oauth2: Complete implementation

2022-05-20 02:26:42 +02:00 · 2022-05-20 02:26:42 +02:00 · 8142349db4
parent 27af1333ad
commit 8142349db4
5 changed files with 120 additions and 17 deletions
--- a/config/config.go
+++ b/config/config.go
@ -1,28 +1,37 @@
 package config
-import "os"
+import (
 	"errors"
 	"os"
 )
 type TwitterCredentials struct {
 	ClientID, ClientSecret, CallbackURL string
 }
 type Config struct {
 	PublicPath string
 	SessionKey string
 	ListenAddr string
 	Twitter    TwitterCredentials
 }
-func NewFromEnv() Config {
+func NewFromEnv() (Config, error) {
 	listenAddr := os.Getenv("ELON_LISTEN_ADDR")
 	if listenAddr == "" {
 		listenAddr = ":8000"
 	}
 	sessionKey := os.Getenv("ELON_SESSION_KEY")
 	if sessionKey == "" {
 		return Config{}, errors.New("missing ELON_SESSION_KEY")
 	}
 	return Config{
 		PublicPath: os.Getenv("ELON_PUBLIC_PATH"),
 		SessionKey: sessionKey,
 		ListenAddr: listenAddr,
 		Twitter: TwitterCredentials{
 			ClientID:     os.Getenv("ELON_TWITTER_CLIENT_ID"),
 			ClientSecret: os.Getenv("ELON_TWITTER_CLIENT_SECRET"),
 			CallbackURL:  os.Getenv("ELON_TWITTER_CALLBACK_URL"),
 		},
-	}
+	}, nil
 }
--- a/go.mod
+++ b/go.mod
@ -10,6 +10,8 @@ require (
 require (
 	github.com/golang/protobuf v1.4.2 // indirect
 	github.com/google/go-cmp v0.5.7 // indirect
 	github.com/gorilla/securecookie v1.1.1 // indirect
 	github.com/gorilla/sessions v1.2.1 // indirect
 	golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
 	google.golang.org/appengine v1.6.6 // indirect
 	google.golang.org/protobuf v1.25.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -97,6 +97,10 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
--- a/httpserver/httpserver.go
+++ b/httpserver/httpserver.go
@ -2,8 +2,12 @@ package httpserver
 import (
 	"context"
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
 	"io"
 	"log"
 	"math/rand"
 	"net/http"
 	"path/filepath"
 	"text/template"
@ -11,17 +15,28 @@ import (
 	"git.netflux.io/rob/elon-eats-my-tweets/config"
 	"github.com/go-chi/chi"
 	"github.com/go-chi/chi/middleware"
 	"github.com/gorilla/sessions"
 	"golang.org/x/oauth2"
 )
 const (
 	sessionName            = "elon_session"
 	sessionKeyState        = "state"
 	sessionKeyPkceVerifier = "pkce_verifier"
 	stateLen               = 64
 	pkceVerifierLen        = 64
 )
 type handler struct {
 	templates    *template.Template
 	oauth2Config *oauth2.Config
 	sessionStore *sessions.CookieStore
 }
 func newHandler(cfg config.Config, templates *template.Template) *handler {
 	return &handler{
 		templates:    templates,
 		sessionStore: sessions.NewCookieStore([]byte(cfg.SessionKey)),
 		oauth2Config: &oauth2.Config{
 			ClientID:     cfg.Twitter.ClientID,
 			ClientSecret: cfg.Twitter.ClientSecret,
@ -30,6 +45,7 @@ func newHandler(cfg config.Config, templates *template.Template) *handler {
 			Endpoint: oauth2.Endpoint{
 				AuthURL:   "https://twitter.com/i/oauth2/authorize",
 				TokenURL:  "https://api.twitter.com/2/oauth2/token",
 				AuthStyle: oauth2.AuthStyleInHeader,
 			},
 		},
 	}
@ -44,32 +60,81 @@ func (h *handler) getIndex(w http.ResponseWriter, r *http.Request) {
 }
 func (h *handler) getLogin(w http.ResponseWriter, r *http.Request) {
 	state := randSeq(stateLen)
 	pkceVerifier := randSeq(pkceVerifierLen)
 	session, _ := h.sessionStore.Get(r, sessionName)
 	session.Values[sessionKeyState] = state
 	session.Values[sessionKeyPkceVerifier] = pkceVerifier
 	if err := session.Save(r, w); err != nil {
 		log.Printf("error saving session: %v", err)
 		http.Error(w, "error saving session", http.StatusBadRequest)
 		return
 	}
 	url := h.oauth2Config.AuthCodeURL(
-		// TODO: implement state and code_challenge tokens
+		state,
-		"state",
+		oauth2.SetAuthURLParam("code_challenge", encodeSHA256(pkceVerifier)),
-		oauth2.SetAuthURLParam("code_challenge", "challenge"),
+		oauth2.SetAuthURLParam("code_challenge_method", "S256"),
 		oauth2.SetAuthURLParam("code_challenge_method", "plain"),
 	)
 	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
 }
 func (h *handler) getCallback(w http.ResponseWriter, r *http.Request) {
 	session, err := h.sessionStore.Get(r, sessionName)
 	if err != nil {
 		log.Printf("error reading session: %v", err)
 		http.Error(w, "error reading session", http.StatusBadRequest)
 		return
 	}
 	state, ok := session.Values[sessionKeyState]
 	if !ok {
 		log.Println("empty state", err)
 		http.Error(w, "error reading session", http.StatusBadRequest)
 		return
 	}
 	if state != r.URL.Query().Get("state") {
 		http.Error(w, "error validating request", http.StatusBadRequest)
 		return
 	}
 	code := r.URL.Query().Get("code")
 	if code == "" {
 		http.Error(w, "empty code", http.StatusBadRequest)
 		return
 	}
-	_, err := h.oauth2Config.Exchange(context.Background(), code, oauth2.SetAuthURLParam("code_verifier", "challenge"))
+	pkceVerifier, ok := session.Values[sessionKeyPkceVerifier]
-	if err != nil {
+	if !ok {
-		log.Printf("error exchanging code: %v", err)
+		log.Println("empty code challenge", err)
-		http.Error(w, "error exchanging code", http.StatusInternalServerError)
+		http.Error(w, "error reading session", http.StatusBadRequest)
 		return
 	}
 	token, err := h.oauth2Config.Exchange(context.Background(), code, oauth2.SetAuthURLParam("code_verifier", pkceVerifier.(string)))
 	if err != nil {
 		log.Printf("error exchanging code: %v", err)
 		http.Error(w, "error exchanging code", http.StatusForbidden)
 		return
 	}
 	client := h.oauth2Config.Client(context.Background(), token)
 	resp, err := client.Get("https://api.twitter.com/2/users/me")
 	if err != nil {
 		log.Printf("error fetching users/me: %v", err)
 		http.Error(w, "error fetching user", http.StatusInternalServerError)
 		return
 	}
 	defer resp.Body.Close()
 	// TODO: do something sensible
 	body, _ := io.ReadAll(resp.Body)
 	w.Header().Set("content-type", "application/json")
 	w.WriteHeader(http.StatusOK)
-	w.Header().Set("content-type", "text/html")
+	if _, err = w.Write([]byte(body)); err != nil {
 	if _, err = w.Write([]byte("ok")); err != nil {
 		log.Printf("error writing response: %v", err)
 	}
 }
@ -93,3 +158,19 @@ func Start(cfg config.Config) error {
 	return http.ListenAndServe(":8000", r)
 }
 // https://stackoverflow.com/questions/22892120/how-to-generate-a-random-string-of-a-fixed-length-in-go
 var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
 func randSeq(n int) string {
 	b := make([]rune, n)
 	for i := range b {
 		b[i] = letters[rand.Intn(len(letters))]
 	}
 	return string(b)
 }
 func encodeSHA256(s string) string {
 	enc := sha256.Sum256([]byte(s))
 	return base64.RawURLEncoding.EncodeToString(enc[:])
 }
--- a/main.go
+++ b/main.go
@ -2,13 +2,20 @@ package main
 import (
 	"log"
 	"math/rand"
 	"time"
 	"git.netflux.io/rob/elon-eats-my-tweets/config"
 	"git.netflux.io/rob/elon-eats-my-tweets/httpserver"
 )
 func main() {
-	c := config.NewFromEnv()
+	rand.Seed(time.Now().UnixNano())
 	c, err := config.NewFromEnv()
 	if err != nil {
 		log.Fatal(err)
 	}
 	log.Fatal(httpserver.Start(c))
 }