mirror of
https://github.com/yusing/godoxy.git
synced 2025-06-04 02:42:34 +02:00
192 lines
5.1 KiB
Go
192 lines
5.1 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"net/http"
|
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
|
U "github.com/yusing/go-proxy/internal/api/v1/utils"
|
|
"github.com/yusing/go-proxy/internal/common"
|
|
E "github.com/yusing/go-proxy/internal/error"
|
|
"github.com/yusing/go-proxy/internal/utils/strutils"
|
|
"golang.org/x/oauth2"
|
|
)
|
|
|
|
type OIDCProvider struct {
|
|
oauthConfig *oauth2.Config
|
|
oidcProvider *oidc.Provider
|
|
oidcVerifier *oidc.IDTokenVerifier
|
|
overrideHost bool
|
|
}
|
|
|
|
var (
|
|
apiOAuth *OIDCProvider
|
|
APIOIDCCallbackHandler http.HandlerFunc
|
|
)
|
|
|
|
// initOIDC initializes the OIDC provider.
|
|
func initOIDC(issuerURL, clientID, clientSecret, redirectURL string) (err error) {
|
|
if issuerURL == "" {
|
|
return nil // OIDC not configured
|
|
}
|
|
|
|
apiOAuth, err = NewOIDCProvider(issuerURL, clientID, clientSecret, redirectURL)
|
|
APIOIDCCallbackHandler = apiOAuth.OIDCCallbackHandler
|
|
return
|
|
}
|
|
|
|
func NewOIDCProvider(issuerURL, clientID, clientSecret, redirectURL string) (*OIDCProvider, error) {
|
|
provider, err := oidc.NewProvider(context.Background(), issuerURL)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to initialize OIDC provider: %w", err)
|
|
}
|
|
|
|
return &OIDCProvider{
|
|
oauthConfig: &oauth2.Config{
|
|
ClientID: clientID,
|
|
ClientSecret: clientSecret,
|
|
RedirectURL: redirectURL,
|
|
Endpoint: provider.Endpoint(),
|
|
Scopes: strutils.CommaSeperatedList(common.OIDCScopes),
|
|
},
|
|
oidcProvider: provider,
|
|
oidcVerifier: provider.Verifier(&oidc.Config{
|
|
ClientID: clientID,
|
|
}),
|
|
}, nil
|
|
}
|
|
|
|
func NewOIDCProviderFromEnv(redirectURL string) (*OIDCProvider, error) {
|
|
return NewOIDCProvider(
|
|
common.OIDCIssuerURL,
|
|
common.OIDCClientID,
|
|
common.OIDCClientSecret,
|
|
redirectURL,
|
|
)
|
|
}
|
|
|
|
func (provider *OIDCProvider) SetOverrideHostEnabled(enabled bool) {
|
|
provider.overrideHost = enabled
|
|
}
|
|
|
|
// RedirectOIDC initiates the OIDC login flow.
|
|
func (provider *OIDCProvider) RedirectOIDC(w http.ResponseWriter, r *http.Request) {
|
|
if provider == nil {
|
|
U.HandleErr(w, r, E.New("OIDC not configured"), http.StatusNotImplemented)
|
|
return
|
|
}
|
|
|
|
state := common.GenerateRandomString(32)
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: CookieOauthState,
|
|
Value: state,
|
|
MaxAge: 300,
|
|
HttpOnly: true,
|
|
SameSite: http.SameSiteLaxMode,
|
|
Secure: true,
|
|
Path: "/",
|
|
})
|
|
|
|
redirURL := provider.oauthConfig.AuthCodeURL(state)
|
|
if provider.overrideHost {
|
|
u, err := r.URL.Parse(redirURL)
|
|
if err != nil {
|
|
U.HandleErr(w, r, err, http.StatusInternalServerError)
|
|
return
|
|
}
|
|
q := u.Query()
|
|
q.Set("redirect_uri", "https://"+r.Host+q.Get("redirect_uri"))
|
|
u.RawQuery = q.Encode()
|
|
redirURL = u.String()
|
|
}
|
|
http.Redirect(w, r, redirURL, http.StatusTemporaryRedirect)
|
|
}
|
|
|
|
// OIDCCallbackHandler handles the OIDC callback.
|
|
func (provider *OIDCProvider) OIDCCallbackHandler(w http.ResponseWriter, r *http.Request) {
|
|
if provider == nil {
|
|
U.HandleErr(w, r, E.New("OIDC not configured"), http.StatusNotImplemented)
|
|
return
|
|
}
|
|
|
|
// For testing purposes, skip provider verification
|
|
if common.IsTest {
|
|
handleTestCallback(w, r)
|
|
return
|
|
}
|
|
|
|
if provider.oidcProvider == nil {
|
|
U.HandleErr(w, r, E.New("OIDC not configured"), http.StatusNotImplemented)
|
|
return
|
|
}
|
|
|
|
state, err := r.Cookie(CookieOauthState)
|
|
if err != nil {
|
|
U.HandleErr(w, r, E.New("missing state cookie"), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if r.URL.Query().Get("state") != state.Value {
|
|
U.HandleErr(w, r, E.New("invalid oauth state"), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
code := r.URL.Query().Get("code")
|
|
oauth2Token, err := provider.oauthConfig.Exchange(r.Context(), code)
|
|
if err != nil {
|
|
U.HandleErr(w, r, fmt.Errorf("failed to exchange token: %w", err), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
rawIDToken, ok := oauth2Token.Extra("id_token").(string)
|
|
if !ok {
|
|
U.HandleErr(w, r, E.New("missing id_token"), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
idToken, err := provider.oidcVerifier.Verify(r.Context(), rawIDToken)
|
|
if err != nil {
|
|
U.HandleErr(w, r, fmt.Errorf("failed to verify ID token: %w", err), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
var claims struct {
|
|
Email string `json:"email"`
|
|
Username string `json:"preferred_username"`
|
|
}
|
|
if err := idToken.Claims(&claims); err != nil {
|
|
U.HandleErr(w, r, fmt.Errorf("failed to parse claims: %w", err), http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
if err := setAuthenticatedCookie(w, r, claims.Username); err != nil {
|
|
U.HandleErr(w, r, err, http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Redirect to home page
|
|
http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
|
|
}
|
|
|
|
// handleTestCallback handles OIDC callback in test environment.
|
|
func handleTestCallback(w http.ResponseWriter, r *http.Request) {
|
|
state, err := r.Cookie(CookieOauthState)
|
|
if err != nil {
|
|
U.HandleErr(w, r, E.New("missing state cookie"), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
if r.URL.Query().Get("state") != state.Value {
|
|
U.HandleErr(w, r, E.New("invalid oauth state"), http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Create test JWT token
|
|
if err := setAuthenticatedCookie(w, r, "test-user"); err != nil {
|
|
U.HandleErr(w, r, err, http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
|
|
}
|