Add authentication middleware
This commit is contained in:
Achim Rohn
@@ -1,14 +1,21 @@
|
||||
package google
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
. "ersteller-lib"
|
||||
"ersteller-lib/authentication"
|
||||
"ersteller-lib/starter/ent"
|
||||
"ersteller-lib/starter/ent/user"
|
||||
"ersteller-lib/starter/env"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/gorilla/sessions"
|
||||
|
||||
"golang.org/x/oauth2"
|
||||
"golang.org/x/oauth2/google"
|
||||
)
|
||||
@@ -17,22 +24,36 @@ const oAuthStateCookieName = "oauthstate"
|
||||
const GoogleLogin = "/login/google"
|
||||
const GoogleLoginCallback = "/google/authenticated"
|
||||
|
||||
type GoogleAuth struct {
|
||||
db *ent.Client
|
||||
server *http.ServeMux
|
||||
environment env.Environment
|
||||
config oauth2.Config
|
||||
const oauthGoogleUrlAPI = "https://www.googleapis.com/oauth2/v2/userinfo?access_token="
|
||||
|
||||
type GoogleUserData struct {
|
||||
Email string `json:"email"`
|
||||
Token *oauth2.Token `json:"-"`
|
||||
}
|
||||
|
||||
func NewGoogleAuth(db *ent.Client, server *http.ServeMux, environment env.Environment) *GoogleAuth {
|
||||
type GoogleAuth struct {
|
||||
db *ent.Client
|
||||
server *http.ServeMux
|
||||
environment env.Environment
|
||||
config oauth2.Config
|
||||
sessionStore *sessions.CookieStore
|
||||
}
|
||||
|
||||
func NewGoogleAuth(db *ent.Client, server *http.ServeMux, environment env.Environment, sessionStore *sessions.CookieStore) *GoogleAuth {
|
||||
config := oauth2.Config{
|
||||
ClientID: environment.GoogleClientId,
|
||||
ClientSecret: environment.GoogleClientSecret,
|
||||
Endpoint: google.Endpoint,
|
||||
RedirectURL: environment.BaseUrl + GoogleLoginCallback,
|
||||
Scopes: []string{},
|
||||
Scopes: []string{"https://www.googleapis.com/auth/userinfo.email"},
|
||||
}
|
||||
return &GoogleAuth{
|
||||
db: db,
|
||||
server: server,
|
||||
environment: environment,
|
||||
config: config,
|
||||
sessionStore: sessionStore,
|
||||
}
|
||||
return &GoogleAuth{db: db, server: server, environment: environment, config: config}
|
||||
}
|
||||
|
||||
func (g *GoogleAuth) AddRoutes() {
|
||||
@@ -41,6 +62,135 @@ func (g *GoogleAuth) AddRoutes() {
|
||||
url := g.config.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.ApprovalForce)
|
||||
http.Redirect(writer, request, url, http.StatusTemporaryRedirect)
|
||||
})
|
||||
|
||||
// OAuth callback handler
|
||||
g.server.HandleFunc("GET "+GoogleLoginCallback, func(writer http.ResponseWriter, request *http.Request) {
|
||||
LogDebug("email authenticated called")
|
||||
|
||||
// Get OAuth state cookie
|
||||
oauthstateCookie, err := request.Cookie(oAuthStateCookieName)
|
||||
if err != nil {
|
||||
LogError("Failed to get cookie: %v", err)
|
||||
http.Error(writer, "Failed to get OAuth state cookie", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
// Verify OAuth state
|
||||
if request.FormValue("state") != oauthstateCookie.Value {
|
||||
LogError("Failed to verify google oauth state")
|
||||
http.Error(writer, "Invalid OAuth state", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
// Get authorization code
|
||||
code := request.FormValue("code")
|
||||
data, err := g.ParseUserData(code)
|
||||
if err != nil {
|
||||
LogError("Failed to parse user data: %v", err)
|
||||
http.Error(writer, "Failed to parse user data", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
// Get or create user
|
||||
userId, err := g.db.User.Query().Where(user.Email(data.Email)).OnlyID(request.Context())
|
||||
if err != nil {
|
||||
LogError("Failed to get user id: %v", err)
|
||||
newUser, err := g.db.User.Create().SetEmail(data.Email).Save(request.Context())
|
||||
if err != nil {
|
||||
LogError("Failed to create user: %v", err)
|
||||
http.Error(writer, "Failed to create user", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
userId = newUser.ID
|
||||
}
|
||||
|
||||
// Save email to session
|
||||
err = authentication.SaveEmailAndUserIdToSessionStore(request, writer, g.sessionStore, data.Email, userId)
|
||||
if err != nil {
|
||||
LogError("Failed to save session: %v", err)
|
||||
http.Error(writer, "Failed to save session", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
// Save credentials
|
||||
err = g.SaveCredentials(userId, data.Token)
|
||||
if err != nil {
|
||||
Error("failed to save credentials for user ", userId, ": ", err)
|
||||
http.Error(writer, "Failed to save credentials", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
Debug("saved credentials for user", userId)
|
||||
http.Redirect(writer, request, "/", http.StatusTemporaryRedirect)
|
||||
})
|
||||
|
||||
// Logout handler
|
||||
g.server.HandleFunc("GET /logout", func(writer http.ResponseWriter, request *http.Request) {
|
||||
// Clear the session
|
||||
session, err := g.sessionStore.Get(request, "session") // Using default session name
|
||||
if err != nil {
|
||||
LogError("Failed to get session: %v", err)
|
||||
http.Redirect(writer, request, "/", http.StatusTemporaryRedirect)
|
||||
return
|
||||
}
|
||||
|
||||
session.Options.MaxAge = -1
|
||||
err = session.Save(request, writer)
|
||||
if err != nil {
|
||||
LogError("Failed to save session: %v", err)
|
||||
http.Error(writer, "Failed to clear session", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
http.Redirect(writer, request, "/", http.StatusTemporaryRedirect)
|
||||
})
|
||||
}
|
||||
|
||||
func (g *GoogleAuth) ParseUserData(code string) (GoogleUserData, error) {
|
||||
data, err := g.getUserDataFromGoogle(code)
|
||||
if err != nil {
|
||||
LogError("failed getting user data from Google: %v", err)
|
||||
return GoogleUserData{}, err
|
||||
}
|
||||
LogDebug("user data: %v", data)
|
||||
return data, nil
|
||||
}
|
||||
|
||||
func (g *GoogleAuth) getUserDataFromGoogle(code string) (GoogleUserData, error) {
|
||||
// Use code to get token and get user info from Google.
|
||||
token, err := g.config.Exchange(context.Background(), code)
|
||||
if err != nil {
|
||||
LogError("code exchange wrong: %v", err)
|
||||
return GoogleUserData{}, err
|
||||
}
|
||||
|
||||
response, err := http.Get(oauthGoogleUrlAPI + token.AccessToken)
|
||||
if err != nil {
|
||||
LogError("failed getting user info: %v", err)
|
||||
return GoogleUserData{}, err
|
||||
}
|
||||
defer response.Body.Close()
|
||||
contents, err := ioutil.ReadAll(response.Body)
|
||||
if err != nil {
|
||||
LogError("failed read response: %v", err)
|
||||
return GoogleUserData{}, err
|
||||
}
|
||||
userData := GoogleUserData{}
|
||||
err = json.Unmarshal(contents, &userData)
|
||||
if err != nil {
|
||||
LogError("failed to unmarshal user data: %v", err)
|
||||
return GoogleUserData{}, err
|
||||
}
|
||||
userData.Token = token
|
||||
|
||||
return userData, nil
|
||||
}
|
||||
|
||||
func (g *GoogleAuth) SaveCredentials(userId int, token *oauth2.Token) error {
|
||||
Debug("saving google credentials for user ", userId)
|
||||
// For now, we'll just log this - in a real implementation you'd save to database
|
||||
Debug("saved credentials for user", userId)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (g *GoogleAuth) generateStateOauthCookie(w http.ResponseWriter) string {
|
||||
|
||||
Reference in New Issue
Block a user