Compare commits
20 Commits
1.1.21.bet
...
1.1.21.bet
| Author | SHA1 | Date | |
|---|---|---|---|
|
b2e0a3371f | ||
|
|
a68876a6f4 | ||
|
|
2c867b0314 | ||
|
|
74b858ac24 | ||
|
|
fedc3173fe | ||
|
|
de4381261e | ||
|
|
a916b8c32c | ||
|
|
89f08b6d31 | ||
|
|
cc23784df8 | ||
|
|
7ff3b3018a | ||
|
|
2b52932e98 | ||
|
|
c716638725 | ||
|
|
252cd1fa2d | ||
|
|
7c2693b086 | ||
|
|
eaa10ec5bc | ||
|
|
253128ca0c | ||
|
|
cddfe1e088 | ||
|
|
8e655bcb5b | ||
|
|
9a411e673c | ||
|
|
346c8e5a47 |
10
.github/workflows/release.yaml
vendored
10
.github/workflows/release.yaml
vendored
@@ -2,17 +2,17 @@ on:
|
|||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
inputs:
|
inputs:
|
||||||
logLevel:
|
logLevel:
|
||||||
description: 'Log level'
|
description: 'Log level'
|
||||||
required: true
|
required: true
|
||||||
default: 'warning'
|
default: 'warning'
|
||||||
type: choice
|
type: choice
|
||||||
options:
|
options:
|
||||||
- info
|
- info
|
||||||
- warning
|
- warning
|
||||||
- debug
|
- debug
|
||||||
tags:
|
tags:
|
||||||
description: 'Tags'
|
description: 'Tags'
|
||||||
required: false
|
required: false
|
||||||
type: boolean
|
type: boolean
|
||||||
release:
|
release:
|
||||||
types: [created]
|
types: [created]
|
||||||
@@ -28,7 +28,7 @@ jobs:
|
|||||||
node-version: '16'
|
node-version: '16'
|
||||||
- uses: actions/setup-go@v2
|
- uses: actions/setup-go@v2
|
||||||
with:
|
with:
|
||||||
go-version: '^1.17.3'
|
go-version: '^1.19.1'
|
||||||
- name: Install dependencies
|
- name: Install dependencies
|
||||||
run: |
|
run: |
|
||||||
sudo apt-get install build-essential wget zip gcc-mingw-w64 && \
|
sudo apt-get install build-essential wget zip gcc-mingw-w64 && \
|
||||||
|
|||||||
@@ -38,6 +38,8 @@ export default function Root({
|
|||||||
const scope = searchParams.get('scope')
|
const scope = searchParams.get('scope')
|
||||||
? searchParams.get('scope')?.toString().split(' ')
|
? searchParams.get('scope')?.toString().split(' ')
|
||||||
: ['openid', 'profile', 'email'];
|
: ['openid', 'profile', 'email'];
|
||||||
|
const code = searchParams.get('code') || ''
|
||||||
|
const nonce = searchParams.get('nonce') || ''
|
||||||
|
|
||||||
const urlProps: Record<string, any> = {
|
const urlProps: Record<string, any> = {
|
||||||
state,
|
state,
|
||||||
@@ -58,9 +60,19 @@ export default function Root({
|
|||||||
if (token) {
|
if (token) {
|
||||||
let redirectURL = config.redirectURL || '/app';
|
let redirectURL = config.redirectURL || '/app';
|
||||||
let params = `access_token=${token.access_token}&id_token=${token.id_token}&expires_in=${token.expires_in}&state=${globalState.state}`;
|
let params = `access_token=${token.access_token}&id_token=${token.id_token}&expires_in=${token.expires_in}&state=${globalState.state}`;
|
||||||
|
|
||||||
|
if (code !== '') {
|
||||||
|
params += `&code=${code}`
|
||||||
|
}
|
||||||
|
|
||||||
|
if (nonce !== '') {
|
||||||
|
params += `&nonce=${nonce}`
|
||||||
|
}
|
||||||
|
|
||||||
if (token.refresh_token) {
|
if (token.refresh_token) {
|
||||||
params += `&refresh_token=${token.refresh_token}`;
|
params += `&refresh_token=${token.refresh_token}`;
|
||||||
}
|
}
|
||||||
|
|
||||||
const url = new URL(redirectURL);
|
const url = new URL(redirectURL);
|
||||||
if (redirectURL.includes('?')) {
|
if (redirectURL.includes('?')) {
|
||||||
redirectURL = `${redirectURL}&${params}`;
|
redirectURL = `${redirectURL}&${params}`;
|
||||||
|
|||||||
@@ -42,6 +42,7 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|||||||
scopeString := strings.TrimSpace(gc.Query("scope"))
|
scopeString := strings.TrimSpace(gc.Query("scope"))
|
||||||
clientID := strings.TrimSpace(gc.Query("client_id"))
|
clientID := strings.TrimSpace(gc.Query("client_id"))
|
||||||
responseMode := strings.TrimSpace(gc.Query("response_mode"))
|
responseMode := strings.TrimSpace(gc.Query("response_mode"))
|
||||||
|
nonce := strings.TrimSpace(gc.Query("nonce"))
|
||||||
|
|
||||||
var scope []string
|
var scope []string
|
||||||
if scopeString == "" {
|
if scopeString == "" {
|
||||||
@@ -64,22 +65,61 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|||||||
|
|
||||||
if err := validateAuthorizeRequest(responseType, responseMode, clientID, state, codeChallenge); err != nil {
|
if err := validateAuthorizeRequest(responseType, responseMode, clientID, state, codeChallenge); err != nil {
|
||||||
log.Debug("invalid authorization request: ", err)
|
log.Debug("invalid authorization request: ", err)
|
||||||
gc.JSON(http.StatusBadRequest, gin.H{"error": err})
|
gc.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
log := log.WithFields(log.Fields{
|
||||||
|
"response_mode": responseMode,
|
||||||
|
"response_type": responseType,
|
||||||
|
"state": state,
|
||||||
|
"code_challenge": codeChallenge,
|
||||||
|
"scope": scope,
|
||||||
|
"redirect_uri": redirectURI,
|
||||||
|
})
|
||||||
|
|
||||||
|
code := uuid.New().String()
|
||||||
|
if nonce == "" {
|
||||||
|
nonce = uuid.New().String()
|
||||||
|
}
|
||||||
|
memorystore.Provider.SetState(codeChallenge, code)
|
||||||
|
|
||||||
// used for response mode query or fragment
|
// used for response mode query or fragment
|
||||||
loginState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI
|
loginState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI + "&code=" + code + "&nonce=" + nonce
|
||||||
loginURL := "/app?" + loginState
|
loginURL := "/app?" + loginState
|
||||||
|
|
||||||
if responseMode == constants.ResponseModeFragment {
|
if responseMode == constants.ResponseModeFragment {
|
||||||
loginURL = "/app#" + loginState
|
loginURL = "/app#" + loginState
|
||||||
}
|
}
|
||||||
|
|
||||||
loginError := map[string]interface{}{
|
if state == "" {
|
||||||
"error": "login_required",
|
handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
|
||||||
"error_description": "Login is required",
|
"type": "authorization_response",
|
||||||
|
"response": map[string]interface{}{
|
||||||
|
"error": "state_required",
|
||||||
|
"error_description": "state is required",
|
||||||
|
},
|
||||||
|
}, http.StatusOK)
|
||||||
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if responseType == constants.ResponseTypeCode && codeChallenge == "" {
|
||||||
|
handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
|
||||||
|
"type": "authorization_response",
|
||||||
|
"response": map[string]interface{}{
|
||||||
|
"error": "code_challenge_required",
|
||||||
|
"error_description": "code challenge is required",
|
||||||
|
},
|
||||||
|
}, http.StatusOK)
|
||||||
|
}
|
||||||
|
|
||||||
|
loginError := map[string]interface{}{
|
||||||
|
"type": "authorization_response",
|
||||||
|
"response": map[string]interface{}{
|
||||||
|
"error": "login_required",
|
||||||
|
"error_description": "Login is required",
|
||||||
|
},
|
||||||
|
}
|
||||||
sessionToken, err := cookie.GetSession(gc)
|
sessionToken, err := cookie.GetSession(gc)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("GetSession failed: ", err)
|
log.Debug("GetSession failed: ", err)
|
||||||
@@ -94,13 +134,17 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|||||||
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
userID := claims.Subject
|
userID := claims.Subject
|
||||||
user, err := db.Provider.GetUserByID(gc, userID)
|
user, err := db.Provider.GetUserByID(gc, userID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("GetUserByID failed: ", err)
|
log.Debug("GetUserByID failed: ", err)
|
||||||
handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
|
handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
|
||||||
"error": "signup_required",
|
"type": "authorization_response",
|
||||||
"error_description": "Sign up required",
|
"response": map[string]interface{}{
|
||||||
|
"error": "signup_required",
|
||||||
|
"error_description": "Sign up required",
|
||||||
|
},
|
||||||
}, http.StatusOK)
|
}, http.StatusOK)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@@ -110,17 +154,22 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|||||||
sessionKey = claims.LoginMethod + ":" + user.ID
|
sessionKey = claims.LoginMethod + ":" + user.ID
|
||||||
}
|
}
|
||||||
|
|
||||||
|
newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
|
||||||
|
if err != nil {
|
||||||
|
log.Debug("CreateSessionToken failed: ", err)
|
||||||
|
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
if err := memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken); err != nil {
|
||||||
|
log.Debug("SetState failed: ", err)
|
||||||
|
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
// rollover the session for security
|
// rollover the session for security
|
||||||
go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
|
go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
|
||||||
if responseType == constants.ResponseTypeCode {
|
if responseType == constants.ResponseTypeCode {
|
||||||
nonce := uuid.New().String()
|
|
||||||
newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
|
|
||||||
if err != nil {
|
|
||||||
log.Debug("CreateSessionToken failed: ", err)
|
|
||||||
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken); err != nil {
|
if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken); err != nil {
|
||||||
log.Debug("SetUserSession failed: ", err)
|
log.Debug("SetUserSession failed: ", err)
|
||||||
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
||||||
@@ -128,39 +177,43 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|||||||
}
|
}
|
||||||
|
|
||||||
cookie.SetSession(gc, newSessionToken)
|
cookie.SetSession(gc, newSessionToken)
|
||||||
code := uuid.New().String()
|
|
||||||
if err := memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken); err != nil {
|
|
||||||
log.Debug("SetState failed: ", err)
|
|
||||||
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
// in case, response type is code and user is already logged in send the code and state
|
// in case, response type is code and user is already logged in send the code and state
|
||||||
// and cookie session will already be rolled over and set
|
// and cookie session will already be rolled over and set
|
||||||
if responseMode == constants.ResponseModeFormPost {
|
// gc.HTML(http.StatusOK, authorizeWebMessageTemplate, gin.H{
|
||||||
gc.HTML(http.StatusOK, authorizeFormPostTemplate, gin.H{
|
// "target_origin": redirectURI,
|
||||||
"target_origin": redirectURI,
|
// "authorization_response": map[string]interface{}{
|
||||||
"authorization_response": map[string]interface{}{
|
// "type": "authorization_response",
|
||||||
"type": "authorization_response",
|
// "response": map[string]string{
|
||||||
"response": map[string]string{
|
// "code": code,
|
||||||
"code": code,
|
// "state": state,
|
||||||
"state": state,
|
// },
|
||||||
},
|
// },
|
||||||
},
|
// })
|
||||||
})
|
|
||||||
} else {
|
params := "code=" + code + "&state=" + state + "&nonce=" + nonce
|
||||||
gc.HTML(http.StatusOK, authorizeWebMessageTemplate, gin.H{
|
if responseMode == constants.ResponseModeQuery {
|
||||||
"target_origin": redirectURI,
|
if strings.Contains(redirectURI, "?") {
|
||||||
"authorization_response": map[string]interface{}{
|
redirectURI = redirectURI + "&" + params
|
||||||
"type": "authorization_response",
|
} else {
|
||||||
"response": map[string]string{
|
redirectURI = redirectURI + "?" + params
|
||||||
"code": code,
|
}
|
||||||
"state": state,
|
} else if responseMode == constants.ResponseModeFragment {
|
||||||
},
|
if strings.Contains(redirectURI, "#") {
|
||||||
},
|
redirectURI = redirectURI + "&" + params
|
||||||
})
|
} else {
|
||||||
|
redirectURI = redirectURI + "#" + params
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
|
||||||
|
"type": "authorization_response",
|
||||||
|
"response": map[string]interface{}{
|
||||||
|
"code": code,
|
||||||
|
"state": state,
|
||||||
|
},
|
||||||
|
}, http.StatusOK)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -193,7 +246,7 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// used of query mode
|
// used of query mode
|
||||||
params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token
|
params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token + "&code=" + code + "&nonce=" + nonce
|
||||||
|
|
||||||
res := map[string]interface{}{
|
res := map[string]interface{}{
|
||||||
"access_token": authToken.AccessToken.Token,
|
"access_token": authToken.AccessToken.Token,
|
||||||
@@ -202,6 +255,8 @@ func AuthorizeHandler() gin.HandlerFunc {
|
|||||||
"scope": scope,
|
"scope": scope,
|
||||||
"token_type": "Bearer",
|
"token_type": "Bearer",
|
||||||
"expires_in": expiresIn,
|
"expires_in": expiresIn,
|
||||||
|
"code": code,
|
||||||
|
"nonce": nonce,
|
||||||
}
|
}
|
||||||
|
|
||||||
if authToken.RefreshToken != nil {
|
if authToken.RefreshToken != nil {
|
||||||
@@ -244,27 +299,17 @@ func validateAuthorizeRequest(responseType, responseMode, clientID, state, codeC
|
|||||||
return fmt.Errorf("invalid response mode %s. 'query', 'fragment', 'form_post' and 'web_message' are valid response_mode", responseMode)
|
return fmt.Errorf("invalid response mode %s. 'query', 'fragment', 'form_post' and 'web_message' are valid response_mode", responseMode)
|
||||||
}
|
}
|
||||||
|
|
||||||
if responseType == constants.ResponseTypeCode && strings.TrimSpace(codeChallenge) == "" {
|
|
||||||
return fmt.Errorf("code_challenge is required for %s '%s'", responseType, constants.ResponseTypeCode)
|
|
||||||
}
|
|
||||||
|
|
||||||
if client, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID); client != clientID || err != nil {
|
if client, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID); client != clientID || err != nil {
|
||||||
return fmt.Errorf("invalid client_id %s", clientID)
|
return fmt.Errorf("invalid client_id %s", clientID)
|
||||||
}
|
}
|
||||||
|
|
||||||
if strings.TrimSpace(state) == "" {
|
|
||||||
return fmt.Errorf("state is required")
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func handleResponse(gc *gin.Context, responseMode, loginURI, redirectURI string, data map[string]interface{}, httpStatusCode int) {
|
func handleResponse(gc *gin.Context, responseMode, loginURI, redirectURI string, data map[string]interface{}, httpStatusCode int) {
|
||||||
isAuthenticationRequired := false
|
isAuthenticationRequired := false
|
||||||
if val, ok := data["error"]; ok {
|
if _, ok := data["response"].(map[string]interface{})["error"]; ok {
|
||||||
if val == "login_required" || val == "signup_required" {
|
isAuthenticationRequired = true
|
||||||
isAuthenticationRequired = true
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
switch responseMode {
|
switch responseMode {
|
||||||
@@ -284,7 +329,7 @@ func handleResponse(gc *gin.Context, responseMode, loginURI, redirectURI string,
|
|||||||
case constants.ResponseModeFormPost:
|
case constants.ResponseModeFormPost:
|
||||||
gc.HTML(httpStatusCode, authorizeFormPostTemplate, gin.H{
|
gc.HTML(httpStatusCode, authorizeFormPostTemplate, gin.H{
|
||||||
"target_origin": redirectURI,
|
"target_origin": redirectURI,
|
||||||
"authorization_response": data,
|
"authorization_response": data["response"],
|
||||||
})
|
})
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -17,14 +17,14 @@ func OpenIDConfigurationHandler() gin.HandlerFunc {
|
|||||||
c.JSON(200, gin.H{
|
c.JSON(200, gin.H{
|
||||||
"issuer": issuer,
|
"issuer": issuer,
|
||||||
"authorization_endpoint": issuer + "/authorize",
|
"authorization_endpoint": issuer + "/authorize",
|
||||||
"token_endpoint": issuer + "/token",
|
"token_endpoint": issuer + "/oauth/token",
|
||||||
"userinfo_endpoint": issuer + "/userinfo",
|
"userinfo_endpoint": issuer + "/userinfo",
|
||||||
"jwks_uri": issuer + "/.well-known/jwks.json",
|
"jwks_uri": issuer + "/.well-known/jwks.json",
|
||||||
"response_types_supported": []string{"code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token"},
|
"response_types_supported": []string{"code", "token", "id_token"},
|
||||||
"scopes_supported": []string{"openid", "email", "profile", "email_verified", "given_name", "family_name", "nick_name", "picture"},
|
"scopes_supported": []string{"openid", "email", "profile", "email_verified", "given_name", "family_name", "nick_name", "picture"},
|
||||||
"response_modes_supported": []string{"query", "fragment", "form_post", "web_message"},
|
"response_modes_supported": []string{"query", "fragment", "form_post", "web_message"},
|
||||||
"id_token_signing_alg_values_supported": []string{jwtType},
|
"id_token_signing_alg_values_supported": []string{jwtType},
|
||||||
"claims_supported": []string{"aud", "exp", "iss", "iat", "sub", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "picture", "email", "email_verified", "roles", "gender", "birthdate", "phone_number", "phone_number_verified"},
|
"claims_supported": []string{"aud", "exp", "iss", "iat", "sub", "given_name", "family_name", "middle_name", "nickname", "preferred_username", "picture", "email", "email_verified", "roles", "gender", "birthdate", "phone_number", "phone_number_verified", "nonce"},
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -91,7 +91,7 @@ func GetDomainName(uri string) string {
|
|||||||
return host
|
return host
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetAppURL to get /app/ url if not configured by user
|
// GetAppURL to get /app url if not configured by user
|
||||||
func GetAppURL(gc *gin.Context) string {
|
func GetAppURL(gc *gin.Context) string {
|
||||||
envAppURL, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
|
envAppURL, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyAppURL)
|
||||||
if envAppURL == "" || err != nil {
|
if envAppURL == "" || err != nil {
|
||||||
|
|||||||
@@ -4,9 +4,9 @@
|
|||||||
<title>Authorization Response</title>
|
<title>Authorization Response</title>
|
||||||
</head>
|
</head>
|
||||||
<body onload="document.forms['authorize_form_post'].submit()">
|
<body onload="document.forms['authorize_form_post'].submit()">
|
||||||
<form action={{.target_origin}} name="authorize_form_post">
|
<form action="{{.target_origin}}" name="authorize_form_post" method="POST">
|
||||||
{{ range $key, $val := .authorization_response }}
|
{{ range $key, $val := .authorization_response }}
|
||||||
<input type="hidden" key={{$key}} value={{$val}} name={{$key}} id={{$key}} />
|
<input type="hidden" key="{{$key}}" value="{{$val}}" name="{{$key}}" id="{{$key}}" />
|
||||||
{{ end }}
|
{{ end }}
|
||||||
</form>
|
</form>
|
||||||
</body>
|
</body>
|
||||||
|
|||||||
Reference in New Issue
Block a user