Select oauth provider
This commit is contained in:
parent
893daeab71
commit
93a1de6452
106
bouquins/auth.go
106
bouquins/auth.go
@ -15,9 +15,65 @@ const (
|
|||||||
alphanums = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
|
alphanums = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
|
||||||
sessionName = "bouquins"
|
sessionName = "bouquins"
|
||||||
sessionOAuthState = "oauthState"
|
sessionOAuthState = "oauthState"
|
||||||
|
sessionOAuthProvider = "provider"
|
||||||
sessionUser = "username"
|
sessionUser = "username"
|
||||||
|
|
||||||
|
pProvider = "provider"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
Providers = [1]OAuth2Provider{GithubProvider("github")}
|
||||||
|
)
|
||||||
|
|
||||||
|
type OAuth2Provider interface {
|
||||||
|
GetUser(token *oauth2.Token) (string, error)
|
||||||
|
Name() string
|
||||||
|
}
|
||||||
|
|
||||||
|
type GithubProvider string
|
||||||
|
|
||||||
|
func (p GithubProvider) Name() string {
|
||||||
|
return string(p)
|
||||||
|
}
|
||||||
|
func (p GithubProvider) GetUser(token *oauth2.Token) (string, error) {
|
||||||
|
apiReq, err := http.NewRequest("GET", "https://api.github.com/user/emails", nil)
|
||||||
|
apiReq.Header.Add("Accept", "application/vnd.github.v3+json")
|
||||||
|
apiReq.Header.Add("Authorization", "token "+token.AccessToken)
|
||||||
|
client := &http.Client{}
|
||||||
|
response, err := client.Do(apiReq)
|
||||||
|
defer response.Body.Close()
|
||||||
|
if err != nil {
|
||||||
|
log.Println("Auth error", err)
|
||||||
|
return "", fmt.Errorf("Authentification error")
|
||||||
|
}
|
||||||
|
|
||||||
|
dec := json.NewDecoder(response.Body)
|
||||||
|
var emails []GitHubEmail
|
||||||
|
err = dec.Decode(&emails)
|
||||||
|
if err != nil {
|
||||||
|
log.Println("Error reading github API response", err)
|
||||||
|
return "", fmt.Errorf("Error reading github API response")
|
||||||
|
}
|
||||||
|
fmt.Printf("Content: %s\n", emails)
|
||||||
|
var userEmail string
|
||||||
|
for _, email := range emails {
|
||||||
|
if email.Primary && email.Verified {
|
||||||
|
userEmail = email.Email
|
||||||
|
}
|
||||||
|
}
|
||||||
|
log.Println("User email:", userEmail)
|
||||||
|
return userEmail, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func findProvider(name string) OAuth2Provider {
|
||||||
|
for _, p := range Providers {
|
||||||
|
if p.Name() == name {
|
||||||
|
return p
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
// generates a 16 characters long random string
|
// generates a 16 characters long random string
|
||||||
func securedRandString() string {
|
func securedRandString() string {
|
||||||
b := make([]byte, 16)
|
b := make([]byte, 16)
|
||||||
@ -51,12 +107,18 @@ func (app *Bouquins) SessionSet(name string, value string, res http.ResponseWrit
|
|||||||
|
|
||||||
// LoginPage redirects to OAuth login page (github)
|
// LoginPage redirects to OAuth login page (github)
|
||||||
func (app *Bouquins) LoginPage(res http.ResponseWriter, req *http.Request) error {
|
func (app *Bouquins) LoginPage(res http.ResponseWriter, req *http.Request) error {
|
||||||
// TODO choose provider
|
provider := req.URL.Query().Get(pProvider)
|
||||||
|
oauth := app.OAuthConf[provider]
|
||||||
|
if oauth != nil {
|
||||||
|
app.SessionSet(sessionOAuthProvider, provider, res, req)
|
||||||
state := securedRandString()
|
state := securedRandString()
|
||||||
app.SessionSet(sessionOAuthState, state, res, req)
|
app.SessionSet(sessionOAuthState, state, res, req)
|
||||||
url := app.OAuthConf.AuthCodeURL(state)
|
url := oauth.AuthCodeURL(state)
|
||||||
http.Redirect(res, req, url, http.StatusTemporaryRedirect)
|
http.Redirect(res, req, url, http.StatusTemporaryRedirect)
|
||||||
return nil
|
return nil
|
||||||
|
}
|
||||||
|
// choose provider
|
||||||
|
return app.render(res, tplProvider, app.NewModel("Authentification", "provider", req))
|
||||||
}
|
}
|
||||||
|
|
||||||
// LogoutPage logout connected user
|
// LogoutPage logout connected user
|
||||||
@ -68,45 +130,31 @@ func (app *Bouquins) LogoutPage(res http.ResponseWriter, req *http.Request) erro
|
|||||||
// CallbackPage handle OAuth 2 callback
|
// CallbackPage handle OAuth 2 callback
|
||||||
func (app *Bouquins) CallbackPage(res http.ResponseWriter, req *http.Request) error {
|
func (app *Bouquins) CallbackPage(res http.ResponseWriter, req *http.Request) error {
|
||||||
savedState := app.Session(req).Values[sessionOAuthState]
|
savedState := app.Session(req).Values[sessionOAuthState]
|
||||||
if savedState == "" {
|
providerParam := app.Session(req).Values[sessionOAuthProvider]
|
||||||
return fmt.Errorf("missing saved oauth state")
|
if savedState == "" || providerParam == "" {
|
||||||
|
return fmt.Errorf("missing oauth data")
|
||||||
|
}
|
||||||
|
providerName := providerParam.(string)
|
||||||
|
oauth := app.OAuthConf[providerName]
|
||||||
|
provider := findProvider(providerName)
|
||||||
|
if oauth == nil || provider == nil {
|
||||||
|
return fmt.Errorf("missing oauth configuration")
|
||||||
}
|
}
|
||||||
app.SessionSet(sessionOAuthState, "", res, req)
|
app.SessionSet(sessionOAuthState, "", res, req)
|
||||||
|
app.SessionSet(sessionOAuthProvider, "", res, req)
|
||||||
state := req.FormValue("state")
|
state := req.FormValue("state")
|
||||||
if state != savedState {
|
if state != savedState {
|
||||||
return fmt.Errorf("invalid oauth state, expected '%s', got '%s'", "state", state)
|
return fmt.Errorf("invalid oauth state, expected '%s', got '%s'", "state", state)
|
||||||
}
|
}
|
||||||
code := req.FormValue("code")
|
code := req.FormValue("code")
|
||||||
token, err := app.OAuthConf.Exchange(oauth2.NoContext, code)
|
token, err := oauth.Exchange(oauth2.NoContext, code)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Code exchange failed with '%s'", err)
|
return fmt.Errorf("Code exchange failed with '%s'", err)
|
||||||
}
|
}
|
||||||
apiReq, err := http.NewRequest("GET", "https://api.github.com/user/emails", nil)
|
userEmail, err := provider.GetUser(token)
|
||||||
apiReq.Header.Add("Accept", "application/vnd.github.v3+json")
|
|
||||||
apiReq.Header.Add("Authorization", "token "+token.AccessToken)
|
|
||||||
client := &http.Client{}
|
|
||||||
response, err := client.Do(apiReq)
|
|
||||||
defer response.Body.Close()
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Println("Auth error", err)
|
return err
|
||||||
return fmt.Errorf("Authentification error")
|
|
||||||
}
|
}
|
||||||
|
|
||||||
dec := json.NewDecoder(response.Body)
|
|
||||||
var emails []GitHubEmail
|
|
||||||
err = dec.Decode(&emails)
|
|
||||||
if err != nil {
|
|
||||||
log.Println("Error reading github API response", err)
|
|
||||||
return fmt.Errorf("Error reading github API response")
|
|
||||||
}
|
|
||||||
fmt.Printf("Content: %s\n", emails)
|
|
||||||
var userEmail string
|
|
||||||
for _, email := range emails {
|
|
||||||
if email.Primary && email.Verified {
|
|
||||||
userEmail = email.Email
|
|
||||||
}
|
|
||||||
}
|
|
||||||
log.Println("User email:", userEmail)
|
|
||||||
// FIXME list allowed users
|
// FIXME list allowed users
|
||||||
if userEmail == "meutel+github@meutel.net" {
|
if userEmail == "meutel+github@meutel.net" {
|
||||||
app.SessionSet(sessionUser, "Meutel", res, req)
|
app.SessionSet(sessionUser, "Meutel", res, req)
|
||||||
|
@ -27,6 +27,7 @@ const (
|
|||||||
tplIndex = "index.html"
|
tplIndex = "index.html"
|
||||||
tplSearch = "search.html"
|
tplSearch = "search.html"
|
||||||
tplAbout = "about.html"
|
tplAbout = "about.html"
|
||||||
|
tplProvider = "provider.html"
|
||||||
|
|
||||||
pList = "list"
|
pList = "list"
|
||||||
pOrder = "order"
|
pOrder = "order"
|
||||||
@ -74,7 +75,7 @@ type GitHubEmail struct {
|
|||||||
type Bouquins struct {
|
type Bouquins struct {
|
||||||
Tpl *template.Template
|
Tpl *template.Template
|
||||||
DB *sql.DB
|
DB *sql.DB
|
||||||
OAuthConf *oauth2.Config
|
OAuthConf map[string]*oauth2.Config
|
||||||
Cookies *sessions.CookieStore
|
Cookies *sessions.CookieStore
|
||||||
}
|
}
|
||||||
|
|
||||||
|
3
main.go
3
main.go
@ -71,7 +71,8 @@ func initApp() *BouquinsConf {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// TODO conf by provider, client ID and secret in conf file
|
// TODO conf by provider, client ID and secret in conf file
|
||||||
oauthConf := &oauth2.Config{
|
oauthConf := make(map[string]*oauth2.Config)
|
||||||
|
oauthConf["github"] = &oauth2.Config{
|
||||||
ClientID: "8b0aedf07828f06918a0",
|
ClientID: "8b0aedf07828f06918a0",
|
||||||
ClientSecret: "eb26ec9c986fc28bd169bdddf169b794861e0d65",
|
ClientSecret: "eb26ec9c986fc28bd169bdddf169b794861e0d65",
|
||||||
Scopes: []string{"user:email"},
|
Scopes: []string{"user:email"},
|
||||||
|
9
templates/provider.html
Normal file
9
templates/provider.html
Normal file
@ -0,0 +1,9 @@
|
|||||||
|
{{ template "header.html" . }}
|
||||||
|
<div class="container" id="provider">
|
||||||
|
<p>Veuillez sélectionner un mode d'authentification:<p>
|
||||||
|
<ul>
|
||||||
|
<!-- TODO list providers, icon -->
|
||||||
|
<li><a href="/login?provider=github">Github</a></li>
|
||||||
|
</ul>
|
||||||
|
</div>
|
||||||
|
{{ template "footer.html" . }}
|
Loading…
Reference in New Issue
Block a user