1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
|
package server
import (
"context"
"net/http"
"strings"
"time"
"code.superseriousbusiness.org/oauth2/v4"
"code.superseriousbusiness.org/oauth2/v4/errors"
)
type (
// ClientInfoHandler get client info from request
ClientInfoHandler func(r *http.Request) (clientID, clientSecret string, err error)
// ClientAuthorizedHandler check the client allows to use this authorization grant type
ClientAuthorizedHandler func(clientID string, grant oauth2.GrantType) (allowed bool, err error)
// ClientScopeHandler check the client allows to use scope
ClientScopeHandler func(tgr *oauth2.TokenGenerateRequest) (allowed bool, err error)
// UserAuthorizationHandler get user id from request authorization
UserAuthorizationHandler func(w http.ResponseWriter, r *http.Request) (userID string, err error)
// PasswordAuthorizationHandler get user id from username and password
PasswordAuthorizationHandler func(ctx context.Context, clientID, username, password string) (userID string, err error)
// RefreshingScopeHandler check the scope of the refreshing token
RefreshingScopeHandler func(tgr *oauth2.TokenGenerateRequest, oldScope string) (allowed bool, err error)
// RefreshingValidationHandler check if refresh_token is still valid. eg no revocation or other
RefreshingValidationHandler func(ti oauth2.TokenInfo) (allowed bool, err error)
// ResponseErrorHandler response error handing
ResponseErrorHandler func(re *errors.Response)
// InternalErrorHandler internal error handing
InternalErrorHandler func(err error) (re *errors.Response)
// PreRedirectErrorHandler is used to override "redirect-on-error" behavior
PreRedirectErrorHandler func(w http.ResponseWriter, req *AuthorizeRequest, err error) error
// AuthorizeScopeHandler set the authorized scope
AuthorizeScopeHandler func(w http.ResponseWriter, r *http.Request) (scope string, err error)
// AccessTokenExpHandler set expiration date for the access token
AccessTokenExpHandler func(w http.ResponseWriter, r *http.Request) (exp time.Duration, err error)
// ExtensionFieldsHandler in response to the access token with the extension of the field
ExtensionFieldsHandler func(ti oauth2.TokenInfo) (fieldsValue map[string]interface{})
// ResponseTokenHandler response token handling
ResponseTokenHandler func(w http.ResponseWriter, data map[string]interface{}, header http.Header, statusCode ...int) error
// Handler to fetch the refresh token from the request
RefreshTokenResolveHandler func(r *http.Request) (string, error)
// Handler to fetch the access token from the request
AccessTokenResolveHandler func(r *http.Request) (string, bool)
)
// ClientFormHandler get client data from form
func ClientFormHandler(r *http.Request) (string, string, error) {
clientID := r.Form.Get("client_id")
if clientID == "" {
return "", "", errors.ErrInvalidClient
}
clientSecret := r.Form.Get("client_secret")
return clientID, clientSecret, nil
}
// ClientBasicHandler get client data from basic authorization
func ClientBasicHandler(r *http.Request) (string, string, error) {
username, password, ok := r.BasicAuth()
if !ok {
return "", "", errors.ErrInvalidClient
}
return username, password, nil
}
func RefreshTokenFormResolveHandler(r *http.Request) (string, error) {
rt := r.FormValue("refresh_token")
if rt == "" {
return "", errors.ErrInvalidRequest
}
return rt, nil
}
func RefreshTokenCookieResolveHandler(r *http.Request) (string, error) {
c, err := r.Cookie("refresh_token")
if err != nil {
return "", errors.ErrInvalidRequest
}
return c.Value, nil
}
func AccessTokenDefaultResolveHandler(r *http.Request) (string, bool) {
token := ""
auth := r.Header.Get("Authorization")
prefix := "Bearer "
if auth != "" && strings.HasPrefix(auth, prefix) {
token = auth[len(prefix):]
} else {
token = r.FormValue("access_token")
}
return token, token != ""
}
func AccessTokenCookieResolveHandler(r *http.Request) (string, bool) {
c, err := r.Cookie("access_token")
if err != nil {
return "", false
}
return c.Value, true
}
|
