hailey.at / atproto-oauth-golang
this repo has no description
fork atom

Compare changes

Choose any two refs to compare.

options
unified split
Changed files
+105 -51
.gitignore
cmd
web_server_demo
handle_auth.go
handle_post.go
main.go
oauth.go
+1
.gitignore 
···

       
2

       
2

       
 

       
jwks.json


     

       
3

       
3

       
 

       
.env


     

       
4

       
4

       
 

       
oauth.db


     

       

       
5

       
+

       
oauth
+19 -10
cmd/web_server_demo/handle_auth.go 
···

       
3

       
3

       
 

       
import (


     

       
4

       
4

       
 

       
	"encoding/json"


     

       
5

       
5

       
 

       
	"fmt"


     

       

       
6

       
+

       
	"log/slog"


     

       
6

       
7

       
 

       
	"net/url"


     

       
7

       
8

       
 

       
	"strings"


     

       
8

       
9

       
 

       
	"time"


     
···

       
100

       
101

       
 

       
		return err


     

       
101

       
102

       
 

       
	}


     

       
102

       
103

       
 

       



     

       

       
104

       
+

       
	params := url.Values{


     

       

       
105

       
+

       
		"client_id":   {s.args.UrlRoot + serverMetadataPath},


     

       

       
106

       
+

       
		"request_uri": {parResp.RequestUri},


     

       

       
107

       
+

       
	}


     

       

       
108

       
+

       



     

       
103

       
109

       
 

       
	u, _ := url.Parse(meta.AuthorizationEndpoint)


     

       
104

       

       
-

       
	u.RawQuery = fmt.Sprintf("client_id=%s&request_uri=%s", url.QueryEscape(serverMetadataUrl), parResp.RequestUri)


     

       

       
110

       
+

       
	u.RawQuery = params.Encode()


     

       
105

       
111

       
 

       



     

       
106

       
112

       
 

       
	sess, err := session.Get("session", e)


     

       
107

       
113

       
 

       
	if err != nil {


     
···

       
115

       
121

       
 

       
	}


     

       
116

       
122

       
 

       



     

       
117

       
123

       
 

       
	// make sure the session is empty


     

       
118

       

       
-

       
	sess.Values = map[interface{}]interface{}{}


     

       

       
124

       
+

       
	sess.Values = map[any]any{}


     

       
119

       
125

       
 

       
	sess.Values["oauth_state"] = parResp.State


     

       
120

       
126

       
 

       
	sess.Values["oauth_did"] = did


     

       
121

       
127

       
 

       



     
···

       
127

       
133

       
 

       
}


     

       
128

       
134

       
 

       



     

       
129

       
135

       
 

       
func (s *TestServer) handleCallback(e echo.Context) error {


     

       
130

       

       
-

       
	resState := e.QueryParam("state")


     

       
131

       

       
-

       
	resIss := e.QueryParam("iss")


     

       
132

       

       
-

       
	resCode := e.QueryParam("code")


     

       

       
136

       
+

       
	params := e.QueryParams()


     

       

       
137

       
+

       
	state := params.Get("state")


     

       

       
138

       
+

       
	iss := params.Get("iss")


     

       

       
139

       
+

       
	code := params.Get("code")


     

       
133

       
140

       
 

       



     

       
134

       
141

       
 

       
	sess, err := session.Get("session", e)


     

       
135

       
142

       
 

       
	if err != nil {


     
···

       
138

       
145

       
 

       



     

       
139

       
146

       
 

       
	sessState := sess.Values["oauth_state"]


     

       
140

       
147

       
 

       



     

       
141

       

       
-

       
	if resState == "" || resIss == "" || resCode == "" {


     

       

       
148

       
+

       
	if state == "" || iss == "" || code == "" {


     

       
142

       
149

       
 

       
		return fmt.Errorf("request missing needed parameters")


     

       
143

       
150

       
 

       
	}


     

       
144

       
151

       
 

       



     

       
145

       

       
-

       
	if resState != sessState {


     

       

       
152

       
+

       
	if state != sessState {


     

       
146

       
153

       
 

       
		return fmt.Errorf("session state does not match response state")


     

       
147

       
154

       
 

       
	}


     

       
148

       
155

       
 

       



     
···

       
155

       
162

       
 

       
		return err


     

       
156

       
163

       
 

       
	}


     

       
157

       
164

       
 

       



     

       
158

       

       
-

       
	if resIss != oauthRequest.AuthserverIss {


     

       

       
165

       
+

       
	if iss != oauthRequest.AuthserverIss {


     

       
159

       
166

       
 

       
		return fmt.Errorf("incoming iss did not match authserver iss")


     

       
160

       
167

       
 

       
	}


     

       
161

       
168

       
 

       



     
···

       
164

       
171

       
 

       
		return err


     

       
165

       
172

       
 

       
	}


     

       
166

       
173

       
 

       



     

       
167

       

       
-

       
	initialTokenResp, err := s.oauthClient.InitialTokenRequest(e.Request().Context(), resCode, resIss, oauthRequest.PkceVerifier, oauthRequest.DpopAuthserverNonce, jwk)


     

       

       
174

       
+

       
	initialTokenResp, err := s.oauthClient.InitialTokenRequest(e.Request().Context(), code, iss, oauthRequest.PkceVerifier, oauthRequest.DpopAuthserverNonce, jwk)


     

       
168

       
175

       
 

       
	if err != nil {


     

       
169

       
176

       
 

       
		return err


     

       
170

       
177

       
 

       
	}


     
···

       
203

       
210

       
 

       
	}


     

       
204

       
211

       
 

       



     

       
205

       
212

       
 

       
	// make sure the session is empty


     

       
206

       

       
-

       
	sess.Values = map[interface{}]interface{}{}


     

       

       
213

       
+

       
	sess.Values = map[any]any{}


     

       
207

       
214

       
 

       
	sess.Values["did"] = oauthRequest.Did


     

       
208

       
215

       
 

       



     

       
209

       
216

       
 

       
	if err := sess.Save(e.Request(), e.Response()); err != nil {


     

       
210

       
217

       
 

       
		return err


     

       
211

       
218

       
 

       
	}


     

       

       
219

       
+

       



     

       

       
220

       
+

       
	slog.Default().Info("handled callback", "params", params)


     

       
212

       
221

       
 

       



     

       
213

       
222

       
 

       
	return e.Redirect(302, "/")


     

       
214

       
223

       
 

       
}
+1 -1
cmd/web_server_demo/handle_post.go 
···

       
35

       
35

       
 

       
		return err


     

       
36

       
36

       
 

       
	}


     

       
37

       
37

       
 

       



     

       
38

       

       
-

       
	return e.File(getFilePath("make-post.html"))


     

       

       
38

       
+

       
	return e.File(s.getFilePath("make-post.html"))


     

       
39

       
39

       
 

       
}
+70 -39
cmd/web_server_demo/main.go 
···

       
22

       
22

       
 

       
)


     

       
23

       
23

       
 

       



     

       
24

       
24

       
 

       
var (


     

       
25

       

       
-

       
	ctx               = context.Background()


     

       
26

       

       
-

       
	serverAddr        = os.Getenv("OAUTH_TEST_SERVER_ADDR")


     

       
27

       

       
-

       
	serverUrlRoot     = os.Getenv("OAUTH_TEST_SERVER_URL_ROOT")


     

       
28

       

       
-

       
	staticFilePath    = os.Getenv("OAUTH_TEST_SERVER_STATIC_PATH")


     

       
29

       

       
-

       
	sessionSecret     = os.Getenv("OAUTH_TEST_SESSION_SECRET")


     

       
30

       

       
-

       
	serverMetadataUrl = fmt.Sprintf("%s/oauth/client-metadata.json", serverUrlRoot)


     

       
31

       

       
-

       
	serverCallbackUrl = fmt.Sprintf("%s/callback", serverUrlRoot)


     

       
32

       

       
-

       
	pdsUrl            = os.Getenv("OAUTH_TEST_PDS_URL")


     

       
33

       

       
-

       
	scope             = "atproto transition:generic"


     

       

       
25

       
+

       
	ctx                = context.Background()


     

       

       
26

       
+

       
	serverMetadataPath = "/oauth/client-metadata.json"


     

       

       
27

       
+

       
	serverCallbackPath = "/callback"


     

       

       
28

       
+

       
	scope              = "atproto transition:generic"


     

       
34

       
29

       
 

       
)


     

       
35

       
30

       
 

       



     

       
36

       
31

       
 

       
func main() {


     

       
37

       
32

       
 

       
	app := &cli.App{


     

       
38

       
33

       
 

       
		Name:   "atproto-goauth-demo-webserver",


     

       
39

       
34

       
 

       
		Action: run,


     

       
40

       

       
-

       
	}


     

       
41

       

       
-

       



     

       
42

       

       
-

       
	if serverUrlRoot == "" {


     

       
43

       

       
-

       
		panic(fmt.Errorf("no server url root set in env file"))


     

       

       
35

       
+

       
		Flags: []cli.Flag{


     

       

       
36

       
+

       
			&cli.StringFlag{


     

       

       
37

       
+

       
				Name:    "addr",


     

       

       
38

       
+

       
				Value:   ":8080",


     

       

       
39

       
+

       
				EnvVars: []string{"OAUTH_TEST_SERVER_ADDR"},


     

       

       
40

       
+

       
			},


     

       

       
41

       
+

       
			&cli.StringFlag{


     

       

       
42

       
+

       
				Name:     "url-root",


     

       

       
43

       
+

       
				Required: true,


     

       

       
44

       
+

       
				EnvVars:  []string{"OAUTH_TEST_SERVER_URL_ROOT"},


     

       

       
45

       
+

       
			},


     

       

       
46

       
+

       
			&cli.StringFlag{


     

       

       
47

       
+

       
				Name:    "static-file-path",


     

       

       
48

       
+

       
				Value:   "./cmd/web_server_demo/html",


     

       

       
49

       
+

       
				EnvVars: []string{"OAUTH_TEST_SERVER_STATIC_PATH"},


     

       

       
50

       
+

       
			},


     

       

       
51

       
+

       
			&cli.StringFlag{


     

       

       
52

       
+

       
				Name:    "session-secret",


     

       

       
53

       
+

       
				Value:   "session-secret",


     

       

       
54

       
+

       
				EnvVars: []string{"OAUTH_TEST_SERVER_SESSION_SECRET"},


     

       

       
55

       
+

       
			},


     

       

       
56

       
+

       
		},


     

       
44

       
57

       
 

       
	}


     

       
45

       
58

       
 

       



     

       
46

       

       
-

       
	app.RunAndExitOnError()


     

       

       
59

       
+

       
	app.Run(os.Args)


     

       
47

       
60

       
 

       
}


     

       
48

       
61

       
 

       



     

       
49

       
62

       
 

       
type TestServer struct {


     
···

       
53

       
66

       
 

       
	oauthClient  *oauth.Client


     

       
54

       
67

       
 

       
	xrpcCli      *oauth.XrpcClient


     

       
55

       
68

       
 

       
	jwksResponse *oauth_helpers.JwksResponseObject


     

       

       
69

       
+

       
	args         ServerArgs


     

       
56

       
70

       
 

       
}


     

       
57

       
71

       
 

       



     

       
58

       
72

       
 

       
type TemplateRenderer struct {


     

       
59

       
73

       
 

       
	templates *template.Template


     

       
60

       
74

       
 

       
}


     

       
61

       
75

       
 

       



     

       
62

       

       
-

       
func (t *TemplateRenderer) Render(w io.Writer, name string, data interface{}, c echo.Context) error {


     

       
63

       

       
-

       
	if viewContext, isMap := data.(map[string]interface{}); isMap {


     

       

       
76

       
+

       
func (t *TemplateRenderer) Render(w io.Writer, name string, data any, c echo.Context) error {


     

       

       
77

       
+

       
	if viewContext, isMap := data.(map[string]any); isMap {


     

       
64

       
78

       
 

       
		viewContext["reverse"] = c.Echo().Reverse


     

       
65

       
79

       
 

       
	}


     

       
66

       
80

       
 

       



     
···

       
68

       
82

       
 

       
}


     

       
69

       
83

       
 

       



     

       
70

       
84

       
 

       
func run(cmd *cli.Context) error {


     

       
71

       

       
-

       
	s, err := NewServer()


     

       

       
85

       
+

       
	s, err := NewServer(ServerArgs{


     

       

       
86

       
+

       
		Addr:           cmd.String("addr"),


     

       

       
87

       
+

       
		UrlRoot:        cmd.String("url-root"),


     

       

       
88

       
+

       
		StaticFilePath: cmd.String("static-file-path"),


     

       

       
89

       
+

       
		SessionSecret:  cmd.String("session-secret"),


     

       

       
90

       
+

       
	})


     

       
72

       
91

       
 

       
	if err != nil {


     

       
73

       
92

       
 

       
		panic(err)


     

       
74

       
93

       
 

       
	}


     
···

       
78

       
97

       
 

       
	return nil


     

       
79

       
98

       
 

       
}


     

       
80

       
99

       
 

       



     

       
81

       

       
-

       
func NewServer() (*TestServer, error) {


     

       

       
100

       
+

       
type ServerArgs struct {


     

       

       
101

       
+

       
	Addr           string


     

       

       
102

       
+

       
	UrlRoot        string


     

       

       
103

       
+

       
	StaticFilePath string


     

       

       
104

       
+

       
	SessionSecret  string


     

       

       
105

       
+

       
}


     

       

       
106

       
+

       



     

       

       
107

       
+

       
func NewServer(args ServerArgs) (*TestServer, error) {


     

       
82

       
108

       
 

       
	e := echo.New()


     

       
83

       
109

       
 

       



     

       
84

       
110

       
 

       
	e.Use(slogecho.New(slog.Default()))


     

       
85

       

       
-

       
	e.Use(session.Middleware(sessions.NewCookieStore([]byte(sessionSecret))))


     

       
86

       

       
-

       



     

       
87

       

       
-

       
	renderer := &TemplateRenderer{


     

       
88

       

       
-

       
		templates: template.Must(template.ParseGlob(getFilePath("*.html"))),


     

       
89

       

       
-

       
	}


     

       
90

       

       
-

       
	e.Renderer = renderer


     

       

       
111

       
+

       
	e.Use(session.Middleware(sessions.NewCookieStore([]byte(args.SessionSecret))))


     

       
91

       
112

       
 

       



     

       
92

       
113

       
 

       
	fmt.Println("atproto goauth demo webserver")


     

       
93

       
114

       
 

       



     
···

       
113

       
134

       
 

       



     

       
114

       
135

       
 

       
	c, err := oauth.NewClient(oauth.ClientArgs{


     

       
115

       
136

       
 

       
		ClientJwk:   k,


     

       
116

       

       
-

       
		ClientId:    serverMetadataUrl,


     

       
117

       

       
-

       
		RedirectUri: serverCallbackUrl,


     

       

       
137

       
+

       
		ClientId:    args.UrlRoot + serverMetadataPath,


     

       

       
138

       
+

       
		RedirectUri: args.UrlRoot + serverCallbackPath,


     

       
118

       
139

       
 

       
	})


     

       
119

       
140

       
 

       
	if err != nil {


     

       
120

       
141

       
 

       
		return nil, err


     

       
121

       
142

       
 

       
	}


     

       
122

       
143

       
 

       



     

       
123

       
144

       
 

       
	httpd := &http.Server{


     

       
124

       

       
-

       
		Addr:    serverAddr,


     

       

       
145

       
+

       
		Addr:    args.Addr,


     

       
125

       
146

       
 

       
		Handler: e,


     

       
126

       
147

       
 

       
	}


     

       
127

       
148

       
 

       



     
···

       
140

       
161

       
 

       
		},


     

       
141

       
162

       
 

       
	}


     

       
142

       
163

       
 

       



     

       
143

       

       
-

       
	return &TestServer{


     

       

       
164

       
+

       
	s := &TestServer{


     

       
144

       
165

       
 

       
		httpd:        httpd,


     

       
145

       
166

       
 

       
		e:            e,


     

       
146

       
167

       
 

       
		db:           db,


     

       
147

       
168

       
 

       
		oauthClient:  c,


     

       
148

       
169

       
 

       
		xrpcCli:      xrpcCli,


     

       
149

       
170

       
 

       
		jwksResponse: oauth_helpers.CreateJwksResponseObject(pubKey),


     

       
150

       

       
-

       
	}, nil


     

       

       
171

       
+

       
		args:         args,


     

       

       
172

       
+

       
	}


     

       

       
173

       
+

       



     

       

       
174

       
+

       
	renderer := &TemplateRenderer{


     

       

       
175

       
+

       
		templates: template.Must(template.ParseGlob(s.getFilePath("*.html"))),


     

       

       
176

       
+

       
	}


     

       

       
177

       
+

       
	e.Renderer = renderer


     

       

       
178

       
+

       



     

       

       
179

       
+

       
	return s, nil


     

       
151

       
180

       
 

       
}


     

       
152

       
181

       
 

       



     

       
153

       
182

       
 

       
func (s *TestServer) run() error {


     

       
154

       
183

       
 

       
	s.e.GET("/", s.handleHome)


     

       
155

       

       
-

       
	s.e.File("/login", getFilePath("login.html"))


     

       

       
184

       
+

       
	s.e.File("/login", s.getFilePath("login.html"))


     

       
156

       
185

       
 

       
	s.e.POST("/login", s.handleLoginSubmit)


     

       
157

       
186

       
 

       
	s.e.GET("/logout", s.handleLogout)


     

       
158

       
187

       
 

       
	s.e.GET("/profile", s.handleProfile)


     
···

       
161

       
190

       
 

       
	s.e.GET("/oauth/client-metadata.json", s.handleClientMetadata)


     

       
162

       
191

       
 

       
	s.e.GET("/oauth/jwks.json", s.handleJwks)


     

       
163

       
192

       
 

       



     

       

       
193

       
+

       
	slog.Default().Info("starting http server", "addr", s.args.Addr)


     

       

       
194

       
+

       



     

       
164

       
195

       
 

       
	if err := s.httpd.ListenAndServe(); err != nil {


     

       
165

       
196

       
 

       
		return err


     

       
166

       
197

       
 

       
	}


     
···

       
181

       
212

       
 

       



     

       
182

       
213

       
 

       
func (s *TestServer) handleClientMetadata(e echo.Context) error {


     

       
183

       
214

       
 

       
	metadata := map[string]any{


     

       
184

       

       
-

       
		"client_id":                       serverMetadataUrl,


     

       

       
215

       
+

       
		"client_id":                       s.args.UrlRoot + serverMetadataPath,


     

       
185

       
216

       
 

       
		"client_name":                     "Atproto GoAuth Demo Webserver",


     

       
186

       

       
-

       
		"client_uri":                      serverUrlRoot,


     

       
187

       

       
-

       
		"logo_uri":                        fmt.Sprintf("%s/logo.png", serverUrlRoot),


     

       
188

       

       
-

       
		"tos_uri":                         fmt.Sprintf("%s/tos", serverUrlRoot),


     

       
189

       

       
-

       
		"policy_url":                      fmt.Sprintf("%s/policy", serverUrlRoot),


     

       
190

       

       
-

       
		"redirect_uris":                   []string{serverCallbackUrl},


     

       

       
217

       
+

       
		"client_uri":                      s.args.UrlRoot,


     

       

       
218

       
+

       
		"logo_uri":                        fmt.Sprintf("%s/logo.png", s.args.UrlRoot),


     

       

       
219

       
+

       
		"tos_uri":                         fmt.Sprintf("%s/tos", s.args.UrlRoot),


     

       

       
220

       
+

       
		"policy_url":                      fmt.Sprintf("%s/policy", s.args.UrlRoot),


     

       

       
221

       
+

       
		"redirect_uris":                   []string{s.args.UrlRoot + serverCallbackPath},


     

       
191

       
222

       
 

       
		"grant_types":                     []string{"authorization_code", "refresh_token"},


     

       
192

       
223

       
 

       
		"response_types":                  []string{"code"},


     

       
193

       
224

       
 

       
		"application_type":                "web",


     

       
194

       
225

       
 

       
		"dpop_bound_access_tokens":        true,


     

       
195

       

       
-

       
		"jwks_uri":                        fmt.Sprintf("%s/oauth/jwks.json", serverUrlRoot),


     

       

       
226

       
+

       
		"jwks_uri":                        fmt.Sprintf("%s/oauth/jwks.json", s.args.UrlRoot),


     

       
196

       
227

       
 

       
		"scope":                           "atproto transition:generic",


     

       
197

       
228

       
 

       
		"token_endpoint_auth_method":      "private_key_jwt",


     

       
198

       
229

       
 

       
		"token_endpoint_auth_signing_alg": "ES256",


     
···

       
205

       
236

       
 

       
	return e.JSON(200, s.jwksResponse)


     

       
206

       
237

       
 

       
}


     

       
207

       
238

       
 

       



     

       
208

       

       
-

       
func getFilePath(file string) string {


     

       
209

       

       
-

       
	return fmt.Sprintf("%s/%s", staticFilePath, file)


     

       

       
239

       
+

       
func (s *TestServer) getFilePath(file string) string {


     

       

       
240

       
+

       
	return fmt.Sprintf("%s/%s", s.args.StaticFilePath, file)


     

       
210

       
241

       
 

       
}
+14 -1
oauth.go 
···

       
204

       
204

       
 

       
	return tokenString, nil


     

       
205

       
205

       
 

       
}


     

       
206

       
206

       
 

       



     

       
207

       

       
-

       
func (c *Client) SendParAuthRequest(ctx context.Context, authServerUrl string, authServerMeta *OauthAuthorizationMetadata, loginHint, scope string, dpopPrivateKey jwk.Key) (*SendParAuthResponse, error) {


     

       

       
207

       
+

       
type ParAuthRequestExtra struct {


     

       

       
208

       
+

       
	Name  string


     

       

       
209

       
+

       
	Value string


     

       

       
210

       
+

       
}


     

       

       
211

       
+

       



     

       

       
212

       
+

       
func (c *Client) SendParAuthRequest(ctx context.Context, authServerUrl string, authServerMeta *OauthAuthorizationMetadata, loginHint, scope string, dpopPrivateKey jwk.Key, extras ...ParAuthRequestExtra) (*SendParAuthResponse, error) {


     

       
208

       
213

       
 

       
	if authServerMeta == nil {


     

       
209

       
214

       
 

       
		return nil, fmt.Errorf("nil metadata provided")


     

       
210

       
215

       
 

       
	}


     
···

       
249

       
254

       
 

       



     

       
250

       
255

       
 

       
	if loginHint != "" {


     

       
251

       
256

       
 

       
		params.Set("login_hint", loginHint)


     

       

       
257

       
+

       
	}


     

       

       
258

       
+

       



     

       

       
259

       
+

       
	for _, e := range extras {


     

       

       
260

       
+

       
		if !strings.HasPrefix(e.Name, "ext-") {


     

       

       
261

       
+

       
			e.Name = "ext-" + e.Name


     

       

       
262

       
+

       
		}


     

       

       
263

       
+

       
		e.Value = url.QueryEscape(e.Value)


     

       

       
264

       
+

       
		params.Set(e.Name, e.Value)


     

       
252

       
265

       
 

       
	}


     

       
253

       
266

       
 

       



     

       
254

       
267

       
 

       
	_, err = helpers.IsUrlSafeAndParsed(parUrl)