mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
11343 Commits
17 Branches
Tree: 024ef3940f
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '024ef3940f'
${ noResults }
gitea/routers/user/oauth.go

oauth.go 19KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package user

  6. 

  7. import (

  8. 	"encoding/base64"

  9. 	"fmt"

  10. 	"html"

  11. 	"net/http"

  12. 	"net/url"

  13. 	"strings"

  14. 

  15. 	"code.gitea.io/gitea/models"

  16. 	"code.gitea.io/gitea/modules/base"

  17. 	"code.gitea.io/gitea/modules/context"

  18. 	"code.gitea.io/gitea/modules/log"

  19. 	"code.gitea.io/gitea/modules/setting"

  20. 	"code.gitea.io/gitea/modules/timeutil"

  21. 	"code.gitea.io/gitea/modules/web"

  22. 	"code.gitea.io/gitea/services/forms"

  23. 

  24. 	"gitea.com/go-chi/binding"

  25. 	"github.com/dgrijalva/jwt-go"

  26. )

  27. 

  28. const (

  29. 	tplGrantAccess base.TplName = "user/auth/grant"

  30. 	tplGrantError  base.TplName = "user/auth/grant_error"

  31. )

  32. 

  33. // TODO move error and responses to SDK or models

  34. 

  35. // AuthorizeErrorCode represents an error code specified in RFC 6749

  36. type AuthorizeErrorCode string

  37. 

  38. const (

  39. 	// ErrorCodeInvalidRequest represents the according error in RFC 6749

  40. 	ErrorCodeInvalidRequest AuthorizeErrorCode = "invalid_request"

  41. 	// ErrorCodeUnauthorizedClient represents the according error in RFC 6749

  42. 	ErrorCodeUnauthorizedClient AuthorizeErrorCode = "unauthorized_client"

  43. 	// ErrorCodeAccessDenied represents the according error in RFC 6749

  44. 	ErrorCodeAccessDenied AuthorizeErrorCode = "access_denied"

  45. 	// ErrorCodeUnsupportedResponseType represents the according error in RFC 6749

  46. 	ErrorCodeUnsupportedResponseType AuthorizeErrorCode = "unsupported_response_type"

  47. 	// ErrorCodeInvalidScope represents the according error in RFC 6749

  48. 	ErrorCodeInvalidScope AuthorizeErrorCode = "invalid_scope"

  49. 	// ErrorCodeServerError represents the according error in RFC 6749

  50. 	ErrorCodeServerError AuthorizeErrorCode = "server_error"

  51. 	// ErrorCodeTemporaryUnavailable represents the according error in RFC 6749

  52. 	ErrorCodeTemporaryUnavailable AuthorizeErrorCode = "temporarily_unavailable"

  53. )

  54. 

  55. // AuthorizeError represents an error type specified in RFC 6749

  56. type AuthorizeError struct {

  57. 	ErrorCode        AuthorizeErrorCode `json:"error" form:"error"`

  58. 	ErrorDescription string

  59. 	State            string

  60. }

  61. 

  62. // Error returns the error message

  63. func (err AuthorizeError) Error() string {

  64. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)

  65. }

  66. 

  67. // AccessTokenErrorCode represents an error code specified in RFC 6749

  68. type AccessTokenErrorCode string

  69. 

  70. const (

  71. 	// AccessTokenErrorCodeInvalidRequest represents an error code specified in RFC 6749

  72. 	AccessTokenErrorCodeInvalidRequest AccessTokenErrorCode = "invalid_request"

  73. 	// AccessTokenErrorCodeInvalidClient represents an error code specified in RFC 6749

  74. 	AccessTokenErrorCodeInvalidClient = "invalid_client"

  75. 	// AccessTokenErrorCodeInvalidGrant represents an error code specified in RFC 6749

  76. 	AccessTokenErrorCodeInvalidGrant = "invalid_grant"

  77. 	// AccessTokenErrorCodeUnauthorizedClient represents an error code specified in RFC 6749

  78. 	AccessTokenErrorCodeUnauthorizedClient = "unauthorized_client"

  79. 	// AccessTokenErrorCodeUnsupportedGrantType represents an error code specified in RFC 6749

  80. 	AccessTokenErrorCodeUnsupportedGrantType = "unsupported_grant_type"

  81. 	// AccessTokenErrorCodeInvalidScope represents an error code specified in RFC 6749

  82. 	AccessTokenErrorCodeInvalidScope = "invalid_scope"

  83. )

  84. 

  85. // AccessTokenError represents an error response specified in RFC 6749

  86. type AccessTokenError struct {

  87. 	ErrorCode        AccessTokenErrorCode `json:"error" form:"error"`

  88. 	ErrorDescription string               `json:"error_description"`

  89. }

  90. 

  91. // Error returns the error message

  92. func (err AccessTokenError) Error() string {

  93. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)

  94. }

  95. 

  96. // TokenType specifies the kind of token

  97. type TokenType string

  98. 

  99. const (

  100. 	// TokenTypeBearer represents a token type specified in RFC 6749

  101. 	TokenTypeBearer TokenType = "bearer"

  102. 	// TokenTypeMAC represents a token type specified in RFC 6749

  103. 	TokenTypeMAC = "mac"

  104. )

  105. 

  106. // AccessTokenResponse represents a successful access token response

  107. type AccessTokenResponse struct {

  108. 	AccessToken  string    `json:"access_token"`

  109. 	TokenType    TokenType `json:"token_type"`

  110. 	ExpiresIn    int64     `json:"expires_in"`

  111. 	RefreshToken string    `json:"refresh_token"`

  112. 	IDToken      string    `json:"id_token,omitempty"`

  113. }

  114. 

  115. func newAccessTokenResponse(grant *models.OAuth2Grant, clientSecret string) (*AccessTokenResponse, *AccessTokenError) {

  116. 	if setting.OAuth2.InvalidateRefreshTokens {

  117. 		if err := grant.IncreaseCounter(); err != nil {

  118. 			return nil, &AccessTokenError{

  119. 				ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  120. 				ErrorDescription: "cannot increase the grant counter",

  121. 			}

  122. 		}

  123. 	}

  124. 	// generate access token to access the API

  125. 	expirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime)

  126. 	accessToken := &models.OAuth2Token{

  127. 		GrantID: grant.ID,

  128. 		Type:    models.TypeAccessToken,

  129. 		StandardClaims: jwt.StandardClaims{

  130. 			ExpiresAt: expirationDate.AsTime().Unix(),

  131. 		},

  132. 	}

  133. 	signedAccessToken, err := accessToken.SignToken()

  134. 	if err != nil {

  135. 		return nil, &AccessTokenError{

  136. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  137. 			ErrorDescription: "cannot sign token",

  138. 		}

  139. 	}

  140. 

  141. 	// generate refresh token to request an access token after it expired later

  142. 	refreshExpirationDate := timeutil.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime().Unix()

  143. 	refreshToken := &models.OAuth2Token{

  144. 		GrantID: grant.ID,

  145. 		Counter: grant.Counter,

  146. 		Type:    models.TypeRefreshToken,

  147. 		StandardClaims: jwt.StandardClaims{

  148. 			ExpiresAt: refreshExpirationDate,

  149. 		},

  150. 	}

  151. 	signedRefreshToken, err := refreshToken.SignToken()

  152. 	if err != nil {

  153. 		return nil, &AccessTokenError{

  154. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  155. 			ErrorDescription: "cannot sign token",

  156. 		}

  157. 	}

  158. 

  159. 	// generate OpenID Connect id_token

  160. 	signedIDToken := ""

  161. 	if grant.ScopeContains("openid") {

  162. 		app, err := models.GetOAuth2ApplicationByID(grant.ApplicationID)

  163. 		if err != nil {

  164. 			return nil, &AccessTokenError{

  165. 				ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  166. 				ErrorDescription: "cannot find application",

  167. 			}

  168. 		}

  169. 		idToken := &models.OIDCToken{

  170. 			StandardClaims: jwt.StandardClaims{

  171. 				ExpiresAt: expirationDate.AsTime().Unix(),

  172. 				Issuer:    setting.AppURL,

  173. 				Audience:  app.ClientID,

  174. 				Subject:   fmt.Sprint(grant.UserID),

  175. 			},

  176. 			Nonce: grant.Nonce,

  177. 		}

  178. 		signedIDToken, err = idToken.SignToken(clientSecret)

  179. 		if err != nil {

  180. 			return nil, &AccessTokenError{

  181. 				ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  182. 				ErrorDescription: "cannot sign token",

  183. 			}

  184. 		}

  185. 	}

  186. 

  187. 	return &AccessTokenResponse{

  188. 		AccessToken:  signedAccessToken,

  189. 		TokenType:    TokenTypeBearer,

  190. 		ExpiresIn:    setting.OAuth2.AccessTokenExpirationTime,

  191. 		RefreshToken: signedRefreshToken,

  192. 		IDToken:      signedIDToken,

  193. 	}, nil

  194. }

  195. 

  196. // AuthorizeOAuth manages authorize requests

  197. func AuthorizeOAuth(ctx *context.Context) {

  198. 	form := web.GetForm(ctx).(*forms.AuthorizationForm)

  199. 	errs := binding.Errors{}

  200. 	errs = form.Validate(ctx.Req, errs)

  201. 	if len(errs) > 0 {

  202. 		errstring := ""

  203. 		for _, e := range errs {

  204. 			errstring += e.Error() + "\n"

  205. 		}

  206. 		ctx.ServerError("AuthorizeOAuth: Validate: ", fmt.Errorf("errors occurred during validation: %s", errstring))

  207. 		return

  208. 	}

  209. 

  210. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  211. 	if err != nil {

  212. 		if models.IsErrOauthClientIDInvalid(err) {

  213. 			handleAuthorizeError(ctx, AuthorizeError{

  214. 				ErrorCode:        ErrorCodeUnauthorizedClient,

  215. 				ErrorDescription: "Client ID not registered",

  216. 				State:            form.State,

  217. 			}, "")

  218. 			return

  219. 		}

  220. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)

  221. 		return

  222. 	}

  223. 	if err := app.LoadUser(); err != nil {

  224. 		ctx.ServerError("LoadUser", err)

  225. 		return

  226. 	}

  227. 

  228. 	if !app.ContainsRedirectURI(form.RedirectURI) {

  229. 		handleAuthorizeError(ctx, AuthorizeError{

  230. 			ErrorCode:        ErrorCodeInvalidRequest,

  231. 			ErrorDescription: "Unregistered Redirect URI",

  232. 			State:            form.State,

  233. 		}, "")

  234. 		return

  235. 	}

  236. 

  237. 	if form.ResponseType != "code" {

  238. 		handleAuthorizeError(ctx, AuthorizeError{

  239. 			ErrorCode:        ErrorCodeUnsupportedResponseType,

  240. 			ErrorDescription: "Only code response type is supported.",

  241. 			State:            form.State,

  242. 		}, form.RedirectURI)

  243. 		return

  244. 	}

  245. 

  246. 	// pkce support

  247. 	switch form.CodeChallengeMethod {

  248. 	case "S256":

  249. 	case "plain":

  250. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {

  251. 			handleAuthorizeError(ctx, AuthorizeError{

  252. 				ErrorCode:        ErrorCodeServerError,

  253. 				ErrorDescription: "cannot set code challenge method",

  254. 				State:            form.State,

  255. 			}, form.RedirectURI)

  256. 			return

  257. 		}

  258. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallenge); err != nil {

  259. 			handleAuthorizeError(ctx, AuthorizeError{

  260. 				ErrorCode:        ErrorCodeServerError,

  261. 				ErrorDescription: "cannot set code challenge",

  262. 				State:            form.State,

  263. 			}, form.RedirectURI)

  264. 			return

  265. 		}

  266. 		// Here we're just going to try to release the session early

  267. 		if err := ctx.Session.Release(); err != nil {

  268. 			// we'll tolerate errors here as they *should* get saved elsewhere

  269. 			log.Error("Unable to save changes to the session: %v", err)

  270. 		}

  271. 	case "":

  272. 		break

  273. 	default:

  274. 		handleAuthorizeError(ctx, AuthorizeError{

  275. 			ErrorCode:        ErrorCodeInvalidRequest,

  276. 			ErrorDescription: "unsupported code challenge method",

  277. 			State:            form.State,

  278. 		}, form.RedirectURI)

  279. 		return

  280. 	}

  281. 

  282. 	grant, err := app.GetGrantByUserID(ctx.User.ID)

  283. 	if err != nil {

  284. 		handleServerError(ctx, form.State, form.RedirectURI)

  285. 		return

  286. 	}

  287. 

  288. 	// Redirect if user already granted access

  289. 	if grant != nil {

  290. 		code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)

  291. 		if err != nil {

  292. 			handleServerError(ctx, form.State, form.RedirectURI)

  293. 			return

  294. 		}

  295. 		redirect, err := code.GenerateRedirectURI(form.State)

  296. 		if err != nil {

  297. 			handleServerError(ctx, form.State, form.RedirectURI)

  298. 			return

  299. 		}

  300. 		// Update nonce to reflect the new session

  301. 		if len(form.Nonce) > 0 {

  302. 			err := grant.SetNonce(form.Nonce)

  303. 			if err != nil {

  304. 				log.Error("Unable to update nonce: %v", err)

  305. 			}

  306. 		}

  307. 		ctx.Redirect(redirect.String(), 302)

  308. 		return

  309. 	}

  310. 

  311. 	// show authorize page to grant access

  312. 	ctx.Data["Application"] = app

  313. 	ctx.Data["RedirectURI"] = form.RedirectURI

  314. 	ctx.Data["State"] = form.State

  315. 	ctx.Data["Scope"] = form.Scope

  316. 	ctx.Data["Nonce"] = form.Nonce

  317. 	ctx.Data["ApplicationUserLink"] = "<a href=\"" + html.EscapeString(setting.AppURL) + html.EscapeString(url.PathEscape(app.User.LowerName)) + "\">@" + html.EscapeString(app.User.Name) + "</a>"

  318. 	ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + html.EscapeString(form.RedirectURI) + "</strong>"

  319. 	// TODO document SESSION <=> FORM

  320. 	err = ctx.Session.Set("client_id", app.ClientID)

  321. 	if err != nil {

  322. 		handleServerError(ctx, form.State, form.RedirectURI)

  323. 		log.Error(err.Error())

  324. 		return

  325. 	}

  326. 	err = ctx.Session.Set("redirect_uri", form.RedirectURI)

  327. 	if err != nil {

  328. 		handleServerError(ctx, form.State, form.RedirectURI)

  329. 		log.Error(err.Error())

  330. 		return

  331. 	}

  332. 	err = ctx.Session.Set("state", form.State)

  333. 	if err != nil {

  334. 		handleServerError(ctx, form.State, form.RedirectURI)

  335. 		log.Error(err.Error())

  336. 		return

  337. 	}

  338. 	// Here we're just going to try to release the session early

  339. 	if err := ctx.Session.Release(); err != nil {

  340. 		// we'll tolerate errors here as they *should* get saved elsewhere

  341. 		log.Error("Unable to save changes to the session: %v", err)

  342. 	}

  343. 	ctx.HTML(http.StatusOK, tplGrantAccess)

  344. }

  345. 

  346. // GrantApplicationOAuth manages the post request submitted when a user grants access to an application

  347. func GrantApplicationOAuth(ctx *context.Context) {

  348. 	form := web.GetForm(ctx).(*forms.GrantApplicationForm)

  349. 	if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||

  350. 		ctx.Session.Get("redirect_uri") != form.RedirectURI {

  351. 		ctx.Error(http.StatusBadRequest)

  352. 		return

  353. 	}

  354. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  355. 	if err != nil {

  356. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)

  357. 		return

  358. 	}

  359. 	grant, err := app.CreateGrant(ctx.User.ID, form.Scope)

  360. 	if err != nil {

  361. 		handleAuthorizeError(ctx, AuthorizeError{

  362. 			State:            form.State,

  363. 			ErrorDescription: "cannot create grant for user",

  364. 			ErrorCode:        ErrorCodeServerError,

  365. 		}, form.RedirectURI)

  366. 		return

  367. 	}

  368. 	if len(form.Nonce) > 0 {

  369. 		err := grant.SetNonce(form.Nonce)

  370. 		if err != nil {

  371. 			log.Error("Unable to update nonce: %v", err)

  372. 		}

  373. 	}

  374. 

  375. 	var codeChallenge, codeChallengeMethod string

  376. 	codeChallenge, _ = ctx.Session.Get("CodeChallenge").(string)

  377. 	codeChallengeMethod, _ = ctx.Session.Get("CodeChallengeMethod").(string)

  378. 

  379. 	code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, codeChallenge, codeChallengeMethod)

  380. 	if err != nil {

  381. 		handleServerError(ctx, form.State, form.RedirectURI)

  382. 		return

  383. 	}

  384. 	redirect, err := code.GenerateRedirectURI(form.State)

  385. 	if err != nil {

  386. 		handleServerError(ctx, form.State, form.RedirectURI)

  387. 		return

  388. 	}

  389. 	ctx.Redirect(redirect.String(), 302)

  390. }

  391. 

  392. // OIDCWellKnown generates JSON so OIDC clients know Gitea's capabilities

  393. func OIDCWellKnown(ctx *context.Context) {

  394. 	t := ctx.Render.TemplateLookup("user/auth/oidc_wellknown")

  395. 	ctx.Resp.Header().Set("Content-Type", "application/json")

  396. 	if err := t.Execute(ctx.Resp, ctx.Data); err != nil {

  397. 		log.Error("%v", err)

  398. 		ctx.Error(http.StatusInternalServerError)

  399. 	}

  400. }

  401. 

  402. // AccessTokenOAuth manages all access token requests by the client

  403. func AccessTokenOAuth(ctx *context.Context) {

  404. 	form := *web.GetForm(ctx).(*forms.AccessTokenForm)

  405. 	if form.ClientID == "" {

  406. 		authHeader := ctx.Req.Header.Get("Authorization")

  407. 		authContent := strings.SplitN(authHeader, " ", 2)

  408. 		if len(authContent) == 2 && authContent[0] == "Basic" {

  409. 			payload, err := base64.StdEncoding.DecodeString(authContent[1])

  410. 			if err != nil {

  411. 				handleAccessTokenError(ctx, AccessTokenError{

  412. 					ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  413. 					ErrorDescription: "cannot parse basic auth header",

  414. 				})

  415. 				return

  416. 			}

  417. 			pair := strings.SplitN(string(payload), ":", 2)

  418. 			if len(pair) != 2 {

  419. 				handleAccessTokenError(ctx, AccessTokenError{

  420. 					ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  421. 					ErrorDescription: "cannot parse basic auth header",

  422. 				})

  423. 				return

  424. 			}

  425. 			form.ClientID = pair[0]

  426. 			form.ClientSecret = pair[1]

  427. 		}

  428. 	}

  429. 	switch form.GrantType {

  430. 	case "refresh_token":

  431. 		handleRefreshToken(ctx, form)

  432. 		return

  433. 	case "authorization_code":

  434. 		handleAuthorizationCode(ctx, form)

  435. 		return

  436. 	default:

  437. 		handleAccessTokenError(ctx, AccessTokenError{

  438. 			ErrorCode:        AccessTokenErrorCodeUnsupportedGrantType,

  439. 			ErrorDescription: "Only refresh_token or authorization_code grant type is supported",

  440. 		})

  441. 	}

  442. }

  443. 

  444. func handleRefreshToken(ctx *context.Context, form forms.AccessTokenForm) {

  445. 	token, err := models.ParseOAuth2Token(form.RefreshToken)

  446. 	if err != nil {

  447. 		handleAccessTokenError(ctx, AccessTokenError{

  448. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  449. 			ErrorDescription: "client is not authorized",

  450. 		})

  451. 		return

  452. 	}

  453. 	// get grant before increasing counter

  454. 	grant, err := models.GetOAuth2GrantByID(token.GrantID)

  455. 	if err != nil || grant == nil {

  456. 		handleAccessTokenError(ctx, AccessTokenError{

  457. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  458. 			ErrorDescription: "grant does not exist",

  459. 		})

  460. 		return

  461. 	}

  462. 

  463. 	// check if token got already used

  464. 	if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) {

  465. 		handleAccessTokenError(ctx, AccessTokenError{

  466. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  467. 			ErrorDescription: "token was already used",

  468. 		})

  469. 		log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)

  470. 		return

  471. 	}

  472. 	accessToken, tokenErr := newAccessTokenResponse(grant, form.ClientSecret)

  473. 	if tokenErr != nil {

  474. 		handleAccessTokenError(ctx, *tokenErr)

  475. 		return

  476. 	}

  477. 	ctx.JSON(http.StatusOK, accessToken)

  478. }

  479. 

  480. func handleAuthorizationCode(ctx *context.Context, form forms.AccessTokenForm) {

  481. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  482. 	if err != nil {

  483. 		handleAccessTokenError(ctx, AccessTokenError{

  484. 			ErrorCode:        AccessTokenErrorCodeInvalidClient,

  485. 			ErrorDescription: fmt.Sprintf("cannot load client with client id: '%s'", form.ClientID),

  486. 		})

  487. 		return

  488. 	}

  489. 	if !app.ValidateClientSecret([]byte(form.ClientSecret)) {

  490. 		handleAccessTokenError(ctx, AccessTokenError{

  491. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  492. 			ErrorDescription: "client is not authorized",

  493. 		})

  494. 		return

  495. 	}

  496. 	if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) {

  497. 		handleAccessTokenError(ctx, AccessTokenError{

  498. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  499. 			ErrorDescription: "client is not authorized",

  500. 		})

  501. 		return

  502. 	}

  503. 	authorizationCode, err := models.GetOAuth2AuthorizationByCode(form.Code)

  504. 	if err != nil || authorizationCode == nil {

  505. 		handleAccessTokenError(ctx, AccessTokenError{

  506. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  507. 			ErrorDescription: "client is not authorized",

  508. 		})

  509. 		return

  510. 	}

  511. 	// check if code verifier authorizes the client, PKCE support

  512. 	if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) {

  513. 		handleAccessTokenError(ctx, AccessTokenError{

  514. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  515. 			ErrorDescription: "client is not authorized",

  516. 		})

  517. 		return

  518. 	}

  519. 	// check if granted for this application

  520. 	if authorizationCode.Grant.ApplicationID != app.ID {

  521. 		handleAccessTokenError(ctx, AccessTokenError{

  522. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  523. 			ErrorDescription: "invalid grant",

  524. 		})

  525. 		return

  526. 	}

  527. 	// remove token from database to deny duplicate usage

  528. 	if err := authorizationCode.Invalidate(); err != nil {

  529. 		handleAccessTokenError(ctx, AccessTokenError{

  530. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  531. 			ErrorDescription: "cannot proceed your request",

  532. 		})

  533. 	}

  534. 	resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant, form.ClientSecret)

  535. 	if tokenErr != nil {

  536. 		handleAccessTokenError(ctx, *tokenErr)

  537. 		return

  538. 	}

  539. 	// send successful response

  540. 	ctx.JSON(http.StatusOK, resp)

  541. }

  542. 

  543. func handleAccessTokenError(ctx *context.Context, acErr AccessTokenError) {

  544. 	ctx.JSON(http.StatusBadRequest, acErr)

  545. }

  546. 

  547. func handleServerError(ctx *context.Context, state string, redirectURI string) {

  548. 	handleAuthorizeError(ctx, AuthorizeError{

  549. 		ErrorCode:        ErrorCodeServerError,

  550. 		ErrorDescription: "A server error occurred",

  551. 		State:            state,

  552. 	}, redirectURI)

  553. }

  554. 

  555. func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirectURI string) {

  556. 	if redirectURI == "" {

  557. 		log.Warn("Authorization failed: %v", authErr.ErrorDescription)

  558. 		ctx.Data["Error"] = authErr

  559. 		ctx.HTML(400, tplGrantError)

  560. 		return

  561. 	}

  562. 	redirect, err := url.Parse(redirectURI)

  563. 	if err != nil {

  564. 		ctx.ServerError("url.Parse", err)

  565. 		return

  566. 	}

  567. 	q := redirect.Query()

  568. 	q.Set("error", string(authErr.ErrorCode))

  569. 	q.Set("error_description", authErr.ErrorDescription)

  570. 	q.Set("state", authErr.State)

  571. 	redirect.RawQuery = q.Encode()

  572. 	ctx.Redirect(redirect.String(), 302)

  573. }