feat: add userinfo + logout

2022-03-04 00:36:27 +05:30
parent 5c7d32ec16
commit 2946428ab8
7 changed files with 266 additions and 34 deletions
--- a/server/handlers/authorize.go
+++ b/server/handlers/authorize.go
@@ -5,7 +5,12 @@ import (
 	"net/http"
 	"strings"

+	"github.com/authorizerdev/authorizer/server/cookie"
+	"github.com/authorizerdev/authorizer/server/db"
+	"github.com/authorizerdev/authorizer/server/sessionstore"
+	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 )

 // AuthorizeHandler is the handler for the /authorize route
@@ -14,59 +19,203 @@ import (
 // state[recommended] = to prevent CSRF attack (for authorizer its compulsory)
 // code_challenge = to prevent CSRF attack
 // code_challenge_method = to prevent CSRF attack [only sh256 is supported]
+
+// check the flow for generating and verifying codes: https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#:~:text=PKCE%20works%20by%20having%20the,is%20called%20the%20Code%20Challenge.
 func AuthorizeHandler() gin.HandlerFunc {
-	return func(c *gin.Context) {
-		redirectURI := strings.TrimSpace(c.Query("redirect_uri"))
-		responseType := strings.TrimSpace(c.Query("response_type"))
-		state := strings.TrimSpace(c.Query("state"))
-		codeChallenge := strings.TrimSpace(c.Query("code_challenge"))
-		codeChallengeMethod := strings.TrimSpace(c.Query("code_challenge_method"))
-		fmt.Println(codeChallengeMethod)
+	return func(gc *gin.Context) {
+		redirectURI := strings.TrimSpace(gc.Query("redirect_uri"))
+		responseType := strings.TrimSpace(gc.Query("response_type"))
+		state := strings.TrimSpace(gc.Query("state"))
+		codeChallenge := strings.TrimSpace(gc.Query("code_challenge"))
 		template := "authorize.tmpl"

 		if redirectURI == "" {
-			c.HTML(http.StatusBadRequest, template, gin.H{
-				"targetOrigin":          nil,
-				"authorizationResponse": nil,
-				"error":                 "redirect_uri is required",
+			gc.HTML(http.StatusOK, template, gin.H{
+				"target_origin": nil,
+				"authorization_response": map[string]interface{}{
+					"type": "authorization_response",
+					"response": map[string]string{
+						"error": "redirect_uri is required",
+					},
+				},
 			})
 			return
 		}

 		if state == "" {
-			c.HTML(http.StatusBadRequest, template, gin.H{
-				"targetOrigin":          nil,
-				"authorizationResponse": nil,
-				"error":                 "state is required",
+			gc.HTML(http.StatusOK, template, gin.H{
+				"target_origin": nil,
+				"authorization_response": map[string]interface{}{
+					"type": "authorization_response",
+					"response": map[string]string{
+						"error": "state is required",
+					},
+				},
 			})
 			return
 		}

 		if responseType == "" {
-			responseType = "code"
+			responseType = "token"
 		}

-		isCode := responseType == "code"
-		isToken := responseType == "token"
+		isResponseTypeCode := responseType == "code"
+		isResponseTypeToken := responseType == "token"

-		if !isCode && !isToken {
-			c.HTML(http.StatusBadRequest, template, gin.H{
-				"targetOrigin":          nil,
-				"authorizationResponse": nil,
-				"error":                 "response_type is invalid",
+		if !isResponseTypeCode && !isResponseTypeToken {
+			gc.HTML(http.StatusOK, template, gin.H{
+				"target_origin": nil,
+				"authorization_response": map[string]interface{}{
+					"type": "authorization_response",
+					"response": map[string]string{
+						"error": "response_type is invalid",
+					},
+				},
 			})
 			return
 		}

-		if isCode {
+		if isResponseTypeCode {
 			if codeChallenge == "" {
-				c.HTML(http.StatusBadRequest, template, gin.H{
-					"targetOrigin":          nil,
-					"authorizationResponse": nil,
-					"error":                 "code_challenge is required",
+				gc.HTML(http.StatusBadRequest, template, gin.H{
+					"target_origin": nil,
+					"authorization_response": map[string]interface{}{
+						"type": "authorization_response",
+						"response": map[string]string{
+							"error": "code_challenge is required",
+						},
+					},
 				})
 				return
 			}
 		}
+
+		sessionToken, err := cookie.GetSession(gc)
+		if err != nil {
+			gc.HTML(http.StatusOK, template, gin.H{
+				"target_origin": nil,
+				"authorization_response": map[string]interface{}{
+					"type": "authorization_response",
+					"response": map[string]string{
+						"error":             "login_required",
+						"error_description": "Login is required",
+					},
+				},
+			})
+			return
+		}
+
+		// get session from cookie
+		claims, err := token.ValidateBrowserSession(gc, sessionToken)
+		if err != nil {
+			gc.HTML(http.StatusOK, template, gin.H{
+				"target_origin": nil,
+				"authorization_response": map[string]interface{}{
+					"type": "authorization_response",
+					"response": map[string]string{
+						"error":             "login_required",
+						"error_description": "Login is required",
+					},
+				},
+			})
+			return
+		}
+		userID := claims.Subject
+		user, err := db.Provider.GetUserByID(userID)
+		if err != nil {
+			gc.HTML(http.StatusOK, template, gin.H{
+				"target_origin": nil,
+				"authorization_response": map[string]interface{}{
+					"type": "authorization_response",
+					"response": map[string]string{
+						"error":             "signup_required",
+						"error_description": "Sign up required",
+					},
+				},
+			})
+			return
+		}
+
+		// if user is logged in
+		// based on the response type, generate the response
+		if isResponseTypeCode {
+			// rollover the session for security
+			sessionstore.RemoveState(sessionToken)
+			nonce := uuid.New().String()
+			newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, claims.Scope)
+			if err != nil {
+				gc.HTML(http.StatusOK, template, gin.H{
+					"target_origin": nil,
+					"authorization_response": map[string]interface{}{
+						"type": "authorization_response",
+						"response": map[string]string{
+							"error":             "login_required",
+							"error_description": "Login is required",
+						},
+					},
+				})
+				return
+			}
+
+			sessionstore.SetState(newSessionToken, newSessionTokenData.Nonce+"@"+user.ID)
+			cookie.SetSession(gc, newSessionToken)
+			code := uuid.New().String()
+			sessionstore.SetState("code_challenge_"+codeChallenge, code)
+			gc.HTML(http.StatusOK, template, gin.H{
+				"target_origin": redirectURI,
+				"authorization_response": map[string]string{
+					"code":  code,
+					"state": state,
+				},
+			})
+			return
+		}
+
+		if isResponseTypeToken {
+			// rollover the session for security
+			authToken, err := token.CreateAuthToken(gc, user, claims.Roles, claims.Scope)
+			if err != nil {
+				gc.HTML(http.StatusOK, template, gin.H{
+					"target_origin": nil,
+					"authorization_response": map[string]interface{}{
+						"type": "authorization_response",
+						"response": map[string]string{
+							"error":             "login_required",
+							"error_description": "Login is required",
+						},
+					},
+				})
+				return
+			}
+			sessionstore.RemoveState(sessionToken)
+			sessionstore.SetState(authToken.FingerPrintHash, authToken.FingerPrint+"@"+user.ID)
+			sessionstore.SetState(authToken.AccessToken.Token, authToken.FingerPrint+"@"+user.ID)
+			cookie.SetSession(gc, authToken.FingerPrintHash)
+			expiresIn := int64(1800)
+			gc.HTML(http.StatusOK, template, gin.H{
+				"target_origin": redirectURI,
+				"authorization_response": map[string]interface{}{
+					"access_token": authToken.AccessToken.Token,
+					"id_token":     authToken.IDToken.Token,
+					"state":        state,
+					"scope":        claims.Scope,
+					"expires_in":   expiresIn,
+				},
+			})
+			return
+		}
+		fmt.Println("=> returning from here...")
+
+		// by default return with error
+		gc.HTML(http.StatusOK, template, gin.H{
+			"target_origin": nil,
+			"authorization_response": map[string]interface{}{
+				"type": "authorization_response",
+				"response": map[string]string{
+					"error":             "login_required",
+					"error_description": "Login is required",
+				},
+			},
+		})
 	}
 }