-
Notifications
You must be signed in to change notification settings - Fork 47
/
oauth2.go
216 lines (192 loc) · 5.75 KB
/
oauth2.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
// Copyright 2014 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// Package oauth2 contains Martini handlers to provide
// user login via an OAuth 2.0 backend.
package oauth2
import (
"encoding/json"
"fmt"
"net/http"
"net/url"
"time"
"github.com/go-martini/martini"
"github.com/martini-contrib/sessions"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
)
const (
codeRedirect = 302
keyToken = "oauth2_token"
keyNextPage = "next"
)
var (
// PathLogin is the path to handle OAuth 2.0 logins.
PathLogin = "/login"
// PathLogout is the path to handle OAuth 2.0 logouts.
PathLogout = "/logout"
// PathCallback is the path to handle callback from OAuth 2.0 backend
// to exchange credentials.
PathCallback = "/oauth2callback"
// PathError is the path to handle error cases.
PathError = "/oauth2error"
)
// Tokens represents a container that contains user's OAuth 2.0 access and refresh tokens.
type Tokens interface {
Access() string
Refresh() string
Expired() bool
ExpiryTime() time.Time
}
type token struct {
oauth2.Token
}
// Access returns the access token.
func (t *token) Access() string {
return t.AccessToken
}
// Refresh returns the refresh token.
func (t *token) Refresh() string {
return t.RefreshToken
}
// Expired returns whether the access token is expired or not.
func (t *token) Expired() bool {
if t == nil {
return true
}
return !t.Token.Valid()
}
// ExpiryTime returns the expiry time of the user's access token.
func (t *token) ExpiryTime() time.Time {
return t.Expiry
}
// String returns the string representation of the token.
func (t *token) String() string {
return fmt.Sprintf("tokens: %v", t)
}
// Google returns a new Google OAuth 2.0 backend endpoint.
func Google(conf *oauth2.Config) martini.Handler {
conf.Endpoint = google.Endpoint
return NewOAuth2Provider(conf)
}
// Github returns a new Github OAuth 2.0 backend endpoint.
func Github(conf *oauth2.Config) martini.Handler {
conf.Endpoint = oauth2.Endpoint{
AuthURL: "https://github.com/login/oauth/authorize",
TokenURL: "https://github.com/login/oauth/access_token",
}
return NewOAuth2Provider(conf)
}
// Facebook returns a new Facebook OAuth 2.0 backend endpoint.
func Facebook(conf *oauth2.Config) martini.Handler {
conf.Endpoint = oauth2.Endpoint{
AuthURL: "https://www.facebook.com/dialog/oauth",
TokenURL: "https://graph.facebook.com/oauth/access_token",
}
return NewOAuth2Provider(conf)
}
// LinkedIn returns a new LinkedIn OAuth 2.0 backend endpoint.
func LinkedIn(conf *oauth2.Config) martini.Handler {
conf.Endpoint = oauth2.Endpoint{
AuthURL: "https://www.linkedin.com/uas/oauth2/authorization",
TokenURL: "https://www.linkedin.com/uas/oauth2/accessToken",
}
return NewOAuth2Provider(conf)
}
// NewOAuth2Provider returns a generic OAuth 2.0 backend endpoint.
func NewOAuth2Provider(conf *oauth2.Config) martini.Handler {
return func(s sessions.Session, c martini.Context, w http.ResponseWriter, r *http.Request) {
if r.Method == "GET" {
switch r.URL.Path {
case PathLogin:
login(conf, s, w, r)
case PathLogout:
logout(s, w, r)
case PathCallback:
handleOAuth2Callback(conf, s, w, r)
}
}
tk := unmarshallToken(s)
if tk != nil {
// check if the access token is expired
if tk.Expired() && tk.Refresh() == "" {
s.Delete(keyToken)
tk = nil
}
}
// Inject tokens.
c.MapTo(tk, (*Tokens)(nil))
}
}
// Handler that redirects user to the login page
// if user is not logged in.
// Sample usage:
// m.Get("/login-required", oauth2.LoginRequired, func() ... {})
var LoginRequired = func() martini.Handler {
return func(s sessions.Session, c martini.Context, w http.ResponseWriter, r *http.Request) {
token := unmarshallToken(s)
if token == nil || token.Expired() {
next := url.QueryEscape(r.URL.RequestURI())
http.Redirect(w, r, PathLogin+"?next="+next, codeRedirect)
}
}
}()
func login(f *oauth2.Config, s sessions.Session, w http.ResponseWriter, r *http.Request) {
next := extractPath(r.URL.Query().Get(keyNextPage))
if s.Get(keyToken) == nil {
// User is not logged in.
if next == "" {
next = "/"
}
http.Redirect(w, r, f.AuthCodeURL(next), codeRedirect)
return
}
// No need to login, redirect to the next page.
http.Redirect(w, r, next, codeRedirect)
}
func logout(s sessions.Session, w http.ResponseWriter, r *http.Request) {
next := extractPath(r.URL.Query().Get(keyNextPage))
s.Delete(keyToken)
http.Redirect(w, r, next, codeRedirect)
}
func handleOAuth2Callback(f *oauth2.Config, s sessions.Session, w http.ResponseWriter, r *http.Request) {
next := extractPath(r.URL.Query().Get("state"))
code := r.URL.Query().Get("code")
t, err := f.Exchange(oauth2.NoContext, code)
if err != nil {
// Pass the error message, or allow dev to provide its own
// error handler.
http.Redirect(w, r, PathError, codeRedirect)
return
}
// Store the credentials in the session.
val, _ := json.Marshal(t)
s.Set(keyToken, val)
http.Redirect(w, r, next, codeRedirect)
}
func unmarshallToken(s sessions.Session) (t *token) {
if s.Get(keyToken) == nil {
return
}
data := s.Get(keyToken).([]byte)
var tk oauth2.Token
json.Unmarshal(data, &tk)
return &token{tk}
}
func extractPath(next string) string {
n, err := url.Parse(next)
if err != nil {
return "/"
}
return n.Path
}