| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163 |
- package oauth
-
- import (
- "bytes"
- "fmt"
- "math"
- "net/http"
- "net/url"
- "strconv"
- "strings"
- )
-
- //
- // OAuth1 2-legged provider
- // Contributed by https://github.com/jacobpgallagher
- //
-
- // Provide an buffer reader which implements the Close() interface
- type oauthBufferReader struct {
- *bytes.Buffer
- }
-
- // So that it implements the io.ReadCloser interface
- func (m oauthBufferReader) Close() error { return nil }
-
- type ConsumerGetter func(key string, header map[string]string) (*Consumer, error)
-
- // Provider provides methods for a 2-legged Oauth1 provider
- type Provider struct {
- ConsumerGetter ConsumerGetter
-
- // For mocking
- clock clock
- }
-
- // NewProvider takes a function to get the consumer secret from a datastore.
- // Returns a Provider
- func NewProvider(secretGetter ConsumerGetter) *Provider {
- provider := &Provider{
- secretGetter,
- &defaultClock{},
- }
- return provider
- }
-
- // Combine a URL and Request to make the URL absolute
- func makeURLAbs(url *url.URL, request *http.Request) {
- if !url.IsAbs() {
- url.Host = request.Host
- if request.TLS != nil || request.Header.Get("X-Forwarded-Proto") == "https" {
- url.Scheme = "https"
- } else {
- url.Scheme = "http"
- }
- }
- }
-
- // IsAuthorized takes an *http.Request and returns a pointer to a string containing the consumer key,
- // or nil if not authorized
- func (provider *Provider) IsAuthorized(request *http.Request) (*string, error) {
- var err error
- var userParams map[string]string
-
- // start with the body/query params
- userParams, err = parseBody(request)
- if err != nil {
- return nil, err
- }
-
- // if the oauth params are in the Authorization header, grab them, and
- // let them override what's in userParams
- authHeader := request.Header.Get(HTTP_AUTH_HEADER)
- if len(authHeader) > 6 && strings.EqualFold(OAUTH_HEADER, authHeader[0:6]) {
- authHeader = authHeader[6:]
- params := strings.Split(authHeader, ",")
- for _, param := range params {
- vals := strings.SplitN(param, "=", 2)
- k := strings.Trim(vals[0], " ")
- v := strings.Trim(strings.Trim(vals[1], "\""), " ")
- if strings.HasPrefix(k, "oauth") {
- userParams[k], err = url.QueryUnescape(v)
- if err != nil {
- return nil, err
- }
- }
- }
- }
-
- // pop the request's signature, it's not included in our signature
- // calculation
- oauthSignature, ok := userParams[SIGNATURE_PARAM]
- if !ok {
- return nil, fmt.Errorf("no oauth signature")
- }
- delete(userParams, SIGNATURE_PARAM)
-
- // get the oauth consumer key
- consumerKey, ok := userParams[CONSUMER_KEY_PARAM]
- if !ok || consumerKey == "" {
- return nil, fmt.Errorf("no consumer key")
- }
-
- // use it to create a consumer object
- consumer, err := provider.ConsumerGetter(consumerKey, userParams)
- if err != nil {
- return nil, err
- }
-
- // Make sure timestamp is no more than 10 digits
- timestamp := userParams[TIMESTAMP_PARAM]
- if len(timestamp) > 10 {
- timestamp = timestamp[0:10]
- }
-
- // Check the timestamp
- if !consumer.serviceProvider.IgnoreTimestamp {
- oauthTimeNumber, err := strconv.Atoi(timestamp)
- if err != nil {
- return nil, err
- }
-
- if math.Abs(float64(int64(oauthTimeNumber)-provider.clock.Seconds())) > 5*60 {
- return nil, fmt.Errorf("too much clock skew")
- }
- }
-
- // Include the query string params in the base string
- if consumer.serviceProvider.SignQueryParams {
- for k, v := range request.URL.Query() {
- userParams[k] = strings.Join(v, "")
- }
- }
-
- // if our consumer supports bodyhash, check it
- if consumer.serviceProvider.BodyHash {
- bodyHash, err := calculateBodyHash(request, consumer.signer)
- if err != nil {
- return nil, err
- }
-
- sentHash, ok := userParams[BODY_HASH_PARAM]
-
- if bodyHash == "" && ok {
- return nil, fmt.Errorf("body_hash must not be set")
- } else if sentHash != bodyHash {
- return nil, fmt.Errorf("body_hash mismatch")
- }
- }
-
- allParams := NewOrderedParams()
- for key, value := range userParams {
- allParams.Add(key, value)
- }
-
- makeURLAbs(request.URL, request)
- baseString := consumer.requestString(request.Method, canonicalizeUrl(request.URL), allParams)
- err = consumer.signer.Verify(baseString, oauthSignature)
- if err != nil {
- return nil, err
- }
-
- return &consumerKey, nil
- }
|
