godash/handlers/auth.handlers.go

package handlers

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"io"
	"log/slog"
	"net/http"
	"os"
	"time"

	"github.com/alexedwards/scs/v2"
	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/thanhpk/randstr"
	"golang.org/x/oauth2"

	"gitlab.unjx.de/flohoss/godash/internal/env"
	"gitlab.unjx.de/flohoss/godash/services"
)

func setCallbackCookie(w http.ResponseWriter, r *http.Request, name, value string) {
	c := &http.Cookie{
		Name:     name,
		Value:    value,
		MaxAge:   int(time.Hour.Seconds()),
		Secure:   r.TLS != nil,
		HttpOnly: true,
	}
	http.SetCookie(w, c)
}

func generateCodeVerifier() (string, error) {
	verifierLength := 64
	verifier := make([]byte, verifierLength)

	_, err := rand.Read(verifier)
	if err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(verifier), nil
}

func generateCodeChallenge(verifier string) string {
	hash := sha256.New()
	_, _ = io.WriteString(hash, verifier)
	sha := hash.Sum(nil)
	return base64.RawURLEncoding.EncodeToString(sha)
}

func NewAuthHandler(env *env.Config) *AuthHandler {
	ctx := context.Background()

	oidcProvider, err := oidc.NewProvider(ctx, env.OIDCIssuer)
	if err != nil {
		slog.Error("Failed to get oidc provider", "err", err.Error())
		os.Exit(1)
	}

	oauth2Config := &oauth2.Config{
		ClientID:     env.OIDCClientID,
		ClientSecret: env.OIDCClientSecret,
		Endpoint:     oidcProvider.Endpoint(),
		RedirectURL:  env.OIDCRedirectURI,
		Scopes:       env.OIDCScopes,
	}

	codeVerifier, err := generateCodeVerifier()
	if err != nil {
		slog.Error("Error generating code verifier", "err", err.Error())
		os.Exit(1)
	}
	codeChallenge := generateCodeChallenge(codeVerifier)
	authCodeOptions := []oauth2.AuthCodeOption{
		oauth2.SetAuthURLParam("redirect_uri", env.OIDCRedirectURI),
		oauth2.SetAuthURLParam("code_challenge", codeChallenge),
		oauth2.SetAuthURLParam("code_challenge_method", "S256"),
		oauth2.SetAuthURLParam("code_verifier", codeVerifier),
	}

	sessionManager := scs.New()
	sessionManager.Lifetime = 24 * time.Hour

	return &AuthHandler{
		ctx:             ctx,
		oidcProvider:    oidcProvider,
		oauth2Config:    oauth2Config,
		authCodeOptions: authCodeOptions,
		SessionManager:  sessionManager,
	}
}

type AuthHandler struct {
	ctx             context.Context
	oidcProvider    *oidc.Provider
	oauth2Config    *oauth2.Config
	authCodeOptions []oauth2.AuthCodeOption
	SessionManager  *scs.SessionManager
}

func (ah *AuthHandler) handleCallback(w http.ResponseWriter, r *http.Request) {
	state, err := r.Cookie("state")
	if err != nil {
		http.Error(w, "state not found", http.StatusBadRequest)
		return
	}
	if r.URL.Query().Get("state") != state.Value {
		http.Error(w, "state did not match", http.StatusBadRequest)
		return
	}

	oauth2Token, err := ah.oauth2Config.Exchange(ah.ctx, r.URL.Query().Get("code"), ah.authCodeOptions...)
	if err != nil {
		http.Error(w, "failed to exchange token: "+err.Error(), http.StatusInternalServerError)
		return
	}

	ah.SessionManager.Put(r.Context(), "access_token", oauth2Token.AccessToken)

	http.Redirect(w, r, "/", http.StatusFound)
}

func (ah *AuthHandler) handleLogout(w http.ResponseWriter, r *http.Request) {
	ah.SessionManager.Clear(r.Context())
	http.Redirect(w, r, "/", http.StatusFound)
}

func (ah *AuthHandler) handleLogin(w http.ResponseWriter, r *http.Request) {
	state := randstr.String(16)
	setCallbackCookie(w, r, "state", state)
	http.Redirect(w, r, ah.oauth2Config.AuthCodeURL(state, ah.authCodeOptions...), http.StatusFound)
}

func (ah *AuthHandler) AuthMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		accessToken := ah.SessionManager.GetString(r.Context(), "access_token")
		if accessToken == "" {
			ah.handleLogin(w, r)
			return
		}

		userInfo, err := ah.oidcProvider.UserInfo(ah.ctx, oauth2.StaticTokenSource(&oauth2.Token{AccessToken: accessToken}))
		if err != nil {
			ah.handleLogin(w, r)
			return
		}
		var userClaims services.User
		userInfo.Claims(&userClaims)
		w.Header().Set("X-User-Name", userClaims.Name)
		w.Header().Set("X-User-Email", userClaims.Email)

		next.ServeHTTP(w, r)
	})
}
zitadel 2024-09-10 19:46:16 +02:00			`package handlers`

			`import (`
			`"context"`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`"crypto/rand"`
			`"crypto/sha256"`
			`"encoding/base64"`
			`"io"`
zitadel 2024-09-10 19:46:16 +02:00			`"log/slog"`
			`"net/http"`
			`"os"`
			`"time"`

Add auth 2024-09-16 11:45:24 +02:00			`"github.com/alexedwards/scs/v2"`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`"github.com/coreos/go-oidc/v3/oidc"`
Add auth 2024-09-16 11:45:24 +02:00			`"github.com/thanhpk/randstr"`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`"golang.org/x/oauth2"`
zitadel 2024-09-10 19:46:16 +02:00
			`"gitlab.unjx.de/flohoss/godash/internal/env"`
Add auth 2024-09-16 11:45:24 +02:00			`"gitlab.unjx.de/flohoss/godash/services"`
zitadel 2024-09-10 19:46:16 +02:00			`)`

Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`func setCallbackCookie(w http.ResponseWriter, r *http.Request, name, value string) {`
			`c := &http.Cookie{`
			`Name: name,`
			`Value: value,`
			`MaxAge: int(time.Hour.Seconds()),`
			`Secure: r.TLS != nil,`
			`HttpOnly: true,`
zitadel 2024-09-10 19:46:16 +02:00			`}`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`http.SetCookie(w, c)`
			`}`

			`func generateCodeVerifier() (string, error) {`
			`verifierLength := 64`
			`verifier := make([]byte, verifierLength)`
zitadel 2024-09-10 19:46:16 +02:00
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`_, err := rand.Read(verifier)`
			`if err != nil {`
			`return "", err`
			`}`
			`return base64.RawURLEncoding.EncodeToString(verifier), nil`
			`}`

			`func generateCodeChallenge(verifier string) string {`
			`hash := sha256.New()`
			`_, _ = io.WriteString(hash, verifier)`
			`sha := hash.Sum(nil)`
			`return base64.RawURLEncoding.EncodeToString(sha)`
			`}`

			`func NewAuthHandler(env env.Config) AuthHandler {`
zitadel 2024-09-10 19:46:16 +02:00			`ctx := context.Background()`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00
			`oidcProvider, err := oidc.NewProvider(ctx, env.OIDCIssuer)`
zitadel 2024-09-10 19:46:16 +02:00			`if err != nil {`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`slog.Error("Failed to get oidc provider", "err", err.Error())`
zitadel 2024-09-10 19:46:16 +02:00			`os.Exit(1)`
			`}`

Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`oauth2Config := &oauth2.Config{`
			`ClientID: env.OIDCClientID,`
			`ClientSecret: env.OIDCClientSecret,`
			`Endpoint: oidcProvider.Endpoint(),`
			`RedirectURL: env.OIDCRedirectURI,`
			`Scopes: env.OIDCScopes,`
zitadel 2024-09-10 19:46:16 +02:00			`}`

Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`codeVerifier, err := generateCodeVerifier()`
			`if err != nil {`
			`slog.Error("Error generating code verifier", "err", err.Error())`
			`os.Exit(1)`
			`}`
			`codeChallenge := generateCodeChallenge(codeVerifier)`
			`authCodeOptions := []oauth2.AuthCodeOption{`
Add auth 2024-09-16 11:45:24 +02:00			`oauth2.SetAuthURLParam("redirect_uri", env.OIDCRedirectURI),`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`oauth2.SetAuthURLParam("code_challenge", codeChallenge),`
			`oauth2.SetAuthURLParam("code_challenge_method", "S256"),`
Add auth 2024-09-16 11:45:24 +02:00			`oauth2.SetAuthURLParam("code_verifier", codeVerifier),`
zitadel 2024-09-10 19:46:16 +02:00			`}`

Add auth 2024-09-16 11:45:24 +02:00			`sessionManager := scs.New()`
			`sessionManager.Lifetime = 24 * time.Hour`

zitadel 2024-09-10 19:46:16 +02:00			`return &AuthHandler{`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`ctx: ctx,`
			`oidcProvider: oidcProvider,`
			`oauth2Config: oauth2Config,`
			`authCodeOptions: authCodeOptions,`
Add auth 2024-09-16 11:45:24 +02:00			`SessionManager: sessionManager,`
zitadel 2024-09-10 19:46:16 +02:00			`}`
			`}`

			`type AuthHandler struct {`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`ctx context.Context`
			`oidcProvider *oidc.Provider`
			`oauth2Config *oauth2.Config`
			`authCodeOptions []oauth2.AuthCodeOption`
Add auth 2024-09-16 11:45:24 +02:00			`SessionManager *scs.SessionManager`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`}`

			`func (ah AuthHandler) handleCallback(w http.ResponseWriter, r http.Request) {`
			`state, err := r.Cookie("state")`
			`if err != nil {`
			`http.Error(w, "state not found", http.StatusBadRequest)`
			`return`
			`}`
			`if r.URL.Query().Get("state") != state.Value {`
			`http.Error(w, "state did not match", http.StatusBadRequest)`
			`return`
			`}`

Add auth 2024-09-16 11:45:24 +02:00			`oauth2Token, err := ah.oauth2Config.Exchange(ah.ctx, r.URL.Query().Get("code"), ah.authCodeOptions...)`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`if err != nil {`
			`http.Error(w, "failed to exchange token: "+err.Error(), http.StatusInternalServerError)`
			`return`
			`}`

Add auth 2024-09-16 11:45:24 +02:00			`ah.SessionManager.Put(r.Context(), "access_token", oauth2Token.AccessToken)`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00
Add auth 2024-09-16 11:45:24 +02:00			`http.Redirect(w, r, "/", http.StatusFound)`
			`}`

			`func (ah AuthHandler) handleLogout(w http.ResponseWriter, r http.Request) {`
			`ah.SessionManager.Clear(r.Context())`
			`http.Redirect(w, r, "/", http.StatusFound)`
			`}`

			`func (ah AuthHandler) handleLogin(w http.ResponseWriter, r http.Request) {`
			`state := randstr.String(16)`
			`setCallbackCookie(w, r, "state", state)`
			`http.Redirect(w, r, ah.oauth2Config.AuthCodeURL(state, ah.authCodeOptions...), http.StatusFound)`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`}`

			`func (ah *AuthHandler) AuthMiddleware(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Add auth 2024-09-16 11:45:24 +02:00			`accessToken := ah.SessionManager.GetString(r.Context(), "access_token")`
			`if accessToken == "" {`
			`ah.handleLogin(w, r)`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`return`
			`}`

Add auth 2024-09-16 11:45:24 +02:00			`userInfo, err := ah.oidcProvider.UserInfo(ah.ctx, oauth2.StaticTokenSource(&oauth2.Token{AccessToken: accessToken}))`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`if err != nil {`
Add auth 2024-09-16 11:45:24 +02:00			`ah.handleLogin(w, r)`
Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`return`
			`}`
Add auth 2024-09-16 11:45:24 +02:00			`var userClaims services.User`
			`userInfo.Claims(&userClaims)`
			`w.Header().Set("X-User-Name", userClaims.Name)`
			`w.Header().Set("X-User-Email", userClaims.Email)`

Remove zitadel for oauth2 package 2024-09-16 06:55:39 +02:00			`next.ServeHTTP(w, r)`
			`})`
zitadel 2024-09-10 19:46:16 +02:00			`}`