OpenI
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
4957 Commits
197 Branches
392 MB
3511 Download
Tree: 01d957677f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '01d957677f'
${ noResults }
aiforge/vendor/golang.org/x/oauth2/internal/token.go

token.go 6.9 kB
Raw Normal View History

Oauth2 consumer (#679) * initial stuff for oauth2 login, fails on: * login button on the signIn page to start the OAuth2 flow and a callback for each provider Only GitHub is implemented for now * show login button only when the OAuth2 consumer is configured (and activated) * create macaron group for oauth2 urls * prevent net/http in modules (other then oauth2) * use a new data sessions oauth2 folder for storing the oauth2 session data * add missing 2FA when this is enabled on the user * add password option for OAuth2 user , for use with git over http and login to the GUI * add tip for registering a GitHub OAuth application * at startup of Gitea register all configured providers and also on adding/deleting of new providers * custom handling of errors in oauth2 request init + show better tip * add ExternalLoginUser model and migration script to add it to database * link a external account to an existing account (still need to handle wrong login and signup) and remove if user is removed * remove the linked external account from the user his settings * if user is unknown we allow him to register a new account or link it to some existing account * sign up with button on signin page (als change OAuth2Provider structure so we can store basic stuff about providers) * from gorilla/sessions docs: "Important Note: If you aren't using gorilla/mux, you need to wrap your handlers with context.ClearHandler as or else you will leak memory!" (we're using gorilla/sessions for storing oauth2 sessions) * use updated goth lib that now supports getting the OAuth2 user if the AccessToken is still valid instead of re-authenticating (prevent flooding the OAuth2 provider)
8 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227 
  1. // Copyright 2014 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. // Package internal contains support packages for oauth2 package.

  6. package internal

  7. 

  8. import (

  9. 	"encoding/json"

  10. 	"fmt"

  11. 	"io"

  12. 	"io/ioutil"

  13. 	"mime"

  14. 	"net/http"

  15. 	"net/url"

  16. 	"strconv"

  17. 	"strings"

  18. 	"time"

  19. 

  20. 	"golang.org/x/net/context"

  21. )

  22. 

  23. // Token represents the crendentials used to authorize

  24. // the requests to access protected resources on the OAuth 2.0

  25. // provider's backend.

  26. //

  27. // This type is a mirror of oauth2.Token and exists to break

  28. // an otherwise-circular dependency. Other internal packages

  29. // should convert this Token into an oauth2.Token before use.

  30. type Token struct {

  31. 	// AccessToken is the token that authorizes and authenticates

  32. 	// the requests.

  33. 	AccessToken string

  34. 

  35. 	// TokenType is the type of token.

  36. 	// The Type method returns either this or "Bearer", the default.

  37. 	TokenType string

  38. 

  39. 	// RefreshToken is a token that's used by the application

  40. 	// (as opposed to the user) to refresh the access token

  41. 	// if it expires.

  42. 	RefreshToken string

  43. 

  44. 	// Expiry is the optional expiration time of the access token.

  45. 	//

  46. 	// If zero, TokenSource implementations will reuse the same

  47. 	// token forever and RefreshToken or equivalent

  48. 	// mechanisms for that TokenSource will not be used.

  49. 	Expiry time.Time

  50. 

  51. 	// Raw optionally contains extra metadata from the server

  52. 	// when updating a token.

  53. 	Raw interface{}

  54. }

  55. 

  56. // tokenJSON is the struct representing the HTTP response from OAuth2

  57. // providers returning a token in JSON form.

  58. type tokenJSON struct {

  59. 	AccessToken  string         `json:"access_token"`

  60. 	TokenType    string         `json:"token_type"`

  61. 	RefreshToken string         `json:"refresh_token"`

  62. 	ExpiresIn    expirationTime `json:"expires_in"` // at least PayPal returns string, while most return number

  63. 	Expires      expirationTime `json:"expires"`    // broken Facebook spelling of expires_in

  64. }

  65. 

  66. func (e *tokenJSON) expiry() (t time.Time) {

  67. 	if v := e.ExpiresIn; v != 0 {

  68. 		return time.Now().Add(time.Duration(v) * time.Second)

  69. 	}

  70. 	if v := e.Expires; v != 0 {

  71. 		return time.Now().Add(time.Duration(v) * time.Second)

  72. 	}

  73. 	return

  74. }

  75. 

  76. type expirationTime int32

  77. 

  78. func (e *expirationTime) UnmarshalJSON(b []byte) error {

  79. 	var n json.Number

  80. 	err := json.Unmarshal(b, &n)

  81. 	if err != nil {

  82. 		return err

  83. 	}

  84. 	i, err := n.Int64()

  85. 	if err != nil {

  86. 		return err

  87. 	}

  88. 	*e = expirationTime(i)

  89. 	return nil

  90. }

  91. 

  92. var brokenAuthHeaderProviders = []string{

  93. 	"https://accounts.google.com/",

  94. 	"https://api.dropbox.com/",

  95. 	"https://api.dropboxapi.com/",

  96. 	"https://api.instagram.com/",

  97. 	"https://api.netatmo.net/",

  98. 	"https://api.odnoklassniki.ru/",

  99. 	"https://api.pushbullet.com/",

  100. 	"https://api.soundcloud.com/",

  101. 	"https://api.twitch.tv/",

  102. 	"https://app.box.com/",

  103. 	"https://connect.stripe.com/",

  104. 	"https://login.microsoftonline.com/",

  105. 	"https://login.salesforce.com/",

  106. 	"https://oauth.sandbox.trainingpeaks.com/",

  107. 	"https://oauth.trainingpeaks.com/",

  108. 	"https://oauth.vk.com/",

  109. 	"https://openapi.baidu.com/",

  110. 	"https://slack.com/",

  111. 	"https://test-sandbox.auth.corp.google.com",

  112. 	"https://test.salesforce.com/",

  113. 	"https://user.gini.net/",

  114. 	"https://www.douban.com/",

  115. 	"https://www.googleapis.com/",

  116. 	"https://www.linkedin.com/",

  117. 	"https://www.strava.com/oauth/",

  118. 	"https://www.wunderlist.com/oauth/",

  119. 	"https://api.patreon.com/",

  120. 	"https://sandbox.codeswholesale.com/oauth/token",

  121. 	"https://api.codeswholesale.com/oauth/token",

  122. }

  123. 

  124. func RegisterBrokenAuthHeaderProvider(tokenURL string) {

  125. 	brokenAuthHeaderProviders = append(brokenAuthHeaderProviders, tokenURL)

  126. }

  127. 

  128. // providerAuthHeaderWorks reports whether the OAuth2 server identified by the tokenURL

  129. // implements the OAuth2 spec correctly

  130. // See https://code.google.com/p/goauth2/issues/detail?id=31 for background.

  131. // In summary:

  132. // - Reddit only accepts client secret in the Authorization header

  133. // - Dropbox accepts either it in URL param or Auth header, but not both.

  134. // - Google only accepts URL param (not spec compliant?), not Auth header

  135. // - Stripe only accepts client secret in Auth header with Bearer method, not Basic

  136. func providerAuthHeaderWorks(tokenURL string) bool {

  137. 	for _, s := range brokenAuthHeaderProviders {

  138. 		if strings.HasPrefix(tokenURL, s) {

  139. 			// Some sites fail to implement the OAuth2 spec fully.

  140. 			return false

  141. 		}

  142. 	}

  143. 

  144. 	// Assume the provider implements the spec properly

  145. 	// otherwise. We can add more exceptions as they're

  146. 	// discovered. We will _not_ be adding configurable hooks

  147. 	// to this package to let users select server bugs.

  148. 	return true

  149. }

  150. 

  151. func RetrieveToken(ctx context.Context, clientID, clientSecret, tokenURL string, v url.Values) (*Token, error) {

  152. 	hc, err := ContextClient(ctx)

  153. 	if err != nil {

  154. 		return nil, err

  155. 	}

  156. 	v.Set("client_id", clientID)

  157. 	bustedAuth := !providerAuthHeaderWorks(tokenURL)

  158. 	if bustedAuth && clientSecret != "" {

  159. 		v.Set("client_secret", clientSecret)

  160. 	}

  161. 	req, err := http.NewRequest("POST", tokenURL, strings.NewReader(v.Encode()))

  162. 	if err != nil {

  163. 		return nil, err

  164. 	}

  165. 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

  166. 	if !bustedAuth {

  167. 		req.SetBasicAuth(clientID, clientSecret)

  168. 	}

  169. 	r, err := hc.Do(req)

  170. 	if err != nil {

  171. 		return nil, err

  172. 	}

  173. 	defer r.Body.Close()

  174. 	body, err := ioutil.ReadAll(io.LimitReader(r.Body, 1<<20))

  175. 	if err != nil {

  176. 		return nil, fmt.Errorf("oauth2: cannot fetch token: %v", err)

  177. 	}

  178. 	if code := r.StatusCode; code < 200 || code > 299 {

  179. 		return nil, fmt.Errorf("oauth2: cannot fetch token: %v\nResponse: %s", r.Status, body)

  180. 	}

  181. 

  182. 	var token *Token

  183. 	content, _, _ := mime.ParseMediaType(r.Header.Get("Content-Type"))

  184. 	switch content {

  185. 	case "application/x-www-form-urlencoded", "text/plain":

  186. 		vals, err := url.ParseQuery(string(body))

  187. 		if err != nil {

  188. 			return nil, err

  189. 		}

  190. 		token = &Token{

  191. 			AccessToken:  vals.Get("access_token"),

  192. 			TokenType:    vals.Get("token_type"),

  193. 			RefreshToken: vals.Get("refresh_token"),

  194. 			Raw:          vals,

  195. 		}

  196. 		e := vals.Get("expires_in")

  197. 		if e == "" {

  198. 			// TODO(jbd): Facebook's OAuth2 implementation is broken and

  199. 			// returns expires_in field in expires. Remove the fallback to expires,

  200. 			// when Facebook fixes their implementation.

  201. 			e = vals.Get("expires")

  202. 		}

  203. 		expires, _ := strconv.Atoi(e)

  204. 		if expires != 0 {

  205. 			token.Expiry = time.Now().Add(time.Duration(expires) * time.Second)

  206. 		}

  207. 	default:

  208. 		var tj tokenJSON

  209. 		if err = json.Unmarshal(body, &tj); err != nil {

  210. 			return nil, err

  211. 		}

  212. 		token = &Token{

  213. 			AccessToken:  tj.AccessToken,

  214. 			TokenType:    tj.TokenType,

  215. 			RefreshToken: tj.RefreshToken,

  216. 			Expiry:       tj.expiry(),

  217. 			Raw:          make(map[string]interface{}),

  218. 		}

  219. 		json.Unmarshal(body, &token.Raw) // no error checks for optional fields

  220. 	}

  221. 	// Don't overwrite `RefreshToken` with an empty value

  222. 	// if this was a token refreshing request.

  223. 	if token.RefreshToken == "" {

  224. 		token.RefreshToken = v.Get("refresh_token")

  225. 	}

  226. 	return token, nil

  227. }

No Description