commit a21cd50cd67b301980663d5b176a3ad704b8732b · hailey.at/atproto-oauth-golang

+21 -10

cmd/web_server_demo/handle_auth.go

···

       3
       3
        
       import (

     

       4
       4
        
       	"encoding/json"

     

       5
       5
        
       	"fmt"

     

       6
       6
       +
       	"log/slog"

     

       6
       7
        
       	"net/url"

     

       7
       8
        
       	"strings"

     

       8
       9
        
       	"time"

     
···

       100
       101
        
       		return err

     

       101
       102
        
       	}

     

       102
       103
        
       

     

       104
       104
       +
       	params := url.Values{

     

       105
       105
       +
       		"client_id":   {s.args.UrlRoot + serverMetadataPath},

     

       106
       106
       +
       		"request_uri": {parResp.RequestUri},

     

       107
       107
       +
       		"ext-one":     {"hello"},

     

       108
       108
       +
       		"ext-two":     {"world"},

     

       109
       109
       +
       	}

     

       110
       110
       +
       

     

       103
       111
        
       	u, _ := url.Parse(meta.AuthorizationEndpoint)

     

       104
       104
       -
       	u.RawQuery = fmt.Sprintf("client_id=%s&request_uri=%s", url.QueryEscape(s.args.UrlRoot+serverMetadataPath), parResp.RequestUri)

     

       112
       112
       +
       	u.RawQuery = params.Encode()

     

       105
       113
        
       

     

       106
       114
        
       	sess, err := session.Get("session", e)

     

       107
       115
        
       	if err != nil {

     
···

       115
       123
        
       	}

     

       116
       124
        
       

     

       117
       125
        
       	// make sure the session is empty

     

       118
       118
       -
       	sess.Values = map[interface{}]interface{}{}

     

       126
       126
       +
       	sess.Values = map[any]any{}

     

       119
       127
        
       	sess.Values["oauth_state"] = parResp.State

     

       120
       128
        
       	sess.Values["oauth_did"] = did

     

       121
       129
        
       

     
···

       127
       135
        
       }

     

       128
       136
        
       

     

       129
       137
        
       func (s *TestServer) handleCallback(e echo.Context) error {

     

       130
       130
       -
       	resState := e.QueryParam("state")

     

       131
       131
       -
       	resIss := e.QueryParam("iss")

     

       132
       132
       -
       	resCode := e.QueryParam("code")

     

       138
       138
       +
       	params := e.QueryParams()

     

       139
       139
       +
       	state := params.Get("state")

     

       140
       140
       +
       	iss := params.Get("iss")

     

       141
       141
       +
       	code := params.Get("code")

     

       133
       142
        
       

     

       134
       143
        
       	sess, err := session.Get("session", e)

     

       135
       144
        
       	if err != nil {

     
···

       138
       147
        
       

     

       139
       148
        
       	sessState := sess.Values["oauth_state"]

     

       140
       149
        
       

     

       141
       141
       -
       	if resState == "" || resIss == "" || resCode == "" {

     

       150
       150
       +
       	if state == "" || iss == "" || code == "" {

     

       142
       151
        
       		return fmt.Errorf("request missing needed parameters")

     

       143
       152
        
       	}

     

       144
       153
        
       

     

       145
       145
       -
       	if resState != sessState {

     

       154
       154
       +
       	if state != sessState {

     

       146
       155
        
       		return fmt.Errorf("session state does not match response state")

     

       147
       156
        
       	}

     

       148
       157
        
       

     
···

       155
       164
        
       		return err

     

       156
       165
        
       	}

     

       157
       166
        
       

     

       158
       158
       -
       	if resIss != oauthRequest.AuthserverIss {

     

       167
       167
       +
       	if iss != oauthRequest.AuthserverIss {

     

       159
       168
        
       		return fmt.Errorf("incoming iss did not match authserver iss")

     

       160
       169
        
       	}

     

       161
       170
        
       

     
···

       164
       173
        
       		return err

     

       165
       174
        
       	}

     

       166
       175
        
       

     

       167
       167
       -
       	initialTokenResp, err := s.oauthClient.InitialTokenRequest(e.Request().Context(), resCode, resIss, oauthRequest.PkceVerifier, oauthRequest.DpopAuthserverNonce, jwk)

     

       176
       176
       +
       	initialTokenResp, err := s.oauthClient.InitialTokenRequest(e.Request().Context(), code, iss, oauthRequest.PkceVerifier, oauthRequest.DpopAuthserverNonce, jwk)

     

       168
       177
        
       	if err != nil {

     

       169
       178
        
       		return err

     

       170
       179
        
       	}

     
···

       203
       212
        
       	}

     

       204
       213
        
       

     

       205
       214
        
       	// make sure the session is empty

     

       206
       206
       -
       	sess.Values = map[interface{}]interface{}{}

     

       215
       215
       +
       	sess.Values = map[any]any{}

     

       207
       216
        
       	sess.Values["did"] = oauthRequest.Did

     

       208
       217
        
       

     

       209
       218
        
       	if err := sess.Save(e.Request(), e.Response()); err != nil {

     

       210
       219
        
       		return err

     

       211
       220
        
       	}

     

       221
       221
       +
       

     

       222
       222
       +
       	slog.Default().Info("handled callback", "params", params)

     

       212
       223
        
       

     

       213
       224
        
       	return e.Redirect(302, "/")

     

       214
       225
        
       }

+5 -5

oauth.go

···

       252
       252
        
       		"client_assertion":      {clientAssertion},

     

       253
       253
        
       	}

     

       254
       254
        
       

     

       255
       255
       +
       	if loginHint != "" {

     

       256
       256
       +
       		params.Set("login_hint", loginHint)

     

       257
       257
       +
       	}

     

       258
       258
       +
       

     

       255
       259
        
       	for _, e := range extras {

     

       256
       260
        
       		if !strings.HasPrefix(e.Name, "ext-") {

     

       257
       261
        
       			e.Name = "ext-" + e.Name

     

       258
       262
        
       		}

     

       259
       263
        
       		e.Value = url.QueryEscape(e.Value)

     

       260
       260
       -
       		params[e.Name] = []string{e.Value}

     

       261
       261
       -
       	}

     

       262
       262
       -
       

     

       263
       263
       -
       	if loginHint != "" {

     

       264
       264
       -
       		params.Set("login_hint", loginHint)

     

       264
       264
       +
       		params.Set(e.Name, e.Value)

     

       265
       265
        
       	}

     

       266
       266
        
       

     

       267
       267
        
       	_, err = helpers.IsUrlSafeAndParsed(parUrl)