feat: split oauth endpoints into files

2025-06-02 12:31:01 +02:00
parent 5d9e5d27bf
commit 1ef261660f
5 changed files with 249 additions and 236 deletions
--- a/internal/oauth/token.go
+++ b/internal/oauth/token.go
@ -0,0 +1,129 @@
+package oauth
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"strings"
+	"time"
+
+	"gitea.local/admin/hspguard/internal/types"
+	"gitea.local/admin/hspguard/internal/util"
+	"gitea.local/admin/hspguard/internal/web"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+)
+
+func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
+	log.Println("[OAUTH] New request to token endpoint")
+
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" || !strings.HasPrefix(authHeader, "Basic ") {
+		w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	// Decode credentials
+	payload, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(authHeader, "Basic "))
+	if err != nil {
+		http.Error(w, "Invalid auth encoding", http.StatusBadRequest)
+		return
+	}
+
+	var clientId string
+	var clientSecret string
+
+	parts := strings.SplitN(string(payload), ":", 2)
+	if len(parts) != 2 {
+		http.Error(w, "Unauthorized", http.StatusForbidden)
+		return
+	}
+
+	clientId = parts[0]
+	clientSecret = parts[1]
+
+	log.Printf("Some client is trying to exchange code with id: %s and secret: %s\n", clientId, clientSecret)
+
+	// Parse the form data
+	err = r.ParseForm()
+	if err != nil {
+		http.Error(w, "Failed to parse form", http.StatusBadRequest)
+		return
+	}
+
+	grantType := r.FormValue("grant_type")
+	redirectUri := r.FormValue("redirect_uri")
+
+	log.Printf("Redirect URI is %s\n", redirectUri)
+
+	switch grantType {
+	case "authorization_code":
+		code := r.FormValue("code")
+
+		fmt.Printf("Code received: %s\n", code)
+
+		// TODO: Verify code from another db table
+		nonce := strings.Split(code, ",")[1]
+
+		userId := strings.Split(code, ",")[0]
+
+		user, err := h.repo.FindUserId(r.Context(), uuid.MustParse(userId))
+		if err != nil {
+			web.Error(w, "requested user not found", http.StatusNotFound)
+			return
+		}
+
+		claims := types.ApiClaims{
+			Email: user.Email,
+			// TODO:
+			EmailVerified: true,
+			Name:          user.FullName,
+			Picture:       user.ProfilePicture.String,
+			Nonce:         nonce,
+			Roles:         []string{"user", "admin"},
+			RegisteredClaims: jwt.RegisteredClaims{
+				Issuer: h.cfg.Jwt.Issuer,
+				// TODO: use dedicated API id that is in local DB and bind to user there
+				Subject:   user.ID.String(),
+				Audience:  jwt.ClaimStrings{clientId},
+				IssuedAt:  jwt.NewNumericDate(time.Now()),
+				ExpiresAt: jwt.NewNumericDate(time.Now().Add(15 * time.Minute)),
+			},
+		}
+
+		idToken, err := util.SignJwtToken(claims, h.cfg.Jwt.PrivateKey)
+		if err != nil {
+			web.Error(w, "failed to sign id token", http.StatusInternalServerError)
+			return
+		}
+
+		type Response struct {
+			IdToken     string `json:"id_token"`
+			TokenType   string `json:"token_type"`
+			AccessToken string `json:"access_token"`
+			Email       string `json:"email"`
+			// TODO: add expires_in, refresh_token, scope (RFC 8693 $2)
+		}
+
+		response := Response{
+			IdToken:   idToken,
+			TokenType: "Bearer",
+			// FIXME:
+			AccessToken: idToken,
+			Email:       user.Email,
+		}
+
+		log.Printf("sending following response: %#v\n", response)
+
+		w.Header().Set("Content-Type", "application/json")
+		encoder := json.NewEncoder(w)
+		if err := encoder.Encode(response); err != nil {
+			web.Error(w, "failed to encode response", http.StatusInternalServerError)
+		}
+	default:
+		web.Error(w, "unsupported grant type", http.StatusBadRequest)
+	}
+}