parent
93f6e98047
commit
adf42a5b54
@ -0,0 +1,233 @@ |
|||||||
|
// Copyright 2014 Google Inc. All Rights Reserved.
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
// Package oauth2 contains Martini handlers to provide
|
||||||
|
// user login via an OAuth 2.0 backend.
|
||||||
|
package oauth2 |
||||||
|
|
||||||
|
import ( |
||||||
|
"encoding/json" |
||||||
|
"fmt" |
||||||
|
"net/http" |
||||||
|
"net/url" |
||||||
|
"strings" |
||||||
|
"time" |
||||||
|
|
||||||
|
"code.google.com/p/goauth2/oauth" |
||||||
|
"github.com/go-martini/martini" |
||||||
|
"github.com/martini-contrib/sessions" |
||||||
|
) |
||||||
|
|
||||||
|
const ( |
||||||
|
codeRedirect = 302 |
||||||
|
keyToken = "oauth2_token" |
||||||
|
keyNextPage = "next" |
||||||
|
) |
||||||
|
|
||||||
|
var ( |
||||||
|
// Path to handle OAuth 2.0 logins.
|
||||||
|
PathLogin = "/login" |
||||||
|
// Path to handle OAuth 2.0 logouts.
|
||||||
|
PathLogout = "/logout" |
||||||
|
// Path to handle callback from OAuth 2.0 backend
|
||||||
|
// to exchange credentials.
|
||||||
|
PathCallback = "/oauth2callback" |
||||||
|
// Path to handle error cases.
|
||||||
|
PathError = "/oauth2error" |
||||||
|
) |
||||||
|
|
||||||
|
// Represents OAuth2 backend options.
|
||||||
|
type Options struct { |
||||||
|
ClientId string |
||||||
|
ClientSecret string |
||||||
|
RedirectURL string |
||||||
|
Scopes []string |
||||||
|
|
||||||
|
AuthUrl string |
||||||
|
TokenUrl string |
||||||
|
} |
||||||
|
|
||||||
|
// Represents a container that contains
|
||||||
|
// user's OAuth 2.0 access and refresh tokens.
|
||||||
|
type Tokens interface { |
||||||
|
Access() string |
||||||
|
Refresh() string |
||||||
|
IsExpired() bool |
||||||
|
ExpiryTime() time.Time |
||||||
|
ExtraData() map[string]string |
||||||
|
} |
||||||
|
|
||||||
|
type token struct { |
||||||
|
oauth.Token |
||||||
|
} |
||||||
|
|
||||||
|
func (t *token) ExtraData() map[string]string { |
||||||
|
return t.Extra |
||||||
|
} |
||||||
|
|
||||||
|
// Returns the access token.
|
||||||
|
func (t *token) Access() string { |
||||||
|
return t.AccessToken |
||||||
|
} |
||||||
|
|
||||||
|
// Returns the refresh token.
|
||||||
|
func (t *token) Refresh() string { |
||||||
|
return t.RefreshToken |
||||||
|
} |
||||||
|
|
||||||
|
// Returns whether the access token is
|
||||||
|
// expired or not.
|
||||||
|
func (t *token) IsExpired() bool { |
||||||
|
if t == nil { |
||||||
|
return true |
||||||
|
} |
||||||
|
return t.Expired() |
||||||
|
} |
||||||
|
|
||||||
|
// Returns the expiry time of the user's
|
||||||
|
// access token.
|
||||||
|
func (t *token) ExpiryTime() time.Time { |
||||||
|
return t.Expiry |
||||||
|
} |
||||||
|
|
||||||
|
// Formats tokens into string.
|
||||||
|
func (t *token) String() string { |
||||||
|
return fmt.Sprintf("tokens: %v", t) |
||||||
|
} |
||||||
|
|
||||||
|
// Returns a new Google OAuth 2.0 backend endpoint.
|
||||||
|
func Google(opts *Options) martini.Handler { |
||||||
|
opts.AuthUrl = "https://accounts.google.com/o/oauth2/auth" |
||||||
|
opts.TokenUrl = "https://accounts.google.com/o/oauth2/token" |
||||||
|
return NewOAuth2Provider(opts) |
||||||
|
} |
||||||
|
|
||||||
|
// Returns a new Github OAuth 2.0 backend endpoint.
|
||||||
|
func Github(opts *Options) martini.Handler { |
||||||
|
opts.AuthUrl = "https://github.com/login/oauth/authorize" |
||||||
|
opts.TokenUrl = "https://github.com/login/oauth/access_token" |
||||||
|
return NewOAuth2Provider(opts) |
||||||
|
} |
||||||
|
|
||||||
|
func Facebook(opts *Options) martini.Handler { |
||||||
|
opts.AuthUrl = "https://www.facebook.com/dialog/oauth" |
||||||
|
opts.TokenUrl = "https://graph.facebook.com/oauth/access_token" |
||||||
|
return NewOAuth2Provider(opts) |
||||||
|
} |
||||||
|
|
||||||
|
// Returns a generic OAuth 2.0 backend endpoint.
|
||||||
|
func NewOAuth2Provider(opts *Options) martini.Handler { |
||||||
|
config := &oauth.Config{ |
||||||
|
ClientId: opts.ClientId, |
||||||
|
ClientSecret: opts.ClientSecret, |
||||||
|
RedirectURL: opts.RedirectURL, |
||||||
|
Scope: strings.Join(opts.Scopes, " "), |
||||||
|
AuthURL: opts.AuthUrl, |
||||||
|
TokenURL: opts.TokenUrl, |
||||||
|
} |
||||||
|
|
||||||
|
transport := &oauth.Transport{ |
||||||
|
Config: config, |
||||||
|
Transport: http.DefaultTransport, |
||||||
|
} |
||||||
|
|
||||||
|
return func(s sessions.Session, c martini.Context, w http.ResponseWriter, r *http.Request) { |
||||||
|
if r.Method == "GET" { |
||||||
|
switch r.URL.Path { |
||||||
|
case PathLogin: |
||||||
|
login(transport, s, w, r) |
||||||
|
case PathLogout: |
||||||
|
logout(transport, s, w, r) |
||||||
|
case PathCallback: |
||||||
|
handleOAuth2Callback(transport, s, w, r) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
tk := unmarshallToken(s) |
||||||
|
if tk != nil { |
||||||
|
// check if the access token is expired
|
||||||
|
if tk.IsExpired() && tk.Refresh() == "" { |
||||||
|
s.Delete(keyToken) |
||||||
|
tk = nil |
||||||
|
} |
||||||
|
} |
||||||
|
// Inject tokens.
|
||||||
|
c.MapTo(tk, (*Tokens)(nil)) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
// Handler that redirects user to the login page
|
||||||
|
// if user is not logged in.
|
||||||
|
// Sample usage:
|
||||||
|
// m.Get("/login-required", oauth2.LoginRequired, func() ... {})
|
||||||
|
var LoginRequired martini.Handler = func() martini.Handler { |
||||||
|
return func(s sessions.Session, c martini.Context, w http.ResponseWriter, r *http.Request) { |
||||||
|
token := unmarshallToken(s) |
||||||
|
if token == nil || token.IsExpired() { |
||||||
|
next := url.QueryEscape(r.URL.RequestURI()) |
||||||
|
http.Redirect(w, r, PathLogin+"?next="+next, codeRedirect) |
||||||
|
} |
||||||
|
} |
||||||
|
}() |
||||||
|
|
||||||
|
func login(t *oauth.Transport, s sessions.Session, w http.ResponseWriter, r *http.Request) { |
||||||
|
next := extractPath(r.URL.Query().Get(keyNextPage)) |
||||||
|
if s.Get(keyToken) == nil { |
||||||
|
// User is not logged in.
|
||||||
|
http.Redirect(w, r, t.Config.AuthCodeURL(next), codeRedirect) |
||||||
|
return |
||||||
|
} |
||||||
|
// No need to login, redirect to the next page.
|
||||||
|
http.Redirect(w, r, next, codeRedirect) |
||||||
|
} |
||||||
|
|
||||||
|
func logout(t *oauth.Transport, s sessions.Session, w http.ResponseWriter, r *http.Request) { |
||||||
|
next := extractPath(r.URL.Query().Get(keyNextPage)) |
||||||
|
s.Delete(keyToken) |
||||||
|
http.Redirect(w, r, next, codeRedirect) |
||||||
|
} |
||||||
|
|
||||||
|
func handleOAuth2Callback(t *oauth.Transport, s sessions.Session, w http.ResponseWriter, r *http.Request) { |
||||||
|
next := extractPath(r.URL.Query().Get("state")) |
||||||
|
code := r.URL.Query().Get("code") |
||||||
|
tk, err := t.Exchange(code) |
||||||
|
if err != nil { |
||||||
|
// Pass the error message, or allow dev to provide its own
|
||||||
|
// error handler.
|
||||||
|
http.Redirect(w, r, PathError, codeRedirect) |
||||||
|
return |
||||||
|
} |
||||||
|
// Store the credentials in the session.
|
||||||
|
val, _ := json.Marshal(tk) |
||||||
|
s.Set(keyToken, val) |
||||||
|
http.Redirect(w, r, next, codeRedirect) |
||||||
|
} |
||||||
|
|
||||||
|
func unmarshallToken(s sessions.Session) (t *token) { |
||||||
|
if s.Get(keyToken) == nil { |
||||||
|
return |
||||||
|
} |
||||||
|
data := s.Get(keyToken).([]byte) |
||||||
|
var tk oauth.Token |
||||||
|
json.Unmarshal(data, &tk) |
||||||
|
return &token{tk} |
||||||
|
} |
||||||
|
|
||||||
|
func extractPath(next string) string { |
||||||
|
n, err := url.Parse(next) |
||||||
|
if err != nil { |
||||||
|
return "/" |
||||||
|
} |
||||||
|
return n.Path |
||||||
|
} |
@ -0,0 +1,162 @@ |
|||||||
|
// Copyright 2014 Google Inc. All Rights Reserved.
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// Unless required by applicable law or agreed to in writing, software
|
||||||
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
// See the License for the specific language governing permissions and
|
||||||
|
// limitations under the License.
|
||||||
|
|
||||||
|
package oauth2 |
||||||
|
|
||||||
|
import ( |
||||||
|
"net/http" |
||||||
|
"net/http/httptest" |
||||||
|
"testing" |
||||||
|
|
||||||
|
"github.com/go-martini/martini" |
||||||
|
"github.com/martini-contrib/sessions" |
||||||
|
) |
||||||
|
|
||||||
|
func Test_LoginRedirect(t *testing.T) { |
||||||
|
recorder := httptest.NewRecorder() |
||||||
|
m := martini.New() |
||||||
|
m.Use(sessions.Sessions("my_session", sessions.NewCookieStore([]byte("secret123")))) |
||||||
|
m.Use(Google(&Options{ |
||||||
|
ClientId: "client_id", |
||||||
|
ClientSecret: "client_secret", |
||||||
|
RedirectURL: "refresh_url", |
||||||
|
Scopes: []string{"x", "y"}, |
||||||
|
})) |
||||||
|
|
||||||
|
r, _ := http.NewRequest("GET", "/login", nil) |
||||||
|
m.ServeHTTP(recorder, r) |
||||||
|
|
||||||
|
location := recorder.HeaderMap["Location"][0] |
||||||
|
if recorder.Code != 302 { |
||||||
|
t.Errorf("Not being redirected to the auth page.") |
||||||
|
} |
||||||
|
if location != "https://accounts.google.com/o/oauth2/auth?access_type=&approval_prompt=&client_id=client_id&redirect_uri=refresh_url&response_type=code&scope=x+y&state=" { |
||||||
|
t.Errorf("Not being redirected to the right page, %v found", location) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
func Test_LoginRedirectAfterLoginRequired(t *testing.T) { |
||||||
|
recorder := httptest.NewRecorder() |
||||||
|
m := martini.Classic() |
||||||
|
m.Use(sessions.Sessions("my_session", sessions.NewCookieStore([]byte("secret123")))) |
||||||
|
m.Use(Google(&Options{ |
||||||
|
ClientId: "client_id", |
||||||
|
ClientSecret: "client_secret", |
||||||
|
RedirectURL: "refresh_url", |
||||||
|
Scopes: []string{"x", "y"}, |
||||||
|
})) |
||||||
|
|
||||||
|
m.Get("/login-required", LoginRequired, func(tokens Tokens) (int, string) { |
||||||
|
return 200, tokens.Access() |
||||||
|
}) |
||||||
|
|
||||||
|
r, _ := http.NewRequest("GET", "/login-required?key=value", nil) |
||||||
|
m.ServeHTTP(recorder, r) |
||||||
|
|
||||||
|
location := recorder.HeaderMap["Location"][0] |
||||||
|
if recorder.Code != 302 { |
||||||
|
t.Errorf("Not being redirected to the auth page.") |
||||||
|
} |
||||||
|
if location != "/login?next=%2Flogin-required%3Fkey%3Dvalue" { |
||||||
|
t.Errorf("Not being redirected to the right page, %v found", location) |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
func Test_Logout(t *testing.T) { |
||||||
|
recorder := httptest.NewRecorder() |
||||||
|
s := sessions.NewCookieStore([]byte("secret123")) |
||||||
|
|
||||||
|
m := martini.Classic() |
||||||
|
m.Use(sessions.Sessions("my_session", s)) |
||||||
|
m.Use(Google(&Options{ |
||||||
|
// no need to configure
|
||||||
|
})) |
||||||
|
|
||||||
|
m.Get("/", func(s sessions.Session) { |
||||||
|
s.Set(keyToken, "dummy token") |
||||||
|
}) |
||||||
|
|
||||||
|
m.Get("/get", func(s sessions.Session) { |
||||||
|
if s.Get(keyToken) != nil { |
||||||
|
t.Errorf("User credentials are still kept in the session.") |
||||||
|
} |
||||||
|
}) |
||||||
|
|
||||||
|
logout, _ := http.NewRequest("GET", "/logout", nil) |
||||||
|
index, _ := http.NewRequest("GET", "/", nil) |
||||||
|
|
||||||
|
m.ServeHTTP(httptest.NewRecorder(), index) |
||||||
|
m.ServeHTTP(recorder, logout) |
||||||
|
|
||||||
|
if recorder.Code != 302 { |
||||||
|
t.Errorf("Not being redirected to the next page.") |
||||||
|
} |
||||||
|
} |
||||||
|
|
||||||
|
func Test_LogoutOnAccessTokenExpiration(t *testing.T) { |
||||||
|
recorder := httptest.NewRecorder() |
||||||
|
s := sessions.NewCookieStore([]byte("secret123")) |
||||||
|
|
||||||
|
m := martini.Classic() |
||||||
|
m.Use(sessions.Sessions("my_session", s)) |
||||||
|
m.Use(Google(&Options{ |
||||||
|
// no need to configure
|
||||||
|
})) |
||||||
|
|
||||||
|
m.Get("/addtoken", func(s sessions.Session) { |
||||||
|
s.Set(keyToken, "dummy token") |
||||||
|
}) |
||||||
|
|
||||||
|
m.Get("/", func(s sessions.Session) { |
||||||
|
if s.Get(keyToken) != nil { |
||||||
|
t.Errorf("User not logged out although access token is expired.") |
||||||
|
} |
||||||
|
}) |
||||||
|
|
||||||
|
addtoken, _ := http.NewRequest("GET", "/addtoken", nil) |
||||||
|
index, _ := http.NewRequest("GET", "/", nil) |
||||||
|
m.ServeHTTP(recorder, addtoken) |
||||||
|
m.ServeHTTP(recorder, index) |
||||||
|
} |
||||||
|
|
||||||
|
func Test_InjectedTokens(t *testing.T) { |
||||||
|
recorder := httptest.NewRecorder() |
||||||
|
m := martini.Classic() |
||||||
|
m.Use(sessions.Sessions("my_session", sessions.NewCookieStore([]byte("secret123")))) |
||||||
|
m.Use(Google(&Options{ |
||||||
|
// no need to configure
|
||||||
|
})) |
||||||
|
m.Get("/", func(tokens Tokens) string { |
||||||
|
return "Hello world!" |
||||||
|
}) |
||||||
|
r, _ := http.NewRequest("GET", "/", nil) |
||||||
|
m.ServeHTTP(recorder, r) |
||||||
|
} |
||||||
|
|
||||||
|
func Test_LoginRequired(t *testing.T) { |
||||||
|
recorder := httptest.NewRecorder() |
||||||
|
m := martini.Classic() |
||||||
|
m.Use(sessions.Sessions("my_session", sessions.NewCookieStore([]byte("secret123")))) |
||||||
|
m.Use(Google(&Options{ |
||||||
|
// no need to configure
|
||||||
|
})) |
||||||
|
m.Get("/", LoginRequired, func(tokens Tokens) string { |
||||||
|
return "Hello world!" |
||||||
|
}) |
||||||
|
r, _ := http.NewRequest("GET", "/", nil) |
||||||
|
m.ServeHTTP(recorder, r) |
||||||
|
if recorder.Code != 302 { |
||||||
|
t.Errorf("Not being redirected to the auth page although user is not logged in.") |
||||||
|
} |
||||||
|
} |
Loading…
Reference in new issue