hspguard/internal/oauth/client.go

package oauth

import (
	"context"
	"fmt"
	"slices"
	"strings"
)

type VerifyOAuthClientParams struct {
	ClientID    string    `json:"client_id"`
	RedirectURI *string   `json:"redirect_uri"`
	State       string    `json:"state"`
	Scopes      *[]string `json:"scopes"`
}

func (h *OAuthHandler) verifyOAuthClient(ctx context.Context, params *VerifyOAuthClientParams) (string, error) {
	client, err := h.repo.GetApiServiceCID(ctx, params.ClientID)
	if err != nil {
		uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", *params.RedirectURI)
		if params.State != "" {
			uri += "&state=" + params.State
		}
		return uri, fmt.Errorf("target oauth service with client id '%s' is not registered", params.ClientID)
	}

	if !client.IsActive {
		uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", *params.RedirectURI)
		if params.State != "" {
			uri += "&state=" + params.State
		}
		return uri, fmt.Errorf("target oauth service with client id '%s' is not available", client.ClientID)
	}

	if params.Scopes != nil {
		for _, scope := range *params.Scopes {
			if !slices.Contains(client.Scopes, scope) {
				uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", *params.RedirectURI, strings.ReplaceAll(scope, " ", "+"))
				if params.State != "" {
					uri += "&state=" + params.State
				}
				return uri, fmt.Errorf("unallowed scope '%s' requested", scope)
			}
		}
	}

	if params.RedirectURI != nil {
		if !slices.Contains(client.RedirectUris, *params.RedirectURI) {
			uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", *params.RedirectURI)
			if params.State != "" {
				uri += "&state=" + params.State
			}
			return uri, fmt.Errorf("redirect uri '%s' is unallowed", *params.RedirectURI)
		}
	}

	return "", nil
}