Mirror
/
go-neb
mirror of https://github.com/matrix-org/go-neb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
573 Commits
120 Branches
3 Tags
12 MiB
Tree: 1e297c50ad
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1e297c50ad'
${ noResults }
go-neb/realms/github/github.go

307 lines
8.3 KiB
Raw Normal View History

Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add concept of AuthRealms - These represent a place where a user can authenticate themselves. - They function in the same way as Services (insert/update based on an HTTP API) - They currently don't *do* a lot other than exist for storing realm-specific information (e.g. the `GithubRealm` stores the `ClientSecret` and `ClientID`)
8 years ago
Add redirect handler for AuthRealms Add state param generation for githubRealm.
8 years ago
Add concept of AuthSessions Auth sessions are a single auth process between a user and an auth realm. As such, they are keyed off the tuple of `(user_id, realm_id)`. Only the realm which they belong to knows how to construct them, hence all "load" sections require an `AuthRealm` to be extracted first. Currently I pass in a `json.RawMessage` rather than factory initialise and clobber public fields based on the JSON, we can always change that if need be later down the line. Overall, this feels really nice (when starting to add in GH auth, everything I wanted was already there in the right place waiting for me).
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
List possible GH repos on /getSession Add an Info() method to pull out info about an auth session.
8 years ago
Tweak the auth session API to be more transactional - Rename the path from /configureAuthSession to /requestAuthSession - Add a global getter/setter for the `ServiceDB` : this avoids cyclical deps because now the Realm wants access to the database, and due to the factory pattern it would mean `types.go` would need to import `database`, but `database` is already doing so to invoke the factory function in `schema.go`. - Modify how `AuthSession` is loaded/stored in the database. Now it is just a blunt JSON store for Public fields. It is initialised via a new Realm interface function `AuthSession(userID, realmID)` which is there to return the right `struct` so stuff can be unmarshalled into it. - Add a new Realm interface function `RequestAuthSession` which is invoked when `/requestAuthSession` is hit. It is a direct request/response mapping, a JSON blob goes in as a param, and a JSON blob comes out as the return. The Realm is free to create/load/update/delete `AuthSessions` inside the function. This allows better control over when new sessions are made (or whether to return an existing session).
8 years ago
List possible GH repos on /getSession Add an Info() method to pull out info about an auth session.
8 years ago
Add concept of AuthRealms - These represent a place where a user can authenticate themselves. - They function in the same way as Services (insert/update based on an HTTP API) - They currently don't *do* a lot other than exist for storing realm-specific information (e.g. the `GithubRealm` stores the `ClientSecret` and `ClientID`)
8 years ago
Re-format project as a Go module (#310) * Define project as a Go module and update dependency versions Signed-off-by: Nikos Filippakis <me@nfil.dev> * Update docs, configs and dockerfile to use latest Go version Signed-off-by: Nikos Filippakis <me@nfil.dev> * Add postgres database driver Signed-off-by: Nikos Filippakis <me@nfil.dev>
4 years ago
Add concept of AuthRealms - These represent a place where a user can authenticate themselves. - They function in the same way as Services (insert/update based on an HTTP API) - They currently don't *do* a lot other than exist for storing realm-specific information (e.g. the `GithubRealm` stores the `ClientSecret` and `ClientID`)
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Finish implementing auth in JIRA. Access tokens are now stored. Added redirectURL to the factory function for AuthRealms.
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add concept of AuthRealms - These represent a place where a user can authenticate themselves. - They function in the same way as Services (insert/update based on an HTTP API) - They currently don't *do* a lot other than exist for storing realm-specific information (e.g. the `GithubRealm` stores the `ClientSecret` and `ClientID`)
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Grab access tokens from the GithubService and use them Currently only an authenticated client is used to lookup expansion issues.
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add concept of AuthSessions Auth sessions are a single auth process between a user and an auth realm. As such, they are keyed off the tuple of `(user_id, realm_id)`. Only the realm which they belong to knows how to construct them, hence all "load" sections require an `AuthRealm` to be extracted first. Currently I pass in a `json.RawMessage` rather than factory initialise and clobber public fields based on the JSON, we can always change that if need be later down the line. Overall, this feels really nice (when starting to add in GH auth, everything I wanted was already there in the right place waiting for me).
8 years ago
Add endpoint for GETing AuthSession information for a user/realm tuple Add a new `AuthSession` function `Authenticated()` which returns `true` if the user has completed the auth process. This allows the caller to distinguish between: - Never done any auth (404s) - In the process of doing auth (`Authenticated == false`) - Finished doing auth (`Authenticated == true`)
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add endpoint for GETing AuthSession information for a user/realm tuple Add a new `AuthSession` function `Authenticated()` which returns `true` if the user has completed the auth process. This allows the caller to distinguish between: - Never done any auth (404s) - In the process of doing auth (`Authenticated == false`) - Finished doing auth (`Authenticated == true`)
8 years ago
List possible GH repos on /getSession Add an Info() method to pull out info about an auth session.
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
List possible GH repos on /getSession Add an Info() method to pull out info about an auth session.
8 years ago
Paginate repo list
8 years ago
List possible GH repos on /getSession Add an Info() method to pull out info about an auth session.
8 years ago
Paginate repo list
8 years ago
List possible GH repos on /getSession Add an Info() method to pull out info about an auth session.
8 years ago
Paginate repo list
8 years ago
List possible GH repos on /getSession Add an Info() method to pull out info about an auth session.
8 years ago
Paginate repo list
8 years ago
List possible GH repos on /getSession Add an Info() method to pull out info about an auth session.
8 years ago
Paginate repo list
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
List possible GH repos on /getSession Add an Info() method to pull out info about an auth session.
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
List possible GH repos on /getSession Add an Info() method to pull out info about an auth session.
8 years ago
Grab access tokens from the GithubService and use them Currently only an authenticated client is used to lookup expansion issues.
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add concept of AuthSessions Auth sessions are a single auth process between a user and an auth realm. As such, they are keyed off the tuple of `(user_id, realm_id)`. Only the realm which they belong to knows how to construct them, hence all "load" sections require an `AuthRealm` to be extracted first. Currently I pass in a `json.RawMessage` rather than factory initialise and clobber public fields based on the JSON, we can always change that if need be later down the line. Overall, this feels really nice (when starting to add in GH auth, everything I wanted was already there in the right place waiting for me).
8 years ago
Grab access tokens from the GithubService and use them Currently only an authenticated client is used to lookup expansion issues.
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add concept of AuthSessions Auth sessions are a single auth process between a user and an auth realm. As such, they are keyed off the tuple of `(user_id, realm_id)`. Only the realm which they belong to knows how to construct them, hence all "load" sections require an `AuthRealm` to be extracted first. Currently I pass in a `json.RawMessage` rather than factory initialise and clobber public fields based on the JSON, we can always change that if need be later down the line. Overall, this feels really nice (when starting to add in GH auth, everything I wanted was already there in the right place waiting for me).
8 years ago
Grab access tokens from the GithubService and use them Currently only an authenticated client is used to lookup expansion issues.
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add ID field to AuthSessions so redirects can lookup based off this key Required for Github OAuth redirect requests and just is generally useful to have. Add UNIQUE constraints on realm/user and realm/id to prevent multiple users getting the same ID.
8 years ago
Comments
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add concept of AuthRealms - These represent a place where a user can authenticate themselves. - They function in the same way as Services (insert/update based on an HTTP API) - They currently don't *do* a lot other than exist for storing realm-specific information (e.g. the `GithubRealm` stores the `ClientSecret` and `ClientID`)
8 years ago
Comments
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add concept of AuthRealms - These represent a place where a user can authenticate themselves. - They function in the same way as Services (insert/update based on an HTTP API) - They currently don't *do* a lot other than exist for storing realm-specific information (e.g. the `GithubRealm` stores the `ClientSecret` and `ClientID`)
8 years ago
Comments
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add an Init() function to AuthRealms
8 years ago
Comments
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add JiraRealm type. Add Register() function to AuthRealms Verify that PrivateKeyPEM is indeed a PEM formatted block in Register()
8 years ago
Comments
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add redirect handler for AuthRealms Add state param generation for githubRealm.
8 years ago
Add RedirectURL param when requesting GH auth sessions
8 years ago
Add concept of AuthSessions Auth sessions are a single auth process between a user and an auth realm. As such, they are keyed off the tuple of `(user_id, realm_id)`. Only the realm which they belong to knows how to construct them, hence all "load" sections require an `AuthRealm` to be extracted first. Currently I pass in a `json.RawMessage` rather than factory initialise and clobber public fields based on the JSON, we can always change that if need be later down the line. Overall, this feels really nice (when starting to add in GH auth, everything I wanted was already there in the right place waiting for me).
8 years ago
Add redirect handler for AuthRealms Add state param generation for githubRealm.
8 years ago
Finish implementing auth in JIRA. Access tokens are now stored. Added redirectURL to the factory function for AuthRealms.
8 years ago
Actually specify scopes...
8 years ago
Add concept of AuthSessions Auth sessions are a single auth process between a user and an auth realm. As such, they are keyed off the tuple of `(user_id, realm_id)`. Only the realm which they belong to knows how to construct them, hence all "load" sections require an `AuthRealm` to be extracted first. Currently I pass in a `json.RawMessage` rather than factory initialise and clobber public fields based on the JSON, we can always change that if need be later down the line. Overall, this feels really nice (when starting to add in GH auth, everything I wanted was already there in the right place waiting for me).
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add ID field to AuthSessions so redirects can lookup based off this key Required for Github OAuth redirect requests and just is generally useful to have. Add UNIQUE constraints on realm/user and realm/id to prevent multiple users getting the same ID.
8 years ago
Add concept of AuthSessions Auth sessions are a single auth process between a user and an auth realm. As such, they are keyed off the tuple of `(user_id, realm_id)`. Only the realm which they belong to knows how to construct them, hence all "load" sections require an `AuthRealm` to be extracted first. Currently I pass in a `json.RawMessage` rather than factory initialise and clobber public fields based on the JSON, we can always change that if need be later down the line. Overall, this feels really nice (when starting to add in GH auth, everything I wanted was already there in the right place waiting for me).
8 years ago
Add RedirectURL param when requesting GH auth sessions
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add RedirectURL param when requesting GH auth sessions
8 years ago
More logging
8 years ago
Add RedirectURL param when requesting GH auth sessions
8 years ago
Add redirect handler for AuthRealms Add state param generation for githubRealm.
8 years ago
Tweak the auth session API to be more transactional - Rename the path from /configureAuthSession to /requestAuthSession - Add a global getter/setter for the `ServiceDB` : this avoids cyclical deps because now the Realm wants access to the database, and due to the factory pattern it would mean `types.go` would need to import `database`, but `database` is already doing so to invoke the factory function in `schema.go`. - Modify how `AuthSession` is loaded/stored in the database. Now it is just a blunt JSON store for Public fields. It is initialised via a new Realm interface function `AuthSession(userID, realmID)` which is there to return the right `struct` so stuff can be unmarshalled into it. - Add a new Realm interface function `RequestAuthSession` which is invoked when `/requestAuthSession` is hit. It is a direct request/response mapping, a JSON blob goes in as a param, and a JSON blob comes out as the return. The Realm is free to create/load/update/delete `AuthSessions` inside the function. This allows better control over when new sessions are made (or whether to return an existing session).
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Tweak the auth session API to be more transactional - Rename the path from /configureAuthSession to /requestAuthSession - Add a global getter/setter for the `ServiceDB` : this avoids cyclical deps because now the Realm wants access to the database, and due to the factory pattern it would mean `types.go` would need to import `database`, but `database` is already doing so to invoke the factory function in `schema.go`. - Modify how `AuthSession` is loaded/stored in the database. Now it is just a blunt JSON store for Public fields. It is initialised via a new Realm interface function `AuthSession(userID, realmID)` which is there to return the right `struct` so stuff can be unmarshalled into it. - Add a new Realm interface function `RequestAuthSession` which is invoked when `/requestAuthSession` is hit. It is a direct request/response mapping, a JSON blob goes in as a param, and a JSON blob comes out as the return. The Realm is free to create/load/update/delete `AuthSessions` inside the function. This allows better control over when new sessions are made (or whether to return an existing session).
8 years ago
Comments
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Store access_tokens in the DB
8 years ago
Start parsing out redirect requests for github realms
8 years ago
Add ID field to AuthSessions so redirects can lookup based off this key Required for Github OAuth redirect requests and just is generally useful to have. Add UNIQUE constraints on realm/user and realm/id to prevent multiple users getting the same ID.
8 years ago
Start parsing out redirect requests for github realms
8 years ago
Add ID field to AuthSessions so redirects can lookup based off this key Required for Github OAuth redirect requests and just is generally useful to have. Add UNIQUE constraints on realm/user and realm/id to prevent multiple users getting the same ID.
8 years ago
Start parsing out redirect requests for github realms
8 years ago
Store access_tokens in the DB
8 years ago
Start parsing out redirect requests for github realms
8 years ago
Add ID field to AuthSessions so redirects can lookup based off this key Required for Github OAuth redirect requests and just is generally useful to have. Add UNIQUE constraints on realm/user and realm/id to prevent multiple users getting the same ID.
8 years ago
Store access_tokens in the DB
8 years ago
Add ID field to AuthSessions so redirects can lookup based off this key Required for Github OAuth redirect requests and just is generally useful to have. Add UNIQUE constraints on realm/user and realm/id to prevent multiple users getting the same ID.
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Use non-panicking type assertion
8 years ago
Store access_tokens in the DB
8 years ago
Check for a valid session before exchanging codes
8 years ago
Redirect even if already authed if a redirect URL is given
8 years ago
Check for a valid session before exchanging codes
8 years ago
Store access_tokens in the DB
8 years ago
Redirect even if already authed if a redirect URL is given
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add RedirectURL param when requesting GH auth sessions
8 years ago
Return Location headers on 302s WriteHeader must come AFTER Header().Set() else it does nothing, yay!
8 years ago
Add RedirectURL param when requesting GH auth sessions
8 years ago
Redirect even if already authed if a redirect URL is given
8 years ago
Add RedirectURL param when requesting GH auth sessions
8 years ago
Add redirect handler for AuthRealms Add state param generation for githubRealm.
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add ID field to AuthSessions so redirects can lookup based off this key Required for Github OAuth redirect requests and just is generally useful to have. Add UNIQUE constraints on realm/user and realm/id to prevent multiple users getting the same ID.
8 years ago
Tweak the auth session API to be more transactional - Rename the path from /configureAuthSession to /requestAuthSession - Add a global getter/setter for the `ServiceDB` : this avoids cyclical deps because now the Realm wants access to the database, and due to the factory pattern it would mean `types.go` would need to import `database`, but `database` is already doing so to invoke the factory function in `schema.go`. - Modify how `AuthSession` is loaded/stored in the database. Now it is just a blunt JSON store for Public fields. It is initialised via a new Realm interface function `AuthSession(userID, realmID)` which is there to return the right `struct` so stuff can be unmarshalled into it. - Add a new Realm interface function `RequestAuthSession` which is invoked when `/requestAuthSession` is hit. It is a direct request/response mapping, a JSON blob goes in as a param, and a JSON blob comes out as the return. The Realm is free to create/load/update/delete `AuthSessions` inside the function. This allows better control over when new sessions are made (or whether to return an existing session).
8 years ago
Add concept of AuthSessions Auth sessions are a single auth process between a user and an auth realm. As such, they are keyed off the tuple of `(user_id, realm_id)`. Only the realm which they belong to knows how to construct them, hence all "load" sections require an `AuthRealm` to be extracted first. Currently I pass in a `json.RawMessage` rather than factory initialise and clobber public fields based on the JSON, we can always change that if need be later down the line. Overall, this feels really nice (when starting to add in GH auth, everything I wanted was already there in the right place waiting for me).
8 years ago
Store access_tokens in the DB
8 years ago
Add redirect handler for AuthRealms Add state param generation for githubRealm.
8 years ago
Add concept of AuthRealms - These represent a place where a user can authenticate themselves. - They function in the same way as Services (insert/update based on an HTTP API) - They currently don't *do* a lot other than exist for storing realm-specific information (e.g. the `GithubRealm` stores the `ClientSecret` and `ClientID`)
8 years ago
Finish implementing auth in JIRA. Access tokens are now stored. Added redirectURL to the factory function for AuthRealms.
8 years ago
Add realm documentation - Add godoc for realms - Remove realm info from README
8 years ago
Add concept of AuthRealms - These represent a place where a user can authenticate themselves. - They function in the same way as Services (insert/update based on an HTTP API) - They currently don't *do* a lot other than exist for storing realm-specific information (e.g. the `GithubRealm` stores the `ClientSecret` and `ClientID`)
8 years ago
  1. // Package github implements OAuth2 support for github.com
  2. package github
  4. import (
  5. "crypto/rand"
  6. "encoding/hex"
  7. "encoding/json"
  8. "io/ioutil"
  9. "net/http"
  10. "net/url"
  12. "github.com/google/go-github/github"
  13. "github.com/matrix-org/go-neb/database"
  14. "github.com/matrix-org/go-neb/services/github/client"
  15. "github.com/matrix-org/go-neb/types"
  16. log "github.com/sirupsen/logrus"
  17. )
  19. // RealmType of the Github Realm
  20. const RealmType = "github"
  22. // Realm can handle OAuth processes with github.com
  23. //
  24. // Example request:
  25. // {
  26. // "ClientSecret": "YOUR_CLIENT_SECRET",
  27. // "ClientID": "YOUR_CLIENT_ID"
  28. // }
  29. type Realm struct {
  30. id string
  31. redirectURL string
  33. // The client secret for this Github application.
  34. ClientSecret string
  35. // The client ID for this Github application.
  36. ClientID string
  37. // Optional. The URL to redirect the client to after authentication.
  38. StarterLink string
  39. }
  41. // Session represents an authenticated github session
  42. type Session struct {
  43. id string
  44. userID string
  45. realmID string
  47. // AccessToken is the github access token for the user
  48. AccessToken string
  49. // Scopes are the set of *ALLOWED* scopes (which may not be the same as the requested scopes)
  50. Scopes string
  51. // Optional. The client-supplied URL to redirect them to after the auth process is complete.
  52. ClientsRedirectURL string
  53. }
  55. // AuthRequest is a request for authenticating with github.com
  56. type AuthRequest struct {
  57. // Optional. The URL to redirect to after authentication.
  58. RedirectURL string
  59. }
  61. // AuthResponse is a response to an AuthRequest.
  62. type AuthResponse struct {
  63. // The URL to visit to perform OAuth on github.com
  64. URL string
  65. }
  67. // Authenticated returns true if the user has completed the auth process
  68. func (s *Session) Authenticated() bool {
  69. return s.AccessToken != ""
  70. }
  72. // Info returns a list of possible repositories that this session can integrate with.
  73. func (s *Session) Info() interface{} {
  74. logger := log.WithFields(log.Fields{
  75. "user_id": s.userID,
  76. "realm_id": s.realmID,
  77. })
  78. cli := client.New(s.AccessToken)
  79. var repos []client.TrimmedRepository
  81. opts := &github.RepositoryListOptions{
  82. Type: "all",
  83. ListOptions: github.ListOptions{
  84. PerPage: 100,
  85. },
  86. }
  87. for {
  88. // query for a list of possible projects
  89. rs, resp, err := cli.Repositories.List("", opts)
  90. if err != nil {
  91. logger.WithError(err).Print("Failed to query github projects on github.com")
  92. return nil
  93. }
  95. for _, r := range rs {
  96. repos = append(repos, client.TrimRepository(r))
  97. }
  99. if resp.NextPage == 0 {
  100. break
  101. }
  102. opts.ListOptions.Page = resp.NextPage
  103. logger.Print("Session.Info() Next => ", resp.NextPage)
  104. }
  105. logger.Print("Session.Info() Returning ", len(repos), " repos")
  107. return struct {
  108. Repos []client.TrimmedRepository
  109. }{repos}
  110. }
  112. // UserID returns the user_id who authorised with Github
  113. func (s *Session) UserID() string {
  114. return s.userID
  115. }
  117. // RealmID returns the realm ID of the realm which performed the authentication
  118. func (s *Session) RealmID() string {
  119. return s.realmID
  120. }
  122. // ID returns the session ID
  123. func (s *Session) ID() string {
  124. return s.id
  125. }
  127. // ID returns the realm ID
  128. func (r *Realm) ID() string {
  129. return r.id
  130. }
  132. // Type is github
  133. func (r *Realm) Type() string {
  134. return RealmType
  135. }
  137. // Init does nothing.
  138. func (r *Realm) Init() error {
  139. return nil
  140. }
  142. // Register does nothing.
  143. func (r *Realm) Register() error {
  144. return nil
  145. }
  147. // RequestAuthSession generates an OAuth2 URL for this user to auth with github via.
  148. // The request body is of type "github.AuthRequest". The response is of type "github.AuthResponse".
  149. //
  150. // Request example:
  151. // {
  152. // "RedirectURL": "https://optional-url.com/to/redirect/to/after/auth"
  153. // }
  154. //
  155. // Response example:
  156. // {
  157. // "URL": "https://github.com/login/oauth/authorize?client_id=abcdef&client_secret=acascacac...."
  158. // }
  159. func (r *Realm) RequestAuthSession(userID string, req json.RawMessage) interface{} {
  160. state, err := randomString(10)
  161. if err != nil {
  162. log.WithError(err).Print("Failed to generate state param")
  163. return nil
  164. }
  166. u, _ := url.Parse("https://github.com/login/oauth/authorize")
  167. q := u.Query()
  168. q.Set("client_id", r.ClientID)
  169. q.Set("client_secret", r.ClientSecret)
  170. q.Set("state", state)
  171. q.Set("redirect_uri", r.redirectURL)
  172. q.Set("scope", "admin:repo_hook,admin:org_hook,repo")
  173. u.RawQuery = q.Encode()
  174. session := &Session{
  175. id: state, // key off the state for redirects
  176. userID: userID,
  177. realmID: r.ID(),
  178. }
  180. // check if they supplied a redirect URL
  181. var reqBody AuthRequest
  182. if err = json.Unmarshal(req, &reqBody); err != nil {
  183. log.WithError(err).Print("Failed to decode request body")
  184. return nil
  185. }
  186. session.ClientsRedirectURL = reqBody.RedirectURL
  187. log.WithFields(log.Fields{
  188. "clients_redirect_url": session.ClientsRedirectURL,
  189. "redirect_url": u.String(),
  190. }).Print("RequestAuthSession: Performing redirect")
  192. _, err = database.GetServiceDB().StoreAuthSession(session)
  193. if err != nil {
  194. log.WithError(err).Print("Failed to store new auth session")
  195. return nil
  196. }
  198. return &AuthResponse{u.String()}
  199. }
  201. // OnReceiveRedirect processes OAuth redirect requests from Github
  202. func (r *Realm) OnReceiveRedirect(w http.ResponseWriter, req *http.Request) {
  203. // parse out params from the request
  204. code := req.URL.Query().Get("code")
  205. state := req.URL.Query().Get("state")
  206. logger := log.WithFields(log.Fields{
  207. "state": state,
  208. })
  209. logger.WithField("code", code).Print("GithubRealm: OnReceiveRedirect")
  210. if code == "" || state == "" {
  211. failWith(logger, w, 400, "code and state are required", nil)
  212. return
  213. }
  214. // load the session (we keyed off the state param)
  215. session, err := database.GetServiceDB().LoadAuthSessionByID(r.ID(), state)
  216. if err != nil {
  217. // most likely cause
  218. failWith(logger, w, 400, "Provided ?state= param is not recognised.", err)
  219. return
  220. }
  221. ghSession, ok := session.(*Session)
  222. if !ok {
  223. failWith(logger, w, 500, "Unexpected session found.", nil)
  224. return
  225. }
  226. logger.WithField("user_id", ghSession.UserID()).Print("Mapped redirect to user")
  228. if ghSession.AccessToken != "" && ghSession.Scopes != "" {
  229. r.redirectOr(w, 400, "You have already authenticated with Github", logger, ghSession)
  230. return
  231. }
  233. // exchange code for access_token
  234. res, err := http.PostForm("https://github.com/login/oauth/access_token",
  235. url.Values{"client_id": {r.ClientID}, "client_secret": {r.ClientSecret}, "code": {code}})
  236. if err != nil {
  237. failWith(logger, w, 502, "Failed to exchange code for token", err)
  238. return
  239. }
  240. defer res.Body.Close()
  241. body, err := ioutil.ReadAll(res.Body)
  242. if err != nil {
  243. failWith(logger, w, 502, "Failed to read token response", err)
  244. return
  245. }
  246. vals, err := url.ParseQuery(string(body))
  247. if err != nil {
  248. failWith(logger, w, 502, "Failed to parse token response", err)
  249. return
  250. }
  252. // update database and return
  253. ghSession.AccessToken = vals.Get("access_token")
  254. ghSession.Scopes = vals.Get("scope")
  255. logger.WithField("scope", ghSession.Scopes).Print("Scopes granted.")
  256. _, err = database.GetServiceDB().StoreAuthSession(ghSession)
  257. if err != nil {
  258. failWith(logger, w, 500, "Failed to persist session", err)
  259. return
  260. }
  261. r.redirectOr(
  262. w, 200, "You have successfully linked your Github account to "+ghSession.UserID(), logger, ghSession,
  263. )
  264. }
  266. func (r *Realm) redirectOr(w http.ResponseWriter, code int, msg string, logger *log.Entry, ghSession *Session) {
  267. if ghSession.ClientsRedirectURL != "" {
  268. w.Header().Set("Location", ghSession.ClientsRedirectURL)
  269. w.WriteHeader(302)
  270. // technically don't need a body but *shrug*
  271. w.Write([]byte(ghSession.ClientsRedirectURL))
  272. } else {
  273. failWith(logger, w, code, msg, nil)
  274. }
  275. }
  277. // AuthSession returns a Github Session for this user
  278. func (r *Realm) AuthSession(id, userID, realmID string) types.AuthSession {
  279. return &Session{
  280. id: id,
  281. userID: userID,
  282. realmID: realmID,
  283. }
  284. }
  286. func failWith(logger *log.Entry, w http.ResponseWriter, code int, msg string, err error) {
  287. logger.WithError(err).Print(msg)
  288. w.WriteHeader(code)
  289. w.Write([]byte(msg))
  290. }
  292. // Generate a cryptographically secure pseudorandom string with the given number of bytes (length).
  293. // Returns a hex string of the bytes.
  294. func randomString(length int) (string, error) {
  295. b := make([]byte, length)
  296. _, err := rand.Read(b)
  297. if err != nil {
  298. return "", err
  299. }
  300. return hex.EncodeToString(b), nil
  301. }
  303. func init() {
  304. types.RegisterAuthRealm(func(realmID, redirectURL string) types.AuthRealm {
  305. return &Realm{id: realmID, redirectURL: redirectURL}
  306. })
  307. }