♻️ OAuth authenticate

2024-06-26 14:47:34 +08:00
parent 0d02eca76e
commit 21d3d71936
15 changed files with 328 additions and 240 deletions
--- a/pkg/internal/server/api/accounts_api.go
+++ b/pkg/internal/server/api/accounts_api.go
@ -123,7 +123,7 @@ func editUserinfo(c *fiber.Ctx) error {
 	return c.SendStatus(fiber.StatusOK)
 }

-func killSession(c *fiber.Ctx) error {
+func killTicket(c *fiber.Ctx) error {
 	if err := exts.EnsureAuthenticated(c); err != nil {
 		return err
 	}
--- a/pkg/internal/server/api/index.go
+++ b/pkg/internal/server/api/index.go
@ -29,7 +29,7 @@ func MapAPIs(app *fiber.App) {
 			me.Put("/", editUserinfo)
 			me.Get("/events", getEvents)
 			me.Get("/tickets", getTickets)
-			me.Delete("/tickets/:ticketId", killSession)
+			me.Delete("/tickets/:ticketId", killTicket)

 			me.Post("/confirm", doRegisterConfirm)

@ -51,12 +51,18 @@ func MapAPIs(app *fiber.App) {

 		api.Post("/users", doRegister)

-		api.Post("/auth", doAuthenticate)
-		api.Post("/auth/mfa", doMultiFactorAuthenticate)
-		api.Post("/auth/token", getToken)
+		auth := api.Group("/auth").Name("Auth")
+		{
+			auth.Post("/", doAuthenticate)
+			auth.Post("/mfa", doMultiFactorAuthenticate)
+			auth.Post("/token", getToken)

-		api.Get("/auth/factors", getAvailableFactors)
-		api.Post("/auth/factors/:factorId", requestFactorToken)
+			auth.Get("/factors", getAvailableFactors)
+			auth.Post("/factors/:factorId", requestFactorToken)
+
+			auth.Get("/o/authorize", tryAuthorizeThirdClient)
+			auth.Post("/o/authorize", authorizeThirdClient)
+		}

 		realms := api.Group("/realms").Name("Realms API")
 		{
--- a/pkg/internal/server/api/oauth_api.go
+++ b/pkg/internal/server/api/oauth_api.go
@ -0,0 +1,128 @@
+package api
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/server/exts"
+	"strings"
+	"time"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/internal/services"
+	"github.com/gofiber/fiber/v2"
+	"github.com/samber/lo"
+)
+
+func tryAuthorizeThirdClient(c *fiber.Ctx) error {
+	id := c.Query("client_id")
+	redirect := c.Query("redirect_uri")
+
+	if len(id) <= 0 || len(redirect) <= 0 {
+		return fiber.NewError(fiber.StatusBadRequest, "invalid request, missing query parameters")
+	}
+
+	var client models.ThirdClient
+	if err := database.C.Where(&models.ThirdClient{Alias: id}).First(&client).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	} else if !client.IsDraft && !lo.Contains(client.Callbacks, strings.Split(redirect, "?")[0]) {
+		return fiber.NewError(fiber.StatusBadRequest, "invalid callback url")
+	}
+
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	var ticket models.AuthTicket
+	if err := database.C.Where(&models.AuthTicket{
+		AccountID: user.ID,
+		ClientID:  &client.ID,
+	}).Where("last_grant_at IS NULL").First(&ticket).Error; err == nil {
+		if ticket.ExpiredAt != nil && ticket.ExpiredAt.Unix() < time.Now().Unix() {
+			return c.JSON(fiber.Map{
+				"client": client,
+				"ticket": nil,
+			})
+		} else {
+			ticket, err = services.RegenSession(ticket)
+		}
+
+		return c.JSON(fiber.Map{
+			"client": client,
+			"ticket": ticket,
+		})
+	}
+
+	return c.JSON(fiber.Map{
+		"client": client,
+		"ticket": nil,
+	})
+}
+
+func authorizeThirdClient(c *fiber.Ctx) error {
+	id := c.Query("client_id")
+	response := c.Query("response_type")
+	redirect := c.Query("redirect_uri")
+	scope := c.Query("scope")
+	if len(scope) <= 0 {
+		return fiber.NewError(fiber.StatusBadRequest, "invalid request params")
+	}
+
+	if err := exts.EnsureAuthenticated(c); err != nil {
+		return err
+	}
+	user := c.Locals("user").(models.Account)
+
+	var client models.ThirdClient
+	if err := database.C.Where(&models.ThirdClient{Alias: id}).First(&client).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	switch response {
+	case "code":
+		// OAuth Authorization Mode
+		ticket, err := services.NewOauthTicket(
+			user,
+			client,
+			strings.Split(scope, " "),
+			[]string{"passport", client.Alias},
+			c.IP(),
+			c.Get(fiber.HeaderUserAgent),
+		)
+
+		if err != nil {
+			return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+		} else {
+			services.AddEvent(user, "oauth.connect", client.Alias, c.IP(), c.Get(fiber.HeaderUserAgent))
+			return c.JSON(fiber.Map{
+				"ticket":       ticket,
+				"redirect_uri": redirect,
+			})
+		}
+	case "token":
+		// OAuth Implicit Mode
+		ticket, err := services.NewOauthTicket(
+			user,
+			client,
+			strings.Split(scope, " "),
+			[]string{"passport", client.Alias},
+			c.IP(),
+			c.Get(fiber.HeaderUserAgent),
+		)
+
+		if err != nil {
+			return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+		} else if access, refresh, err := services.GetToken(ticket); err != nil {
+			return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+		} else {
+			services.AddEvent(user, "oauth.connect", client.Alias, c.IP(), c.Get(fiber.HeaderUserAgent))
+			return c.JSON(fiber.Map{
+				"access_token":  access,
+				"refresh_token": refresh,
+				"redirect_uri":  redirect,
+				"ticket":        ticket,
+			})
+		}
+	default:
+		return fiber.NewError(fiber.StatusBadRequest, "unsupported response type")
+	}
+}