Scoped oauth
@@ -3,6 +3,7 @@ package server
|
||||
import (
|
||||
"fmt"
|
||||
"local/oauth2"
|
||||
"local/router"
|
||||
"local/storage"
|
||||
"net/http"
|
||||
"net/url"
|
||||
@@ -11,18 +12,20 @@ import (
|
||||
)
|
||||
|
||||
func (s *Server) authorize(w http.ResponseWriter, r *http.Request) {
|
||||
scope := ""
|
||||
router.Params(r, &scope)
|
||||
s.limiter.Wait(r.Context())
|
||||
if r.Method != "POST" {
|
||||
http.NotFound(w, r)
|
||||
return
|
||||
}
|
||||
id := r.FormValue("username")
|
||||
id := scope + "." + r.FormValue("username")
|
||||
user, ok := s.getUser(id)
|
||||
if !ok {
|
||||
http.Error(w, "unknown user", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
access, ok := s.getAccess(user)
|
||||
access, ok := s.getAccess(scope, user)
|
||||
if !ok {
|
||||
http.Error(w, "no oauth for user", http.StatusForbidden)
|
||||
return
|
||||
@@ -45,23 +48,23 @@ func (s *Server) authorize(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
}
|
||||
|
||||
func (s *Server) genAuth(user string) {
|
||||
func (s *Server) genAuth(scope, user string) {
|
||||
access := uuid.New().String()
|
||||
token := uuid.New().String()
|
||||
s.store.Set(user, []byte(access), ACCESS)
|
||||
s.store.Set(access, []byte(token), TOKEN)
|
||||
s.store.Set(scope+"."+access, []byte(token), TOKEN)
|
||||
}
|
||||
|
||||
func (s *Server) getAccess(user string) (string, bool) {
|
||||
func (s *Server) getAccess(scope, user string) (string, bool) {
|
||||
access, err := s.store.Get(user, ACCESS)
|
||||
if err == storage.ErrNotFound {
|
||||
s.genAuth(user)
|
||||
s.genAuth(scope, user)
|
||||
access, err = s.store.Get(user, ACCESS)
|
||||
}
|
||||
return string(access), err == nil
|
||||
}
|
||||
|
||||
func (s *Server) getToken(access string) (string, bool) {
|
||||
token, err := s.store.Get(access, TOKEN)
|
||||
func (s *Server) getToken(scope, access string) (string, bool) {
|
||||
token, err := s.store.Get(scope+"."+access, TOKEN)
|
||||
return string(token), err == nil
|
||||
}
|
||||
|
||||
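Review bot: The scoped identity `id := scope + "." + r.FormValue("username")` in authorize, like the store key `scope+"."+access` in genAuth and getToken, uses "." as the separator but nothing rejects a scope or username that itself contains ".", so two different (scope, name) pairs can collide on one key; scope arrives unchecked from the URL wildcard via router.Params. A guard right after `router.Params(r, &scope)`, e.g. `if scope == "" || strings.Contains(scope, ".") { http.NotFound(w, r); return }` (needs a strings import), or a lookup against a configured set of scopes, would close this; the same applies to usersSubmit and verify in the other files. Separately, genAuth and getAccess still write and read the ACCESS record under the bare `user` key (`s.store.Set(user, []byte(access), ACCESS)`) while the TOKEN record is now scope-prefixed; if the `user` value returned by getUser is not already scope-prefixed, an access value is shared across scopes, which is worth confirming. authorize's body continues past the hunk.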
@@ -3,6 +3,7 @@ package server
|
||||
import (
|
||||
"fmt"
|
||||
"local/oauth2/oauth2server/config"
|
||||
"local/router"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
@@ -13,25 +14,25 @@ func (s *Server) Routes() error {
|
||||
handler http.HandlerFunc
|
||||
}{
|
||||
{
|
||||
path: fmt.Sprintf("authorize"),
|
||||
path: fmt.Sprintf("authorize/%s", router.Wildcard),
|
||||
handler: s.authorize,
|
||||
},
|
||||
{
|
||||
path: fmt.Sprintf("verify"),
|
||||
path: fmt.Sprintf("verify/%s", router.Wildcard),
|
||||
handler: s.verify,
|
||||
},
|
||||
{
|
||||
path: fmt.Sprintf("users/log"),
|
||||
path: fmt.Sprintf("users/log/%s", router.Wildcard),
|
||||
handler: s.usersLog,
|
||||
},
|
||||
{
|
||||
skip: !config.UserRegistration,
|
||||
path: fmt.Sprintf("users/register"),
|
||||
path: fmt.Sprintf("users/register/%s", router.Wildcard),
|
||||
handler: s.usersRegister,
|
||||
},
|
||||
{
|
||||
skip: !config.UserRegistration,
|
||||
path: fmt.Sprintf("users/submit"),
|
||||
path: fmt.Sprintf("users/submit/%s", router.Wildcard),
|
||||
handler: s.usersSubmit,
|
||||
},
|
||||
}
|
||||
|
||||
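Review bot: Each new path line calls fmt.Sprintf only to join two constants, e.g. `path: fmt.Sprintf("authorize/%s", router.Wildcard)`; plain concatenation `path: "authorize/" + router.Wildcard` says the same with no format parsing, and the same applies to the verify, users/log, users/register and users/submit entries. Since every route now accepts an arbitrary wildcard segment as scope, the handlers behind these paths are the place that has to validate it. Routes' body starts and ends outside the hunk.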
@@ -7,18 +7,21 @@ import (
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"local/oauth2/oauth2server/config"
|
||||
"local/router"
|
||||
"net/http"
|
||||
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
||||
func (s *Server) usersLog(w http.ResponseWriter, r *http.Request) {
|
||||
scope := ""
|
||||
router.Params(r, &scope)
|
||||
s.limiter.Wait(r.Context())
|
||||
q := r.URL.Query()
|
||||
fmt.Fprintln(w, `
|
||||
<html>
|
||||
<body>
|
||||
<form method="post" action="/authorize?`+q.Encode()+`">
|
||||
<form method="post" action="/authorize/`+scope+`?`+q.Encode()+`">
|
||||
<input type="password" name="username"></input>
|
||||
<input type="submit"></input>
|
||||
</form>
|
||||
@@ -28,11 +31,13 @@ func (s *Server) usersLog(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
func (s *Server) usersRegister(w http.ResponseWriter, r *http.Request) {
|
||||
scope := ""
|
||||
router.Params(r, &scope)
|
||||
s.limiter.Wait(r.Context())
|
||||
fmt.Fprintln(w, `
|
||||
<html>
|
||||
<body>
|
||||
<form method="post" action="/users/submit">
|
||||
<form method="post" action="/users/submit/`+scope+`">
|
||||
<input type="text" name="username"></input>
|
||||
<input type="submit"></input>
|
||||
</form>
|
||||
@@ -42,12 +47,14 @@ func (s *Server) usersRegister(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
func (s *Server) usersSubmit(w http.ResponseWriter, r *http.Request) {
|
||||
scope := ""
|
||||
router.Params(r, &scope)
|
||||
s.limiter.Wait(r.Context())
|
||||
if r.Method != "POST" {
|
||||
http.NotFound(w, r)
|
||||
return
|
||||
}
|
||||
id := r.FormValue("username")
|
||||
id := scope + "." + r.FormValue("username")
|
||||
if _, ok := s.getUser(id); ok {
|
||||
http.Error(w, "user already exists", http.StatusConflict)
|
||||
return
|
||||
|
||||
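Review bot: In usersLog the path segment `scope` is spliced unescaped into an HTML attribute, `action="/authorize/`+scope+`?`+q.Encode()+`">`, so a crafted URL is reflected into the page; the same line in usersRegister (`action="/users/submit/`+scope+`">`) has the same issue. Encode it for both contexts before use, e.g. `action="/authorize/`+html.EscapeString(url.PathEscape(scope))+`?`+q.Encode()+`">` (needs html and net/url imports), or render these forms through html/template, which escapes per context. Rejecting scopes outside an expected charset right after `router.Params(r, &scope)` would remove the risk at the source as well. usersLog's and usersRegister's bodies continue past their hunks.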
@@ -1,16 +1,19 @@
|
||||
package server
|
||||
|
||||
import (
|
||||
"local/router"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
func (s *Server) verify(w http.ResponseWriter, r *http.Request) {
|
||||
scope := ""
|
||||
router.Params(r, &scope)
|
||||
if r.Method != "POST" {
|
||||
http.NotFound(w, r)
|
||||
return
|
||||
}
|
||||
access := r.FormValue("access")
|
||||
token, ok := s.getToken(access)
|
||||
token, ok := s.getToken(scope, access)
|
||||
if !ok {
|
||||
http.Error(w, "unknown access", http.StatusUnauthorized)
|
||||
return
|
||||
|
||||