mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10395 Commits
17 Branches
Tree: 7974b34183
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '7974b34183'
${ noResults }
gitea/modules/auth/oauth2/oauth2.go

oauth2.go 9.3KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286 
  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package oauth2

  6. 

  7. import (

  8. 	"net/http"

  9. 	"net/url"

  10. 

  11. 	"code.gitea.io/gitea/modules/log"

  12. 	"code.gitea.io/gitea/modules/setting"

  13. 

  14. 	uuid "github.com/google/uuid"

  15. 	"github.com/lafriks/xormstore"

  16. 	"github.com/markbates/goth"

  17. 	"github.com/markbates/goth/gothic"

  18. 	"github.com/markbates/goth/providers/bitbucket"

  19. 	"github.com/markbates/goth/providers/discord"

  20. 	"github.com/markbates/goth/providers/dropbox"

  21. 	"github.com/markbates/goth/providers/facebook"

  22. 	"github.com/markbates/goth/providers/gitea"

  23. 	"github.com/markbates/goth/providers/github"

  24. 	"github.com/markbates/goth/providers/gitlab"

  25. 	"github.com/markbates/goth/providers/google"

  26. 	"github.com/markbates/goth/providers/mastodon"

  27. 	"github.com/markbates/goth/providers/nextcloud"

  28. 	"github.com/markbates/goth/providers/openidConnect"

  29. 	"github.com/markbates/goth/providers/twitter"

  30. 	"github.com/markbates/goth/providers/yandex"

  31. 	"xorm.io/xorm"

  32. )

  33. 

  34. var (

  35. 	sessionUsersStoreKey = "gitea-oauth2-sessions"

  36. 	providerHeaderKey    = "gitea-oauth2-provider"

  37. )

  38. 

  39. // CustomURLMapping describes the urls values to use when customizing OAuth2 provider URLs

  40. type CustomURLMapping struct {

  41. 	AuthURL    string

  42. 	TokenURL   string

  43. 	ProfileURL string

  44. 	EmailURL   string

  45. }

  46. 

  47. // Init initialize the setup of the OAuth2 library

  48. func Init(x *xorm.Engine) error {

  49. 	store, err := xormstore.NewOptions(x, xormstore.Options{

  50. 		TableName: "oauth2_session",

  51. 	}, []byte(sessionUsersStoreKey))

  52. 

  53. 	if err != nil {

  54. 		return err

  55. 	}

  56. 	// according to the Goth lib:

  57. 	// set the maxLength of the cookies stored on the disk to a larger number to prevent issues with:

  58. 	// securecookie: the value is too long

  59. 	// when using OpenID Connect , since this can contain a large amount of extra information in the id_token

  60. 

  61. 	// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk

  62. 	store.MaxLength(setting.OAuth2.MaxTokenLength)

  63. 	gothic.Store = store

  64. 

  65. 	gothic.SetState = func(req *http.Request) string {

  66. 		return uuid.New().String()

  67. 	}

  68. 

  69. 	gothic.GetProviderName = func(req *http.Request) (string, error) {

  70. 		return req.Header.Get(providerHeaderKey), nil

  71. 	}

  72. 

  73. 	return nil

  74. }

  75. 

  76. // Auth OAuth2 auth service

  77. func Auth(provider string, request *http.Request, response http.ResponseWriter) error {

  78. 	// not sure if goth is thread safe (?) when using multiple providers

  79. 	request.Header.Set(providerHeaderKey, provider)

  80. 

  81. 	// don't use the default gothic begin handler to prevent issues when some error occurs

  82. 	// normally the gothic library will write some custom stuff to the response instead of our own nice error page

  83. 	//gothic.BeginAuthHandler(response, request)

  84. 

  85. 	url, err := gothic.GetAuthURL(response, request)

  86. 	if err == nil {

  87. 		http.Redirect(response, request, url, http.StatusTemporaryRedirect)

  88. 	}

  89. 	return err

  90. }

  91. 

  92. // ProviderCallback handles OAuth callback, resolve to a goth user and send back to original url

  93. // this will trigger a new authentication request, but because we save it in the session we can use that

  94. func ProviderCallback(provider string, request *http.Request, response http.ResponseWriter) (goth.User, error) {

  95. 	// not sure if goth is thread safe (?) when using multiple providers

  96. 	request.Header.Set(providerHeaderKey, provider)

  97. 

  98. 	user, err := gothic.CompleteUserAuth(response, request)

  99. 	if err != nil {

  100. 		return user, err

  101. 	}

  102. 

  103. 	return user, nil

  104. }

  105. 

  106. // RegisterProvider register a OAuth2 provider in goth lib

  107. func RegisterProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) error {

  108. 	provider, err := createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL, customURLMapping)

  109. 

  110. 	if err == nil && provider != nil {

  111. 		goth.UseProviders(provider)

  112. 	}

  113. 

  114. 	return err

  115. }

  116. 

  117. // RemoveProvider removes the given OAuth2 provider from the goth lib

  118. func RemoveProvider(providerName string) {

  119. 	delete(goth.GetProviders(), providerName)

  120. }

  121. 

  122. // used to create different types of goth providers

  123. func createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) (goth.Provider, error) {

  124. 	callbackURL := setting.AppURL + "user/oauth2/" + url.PathEscape(providerName) + "/callback"

  125. 

  126. 	var provider goth.Provider

  127. 	var err error

  128. 

  129. 	switch providerType {

  130. 	case "bitbucket":

  131. 		provider = bitbucket.New(clientID, clientSecret, callbackURL, "account")

  132. 	case "dropbox":

  133. 		provider = dropbox.New(clientID, clientSecret, callbackURL)

  134. 	case "facebook":

  135. 		provider = facebook.New(clientID, clientSecret, callbackURL, "email")

  136. 	case "github":

  137. 		authURL := github.AuthURL

  138. 		tokenURL := github.TokenURL

  139. 		profileURL := github.ProfileURL

  140. 		emailURL := github.EmailURL

  141. 		if customURLMapping != nil {

  142. 			if len(customURLMapping.AuthURL) > 0 {

  143. 				authURL = customURLMapping.AuthURL

  144. 			}

  145. 			if len(customURLMapping.TokenURL) > 0 {

  146. 				tokenURL = customURLMapping.TokenURL

  147. 			}

  148. 			if len(customURLMapping.ProfileURL) > 0 {

  149. 				profileURL = customURLMapping.ProfileURL

  150. 			}

  151. 			if len(customURLMapping.EmailURL) > 0 {

  152. 				emailURL = customURLMapping.EmailURL

  153. 			}

  154. 		}

  155. 		provider = github.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, emailURL)

  156. 	case "gitlab":

  157. 		authURL := gitlab.AuthURL

  158. 		tokenURL := gitlab.TokenURL

  159. 		profileURL := gitlab.ProfileURL

  160. 		if customURLMapping != nil {

  161. 			if len(customURLMapping.AuthURL) > 0 {

  162. 				authURL = customURLMapping.AuthURL

  163. 			}

  164. 			if len(customURLMapping.TokenURL) > 0 {

  165. 				tokenURL = customURLMapping.TokenURL

  166. 			}

  167. 			if len(customURLMapping.ProfileURL) > 0 {

  168. 				profileURL = customURLMapping.ProfileURL

  169. 			}

  170. 		}

  171. 		provider = gitlab.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, "read_user")

  172. 	case "gplus": // named gplus due to legacy gplus -> google migration (Google killed Google+). This ensures old connections still work

  173. 		provider = google.New(clientID, clientSecret, callbackURL)

  174. 	case "openidConnect":

  175. 		if provider, err = openidConnect.New(clientID, clientSecret, callbackURL, openIDConnectAutoDiscoveryURL); err != nil {

  176. 			log.Warn("Failed to create OpenID Connect Provider with name '%s' with url '%s': %v", providerName, openIDConnectAutoDiscoveryURL, err)

  177. 		}

  178. 	case "twitter":

  179. 		provider = twitter.NewAuthenticate(clientID, clientSecret, callbackURL)

  180. 	case "discord":

  181. 		provider = discord.New(clientID, clientSecret, callbackURL, discord.ScopeIdentify, discord.ScopeEmail)

  182. 	case "gitea":

  183. 		authURL := gitea.AuthURL

  184. 		tokenURL := gitea.TokenURL

  185. 		profileURL := gitea.ProfileURL

  186. 		if customURLMapping != nil {

  187. 			if len(customURLMapping.AuthURL) > 0 {

  188. 				authURL = customURLMapping.AuthURL

  189. 			}

  190. 			if len(customURLMapping.TokenURL) > 0 {

  191. 				tokenURL = customURLMapping.TokenURL

  192. 			}

  193. 			if len(customURLMapping.ProfileURL) > 0 {

  194. 				profileURL = customURLMapping.ProfileURL

  195. 			}

  196. 		}

  197. 		provider = gitea.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL)

  198. 	case "nextcloud":

  199. 		authURL := nextcloud.AuthURL

  200. 		tokenURL := nextcloud.TokenURL

  201. 		profileURL := nextcloud.ProfileURL

  202. 		if customURLMapping != nil {

  203. 			if len(customURLMapping.AuthURL) > 0 {

  204. 				authURL = customURLMapping.AuthURL

  205. 			}

  206. 			if len(customURLMapping.TokenURL) > 0 {

  207. 				tokenURL = customURLMapping.TokenURL

  208. 			}

  209. 			if len(customURLMapping.ProfileURL) > 0 {

  210. 				profileURL = customURLMapping.ProfileURL

  211. 			}

  212. 		}

  213. 		provider = nextcloud.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL)

  214. 	case "yandex":

  215. 		// See https://tech.yandex.com/passport/doc/dg/reference/response-docpage/

  216. 		provider = yandex.New(clientID, clientSecret, callbackURL, "login:email", "login:info", "login:avatar")

  217. 	case "mastodon":

  218. 		instanceURL := mastodon.InstanceURL

  219. 		if customURLMapping != nil && len(customURLMapping.AuthURL) > 0 {

  220. 			instanceURL = customURLMapping.AuthURL

  221. 		}

  222. 		provider = mastodon.NewCustomisedURL(clientID, clientSecret, callbackURL, instanceURL)

  223. 	}

  224. 

  225. 	// always set the name if provider is created so we can support multiple setups of 1 provider

  226. 	if err == nil && provider != nil {

  227. 		provider.SetName(providerName)

  228. 	}

  229. 

  230. 	return provider, err

  231. }

  232. 

  233. // GetDefaultTokenURL return the default token url for the given provider

  234. func GetDefaultTokenURL(provider string) string {

  235. 	switch provider {

  236. 	case "github":

  237. 		return github.TokenURL

  238. 	case "gitlab":

  239. 		return gitlab.TokenURL

  240. 	case "gitea":

  241. 		return gitea.TokenURL

  242. 	case "nextcloud":

  243. 		return nextcloud.TokenURL

  244. 	}

  245. 	return ""

  246. }

  247. 

  248. // GetDefaultAuthURL return the default authorize url for the given provider

  249. func GetDefaultAuthURL(provider string) string {

  250. 	switch provider {

  251. 	case "github":

  252. 		return github.AuthURL

  253. 	case "gitlab":

  254. 		return gitlab.AuthURL

  255. 	case "gitea":

  256. 		return gitea.AuthURL

  257. 	case "nextcloud":

  258. 		return nextcloud.AuthURL

  259. 	case "mastodon":

  260. 		return mastodon.InstanceURL

  261. 	}

  262. 	return ""

  263. }

  264. 

  265. // GetDefaultProfileURL return the default profile url for the given provider

  266. func GetDefaultProfileURL(provider string) string {

  267. 	switch provider {

  268. 	case "github":

  269. 		return github.ProfileURL

  270. 	case "gitlab":

  271. 		return gitlab.ProfileURL

  272. 	case "gitea":

  273. 		return gitea.ProfileURL

  274. 	case "nextcloud":

  275. 		return nextcloud.ProfileURL

  276. 	}

  277. 	return ""

  278. }

  279. 

  280. // GetDefaultEmailURL return the default email url for the given provider

  281. func GetDefaultEmailURL(provider string) string {

  282. 	if provider == "github" {

  283. 		return github.EmailURL

  284. 	}

  285. 	return ""

  286. }