diff options
| author | Jonas Franz <info@jonasfranz.software> | 2019-03-08 17:42:50 +0100 |
|---|---|---|
| committer | techknowlogick <matti@mdranta.net> | 2019-03-08 11:42:50 -0500 |
| commit | e777c6bdc6f12f9152335f8bfd66b956aedc9957 (patch) | |
| tree | b79c9bc2d4f9402dcd15d993b088840e2fad8a54 /modules/auth | |
| parent | 9d3732dfd512273992855097bba1e909f098db23 (diff) | |
| download | gitea-e777c6bdc6f12f9152335f8bfd66b956aedc9957.tar.gz gitea-e777c6bdc6f12f9152335f8bfd66b956aedc9957.zip | |
Integrate OAuth2 Provider (#5378)
Diffstat (limited to 'modules/auth')
| -rw-r--r-- | modules/auth/auth.go | 33 | ||||
| -rw-r--r-- | modules/auth/user_form.go | 59 |
2 files changed, 91 insertions, 1 deletions
diff --git a/modules/auth/auth.go b/modules/auth/auth.go index f2530fa37c..4be358b737 100644 --- a/modules/auth/auth.go +++ b/modules/auth/auth.go @@ -7,6 +7,7 @@ package auth import ( "reflect" "strings" + "time" "github.com/Unknwon/com" "github.com/go-macaron/binding" @@ -44,7 +45,7 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 { auHead := ctx.Req.Header.Get("Authorization") if len(auHead) > 0 { auths := strings.Fields(auHead) - if len(auths) == 2 && auths[0] == "token" { + if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") { tokenSHA = auths[1] } } @@ -52,6 +53,13 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 { // Let's see if token is valid. if len(tokenSHA) > 0 { + if strings.Contains(tokenSHA, ".") { + uid := checkOAuthAccessToken(tokenSHA) + if uid != 0 { + ctx.Data["IsApiToken"] = true + } + return uid + } t, err := models.GetAccessTokenBySHA(tokenSHA) if err != nil { if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) { @@ -77,6 +85,29 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 { return 0 } +func checkOAuthAccessToken(accessToken string) int64 { + // JWT tokens require a "." + if !strings.Contains(accessToken, ".") { + return 0 + } + token, err := models.ParseOAuth2Token(accessToken) + if err != nil { + log.Trace("ParseOAuth2Token", err) + return 0 + } + var grant *models.OAuth2Grant + if grant, err = models.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil { + return 0 + } + if token.Type != models.TypeAccessToken { + return 0 + } + if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() { + return 0 + } + return grant.UserID +} + // SignedInUser returns the user object of signed user. // It returns a bool value to indicate whether user uses basic auth or not. func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool) { diff --git a/modules/auth/user_form.go b/modules/auth/user_form.go index 3a4df8ea7d..be0f9bf1bf 100644 --- a/modules/auth/user_form.go +++ b/modules/auth/user_form.go @@ -137,6 +137,54 @@ func (f *SignInForm) Validate(ctx *macaron.Context, errs binding.Errors) binding return validate(errs, ctx.Data, f, ctx.Locale) } +// AuthorizationForm form for authorizing oauth2 clients +type AuthorizationForm struct { + ResponseType string `binding:"Required;In(code)"` + ClientID string `binding:"Required"` + RedirectURI string + State string + + // PKCE support + CodeChallengeMethod string // S256, plain + CodeChallenge string +} + +// Validate valideates the fields +func (f *AuthorizationForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors { + return validate(errs, ctx.Data, f, ctx.Locale) +} + +// GrantApplicationForm form for authorizing oauth2 clients +type GrantApplicationForm struct { + ClientID string `binding:"Required"` + RedirectURI string + State string +} + +// Validate valideates the fields +func (f *GrantApplicationForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors { + return validate(errs, ctx.Data, f, ctx.Locale) +} + +// AccessTokenForm for issuing access tokens from authorization codes or refresh tokens +type AccessTokenForm struct { + GrantType string + ClientID string + ClientSecret string + RedirectURI string + // TODO Specify authentication code length to prevent against birthday attacks + Code string + RefreshToken string + + // PKCE support + CodeVerifier string +} + +// Validate valideates the fields +func (f *AccessTokenForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors { + return validate(errs, ctx.Data, f, ctx.Locale) +} + // __________________________________________.___ _______ ________ _________ // / _____/\_ _____/\__ ___/\__ ___/| |\ \ / _____/ / _____/ // \_____ \ | __)_ | | | | | |/ | \/ \ ___ \_____ \ @@ -258,6 +306,17 @@ func (f *NewAccessTokenForm) Validate(ctx *macaron.Context, errs binding.Errors) return validate(errs, ctx.Data, f, ctx.Locale) } +// EditOAuth2ApplicationForm form for editing oauth2 applications +type EditOAuth2ApplicationForm struct { + Name string `binding:"Required;MaxSize(255)" form:"application_name"` + RedirectURI string `binding:"Required" form:"redirect_uri"` +} + +// Validate valideates the fields +func (f *EditOAuth2ApplicationForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors { + return validate(errs, ctx.Data, f, ctx.Locale) +} + // TwoFactorAuthForm for logging in with 2FA token. type TwoFactorAuthForm struct { Passcode string `binding:"Required"` |