goweb-oidc/middleware.go

package oidc

import (
	"encoding/gob"
	"net/http"

	"github.com/coreos/go-oidc/v3/oidc"
	"github.com/pkg/errors"
	"gitlab.com/wpetit/goweb/logger"
	"gitlab.com/wpetit/goweb/middleware/container"
	"gitlab.com/wpetit/goweb/service/session"
)

const (
	SessionIDTokenKey   = "oidc-id-token"
	SessionOIDCStateKey = "oidc-state"
	SessionOIDCNonceKey = "oidc-nonce"
)

func init() {
	gob.Register(&oidc.IDToken{})
}

func Middleware(next http.Handler) http.Handler {
	fn := func(w http.ResponseWriter, r *http.Request) {
		if _, err := IDToken(w, r); err != nil {
			logger.Error(r.Context(), "could not retrieve idtoken", logger.E(errors.WithStack(err)))

			ctn := container.Must(r.Context())
			client := Must(ctn)
			client.Login(w, r)
			return
		}

		next.ServeHTTP(w, r)
	}

	return http.HandlerFunc(fn)
}

func HandleCallback(next http.Handler) http.Handler {
	fn := func(w http.ResponseWriter, r *http.Request) {
		ctx := r.Context()
		ctn := container.Must(ctx)
		client := Must(ctn)

		_, rawIDToken, err := client.Validate(w, r)
		if err != nil {
			logger.Error(ctx, "could not validate oidc token", logger.E(errors.WithStack(err)))

			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)

			return
		}

		sess, err := session.Must(ctn).Get(w, r)
		if err != nil {
			panic(errors.Wrap(err, "could not retrieve session"))
		}

		sess.Set(SessionIDTokenKey, rawIDToken)

		if err := sess.Save(w, r); err != nil {
			panic(errors.Wrap(err, "could not save session"))
		}

		next.ServeHTTP(w, r)
	}

	return http.HandlerFunc(fn)
}

func RawIDToken(w http.ResponseWriter, r *http.Request) (string, error) {
	ctx := r.Context()

	ctn, err := container.From(ctx)
	if err != nil {
		return "", errors.Wrap(err, "could not retrieve service container")
	}

	sess, err := session.Must(ctn).Get(w, r)
	if err != nil {
		return "", errors.Wrap(err, "could not retrieve session")
	}

	rawIDToken, ok := sess.Get(SessionIDTokenKey).(string)
	if !ok || rawIDToken == "" {
		return "", errors.New("invalid id token")
	}

	return rawIDToken, nil
}

func IDToken(w http.ResponseWriter, r *http.Request) (*oidc.IDToken, error) {
	rawIDToken, err := RawIDToken(w, r)
	if err != nil {
		return nil, errors.Wrap(err, "could not retrieve raw idtoken")
	}

	ctx := r.Context()
	ctn, err := container.From(ctx)
	if err != nil {
		return nil, errors.Wrap(err, "could not retrieve service container")
	}

	client, err := From(ctn)
	if err != nil {
		return nil, errors.Wrap(err, "could not retrieve oidc service")
	}

	idToken, err := client.verifier.Verify(ctx, rawIDToken)
	if err != nil {
		return nil, errors.Wrap(err, "could not verify id token")
	}

	return idToken, nil
}
Initial commit 2020-05-20 10:43:12 +02:00			`package oidc`

			`import (`
			`"encoding/gob"`
			`"net/http"`

feat: use github.com/coreos/go-oidc/v3 2023-11-02 18:21:54 +01:00			`"github.com/coreos/go-oidc/v3/oidc"`
Initial commit 2020-05-20 10:43:12 +02:00			`"github.com/pkg/errors"`
			`"gitlab.com/wpetit/goweb/logger"`
			`"gitlab.com/wpetit/goweb/middleware/container"`
			`"gitlab.com/wpetit/goweb/service/session"`
			`)`

			`const (`
Test App: logout flow 2020-05-26 11:17:16 +02:00			`SessionIDTokenKey = "oidc-id-token"`
			`SessionOIDCStateKey = "oidc-state"`
Ajout du nonce au login 2023-03-02 15:07:02 +01:00			`SessionOIDCNonceKey = "oidc-nonce"`
Initial commit 2020-05-20 10:43:12 +02:00			`)`

			`func init() {`
			`gob.Register(&oidc.IDToken{})`
			`}`

			`func Middleware(next http.Handler) http.Handler {`
			`fn := func(w http.ResponseWriter, r *http.Request) {`
			`if _, err := IDToken(w, r); err != nil {`
Decorates errors and remove sentry dependency 2022-07-19 10:24:49 +02:00			`logger.Error(r.Context(), "could not retrieve idtoken", logger.E(errors.WithStack(err)))`

Initial commit 2020-05-20 10:43:12 +02:00			`ctn := container.Must(r.Context())`
			`client := Must(ctn)`
			`client.Login(w, r)`
			`return`
			`}`

			`next.ServeHTTP(w, r)`
			`}`

			`return http.HandlerFunc(fn)`
			`}`

			`func HandleCallback(next http.Handler) http.Handler {`
			`fn := func(w http.ResponseWriter, r *http.Request) {`
			`ctx := r.Context()`
			`ctn := container.Must(ctx)`
			`client := Must(ctn)`

Test App: logout flow 2020-05-26 11:17:16 +02:00			`_, rawIDToken, err := client.Validate(w, r)`
Initial commit 2020-05-20 10:43:12 +02:00			`if err != nil {`
Decorates errors and remove sentry dependency 2022-07-19 10:24:49 +02:00			`logger.Error(ctx, "could not validate oidc token", logger.E(errors.WithStack(err)))`
Initial commit 2020-05-20 10:43:12 +02:00
			`http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)`

			`return`
			`}`

			`sess, err := session.Must(ctn).Get(w, r)`
			`if err != nil {`
			`panic(errors.Wrap(err, "could not retrieve session"))`
			`}`

Test App: logout flow 2020-05-26 11:17:16 +02:00			`sess.Set(SessionIDTokenKey, rawIDToken)`
Initial commit 2020-05-20 10:43:12 +02:00
			`if err := sess.Save(w, r); err != nil {`
			`panic(errors.Wrap(err, "could not save session"))`
			`}`

			`next.ServeHTTP(w, r)`
			`}`

			`return http.HandlerFunc(fn)`
			`}`

Test App: logout flow 2020-05-26 11:17:16 +02:00			`func RawIDToken(w http.ResponseWriter, r *http.Request) (string, error) {`
			`ctx := r.Context()`

			`ctn, err := container.From(ctx)`
			`if err != nil {`
			`return "", errors.Wrap(err, "could not retrieve service container")`
			`}`
Initial commit 2020-05-20 10:43:12 +02:00
			`sess, err := session.Must(ctn).Get(w, r)`
			`if err != nil {`
Test App: logout flow 2020-05-26 11:17:16 +02:00			`return "", errors.Wrap(err, "could not retrieve session")`
Initial commit 2020-05-20 10:43:12 +02:00			`}`

Test App: logout flow 2020-05-26 11:17:16 +02:00			`rawIDToken, ok := sess.Get(SessionIDTokenKey).(string)`
			`if !ok \|\| rawIDToken == "" {`
			`return "", errors.New("invalid id token")`
Initial commit 2020-05-20 10:43:12 +02:00			`}`

Test App: logout flow 2020-05-26 11:17:16 +02:00			`return rawIDToken, nil`
Initial commit 2020-05-20 10:43:12 +02:00			`}`
Basic logout workflow 2020-05-20 13:06:04 +02:00
Test App: logout flow 2020-05-26 11:17:16 +02:00			`func IDToken(w http.ResponseWriter, r http.Request) (oidc.IDToken, error) {`
			`rawIDToken, err := RawIDToken(w, r)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "could not retrieve raw idtoken")`
			`}`
Basic logout workflow 2020-05-20 13:06:04 +02:00
Test App: logout flow 2020-05-26 11:17:16 +02:00			`ctx := r.Context()`
			`ctn, err := container.From(ctx)`
Basic logout workflow 2020-05-20 13:06:04 +02:00			`if err != nil {`
Test App: logout flow 2020-05-26 11:17:16 +02:00			`return nil, errors.Wrap(err, "could not retrieve service container")`
Basic logout workflow 2020-05-20 13:06:04 +02:00			`}`

Test App: logout flow 2020-05-26 11:17:16 +02:00			`client, err := From(ctn)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "could not retrieve oidc service")`
Basic logout workflow 2020-05-20 13:06:04 +02:00			`}`

Test App: logout flow 2020-05-26 11:17:16 +02:00			`idToken, err := client.verifier.Verify(ctx, rawIDToken)`
			`if err != nil {`
			`return nil, errors.Wrap(err, "could not verify id token")`
			`}`

			`return idToken, nil`
Basic logout workflow 2020-05-20 13:06:04 +02:00			`}`