Files
authorizer/server/handlers/token.go

275 lines
8.4 KiB
Go
Raw Normal View History

2022-03-04 12:56:11 +05:30
package handlers
import (
"crypto/sha256"
"encoding/base64"
"net/http"
"strings"
"time"
2022-03-04 12:56:11 +05:30
2022-05-23 11:52:51 +05:30
"github.com/gin-gonic/gin"
"github.com/google/uuid"
2022-05-23 11:52:51 +05:30
log "github.com/sirupsen/logrus"
2022-03-07 08:31:39 +05:30
"github.com/authorizerdev/authorizer/server/constants"
2022-03-04 12:56:11 +05:30
"github.com/authorizerdev/authorizer/server/cookie"
"github.com/authorizerdev/authorizer/server/db"
2022-05-27 23:20:38 +05:30
"github.com/authorizerdev/authorizer/server/memorystore"
2022-03-04 12:56:11 +05:30
"github.com/authorizerdev/authorizer/server/token"
)
2022-11-12 23:54:37 +05:30
type RequestBody struct {
CodeVerifier string `form:"code_verifier" json:"code_verifier"`
Code string `form:"code" json:"code"`
ClientID string `form:"client_id" json:"client_id"`
ClientSecret string `form:"client_secret" json:"client_secret"`
GrantType string `form:"grant_type" json:"grant_type"`
RefreshToken string `form:"refresh_token" json:"refresh_token"`
RedirectURI string `form:"redirect_uri" json:"redirect_uri"`
}
2022-03-08 18:49:42 +05:30
// TokenHandler to handle /oauth/token requests
// grant type required
2022-03-04 12:56:11 +05:30
func TokenHandler() gin.HandlerFunc {
return func(gc *gin.Context) {
2022-11-12 23:54:37 +05:30
var reqBody RequestBody
if err := gc.Bind(&reqBody); err != nil {
2022-05-23 11:52:51 +05:30
log.Debug("Error binding JSON: ", err)
2022-03-04 12:56:11 +05:30
gc.JSON(http.StatusBadRequest, gin.H{
"error": "error_binding_json",
"error_description": err.Error(),
})
return
}
2022-11-12 23:54:37 +05:30
codeVerifier := strings.TrimSpace(reqBody.CodeVerifier)
code := strings.TrimSpace(reqBody.Code)
clientID := strings.TrimSpace(reqBody.ClientID)
grantType := strings.TrimSpace(reqBody.GrantType)
refreshToken := strings.TrimSpace(reqBody.RefreshToken)
clientSecret := strings.TrimSpace(reqBody.ClientSecret)
if grantType == "" {
grantType = "authorization_code"
}
isRefreshTokenGrant := grantType == "refresh_token"
isAuthorizationCodeGrant := grantType == "authorization_code"
if !isRefreshTokenGrant && !isAuthorizationCodeGrant {
2022-05-25 12:30:22 +05:30
log.Debug("Invalid grant type: ", grantType)
gc.JSON(http.StatusBadRequest, gin.H{
"error": "invalid_grant_type",
"error_description": "grant_type is invalid",
})
}
2022-03-07 08:31:39 +05:30
// check if clientID & clientSecret are present as part of
// authorization header with basic auth
2022-11-17 05:44:40 +05:30
if clientID == "" && clientSecret == "" {
clientID, clientSecret, _ = gc.Request.BasicAuth()
}
2022-03-07 08:31:39 +05:30
if clientID == "" {
2022-05-23 11:52:51 +05:30
log.Debug("Client ID is empty")
2022-03-07 08:31:39 +05:30
gc.JSON(http.StatusBadRequest, gin.H{
"error": "client_id_required",
"error_description": "The client id is required",
})
return
}
2022-05-29 17:22:46 +05:30
if client, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID); clientID != client || err != nil {
2022-05-25 12:30:22 +05:30
log.Debug("Client ID is invalid: ", clientID)
2022-03-07 08:31:39 +05:30
gc.JSON(http.StatusBadRequest, gin.H{
"error": "invalid_client_id",
"error_description": "The client id is invalid",
})
return
}
2022-03-04 12:56:11 +05:30
var userID string
var roles, scope []string
loginMethod := ""
sessionKey := ""
if isAuthorizationCodeGrant {
if code == "" {
2022-05-23 11:52:51 +05:30
log.Debug("Code is empty")
gc.JSON(http.StatusBadRequest, gin.H{
"error": "invalid_code",
"error_description": "The code is required",
})
return
}
2022-03-04 12:56:11 +05:30
2022-11-12 23:54:37 +05:30
if codeVerifier == "" && clientSecret == "" {
gc.JSON(http.StatusBadRequest, gin.H{
2022-11-12 23:54:37 +05:30
"error": "invalid_dat",
"error_description": "The code verifier or client secret is required",
})
return
}
2022-11-12 23:54:37 +05:30
// Get state
sessionData, err := memorystore.Provider.GetState(code)
if sessionData == "" || err != nil {
log.Debug("Session data is empty")
gc.JSON(http.StatusBadRequest, gin.H{
2022-11-12 23:54:37 +05:30
"error": "invalid_code",
"error_description": "The code is invalid",
})
return
}
2022-11-12 23:54:37 +05:30
// [0] -> code_challenge
// [1] -> session cookie
sessionDataSplit := strings.Split(sessionData, "@@")
go memorystore.Provider.RemoveState(code)
if codeVerifier != "" {
hash := sha256.New()
hash.Write([]byte(codeVerifier))
encryptedCode := strings.ReplaceAll(base64.RawURLEncoding.EncodeToString(hash.Sum(nil)), "+", "-")
encryptedCode = strings.ReplaceAll(encryptedCode, "/", "_")
encryptedCode = strings.ReplaceAll(encryptedCode, "=", "")
if encryptedCode != sessionDataSplit[0] {
gc.JSON(http.StatusBadRequest, gin.H{
"error": "invalid_code_verifier",
"error_description": "The code verifier is invalid",
})
return
}
} else {
if clientHash, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientSecret); clientSecret != clientHash || err != nil {
log.Debug("Client Secret is invalid: ", clientID)
gc.JSON(http.StatusBadRequest, gin.H{
"error": "invalid_client_secret",
"error_description": "The client secret is invalid",
})
return
}
}
// validate session
claims, err := token.ValidateBrowserSession(gc, sessionDataSplit[1])
if err != nil {
2022-05-23 11:52:51 +05:30
log.Debug("Error validating session: ", err)
gc.JSON(http.StatusUnauthorized, gin.H{
"error": "unauthorized",
"error_description": "Invalid session data",
})
return
}
userID = claims.Subject
roles = claims.Roles
scope = claims.Scope
loginMethod = claims.LoginMethod
2022-06-12 00:27:21 +05:30
// rollover the session for security
sessionKey = userID
if loginMethod != "" {
sessionKey = loginMethod + ":" + userID
}
go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
2022-11-12 23:54:37 +05:30
} else {
// validate refresh token
if refreshToken == "" {
2022-05-23 11:52:51 +05:30
log.Debug("Refresh token is empty")
gc.JSON(http.StatusBadRequest, gin.H{
"error": "invalid_refresh_token",
"error_description": "The refresh token is invalid",
})
2022-11-03 11:51:59 +01:00
return
}
claims, err := token.ValidateRefreshToken(gc, refreshToken)
if err != nil {
2022-05-23 11:52:51 +05:30
log.Debug("Error validating refresh token: ", err)
gc.JSON(http.StatusUnauthorized, gin.H{
"error": "unauthorized",
"error_description": err.Error(),
})
2022-11-03 11:51:59 +01:00
return
}
userID = claims["sub"].(string)
2022-11-04 01:40:18 +05:30
claimLoginMethod := claims["login_method"]
2022-03-08 21:13:23 +05:30
rolesInterface := claims["roles"].([]interface{})
scopeInterface := claims["scope"].([]interface{})
for _, v := range rolesInterface {
roles = append(roles, v.(string))
}
for _, v := range scopeInterface {
scope = append(scope, v.(string))
}
sessionKey = userID
2022-11-04 01:40:18 +05:30
if claimLoginMethod != nil && claimLoginMethod != "" {
sessionKey = claimLoginMethod.(string) + ":" + sessionKey
loginMethod = claimLoginMethod.(string)
}
2022-11-04 01:40:18 +05:30
2022-03-08 19:18:33 +05:30
// remove older refresh token and rotate it for security
go memorystore.Provider.DeleteUserSession(sessionKey, claims["nonce"].(string))
}
if sessionKey == "" {
log.Debug("Error getting sessionKey: ", sessionKey, loginMethod)
gc.JSON(http.StatusUnauthorized, gin.H{
"error": "unauthorized",
"error_description": "User not found",
})
return
2022-03-04 12:56:11 +05:30
}
2022-07-10 21:49:33 +05:30
user, err := db.Provider.GetUserByID(gc, userID)
2022-03-04 12:56:11 +05:30
if err != nil {
2022-05-23 11:52:51 +05:30
log.Debug("Error getting user: ", err)
2022-03-04 12:56:11 +05:30
gc.JSON(http.StatusUnauthorized, gin.H{
"error": "unauthorized",
"error_description": "User not found",
})
return
}
2022-11-12 23:54:37 +05:30
nonce := uuid.New().String() + "@@" + code
authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, code)
2022-03-04 12:56:11 +05:30
if err != nil {
2022-05-23 11:52:51 +05:30
log.Debug("Error creating auth token: ", err)
2022-03-04 12:56:11 +05:30
gc.JSON(http.StatusUnauthorized, gin.H{
"error": "unauthorized",
"error_description": "User not found",
})
return
}
2022-11-04 01:40:18 +05:30
2023-04-08 13:06:15 +05:30
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash, authToken.SessionTokenExpiresAt)
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token, authToken.AccessToken.ExpiresAt)
2022-03-04 12:56:11 +05:30
cookie.SetSession(gc, authToken.FingerPrintHash)
expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
if expiresIn <= 0 {
expiresIn = 1
}
2022-03-04 12:56:11 +05:30
res := map[string]interface{}{
"access_token": authToken.AccessToken.Token,
"id_token": authToken.IDToken.Token,
"scope": strings.Join(scope, " "),
"roles": roles,
2022-03-04 12:56:11 +05:30
"expires_in": expiresIn,
}
if authToken.RefreshToken != nil {
res["refresh_token"] = authToken.RefreshToken.Token
2023-04-08 13:06:15 +05:30
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
2022-03-04 12:56:11 +05:30
}
gc.JSON(http.StatusOK, res)
}
}