From ffde1b150faca940bc6c172068aa068cf468aa39 Mon Sep 17 00:00:00 2001 From: tobi <31960611+tsmethurst@users.noreply.github.com> Date: Fri, 25 Apr 2025 15:15:36 +0200 Subject: [chore] Move deps to code.superseriousbusiness.org (#4054) --- .../oauth2/v4/manage/config.go | 39 -- .../oauth2/v4/manage/manager.go | 504 --------------------- .../superseriousbusiness/oauth2/v4/manage/util.go | 30 -- 3 files changed, 573 deletions(-) delete mode 100644 vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage/config.go delete mode 100644 vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage/manager.go delete mode 100644 vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage/util.go (limited to 'vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage') diff --git a/vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage/config.go b/vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage/config.go deleted file mode 100644 index 664c0a386..000000000 --- a/vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage/config.go +++ /dev/null @@ -1,39 +0,0 @@ -package manage - -import "time" - -// Config authorization configuration parameters -type Config struct { - // access token expiration time, 0 means it doesn't expire - AccessTokenExp time.Duration - // refresh token expiration time, 0 means it doesn't expire - RefreshTokenExp time.Duration - // whether to generate the refreshing token - IsGenerateRefresh bool -} - -// RefreshingConfig refreshing token config -type RefreshingConfig struct { - // access token expiration time, 0 means it doesn't expire - AccessTokenExp time.Duration - // refresh token expiration time, 0 means it doesn't expire - RefreshTokenExp time.Duration - // whether to generate the refreshing token - IsGenerateRefresh bool - // whether to reset the refreshing create time - IsResetRefreshTime bool - // whether to remove access token - IsRemoveAccess bool - // whether to remove refreshing token - IsRemoveRefreshing bool -} - -// default configs -var ( - DefaultCodeExp = time.Minute * 10 - DefaultAuthorizeCodeTokenCfg = &Config{AccessTokenExp: time.Hour * 2, RefreshTokenExp: time.Hour * 24 * 3, IsGenerateRefresh: true} - DefaultImplicitTokenCfg = &Config{AccessTokenExp: time.Hour * 1} - DefaultPasswordTokenCfg = &Config{AccessTokenExp: time.Hour * 2, RefreshTokenExp: time.Hour * 24 * 7, IsGenerateRefresh: true} - DefaultClientTokenCfg = &Config{AccessTokenExp: time.Hour * 2} - DefaultRefreshTokenCfg = &RefreshingConfig{IsGenerateRefresh: true, IsRemoveAccess: true, IsRemoveRefreshing: true} -) diff --git a/vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage/manager.go b/vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage/manager.go deleted file mode 100644 index 8e73b6793..000000000 --- a/vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage/manager.go +++ /dev/null @@ -1,504 +0,0 @@ -package manage - -import ( - "context" - "time" - - "codeberg.org/superseriousbusiness/oauth2/v4" - "codeberg.org/superseriousbusiness/oauth2/v4/errors" - "codeberg.org/superseriousbusiness/oauth2/v4/generates" - "codeberg.org/superseriousbusiness/oauth2/v4/models" -) - -// NewDefaultManager create to default authorization management instance -func NewDefaultManager() *Manager { - m := NewManager() - // default implementation - m.MapAuthorizeGenerate(generates.NewAuthorizeGenerate()) - m.MapAccessGenerate(generates.NewAccessGenerate()) - - return m -} - -// NewManager create to authorization management instance -func NewManager() *Manager { - return &Manager{ - gtcfg: make(map[oauth2.GrantType]*Config), - validateURI: DefaultValidateURI, - } -} - -// Manager provide authorization management -type Manager struct { - codeExp time.Duration - gtcfg map[oauth2.GrantType]*Config - rcfg *RefreshingConfig - validateURI ValidateURIHandler - authorizeGenerate oauth2.AuthorizeGenerate - accessGenerate oauth2.AccessGenerate - tokenStore oauth2.TokenStore - clientStore oauth2.ClientStore -} - -// get grant type config -func (m *Manager) grantConfig(gt oauth2.GrantType) *Config { - if c, ok := m.gtcfg[gt]; ok && c != nil { - return c - } - switch gt { - case oauth2.AuthorizationCode: - return DefaultAuthorizeCodeTokenCfg - case oauth2.Implicit: - return DefaultImplicitTokenCfg - case oauth2.PasswordCredentials: - return DefaultPasswordTokenCfg - case oauth2.ClientCredentials: - return DefaultClientTokenCfg - } - return &Config{} -} - -// SetAuthorizeCodeExp set the authorization code expiration time -func (m *Manager) SetAuthorizeCodeExp(exp time.Duration) { - m.codeExp = exp -} - -// SetAuthorizeCodeTokenCfg set the authorization code grant token config -func (m *Manager) SetAuthorizeCodeTokenCfg(cfg *Config) { - m.gtcfg[oauth2.AuthorizationCode] = cfg -} - -// SetImplicitTokenCfg set the implicit grant token config -func (m *Manager) SetImplicitTokenCfg(cfg *Config) { - m.gtcfg[oauth2.Implicit] = cfg -} - -// SetPasswordTokenCfg set the password grant token config -func (m *Manager) SetPasswordTokenCfg(cfg *Config) { - m.gtcfg[oauth2.PasswordCredentials] = cfg -} - -// SetClientTokenCfg set the client grant token config -func (m *Manager) SetClientTokenCfg(cfg *Config) { - m.gtcfg[oauth2.ClientCredentials] = cfg -} - -// SetRefreshTokenCfg set the refreshing token config -func (m *Manager) SetRefreshTokenCfg(cfg *RefreshingConfig) { - m.rcfg = cfg -} - -// SetValidateURIHandler set the validates that RedirectURI is contained in baseURI -func (m *Manager) SetValidateURIHandler(handler ValidateURIHandler) { - m.validateURI = handler -} - -// MapAuthorizeGenerate mapping the authorize code generate interface -func (m *Manager) MapAuthorizeGenerate(gen oauth2.AuthorizeGenerate) { - m.authorizeGenerate = gen -} - -// MapAccessGenerate mapping the access token generate interface -func (m *Manager) MapAccessGenerate(gen oauth2.AccessGenerate) { - m.accessGenerate = gen -} - -// MapClientStorage mapping the client store interface -func (m *Manager) MapClientStorage(stor oauth2.ClientStore) { - m.clientStore = stor -} - -// MustClientStorage mandatory mapping the client store interface -func (m *Manager) MustClientStorage(stor oauth2.ClientStore, err error) { - if err != nil { - panic(err.Error()) - } - m.clientStore = stor -} - -// MapTokenStorage mapping the token store interface -func (m *Manager) MapTokenStorage(stor oauth2.TokenStore) { - m.tokenStore = stor -} - -// MustTokenStorage mandatory mapping the token store interface -func (m *Manager) MustTokenStorage(stor oauth2.TokenStore, err error) { - if err != nil { - panic(err) - } - m.tokenStore = stor -} - -// GetClient get the client information -func (m *Manager) GetClient(ctx context.Context, clientID string) (cli oauth2.ClientInfo, err error) { - cli, err = m.clientStore.GetByID(ctx, clientID) - if err != nil { - return - } else if cli == nil { - err = errors.ErrInvalidClient - } - return -} - -// GenerateAuthToken generate the authorization token(code) -func (m *Manager) GenerateAuthToken(ctx context.Context, rt oauth2.ResponseType, tgr *oauth2.TokenGenerateRequest) (oauth2.TokenInfo, error) { - cli, err := m.GetClient(ctx, tgr.ClientID) - if err != nil { - return nil, err - } else if tgr.RedirectURI != "" { - if err := m.validateURI(cli.GetDomain(), tgr.RedirectURI); err != nil { - return nil, err - } - } - - ti := models.NewToken() - ti.SetClientID(tgr.ClientID) - ti.SetUserID(tgr.UserID) - ti.SetRedirectURI(tgr.RedirectURI) - ti.SetScope(tgr.Scope) - - createAt := time.Now() - td := &oauth2.GenerateBasic{ - Client: cli, - UserID: tgr.UserID, - CreateAt: createAt, - TokenInfo: ti, - Request: tgr.Request, - } - switch rt { - case oauth2.Code: - codeExp := m.codeExp - if codeExp == 0 { - codeExp = DefaultCodeExp - } - ti.SetCodeCreateAt(createAt) - ti.SetCodeExpiresIn(codeExp) - if exp := tgr.AccessTokenExp; exp > 0 { - ti.SetAccessExpiresIn(exp) - } - if tgr.CodeChallenge != "" { - ti.SetCodeChallenge(tgr.CodeChallenge) - ti.SetCodeChallengeMethod(tgr.CodeChallengeMethod) - } - - tv, err := m.authorizeGenerate.Token(ctx, td) - if err != nil { - return nil, err - } - ti.SetCode(tv) - case oauth2.Token: - // set access token expires - icfg := m.grantConfig(oauth2.Implicit) - aexp := icfg.AccessTokenExp - if exp := tgr.AccessTokenExp; exp > 0 { - aexp = exp - } - ti.SetAccessCreateAt(createAt) - ti.SetAccessExpiresIn(aexp) - - if icfg.IsGenerateRefresh { - ti.SetRefreshCreateAt(createAt) - ti.SetRefreshExpiresIn(icfg.RefreshTokenExp) - } - - tv, rv, err := m.accessGenerate.Token(ctx, td, icfg.IsGenerateRefresh) - if err != nil { - return nil, err - } - ti.SetAccess(tv) - - if rv != "" { - ti.SetRefresh(rv) - } - } - - err = m.tokenStore.Create(ctx, ti) - if err != nil { - return nil, err - } - return ti, nil -} - -// get authorization code data -func (m *Manager) getAuthorizationCode(ctx context.Context, code string) (oauth2.TokenInfo, error) { - ti, err := m.tokenStore.GetByCode(ctx, code) - if err != nil { - return nil, err - } else if ti == nil || ti.GetCode() != code || ti.GetCodeCreateAt().Add(ti.GetCodeExpiresIn()).Before(time.Now()) { - err = errors.ErrInvalidAuthorizeCode - return nil, errors.ErrInvalidAuthorizeCode - } - return ti, nil -} - -// delete authorization code data -func (m *Manager) delAuthorizationCode(ctx context.Context, code string) error { - return m.tokenStore.RemoveByCode(ctx, code) -} - -// get and delete authorization code data -func (m *Manager) getAndDelAuthorizationCode(ctx context.Context, tgr *oauth2.TokenGenerateRequest) (oauth2.TokenInfo, error) { - code := tgr.Code - ti, err := m.getAuthorizationCode(ctx, code) - if err != nil { - return nil, err - } else if ti.GetClientID() != tgr.ClientID { - return nil, errors.ErrInvalidAuthorizeCode - } else if codeURI := ti.GetRedirectURI(); codeURI != "" && codeURI != tgr.RedirectURI { - return nil, errors.ErrInvalidAuthorizeCode - } - - err = m.delAuthorizationCode(ctx, code) - if err != nil { - return nil, err - } - return ti, nil -} - -func (m *Manager) validateCodeChallenge(ti oauth2.TokenInfo, ver string) error { - cc := ti.GetCodeChallenge() - // early return - if cc == "" && ver == "" { - return nil - } - if cc == "" { - return errors.ErrMissingCodeVerifier - } - if ver == "" { - return errors.ErrMissingCodeVerifier - } - ccm := ti.GetCodeChallengeMethod() - if ccm.String() == "" { - ccm = oauth2.CodeChallengePlain - } - if !ccm.Validate(cc, ver) { - return errors.ErrInvalidCodeChallenge - } - return nil -} - -// GenerateAccessToken generate the access token -func (m *Manager) GenerateAccessToken(ctx context.Context, gt oauth2.GrantType, tgr *oauth2.TokenGenerateRequest) (oauth2.TokenInfo, error) { - cli, err := m.GetClient(ctx, tgr.ClientID) - if err != nil { - return nil, err - } - if cliPass, ok := cli.(oauth2.ClientPasswordVerifier); ok { - if !cliPass.VerifyPassword(tgr.ClientSecret) { - return nil, errors.ErrInvalidClient - } - } else if len(cli.GetSecret()) > 0 && tgr.ClientSecret != cli.GetSecret() { - return nil, errors.ErrInvalidClient - } - if tgr.RedirectURI != "" { - if err := m.validateURI(cli.GetDomain(), tgr.RedirectURI); err != nil { - return nil, err - } - } - - if gt == oauth2.AuthorizationCode { - ti, err := m.getAndDelAuthorizationCode(ctx, tgr) - if err != nil { - return nil, err - } - if err := m.validateCodeChallenge(ti, tgr.CodeVerifier); err != nil { - return nil, err - } - tgr.UserID = ti.GetUserID() - tgr.Scope = ti.GetScope() - if exp := ti.GetAccessExpiresIn(); exp > 0 { - tgr.AccessTokenExp = exp - } - } - - ti := models.NewToken() - ti.SetClientID(tgr.ClientID) - ti.SetUserID(tgr.UserID) - ti.SetRedirectURI(tgr.RedirectURI) - ti.SetScope(tgr.Scope) - - createAt := time.Now() - ti.SetAccessCreateAt(createAt) - - // set access token expires - gcfg := m.grantConfig(gt) - aexp := gcfg.AccessTokenExp - if exp := tgr.AccessTokenExp; exp > 0 { - aexp = exp - } - ti.SetAccessExpiresIn(aexp) - if gcfg.IsGenerateRefresh { - ti.SetRefreshCreateAt(createAt) - ti.SetRefreshExpiresIn(gcfg.RefreshTokenExp) - } - - td := &oauth2.GenerateBasic{ - Client: cli, - UserID: tgr.UserID, - CreateAt: createAt, - TokenInfo: ti, - Request: tgr.Request, - } - - av, rv, err := m.accessGenerate.Token(ctx, td, gcfg.IsGenerateRefresh) - if err != nil { - return nil, err - } - ti.SetAccess(av) - - if rv != "" { - ti.SetRefresh(rv) - } - - err = m.tokenStore.Create(ctx, ti) - if err != nil { - return nil, err - } - - return ti, nil -} - -// RefreshAccessToken refreshing an access token -func (m *Manager) RefreshAccessToken(ctx context.Context, tgr *oauth2.TokenGenerateRequest) (oauth2.TokenInfo, error) { - cli, err := m.GetClient(ctx, tgr.ClientID) - if err != nil { - return nil, err - } else if cliPass, ok := cli.(oauth2.ClientPasswordVerifier); ok { - if !cliPass.VerifyPassword(tgr.ClientSecret) { - return nil, errors.ErrInvalidClient - } - } else if tgr.ClientSecret != cli.GetSecret() { - return nil, errors.ErrInvalidClient - } - - ti, err := m.LoadRefreshToken(ctx, tgr.Refresh) - if err != nil { - return nil, err - } else if ti.GetClientID() != tgr.ClientID { - return nil, errors.ErrInvalidRefreshToken - } - - oldAccess, oldRefresh := ti.GetAccess(), ti.GetRefresh() - - td := &oauth2.GenerateBasic{ - Client: cli, - UserID: ti.GetUserID(), - CreateAt: time.Now(), - TokenInfo: ti, - Request: tgr.Request, - } - - rcfg := DefaultRefreshTokenCfg - if v := m.rcfg; v != nil { - rcfg = v - } - - ti.SetAccessCreateAt(td.CreateAt) - if v := rcfg.AccessTokenExp; v > 0 { - ti.SetAccessExpiresIn(v) - } - - if v := rcfg.RefreshTokenExp; v > 0 { - ti.SetRefreshExpiresIn(v) - } - - if rcfg.IsResetRefreshTime { - ti.SetRefreshCreateAt(td.CreateAt) - } - - if scope := tgr.Scope; scope != "" { - ti.SetScope(scope) - } - - tv, rv, err := m.accessGenerate.Token(ctx, td, rcfg.IsGenerateRefresh) - if err != nil { - return nil, err - } - - ti.SetAccess(tv) - if rv != "" { - ti.SetRefresh(rv) - } - - if err := m.tokenStore.Create(ctx, ti); err != nil { - return nil, err - } - - if rcfg.IsRemoveAccess { - // remove the old access token - if err := m.tokenStore.RemoveByAccess(ctx, oldAccess); err != nil { - return nil, err - } - } - - if rcfg.IsRemoveRefreshing && rv != "" { - // remove the old refresh token - if err := m.tokenStore.RemoveByRefresh(ctx, oldRefresh); err != nil { - return nil, err - } - } - - if rv == "" { - ti.SetRefresh("") - ti.SetRefreshCreateAt(time.Now()) - ti.SetRefreshExpiresIn(0) - } - - return ti, nil -} - -// RemoveAccessToken use the access token to delete the token information -func (m *Manager) RemoveAccessToken(ctx context.Context, access string) error { - if access == "" { - return errors.ErrInvalidAccessToken - } - return m.tokenStore.RemoveByAccess(ctx, access) -} - -// RemoveRefreshToken use the refresh token to delete the token information -func (m *Manager) RemoveRefreshToken(ctx context.Context, refresh string) error { - if refresh == "" { - return errors.ErrInvalidAccessToken - } - return m.tokenStore.RemoveByRefresh(ctx, refresh) -} - -// LoadAccessToken according to the access token for corresponding token information -func (m *Manager) LoadAccessToken(ctx context.Context, access string) (oauth2.TokenInfo, error) { - if access == "" { - return nil, errors.ErrInvalidAccessToken - } - - ct := time.Now() - ti, err := m.tokenStore.GetByAccess(ctx, access) - if err != nil { - return nil, err - } else if ti == nil || ti.GetAccess() != access { - return nil, errors.ErrInvalidAccessToken - } else if ti.GetRefresh() != "" && ti.GetRefreshExpiresIn() != 0 && - ti.GetRefreshCreateAt().Add(ti.GetRefreshExpiresIn()).Before(ct) { - return nil, errors.ErrExpiredRefreshToken - } else if ti.GetAccessExpiresIn() != 0 && - ti.GetAccessCreateAt().Add(ti.GetAccessExpiresIn()).Before(ct) { - return nil, errors.ErrExpiredAccessToken - } - return ti, nil -} - -// LoadRefreshToken according to the refresh token for corresponding token information -func (m *Manager) LoadRefreshToken(ctx context.Context, refresh string) (oauth2.TokenInfo, error) { - if refresh == "" { - return nil, errors.ErrInvalidRefreshToken - } - - ti, err := m.tokenStore.GetByRefresh(ctx, refresh) - if err != nil { - return nil, err - } else if ti == nil || ti.GetRefresh() != refresh { - return nil, errors.ErrInvalidRefreshToken - } else if ti.GetRefreshExpiresIn() != 0 && // refresh token set to not expire - ti.GetRefreshCreateAt().Add(ti.GetRefreshExpiresIn()).Before(time.Now()) { - return nil, errors.ErrExpiredRefreshToken - } - return ti, nil -} diff --git a/vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage/util.go b/vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage/util.go deleted file mode 100644 index fd1146231..000000000 --- a/vendor/codeberg.org/superseriousbusiness/oauth2/v4/manage/util.go +++ /dev/null @@ -1,30 +0,0 @@ -package manage - -import ( - "net/url" - "strings" - - "codeberg.org/superseriousbusiness/oauth2/v4/errors" -) - -type ( - // ValidateURIHandler validates that redirectURI is contained in baseURI - ValidateURIHandler func(baseURI, redirectURI string) error -) - -// DefaultValidateURI validates that redirectURI is contained in baseURI -func DefaultValidateURI(baseURI string, redirectURI string) error { - base, err := url.Parse(baseURI) - if err != nil { - return err - } - - redirect, err := url.Parse(redirectURI) - if err != nil { - return err - } - if !strings.HasSuffix(redirect.Host, base.Host) { - return errors.ErrInvalidRedirectURI - } - return nil -} -- cgit v1.2.3