closed-social
/
gitea
3
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4992 Commits
2 Branches
178 MiB
Tree: 831ff41754
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '831ff41754'
${ noResults }
gitea/modules/auth/oauth2/oauth2.go

105 lines
3.2 KiB
Raw Normal View History

Oauth2 consumer (#679) * initial stuff for oauth2 login, fails on: * login button on the signIn page to start the OAuth2 flow and a callback for each provider Only GitHub is implemented for now * show login button only when the OAuth2 consumer is configured (and activated) * create macaron group for oauth2 urls * prevent net/http in modules (other then oauth2) * use a new data sessions oauth2 folder for storing the oauth2 session data * add missing 2FA when this is enabled on the user * add password option for OAuth2 user , for use with git over http and login to the GUI * add tip for registering a GitHub OAuth application * at startup of Gitea register all configured providers and also on adding/deleting of new providers * custom handling of errors in oauth2 request init + show better tip * add ExternalLoginUser model and migration script to add it to database * link a external account to an existing account (still need to handle wrong login and signup) and remove if user is removed * remove the linked external account from the user his settings * if user is unknown we allow him to register a new account or link it to some existing account * sign up with button on signin page (als change OAuth2Provider structure so we can store basic stuff about providers) * from gorilla/sessions docs: "Important Note: If you aren't using gorilla/mux, you need to wrap your handlers with context.ClearHandler as or else you will leak memory!" (we're using gorilla/sessions for storing oauth2 sessions) * use updated goth lib that now supports getting the OAuth2 user if the AccessToken is still valid instead of re-authenticating (prevent flooding the OAuth2 provider)
7 years ago
 
  1. // Copyright 2017 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package oauth2
  6. 

  7. import (
  8. 	"code.gitea.io/gitea/modules/setting"
  9. 	"code.gitea.io/gitea/modules/log"
  10. 	"github.com/gorilla/sessions"
  11. 	"github.com/markbates/goth"
  12. 	"github.com/markbates/goth/gothic"
  13. 	"net/http"
  14. 	"os"
  15. 	"github.com/satori/go.uuid"
  16. 	"path/filepath"
  17. 	"github.com/markbates/goth/providers/github"
  18. )
  19. 

  20. var (
  21. 	sessionUsersStoreKey = "gitea-oauth2-sessions"
  22. 	providerHeaderKey    = "gitea-oauth2-provider"
  23. )
  24. 

  25. // Init initialize the setup of the OAuth2 library

  26. func Init() {
  27. 	sessionDir := filepath.Join(setting.AppDataPath, "sessions", "oauth2")
  28. 	if err := os.MkdirAll(sessionDir, 0700); err != nil {
  29. 		log.Fatal(4, "Fail to create dir %s: %v", sessionDir, err)
  30. 	}
  31. 

  32. 	gothic.Store = sessions.NewFilesystemStore(sessionDir, []byte(sessionUsersStoreKey))
  33. 

  34. 	gothic.SetState = func(req *http.Request) string {
  35. 		return uuid.NewV4().String()
  36. 	}
  37. 

  38. 	gothic.GetProviderName = func(req *http.Request) (string, error) {
  39. 		return req.Header.Get(providerHeaderKey), nil
  40. 	}
  41. 

  42. }
  43. 

  44. // Auth OAuth2 auth service

  45. func Auth(provider string, request *http.Request, response http.ResponseWriter) error {
  46. 	// not sure if goth is thread safe (?) when using multiple providers

  47. 	request.Header.Set(providerHeaderKey, provider)
  48. 

  49. 	// don't use the default gothic begin handler to prevent issues when some error occurs

  50. 	// normally the gothic library will write some custom stuff to the response instead of our own nice error page

  51. 	//gothic.BeginAuthHandler(response, request)

  52. 

  53. 	url, err := gothic.GetAuthURL(response, request)
  54. 	if err == nil {
  55. 		http.Redirect(response, request, url, http.StatusTemporaryRedirect)
  56. 	}
  57. 	return err
  58. }
  59. 

  60. // ProviderCallback handles OAuth callback, resolve to a goth user and send back to original url

  61. // this will trigger a new authentication request, but because we save it in the session we can use that

  62. func ProviderCallback(provider string, request *http.Request, response http.ResponseWriter) (goth.User, error) {
  63. 	// not sure if goth is thread safe (?) when using multiple providers

  64. 	request.Header.Set(providerHeaderKey, provider)
  65. 

  66. 	user, err := gothic.CompleteUserAuth(response, request)
  67. 	if err != nil {
  68. 		return user, err
  69. 	}
  70. 

  71. 	return user, nil
  72. }
  73. 

  74. // RegisterProvider register a OAuth2 provider in goth lib

  75. func RegisterProvider(providerName, providerType, clientID, clientSecret string) {
  76. 	provider := createProvider(providerName, providerType, clientID, clientSecret)
  77. 

  78. 	if provider != nil {
  79. 		goth.UseProviders(provider)
  80. 	}
  81. }
  82. 

  83. // RemoveProvider removes the given OAuth2 provider from the goth lib

  84. func RemoveProvider(providerName string) {
  85. 	delete(goth.GetProviders(), providerName)
  86. }
  87. 

  88. // used to create different types of goth providers

  89. func createProvider(providerName, providerType, clientID, clientSecret string) goth.Provider {
  90. 	callbackURL := setting.AppURL + "user/oauth2/" + providerName + "/callback"
  91. 

  92. 	var provider goth.Provider
  93. 

  94. 	switch providerType {
  95. 	case "github":
  96. 		provider = github.New(clientID, clientSecret, callbackURL, "user:email")
  97. 	}
  98. 

  99. 	// always set the name if provider is created so we can support multiple setups of 1 provider

  100. 	if provider != nil {
  101. 		provider.SetName(providerName)
  102. 	}
  103. 

  104. 	return provider
  105. }