commit 0a3a0143a19843a90776adf74b7aff0e519b6b81 · hailey.at/atproto-oauth-golang

+42 -33

cmd/client_test/handle_auth.go

···

       4
       4
        
       	"encoding/json"

     

       5
       5
        
       	"fmt"

     

       6
       6
        
       	"net/url"

     

       7
       7
       +
       	"strings"

     

       7
       8
        
       	"time"

     

       8
       9
        
       

     

       9
       10
        
       	"github.com/bluesky-social/indigo/atproto/syntax"

     
···

       15
       16
        
       )

     

       16
       17
        
       

     

       17
       18
        
       func (s *TestServer) handleLoginSubmit(e echo.Context) error {

     

       18
       18
       -
       	handle := e.FormValue("handle")

     

       19
       19
       -
       	if handle == "" {

     

       20
       20
       -
       		return e.Redirect(302, "/login?e=handle-empty")

     

       19
       19
       +
       	authInput := e.FormValue("auth-input")

     

       20
       20
       +
       	if authInput == "" {

     

       21
       21
       +
       		return e.Redirect(302, "/login?e=auth-input-empty")

     

       21
       22
        
       	}

     

       22
       23
        
       

     

       23
       23
       -
       	_, herr := syntax.ParseHandle(handle)

     

       24
       24
       -
       	_, derr := syntax.ParseDID(handle)

     

       24
       24
       +
       	var service string

     

       25
       25
       +
       	var did string

     

       25
       26
        
       

     

       26
       26
       -
       	if herr != nil && derr != nil {

     

       27
       27
       -
       		return e.Redirect(302, "/login?e=handle-invalid")

     

       28
       28
       -
       	}

     

       27
       27
       +
       	if strings.HasPrefix("https://", authInput) {

     

       28
       28
       +
       		u, err := url.Parse(authInput)

     

       29
       29
       +
       		if err == nil {

     

       30
       30
       +
       			u.Path = ""

     

       31
       31
       +
       			u.RawQuery = ""

     

       32
       32
       +
       			u.User = nil

     

       33
       33
       +
       			service = u.String()

     

       34
       34
       +
       		}

     

       35
       35
       +
       	} else {

     

       36
       36
       +
       		_, herr := syntax.ParseHandle(authInput)

     

       37
       37
       +
       		_, derr := syntax.ParseDID(authInput)

     

       29
       38
        
       

     

       30
       30
       -
       	var did string

     

       39
       39
       +
       		if herr != nil && derr != nil {

     

       40
       40
       +
       			return e.Redirect(302, "/login?e=handle-invalid")

     

       41
       41
       +
       		}

     

       42
       42
       +
       

     

       43
       43
       +
       		if derr == nil {

     

       44
       44
       +
       			did = authInput

     

       45
       45
       +
       		} else {

     

       46
       46
       +
       			maybeDid, err := resolveHandle(e.Request().Context(), authInput)

     

       47
       47
       +
       			if err != nil {

     

       48
       48
       +
       				return err

     

       49
       49
       +
       			}

     

       50
       50
       +
       

     

       51
       51
       +
       			did = maybeDid

     

       52
       52
       +
       		}

     

       31
       53
        
       

     

       32
       32
       -
       	if derr == nil {

     

       33
       33
       -
       		did = handle

     

       34
       34
       -
       	} else {

     

       35
       35
       -
       		maybeDid, err := resolveHandle(e.Request().Context(), handle)

     

       54
       54
       +
       		maybeService, err := resolveService(ctx, did)

     

       36
       55
        
       		if err != nil {

     

       37
       56
        
       			return err

     

       38
       57
        
       		}

     

       39
       58
        
       

     

       40
       40
       -
       		did = maybeDid

     

       41
       41
       -
       	}

     

       42
       42
       -
       

     

       43
       43
       -
       	service, err := resolveService(ctx, did)

     

       44
       44
       -
       	if err != nil {

     

       45
       45
       -
       		return err

     

       59
       59
       +
       		service = maybeService

     

       46
       60
        
       	}

     

       47
       61
        
       

     

       48
       62
        
       	authserver, err := s.oauthClient.ResolvePDSAuthServer(ctx, service)

     
···

       129
       143
        
       	}

     

       130
       144
        
       

     

       131
       145
        
       	sessState := sess.Values["oauth_state"]

     

       132
       132
       -
       	sessDid := sess.Values["oauth_did"]

     

       133
       146
        
       

     

       134
       134
       -
       	if resState == "" || resIss == "" || resCode == "" || sessState == "" || sessDid == "" {

     

       147
       147
       +
       	if resState == "" || resIss == "" || resCode == "" {

     

       135
       148
        
       		return fmt.Errorf("request missing needed parameters")

     

       136
       149
        
       	}

     

       137
       150
        
       

     
···

       140
       153
        
       	}

     

       141
       154
        
       

     

       142
       155
        
       	var oauthRequest OauthRequest

     

       143
       143
       -
       	if err := s.db.Raw("SELECT * FROM oauth_requests WHERE state = ? AND did = ?", sessState, sessDid).Scan(&oauthRequest).Error; err != nil {

     

       156
       156
       +
       	if err := s.db.Raw("SELECT * FROM oauth_requests WHERE state = ?", sessState).Scan(&oauthRequest).Error; err != nil {

     

       144
       157
        
       		return err

     

       145
       158
        
       	}

     

       146
       159
        
       

     

       147
       147
       -
       	if err := s.db.Exec("DELETE FROM oauth_requests WHERE state = ? AND did = ?", sessState, sessDid).Error; err != nil {

     

       160
       160
       +
       	if err := s.db.Exec("DELETE FROM oauth_requests WHERE state = ?", sessState).Error; err != nil {

     

       148
       161
        
       		return err

     

       149
       162
        
       	}

     

       150
       163
        
       

     
···

       157
       170
        
       		return err

     

       158
       171
        
       	}

     

       159
       172
        
       

     

       160
       160
       -
       	initialTokenResp, err := s.oauthClient.InitialTokenRequest(

     

       161
       161
       -
       		e.Request().Context(),

     

       162
       162
       -
       		resCode,

     

       163
       163
       -
       		resIss,

     

       164
       164
       -
       		oauthRequest.PkceVerifier,

     

       165
       165
       -
       		oauthRequest.DpopAuthserverNonce,

     

       166
       166
       -
       		jwk,

     

       167
       167
       -
       	)

     

       173
       173
       +
       	initialTokenResp, err := s.oauthClient.InitialTokenRequest(e.Request().Context(), resCode, resIss, oauthRequest.PkceVerifier, oauthRequest.DpopAuthserverNonce, jwk)

     

       168
       174
        
       	if err != nil {

     

       169
       175
        
       		return err

     

       170
       176
        
       	}

     

       171
       171
       -
       

     

       172
       172
       -
       	// TODO: resolve if needed

     

       173
       177
        
       

     

       174
       178
        
       	if initialTokenResp.Scope != scope {

     

       175
       179
        
       		return fmt.Errorf("did not receive correct scopes from token request")

     

       180
       180
       +
       	}

     

       181
       181
       +
       

     

       182
       182
       +
       	// if we didn't start with a did, we can get it from the response

     

       183
       183
       +
       	if oauthRequest.Did == "" {

     

       184
       184
       +
       		oauthRequest.Did = initialTokenResp.Sub

     

       176
       185
        
       	}

     

       177
       186
        
       

     

       178
       187
        
       	oauthSession := &OauthSession{

+5 -1

cmd/client_test/html/login.html

···

       1
       1
        
       <!doctype html>

     

       2
       2
        
       <html>

     

       3
       3
        
         <form action="/login" method="post">

     

       4
       4
       -
           <input name="handle" id="handle" placeholder="Enter your handle" />

     

       4
       4
       +
           <input

     

       5
       5
       +
             name="auth-input"

     

       6
       6
       +
             id="auth-input"

     

       7
       7
       +
             placeholder="Enter your handle, did, or pds url"

     

       8
       8
       +
           />

     

       5
       9
        
           <button type="submit" value="Submit">Submit</button>

     

       6
       10
        
         </form>

     

       7
       11
        
       </html>

+2 -2

cmd/client_test/user.go

···

       52
       52
        
       		return nil, false, err

     

       53
       53
        
       	}

     

       54
       54
        
       

     

       55
       55
       -
       	did, ok := sess.Values["did"]

     

       55
       55
       +
       	did, ok := sess.Values["did"].(string)

     

       56
       56
        
       	if !ok {

     

       57
       57
        
       		return nil, false, nil

     

       58
       58
        
       	}

     

       59
       59
        
       

     

       60
       60
       -
       	oauthSession, err := s.getOauthSession(e.Request().Context(), did.(string))

     

       60
       60
       +
       	oauthSession, err := s.getOauthSession(e.Request().Context(), did)

     

       61
       61
        
       

     

       62
       62
        
       	privateJwk, err := oauth.ParseKeyFromBytes([]byte(oauthSession.DpopPrivateJwk))

     

       63
       63
        
       	if err != nil {

+19

generic.go

···

       4
       4
        
       	"crypto/ecdsa"

     

       5
       5
        
       	"crypto/elliptic"

     

       6
       6
        
       	"crypto/rand"

     

       7
       7
       +
       	"crypto/sha256"

     

       8
       8
       +
       	"encoding/base64"

     

       9
       9
       +
       	"encoding/hex"

     

       7
       10
        
       	"fmt"

     

       8
       11
        
       	"net/url"

     

       9
       12
        
       	"time"

     
···

       92
       95
        
       func ParseKeyFromBytes(b []byte) (jwk.Key, error) {

     

       93
       96
        
       	return jwk.ParseKey(b)

     

       94
       97
        
       }

     

       98
       98
       +
       

     

       99
       99
       +
       func generateToken(len int) (string, error) {

     

       100
       100
       +
       	b := make([]byte, len)

     

       101
       101
       +
       	if _, err := rand.Read(b); err != nil {

     

       102
       102
       +
       		return "", err

     

       103
       103
       +
       	}

     

       104
       104
       +
       

     

       105
       105
       +
       	return hex.EncodeToString(b), nil

     

       106
       106
       +
       }

     

       107
       107
       +
       

     

       108
       108
       +
       func generateCodeChallenge(pkceVerifier string) string {

     

       109
       109
       +
       	h := sha256.New()

     

       110
       110
       +
       	h.Write([]byte(pkceVerifier))

     

       111
       111
       +
       	hash := h.Sum(nil)

     

       112
       112
       +
       	return base64.RawURLEncoding.EncodeToString(hash)

     

       113
       113
       +
       }

+67 -74

oauth.go

···

       3
       3
        
       import (

     

       4
       4
        
       	"context"

     

       5
       5
        
       	"crypto/ecdsa"

     

       6
       6
       -
       	"crypto/rand"

     

       7
       7
       -
       	"crypto/sha256"

     

       8
       8
       -
       	"encoding/base64"

     

       9
       9
       -
       	"encoding/hex"

     

       10
       6
        
       	"encoding/json"

     

       11
       7
        
       	"fmt"

     

       12
       8
        
       	"io"

     
···

       29
       25
        
       }

     

       30
       26
        
       

     

       31
       27
        
       type ClientArgs struct {

     

       32
       32
       -
       	H           *http.Client

     

       28
       28
       +
       	Http        *http.Client

     

       33
       29
        
       	ClientJwk   jwk.Key

     

       34
       30
        
       	ClientId    string

     

       35
       31
        
       	RedirectUri string

     
···

       44
       40
        
       		return nil, fmt.Errorf("no redirect uri provided")

     

       45
       41
        
       	}

     

       46
       42
        
       

     

       47
       47
       -
       	if args.H == nil {

     

       48
       48
       -
       		args.H = &http.Client{

     

       43
       43
       +
       	if args.Http == nil {

     

       44
       44
       +
       		args.Http = &http.Client{

     

       49
       45
        
       			Timeout: 5 * time.Second,

     

       50
       46
        
       		}

     

       51
       47
        
       	}

     
···

       58
       54
        
       	kid := args.ClientJwk.KeyID()

     

       59
       55
        
       

     

       60
       56
        
       	return &Client{

     

       61
       61
       -
       		h:                args.H,

     

       57
       57
       +
       		h:                args.Http,

     

       62
       58
        
       		clientKid:        kid,

     

       63
       59
        
       		clientPrivateKey: clientPkey,

     

       64
       60
        
       		clientId:         args.ClientId,

     
···

       122
       118
        
       

     

       123
       119
        
       	resp, err := c.h.Do(req)

     

       124
       120
        
       	if err != nil {

     

       125
       125
       -
       		return nil, fmt.Errorf("error getting response for auth metadata: %w", err)

     

       121
       121
       +
       		return nil, fmt.Errorf("error getting response for authserver metadata: %w", err)

     

       126
       122
        
       	}

     

       127
       123
        
       	defer resp.Body.Close()

     

       128
       124
        
       

     

       129
       125
        
       	if resp.StatusCode != http.StatusOK {

     

       130
       126
        
       		io.Copy(io.Discard, resp.Body)

     

       131
       131
       -
       		return nil, fmt.Errorf(

     

       132
       132
       -
       			"received non-200 response from pds. status code was %d",

     

       133
       133
       -
       			resp.StatusCode,

     

       134
       134
       -
       		)

     

       127
       127
       +
       		return nil, fmt.Errorf("received non-200 response from pds. status code was %d", resp.StatusCode)

     

       135
       128
        
       	}

     

       136
       129
        
       

     

       137
       130
        
       	b, err := io.ReadAll(resp.Body)

     

       138
       131
        
       	if err != nil {

     

       139
       139
       -
       		return nil, fmt.Errorf("could not read body for metadata response: %w", err)

     

       132
       132
       +
       		return nil, fmt.Errorf("could not read body for authserver metadata response: %w", err)

     

       140
       133
        
       	}

     

       141
       134
        
       

     

       142
       135
        
       	var metadata OauthAuthorizationMetadata

     

       143
       136
        
       	if err := metadata.UnmarshalJSON(b); err != nil {

     

       144
       144
       -
       		return nil, fmt.Errorf("could not unmarshal metadata: %w", err)

     

       137
       137
       +
       		return nil, fmt.Errorf("could not unmarshal authserver metadata: %w", err)

     

       145
       138
        
       	}

     

       146
       139
        
       

     

       147
       140
        
       	if err := metadata.Validate(u); err != nil {

     

       148
       148
       -
       		return nil, fmt.Errorf("could not validate metadata: %w", err)

     

       141
       141
       +
       		return nil, fmt.Errorf("could not validate authserver metadata: %w", err)

     

       149
       142
        
       	}

     

       150
       143
        
       

     

       151
       144
        
       	return &metadata, nil

     
···

       338
       331
        
       	dpopAuthserverNonce string,

     

       339
       332
        
       	dpopPrivateJwk jwk.Key,

     

       340
       333
        
       ) (*TokenResponse, error) {

     

       341
       341
       -
       	authserverMeta, err := c.FetchAuthServerMetadata(ctx, authserverIss)

     

       342
       342
       -
       	if err != nil {

     

       343
       343
       -
       		return nil, err

     

       344
       344
       -
       	}

     

       334
       334
       +
       	// we might need to re-run to update dpop nonce

     

       335
       335
       +
       	for range 2 {

     

       336
       336
       +
       		authserverMeta, err := c.FetchAuthServerMetadata(ctx, authserverIss)

     

       337
       337
       +
       		if err != nil {

     

       338
       338
       +
       			return nil, err

     

       339
       339
       +
       		}

     

       340
       340
       +
       

     

       341
       341
       +
       		clientAssertion, err := c.ClientAssertionJwt(authserverIss)

     

       342
       342
       +
       		if err != nil {

     

       343
       343
       +
       			return nil, err

     

       344
       344
       +
       		}

     

       345
       345
        
       

     

       346
       346
       -
       	clientAssertion, err := c.ClientAssertionJwt(authserverIss)

     

       347
       347
       -
       	if err != nil {

     

       348
       348
       -
       		return nil, err

     

       349
       349
       -
       	}

     

       346
       346
       +
       		params := url.Values{

     

       347
       347
       +
       			"client_id":             {c.clientId},

     

       348
       348
       +
       			"redirect_uri":          {c.redirectUri},

     

       349
       349
       +
       			"grant_type":            {"authorization_code"},

     

       350
       350
       +
       			"code":                  {code},

     

       351
       351
       +
       			"code_verifier":         {pkceVerifier},

     

       352
       352
       +
       			"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},

     

       353
       353
       +
       			"client_assertion":      {clientAssertion},

     

       354
       354
       +
       		}

     

       355
       355
       +
       

     

       356
       356
       +
       		dpopProof, err := c.AuthServerDpopJwt("POST", authserverMeta.TokenEndpoint, dpopAuthserverNonce, dpopPrivateJwk)

     

       357
       357
       +
       		if err != nil {

     

       358
       358
       +
       			return nil, err

     

       359
       359
       +
       		}

     

       360
       360
       +
       

     

       361
       361
       +
       		req, err := http.NewRequestWithContext(ctx, "POST", authserverMeta.TokenEndpoint, strings.NewReader(params.Encode()))

     

       362
       362
       +
       		if err != nil {

     

       363
       363
       +
       			return nil, err

     

       364
       364
       +
       		}

     

       365
       365
       +
       

     

       366
       366
       +
       		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

     

       367
       367
       +
       		req.Header.Set("DPoP", dpopProof)

     

       368
       368
       +
       

     

       369
       369
       +
       		resp, err := c.h.Do(req)

     

       370
       370
       +
       		if err != nil {

     

       371
       371
       +
       			return nil, err

     

       372
       372
       +
       		}

     

       373
       373
       +
       		defer resp.Body.Close()

     

       350
       374
        
       

     

       351
       351
       -
       	params := url.Values{

     

       352
       352
       -
       		"client_id":             {c.clientId},

     

       353
       353
       -
       		"redirect_uri":          {c.redirectUri},

     

       354
       354
       -
       		"grant_type":            {"authorization_code"},

     

       355
       355
       -
       		"code":                  {code},

     

       356
       356
       -
       		"code_verifier":         {pkceVerifier},

     

       357
       357
       -
       		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},

     

       358
       358
       -
       		"client_assertion":      {clientAssertion},

     

       359
       359
       -
       	}

     

       375
       375
       +
       		if resp.StatusCode != 200 && resp.StatusCode != 201 {

     

       376
       376
       +
       			var respMap map[string]string

     

       377
       377
       +
       			if err := json.NewDecoder(resp.Body).Decode(&respMap); err != nil {

     

       378
       378
       +
       				return nil, err

     

       379
       379
       +
       			}

     

       360
       380
        
       

     

       361
       361
       -
       	dpopProof, err := c.AuthServerDpopJwt("POST", authserverMeta.TokenEndpoint, dpopAuthserverNonce, dpopPrivateJwk)

     

       362
       362
       -
       	if err != nil {

     

       363
       363
       -
       		return nil, err

     

       364
       364
       -
       	}

     

       381
       381
       +
       			if resp.StatusCode == 400 && respMap["error"] == "use_dpop_nonce" {

     

       382
       382
       +
       				dpopAuthserverNonce = resp.Header.Get("DPoP-Nonce")

     

       383
       383
       +
       				continue

     

       384
       384
       +
       			}

     

       365
       385
        
       

     

       366
       366
       -
       	req, err := http.NewRequestWithContext(ctx, "POST", authserverMeta.TokenEndpoint, strings.NewReader(params.Encode()))

     

       367
       367
       -
       	if err != nil {

     

       368
       368
       -
       		return nil, err

     

       369
       369
       -
       	}

     

       386
       386
       +
       			return nil, fmt.Errorf("token refresh error: %s", respMap["error"])

     

       387
       387
       +
       		}

     

       370
       388
        
       

     

       371
       371
       -
       	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

     

       372
       372
       -
       	req.Header.Set("DPoP", dpopProof)

     

       389
       389
       +
       		var tokenResponse TokenResponse

     

       390
       390
       +
       		if err := json.NewDecoder(resp.Body).Decode(&tokenResponse); err != nil {

     

       391
       391
       +
       			return nil, err

     

       392
       392
       +
       		}

     

       373
       393
        
       

     

       374
       374
       -
       	resp, err := c.h.Do(req)

     

       375
       375
       -
       	if err != nil {

     

       376
       376
       -
       		return nil, err

     

       377
       377
       -
       	}

     

       378
       378
       -
       	defer resp.Body.Close()

     

       394
       394
       +
       		// set nonce so the updates are reflected in the response

     

       395
       395
       +
       		tokenResponse.DpopAuthserverNonce = dpopAuthserverNonce

     

       379
       396
        
       

     

       380
       380
       -
       	var tokenResponse TokenResponse

     

       381
       381
       -
       	if err := json.NewDecoder(resp.Body).Decode(&tokenResponse); err != nil {

     

       382
       382
       -
       		return nil, err

     

       397
       397
       +
       		return &tokenResponse, nil

     

       383
       398
        
       	}

     

       384
       399
        
       

     

       385
       385
       -
       	tokenResponse.DpopAuthserverNonce = dpopAuthserverNonce

     

       386
       386
       -
       

     

       387
       387
       -
       	return &tokenResponse, nil

     

       400
       400
       +
       	return nil, nil

     

       388
       401
        
       }

     

       389
       402
        
       

     

       390
       403
        
       func (c *Client) RefreshTokenRequest(

     
···

       460
       473
        
       

     

       461
       474
        
       	return nil, nil

     

       462
       475
        
       }

     

       463
       463
       -
       

     

       464
       464
       -
       func generateToken(len int) (string, error) {

     

       465
       465
       -
       	b := make([]byte, len)

     

       466
       466
       -
       	if _, err := rand.Read(b); err != nil {

     

       467
       467
       -
       		return "", err

     

       468
       468
       -
       	}

     

       469
       469
       -
       

     

       470
       470
       -
       	return hex.EncodeToString(b), nil

     

       471
       471
       -
       }

     

       472
       472
       -
       

     

       473
       473
       -
       func generateCodeChallenge(pkceVerifier string) string {

     

       474
       474
       -
       	h := sha256.New()

     

       475
       475
       -
       	h.Write([]byte(pkceVerifier))

     

       476
       476
       -
       	hash := h.Sum(nil)

     

       477
       477
       -
       	return base64.RawURLEncoding.EncodeToString(hash)

     

       478
       478
       -
       }

     

       479
       479
       -
       

     

       480
       480
       -
       func parsePrivateJwkFromString(str string) (jwk.Key, error) {

     

       481
       481
       -
       	return jwk.ParseKey([]byte(str))

     

       482
       482
       -
       }

-1

oauth_test.go

···

       42
       42
        
       	}

     

       43
       43
        
       

     

       44
       44
        
       	// make sure the server is running

     

       45
       45
       -
       

     

       46
       45
        
       	req, err := http.NewRequest("GET", serverMetadataUrl, nil)

     

       47
       46
        
       	if err != nil {

     

       48
       47
        
       		panic(err)