feat: verify api service in code generation

internal/oauth/client.go

@@ -0,0 +1,56 @@
+package oauth
+
+import (
+	"fmt"
+	"net/http"
+	"slices"
+	"strings"
+)
+
+type VerifyOAuthClientParams struct {
+	ClientID    string `json:"client_id"`
+	RedirectURI string `json:"redirect_uri"`
+	State       string `json:"state"`
+}
+
+func (h *OAuthHandler) verifyOAuthClient(w http.ResponseWriter, r *http.Request, params *VerifyOAuthClientParams) (string, error) {
+	client, err := h.repo.GetApiServiceCID(r.Context(), params.ClientID)
+	if err != nil {
+		uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", params.RedirectURI)
+		if params.State != "" {
+			uri += "&state=" + params.State
+		}
+		return uri, fmt.Errorf("target oauth service with client id '%s' is not registered", params.ClientID)
+	}
+
+	if !client.IsActive {
+		uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", params.RedirectURI)
+		if params.State != "" {
+			uri += "&state=" + params.State
+		}
+		return uri, fmt.Errorf("target oauth service with client id '%s' is not available", client.ClientID)
+	}
+
+	scopes := strings.SplitSeq(strings.TrimSpace(r.URL.Query().Get("scope")), " ")
+
+	for scope := range scopes {
+		if !slices.Contains(client.Scopes, scope) {
+			uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", params.RedirectURI, strings.ReplaceAll(scope, " ", "+"))
+			if params.State != "" {
+				uri += "&state=" + params.State
+			}
+			return uri, fmt.Errorf("unallowed scope '%s' requested", scope)
+		}
+	}
+
+	if !slices.Contains(client.RedirectUris, params.RedirectURI) {
+		uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", params.RedirectURI)
+		if params.State != "" {
+			uri += "&state=" + params.State
+		}
+		http.Redirect(w, r, uri, http.StatusFound)
+		return uri, fmt.Errorf("redirect uri '%s' is unallowed", params.RedirectURI)
+	}
+
+	return "", nil
+}