mobility-accounts/oidc-provider/endpoints_auth.go

package op

import (
	"fmt"
	"html/template"
	"net/http"
	"time"

	"github.com/gorilla/csrf"
	"github.com/gorilla/mux"
	"github.com/ory/fosite"
	"github.com/ory/fosite/handler/openid"
	"github.com/ory/fosite/token/jwt"
)

func (op *OIDCHandler) AuthEndpoint(w http.ResponseWriter, r *http.Request) {
	namespace := mux.Vars(r)["namespace"]
	oauth2Provider := op.NamespaceProviders[namespace]
	templates_dir := op.config.Namespaces[namespace].TemplatesDir

	t := template.New("auth")
	t = template.Must(t.ParseFiles(
		templates_dir + "/auth.html",
	))

	ctx := r.Context()
	ar, err := oauth2Provider.NewAuthorizeRequest(ctx, r)
	if err != nil {
		oauth2Provider.WriteAuthorizeError(w, ar, err)
		return
	}

	if r.Method == "POST" {
		if r.Form.Get("username") == "" || r.Form.Get("password") == "" {
			oauth2Provider.WriteAuthorizeError(w, ar, fosite.ErrAccessDenied)
			return
		}

		account, err := op.handler.Login(r.Form.Get("username"), r.Form.Get("password"), namespace)
		if err != nil {
			if err = t.ExecuteTemplate(w, "auth", map[string]any{
				csrf.TemplateTag: csrf.TemplateField(r),
				"error":          fmt.Sprintf("Wrong username (%v) or password (%v) in namespace \"%v\"", r.Form.Get("username"), r.Form.Get("password"), namespace),
				"realError":      err,
			}); err != nil {
				oauth2Provider.WriteAuthorizeError(w, ar, err)
			}
			return
		}

		sessionData := &openid.DefaultSession{
			Claims: &jwt.IDTokenClaims{
				Issuer:      fmt.Sprintf("%s://%s/%s", op.Protocol, r.Host, namespace),
				Subject:     account.ID,
				Audience:    []string{},
				ExpiresAt:   time.Now().Add(time.Hour * 30),
				IssuedAt:    time.Now(),
				RequestedAt: time.Now(),
				AuthTime:    time.Now(),
				Extra:       make(map[string]interface{}),
			},
			Username: r.Form.Get("username"),
			Subject:  account.ID,
			Headers: &jwt.Headers{
				Extra: make(map[string]interface{}),
			},
		}

		// Manage claims
		for _, v := range ar.GetRequestedScopes() {
			ar.GrantScope(v)

			if v != "openid" { // TODO handle standard claims like profile, email, ...
				if mc, ok := op.config.Namespaces[namespace].MatchClaims[v]; ok {
					if d, ok := account.Data[mc]; ok {
						sessionData.Claims.Extra[v] = d
					}
				} else if d, ok := account.Data[v]; ok {
					sessionData.Claims.Extra[v] = d
				}
			}
		}

		response, err := oauth2Provider.NewAuthorizeResponse(ctx, ar, sessionData)
		if err != nil {
			oauth2Provider.WriteAuthorizeError(w, ar, err)
			return
		}

		oauth2Provider.WriteAuthorizeResponse(w, ar, response)
		return
	}

	err = t.ExecuteTemplate(w, "auth", map[string]any{
		// csrf.TemplateTag: csrf.TemplateField(r),
	})

	if err != nil {
		panic(err)
	}
}
Refactor previous COOPGO Identity service - Initial commit 2022-08-02 10:26:28 +00:00			`package op`

			`import (`
			`"fmt"`
			`"html/template"`
			`"net/http"`
			`"time"`

			`"github.com/gorilla/csrf"`
			`"github.com/gorilla/mux"`
			`"github.com/ory/fosite"`
			`"github.com/ory/fosite/handler/openid"`
			`"github.com/ory/fosite/token/jwt"`
			`)`

			`func (op OIDCHandler) AuthEndpoint(w http.ResponseWriter, r http.Request) {`
			`namespace := mux.Vars(r)["namespace"]`
			`oauth2Provider := op.NamespaceProviders[namespace]`
			`templates_dir := op.config.Namespaces[namespace].TemplatesDir`

			`t := template.New("auth")`
			`t = template.Must(t.ParseFiles(`
			`templates_dir + "/auth.html",`
			`))`

			`ctx := r.Context()`
			`ar, err := oauth2Provider.NewAuthorizeRequest(ctx, r)`
			`if err != nil {`
			`oauth2Provider.WriteAuthorizeError(w, ar, err)`
			`return`
			`}`

			`if r.Method == "POST" {`
			`if r.Form.Get("username") == "" \|\| r.Form.Get("password") == "" {`
			`oauth2Provider.WriteAuthorizeError(w, ar, fosite.ErrAccessDenied)`
			`return`
			`}`

			`account, err := op.handler.Login(r.Form.Get("username"), r.Form.Get("password"), namespace)`
			`if err != nil {`
			`if err = t.ExecuteTemplate(w, "auth", map[string]any{`
			`csrf.TemplateTag: csrf.TemplateField(r),`
			`"error": fmt.Sprintf("Wrong username (%v) or password (%v) in namespace \"%v\"", r.Form.Get("username"), r.Form.Get("password"), namespace),`
			`"realError": err,`
			`}); err != nil {`
			`oauth2Provider.WriteAuthorizeError(w, ar, err)`
			`}`
			`return`
			`}`

			`sessionData := &openid.DefaultSession{`
			`Claims: &jwt.IDTokenClaims{`
Handle HTTP/HTTPS protocol depending on dev env or not 2022-11-07 00:35:06 +00:00			`Issuer: fmt.Sprintf("%s://%s/%s", op.Protocol, r.Host, namespace),`
Refactor previous COOPGO Identity service - Initial commit 2022-08-02 10:26:28 +00:00			`Subject: account.ID,`
			`Audience: []string{},`
			`ExpiresAt: time.Now().Add(time.Hour * 30),`
			`IssuedAt: time.Now(),`
			`RequestedAt: time.Now(),`
			`AuthTime: time.Now(),`
			`Extra: make(map[string]interface{}),`
			`},`
			`Username: r.Form.Get("username"),`
			`Subject: account.ID,`
			`Headers: &jwt.Headers{`
			`Extra: make(map[string]interface{}),`
			`},`
			`}`

			`// Manage claims`
			`for _, v := range ar.GetRequestedScopes() {`
			`ar.GrantScope(v)`

			`if v != "openid" { // TODO handle standard claims like profile, email, ...`
			`if mc, ok := op.config.Namespaces[namespace].MatchClaims[v]; ok {`
			`if d, ok := account.Data[mc]; ok {`
			`sessionData.Claims.Extra[v] = d`
			`}`
			`} else if d, ok := account.Data[v]; ok {`
			`sessionData.Claims.Extra[v] = d`
			`}`
			`}`
			`}`

			`response, err := oauth2Provider.NewAuthorizeResponse(ctx, ar, sessionData)`
			`if err != nil {`
			`oauth2Provider.WriteAuthorizeError(w, ar, err)`
			`return`
			`}`

			`oauth2Provider.WriteAuthorizeResponse(w, ar, response)`
			`return`
			`}`

			`err = t.ExecuteTemplate(w, "auth", map[string]any{`
			`// csrf.TemplateTag: csrf.TemplateField(r),`
			`})`

			`if err != nil {`
			`panic(err)`
			`}`
			`}`