From 6c76ecf76e05e32001b14689a58f9e6f912bd22d Mon Sep 17 00:00:00 2001 From: Gennady Lipenkov Date: Thu, 17 Feb 2022 05:56:55 +0300 Subject: [PATCH] refactor(auth): improve authentication flow for oauth 2.0 with local webserver Signed-off-by: Gennady Lipenkov --- cmd/gateclient/client.go | 20 ++++------ cmd/gateclient/oauth.go | 85 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 92 insertions(+), 13 deletions(-) create mode 100644 cmd/gateclient/oauth.go diff --git a/cmd/gateclient/client.go b/cmd/gateclient/client.go index b7becaa1..dd3ecfd8 100644 --- a/cmd/gateclient/client.go +++ b/cmd/gateclient/client.go @@ -388,10 +388,14 @@ func authenticateOAuth2(output func(string), httpClient *http.Client, endpoint s return false, errors.New("incorrect OAuth2 auth configuration") } + redirectURL := url.URL{ + Scheme: "http", + Host: localWebServer, + } config := &oauth2.Config{ ClientID: OAuth2.ClientId, ClientSecret: OAuth2.ClientSecret, - RedirectURL: "http://localhost:8085", + RedirectURL: redirectURL.String(), Scopes: OAuth2.Scopes, Endpoint: oauth2.Endpoint{ AuthURL: OAuth2.AuthUrl, @@ -409,14 +413,6 @@ func authenticateOAuth2(output func(string), httpClient *http.Client, endpoint s return false, errors.Wrapf(err, "Could not refresh token from source: %v", tokenSource) } } else { - // Do roundtrip. - http.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - code := r.FormValue("code") - fmt.Fprintln(w, code) - })) - go http.ListenAndServe(":8085", nil) - // Note: leaving server connection open for scope of request, will be reaped on exit. - verifier, verifierCode, err := generateCodeVerifier() if err != nil { return false, err @@ -427,10 +423,8 @@ func authenticateOAuth2(output func(string), httpClient *http.Client, endpoint s challengeMethod := oauth2.SetAuthURLParam("code_challenge_method", "S256") authURL := config.AuthCodeURL("state-token", oauth2.AccessTypeOffline, oauth2.ApprovalForce, challengeMethod, codeChallenge) - output(fmt.Sprintf("Navigate to %s and authenticate", authURL)) - code := prompt(output, "Paste authorization code:") - - newToken, err = config.Exchange(context.Background(), code, codeVerifier) + output("Trying to get token from web") + newToken, err = getTokenFromWeb(output, config, authURL, codeVerifier) if err != nil { return false, err } diff --git a/cmd/gateclient/oauth.go b/cmd/gateclient/oauth.go new file mode 100644 index 00000000..cdb2a9d4 --- /dev/null +++ b/cmd/gateclient/oauth.go @@ -0,0 +1,85 @@ +package gateclient + +import ( + "context" + "fmt" + "log" + "net" + "net/http" + "os/exec" + "runtime" + + "golang.org/x/oauth2" +) + +const localWebServer = "localhost:8085" + +func startWebServer() (codeCh chan string, err error) { + listener, err := net.Listen("tcp", localWebServer) + if err != nil { + return nil, err + } + codeCh = make(chan string) + + go http.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + // TODO: add handle of `error` + //error := r.FormValue("error") + code := r.FormValue("code") + codeCh <- code // send code to OAuth flow + listener.Close() + w.Header().Set("Content-Type", "text/plain") + fmt.Fprintf(w, "Received code: %v\r\nYou can now safely close this browser window.", code) + })) + + return codeCh, nil +} + +// getTokenFromWeb uses Config to request a Token. +// It returns the retrieved Token. +func getTokenFromWeb(output func(string), config *oauth2.Config, authURL string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) { + codeCh, err := startWebServer() + if err != nil { + output("Unable to start a web server.") + return nil, err + } + + err = openURL(authURL) + if err != nil { + log.Fatalf("Unable to open authorization URL in web server: %v", err) + } else { + output("Your browser has been opened to an authorization URL.\n" + + " This program will resume once authorization has been provided.\n") + output(authURL) + } + + // Wait for the web server to get the code. + code := <-codeCh + return exchangeToken(config, code, opts...) +} + +// Exchange the authorization code for an access token +func exchangeToken(config *oauth2.Config, code string, opts ...oauth2.AuthCodeOption) (*oauth2.Token, error) { + tok, err := config.Exchange(context.Background(), code, opts...) + if err != nil { + return nil, fmt.Errorf("Unable to retrieve token %v", err) + } + return tok, nil +} + +// openURL opens a browser window to the specified location. +// This code originally appeared at: +// http://stackoverflow.com/questions/10377243/how-can-i-launch-a-process-that-is-not-a-file-in-go +func openURL(url string) error { + var err error + switch runtime.GOOS { + case "linux": + err = exec.Command("xdg-open", url).Start() + case "windows": + err = exec.Command("rundll32", "url.dll,FileProtocolHandler", url).Start() + case "darwin": + err = exec.Command("open", url).Start() + default: + err = fmt.Errorf("Cannot open URL %s on this platform", url) + } + return err +}