader { 1.21 + if !allowPublic { 1.22 + w.WriteHeader(http.StatusBadRequest) 1.23 + renderJSONError(enc, "unauthorized_client") 1.24 + return nil, false 1.25 + } 1.26 + clientIDStr = r.PostFormValue("client_id") 1.27 + } 1.28 + clientID, err := uuid.Parse(clientIDStr) 1.29 + if err != nil { 1.30 + w.WriteHeader(http.StatusUnauthorized) 1.31 + if fromAuthHeader { 1.32 + w.Header().Set("WWW-Authenticate", "Basic") 1.33 + } 1.34 + renderJSONError(enc, "invalid_client") 1.35 + return nil, false 1.36 + } 1.37 + client, err := context.GetClient(clientID) 1.38 + if err == ErrClientNotFound { 1.39 + w.WriteHeader(http.StatusUnauthorized) 1.40 + if fromAuthHeader { 1.41 + w.Header().Set("WWW-Authenticate", "Basic") 1.42 + } 1.43 + renderJSONError(enc, "invalid_client") 1.44 + return nil, false 1.45 + } else if err != nil { 1.46 + w.WriteHeader(http.StatusInternalServerError) 1.47 + renderJSONError(enc, "server_error") 1.48 + return nil, false 1.49 + } 1.50 + if client.Secret != clientSecret { 1.51 + w.WriteHeader(http.StatusUnauthorized) 1.52 + if fromAuthHeader { 1.53 + w.Header().Set("WWW-Authenticate", "Basic") 1.54 + } 1.55 + renderJSONError(enc, "invalid_client") 1.56 + return nil, false 1.57 + } 1.58 + return clientID, true 1.59 +} 1.60 + 1.61 // Endpoint represents a single URI that a Client 1.62 // controls. Users will be redirected to these URIs 1.63 // following successful authorization grants and
2.1 --- a/grant.go Sat Dec 06 03:33:11 2014 -0500 2.2 +++ b/grant.go Sun Dec 07 02:52:39 2014 -0500 2.3 @@ -13,6 +13,7 @@ 2.4 RegisterGrantType("authorization_code", GrantType{ 2.5 Validate: authCodeGrantValidate, 2.6 IssuesRefresh: true, 2.7 + ReturnToken: RenderJSONToken, 2.8 }) 2.9 } 2.10 2.11 @@ -85,38 +86,8 @@ 2.12 renderJSONError(enc, "invalid_request") 2.13 return 2.14 } 2.15 - // BUG(paddy): We really ought to break client verification out into its own helper functions, but I think it may depend on which grant_type is used... 2.16 - redirectURI := r.PostFormValue("redirect_uri") 2.17 - clientIDStr, clientSecret, fromAuthHeader := r.BasicAuth() 2.18 - if !fromAuthHeader { 2.19 - clientIDStr = r.PostFormValue("client_id") 2.20 - } 2.21 - clientID, err := uuid.Parse(clientIDStr) 2.22 - if err != nil { 2.23 - w.WriteHeader(http.StatusUnauthorized) 2.24 - if fromAuthHeader { 2.25 - w.Header().Set("WWW-Authenticate", "Basic") 2.26 - } 2.27 - renderJSONError(enc, "invalid_client") 2.28 - return 2.29 - } 2.30 - client, err := context.GetClient(clientID) 2.31 - if err != nil { 2.32 - if err == ErrClientNotFound { 2.33 - w.WriteHeader(http.StatusUnauthorized) 2.34 - renderJSONError(enc, "invalid_client") 2.35 - } else { 2.36 - w.WriteHeader(http.StatusInternalServerError) 2.37 - renderJSONError(enc, "server_error") 2.38 - } 2.39 - return 2.40 - } 2.41 - if client.Secret != clientSecret { 2.42 - w.WriteHeader(http.StatusUnauthorized) 2.43 - if fromAuthHeader { 2.44 - w.Header().Set("WWW-Authenticate", "Basic") 2.45 - } 2.46 - renderJSONError(enc, "invalid_client") 2.47 + clientID, success := verifyClient(w, r, true, context) 2.48 + if !success { 2.49 return 2.50 } 2.51 grant, err := context.GetGrant(code) 2.52 @@ -130,6 +101,7 @@ 2.53 renderJSONError(enc, "server_error") 2.54 return 2.55 } 2.56 + redirectURI := r.PostFormValue("redirect_uri") 2.57 if grant.RedirectURI != redirectURI { 2.58 w.WriteHeader(http.StatusBadRequest) 2.59 renderJSONError(enc, "invalid_grant")
3.1 --- a/oauth2.go Sat Dec 06 03:33:11 2014 -0500 3.2 +++ b/oauth2.go Sun Dec 07 02:52:39 2014 -0500 3.3 @@ -58,9 +58,13 @@ 3.4 // 3.5 // IssuesRefresh determines whether the GrantType should yield a refresh token as well as an access token. If true, the client 3.6 // will be issued a refresh token. 3.7 +// 3.8 +// The ReturnToken will be called when a token is created and needs to be returned to the client. If it returns true, the token 3.9 +// was successfully returned and the Invalidate function will be called asynchronously. 3.10 type GrantType struct { 3.11 Validate func(w http.ResponseWriter, r *http.Request, context Context) (scope string, profileID uuid.ID, valid bool) 3.12 Invalidate func(r *http.Request, context Context) bool 3.13 + ReturnToken func(w http.ResponseWriter, r *http.Request, token Token, context Context) bool 3.14 IssuesRefresh bool 3.15 } 3.16 3.17 @@ -107,6 +111,22 @@ 3.18 } 3.19 } 3.20 3.21 +func RenderJSONToken(w http.ResponseWriter, r *http.Request, token Token, context Context) bool { 3.22 + enc := json.NewEncoder(w) 3.23 + resp := tokenResponse{ 3.24 + AccessToken: token.AccessToken, 3.25 + RefreshToken: token.RefreshToken, 3.26 + ExpiresIn: token.ExpiresIn, 3.27 + TokenType: token.TokenType, 3.28 + } 3.29 + err := enc.Encode(resp) 3.30 + if err != nil { 3.31 + // TODO(paddy): log this or something 3.32 + return false 3.33 + } 3.34 + return true 3.35 +} 3.36 + 3.37 func checkCookie(r *http.Request, context Context) (Session, error) { 3.38 cookie, err := r.Cookie(authCookieName) 3.39 if err == http.ErrNoCookie { 3.40 @@ -339,9 +359,21 @@ 3.41 http.Redirect(w, r, redirectURL.String(), http.StatusFound) 3.42 return 3.43 } 3.44 + profile, err := context.GetProfileByID(session.ProfileID) 3.45 + if err != nil { 3.46 + q := redirectURL.Query() 3.47 + q.Add("error", "server_error") 3.48 + q.Add("state", state) 3.49 + redirectURL.RawQuery = q.Encode() 3.50 + http.Redirect(w, r, redirectURL.String(), http.StatusFound) 3.51 + return 3.52 + } 3.53 w.WriteHeader(http.StatusOK) 3.54 context.Render(w, getGrantTemplateName, map[string]interface{}{ 3.55 - "client": client, 3.56 + "client": client, 3.57 + "redirectURL": redirectURL, 3.58 + "scope": scope, 3.59 + "profile": profile, 3.60 }) 3.61 } 3.62 3.63 @@ -379,18 +411,9 @@ 3.64 renderJSONError(enc, "server_error") 3.65 return 3.66 } 3.67 - resp := tokenResponse{ 3.68 - AccessToken: token.AccessToken, 3.69 - RefreshToken: token.RefreshToken, 3.70 - ExpiresIn: token.ExpiresIn, 3.71 - TokenType: token.TokenType, 3.72 + if gt.ReturnToken(w, r, token, context) && gt.Invalidate != nil { 3.73 + go gt.Invalidate(r, context) 3.74 } 3.75 - err = enc.Encode(resp) 3.76 - if err != nil { 3.77 - // TODO(paddy): log this or something 3.78 - return 3.79 - } 3.80 - // BUG(paddy): we need to invalidate the grant for future requests 3.81 } 3.82 3.83 // TODO(paddy): exchange user credentials for access token
4.1 --- a/oauth2_test.go Sat Dec 06 03:33:11 2014 -0500 4.2 +++ b/oauth2_test.go Sun Dec 07 02:52:39 2014 -0500 4.3 @@ -64,9 +64,17 @@ 4.4 if err != nil { 4.5 t.Fatal("Can't store endpoint:", err) 4.6 } 4.7 + profile := Profile{ 4.8 + ID: uuid.NewID(), 4.9 + } 4.10 + err = testContext.SaveProfile(profile) 4.11 + if err != nil { 4.12 + t.Fatal("Can't store profile:", err) 4.13 + } 4.14 session := Session{ 4.15 - ID: "testsession", 4.16 - Active: true, 4.17 + ID: "testsession", 4.18 + Active: true, 4.19 + ProfileID: profile.ID, 4.20 } 4.21 err = testContext.CreateSession(session) 4.22 if err != nil { 4.23 @@ -792,6 +800,7 @@ 4.24 err = json.Unmarshal(w.Body.Bytes(), &resp) 4.25 if err != nil { 4.26 t.Error("Error unmarshalling response:", err) 4.27 + t.Error("Response:", w.Body.String()) 4.28 } 4.29 if resp.AccessToken == "" { 4.30 t.Error("Got blank access token back") 4.31 @@ -810,7 +819,7 @@ 4.32 t.Error("Error retrieving token:", err) 4.33 } 4.34 if len(tokens) != 1 { 4.35 - t.Errorf("Expected %d tokens, got %d", 1, len(tokens)) 4.36 + t.Fatalf("Expected %d tokens, got %d", 1, len(tokens)) 4.37 } 4.38 if tokens[0].AccessToken != resp.AccessToken { 4.39 t.Errorf(`Expected access token to be "%s", got "%s"`, tokens[0].AccessToken, resp.AccessToken)