From f447a259d4309fd85e6d88c4166fb61b1014922a Mon Sep 17 00:00:00 2001 From: Philipp Wolfer Date: Thu, 23 Nov 2023 14:41:31 +0100 Subject: [PATCH] OAuth2Strategy interface to abstract the details of the login flow This allows implementing clients the deviate from the standard OAuth2 flow --- backends/auth.go | 2 +- backends/spotify/spotify.go | 18 ++++++++++++ cmd/auth.go | 42 +++++++++++----------------- internal/auth/callback.go | 36 ++++++++++++++++++++++++ internal/auth/strategy.go | 56 +++++++++++++++++++++++++++++++++++++ models/interfaces.go | 3 +- 6 files changed, 130 insertions(+), 27 deletions(-) create mode 100644 internal/auth/callback.go create mode 100644 internal/auth/strategy.go diff --git a/backends/auth.go b/backends/auth.go index f78feb3..2309826 100644 --- a/backends/auth.go +++ b/backends/auth.go @@ -46,7 +46,7 @@ func Authenticate(service string, backend models.Backend, db storage.Database, c if err != nil { return auth, err } - conf := authenticator.OAuth2Config(redirectURL) + conf := authenticator.OAuth2Strategy(redirectURL).Config() tokenSource := NewDatabaseTokenSource(db, service, &conf, token) authenticator.OAuth2Setup(tokenSource) } diff --git a/backends/spotify/spotify.go b/backends/spotify/spotify.go index 6c9bf89..ee59b5a 100644 --- a/backends/spotify/spotify.go +++ b/backends/spotify/spotify.go @@ -25,6 +25,7 @@ import ( "time" "github.com/spf13/viper" + "go.uploadedlobster.com/scotty/internal/auth" "go.uploadedlobster.com/scotty/models" "golang.org/x/oauth2" "golang.org/x/oauth2/spotify" @@ -44,6 +45,23 @@ func (b *SpotifyApiBackend) FromConfig(config *viper.Viper) models.Backend { return b } +func (b *SpotifyApiBackend) OAuth2Strategy(redirectUrl *url.URL) auth.OAuth2Strategy { + conf := oauth2.Config{ + ClientID: b.clientId, + ClientSecret: b.clientSecret, + Scopes: []string{ + "user-read-currently-playing", + "user-read-recently-played", + "user-library-read", + "user-library-modify", + }, + RedirectURL: redirectUrl.String(), + Endpoint: spotify.Endpoint, + } + + return auth.NewStandardStrategy(conf) +} + func (b *SpotifyApiBackend) OAuth2Config(redirectUrl *url.URL) oauth2.Config { return oauth2.Config{ ClientID: b.clientId, diff --git a/cmd/auth.go b/cmd/auth.go index 0bff457..7ab9e19 100644 --- a/cmd/auth.go +++ b/cmd/auth.go @@ -17,14 +17,14 @@ Scotty. If not, see . package cmd import ( - "context" "fmt" - "net/http" + "os" "github.com/cli/browser" "github.com/spf13/cobra" "github.com/spf13/viper" "go.uploadedlobster.com/scotty/backends" + "go.uploadedlobster.com/scotty/internal/auth" "go.uploadedlobster.com/scotty/models" "go.uploadedlobster.com/scotty/storage" "golang.org/x/oauth2" @@ -43,44 +43,36 @@ var authCmd = &cobra.Command{ redirectURL, err := backends.BuildRedirectURL(viper.GetViper(), backend.Name()) cobra.CheckErr(err) - ctx := context.Background() - conf := backend.OAuth2Config(redirectURL) - - responseChan := make(chan string) - // Start an HTTP server to listen for the response - http.HandleFunc(redirectURL.Path, func(w http.ResponseWriter, r *http.Request) { - code := r.URL.Query().Get("code") - fmt.Fprint(w, "Token received, you can close this window now.") - responseChan <- code - }) + responseChan := make(chan auth.CodeResponse) + auth.RunOauth2CallbackServer(*redirectURL, responseChan) - go http.ListenAndServe(redirectURL.Host, nil) + // The backend must provide an authentication strategy + strategy := backend.OAuth2Strategy(redirectURL) // use PKCE to protect against CSRF attacks // https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-22.html#name-countermeasures-6 verifier := oauth2.GenerateVerifier() - // Redirect user to consent page to ask for permission - // for the scopes specified above. - url := conf.AuthCodeURL("state", oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(verifier)) + state := "somestate" // FIXME: Should be a random string + // Redirect user to consent page to ask for permission specified scopes. + url := strategy.AuthCodeURL(verifier, state) fmt.Printf("Visit the URL for the auth dialog: %v\n", url) - err = browser.OpenURL(url) cobra.CheckErr(err) + // Retrieve the code from the authentication callback code := <-responseChan + if code.State != state { + cobra.CompErrorln("Error: oauth state mismatch") + os.Exit(1) + } - // Use the authorization code that is pushed to the redirect - // URL. Exchange will do the handshake to retrieve the - // initial access token. The HTTP Client returned by - // conf.Client will refresh the token as necessary. - // var code string - // _, err = fmt.Scan(&code) - // cobra.CheckErr(err) - tok, err := conf.Exchange(ctx, code, oauth2.VerifierOption(verifier)) + // Exchange the code for the authentication token + tok, err := strategy.ExchangeToken(code, verifier) cobra.CheckErr(err) + // Store the retrieved token in the database db, err := storage.New(viper.GetString("database")) cobra.CheckErr(err) diff --git a/internal/auth/callback.go b/internal/auth/callback.go new file mode 100644 index 0000000..4fa41f6 --- /dev/null +++ b/internal/auth/callback.go @@ -0,0 +1,36 @@ +/* +Copyright © 2023 Philipp Wolfer + +Scotty is free software: you can redistribute it and/or modify it under the +terms of the GNU General Public License as published by the Free Software +Foundation, either version 3 of the License, or (at your option) any later version. + +Scotty is distributed in the hope that it will be useful, but WITHOUT ANY +WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR +A PARTICULAR PURPOSE. See the GNU General Public License for more details. + +You should have received a copy of the GNU General Public License along with +Scotty. If not, see . +*/ + +package auth + +import ( + "fmt" + "net/http" + "net/url" +) + +func RunOauth2CallbackServer(redirectURL url.URL, responseChan chan CodeResponse) { + http.HandleFunc(redirectURL.Path, func(w http.ResponseWriter, r *http.Request) { + code := r.URL.Query().Get("code") + state := r.URL.Query().Get("state") + fmt.Fprint(w, "Token received, you can close this window now.") + responseChan <- CodeResponse{ + Code: code, + State: state, + } + }) + + go http.ListenAndServe(redirectURL.Host, nil) +} diff --git a/internal/auth/strategy.go b/internal/auth/strategy.go new file mode 100644 index 0000000..403c429 --- /dev/null +++ b/internal/auth/strategy.go @@ -0,0 +1,56 @@ +/* +Copyright © 2023 Philipp Wolfer + +Scotty is free software: you can redistribute it and/or modify it under the +terms of the GNU General Public License as published by the Free Software +Foundation, either version 3 of the License, or (at your option) any later version. + +Scotty is distributed in the hope that it will be useful, but WITHOUT ANY +WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR +A PARTICULAR PURPOSE. See the GNU General Public License for more details. + +You should have received a copy of the GNU General Public License along with +Scotty. If not, see . +*/ + +package auth + +import ( + "context" + + "golang.org/x/oauth2" +) + +type OAuth2Strategy interface { + Config() oauth2.Config + + AuthCodeURL(verifier string, state string) string + + ExchangeToken(code CodeResponse, verifier string) (*oauth2.Token, error) +} + +type CodeResponse struct { + Code string + State string +} + +func NewStandardStrategy(conf oauth2.Config) OAuth2Strategy { + return StandardStrategy{conf: conf} +} + +type StandardStrategy struct { + conf oauth2.Config +} + +func (s StandardStrategy) Config() oauth2.Config { + return s.conf +} + +func (s StandardStrategy) AuthCodeURL(verifier string, state string) string { + return s.conf.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(verifier)) +} + +func (s StandardStrategy) ExchangeToken(code CodeResponse, verifier string) (*oauth2.Token, error) { + ctx := context.Background() + return s.conf.Exchange(ctx, code.Code, oauth2.VerifierOption(verifier)) +} diff --git a/models/interfaces.go b/models/interfaces.go index 7928804..9078eba 100644 --- a/models/interfaces.go +++ b/models/interfaces.go @@ -21,6 +21,7 @@ import ( "time" "github.com/spf13/viper" + "go.uploadedlobster.com/scotty/internal/auth" "golang.org/x/oauth2" ) @@ -87,7 +88,7 @@ type OAuth2Authenticator interface { Backend // Returns OAuth2 config suitable for this backend - OAuth2Config(redirectUrl *url.URL) oauth2.Config + OAuth2Strategy(redirectUrl *url.URL) auth.OAuth2Strategy // Setup the OAuth2 client OAuth2Setup(token oauth2.TokenSource) error