go-bouquins/bouquins/auth.go

package bouquins

import (
	"encoding/json"
	"fmt"
	"log"
	"math/rand"
	"net/http"

	"github.com/gorilla/sessions"
	"golang.org/x/oauth2"
)

const (
	alphanums            = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
	sessionName          = "bouquins"
	sessionOAuthState    = "oauthState"
	sessionOAuthProvider = "provider"
	sessionUser          = "username"

	pProvider = "provider"
)

var (
	Providers = [1]OAuth2Provider{GithubProvider("github")}
)

type OAuth2Provider interface {
	GetUser(token *oauth2.Token) (string, error)
	Name() string
}

type GithubProvider string

func (p GithubProvider) Name() string {
	return string(p)
}
func (p GithubProvider) GetUser(token *oauth2.Token) (string, error) {
	apiReq, err := http.NewRequest("GET", "https://api.github.com/user/emails", nil)
	apiReq.Header.Add("Accept", "application/vnd.github.v3+json")
	apiReq.Header.Add("Authorization", "token "+token.AccessToken)
	client := &http.Client{}
	response, err := client.Do(apiReq)
	defer response.Body.Close()
	if err != nil {
		log.Println("Auth error", err)
		return "", fmt.Errorf("Authentification error")
	}

	dec := json.NewDecoder(response.Body)
	var emails []GitHubEmail
	err = dec.Decode(&emails)
	if err != nil {
		log.Println("Error reading github API response", err)
		return "", fmt.Errorf("Error reading github API response")
	}
	fmt.Printf("Content: %s\n", emails)
	var userEmail string
	for _, email := range emails {
		if email.Primary && email.Verified {
			userEmail = email.Email
		}
	}
	log.Println("User email:", userEmail)
	return userEmail, nil
}

func findProvider(name string) OAuth2Provider {
	for _, p := range Providers {
		if p.Name() == name {
			return p
		}
	}
	return nil
}

// generates a 16 characters long random string
func securedRandString() string {
	b := make([]byte, 16)
	for i := range b {
		b[i] = alphanums[rand.Intn(len(alphanums))]
	}
	return string(b)
}

// current session
func (app *Bouquins) Session(req *http.Request) *sessions.Session {
	session, _ := app.Cookies.Get(req, sessionName)
	return session
}

// logged in username
func (app *Bouquins) Username(req *http.Request) string {
	username := app.Session(req).Values[sessionUser]
	if username != nil {
		return username.(string)
	}
	return ""
}

// sets value in session
func (app *Bouquins) SessionSet(name string, value string, res http.ResponseWriter, req *http.Request) {
	session := app.Session(req)
	session.Values[name] = value
	session.Save(req, res)
}

// LoginPage redirects to OAuth login page (github)
func (app *Bouquins) LoginPage(res http.ResponseWriter, req *http.Request) error {
	provider := req.URL.Query().Get(pProvider)
	oauth := app.OAuthConf[provider]
	if oauth != nil {
		app.SessionSet(sessionOAuthProvider, provider, res, req)
		state := securedRandString()
		app.SessionSet(sessionOAuthState, state, res, req)
		url := oauth.AuthCodeURL(state)
		http.Redirect(res, req, url, http.StatusTemporaryRedirect)
		return nil
	}
	// choose provider
	return app.render(res, tplProvider, app.NewModel("Authentification", "provider", req))
}

// LogoutPage logout connected user
func (app *Bouquins) LogoutPage(res http.ResponseWriter, req *http.Request) error {
	app.SessionSet(sessionUser, "", res, req)
	return RedirectHome(res, req)
}

// CallbackPage handle OAuth 2 callback
func (app *Bouquins) CallbackPage(res http.ResponseWriter, req *http.Request) error {
	savedState := app.Session(req).Values[sessionOAuthState]
	providerParam := app.Session(req).Values[sessionOAuthProvider]
	if savedState == "" || providerParam == "" {
		return fmt.Errorf("missing oauth data")
	}
	providerName := providerParam.(string)
	oauth := app.OAuthConf[providerName]
	provider := findProvider(providerName)
	if oauth == nil || provider == nil {
		return fmt.Errorf("missing oauth configuration")
	}
	app.SessionSet(sessionOAuthState, "", res, req)
	app.SessionSet(sessionOAuthProvider, "", res, req)
	state := req.FormValue("state")
	if state != savedState {
		return fmt.Errorf("invalid oauth state, expected '%s', got '%s'", "state", state)
	}
	code := req.FormValue("code")
	token, err := oauth.Exchange(oauth2.NoContext, code)
	if err != nil {
		return fmt.Errorf("Code exchange failed with '%s'", err)
	}
	userEmail, err := provider.GetUser(token)
	if err != nil {
		return err
	}
	// FIXME list allowed users
	if userEmail == "meutel+github@meutel.net" {
		app.SessionSet(sessionUser, "Meutel", res, req)
		log.Println("User logged in", userEmail)
		return RedirectHome(res, req)
	} else {
		return fmt.Errorf("Unknown user")
	}
}
Refactoring: move auth logic in auth.go 2017-09-08 16:19:31 +00:00			`package bouquins`

			`import (`
			`"encoding/json"`
			`"fmt"`
			`"log"`
			`"math/rand"`
			`"net/http"`

			`"github.com/gorilla/sessions"`
			`"golang.org/x/oauth2"`
			`)`

			`const (`
Select oauth provider 2017-09-08 18:29:01 +00:00			`alphanums = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"`
			`sessionName = "bouquins"`
			`sessionOAuthState = "oauthState"`
			`sessionOAuthProvider = "provider"`
			`sessionUser = "username"`

			`pProvider = "provider"`
			`)`

			`var (`
			`Providers = [1]OAuth2Provider{GithubProvider("github")}`
Refactoring: move auth logic in auth.go 2017-09-08 16:19:31 +00:00			`)`

Select oauth provider 2017-09-08 18:29:01 +00:00			`type OAuth2Provider interface {`
			`GetUser(token *oauth2.Token) (string, error)`
			`Name() string`
			`}`

			`type GithubProvider string`

			`func (p GithubProvider) Name() string {`
			`return string(p)`
			`}`
			`func (p GithubProvider) GetUser(token *oauth2.Token) (string, error) {`
			`apiReq, err := http.NewRequest("GET", "https://api.github.com/user/emails", nil)`
			`apiReq.Header.Add("Accept", "application/vnd.github.v3+json")`
			`apiReq.Header.Add("Authorization", "token "+token.AccessToken)`
			`client := &http.Client{}`
			`response, err := client.Do(apiReq)`
			`defer response.Body.Close()`
			`if err != nil {`
			`log.Println("Auth error", err)`
			`return "", fmt.Errorf("Authentification error")`
			`}`

			`dec := json.NewDecoder(response.Body)`
			`var emails []GitHubEmail`
			`err = dec.Decode(&emails)`
			`if err != nil {`
			`log.Println("Error reading github API response", err)`
			`return "", fmt.Errorf("Error reading github API response")`
			`}`
			`fmt.Printf("Content: %s\n", emails)`
			`var userEmail string`
			`for _, email := range emails {`
			`if email.Primary && email.Verified {`
			`userEmail = email.Email`
			`}`
			`}`
			`log.Println("User email:", userEmail)`
			`return userEmail, nil`
			`}`

			`func findProvider(name string) OAuth2Provider {`
			`for _, p := range Providers {`
			`if p.Name() == name {`
			`return p`
			`}`
			`}`
			`return nil`
			`}`

Refactoring: move auth logic in auth.go 2017-09-08 16:19:31 +00:00			`// generates a 16 characters long random string`
			`func securedRandString() string {`
			`b := make([]byte, 16)`
			`for i := range b {`
			`b[i] = alphanums[rand.Intn(len(alphanums))]`
			`}`
			`return string(b)`
			`}`

			`// current session`
			`func (app Bouquins) Session(req http.Request) *sessions.Session {`
			`session, _ := app.Cookies.Get(req, sessionName)`
			`return session`
			`}`

			`// logged in username`
			`func (app Bouquins) Username(req http.Request) string {`
			`username := app.Session(req).Values[sessionUser]`
			`if username != nil {`
			`return username.(string)`
			`}`
			`return ""`
			`}`

			`// sets value in session`
			`func (app Bouquins) SessionSet(name string, value string, res http.ResponseWriter, req http.Request) {`
			`session := app.Session(req)`
			`session.Values[name] = value`
			`session.Save(req, res)`
			`}`

			`// LoginPage redirects to OAuth login page (github)`
			`func (app Bouquins) LoginPage(res http.ResponseWriter, req http.Request) error {`
Select oauth provider 2017-09-08 18:29:01 +00:00			`provider := req.URL.Query().Get(pProvider)`
			`oauth := app.OAuthConf[provider]`
			`if oauth != nil {`
			`app.SessionSet(sessionOAuthProvider, provider, res, req)`
			`state := securedRandString()`
			`app.SessionSet(sessionOAuthState, state, res, req)`
			`url := oauth.AuthCodeURL(state)`
			`http.Redirect(res, req, url, http.StatusTemporaryRedirect)`
			`return nil`
			`}`
			`// choose provider`
			`return app.render(res, tplProvider, app.NewModel("Authentification", "provider", req))`
Refactoring: move auth logic in auth.go 2017-09-08 16:19:31 +00:00			`}`

			`// LogoutPage logout connected user`
			`func (app Bouquins) LogoutPage(res http.ResponseWriter, req http.Request) error {`
			`app.SessionSet(sessionUser, "", res, req)`
			`return RedirectHome(res, req)`
			`}`

			`// CallbackPage handle OAuth 2 callback`
			`func (app Bouquins) CallbackPage(res http.ResponseWriter, req http.Request) error {`
			`savedState := app.Session(req).Values[sessionOAuthState]`
Select oauth provider 2017-09-08 18:29:01 +00:00			`providerParam := app.Session(req).Values[sessionOAuthProvider]`
			`if savedState == "" \|\| providerParam == "" {`
			`return fmt.Errorf("missing oauth data")`
			`}`
			`providerName := providerParam.(string)`
			`oauth := app.OAuthConf[providerName]`
			`provider := findProvider(providerName)`
			`if oauth == nil \|\| provider == nil {`
			`return fmt.Errorf("missing oauth configuration")`
Refactoring: move auth logic in auth.go 2017-09-08 16:19:31 +00:00			`}`
			`app.SessionSet(sessionOAuthState, "", res, req)`
Select oauth provider 2017-09-08 18:29:01 +00:00			`app.SessionSet(sessionOAuthProvider, "", res, req)`
Refactoring: move auth logic in auth.go 2017-09-08 16:19:31 +00:00			`state := req.FormValue("state")`
			`if state != savedState {`
			`return fmt.Errorf("invalid oauth state, expected '%s', got '%s'", "state", state)`
			`}`
			`code := req.FormValue("code")`
Select oauth provider 2017-09-08 18:29:01 +00:00			`token, err := oauth.Exchange(oauth2.NoContext, code)`
Refactoring: move auth logic in auth.go 2017-09-08 16:19:31 +00:00			`if err != nil {`
			`return fmt.Errorf("Code exchange failed with '%s'", err)`
			`}`
Select oauth provider 2017-09-08 18:29:01 +00:00			`userEmail, err := provider.GetUser(token)`
Refactoring: move auth logic in auth.go 2017-09-08 16:19:31 +00:00			`if err != nil {`
Select oauth provider 2017-09-08 18:29:01 +00:00			`return err`
Refactoring: move auth logic in auth.go 2017-09-08 16:19:31 +00:00			`}`
			`// FIXME list allowed users`
			`if userEmail == "meutel+github@meutel.net" {`
			`app.SessionSet(sessionUser, "Meutel", res, req)`
			`log.Println("User logged in", userEmail)`
			`return RedirectHome(res, req)`
			`} else {`
			`return fmt.Errorf("Unknown user")`
			`}`
			`}`