mirror of
https://git.sr.ht/~phw/scotty
synced 2025-04-25 05:47:57 +02:00
OAuth2Strategy interface to abstract the details of the login flow
This allows implementing clients the deviate from the standard OAuth2 flow
This commit is contained in:
Philipp Wolfer
parent
780af98e1e
commit
f447a259d4
6 changed files with 130 additions and 27 deletions
42
cmd/auth.go
42
cmd/auth.go
|
|
@ -17,14 +17,14 @@ Scotty. If not, see <https://www.gnu.org/licenses/>.
|
|||
package cmd
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"os"
|
||||
|
||||
"github.com/cli/browser"
|
||||
"github.com/spf13/cobra"
|
||||
"github.com/spf13/viper"
|
||||
"go.uploadedlobster.com/scotty/backends"
|
||||
"go.uploadedlobster.com/scotty/internal/auth"
|
||||
"go.uploadedlobster.com/scotty/models"
|
||||
"go.uploadedlobster.com/scotty/storage"
|
||||
"golang.org/x/oauth2"
|
||||
|
|
@ -43,44 +43,36 @@ var authCmd = &cobra.Command{
|
|||
redirectURL, err := backends.BuildRedirectURL(viper.GetViper(), backend.Name())
|
||||
cobra.CheckErr(err)
|
||||
|
||||
ctx := context.Background()
|
||||
conf := backend.OAuth2Config(redirectURL)
|
||||
|
||||
responseChan := make(chan string)
|
||||
|
||||
// Start an HTTP server to listen for the response
|
||||
http.HandleFunc(redirectURL.Path, func(w http.ResponseWriter, r *http.Request) {
|
||||
code := r.URL.Query().Get("code")
|
||||
fmt.Fprint(w, "Token received, you can close this window now.")
|
||||
responseChan <- code
|
||||
})
|
||||
responseChan := make(chan auth.CodeResponse)
|
||||
auth.RunOauth2CallbackServer(*redirectURL, responseChan)
|
||||
|
||||
go http.ListenAndServe(redirectURL.Host, nil)
|
||||
// The backend must provide an authentication strategy
|
||||
strategy := backend.OAuth2Strategy(redirectURL)
|
||||
|
||||
// use PKCE to protect against CSRF attacks
|
||||
// https://www.ietf.org/archive/id/draft-ietf-oauth-security-topics-22.html#name-countermeasures-6
|
||||
verifier := oauth2.GenerateVerifier()
|
||||
|
||||
// Redirect user to consent page to ask for permission
|
||||
// for the scopes specified above.
|
||||
url := conf.AuthCodeURL("state", oauth2.AccessTypeOffline, oauth2.S256ChallengeOption(verifier))
|
||||
state := "somestate" // FIXME: Should be a random string
|
||||
// Redirect user to consent page to ask for permission specified scopes.
|
||||
url := strategy.AuthCodeURL(verifier, state)
|
||||
fmt.Printf("Visit the URL for the auth dialog: %v\n", url)
|
||||
|
||||
err = browser.OpenURL(url)
|
||||
cobra.CheckErr(err)
|
||||
|
||||
// Retrieve the code from the authentication callback
|
||||
code := <-responseChan
|
||||
if code.State != state {
|
||||
cobra.CompErrorln("Error: oauth state mismatch")
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
// Use the authorization code that is pushed to the redirect
|
||||
// URL. Exchange will do the handshake to retrieve the
|
||||
// initial access token. The HTTP Client returned by
|
||||
// conf.Client will refresh the token as necessary.
|
||||
// var code string
|
||||
// _, err = fmt.Scan(&code)
|
||||
// cobra.CheckErr(err)
|
||||
tok, err := conf.Exchange(ctx, code, oauth2.VerifierOption(verifier))
|
||||
// Exchange the code for the authentication token
|
||||
tok, err := strategy.ExchangeToken(code, verifier)
|
||||
cobra.CheckErr(err)
|
||||
|
||||
// Store the retrieved token in the database
|
||||
db, err := storage.New(viper.GetString("database"))
|
||||
cobra.CheckErr(err)
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue