104 lines
2.7 KiB
Go
104 lines
2.7 KiB
Go
|
package oauth
|
||
|
|
||
|
import (
|
||
|
"context"
|
||
|
userApi "git.0x7f.app/WOJ/woj-server/internal/api/user"
|
||
|
"git.0x7f.app/WOJ/woj-server/internal/e"
|
||
|
"git.0x7f.app/WOJ/woj-server/internal/model"
|
||
|
"git.0x7f.app/WOJ/woj-server/internal/service/user"
|
||
|
"git.0x7f.app/WOJ/woj-server/pkg/utils"
|
||
|
"github.com/gin-gonic/gin"
|
||
|
)
|
||
|
|
||
|
// CallbackHandler
|
||
|
// @Summary Callback with OAuth2
|
||
|
// @Description Callback endpoint from OAuth2
|
||
|
// @Tags oauth
|
||
|
// @Produce json
|
||
|
// @Router /oauth/callback [get]
|
||
|
func (s *service) CallbackHandler() gin.HandlerFunc {
|
||
|
// TODO: we are returning e.Response directly here, we should redirect to a trampoline page, passing the response as query string
|
||
|
|
||
|
return func(c *gin.Context) {
|
||
|
// verify state
|
||
|
signed, err := c.Cookie(oauthStateCookieName)
|
||
|
if err != nil {
|
||
|
e.Pong[any](c, e.InvalidParameter, nil)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
state := c.Query("state")
|
||
|
if !utils.SignAndCompare(state, signed, []byte(s.conf.ClientSecret)) {
|
||
|
e.Pong[any](c, e.OAuthStateMismatch, nil)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
// Exchange code for token
|
||
|
token, err := s.conf.Exchange(context.Background(), c.Query("code"))
|
||
|
if err != nil {
|
||
|
e.Pong[any](c, e.OAuthExchangeFailed, nil)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
// Extract the ID Token from OAuth2 token.
|
||
|
raw, ok := token.Extra("id_token").(string)
|
||
|
if !ok {
|
||
|
e.Pong[any](c, e.OAuthExchangeFailed, nil)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
// Parse and verify ID Token payload.
|
||
|
idToken, err := s.verifier.Verify(context.Background(), raw)
|
||
|
if err != nil {
|
||
|
e.Pong[any](c, e.OAuthVerifyFailed, nil)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
// Extract custom claims
|
||
|
// TODO: extract role from claims
|
||
|
// TODO: currently username = email, add Email in User model
|
||
|
var claims struct {
|
||
|
Email string `json:"email"`
|
||
|
EmailVerified bool `json:"email_verified"`
|
||
|
Nickname string `json:"preferred_username"`
|
||
|
Role string `json:"role"`
|
||
|
}
|
||
|
if err := idToken.Claims(&claims); err != nil {
|
||
|
e.Pong[any](c, e.OAuthGetClaimsFailed, nil)
|
||
|
return
|
||
|
}
|
||
|
if !claims.EmailVerified || claims.Email == "" || claims.Nickname == "" {
|
||
|
e.Pong[any](c, e.UserInvalid, nil)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
// Check User Existence
|
||
|
u, status := s.user.ProfileOrCreate(&user.CreateData{UserName: claims.Email, NickName: claims.Nickname})
|
||
|
if status != e.Success {
|
||
|
e.Pong[any](c, status, nil)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
// Increment User Version
|
||
|
version, status := s.user.IncrVersion(u.ID)
|
||
|
if status != e.Success {
|
||
|
e.Pong[any](c, status, nil)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
// Sign JWT Token
|
||
|
claim := &model.Claim{
|
||
|
UID: u.ID,
|
||
|
Role: u.Role,
|
||
|
Version: version,
|
||
|
}
|
||
|
jwt, status := s.jwt.SignClaim(claim)
|
||
|
if status != e.Success {
|
||
|
e.Pong[any](c, status, nil)
|
||
|
return
|
||
|
}
|
||
|
|
||
|
e.Pong(c, status, userApi.LoginResponse{Token: jwt, NickName: u.NickName})
|
||
|
}
|
||
|
}
|