2021-07-17 16:29:50 +00:00
|
|
|
package handlers
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"net/http"
|
2021-10-13 16:41:41 +00:00
|
|
|
"strings"
|
2021-07-17 16:29:50 +00:00
|
|
|
|
2021-08-04 10:25:13 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/constants"
|
2022-01-17 06:02:13 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/envstore"
|
2021-07-23 16:27:44 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/oauth"
|
2022-01-22 19:54:41 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/sessionstore"
|
2021-09-20 05:06:26 +00:00
|
|
|
"github.com/authorizerdev/authorizer/server/utils"
|
2021-07-17 16:29:50 +00:00
|
|
|
"github.com/gin-gonic/gin"
|
|
|
|
|
)
|
|
|
|
|
|
2022-01-17 06:02:13 +00:00
|
|
|
// OAuthLoginHandler set host in the oauth state that is useful for redirecting to oauth_callback
|
2021-08-04 06:48:57 +00:00
|
|
|
func OAuthLoginHandler() gin.HandlerFunc {
|
2021-07-17 16:29:50 +00:00
|
|
|
return func(c *gin.Context) {
|
2022-01-31 06:05:24 +00:00
|
|
|
hostname := utils.GetHost(c)
|
2022-03-08 07:06:26 +00:00
|
|
|
redirectURI := strings.TrimSpace(c.Query("redirectURL"))
|
|
|
|
|
roles := strings.TrimSpace(c.Query("roles"))
|
|
|
|
|
state := strings.TrimSpace(c.Query("state"))
|
|
|
|
|
scopeString := strings.TrimSpace(c.Query("scope"))
|
2021-08-04 06:48:57 +00:00
|
|
|
|
2022-03-08 07:06:26 +00:00
|
|
|
if redirectURI == "" {
|
2021-08-04 06:48:57 +00:00
|
|
|
c.JSON(400, gin.H{
|
2022-03-08 07:06:26 +00:00
|
|
|
"error": "invalid redirect uri",
|
2021-08-04 06:48:57 +00:00
|
|
|
})
|
|
|
|
|
return
|
|
|
|
|
}
|
2021-09-20 05:06:26 +00:00
|
|
|
|
2022-03-08 07:06:26 +00:00
|
|
|
if state == "" {
|
|
|
|
|
c.JSON(400, gin.H{
|
|
|
|
|
"error": "invalid state",
|
|
|
|
|
})
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var scope []string
|
|
|
|
|
if scopeString == "" {
|
|
|
|
|
scope = []string{"openid", "profile", "email"}
|
|
|
|
|
} else {
|
|
|
|
|
scope = strings.Split(scopeString, " ")
|
|
|
|
|
}
|
|
|
|
|
|
2021-10-13 16:41:41 +00:00
|
|
|
if roles != "" {
|
2021-09-20 05:06:26 +00:00
|
|
|
// validate role
|
2021-10-13 16:41:41 +00:00
|
|
|
rolesSplit := strings.Split(roles, ",")
|
|
|
|
|
|
|
|
|
|
// use protected roles verification for admin login only.
|
|
|
|
|
// though if not associated with user, it will be rejected from oauth_callback
|
2022-02-28 02:25:01 +00:00
|
|
|
if !utils.IsValidRoles(append([]string{}, append(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyRoles), envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyProtectedRoles)...)...), rolesSplit) {
|
2021-09-20 05:06:26 +00:00
|
|
|
c.JSON(400, gin.H{
|
|
|
|
|
"error": "invalid role",
|
|
|
|
|
})
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2022-02-28 02:25:01 +00:00
|
|
|
roles = strings.Join(envstore.EnvStoreObj.GetSliceStoreEnvVariable(constants.EnvKeyDefaultRoles), ",")
|
2021-09-20 05:06:26 +00:00
|
|
|
}
|
|
|
|
|
|
2022-03-08 07:06:26 +00:00
|
|
|
oauthStateString := state + "@" + redirectURI + "@" + roles + "@" + strings.Join(scope, ",")
|
2021-08-04 06:48:57 +00:00
|
|
|
|
2021-07-28 11:08:55 +00:00
|
|
|
provider := c.Param("oauth_provider")
|
2021-12-03 17:25:27 +00:00
|
|
|
isProviderConfigured := true
|
2021-07-28 11:08:55 +00:00
|
|
|
switch provider {
|
2022-01-17 06:02:13 +00:00
|
|
|
case constants.SignupMethodGoogle:
|
2021-12-03 17:25:27 +00:00
|
|
|
if oauth.OAuthProviders.GoogleConfig == nil {
|
|
|
|
|
isProviderConfigured = false
|
|
|
|
|
break
|
|
|
|
|
}
|
2022-02-28 15:56:49 +00:00
|
|
|
sessionstore.SetState(oauthStateString, constants.SignupMethodGoogle)
|
2021-08-04 10:25:13 +00:00
|
|
|
// during the init of OAuthProvider authorizer url might be empty
|
2022-01-31 06:05:24 +00:00
|
|
|
oauth.OAuthProviders.GoogleConfig.RedirectURL = hostname + "/oauth_callback/google"
|
2021-12-03 17:25:27 +00:00
|
|
|
url := oauth.OAuthProviders.GoogleConfig.AuthCodeURL(oauthStateString)
|
2021-07-17 16:29:50 +00:00
|
|
|
c.Redirect(http.StatusTemporaryRedirect, url)
|
2022-01-17 06:02:13 +00:00
|
|
|
case constants.SignupMethodGithub:
|
2021-12-03 17:25:27 +00:00
|
|
|
if oauth.OAuthProviders.GithubConfig == nil {
|
|
|
|
|
isProviderConfigured = false
|
|
|
|
|
break
|
|
|
|
|
}
|
2022-02-28 15:56:49 +00:00
|
|
|
sessionstore.SetState(oauthStateString, constants.SignupMethodGithub)
|
2022-01-31 06:05:24 +00:00
|
|
|
oauth.OAuthProviders.GithubConfig.RedirectURL = hostname + "/oauth_callback/github"
|
2021-12-03 17:25:27 +00:00
|
|
|
url := oauth.OAuthProviders.GithubConfig.AuthCodeURL(oauthStateString)
|
2021-07-17 23:18:42 +00:00
|
|
|
c.Redirect(http.StatusTemporaryRedirect, url)
|
2022-01-17 06:02:13 +00:00
|
|
|
case constants.SignupMethodFacebook:
|
2021-12-03 17:25:27 +00:00
|
|
|
if oauth.OAuthProviders.FacebookConfig == nil {
|
|
|
|
|
isProviderConfigured = false
|
|
|
|
|
break
|
|
|
|
|
}
|
2022-02-28 15:56:49 +00:00
|
|
|
sessionstore.SetState(oauthStateString, constants.SignupMethodFacebook)
|
2022-01-31 06:05:24 +00:00
|
|
|
oauth.OAuthProviders.FacebookConfig.RedirectURL = hostname + "/oauth_callback/facebook"
|
2021-12-03 17:25:27 +00:00
|
|
|
url := oauth.OAuthProviders.FacebookConfig.AuthCodeURL(oauthStateString)
|
2021-09-04 22:27:29 +00:00
|
|
|
c.Redirect(http.StatusTemporaryRedirect, url)
|
2021-07-28 11:08:55 +00:00
|
|
|
default:
|
|
|
|
|
c.JSON(422, gin.H{
|
|
|
|
|
"message": "Invalid oauth provider",
|
|
|
|
|
})
|
2021-07-17 23:18:42 +00:00
|
|
|
}
|
2021-12-03 17:25:27 +00:00
|
|
|
|
|
|
|
|
if !isProviderConfigured {
|
|
|
|
|
c.JSON(422, gin.H{
|
|
|
|
|
"message": provider + " not configured",
|
|
|
|
|
})
|
|
|
|
|
}
|
2021-07-17 16:29:50 +00:00
|
|
|
}
|
|
|
|
|
}
|
