Basic logout flow and better UX
This commit is contained in:
parent
44338f06e3
commit
2851c879b6
4
Makefile
4
Makefile
|
@ -34,7 +34,9 @@ create-default-client:
|
||||||
hydra \
|
hydra \
|
||||||
hydra clients create \
|
hydra clients create \
|
||||||
-c http://localhost:3002/oauth2/callback \
|
-c http://localhost:3002/oauth2/callback \
|
||||||
--post-logout-callbacks http://localhost:3002
|
--post-logout-callbacks http://localhost:3002 \
|
||||||
|
-n "Default App" \
|
||||||
|
-a "openid" -a "email"
|
||||||
|
|
||||||
|
|
||||||
list-clients:
|
list-clients:
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
{{define "title"}}Connexion{{end}}
|
{{define "title"}}Courriel envoyé.{{end}}
|
||||||
{{define "body"}}
|
{{define "body"}}
|
||||||
<section class="hero is-fullheight">
|
<section class="hero is-fullheight">
|
||||||
<div class="hero-body">
|
<div class="hero-body">
|
||||||
|
|
|
@ -0,0 +1,20 @@
|
||||||
|
{{define "title"}}Erreur{{end}}
|
||||||
|
{{define "body"}}
|
||||||
|
<section class="hero is-fullheight">
|
||||||
|
<div class="hero-body">
|
||||||
|
<div class="container">
|
||||||
|
<div class="columns">
|
||||||
|
<div class="column is-4 is-offset-4">
|
||||||
|
<div class="message is-danger">
|
||||||
|
<div class="message-body">
|
||||||
|
<p class="title is-size-4 has-text-danger">{{ .ErrorTitle }}</p>
|
||||||
|
<p>{{ .ErrorDescription }}</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
{{end}}
|
||||||
|
{{template "base" .}}
|
|
@ -0,0 +1,22 @@
|
||||||
|
{{define "title"}}Connexion{{end}}
|
||||||
|
{{define "body"}}
|
||||||
|
<section class="hero is-fullheight">
|
||||||
|
<div class="hero-body">
|
||||||
|
<div class="container has-text-centered">
|
||||||
|
<div class="columns">
|
||||||
|
<div class="column is-4 is-offset-4">
|
||||||
|
<p class="has-text-black title">
|
||||||
|
Hydra Password<span class="has-text-grey">less</span>
|
||||||
|
</p>
|
||||||
|
<p class="is-size-7">
|
||||||
|
Version: {{ .BuildInfo.ProjectVersion }} |
|
||||||
|
Réf.: {{ .BuildInfo.GitRef }} |
|
||||||
|
Date de construction: {{ .BuildInfo.BuildDate }}
|
||||||
|
</p>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
</section>
|
||||||
|
{{end}}
|
||||||
|
{{template "base" .}}
|
|
@ -7,7 +7,7 @@
|
||||||
<div class="column is-4 is-offset-4">
|
<div class="column is-4 is-offset-4">
|
||||||
{{template "flash" .}}
|
{{template "flash" .}}
|
||||||
<p class="has-text-black title">
|
<p class="has-text-black title">
|
||||||
Connexion
|
Connexion à <a href="{{.ClientURI }}" class="has-text-info">{{ .ClientName }}</a>
|
||||||
</p>
|
</p>
|
||||||
<p class="has-text-black subtitle">
|
<p class="has-text-black subtitle">
|
||||||
Veuillez entrer votre adresse courriel.
|
Veuillez entrer votre adresse courriel.
|
||||||
|
@ -21,6 +21,14 @@
|
||||||
name="email" placeholder="john.doe@email.com" />
|
name="email" placeholder="john.doe@email.com" />
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
<div class="field is-grouped is-grouped-right">
|
||||||
|
<p class="control">
|
||||||
|
<label class="checkbox">
|
||||||
|
<input type="checkbox" name="rememberMe">
|
||||||
|
Se souvenir de moi
|
||||||
|
</label>
|
||||||
|
</p>
|
||||||
|
</div>
|
||||||
{{ .csrfField }}
|
{{ .csrfField }}
|
||||||
<input name="challenge" type="hidden" value="{{ .LoginChallenge }}" />
|
<input name="challenge" type="hidden" value="{{ .LoginChallenge }}" />
|
||||||
<button type="submit" class="button is-link is-medium is-block is-fullwidth">Envoyer</button>
|
<button type="submit" class="button is-link is-medium is-block is-fullwidth">Envoyer</button>
|
||||||
|
|
|
@ -4,8 +4,8 @@
|
||||||
<table border="0" cellpadding="0" cellspacing="0">
|
<table border="0" cellpadding="0" cellspacing="0">
|
||||||
<tr>
|
<tr>
|
||||||
<td>
|
<td>
|
||||||
<p>Bonjour {{ .Email }}</p>
|
<p>Bonjour,</p>
|
||||||
<p>Vous avez demandé à accéder à l'application "{{ .AppTitle }}". Cliquez sur le lien ci dessous pour vous authentifier. </p>
|
<p>Vous avez demandé à accéder à l'application <a href="{{ .ClientURI }}">"{{ .ClientName }}"</a>. Cliquez sur le lien ci dessous pour vous authentifier. </p>
|
||||||
<table border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
|
<table border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
|
||||||
<tbody>
|
<tbody>
|
||||||
<tr>
|
<tr>
|
||||||
|
|
|
@ -16,6 +16,10 @@ services:
|
||||||
DSN: mysql://hydra:hydra@tcp(mysql:3306)/hydra
|
DSN: mysql://hydra:hydra@tcp(mysql:3306)/hydra
|
||||||
URLS_LOGIN: http://localhost:3000/login
|
URLS_LOGIN: http://localhost:3000/login
|
||||||
URLS_CONSENT: http://localhost:3000/consent
|
URLS_CONSENT: http://localhost:3000/consent
|
||||||
|
URLS_LOGOUT: http://localhost:3000/logout
|
||||||
|
SUPPORTED_SCOPES: email
|
||||||
|
SUPPORTED_CLAIMS: email,email_verified
|
||||||
|
SECRETS_SYSTEM: fAAya66yXNib52lbXpo16bxy1jD4NZrX
|
||||||
ports:
|
ports:
|
||||||
- 4444:4444
|
- 4444:4444
|
||||||
- 4445:4445
|
- 4445:4445
|
||||||
|
|
|
@ -4,7 +4,6 @@ import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
"log"
|
|
||||||
|
|
||||||
"forge.cadoles.com/wpetit/hydra-passwordless/internal/config"
|
"forge.cadoles.com/wpetit/hydra-passwordless/internal/config"
|
||||||
"forge.cadoles.com/wpetit/hydra-passwordless/internal/hydra"
|
"forge.cadoles.com/wpetit/hydra-passwordless/internal/hydra"
|
||||||
|
@ -23,6 +22,9 @@ type SendConfirmationEmailRequest struct {
|
||||||
Challenge string
|
Challenge string
|
||||||
DefaultScheme string
|
DefaultScheme string
|
||||||
DefaultAddress string
|
DefaultAddress string
|
||||||
|
RememberMe bool
|
||||||
|
ClientName string
|
||||||
|
ClientURI string
|
||||||
}
|
}
|
||||||
|
|
||||||
func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) error {
|
func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) error {
|
||||||
|
@ -48,6 +50,7 @@ func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) e
|
||||||
conf.HTTP.TokenEncryptionKey,
|
conf.HTTP.TokenEncryptionKey,
|
||||||
req.Email,
|
req.Email,
|
||||||
req.Challenge,
|
req.Challenge,
|
||||||
|
req.RememberMe,
|
||||||
)
|
)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "could not generate jwt")
|
return errors.Wrap(err, "could not generate jwt")
|
||||||
|
@ -67,13 +70,11 @@ func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) e
|
||||||
scheme = conf.HTTP.PublicScheme
|
scheme = conf.HTTP.PublicScheme
|
||||||
}
|
}
|
||||||
|
|
||||||
log.Println(req, scheme)
|
|
||||||
|
|
||||||
verificationLink := fmt.Sprintf("%s//%s/verify?token=%s", scheme, address, token)
|
verificationLink := fmt.Sprintf("%s//%s/verify?token=%s", scheme, address, token)
|
||||||
|
|
||||||
log.Println(verificationLink)
|
|
||||||
|
|
||||||
data := template.Data{
|
data := template.Data{
|
||||||
|
"ClientName": req.ClientName,
|
||||||
|
"ClientURI": req.ClientURI,
|
||||||
"BuildInfo": info,
|
"BuildInfo": info,
|
||||||
"VerificationLink": verificationLink,
|
"VerificationLink": verificationLink,
|
||||||
}
|
}
|
||||||
|
@ -92,7 +93,7 @@ func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) e
|
||||||
err = ml.Send(
|
err = ml.Send(
|
||||||
mail.WithSender(conf.SMTP.SenderAddress, conf.SMTP.SenderName),
|
mail.WithSender(conf.SMTP.SenderAddress, conf.SMTP.SenderName),
|
||||||
mail.WithRecipients(req.Email),
|
mail.WithRecipients(req.Email),
|
||||||
mail.WithSubject(fmt.Sprintf("[Authentification]")),
|
mail.WithSubject(fmt.Sprintf("[%s] Connexion", req.ClientName)),
|
||||||
mail.WithBody(mail.ContentTypeHTML, html, nil),
|
mail.WithBody(mail.ContentTypeHTML, html, nil),
|
||||||
mail.WithAlternativeBody(mail.ContentTypeText, "", nil),
|
mail.WithAlternativeBody(mail.ContentTypeText, "", nil),
|
||||||
)
|
)
|
||||||
|
|
|
@ -70,7 +70,57 @@ func (c *Client) RejectLoginRequest(challenge string, req *RejectRequest) (*Reje
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Client) LogoutRequest(challenge string) (*LogoutResponse, error) {
|
func (c *Client) LogoutRequest(challenge string) (*LogoutResponse, error) {
|
||||||
return nil, nil
|
u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout", url.Values{
|
||||||
|
"logout_challenge": []string{challenge},
|
||||||
|
})
|
||||||
|
|
||||||
|
res, err := c.http.Get(u)
|
||||||
|
if err != nil {
|
||||||
|
return nil, errors.Wrap(err, "could not retrieve logout response")
|
||||||
|
}
|
||||||
|
|
||||||
|
if res.StatusCode < http.StatusOK || res.StatusCode >= http.StatusBadRequest {
|
||||||
|
return nil, errors.Wrapf(ErrUnexpectedHydraResponse, "hydra responded with status code '%d'", res.StatusCode)
|
||||||
|
}
|
||||||
|
|
||||||
|
defer res.Body.Close()
|
||||||
|
|
||||||
|
decoder := json.NewDecoder(res.Body)
|
||||||
|
logoutRes := &LogoutResponse{}
|
||||||
|
|
||||||
|
if err := decoder.Decode(logoutRes); err != nil {
|
||||||
|
return nil, errors.Wrap(err, "could not decode json response")
|
||||||
|
}
|
||||||
|
|
||||||
|
return logoutRes, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Client) AcceptLogoutRequest(challenge string) (*AcceptResponse, error) {
|
||||||
|
u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout/accept", url.Values{
|
||||||
|
"logout_challenge": []string{challenge},
|
||||||
|
})
|
||||||
|
|
||||||
|
res := &AcceptResponse{}
|
||||||
|
|
||||||
|
if err := c.putJSON(u, nil, res); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return res, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func (c *Client) RejectLogoutRequest(challenge string, req *RejectRequest) (*RejectResponse, error) {
|
||||||
|
u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout/reject", url.Values{
|
||||||
|
"logout_challenge": []string{challenge},
|
||||||
|
})
|
||||||
|
|
||||||
|
res := &RejectResponse{}
|
||||||
|
|
||||||
|
if err := c.putJSON(u, req, res); err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
return res, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Client) ConsentRequest(challenge string) (*ConsentResponse, error) {
|
func (c *Client) ConsentRequest(challenge string) (*ConsentResponse, error) {
|
||||||
|
|
|
@ -5,8 +5,11 @@ type AcceptLoginRequest struct {
|
||||||
Remember bool `json:"remember"`
|
Remember bool `json:"remember"`
|
||||||
RememberFor int `json:"remember_for"`
|
RememberFor int `json:"remember_for"`
|
||||||
ACR string `json:"acr"`
|
ACR string `json:"acr"`
|
||||||
|
Context map[string]interface{} `json:"context"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type AcceptLogoutRequest struct{}
|
||||||
|
|
||||||
type AcceptConsentRequest struct {
|
type AcceptConsentRequest struct {
|
||||||
GrantScope []string `json:"grant_scope"`
|
GrantScope []string `json:"grant_scope"`
|
||||||
GrantAccessTokenAudience []string `json:"grant_access_token_audience"`
|
GrantAccessTokenAudience []string `json:"grant_access_token_audience"`
|
||||||
|
|
|
@ -68,6 +68,10 @@ type RejectResponse struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
type LogoutResponse struct {
|
type LogoutResponse struct {
|
||||||
|
Subject string `json:"subject"`
|
||||||
|
SessionID string `json:"sid"`
|
||||||
|
RPInitiated bool `json:"rp_initiated"`
|
||||||
|
RequestURL string `json:"request_url"`
|
||||||
}
|
}
|
||||||
|
|
||||||
type ConsentResponse struct {
|
type ConsentResponse struct {
|
||||||
|
@ -80,4 +84,5 @@ type ConsentResponse struct {
|
||||||
OidcContext OidcContextResponseFragment `json:"oidc_context"`
|
OidcContext OidcContextResponseFragment `json:"oidc_context"`
|
||||||
RequestedAccessTokenAudience []string `json:"requested_access_token_audience"`
|
RequestedAccessTokenAudience []string `json:"requested_access_token_audience"`
|
||||||
SessionID string `json:"session_id"`
|
SessionID string `json:"session_id"`
|
||||||
|
Context map[string]interface{} `json:"context"`
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,6 +17,7 @@ type VerifyUserRequest struct {
|
||||||
type VerifyUserData struct {
|
type VerifyUserData struct {
|
||||||
Email string
|
Email string
|
||||||
Challenge string
|
Challenge string
|
||||||
|
RememberMe bool
|
||||||
}
|
}
|
||||||
|
|
||||||
func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{}, error) {
|
func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{}, error) {
|
||||||
|
@ -28,7 +29,7 @@ func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{},
|
||||||
ctn := container.Must(ctx)
|
ctn := container.Must(ctx)
|
||||||
conf := config.Must(ctn)
|
conf := config.Must(ctn)
|
||||||
|
|
||||||
email, challenge, err := token.Verify(
|
email, challenge, rememberMe, err := token.Verify(
|
||||||
conf.HTTP.TokenSigningKey,
|
conf.HTTP.TokenSigningKey,
|
||||||
conf.HTTP.TokenEncryptionKey,
|
conf.HTTP.TokenEncryptionKey,
|
||||||
req.Token,
|
req.Token,
|
||||||
|
@ -41,6 +42,7 @@ func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{},
|
||||||
data := &VerifyUserData{
|
data := &VerifyUserData{
|
||||||
Email: email,
|
Email: email,
|
||||||
Challenge: challenge,
|
Challenge: challenge,
|
||||||
|
RememberMe: rememberMe,
|
||||||
}
|
}
|
||||||
|
|
||||||
return data, nil
|
return data, nil
|
||||||
|
|
|
@ -10,7 +10,6 @@ import (
|
||||||
|
|
||||||
func serveConsentPage(w http.ResponseWriter, r *http.Request) {
|
func serveConsentPage(w http.ResponseWriter, r *http.Request) {
|
||||||
ctn := container.Must(r.Context())
|
ctn := container.Must(r.Context())
|
||||||
//tmpl := template.Must(ctn)
|
|
||||||
hydr := hydra.Must(ctn)
|
hydr := hydra.Must(ctn)
|
||||||
|
|
||||||
challenge, err := hydr.ConsentChallenge(r)
|
challenge, err := hydr.ConsentChallenge(r)
|
||||||
|
@ -24,43 +23,29 @@ func serveConsentPage(w http.ResponseWriter, r *http.Request) {
|
||||||
panic(errors.Wrap(err, "could not retrieve consent challenge"))
|
panic(errors.Wrap(err, "could not retrieve consent challenge"))
|
||||||
}
|
}
|
||||||
|
|
||||||
res, err := hydr.ConsentRequest(challenge)
|
consentRes, err := hydr.ConsentRequest(challenge)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(errors.Wrap(err, "could not retrieve hydra consent response"))
|
panic(errors.Wrap(err, "could not retrieve hydra consent response"))
|
||||||
}
|
}
|
||||||
|
|
||||||
if res.Skip {
|
scopes := []string{"email"}
|
||||||
res, err := hydr.AcceptConsentRequest(challenge, &hydra.AcceptConsentRequest{
|
scopes = append(scopes, consentRes.RequestedScope...)
|
||||||
GrantScope: res.RequestedScope,
|
|
||||||
GrantAccessTokenAudience: res.RequestedAccessTokenAudience,
|
acceptConsentReq := &hydra.AcceptConsentRequest{
|
||||||
})
|
GrantScope: scopes,
|
||||||
|
GrantAccessTokenAudience: consentRes.RequestedAccessTokenAudience,
|
||||||
|
Session: hydra.AcceptConsentSession{
|
||||||
|
IDToken: map[string]interface{}{
|
||||||
|
"email": consentRes.Context["email"],
|
||||||
|
"email_verified": true,
|
||||||
|
},
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
acceptRes, err := hydr.AcceptConsentRequest(challenge, acceptConsentReq)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(errors.Wrap(err, "could not accept hydra consent request"))
|
panic(errors.Wrap(err, "could not accept hydra consent request"))
|
||||||
}
|
}
|
||||||
|
|
||||||
http.Redirect(w, r, res.RedirectTo, http.StatusTemporaryRedirect)
|
http.Redirect(w, r, acceptRes.RedirectTo, http.StatusTemporaryRedirect)
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
res2, err := hydr.AcceptConsentRequest(challenge, &hydra.AcceptConsentRequest{
|
|
||||||
GrantScope: res.RequestedScope,
|
|
||||||
GrantAccessTokenAudience: res.RequestedAccessTokenAudience,
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
panic(errors.Wrap(err, "could not accept hydra consent request"))
|
|
||||||
}
|
|
||||||
|
|
||||||
http.Redirect(w, r, res2.RedirectTo, http.StatusTemporaryRedirect)
|
|
||||||
|
|
||||||
// spew.Dump(res)
|
|
||||||
|
|
||||||
// data := extendTemplateData(w, r, template.Data{
|
|
||||||
// csrf.TemplateTag: csrf.TemplateField(r),
|
|
||||||
// "RequestedScope": res.RequestedScope,
|
|
||||||
// "ConsentChallenge": challenge,
|
|
||||||
// })
|
|
||||||
|
|
||||||
// if err := tmpl.RenderPage(w, "consent.html.tmpl", data); err != nil {
|
|
||||||
// panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
|
|
||||||
// }
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -22,3 +22,21 @@ func extendTemplateData(w http.ResponseWriter, r *http.Request, data template.Da
|
||||||
|
|
||||||
return data
|
return data
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func renderErrorPage(w http.ResponseWriter, r *http.Request, statusCode int, title, description string) error {
|
||||||
|
ctn := container.Must(r.Context())
|
||||||
|
tmpl := template.Must(ctn)
|
||||||
|
|
||||||
|
data := extendTemplateData(w, r, template.Data{
|
||||||
|
"ErrorTitle": title,
|
||||||
|
"ErrorDescription": description,
|
||||||
|
})
|
||||||
|
|
||||||
|
w.WriteHeader(statusCode)
|
||||||
|
|
||||||
|
if err := tmpl.RenderPage(w, "error.html.tmpl", data); err != nil {
|
||||||
|
return errors.Wrap(err, "could not render error page")
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
|
@ -0,0 +1,20 @@
|
||||||
|
package route
|
||||||
|
|
||||||
|
import (
|
||||||
|
"net/http"
|
||||||
|
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
"gitlab.com/wpetit/goweb/middleware/container"
|
||||||
|
"gitlab.com/wpetit/goweb/service/template"
|
||||||
|
)
|
||||||
|
|
||||||
|
func serveHomePage(w http.ResponseWriter, r *http.Request) {
|
||||||
|
ctn := container.Must(r.Context())
|
||||||
|
tmpl := template.Must(ctn)
|
||||||
|
|
||||||
|
data := extendTemplateData(w, r, template.Data{})
|
||||||
|
|
||||||
|
if err := tmpl.RenderPage(w, "home.html.tmpl", data); err != nil {
|
||||||
|
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
|
||||||
|
}
|
||||||
|
}
|
|
@ -21,7 +21,15 @@ func serveLoginPage(w http.ResponseWriter, r *http.Request) {
|
||||||
challenge, err := hydr.LoginChallenge(r)
|
challenge, err := hydr.LoginChallenge(r)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
if err == hydra.ErrChallengeNotFound {
|
if err == hydra.ErrChallengeNotFound {
|
||||||
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
err := renderErrorPage(
|
||||||
|
w, r,
|
||||||
|
http.StatusBadRequest,
|
||||||
|
"Requête invalide",
|
||||||
|
"Certaines informations requises afin de réaliser votre requête sont absentes.",
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
|
||||||
|
}
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -35,15 +43,20 @@ func serveLoginPage(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if res.Skip {
|
if res.Skip {
|
||||||
res, err := hydr.RejectLoginRequest(challenge, &hydra.RejectRequest{
|
accept := &hydra.AcceptLoginRequest{
|
||||||
Error: "email_not_validated",
|
Subject: res.Subject,
|
||||||
ErrorDescription: "The email adress could not be verified.",
|
Context: map[string]interface{}{
|
||||||
})
|
"email": res.Subject,
|
||||||
if err != nil {
|
},
|
||||||
panic(errors.Wrap(err, "could not reject hydra authentication request"))
|
|
||||||
}
|
}
|
||||||
|
|
||||||
http.Redirect(w, r, res.RedirectTo, http.StatusTemporaryRedirect)
|
res, err := hydr.AcceptLoginRequest(challenge, accept)
|
||||||
|
if err != nil {
|
||||||
|
panic(errors.Wrap(err, "could not retrieve hydra accept response"))
|
||||||
|
}
|
||||||
|
|
||||||
|
http.Redirect(w, r, res.RedirectTo, http.StatusSeeOther)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -53,6 +66,8 @@ func serveLoginPage(w http.ResponseWriter, r *http.Request) {
|
||||||
csrf.TemplateTag: csrf.TemplateField(r),
|
csrf.TemplateTag: csrf.TemplateField(r),
|
||||||
"LoginChallenge": challenge,
|
"LoginChallenge": challenge,
|
||||||
"Email": "",
|
"Email": "",
|
||||||
|
"ClientName": res.Client.ClientName,
|
||||||
|
"ClientURI": res.Client.ClientURI,
|
||||||
})
|
})
|
||||||
|
|
||||||
if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
|
if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
|
||||||
|
@ -64,6 +79,7 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
|
||||||
ctx := r.Context()
|
ctx := r.Context()
|
||||||
ctn := container.Must(ctx)
|
ctn := container.Must(ctx)
|
||||||
tmpl := template.Must(ctn)
|
tmpl := template.Must(ctn)
|
||||||
|
hydr := hydra.Must(ctn)
|
||||||
bus := cqrs.Must(ctn)
|
bus := cqrs.Must(ctn)
|
||||||
|
|
||||||
if err := r.ParseForm(); err != nil {
|
if err := r.ParseForm(); err != nil {
|
||||||
|
@ -72,9 +88,30 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
email := r.Form.Get("email")
|
|
||||||
challenge := r.Form.Get("challenge")
|
challenge := r.Form.Get("challenge")
|
||||||
|
|
||||||
|
if challenge == "" {
|
||||||
|
err := renderErrorPage(
|
||||||
|
w, r,
|
||||||
|
http.StatusBadRequest,
|
||||||
|
"Requête invalide",
|
||||||
|
"Certaines informations requises sont manquantes pour pouvoir réaliser votre requête.",
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
res, err := hydr.LoginRequest(challenge)
|
||||||
|
if err != nil {
|
||||||
|
panic(errors.Wrap(err, "could not retrieve hydra login response"))
|
||||||
|
}
|
||||||
|
|
||||||
|
email := r.Form.Get("email")
|
||||||
|
rememberMe := r.Form.Get("rememberMe")
|
||||||
|
|
||||||
renderFlashError := func(message string) {
|
renderFlashError := func(message string) {
|
||||||
sess, err := session.Must(ctn).Get(w, r)
|
sess, err := session.Must(ctn).Get(w, r)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -91,6 +128,8 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
|
||||||
csrf.TemplateTag: csrf.TemplateField(r),
|
csrf.TemplateTag: csrf.TemplateField(r),
|
||||||
"LoginChallenge": challenge,
|
"LoginChallenge": challenge,
|
||||||
"Email": email,
|
"Email": email,
|
||||||
|
"ClientName": res.Client.ClientName,
|
||||||
|
"ClientURI": res.Client.ClientURI,
|
||||||
})
|
})
|
||||||
|
|
||||||
if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
|
if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
|
||||||
|
@ -104,17 +143,14 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if challenge == "" {
|
|
||||||
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
|
||||||
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
cmd := &command.SendConfirmationEmailRequest{
|
cmd := &command.SendConfirmationEmailRequest{
|
||||||
Email: email,
|
Email: email,
|
||||||
Challenge: challenge,
|
Challenge: challenge,
|
||||||
DefaultScheme: r.URL.Scheme,
|
DefaultScheme: r.URL.Scheme,
|
||||||
DefaultAddress: r.Host,
|
DefaultAddress: r.Host,
|
||||||
|
RememberMe: rememberMe == "on",
|
||||||
|
ClientName: res.Client.ClientName,
|
||||||
|
ClientURI: res.Client.ClientURI,
|
||||||
}
|
}
|
||||||
if _, err := bus.Exec(ctx, cmd); err != nil {
|
if _, err := bus.Exec(ctx, cmd); err != nil {
|
||||||
panic(errors.Wrap(err, "could not execute command"))
|
panic(errors.Wrap(err, "could not execute command"))
|
||||||
|
|
|
@ -2,8 +2,36 @@ package route
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"net/http"
|
"net/http"
|
||||||
|
|
||||||
|
"forge.cadoles.com/wpetit/hydra-passwordless/internal/hydra"
|
||||||
|
"github.com/pkg/errors"
|
||||||
|
"gitlab.com/wpetit/goweb/middleware/container"
|
||||||
)
|
)
|
||||||
|
|
||||||
func serveLogoutPage(w http.ResponseWriter, r *http.Request) {
|
func serveLogoutPage(w http.ResponseWriter, r *http.Request) {
|
||||||
|
ctn := container.Must(r.Context())
|
||||||
|
hydr := hydra.Must(ctn)
|
||||||
|
|
||||||
|
challenge, err := hydr.LogoutChallenge(r)
|
||||||
|
if err != nil {
|
||||||
|
if err == hydra.ErrChallengeNotFound {
|
||||||
|
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
||||||
|
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
|
panic(errors.Wrap(err, "could not retrieve logout challenge"))
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = hydr.LogoutRequest(challenge)
|
||||||
|
if err != nil {
|
||||||
|
panic(errors.Wrap(err, "could not retrieve hydra logout response"))
|
||||||
|
}
|
||||||
|
|
||||||
|
acceptRes, err := hydr.AcceptLogoutRequest(challenge)
|
||||||
|
if err != nil {
|
||||||
|
panic(errors.Wrap(err, "could not retrieve hydra accept logout response"))
|
||||||
|
}
|
||||||
|
|
||||||
|
http.Redirect(w, r, acceptRes.RedirectTo, http.StatusSeeOther)
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,7 +23,7 @@ func Mount(r *chi.Mux, config *config.Config) error {
|
||||||
|
|
||||||
r.Group(func(r chi.Router) {
|
r.Group(func(r chi.Router) {
|
||||||
r.Use(csrfMiddleware)
|
r.Use(csrfMiddleware)
|
||||||
|
r.Get("/", serveHomePage)
|
||||||
r.Get("/login", serveLoginPage)
|
r.Get("/login", serveLoginPage)
|
||||||
r.Post("/login", handleLoginForm)
|
r.Post("/login", handleLoginForm)
|
||||||
r.Get("/logout", serveLogoutPage)
|
r.Get("/logout", serveLogoutPage)
|
||||||
|
|
|
@ -32,6 +32,18 @@ func handleVerification(w http.ResponseWriter, r *http.Request) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
logger.Error(ctx, "could not verify token", logger.E(err))
|
logger.Error(ctx, "could not verify token", logger.E(err))
|
||||||
|
|
||||||
|
err := renderErrorPage(
|
||||||
|
w, r,
|
||||||
|
http.StatusBadRequest,
|
||||||
|
"Lien invalide",
|
||||||
|
"Le lien de connexion utilisé est invalide ou a expiré.",
|
||||||
|
)
|
||||||
|
if err != nil {
|
||||||
|
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
|
||||||
|
}
|
||||||
|
|
||||||
|
return
|
||||||
|
|
||||||
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -44,6 +56,11 @@ func handleVerification(w http.ResponseWriter, r *http.Request) {
|
||||||
|
|
||||||
accept := &hydra.AcceptLoginRequest{
|
accept := &hydra.AcceptLoginRequest{
|
||||||
Subject: verifyUserData.Email,
|
Subject: verifyUserData.Email,
|
||||||
|
Remember: verifyUserData.RememberMe,
|
||||||
|
RememberFor: 3600,
|
||||||
|
Context: map[string]interface{}{
|
||||||
|
"email": verifyUserData.Email,
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
res, err := hydr.AcceptLoginRequest(verifyUserData.Challenge, accept)
|
res, err := hydr.AcceptLoginRequest(verifyUserData.Challenge, accept)
|
||||||
|
|
|
@ -12,9 +12,10 @@ const (
|
||||||
|
|
||||||
type privateClaims struct {
|
type privateClaims struct {
|
||||||
Challenge string `json:"challenge"`
|
Challenge string `json:"challenge"`
|
||||||
|
RememberMe bool `json:"remember"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func Generate(signingKey, encryptionKey, email, challenge string) (string, error) {
|
func Generate(signingKey, encryptionKey, email, challenge string, rememberMe bool) (string, error) {
|
||||||
sig, err := jose.NewSigner(
|
sig, err := jose.NewSigner(
|
||||||
jose.SigningKey{
|
jose.SigningKey{
|
||||||
Algorithm: jose.HS256,
|
Algorithm: jose.HS256,
|
||||||
|
@ -45,6 +46,7 @@ func Generate(signingKey, encryptionKey, email, challenge string) (string, error
|
||||||
|
|
||||||
privateClaims := privateClaims{
|
privateClaims := privateClaims{
|
||||||
Challenge: challenge,
|
Challenge: challenge,
|
||||||
|
RememberMe: rememberMe,
|
||||||
}
|
}
|
||||||
|
|
||||||
raw, err := jwt.SignedAndEncrypted(sig, enc).Claims(claims).Claims(privateClaims).CompactSerialize()
|
raw, err := jwt.SignedAndEncrypted(sig, enc).Claims(claims).Claims(privateClaims).CompactSerialize()
|
||||||
|
|
|
@ -5,23 +5,23 @@ import (
|
||||||
"gopkg.in/square/go-jose.v2/jwt"
|
"gopkg.in/square/go-jose.v2/jwt"
|
||||||
)
|
)
|
||||||
|
|
||||||
func Verify(signingKey, encryptionKey, raw string) (string, string, error) {
|
func Verify(signingKey, encryptionKey, raw string) (string, string, bool, error) {
|
||||||
token, err := jwt.ParseSignedAndEncrypted(raw)
|
token, err := jwt.ParseSignedAndEncrypted(raw)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", "", errors.Wrap(err, "could not parse token")
|
return "", "", false, errors.Wrap(err, "could not parse token")
|
||||||
}
|
}
|
||||||
|
|
||||||
nested, err := token.Decrypt([]byte(encryptionKey))
|
nested, err := token.Decrypt([]byte(encryptionKey))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return "", "", errors.Wrap(err, "could not decrypt token")
|
return "", "", false, errors.Wrap(err, "could not decrypt token")
|
||||||
}
|
}
|
||||||
|
|
||||||
baseClaims := jwt.Claims{}
|
baseClaims := jwt.Claims{}
|
||||||
privateClaims := privateClaims{}
|
privateClaims := privateClaims{}
|
||||||
|
|
||||||
if err := nested.Claims([]byte(signingKey), &baseClaims, &privateClaims); err != nil {
|
if err := nested.Claims([]byte(signingKey), &baseClaims, &privateClaims); err != nil {
|
||||||
return "", "", errors.Wrap(err, "could not validate claims")
|
return "", "", false, errors.Wrap(err, "could not validate claims")
|
||||||
}
|
}
|
||||||
|
|
||||||
return baseClaims.Subject, privateClaims.Challenge, nil
|
return baseClaims.Subject, privateClaims.Challenge, privateClaims.RememberMe, nil
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue