mirrors
/
gitea
mirror of https://github.com/go-gitea/gitea.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 210 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9120 Commits
17 Branches
Tree: bea497ff96
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bea497ff96'
${ noResults }
gitea/modules/auth/oauth2/oauth2.go

oauth2.go 8.7KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273 
  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package oauth2

  6. 

  7. import (

  8. 	"math"

  9. 	"net/http"

  10. 

  11. 	"code.gitea.io/gitea/modules/log"

  12. 	"code.gitea.io/gitea/modules/setting"

  13. 

  14. 	"github.com/lafriks/xormstore"

  15. 	"github.com/markbates/goth"

  16. 	"github.com/markbates/goth/gothic"

  17. 	"github.com/markbates/goth/providers/bitbucket"

  18. 	"github.com/markbates/goth/providers/discord"

  19. 	"github.com/markbates/goth/providers/dropbox"

  20. 	"github.com/markbates/goth/providers/facebook"

  21. 	"github.com/markbates/goth/providers/gitea"

  22. 	"github.com/markbates/goth/providers/github"

  23. 	"github.com/markbates/goth/providers/gitlab"

  24. 	"github.com/markbates/goth/providers/google"

  25. 	"github.com/markbates/goth/providers/nextcloud"

  26. 	"github.com/markbates/goth/providers/openidConnect"

  27. 	"github.com/markbates/goth/providers/twitter"

  28. 	"github.com/satori/go.uuid"

  29. 	"xorm.io/xorm"

  30. )

  31. 

  32. var (

  33. 	sessionUsersStoreKey = "gitea-oauth2-sessions"

  34. 	providerHeaderKey    = "gitea-oauth2-provider"

  35. )

  36. 

  37. // CustomURLMapping describes the urls values to use when customizing OAuth2 provider URLs

  38. type CustomURLMapping struct {

  39. 	AuthURL    string

  40. 	TokenURL   string

  41. 	ProfileURL string

  42. 	EmailURL   string

  43. }

  44. 

  45. // Init initialize the setup of the OAuth2 library

  46. func Init(x *xorm.Engine) error {

  47. 	store, err := xormstore.NewOptions(x, xormstore.Options{

  48. 		TableName: "oauth2_session",

  49. 	}, []byte(sessionUsersStoreKey))

  50. 

  51. 	if err != nil {

  52. 		return err

  53. 	}

  54. 	// according to the Goth lib:

  55. 	// set the maxLength of the cookies stored on the disk to a larger number to prevent issues with:

  56. 	// securecookie: the value is too long

  57. 	// when using OpenID Connect , since this can contain a large amount of extra information in the id_token

  58. 

  59. 	// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk

  60. 	store.MaxLength(math.MaxInt16)

  61. 	gothic.Store = store

  62. 

  63. 	gothic.SetState = func(req *http.Request) string {

  64. 		return uuid.NewV4().String()

  65. 	}

  66. 

  67. 	gothic.GetProviderName = func(req *http.Request) (string, error) {

  68. 		return req.Header.Get(providerHeaderKey), nil

  69. 	}

  70. 

  71. 	return nil

  72. }

  73. 

  74. // Auth OAuth2 auth service

  75. func Auth(provider string, request *http.Request, response http.ResponseWriter) error {

  76. 	// not sure if goth is thread safe (?) when using multiple providers

  77. 	request.Header.Set(providerHeaderKey, provider)

  78. 

  79. 	// don't use the default gothic begin handler to prevent issues when some error occurs

  80. 	// normally the gothic library will write some custom stuff to the response instead of our own nice error page

  81. 	//gothic.BeginAuthHandler(response, request)

  82. 

  83. 	url, err := gothic.GetAuthURL(response, request)

  84. 	if err == nil {

  85. 		http.Redirect(response, request, url, http.StatusTemporaryRedirect)

  86. 	}

  87. 	return err

  88. }

  89. 

  90. // ProviderCallback handles OAuth callback, resolve to a goth user and send back to original url

  91. // this will trigger a new authentication request, but because we save it in the session we can use that

  92. func ProviderCallback(provider string, request *http.Request, response http.ResponseWriter) (goth.User, error) {

  93. 	// not sure if goth is thread safe (?) when using multiple providers

  94. 	request.Header.Set(providerHeaderKey, provider)

  95. 

  96. 	user, err := gothic.CompleteUserAuth(response, request)

  97. 	if err != nil {

  98. 		return user, err

  99. 	}

  100. 

  101. 	return user, nil

  102. }

  103. 

  104. // RegisterProvider register a OAuth2 provider in goth lib

  105. func RegisterProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) error {

  106. 	provider, err := createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL, customURLMapping)

  107. 

  108. 	if err == nil && provider != nil {

  109. 		goth.UseProviders(provider)

  110. 	}

  111. 

  112. 	return err

  113. }

  114. 

  115. // RemoveProvider removes the given OAuth2 provider from the goth lib

  116. func RemoveProvider(providerName string) {

  117. 	delete(goth.GetProviders(), providerName)

  118. }

  119. 

  120. // used to create different types of goth providers

  121. func createProvider(providerName, providerType, clientID, clientSecret, openIDConnectAutoDiscoveryURL string, customURLMapping *CustomURLMapping) (goth.Provider, error) {

  122. 	callbackURL := setting.AppURL + "user/oauth2/" + providerName + "/callback"

  123. 

  124. 	var provider goth.Provider

  125. 	var err error

  126. 

  127. 	switch providerType {

  128. 	case "bitbucket":

  129. 		provider = bitbucket.New(clientID, clientSecret, callbackURL, "account")

  130. 	case "dropbox":

  131. 		provider = dropbox.New(clientID, clientSecret, callbackURL)

  132. 	case "facebook":

  133. 		provider = facebook.New(clientID, clientSecret, callbackURL, "email")

  134. 	case "github":

  135. 		authURL := github.AuthURL

  136. 		tokenURL := github.TokenURL

  137. 		profileURL := github.ProfileURL

  138. 		emailURL := github.EmailURL

  139. 		if customURLMapping != nil {

  140. 			if len(customURLMapping.AuthURL) > 0 {

  141. 				authURL = customURLMapping.AuthURL

  142. 			}

  143. 			if len(customURLMapping.TokenURL) > 0 {

  144. 				tokenURL = customURLMapping.TokenURL

  145. 			}

  146. 			if len(customURLMapping.ProfileURL) > 0 {

  147. 				profileURL = customURLMapping.ProfileURL

  148. 			}

  149. 			if len(customURLMapping.EmailURL) > 0 {

  150. 				emailURL = customURLMapping.EmailURL

  151. 			}

  152. 		}

  153. 		provider = github.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, emailURL)

  154. 	case "gitlab":

  155. 		authURL := gitlab.AuthURL

  156. 		tokenURL := gitlab.TokenURL

  157. 		profileURL := gitlab.ProfileURL

  158. 		if customURLMapping != nil {

  159. 			if len(customURLMapping.AuthURL) > 0 {

  160. 				authURL = customURLMapping.AuthURL

  161. 			}

  162. 			if len(customURLMapping.TokenURL) > 0 {

  163. 				tokenURL = customURLMapping.TokenURL

  164. 			}

  165. 			if len(customURLMapping.ProfileURL) > 0 {

  166. 				profileURL = customURLMapping.ProfileURL

  167. 			}

  168. 		}

  169. 		provider = gitlab.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL, "read_user")

  170. 	case "gplus": // named gplus due to legacy gplus -> google migration (Google killed Google+). This ensures old connections still work

  171. 		provider = google.New(clientID, clientSecret, callbackURL)

  172. 	case "openidConnect":

  173. 		if provider, err = openidConnect.New(clientID, clientSecret, callbackURL, openIDConnectAutoDiscoveryURL); err != nil {

  174. 			log.Warn("Failed to create OpenID Connect Provider with name '%s' with url '%s': %v", providerName, openIDConnectAutoDiscoveryURL, err)

  175. 		}

  176. 	case "twitter":

  177. 		provider = twitter.NewAuthenticate(clientID, clientSecret, callbackURL)

  178. 	case "discord":

  179. 		provider = discord.New(clientID, clientSecret, callbackURL, discord.ScopeIdentify, discord.ScopeEmail)

  180. 	case "gitea":

  181. 		authURL := gitea.AuthURL

  182. 		tokenURL := gitea.TokenURL

  183. 		profileURL := gitea.ProfileURL

  184. 		if customURLMapping != nil {

  185. 			if len(customURLMapping.AuthURL) > 0 {

  186. 				authURL = customURLMapping.AuthURL

  187. 			}

  188. 			if len(customURLMapping.TokenURL) > 0 {

  189. 				tokenURL = customURLMapping.TokenURL

  190. 			}

  191. 			if len(customURLMapping.ProfileURL) > 0 {

  192. 				profileURL = customURLMapping.ProfileURL

  193. 			}

  194. 		}

  195. 		provider = gitea.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL)

  196. 	case "nextcloud":

  197. 		authURL := nextcloud.AuthURL

  198. 		tokenURL := nextcloud.TokenURL

  199. 		profileURL := nextcloud.ProfileURL

  200. 		if customURLMapping != nil {

  201. 			if len(customURLMapping.AuthURL) > 0 {

  202. 				authURL = customURLMapping.AuthURL

  203. 			}

  204. 			if len(customURLMapping.TokenURL) > 0 {

  205. 				tokenURL = customURLMapping.TokenURL

  206. 			}

  207. 			if len(customURLMapping.ProfileURL) > 0 {

  208. 				profileURL = customURLMapping.ProfileURL

  209. 			}

  210. 		}

  211. 		provider = nextcloud.NewCustomisedURL(clientID, clientSecret, callbackURL, authURL, tokenURL, profileURL)

  212. 	}

  213. 

  214. 	// always set the name if provider is created so we can support multiple setups of 1 provider

  215. 	if err == nil && provider != nil {

  216. 		provider.SetName(providerName)

  217. 	}

  218. 

  219. 	return provider, err

  220. }

  221. 

  222. // GetDefaultTokenURL return the default token url for the given provider

  223. func GetDefaultTokenURL(provider string) string {

  224. 	switch provider {

  225. 	case "github":

  226. 		return github.TokenURL

  227. 	case "gitlab":

  228. 		return gitlab.TokenURL

  229. 	case "gitea":

  230. 		return gitea.TokenURL

  231. 	case "nextcloud":

  232. 		return nextcloud.TokenURL

  233. 	}

  234. 	return ""

  235. }

  236. 

  237. // GetDefaultAuthURL return the default authorize url for the given provider

  238. func GetDefaultAuthURL(provider string) string {

  239. 	switch provider {

  240. 	case "github":

  241. 		return github.AuthURL

  242. 	case "gitlab":

  243. 		return gitlab.AuthURL

  244. 	case "gitea":

  245. 		return gitea.AuthURL

  246. 	case "nextcloud":

  247. 		return nextcloud.AuthURL

  248. 	}

  249. 	return ""

  250. }

  251. 

  252. // GetDefaultProfileURL return the default profile url for the given provider

  253. func GetDefaultProfileURL(provider string) string {

  254. 	switch provider {

  255. 	case "github":

  256. 		return github.ProfileURL

  257. 	case "gitlab":

  258. 		return gitlab.ProfileURL

  259. 	case "gitea":

  260. 		return gitea.ProfileURL

  261. 	case "nextcloud":

  262. 		return nextcloud.ProfileURL

  263. 	}

  264. 	return ""

  265. }

  266. 

  267. // GetDefaultEmailURL return the default email url for the given provider

  268. func GetDefaultEmailURL(provider string) string {

  269. 	if provider == "github" {

  270. 		return github.EmailURL

  271. 	}

  272. 	return ""

  273. }