wip on auth

COSSAS · Oct 3, 2024 · e5a0186 · e5a0186
1 parent e9830ba
commit e5a0186
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 10 deletions.
diff --git a/auth/gin_oidc.go b/auth/gin_oidc.go
@@ -80,6 +80,19 @@ func (auth *Authenticator) OIDCCallBack(gc *gin.Context) {
 		return
 	}
 	auth.Cookiejar.DeleteNonceSession(gc)
+	accessToken := oauth2Token.AccessToken
+	// if err := verifiedIDToken.VerifyAccessToken(accessToken); err != nil {
+	// 	log.Printf(err.Error())
+	// 	api.JSONErrorStatus(gc, http.StatusUnauthorized, errors.New("access token not matched with id token"))
+	// 	return
+	// }
+	//
+
+	if _, err = verifier.Verify(localContext, accessToken); err != nil {
+		api.JSONErrorStatus(gc, http.StatusUnauthorized, errors.New("invalid access token"))
+	}
+	auth.Cookiejar.SetUserToken(gc, accessToken)
+	auth.Cookiejar.DeleteStateSession(gc)
 	gc.Redirect(http.StatusFound, "/dashboard")
 }
 
@@ -90,6 +103,11 @@ func (auth *Authenticator) sessionAuth(gc *gin.Context) gin.HandlerFunc {
 			gc.Redirect(http.StatusOK, "/")
 			return
 		}
-		username, role, err := auth.VerifyClaims(gc*gin.Context, tokenCookie)
+		_, err := auth.VerifyClaims(gc, tokenCookie)
+		if err != nil {
+			api.JSONErrorStatus(gc, http.StatusUnauthorized, errors.New("could not map token claims"))
+			return
+		}
+		return
 	}
 }
diff --git a/auth/verify.go b/auth/verify.go
@@ -7,21 +7,20 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
-func (auth *Authenticator) VerifyClaims(gc *gin.Context, token string) (name string, role string, err error) {
+func (auth *Authenticator) VerifyClaims(gc *gin.Context, token string) (*User, error) {
 	verifier := auth.GetTokenVerifier()
 	accessToken, err := verifier.Verify(gc, token)
 	if err != nil {
-		return "", "", errors.New(fmt.Sprintf("could not obtain token from cookie: %w", err))
+		return nil, errors.New(fmt.Sprintf("could not obtain token from cookie: %s", err.Error()))
 	}
 	var claims map[string]any
 	if err := accessToken.Claims(&claims); err != nil {
-		return "", "", errors.New(fmt.Sprintf("could not map clains: %w", err))
+		return nil, errors.New(fmt.Sprintf("could not map clains: %s", err.Error()))
 	}
 	if _, ok := claims["iss"]; !ok {
-		return "", "", errors.New("no issues in claim")
+		return nil, errors.New("no issues in claim")
 	}
-
-	return "", "", nil
+	return auth.mapClaimsToUser(claims)
 }
 
 func (auth *Authenticator) mapClaimsToUser(claims map[string]any) (*User, error) {

diff --git a/auth/verify_test.go b/auth/verify_test.go
@@ -6,8 +6,8 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestMapClaimsToUser_AllFieldsMappedCorrectly(t *testing.T) {
-	UserClaimsConfig := UserClaimsConfig{
+func TestMapClaimsToUserAllFieldsMappedCorrectly(t *testing.T) {
+	config := UserClaimsConfig{
 		OIDCClaimUsernameField: "preferred_username",
 		OIDCClaimEmailField:    "email",
 		OIDCClaimNameField:     "name",
@@ -27,7 +27,7 @@ func TestMapClaimsToUser_AllFieldsMappedCorrectly(t *testing.T) {
 	}
 
 	auth := &Authenticator{
-		userclaimConfig: &UserClaimsConfig,
+		userclaimConfig: &config,
 	}
 
 	user, err := auth.mapClaimsToUser(claims)