woj-server/internal/web/oauth/callback.go

package oauth

import (
	"context"
	userApi "git.0x7f.app/WOJ/woj-server/internal/api/user"
	"git.0x7f.app/WOJ/woj-server/internal/e"
	"git.0x7f.app/WOJ/woj-server/internal/model"
	"git.0x7f.app/WOJ/woj-server/internal/service/user"
	"git.0x7f.app/WOJ/woj-server/pkg/utils"
	"github.com/gin-gonic/gin"
)

// CallbackHandler
// @Summary     Callback with OAuth2
// @Description Callback endpoint from OAuth2
// @Tags        oauth
// @Produce     json
// @Router      /oauth/callback [get]
func (s *service) CallbackHandler() gin.HandlerFunc {
	// TODO: we are returning e.Response directly here, we should redirect to a trampoline page, passing the response as query string

	return func(c *gin.Context) {
		// verify state
		signed, err := c.Cookie(oauthStateCookieName)
		if err != nil {
			e.Pong[any](c, e.InvalidParameter, nil)
			return
		}

		state := c.Query("state")
		if !utils.SignAndCompare(state, signed, []byte(s.conf.ClientSecret)) {
			e.Pong[any](c, e.OAuthStateMismatch, nil)
			return
		}

		// Exchange code for token
		token, err := s.conf.Exchange(context.Background(), c.Query("code"))
		if err != nil {
			e.Pong[any](c, e.OAuthExchangeFailed, nil)
			return
		}

		// Extract the ID Token from OAuth2 token.
		raw, ok := token.Extra("id_token").(string)
		if !ok {
			e.Pong[any](c, e.OAuthExchangeFailed, nil)
			return
		}

		// Parse and verify ID Token payload.
		idToken, err := s.verifier.Verify(context.Background(), raw)
		if err != nil {
			e.Pong[any](c, e.OAuthVerifyFailed, nil)
			return
		}

		// Extract custom claims
		// TODO: extract role from claims
		// TODO: currently username = email, add Email in User model
		var claims struct {
			Email         string `json:"email"`
			EmailVerified bool   `json:"email_verified"`
			Nickname      string `json:"preferred_username"`
			Role          string `json:"role"`
		}
		if err := idToken.Claims(&claims); err != nil {
			e.Pong[any](c, e.OAuthGetClaimsFailed, nil)
			return
		}
		if !claims.EmailVerified || claims.Email == "" || claims.Nickname == "" {
			e.Pong[any](c, e.UserInvalid, nil)
			return
		}

		// Check User Existence
		u, status := s.user.ProfileOrCreate(&user.CreateData{UserName: claims.Email, NickName: claims.Nickname})
		if status != e.Success {
			e.Pong[any](c, status, nil)
			return
		}

		// Increment User Version
		version, status := s.user.IncrVersion(u.ID)
		if status != e.Success {
			e.Pong[any](c, status, nil)
			return
		}

		// Sign JWT Token
		claim := &model.Claim{
			UID:     u.ID,
			Role:    u.Role,
			Version: version,
		}
		jwt, status := s.jwt.SignClaim(claim)
		if status != e.Success {
			e.Pong[any](c, status, nil)
			return
		}

		e.Pong(c, status, userApi.LoginResponse{Token: jwt, NickName: u.NickName})
	}
}
feat: add initial oauth2 support 2024-01-03 00:55:41 +08:00			`package oauth`

			`import (`
			`"context"`
			`userApi "git.0x7f.app/WOJ/woj-server/internal/api/user"`
			`"git.0x7f.app/WOJ/woj-server/internal/e"`
			`"git.0x7f.app/WOJ/woj-server/internal/model"`
			`"git.0x7f.app/WOJ/woj-server/internal/service/user"`
			`"git.0x7f.app/WOJ/woj-server/pkg/utils"`
			`"github.com/gin-gonic/gin"`
			`)`

			`// CallbackHandler`
			`// @Summary Callback with OAuth2`
			`// @Description Callback endpoint from OAuth2`
			`// @Tags oauth`
			`// @Produce json`
			`// @Router /oauth/callback [get]`
			`func (s *service) CallbackHandler() gin.HandlerFunc {`
			`// TODO: we are returning e.Response directly here, we should redirect to a trampoline page, passing the response as query string`

			`return func(c *gin.Context) {`
			`// verify state`
			`signed, err := c.Cookie(oauthStateCookieName)`
			`if err != nil {`
			`e.Pong[any](c, e.InvalidParameter, nil)`
			`return`
			`}`

			`state := c.Query("state")`
			`if !utils.SignAndCompare(state, signed, []byte(s.conf.ClientSecret)) {`
			`e.Pong[any](c, e.OAuthStateMismatch, nil)`
			`return`
			`}`

			`// Exchange code for token`
			`token, err := s.conf.Exchange(context.Background(), c.Query("code"))`
			`if err != nil {`
			`e.Pong[any](c, e.OAuthExchangeFailed, nil)`
			`return`
			`}`

			`// Extract the ID Token from OAuth2 token.`
			`raw, ok := token.Extra("id_token").(string)`
			`if !ok {`
			`e.Pong[any](c, e.OAuthExchangeFailed, nil)`
			`return`
			`}`

			`// Parse and verify ID Token payload.`
			`idToken, err := s.verifier.Verify(context.Background(), raw)`
			`if err != nil {`
			`e.Pong[any](c, e.OAuthVerifyFailed, nil)`
			`return`
			`}`

			`// Extract custom claims`
			`// TODO: extract role from claims`
			`// TODO: currently username = email, add Email in User model`
			`var claims struct {`
			Email string `json:"email"`
			EmailVerified bool `json:"email_verified"`
			Nickname string `json:"preferred_username"`
			Role string `json:"role"`
			`}`
			`if err := idToken.Claims(&claims); err != nil {`
			`e.Pong[any](c, e.OAuthGetClaimsFailed, nil)`
			`return`
			`}`
			`if !claims.EmailVerified \|\| claims.Email == "" \|\| claims.Nickname == "" {`
			`e.Pong[any](c, e.UserInvalid, nil)`
			`return`
			`}`

			`// Check User Existence`
			`u, status := s.user.ProfileOrCreate(&user.CreateData{UserName: claims.Email, NickName: claims.Nickname})`
			`if status != e.Success {`
			`e.Pong[any](c, status, nil)`
			`return`
			`}`

			`// Increment User Version`
			`version, status := s.user.IncrVersion(u.ID)`
			`if status != e.Success {`
			`e.Pong[any](c, status, nil)`
			`return`
			`}`

			`// Sign JWT Token`
			`claim := &model.Claim{`
			`UID: u.ID,`
			`Role: u.Role,`
			`Version: version,`
			`}`
			`jwt, status := s.jwt.SignClaim(claim)`
			`if status != e.Success {`
			`e.Pong[any](c, status, nil)`
			`return`
			`}`

			`e.Pong(c, status, userApi.LoginResponse{Token: jwt, NickName: u.NickName})`
			`}`
			`}`