From e5a01862a7fc458743ca50fd8e42dda998c5a565 Mon Sep 17 00:00:00 2001
From: JP
Date: Thu, 3 Oct 2024 22:42:02 +0200
Subject: [PATCH] wip on auth

---
 auth/gin_oidc.go | 20 +++++++++++++++++++-
 auth/verify.go | 11 +++++------
 auth/verify_test.go | 6 +++---
 3 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/auth/gin_oidc.go b/auth/gin_oidc.go
index 932be54..b07685c 100644
--- a/auth/gin_oidc.go
+++ b/auth/gin_oidc.go
@@ -80,6 +80,19 @@ func (auth *Authenticator) OIDCCallBack(gc *gin.Context) {
 return
 }
 auth.Cookiejar.DeleteNonceSession(gc)
+ accessToken := oauth2Token.AccessToken
+ // if err := verifiedIDToken.VerifyAccessToken(accessToken); err != nil {
+ // log.Printf(err.Error())
+ // api.JSONErrorStatus(gc, http.StatusUnauthorized, errors.New("access token not matched with id token"))
+ // return
+ // }
+ //
+
+ if _, err = verifier.Verify(localContext, accessToken); err != nil {
+ api.JSONErrorStatus(gc, http.StatusUnauthorized, errors.New("invalid access token"))
+ }
+ auth.Cookiejar.SetUserToken(gc, accessToken)
+
 auth.Cookiejar.DeleteStateSession(gc)
 gc.Redirect(http.StatusFound, "/dashboard")
 }
@@ -90,6 +103,11 @@ func (auth *Authenticator) sessionAuth(gc *gin.Context) gin.HandlerFunc {
 gc.Redirect(http.StatusOK, "/")
 return
 }
- username, role, err := auth.VerifyClaims(gc*gin.Context, tokenCookie)
+ _, err := auth.VerifyClaims(gc, tokenCookie)
+ if err != nil {
+ api.JSONErrorStatus(gc, http.StatusUnauthorized, errors.New("could not map token claims"))
+ return
+ }
+ return
 }
 }
diff --git a/auth/verify.go b/auth/verify.go
index a1de4a8..b7f1dbd 100644
--- a/auth/verify.go
+++ b/auth/verify.go
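Review bot: The new `verifier.Verify(localContext, accessToken)` check in OIDCCallBack writes a 401 on failure but does not return, so a rejected access token still reaches `auth.Cookiejar.SetUserToken(gc, accessToken)` and the redirect to /dashboard, and the session is established anyway; the error branch needs `return` after `api.JSONErrorStatus(...)`, exactly as the earlier error paths in this function do. Separately, if `verifier` is the ID-token verifier (it is defined outside the hunk), note that an OAuth2 access token is not guaranteed to be a JWT it can parse, so this check may reject valid logins at some providers. The commented-out `VerifyAccessToken` call (binding the access token to the ID token via at_hash) is the standard check for this step and is worth keeping in some form rather than leaving as dead code. OIDCCallBack begins outside the hunk, so where `verifier` and `localContext` come from is not visible here.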
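Review bot: In sessionAuth the error branch after `auth.VerifyClaims(gc, tokenCookie)` only writes a response and returns; in gin a handler that returns without calling `gc.Abort()` does not stop the chain, so unless `api.JSONErrorStatus` aborts internally (not visible here) the protected handler still runs after the 401 body is written. Add `gc.Abort()` (or switch to `gc.AbortWithStatusJSON`) before that `return`. The verified `*User` is discarded with `_`, so downstream handlers cannot tell who is authenticated; keep it as `user, err := auth.VerifyClaims(gc, tokenCookie)` and publish it with `gc.Set(...)` before calling `gc.Next()`. The context line `gc.Redirect(http.StatusOK, "/")` above is also suspect, since gin's Redirect panics for non-3xx status codes, so that path presumably wants http.StatusFound plus an Abort as well. sessionAuth's signature and the start of the closure are outside the hunk.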
@@ -7,21 +7,20 @@ import (
 "github.com/gin-gonic/gin"
 )
-func (auth *Authenticator) VerifyClaims(gc *gin.Context, token string) (name string, role string, err error) {
+func (auth *Authenticator) VerifyClaims(gc *gin.Context, token string) (*User, error) {
 verifier := auth.GetTokenVerifier()
 accessToken, err := verifier.Verify(gc, token)
 if err != nil {
- return "", "", errors.New(fmt.Sprintf("could not obtain token from cookie: %w", err))
+ return nil, errors.New(fmt.Sprintf("could not obtain token from cookie: %s", err.Error()))
 }
 var claims map[string]any
 if err := accessToken.Claims(&claims); err != nil {
- return "", "", errors.New(fmt.Sprintf("could not map clains: %w", err))
+ return nil, errors.New(fmt.Sprintf("could not map clains: %s", err.Error()))
 }
 if _, ok := claims["iss"]; !ok {
- return "", "", errors.New("no issues in claim")
+ return nil, errors.New("no issues in claim")
 }
-
- return "", "", nil
+ return auth.mapClaimsToUser(claims)
 }
 func (auth *Authenticator) mapClaimsToUser(claims map[string]any) (*User, error) {
diff --git a/auth/verify_test.go b/auth/verify_test.go
index e03678d..c458db4 100644
--- a/auth/verify_test.go
+++ b/auth/verify_test.go
@@ -6,8 +6,8 @@ import (
 "github.com/stretchr/testify/assert"
 )
-func TestMapClaimsToUser_AllFieldsMappedCorrectly(t *testing.T) {
- UserClaimsConfig := UserClaimsConfig{
+func TestMapClaimsToUserAllFieldsMappedCorrectly(t *testing.T) {
+ config := UserClaimsConfig{
 OIDCClaimUsernameField: "preferred_username",
 OIDCClaimEmailField: "email",
 OIDCClaimNameField: "name",
@@ -27,7 +27,7 @@ func TestMapClaimsToUser_AllFieldsMappedCorrectly(t *testing.T) {
 }
 auth := &Authenticator{
- userclaimConfig: &UserClaimsConfig,
+ userclaimConfig: &config,
 }
 user, err := auth.mapClaimsToUser(claims)
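Review bot: The error returns in VerifyClaims now build errors with `errors.New(fmt.Sprintf(..., "%s", err.Error()))`, which flattens the verifier's error so callers can no longer use `errors.Is`/`errors.As` on it; the idiom is `return nil, fmt.Errorf("could not obtain token from cookie: %w", err)` and `return nil, fmt.Errorf("could not map claims: %w", err)`. That also fixes the typo "clains", and "no issues in claim" presumably means "no issuer in claims". The check on `claims["iss"]` only tests that the key exists and never compares the issuer value; if `verifier.Verify` already validates the issuer this check is redundant, otherwise it should compare against the configured issuer rather than test for presence. The first message is also misleading, since the failure at that point is token verification rather than cookie retrieval.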