authorizer/server/handlers/authorize.go

package handlers

import (
	"net/http"
	"strconv"
	"strings"
	"time"

	"github.com/gin-gonic/gin"
	"github.com/google/uuid"
	log "github.com/sirupsen/logrus"

	"github.com/authorizerdev/authorizer/server/constants"
	"github.com/authorizerdev/authorizer/server/cookie"
	"github.com/authorizerdev/authorizer/server/db"
	"github.com/authorizerdev/authorizer/server/memorystore"
	"github.com/authorizerdev/authorizer/server/token"
)

// AuthorizeHandler is the handler for the /authorize route
// required params
// ?redirect_uri = redirect url
// ?response_mode = to decide if result should be html or re-direct
// state[recommended] = to prevent CSRF attack (for authorizer its compulsory)
// code_challenge = to prevent CSRF attack
// code_challenge_method = to prevent CSRF attack [only sh256 is supported]

// check the flow for generating and verifying codes: https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#:~:text=PKCE%20works%20by%20having%20the,is%20called%20the%20Code%20Challenge.
func AuthorizeHandler() gin.HandlerFunc {
	return func(gc *gin.Context) {
		redirectURI := strings.TrimSpace(gc.Query("redirect_uri"))
		responseType := strings.TrimSpace(gc.Query("response_type"))
		state := strings.TrimSpace(gc.Query("state"))
		codeChallenge := strings.TrimSpace(gc.Query("code_challenge"))
		scopeString := strings.TrimSpace(gc.Query("scope"))
		clientID := strings.TrimSpace(gc.Query("client_id"))
		template := "authorize.tmpl"
		responseMode := strings.TrimSpace(gc.Query("response_mode"))

		var scope []string
		if scopeString == "" {
			scope = []string{"openid", "profile", "email"}
		} else {
			scope = strings.Split(scopeString, " ")
		}

		if responseMode == "" {
			responseMode = "query"
		}

		if responseMode != "query" && responseMode != "web_message" {
			log.Debug("Invalid response_mode: ", responseMode)
			gc.JSON(400, gin.H{"error": "invalid response mode"})
		}

		if redirectURI == "" {
			redirectURI = "/app"
		}

		isQuery := responseMode == "query"

		loginURL := "/app?state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI

		if clientID == "" {
			if isQuery {
				gc.Redirect(http.StatusFound, loginURL)
			} else {
				log.Debug("Failed to get client_id: ", clientID)
				gc.HTML(http.StatusOK, template, gin.H{
					"target_origin": redirectURI,
					"authorization_response": map[string]interface{}{
						"type": "authorization_response",
						"response": map[string]string{
							"error": "client_id is required",
						},
					},
				})
			}
			return
		}

		if client, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID); client != clientID || err != nil {
			if isQuery {
				gc.Redirect(http.StatusFound, loginURL)
			} else {
				log.Debug("Invalid client_id: ", clientID)
				gc.HTML(http.StatusOK, template, gin.H{
					"target_origin": redirectURI,
					"authorization_response": map[string]interface{}{
						"type": "authorization_response",
						"response": map[string]string{
							"error": "invalid_client_id",
						},
					},
				})
			}
			return
		}

		if state == "" {
			if isQuery {
				gc.Redirect(http.StatusFound, loginURL)
			} else {
				log.Debug("Failed to get state: ", state)
				gc.HTML(http.StatusOK, template, gin.H{
					"target_origin": redirectURI,
					"authorization_response": map[string]interface{}{
						"type": "authorization_response",
						"response": map[string]string{
							"error": "state is required",
						},
					},
				})
			}
			return
		}

		if responseType == "" {
			responseType = "token"
		}

		isResponseTypeCode := responseType == "code"
		isResponseTypeToken := responseType == "token"

		if !isResponseTypeCode && !isResponseTypeToken {
			if isQuery {
				gc.Redirect(http.StatusFound, loginURL)
			} else {
				log.Debug("Invalid response_type: ", responseType)
				gc.HTML(http.StatusOK, template, gin.H{
					"target_origin": redirectURI,
					"authorization_response": map[string]interface{}{
						"type": "authorization_response",
						"response": map[string]string{
							"error": "response_type is invalid",
						},
					},
				})
			}
			return
		}

		if isResponseTypeCode {
			if codeChallenge == "" {
				if isQuery {
					gc.Redirect(http.StatusFound, loginURL)
				} else {
					log.Debug("Failed to get code_challenge: ", codeChallenge)
					gc.HTML(http.StatusBadRequest, template, gin.H{
						"target_origin": redirectURI,
						"authorization_response": map[string]interface{}{
							"type": "authorization_response",
							"response": map[string]string{
								"error": "code_challenge is required",
							},
						},
					})
				}
				return
			}
		}

		sessionToken, err := cookie.GetSession(gc)
		if err != nil {
			if isQuery {
				gc.Redirect(http.StatusFound, loginURL)
			} else {
				gc.HTML(http.StatusOK, template, gin.H{
					"target_origin": redirectURI,
					"authorization_response": map[string]interface{}{
						"type": "authorization_response",
						"response": map[string]string{
							"error":             "login_required",
							"error_description": "Login is required",
						},
					},
				})
			}
			return
		}

		// get session from cookie
		claims, err := token.ValidateBrowserSession(gc, sessionToken)
		if err != nil {
			if isQuery {
				gc.Redirect(http.StatusFound, loginURL)
			} else {
				gc.HTML(http.StatusOK, template, gin.H{
					"target_origin": redirectURI,
					"authorization_response": map[string]interface{}{
						"type": "authorization_response",
						"response": map[string]string{
							"error":             "login_required",
							"error_description": "Login is required",
						},
					},
				})
			}
			return
		}
		userID := claims.Subject
		user, err := db.Provider.GetUserByID(userID)
		if err != nil {
			if isQuery {
				gc.Redirect(http.StatusFound, loginURL)
			} else {
				gc.HTML(http.StatusOK, template, gin.H{
					"target_origin": redirectURI,
					"authorization_response": map[string]interface{}{
						"type": "authorization_response",
						"response": map[string]string{
							"error":             "signup_required",
							"error_description": "Sign up required",
						},
					},
				})
			}
			return
		}

		sessionKey := user.ID
		if claims.LoginMethod != "" {
			sessionKey = claims.LoginMethod + ":" + user.ID
		}

		// if user is logged in
		// based on the response type code, generate the response
		if isResponseTypeCode {
			// rollover the session for security
			go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
			nonce := uuid.New().String()
			newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
			if err != nil {
				if isQuery {
					gc.Redirect(http.StatusFound, loginURL)
				} else {
					gc.HTML(http.StatusOK, template, gin.H{
						"target_origin": redirectURI,
						"authorization_response": map[string]interface{}{
							"type": "authorization_response",
							"response": map[string]string{
								"error":             "login_required",
								"error_description": "Login is required",
							},
						},
					})
				}
				return
			}

			memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken)
			cookie.SetSession(gc, newSessionToken)
			code := uuid.New().String()
			memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken)
			gc.HTML(http.StatusOK, template, gin.H{
				"target_origin": redirectURI,
				"authorization_response": map[string]interface{}{
					"type": "authorization_response",
					"response": map[string]string{
						"code":  code,
						"state": state,
					},
				},
			})
			return
		}

		if isResponseTypeToken {
			// rollover the session for security
			authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod)
			if err != nil {
				if isQuery {
					gc.Redirect(http.StatusFound, loginURL)
				} else {
					gc.HTML(http.StatusOK, template, gin.H{
						"target_origin": redirectURI,
						"authorization_response": map[string]interface{}{
							"type": "authorization_response",
							"response": map[string]string{
								"error":             "login_required",
								"error_description": "Login is required",
							},
						},
					})
				}
				return
			}

			go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
			cookie.SetSession(gc, authToken.FingerPrintHash)

			expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
			if expiresIn <= 0 {
				expiresIn = 1
			}

			// used of query mode
			params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token

			res := map[string]interface{}{
				"access_token": authToken.AccessToken.Token,
				"id_token":     authToken.IDToken.Token,
				"state":        state,
				"scope":        scope,
				"token_type":   "Bearer",
				"expires_in":   expiresIn,
			}

			if authToken.RefreshToken != nil {
				res["refresh_token"] = authToken.RefreshToken.Token
				params += "&refresh_token=" + authToken.RefreshToken.Token
				memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
			}

			if isQuery {
				if strings.Contains(redirectURI, "?") {
					gc.Redirect(http.StatusFound, redirectURI+"&"+params)
				} else {
					gc.Redirect(http.StatusFound, redirectURI+"?"+params)
				}
			} else {
				gc.HTML(http.StatusOK, template, gin.H{
					"target_origin": redirectURI,
					"authorization_response": map[string]interface{}{
						"type":     "authorization_response",
						"response": res,
					},
				})
			}
			return
		}

		if isQuery {
			gc.Redirect(http.StatusFound, loginURL)
		} else {
			// by default return with error
			gc.HTML(http.StatusOK, template, gin.H{
				"target_origin": redirectURI,
				"authorization_response": map[string]interface{}{
					"type": "authorization_response",
					"response": map[string]string{
						"error":             "login_required",
						"error_description": "Login is required",
					},
				},
			})
		}
	}
}
feat: add session token 2022-02-28 15:56:49 +00:00			`package handlers`

			`import (`
			`"net/http"`
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`"strconv"`
feat: add session token 2022-02-28 15:56:49 +00:00			`"strings"`
enhancement: add access_token_expiry_time env variable 2022-03-25 12:21:20 +00:00			`"time"`
feat: add session token 2022-02-28 15:56:49 +00:00
feat: add logs for http handlers 2022-05-23 06:22:51 +00:00			`"github.com/gin-gonic/gin"`
			`"github.com/google/uuid"`
			`log "github.com/sirupsen/logrus"`

fix: oauth login 2022-03-07 03:01:39 +00:00			`"github.com/authorizerdev/authorizer/server/constants"`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`"github.com/authorizerdev/authorizer/server/cookie"`
			`"github.com/authorizerdev/authorizer/server/db"`
fix: move sessionstore -> memstore 2022-05-27 17:50:38 +00:00			`"github.com/authorizerdev/authorizer/server/memorystore"`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`"github.com/authorizerdev/authorizer/server/token"`
feat: add session token 2022-02-28 15:56:49 +00:00			`)`

			`// AuthorizeHandler is the handler for the /authorize route`
			`// required params`
			`// ?redirect_uri = redirect url`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`// ?response_mode = to decide if result should be html or re-direct`
feat: add session token 2022-02-28 15:56:49 +00:00			`// state[recommended] = to prevent CSRF attack (for authorizer its compulsory)`
			`// code_challenge = to prevent CSRF attack`
			`// code_challenge_method = to prevent CSRF attack [only sh256 is supported]`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00
			`// check the flow for generating and verifying codes: https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#:~:text=PKCE%20works%20by%20having%20the,is%20called%20the%20Code%20Challenge.`
feat: add session token 2022-02-28 15:56:49 +00:00			`func AuthorizeHandler() gin.HandlerFunc {`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`return func(gc *gin.Context) {`
			`redirectURI := strings.TrimSpace(gc.Query("redirect_uri"))`
			`responseType := strings.TrimSpace(gc.Query("response_type"))`
			`state := strings.TrimSpace(gc.Query("state"))`
			`codeChallenge := strings.TrimSpace(gc.Query("code_challenge"))`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`scopeString := strings.TrimSpace(gc.Query("scope"))`
fix: oauth login 2022-03-07 03:01:39 +00:00			`clientID := strings.TrimSpace(gc.Query("client_id"))`
feat: add session token 2022-02-28 15:56:49 +00:00			`template := "authorize.tmpl"`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`responseMode := strings.TrimSpace(gc.Query("response_mode"))`
feat: add session token 2022-02-28 15:56:49 +00:00
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`var scope []string`
			`if scopeString == "" {`
			`scope = []string{"openid", "profile", "email"}`
			`} else {`
			`scope = strings.Split(scopeString, " ")`
			`}`

feat: add support for response mode 2022-03-07 13:19:18 +00:00			`if responseMode == "" {`
			`responseMode = "query"`
fix: oauth login 2022-03-07 03:01:39 +00:00			`}`

feat: add support for response mode 2022-03-07 13:19:18 +00:00			`if responseMode != "query" && responseMode != "web_message" {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Invalid response_mode: ", responseMode)`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`gc.JSON(400, gin.H{"error": "invalid response mode"})`
			`}`

			`if redirectURI == "" {`
			`redirectURI = "/app"`
			`}`

			`isQuery := responseMode == "query"`

fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`loginURL := "/app?state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI`
feat: add support for response mode 2022-03-07 13:19:18 +00:00
			`if clientID == "" {`
			`if isQuery {`
			`gc.Redirect(http.StatusFound, loginURL)`
			`} else {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to get client_id: ", clientID)`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`gc.HTML(http.StatusOK, template, gin.H{`
			`"target_origin": redirectURI,`
			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": map[string]string{`
			`"error": "client_id is required",`
			`},`
fix: oauth login 2022-03-07 03:01:39 +00:00			`},`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`})`
			`}`
fix: oauth login 2022-03-07 03:01:39 +00:00			`return`
			`}`

fix: update store method till handlers 2022-05-29 11:52:46 +00:00			`if client, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID); client != clientID \|\| err != nil {`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`if isQuery {`
			`gc.Redirect(http.StatusFound, loginURL)`
			`} else {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Invalid client_id: ", clientID)`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`gc.HTML(http.StatusOK, template, gin.H{`
			`"target_origin": redirectURI,`
			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": map[string]string{`
			`"error": "invalid_client_id",`
			`},`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`},`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`})`
			`}`
feat: add session token 2022-02-28 15:56:49 +00:00			`return`
			`}`

			`if state == "" {`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`if isQuery {`
			`gc.Redirect(http.StatusFound, loginURL)`
			`} else {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to get state: ", state)`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`gc.HTML(http.StatusOK, template, gin.H{`
			`"target_origin": redirectURI,`
			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": map[string]string{`
			`"error": "state is required",`
			`},`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`},`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`})`
			`}`
feat: add session token 2022-02-28 15:56:49 +00:00			`return`
			`}`

			`if responseType == "" {`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`responseType = "token"`
feat: add session token 2022-02-28 15:56:49 +00:00			`}`

feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`isResponseTypeCode := responseType == "code"`
			`isResponseTypeToken := responseType == "token"`
feat: add session token 2022-02-28 15:56:49 +00:00
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`if !isResponseTypeCode && !isResponseTypeToken {`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`if isQuery {`
			`gc.Redirect(http.StatusFound, loginURL)`
			`} else {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Invalid response_type: ", responseType)`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`gc.HTML(http.StatusOK, template, gin.H{`
fix: oauth login 2022-03-07 03:01:39 +00:00			`"target_origin": redirectURI,`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": map[string]string{`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`"error": "response_type is invalid",`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`},`
			`},`
			`})`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`}`
			`return`
			`}`

			`if isResponseTypeCode {`
			`if codeChallenge == "" {`
			`if isQuery {`
			`gc.Redirect(http.StatusFound, loginURL)`
			`} else {`
fix: format logs 2022-05-25 07:00:22 +00:00			`log.Debug("Failed to get code_challenge: ", codeChallenge)`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`gc.HTML(http.StatusBadRequest, template, gin.H{`
			`"target_origin": redirectURI,`
			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": map[string]string{`
			`"error": "code_challenge is required",`
			`},`
			`},`
			`})`
			`}`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`return`
			`}`
			`}`

			`sessionToken, err := cookie.GetSession(gc)`
			`if err != nil {`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`if isQuery {`
			`gc.Redirect(http.StatusFound, loginURL)`
			`} else {`
			`gc.HTML(http.StatusOK, template, gin.H{`
			`"target_origin": redirectURI,`
			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": map[string]string{`
			`"error": "login_required",`
			`"error_description": "Login is required",`
			`},`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`},`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`})`
			`}`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`return`
			`}`

			`// get session from cookie`
			`claims, err := token.ValidateBrowserSession(gc, sessionToken)`
			`if err != nil {`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`if isQuery {`
			`gc.Redirect(http.StatusFound, loginURL)`
			`} else {`
			`gc.HTML(http.StatusOK, template, gin.H{`
			`"target_origin": redirectURI,`
			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": map[string]string{`
			`"error": "login_required",`
			`"error_description": "Login is required",`
			`},`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`},`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`})`
			`}`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`return`
			`}`
			`userID := claims.Subject`
			`user, err := db.Provider.GetUserByID(userID)`
			`if err != nil {`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`if isQuery {`
			`gc.Redirect(http.StatusFound, loginURL)`
			`} else {`
			`gc.HTML(http.StatusOK, template, gin.H{`
			`"target_origin": redirectURI,`
			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": map[string]string{`
			`"error": "signup_required",`
			`"error_description": "Sign up required",`
			`},`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`},`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`})`
			`}`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`return`
			`}`

fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`sessionKey := user.ID`
			`if claims.LoginMethod != "" {`
			`sessionKey = claims.LoginMethod + ":" + user.ID`
			`}`

feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`// if user is logged in`
fix: add provider to token creation 2022-06-29 04:24:12 +00:00			`// based on the response type code, generate the response`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`if isResponseTypeCode {`
			`// rollover the session for security`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`nonce := uuid.New().String()`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`if err != nil {`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`if isQuery {`
			`gc.Redirect(http.StatusFound, loginURL)`
			`} else {`
			`gc.HTML(http.StatusOK, template, gin.H{`
			`"target_origin": redirectURI,`
			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": map[string]string{`
			`"error": "login_required",`
			`"error_description": "Login is required",`
			`},`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`},`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`})`
			`}`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`return`
			`}`

fix: user session access 2022-06-11 18:57:21 +00:00			`memorystore.Provider.SetUserSession(user.ID, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken)`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`cookie.SetSession(gc, newSessionToken)`
			`code := uuid.New().String()`
fix: move sessionstore -> memstore 2022-05-27 17:50:38 +00:00			`memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken)`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`gc.HTML(http.StatusOK, template, gin.H{`
			`"target_origin": redirectURI,`
fix: oauth login 2022-03-07 03:01:39 +00:00			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": map[string]string{`
			`"code": code,`
			`"state": state,`
			`},`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`},`
			`})`
			`return`
			`}`

			`if isResponseTypeToken {`
			`// rollover the session for security`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod)`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`if err != nil {`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`if isQuery {`
			`gc.Redirect(http.StatusFound, loginURL)`
			`} else {`
			`gc.HTML(http.StatusOK, template, gin.H{`
			`"target_origin": redirectURI,`
			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": map[string]string{`
			`"error": "login_required",`
			`"error_description": "Login is required",`
			`},`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`},`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`})`
			`}`
feat: add session token 2022-02-28 15:56:49 +00:00			`return`
			`}`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00
			`go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)`
			`memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)`
			`memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)`
fix: refresh token param in string 2022-03-08 14:01:19 +00:00			`cookie.SetSession(gc, authToken.FingerPrintHash)`
enhancement: add access_token_expiry_time env variable 2022-03-25 12:21:20 +00:00
			`expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()`
			`if expiresIn <= 0 {`
			`expiresIn = 1`
			`}`
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00
			`// used of query mode`
			`params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token`

feat: add token endpoint 2022-03-04 07:26:11 +00:00			`res := map[string]interface{}{`
			`"access_token": authToken.AccessToken.Token,`
			`"id_token": authToken.IDToken.Token,`
			`"state": state,`
			`"scope": scope,`
			`"token_type": "Bearer",`
			`"expires_in": expiresIn,`
			`}`

			`if authToken.RefreshToken != nil {`
			`res["refresh_token"] = authToken.RefreshToken.Token`
fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`params += "&refresh_token=" + authToken.RefreshToken.Token`
fix: add namespace to session token keys 2022-06-29 16:54:00 +00:00			`memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)`
feat: add token endpoint 2022-03-04 07:26:11 +00:00			`}`

fix: add token information in redirect url 2022-03-08 07:06:26 +00:00			`if isQuery {`
			`if strings.Contains(redirectURI, "?") {`
			`gc.Redirect(http.StatusFound, redirectURI+"&"+params)`
			`} else {`
			`gc.Redirect(http.StatusFound, redirectURI+"?"+params)`
			`}`
			`} else {`
			`gc.HTML(http.StatusOK, template, gin.H{`
			`"target_origin": redirectURI,`
			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": res,`
			`},`
			`})`
			`}`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`return`
feat: add session token 2022-02-28 15:56:49 +00:00			`}`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`if isQuery {`
			`gc.Redirect(http.StatusFound, loginURL)`
			`} else {`
			`// by default return with error`
			`gc.HTML(http.StatusOK, template, gin.H{`
			`"target_origin": redirectURI,`
			`"authorization_response": map[string]interface{}{`
			`"type": "authorization_response",`
			`"response": map[string]string{`
			`"error": "login_required",`
			`"error_description": "Login is required",`
			`},`
feat: add userinfo + logout 2022-03-03 19:06:27 +00:00			`},`
feat: add support for response mode 2022-03-07 13:19:18 +00:00			`})`
			`}`
feat: add session token 2022-02-28 15:56:49 +00:00			`}`
			`}`