woj-server/internal/api/oauth/callback.go

package oauth

import (
	"context"
	"fmt"
	userApi "git.0x7f.app/WOJ/woj-server/internal/api/user"
	"git.0x7f.app/WOJ/woj-server/internal/e"
	"git.0x7f.app/WOJ/woj-server/internal/model"
	"git.0x7f.app/WOJ/woj-server/internal/service/user"
	"github.com/gin-gonic/gin"
)

// CallbackHandler
// @Summary     Callback with OAuth2
// @Description Callback endpoint from OAuth2
// @Tags        oauth
// @Produce     json
// @Router      /oauth/callback [get]
func (h *handler) CallbackHandler() gin.HandlerFunc {
	// TODO: we are returning e.Response directly here, we should redirect to a trampoline page, passing the response as query string

	return func(c *gin.Context) {
		// Extract key from cookie
		key, err := c.Cookie(oauthStateCookieName)
		if err != nil {
			e.Pong[any](c, e.InvalidParameter, nil)
			return
		}

		// Get state from redis
		key = fmt.Sprintf(oauthStateKey, key)
		expected, err := h.cache.Get().Get(context.Background(), key).Result()
		if err != nil {
			e.Pong[any](c, e.RedisError, nil)
			return
		}

		// Whether state is valid, delete it
		h.cache.Get().Unlink(context.Background(), key)
		c.SetCookie(oauthStateCookieName, "", -1, "/", "", false, true)

		// Verify state
		if c.Query("state") != expected {
			e.Pong[any](c, e.OAuthStateMismatch, nil)
			return
		}

		// Exchange code for token
		token, err := h.conf.Exchange(context.Background(), c.Query("code"))
		if err != nil {
			e.Pong[any](c, e.OAuthExchangeFailed, nil)
			return
		}

		// Extract the ID Token from OAuth2 token.
		raw, ok := token.Extra("id_token").(string)
		if !ok {
			e.Pong[any](c, e.OAuthExchangeFailed, nil)
			return
		}

		// Parse and verify ID Token payload.
		idToken, err := h.verifier.Verify(context.Background(), raw)
		if err != nil {
			e.Pong[any](c, e.OAuthVerifyFailed, nil)
			return
		}

		// Extract custom claims
		// TODO: extract role from claims
		// TODO: currently username = email, add Email in User model
		var claims struct {
			Email         string `json:"email"`
			EmailVerified bool   `json:"email_verified"`
			Nickname      string `json:"preferred_username"`
			Role          string `json:"role"`
		}
		if err := idToken.Claims(&claims); err != nil {
			e.Pong[any](c, e.OAuthGetClaimsFailed, nil)
			return
		}
		if !claims.EmailVerified || claims.Email == "" || claims.Nickname == "" {
			e.Pong[any](c, e.UserInvalid, nil)
			return
		}

		// Check user existence
		u, status := h.user.ProfileOrCreate(&user.CreateData{UserName: claims.Email, NickName: claims.Nickname})
		if status != e.Success {
			e.Pong[any](c, status, nil)
			return
		}

		// Increment user version
		version, status := h.user.IncrVersion(u.ID)
		if status != e.Success {
			e.Pong[any](c, status, nil)
			return
		}

		// Sign JWT token
		claim := &model.Claim{
			UID:     u.ID,
			Role:    u.Role,
			Version: version,
		}
		jwt, status := h.jwt.SignClaim(claim)
		if status != e.Success {
			e.Pong[any](c, status, nil)
			return
		}

		e.Pong(c, status, userApi.LoginResponse{Token: jwt, NickName: u.NickName})
	}
}
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`package oauth`

			`import (`
			`"context"`
fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`"fmt"`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`userApi "git.0x7f.app/WOJ/woj-server/internal/api/user"`
			`"git.0x7f.app/WOJ/woj-server/internal/e"`
			`"git.0x7f.app/WOJ/woj-server/internal/model"`
			`"git.0x7f.app/WOJ/woj-server/internal/service/user"`
			`"github.com/gin-gonic/gin"`
			`)`

			`// CallbackHandler`
			`// @Summary Callback with OAuth2`
			`// @Description Callback endpoint from OAuth2`
			`// @Tags oauth`
			`// @Produce json`
			`// @Router /oauth/callback [get]`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`func (h *handler) CallbackHandler() gin.HandlerFunc {`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`// TODO: we are returning e.Response directly here, we should redirect to a trampoline page, passing the response as query string`

			`return func(c *gin.Context) {`
fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`// Extract key from cookie`
			`key, err := c.Cookie(oauthStateCookieName)`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if err != nil {`
			`e.Pong[any](c, e.InvalidParameter, nil)`
			`return`
			`}`

fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`// Get state from redis`
			`key = fmt.Sprintf(oauthStateKey, key)`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`expected, err := h.cache.Get().Get(context.Background(), key).Result()`
fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`if err != nil {`
			`e.Pong[any](c, e.RedisError, nil)`
			`return`
			`}`

			`// Whether state is valid, delete it`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`h.cache.Get().Unlink(context.Background(), key)`
fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`c.SetCookie(oauthStateCookieName, "", -1, "/", "", false, true)`

			`// Verify state`
			`if c.Query("state") != expected {`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`e.Pong[any](c, e.OAuthStateMismatch, nil)`
			`return`
			`}`

			`// Exchange code for token`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`token, err := h.conf.Exchange(context.Background(), c.Query("code"))`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if err != nil {`
			`e.Pong[any](c, e.OAuthExchangeFailed, nil)`
			`return`
			`}`

			`// Extract the ID Token from OAuth2 token.`
			`raw, ok := token.Extra("id_token").(string)`
			`if !ok {`
			`e.Pong[any](c, e.OAuthExchangeFailed, nil)`
			`return`
			`}`

			`// Parse and verify ID Token payload.`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`idToken, err := h.verifier.Verify(context.Background(), raw)`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if err != nil {`
			`e.Pong[any](c, e.OAuthVerifyFailed, nil)`
			`return`
			`}`

			`// Extract custom claims`
			`// TODO: extract role from claims`
			`// TODO: currently username = email, add Email in User model`
			`var claims struct {`
			Email string `json:"email"`
			EmailVerified bool `json:"email_verified"`
			Nickname string `json:"preferred_username"`
			Role string `json:"role"`
			`}`
			`if err := idToken.Claims(&claims); err != nil {`
			`e.Pong[any](c, e.OAuthGetClaimsFailed, nil)`
			`return`
			`}`
			`if !claims.EmailVerified \|\| claims.Email == "" \|\| claims.Nickname == "" {`
			`e.Pong[any](c, e.UserInvalid, nil)`
			`return`
			`}`

fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`// Check user existence`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`u, status := h.user.ProfileOrCreate(&user.CreateData{UserName: claims.Email, NickName: claims.Nickname})`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if status != e.Success {`
			`e.Pong[any](c, status, nil)`
			`return`
			`}`

fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`// Increment user version`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`version, status := h.user.IncrVersion(u.ID)`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if status != e.Success {`
			`e.Pong[any](c, status, nil)`
			`return`
			`}`

fix: signed state could not prevent replay attack, use redis to store real state and delete once checked 2024-01-03 14:10:44 +08:00			`// Sign JWT token`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`claim := &model.Claim{`
			`UID: u.ID,`
			`Role: u.Role,`
			`Version: version,`
			`}`
chore: move oauth into api 2024-01-05 00:57:43 +08:00			`jwt, status := h.jwt.SignClaim(claim)`
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`if status != e.Success {`
			`e.Pong[any](c, status, nil)`
			`return`
			`}`

			`e.Pong(c, status, userApi.LoginResponse{Token: jwt, NickName: u.NickName})`
			`}`
			`}`