woj-server/internal/api/oauth/callback.go

package oauth

import (
	"context"
	"fmt"
	"git.0x7f.app/WOJ/woj-server/internal/e"
	"git.0x7f.app/WOJ/woj-server/internal/model"
	"git.0x7f.app/WOJ/woj-server/internal/service/user"
	"github.com/gin-gonic/gin"
	"github.com/jackc/pgtype"
	"net/http"
)

// CallbackHandler
// @Summary     Callback with OAuth2
// @Description Callback endpoint from OAuth2
// @Tags        oauth
// @Produce     json
// @Router      /v1/oauth/callback [get]
func (h *handler) CallbackHandler() gin.HandlerFunc {
	// TODO: Figure out a better way to cooperate with frontend
	// Currently using /login?redirect_token=xxx to pass jwt token
	//                 /error?message=xxx to pass error message

	return func(c *gin.Context) {
		// Extract key from cookie
		key, err := c.Cookie(oauthStateCookieName)
		if err != nil {
			c.Redirect(http.StatusFound, "/error?message="+e.InvalidParameter.QueryString())
			return
		}

		// Get state from redis
		key = fmt.Sprintf(oauthStateKey, key)
		expected, err := h.cache.Get().Get(context.Background(), key).Result()
		if err != nil {
			c.Redirect(http.StatusFound, "/error?message="+e.RedisError.QueryString())
			return
		}

		// Whether state is valid, delete it
		h.cache.Get().Unlink(context.Background(), key)

		// Verify state
		if c.Query("state") != expected {
			c.Redirect(http.StatusFound, "/error?message="+e.OAuthStateMismatch.QueryString())
			return
		}

		// Exchange code for token
		token, err := h.conf.Exchange(context.Background(), c.Query("code"))
		if err != nil {
			c.Redirect(http.StatusFound, "/error?message="+e.OAuthExchangeFailed.QueryString())
			return
		}

		// Extract the ID Token from OAuth2 token.
		raw, ok := token.Extra("id_token").(string)
		if !ok {
			c.Redirect(http.StatusFound, "/error?message="+e.OAuthExchangeFailed.QueryString())
			return
		}

		// Parse and verify ID Token payload.
		idToken, err := h.verifier.Verify(context.Background(), raw)
		if err != nil {
			c.Redirect(http.StatusFound, "/error?message="+e.OAuthVerifyFailed.QueryString())
			return
		}

		// Extract custom claims
		// TODO: extract role from claims: need to modify oidc provider
		var claims struct {
			Sub  string `json:"sub"`
			Name string `json:"name"`

			// Exp               uint64 `json:"exp"`
			// Iat               uint64 `json:"iat"`
			// AuthTime          uint64 `json:"auth_time"`
			// Jti               string `json:"jti"`
			// Iss               string `json:"iss"`
			// Aud               string `json:"aud"`
			// Typ               string `json:"typ"`
			// Azp               string `json:"azp"`
			// SessionState      string `json:"session_state"`
			// AtHash            string `json:"at_hash"`
			// Acr               string `json:"acr"`
			// Sid               string `json:"sid"`
			// PreferredUsername string `json:"preferred_username"`
			// GivenName         string `json:"given_name"`
			// FamilyName        string `json:"family_name"`
		}

		if err := idToken.Claims(&claims); err != nil {
			c.Redirect(http.StatusFound, "/error?message="+e.OAuthGetClaimsFailed.QueryString())
			return
		}

		if claims.Name == "" || claims.Sub == "" {
			c.Redirect(http.StatusFound, "/error?message="+e.UserInvalid.QueryString())
			return
		}

		uid := pgtype.UUID{}
		if err := uid.Set(claims.Sub); err != nil {
			c.Redirect(http.StatusFound, "/error?message="+e.UserInvalid.QueryString())
			return
		}

		// Check user existence
		u, status := h.user.ProfileOrCreate(&user.CreateData{UID: uid, NickName: claims.Name})
		if status != e.Success {
			c.Redirect(http.StatusFound, "/error?message="+status.QueryString())
			return
		}

		// Increment user version
		version, status := h.user.IncrVersion(u.ID)
		if status != e.Success {
			c.Redirect(http.StatusFound, "/error?message="+status.QueryString())
			return
		}

		// Sign JWT token
		claim := &model.Claim{
			UID:     u.ID,
			Role:    u.Role,
			Version: version,
		}
		jwt, status := h.jwt.SignClaim(claim)
		if status != e.Success {
			c.Redirect(http.StatusFound, "/error?message="+status.QueryString())
			return
		}

		c.Redirect(http.StatusFound, "/login?redirect_token="+jwt)
	}
}
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`package oauth`

			`import (`
			`"context"`
fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`"fmt"`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`"git.0x7f.app/WOJ/woj-server/internal/e"`
			`"git.0x7f.app/WOJ/woj-server/internal/model"`
			`"git.0x7f.app/WOJ/woj-server/internal/service/user"`
			`"github.com/gin-gonic/gin"`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`"github.com/jackc/pgtype"`
feat: redirect to frontend landing page 2024-01-05 15:47:29 +08:00			`"net/http"`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`)`

			`// CallbackHandler`
			`// @Summary Callback with OAuth2`
			`// @Description Callback endpoint from OAuth2`
			`// @Tags oauth`
			`// @Produce json`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`// @Router /v1/oauth/callback [get]`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`func (h *handler) CallbackHandler() gin.HandlerFunc {`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`// TODO: Figure out a better way to cooperate with frontend`
			`// Currently using /login?redirect_token=xxx to pass jwt token`
			`// /error?message=xxx to pass error message`

feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`return func(c *gin.Context) {`
fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`// Extract key from cookie`
			`key, err := c.Cookie(oauthStateCookieName)`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if err != nil {`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`c.Redirect(http.StatusFound, "/error?message="+e.InvalidParameter.QueryString())`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`return`
			`}`

fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`// Get state from redis`
			`key = fmt.Sprintf(oauthStateKey, key)`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`expected, err := h.cache.Get().Get(context.Background(), key).Result()`
fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`if err != nil {`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`c.Redirect(http.StatusFound, "/error?message="+e.RedisError.QueryString())`
fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`return`
			`}`

			`// Whether state is valid, delete it`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`h.cache.Get().Unlink(context.Background(), key)`
fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00
			`// Verify state`
			`if c.Query("state") != expected {`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`c.Redirect(http.StatusFound, "/error?message="+e.OAuthStateMismatch.QueryString())`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`return`
			`}`

			`// Exchange code for token`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`token, err := h.conf.Exchange(context.Background(), c.Query("code"))`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if err != nil {`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`c.Redirect(http.StatusFound, "/error?message="+e.OAuthExchangeFailed.QueryString())`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`return`
			`}`

			`// Extract the ID Token from OAuth2 token.`
			`raw, ok := token.Extra("id_token").(string)`
			`if !ok {`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`c.Redirect(http.StatusFound, "/error?message="+e.OAuthExchangeFailed.QueryString())`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`return`
			`}`

			`// Parse and verify ID Token payload.`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`idToken, err := h.verifier.Verify(context.Background(), raw)`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if err != nil {`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`c.Redirect(http.StatusFound, "/error?message="+e.OAuthVerifyFailed.QueryString())`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`return`
			`}`

			`// Extract custom claims`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`// TODO: extract role from claims: need to modify oidc provider`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`var claims struct {`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			Sub string `json:"sub"`
			Name string `json:"name"`

			// Exp uint64 `json:"exp"`
			// Iat uint64 `json:"iat"`
			// AuthTime uint64 `json:"auth_time"`
			// Jti string `json:"jti"`
			// Iss string `json:"iss"`
			// Aud string `json:"aud"`
			// Typ string `json:"typ"`
			// Azp string `json:"azp"`
			// SessionState string `json:"session_state"`
			// AtHash string `json:"at_hash"`
			// Acr string `json:"acr"`
			// Sid string `json:"sid"`
			// PreferredUsername string `json:"preferred_username"`
			// GivenName string `json:"given_name"`
			// FamilyName string `json:"family_name"`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`}`
feat: always use sso for user 2024-04-28 22:58:39 +08:00
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if err := idToken.Claims(&claims); err != nil {`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`c.Redirect(http.StatusFound, "/error?message="+e.OAuthGetClaimsFailed.QueryString())`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`return`
			`}`
feat: always use sso for user 2024-04-28 22:58:39 +08:00
			`if claims.Name == "" \|\| claims.Sub == "" {`
			`c.Redirect(http.StatusFound, "/error?message="+e.UserInvalid.QueryString())`
			`return`
			`}`

			`uid := pgtype.UUID{}`
			`if err := uid.Set(claims.Sub); err != nil {`
			`c.Redirect(http.StatusFound, "/error?message="+e.UserInvalid.QueryString())`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`return`
			`}`

fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`// Check user existence`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`u, status := h.user.ProfileOrCreate(&user.CreateData{UID: uid, NickName: claims.Name})`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if status != e.Success {`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`c.Redirect(http.StatusFound, "/error?message="+status.QueryString())`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`return`
			`}`

fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`// Increment user version`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`version, status := h.user.IncrVersion(u.ID)`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if status != e.Success {`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`c.Redirect(http.StatusFound, "/error?message="+status.QueryString())`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`return`
			`}`

fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`// Sign JWT token`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`claim := &model.Claim{`
			`UID: u.ID,`
			`Role: u.Role,`
			`Version: version,`
			`}`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`jwt, status := h.jwt.SignClaim(claim)`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if status != e.Success {`
feat: always use sso for user 2024-04-28 22:58:39 +08:00			`c.Redirect(http.StatusFound, "/error?message="+status.QueryString())`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`return`
			`}`

feat: redirect to frontend landing page 2024-01-05 15:47:29 +08:00			`c.Redirect(http.StatusFound, "/login?redirect_token="+jwt)`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`}`
			`}`