mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2025-05-25 11:22:16 +00:00
Integrate OAuth2 Provider (#5378)
This commit is contained in:
Jonas Franz
techknowlogick
parent
9d3732dfd5
commit
e777c6bdc6
37 changed files with 2667 additions and 11 deletions
|
|
@ -7,6 +7,7 @@ package auth
|
|||
import (
|
||||
"reflect"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/Unknwon/com"
|
||||
"github.com/go-macaron/binding"
|
||||
|
|
@ -44,7 +45,7 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
|
|||
auHead := ctx.Req.Header.Get("Authorization")
|
||||
if len(auHead) > 0 {
|
||||
auths := strings.Fields(auHead)
|
||||
if len(auths) == 2 && auths[0] == "token" {
|
||||
if len(auths) == 2 && (auths[0] == "token" || strings.ToLower(auths[0]) == "bearer") {
|
||||
tokenSHA = auths[1]
|
||||
}
|
||||
}
|
||||
|
|
@ -52,6 +53,13 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
|
|||
|
||||
// Let's see if token is valid.
|
||||
if len(tokenSHA) > 0 {
|
||||
if strings.Contains(tokenSHA, ".") {
|
||||
uid := checkOAuthAccessToken(tokenSHA)
|
||||
if uid != 0 {
|
||||
ctx.Data["IsApiToken"] = true
|
||||
}
|
||||
return uid
|
||||
}
|
||||
t, err := models.GetAccessTokenBySHA(tokenSHA)
|
||||
if err != nil {
|
||||
if models.IsErrAccessTokenNotExist(err) || models.IsErrAccessTokenEmpty(err) {
|
||||
|
|
@ -77,6 +85,29 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
|
|||
return 0
|
||||
}
|
||||
|
||||
func checkOAuthAccessToken(accessToken string) int64 {
|
||||
// JWT tokens require a "."
|
||||
if !strings.Contains(accessToken, ".") {
|
||||
return 0
|
||||
}
|
||||
token, err := models.ParseOAuth2Token(accessToken)
|
||||
if err != nil {
|
||||
log.Trace("ParseOAuth2Token", err)
|
||||
return 0
|
||||
}
|
||||
var grant *models.OAuth2Grant
|
||||
if grant, err = models.GetOAuth2GrantByID(token.GrantID); err != nil || grant == nil {
|
||||
return 0
|
||||
}
|
||||
if token.Type != models.TypeAccessToken {
|
||||
return 0
|
||||
}
|
||||
if token.ExpiresAt < time.Now().Unix() || token.IssuedAt > time.Now().Unix() {
|
||||
return 0
|
||||
}
|
||||
return grant.UserID
|
||||
}
|
||||
|
||||
// SignedInUser returns the user object of signed user.
|
||||
// It returns a bool value to indicate whether user uses basic auth or not.
|
||||
func SignedInUser(ctx *macaron.Context, sess session.Store) (*models.User, bool) {
|
||||
|
|
|
|||
|
|
@ -137,6 +137,54 @@ func (f *SignInForm) Validate(ctx *macaron.Context, errs binding.Errors) binding
|
|||
return validate(errs, ctx.Data, f, ctx.Locale)
|
||||
}
|
||||
|
||||
// AuthorizationForm form for authorizing oauth2 clients
|
||||
type AuthorizationForm struct {
|
||||
ResponseType string `binding:"Required;In(code)"`
|
||||
ClientID string `binding:"Required"`
|
||||
RedirectURI string
|
||||
State string
|
||||
|
||||
// PKCE support
|
||||
CodeChallengeMethod string // S256, plain
|
||||
CodeChallenge string
|
||||
}
|
||||
|
||||
// Validate valideates the fields
|
||||
func (f *AuthorizationForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
|
||||
return validate(errs, ctx.Data, f, ctx.Locale)
|
||||
}
|
||||
|
||||
// GrantApplicationForm form for authorizing oauth2 clients
|
||||
type GrantApplicationForm struct {
|
||||
ClientID string `binding:"Required"`
|
||||
RedirectURI string
|
||||
State string
|
||||
}
|
||||
|
||||
// Validate valideates the fields
|
||||
func (f *GrantApplicationForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
|
||||
return validate(errs, ctx.Data, f, ctx.Locale)
|
||||
}
|
||||
|
||||
// AccessTokenForm for issuing access tokens from authorization codes or refresh tokens
|
||||
type AccessTokenForm struct {
|
||||
GrantType string
|
||||
ClientID string
|
||||
ClientSecret string
|
||||
RedirectURI string
|
||||
// TODO Specify authentication code length to prevent against birthday attacks
|
||||
Code string
|
||||
RefreshToken string
|
||||
|
||||
// PKCE support
|
||||
CodeVerifier string
|
||||
}
|
||||
|
||||
// Validate valideates the fields
|
||||
func (f *AccessTokenForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
|
||||
return validate(errs, ctx.Data, f, ctx.Locale)
|
||||
}
|
||||
|
||||
// __________________________________________.___ _______ ________ _________
|
||||
// / _____/\_ _____/\__ ___/\__ ___/| |\ \ / _____/ / _____/
|
||||
// \_____ \ | __)_ | | | | | |/ | \/ \ ___ \_____ \
|
||||
|
|
@ -258,6 +306,17 @@ func (f *NewAccessTokenForm) Validate(ctx *macaron.Context, errs binding.Errors)
|
|||
return validate(errs, ctx.Data, f, ctx.Locale)
|
||||
}
|
||||
|
||||
// EditOAuth2ApplicationForm form for editing oauth2 applications
|
||||
type EditOAuth2ApplicationForm struct {
|
||||
Name string `binding:"Required;MaxSize(255)" form:"application_name"`
|
||||
RedirectURI string `binding:"Required" form:"redirect_uri"`
|
||||
}
|
||||
|
||||
// Validate valideates the fields
|
||||
func (f *EditOAuth2ApplicationForm) Validate(ctx *macaron.Context, errs binding.Errors) binding.Errors {
|
||||
return validate(errs, ctx.Data, f, ctx.Locale)
|
||||
}
|
||||
|
||||
// TwoFactorAuthForm for logging in with 2FA token.
|
||||
type TwoFactorAuthForm struct {
|
||||
Passcode string `binding:"Required"`
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue