Basic logout flow and better UX
This commit is contained in:
parent
44338f06e3
commit
2851c879b6
4
Makefile
4
Makefile
|
@ -34,7 +34,9 @@ create-default-client:
|
|||
hydra \
|
||||
hydra clients create \
|
||||
-c http://localhost:3002/oauth2/callback \
|
||||
--post-logout-callbacks http://localhost:3002
|
||||
--post-logout-callbacks http://localhost:3002 \
|
||||
-n "Default App" \
|
||||
-a "openid" -a "email"
|
||||
|
||||
|
||||
list-clients:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{{define "title"}}Connexion{{end}}
|
||||
{{define "title"}}Courriel envoyé.{{end}}
|
||||
{{define "body"}}
|
||||
<section class="hero is-fullheight">
|
||||
<div class="hero-body">
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
{{define "title"}}Erreur{{end}}
|
||||
{{define "body"}}
|
||||
<section class="hero is-fullheight">
|
||||
<div class="hero-body">
|
||||
<div class="container">
|
||||
<div class="columns">
|
||||
<div class="column is-4 is-offset-4">
|
||||
<div class="message is-danger">
|
||||
<div class="message-body">
|
||||
<p class="title is-size-4 has-text-danger">{{ .ErrorTitle }}</p>
|
||||
<p>{{ .ErrorDescription }}</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</section>
|
||||
{{end}}
|
||||
{{template "base" .}}
|
|
@ -0,0 +1,22 @@
|
|||
{{define "title"}}Connexion{{end}}
|
||||
{{define "body"}}
|
||||
<section class="hero is-fullheight">
|
||||
<div class="hero-body">
|
||||
<div class="container has-text-centered">
|
||||
<div class="columns">
|
||||
<div class="column is-4 is-offset-4">
|
||||
<p class="has-text-black title">
|
||||
Hydra Password<span class="has-text-grey">less</span>
|
||||
</p>
|
||||
<p class="is-size-7">
|
||||
Version: {{ .BuildInfo.ProjectVersion }} |
|
||||
Réf.: {{ .BuildInfo.GitRef }} |
|
||||
Date de construction: {{ .BuildInfo.BuildDate }}
|
||||
</p>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
</section>
|
||||
{{end}}
|
||||
{{template "base" .}}
|
|
@ -7,7 +7,7 @@
|
|||
<div class="column is-4 is-offset-4">
|
||||
{{template "flash" .}}
|
||||
<p class="has-text-black title">
|
||||
Connexion
|
||||
Connexion à <a href="{{.ClientURI }}" class="has-text-info">{{ .ClientName }}</a>
|
||||
</p>
|
||||
<p class="has-text-black subtitle">
|
||||
Veuillez entrer votre adresse courriel.
|
||||
|
@ -21,6 +21,14 @@
|
|||
name="email" placeholder="john.doe@email.com" />
|
||||
</div>
|
||||
</div>
|
||||
<div class="field is-grouped is-grouped-right">
|
||||
<p class="control">
|
||||
<label class="checkbox">
|
||||
<input type="checkbox" name="rememberMe">
|
||||
Se souvenir de moi
|
||||
</label>
|
||||
</p>
|
||||
</div>
|
||||
{{ .csrfField }}
|
||||
<input name="challenge" type="hidden" value="{{ .LoginChallenge }}" />
|
||||
<button type="submit" class="button is-link is-medium is-block is-fullwidth">Envoyer</button>
|
||||
|
|
|
@ -4,8 +4,8 @@
|
|||
<table border="0" cellpadding="0" cellspacing="0">
|
||||
<tr>
|
||||
<td>
|
||||
<p>Bonjour {{ .Email }}</p>
|
||||
<p>Vous avez demandé à accéder à l'application "{{ .AppTitle }}". Cliquez sur le lien ci dessous pour vous authentifier. </p>
|
||||
<p>Bonjour,</p>
|
||||
<p>Vous avez demandé à accéder à l'application <a href="{{ .ClientURI }}">"{{ .ClientName }}"</a>. Cliquez sur le lien ci dessous pour vous authentifier. </p>
|
||||
<table border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
|
||||
<tbody>
|
||||
<tr>
|
||||
|
|
|
@ -16,6 +16,10 @@ services:
|
|||
DSN: mysql://hydra:hydra@tcp(mysql:3306)/hydra
|
||||
URLS_LOGIN: http://localhost:3000/login
|
||||
URLS_CONSENT: http://localhost:3000/consent
|
||||
URLS_LOGOUT: http://localhost:3000/logout
|
||||
SUPPORTED_SCOPES: email
|
||||
SUPPORTED_CLAIMS: email,email_verified
|
||||
SECRETS_SYSTEM: fAAya66yXNib52lbXpo16bxy1jD4NZrX
|
||||
ports:
|
||||
- 4444:4444
|
||||
- 4445:4445
|
||||
|
|
|
@ -4,7 +4,6 @@ import (
|
|||
"bytes"
|
||||
"context"
|
||||
"fmt"
|
||||
"log"
|
||||
|
||||
"forge.cadoles.com/wpetit/hydra-passwordless/internal/config"
|
||||
"forge.cadoles.com/wpetit/hydra-passwordless/internal/hydra"
|
||||
|
@ -23,6 +22,9 @@ type SendConfirmationEmailRequest struct {
|
|||
Challenge string
|
||||
DefaultScheme string
|
||||
DefaultAddress string
|
||||
RememberMe bool
|
||||
ClientName string
|
||||
ClientURI string
|
||||
}
|
||||
|
||||
func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) error {
|
||||
|
@ -48,6 +50,7 @@ func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) e
|
|||
conf.HTTP.TokenEncryptionKey,
|
||||
req.Email,
|
||||
req.Challenge,
|
||||
req.RememberMe,
|
||||
)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "could not generate jwt")
|
||||
|
@ -67,13 +70,11 @@ func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) e
|
|||
scheme = conf.HTTP.PublicScheme
|
||||
}
|
||||
|
||||
log.Println(req, scheme)
|
||||
|
||||
verificationLink := fmt.Sprintf("%s//%s/verify?token=%s", scheme, address, token)
|
||||
|
||||
log.Println(verificationLink)
|
||||
|
||||
data := template.Data{
|
||||
"ClientName": req.ClientName,
|
||||
"ClientURI": req.ClientURI,
|
||||
"BuildInfo": info,
|
||||
"VerificationLink": verificationLink,
|
||||
}
|
||||
|
@ -92,7 +93,7 @@ func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) e
|
|||
err = ml.Send(
|
||||
mail.WithSender(conf.SMTP.SenderAddress, conf.SMTP.SenderName),
|
||||
mail.WithRecipients(req.Email),
|
||||
mail.WithSubject(fmt.Sprintf("[Authentification]")),
|
||||
mail.WithSubject(fmt.Sprintf("[%s] Connexion", req.ClientName)),
|
||||
mail.WithBody(mail.ContentTypeHTML, html, nil),
|
||||
mail.WithAlternativeBody(mail.ContentTypeText, "", nil),
|
||||
)
|
||||
|
|
|
@ -70,7 +70,57 @@ func (c *Client) RejectLoginRequest(challenge string, req *RejectRequest) (*Reje
|
|||
}
|
||||
|
||||
func (c *Client) LogoutRequest(challenge string) (*LogoutResponse, error) {
|
||||
return nil, nil
|
||||
u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout", url.Values{
|
||||
"logout_challenge": []string{challenge},
|
||||
})
|
||||
|
||||
res, err := c.http.Get(u)
|
||||
if err != nil {
|
||||
return nil, errors.Wrap(err, "could not retrieve logout response")
|
||||
}
|
||||
|
||||
if res.StatusCode < http.StatusOK || res.StatusCode >= http.StatusBadRequest {
|
||||
return nil, errors.Wrapf(ErrUnexpectedHydraResponse, "hydra responded with status code '%d'", res.StatusCode)
|
||||
}
|
||||
|
||||
defer res.Body.Close()
|
||||
|
||||
decoder := json.NewDecoder(res.Body)
|
||||
logoutRes := &LogoutResponse{}
|
||||
|
||||
if err := decoder.Decode(logoutRes); err != nil {
|
||||
return nil, errors.Wrap(err, "could not decode json response")
|
||||
}
|
||||
|
||||
return logoutRes, nil
|
||||
}
|
||||
|
||||
func (c *Client) AcceptLogoutRequest(challenge string) (*AcceptResponse, error) {
|
||||
u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout/accept", url.Values{
|
||||
"logout_challenge": []string{challenge},
|
||||
})
|
||||
|
||||
res := &AcceptResponse{}
|
||||
|
||||
if err := c.putJSON(u, nil, res); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return res, nil
|
||||
}
|
||||
|
||||
func (c *Client) RejectLogoutRequest(challenge string, req *RejectRequest) (*RejectResponse, error) {
|
||||
u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout/reject", url.Values{
|
||||
"logout_challenge": []string{challenge},
|
||||
})
|
||||
|
||||
res := &RejectResponse{}
|
||||
|
||||
if err := c.putJSON(u, req, res); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return res, nil
|
||||
}
|
||||
|
||||
func (c *Client) ConsentRequest(challenge string) (*ConsentResponse, error) {
|
||||
|
|
|
@ -5,8 +5,11 @@ type AcceptLoginRequest struct {
|
|||
Remember bool `json:"remember"`
|
||||
RememberFor int `json:"remember_for"`
|
||||
ACR string `json:"acr"`
|
||||
Context map[string]interface{} `json:"context"`
|
||||
}
|
||||
|
||||
type AcceptLogoutRequest struct{}
|
||||
|
||||
type AcceptConsentRequest struct {
|
||||
GrantScope []string `json:"grant_scope"`
|
||||
GrantAccessTokenAudience []string `json:"grant_access_token_audience"`
|
||||
|
|
|
@ -68,6 +68,10 @@ type RejectResponse struct {
|
|||
}
|
||||
|
||||
type LogoutResponse struct {
|
||||
Subject string `json:"subject"`
|
||||
SessionID string `json:"sid"`
|
||||
RPInitiated bool `json:"rp_initiated"`
|
||||
RequestURL string `json:"request_url"`
|
||||
}
|
||||
|
||||
type ConsentResponse struct {
|
||||
|
@ -80,4 +84,5 @@ type ConsentResponse struct {
|
|||
OidcContext OidcContextResponseFragment `json:"oidc_context"`
|
||||
RequestedAccessTokenAudience []string `json:"requested_access_token_audience"`
|
||||
SessionID string `json:"session_id"`
|
||||
Context map[string]interface{} `json:"context"`
|
||||
}
|
||||
|
|
|
@ -17,6 +17,7 @@ type VerifyUserRequest struct {
|
|||
type VerifyUserData struct {
|
||||
Email string
|
||||
Challenge string
|
||||
RememberMe bool
|
||||
}
|
||||
|
||||
func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{}, error) {
|
||||
|
@ -28,7 +29,7 @@ func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{},
|
|||
ctn := container.Must(ctx)
|
||||
conf := config.Must(ctn)
|
||||
|
||||
email, challenge, err := token.Verify(
|
||||
email, challenge, rememberMe, err := token.Verify(
|
||||
conf.HTTP.TokenSigningKey,
|
||||
conf.HTTP.TokenEncryptionKey,
|
||||
req.Token,
|
||||
|
@ -41,6 +42,7 @@ func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{},
|
|||
data := &VerifyUserData{
|
||||
Email: email,
|
||||
Challenge: challenge,
|
||||
RememberMe: rememberMe,
|
||||
}
|
||||
|
||||
return data, nil
|
||||
|
|
|
@ -10,7 +10,6 @@ import (
|
|||
|
||||
func serveConsentPage(w http.ResponseWriter, r *http.Request) {
|
||||
ctn := container.Must(r.Context())
|
||||
//tmpl := template.Must(ctn)
|
||||
hydr := hydra.Must(ctn)
|
||||
|
||||
challenge, err := hydr.ConsentChallenge(r)
|
||||
|
@ -24,43 +23,29 @@ func serveConsentPage(w http.ResponseWriter, r *http.Request) {
|
|||
panic(errors.Wrap(err, "could not retrieve consent challenge"))
|
||||
}
|
||||
|
||||
res, err := hydr.ConsentRequest(challenge)
|
||||
consentRes, err := hydr.ConsentRequest(challenge)
|
||||
if err != nil {
|
||||
panic(errors.Wrap(err, "could not retrieve hydra consent response"))
|
||||
}
|
||||
|
||||
if res.Skip {
|
||||
res, err := hydr.AcceptConsentRequest(challenge, &hydra.AcceptConsentRequest{
|
||||
GrantScope: res.RequestedScope,
|
||||
GrantAccessTokenAudience: res.RequestedAccessTokenAudience,
|
||||
})
|
||||
scopes := []string{"email"}
|
||||
scopes = append(scopes, consentRes.RequestedScope...)
|
||||
|
||||
acceptConsentReq := &hydra.AcceptConsentRequest{
|
||||
GrantScope: scopes,
|
||||
GrantAccessTokenAudience: consentRes.RequestedAccessTokenAudience,
|
||||
Session: hydra.AcceptConsentSession{
|
||||
IDToken: map[string]interface{}{
|
||||
"email": consentRes.Context["email"],
|
||||
"email_verified": true,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
acceptRes, err := hydr.AcceptConsentRequest(challenge, acceptConsentReq)
|
||||
if err != nil {
|
||||
panic(errors.Wrap(err, "could not accept hydra consent request"))
|
||||
}
|
||||
|
||||
http.Redirect(w, r, res.RedirectTo, http.StatusTemporaryRedirect)
|
||||
return
|
||||
}
|
||||
|
||||
res2, err := hydr.AcceptConsentRequest(challenge, &hydra.AcceptConsentRequest{
|
||||
GrantScope: res.RequestedScope,
|
||||
GrantAccessTokenAudience: res.RequestedAccessTokenAudience,
|
||||
})
|
||||
if err != nil {
|
||||
panic(errors.Wrap(err, "could not accept hydra consent request"))
|
||||
}
|
||||
|
||||
http.Redirect(w, r, res2.RedirectTo, http.StatusTemporaryRedirect)
|
||||
|
||||
// spew.Dump(res)
|
||||
|
||||
// data := extendTemplateData(w, r, template.Data{
|
||||
// csrf.TemplateTag: csrf.TemplateField(r),
|
||||
// "RequestedScope": res.RequestedScope,
|
||||
// "ConsentChallenge": challenge,
|
||||
// })
|
||||
|
||||
// if err := tmpl.RenderPage(w, "consent.html.tmpl", data); err != nil {
|
||||
// panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
|
||||
// }
|
||||
http.Redirect(w, r, acceptRes.RedirectTo, http.StatusTemporaryRedirect)
|
||||
}
|
||||
|
|
|
@ -22,3 +22,21 @@ func extendTemplateData(w http.ResponseWriter, r *http.Request, data template.Da
|
|||
|
||||
return data
|
||||
}
|
||||
|
||||
func renderErrorPage(w http.ResponseWriter, r *http.Request, statusCode int, title, description string) error {
|
||||
ctn := container.Must(r.Context())
|
||||
tmpl := template.Must(ctn)
|
||||
|
||||
data := extendTemplateData(w, r, template.Data{
|
||||
"ErrorTitle": title,
|
||||
"ErrorDescription": description,
|
||||
})
|
||||
|
||||
w.WriteHeader(statusCode)
|
||||
|
||||
if err := tmpl.RenderPage(w, "error.html.tmpl", data); err != nil {
|
||||
return errors.Wrap(err, "could not render error page")
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
|
|
@ -0,0 +1,20 @@
|
|||
package route
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"github.com/pkg/errors"
|
||||
"gitlab.com/wpetit/goweb/middleware/container"
|
||||
"gitlab.com/wpetit/goweb/service/template"
|
||||
)
|
||||
|
||||
func serveHomePage(w http.ResponseWriter, r *http.Request) {
|
||||
ctn := container.Must(r.Context())
|
||||
tmpl := template.Must(ctn)
|
||||
|
||||
data := extendTemplateData(w, r, template.Data{})
|
||||
|
||||
if err := tmpl.RenderPage(w, "home.html.tmpl", data); err != nil {
|
||||
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
|
||||
}
|
||||
}
|
|
@ -21,7 +21,15 @@ func serveLoginPage(w http.ResponseWriter, r *http.Request) {
|
|||
challenge, err := hydr.LoginChallenge(r)
|
||||
if err != nil {
|
||||
if err == hydra.ErrChallengeNotFound {
|
||||
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
||||
err := renderErrorPage(
|
||||
w, r,
|
||||
http.StatusBadRequest,
|
||||
"Requête invalide",
|
||||
"Certaines informations requises afin de réaliser votre requête sont absentes.",
|
||||
)
|
||||
if err != nil {
|
||||
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
@ -35,15 +43,20 @@ func serveLoginPage(w http.ResponseWriter, r *http.Request) {
|
|||
}
|
||||
|
||||
if res.Skip {
|
||||
res, err := hydr.RejectLoginRequest(challenge, &hydra.RejectRequest{
|
||||
Error: "email_not_validated",
|
||||
ErrorDescription: "The email adress could not be verified.",
|
||||
})
|
||||
if err != nil {
|
||||
panic(errors.Wrap(err, "could not reject hydra authentication request"))
|
||||
accept := &hydra.AcceptLoginRequest{
|
||||
Subject: res.Subject,
|
||||
Context: map[string]interface{}{
|
||||
"email": res.Subject,
|
||||
},
|
||||
}
|
||||
|
||||
http.Redirect(w, r, res.RedirectTo, http.StatusTemporaryRedirect)
|
||||
res, err := hydr.AcceptLoginRequest(challenge, accept)
|
||||
if err != nil {
|
||||
panic(errors.Wrap(err, "could not retrieve hydra accept response"))
|
||||
}
|
||||
|
||||
http.Redirect(w, r, res.RedirectTo, http.StatusSeeOther)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -53,6 +66,8 @@ func serveLoginPage(w http.ResponseWriter, r *http.Request) {
|
|||
csrf.TemplateTag: csrf.TemplateField(r),
|
||||
"LoginChallenge": challenge,
|
||||
"Email": "",
|
||||
"ClientName": res.Client.ClientName,
|
||||
"ClientURI": res.Client.ClientURI,
|
||||
})
|
||||
|
||||
if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
|
||||
|
@ -64,6 +79,7 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
|
|||
ctx := r.Context()
|
||||
ctn := container.Must(ctx)
|
||||
tmpl := template.Must(ctn)
|
||||
hydr := hydra.Must(ctn)
|
||||
bus := cqrs.Must(ctn)
|
||||
|
||||
if err := r.ParseForm(); err != nil {
|
||||
|
@ -72,9 +88,30 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
email := r.Form.Get("email")
|
||||
challenge := r.Form.Get("challenge")
|
||||
|
||||
if challenge == "" {
|
||||
err := renderErrorPage(
|
||||
w, r,
|
||||
http.StatusBadRequest,
|
||||
"Requête invalide",
|
||||
"Certaines informations requises sont manquantes pour pouvoir réaliser votre requête.",
|
||||
)
|
||||
if err != nil {
|
||||
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
res, err := hydr.LoginRequest(challenge)
|
||||
if err != nil {
|
||||
panic(errors.Wrap(err, "could not retrieve hydra login response"))
|
||||
}
|
||||
|
||||
email := r.Form.Get("email")
|
||||
rememberMe := r.Form.Get("rememberMe")
|
||||
|
||||
renderFlashError := func(message string) {
|
||||
sess, err := session.Must(ctn).Get(w, r)
|
||||
if err != nil {
|
||||
|
@ -91,6 +128,8 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
|
|||
csrf.TemplateTag: csrf.TemplateField(r),
|
||||
"LoginChallenge": challenge,
|
||||
"Email": email,
|
||||
"ClientName": res.Client.ClientName,
|
||||
"ClientURI": res.Client.ClientURI,
|
||||
})
|
||||
|
||||
if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
|
||||
|
@ -104,17 +143,14 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
|
|||
return
|
||||
}
|
||||
|
||||
if challenge == "" {
|
||||
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
cmd := &command.SendConfirmationEmailRequest{
|
||||
Email: email,
|
||||
Challenge: challenge,
|
||||
DefaultScheme: r.URL.Scheme,
|
||||
DefaultAddress: r.Host,
|
||||
RememberMe: rememberMe == "on",
|
||||
ClientName: res.Client.ClientName,
|
||||
ClientURI: res.Client.ClientURI,
|
||||
}
|
||||
if _, err := bus.Exec(ctx, cmd); err != nil {
|
||||
panic(errors.Wrap(err, "could not execute command"))
|
||||
|
|
|
@ -2,8 +2,36 @@ package route
|
|||
|
||||
import (
|
||||
"net/http"
|
||||
|
||||
"forge.cadoles.com/wpetit/hydra-passwordless/internal/hydra"
|
||||
"github.com/pkg/errors"
|
||||
"gitlab.com/wpetit/goweb/middleware/container"
|
||||
)
|
||||
|
||||
func serveLogoutPage(w http.ResponseWriter, r *http.Request) {
|
||||
ctn := container.Must(r.Context())
|
||||
hydr := hydra.Must(ctn)
|
||||
|
||||
challenge, err := hydr.LogoutChallenge(r)
|
||||
if err != nil {
|
||||
if err == hydra.ErrChallengeNotFound {
|
||||
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
panic(errors.Wrap(err, "could not retrieve logout challenge"))
|
||||
}
|
||||
|
||||
_, err = hydr.LogoutRequest(challenge)
|
||||
if err != nil {
|
||||
panic(errors.Wrap(err, "could not retrieve hydra logout response"))
|
||||
}
|
||||
|
||||
acceptRes, err := hydr.AcceptLogoutRequest(challenge)
|
||||
if err != nil {
|
||||
panic(errors.Wrap(err, "could not retrieve hydra accept logout response"))
|
||||
}
|
||||
|
||||
http.Redirect(w, r, acceptRes.RedirectTo, http.StatusSeeOther)
|
||||
}
|
||||
|
|
|
@ -23,7 +23,7 @@ func Mount(r *chi.Mux, config *config.Config) error {
|
|||
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(csrfMiddleware)
|
||||
|
||||
r.Get("/", serveHomePage)
|
||||
r.Get("/login", serveLoginPage)
|
||||
r.Post("/login", handleLoginForm)
|
||||
r.Get("/logout", serveLogoutPage)
|
||||
|
|
|
@ -32,6 +32,18 @@ func handleVerification(w http.ResponseWriter, r *http.Request) {
|
|||
if err != nil {
|
||||
logger.Error(ctx, "could not verify token", logger.E(err))
|
||||
|
||||
err := renderErrorPage(
|
||||
w, r,
|
||||
http.StatusBadRequest,
|
||||
"Lien invalide",
|
||||
"Le lien de connexion utilisé est invalide ou a expiré.",
|
||||
)
|
||||
if err != nil {
|
||||
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
|
||||
}
|
||||
|
||||
return
|
||||
|
||||
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
||||
}
|
||||
|
||||
|
@ -44,6 +56,11 @@ func handleVerification(w http.ResponseWriter, r *http.Request) {
|
|||
|
||||
accept := &hydra.AcceptLoginRequest{
|
||||
Subject: verifyUserData.Email,
|
||||
Remember: verifyUserData.RememberMe,
|
||||
RememberFor: 3600,
|
||||
Context: map[string]interface{}{
|
||||
"email": verifyUserData.Email,
|
||||
},
|
||||
}
|
||||
|
||||
res, err := hydr.AcceptLoginRequest(verifyUserData.Challenge, accept)
|
||||
|
|
|
@ -12,9 +12,10 @@ const (
|
|||
|
||||
type privateClaims struct {
|
||||
Challenge string `json:"challenge"`
|
||||
RememberMe bool `json:"remember"`
|
||||
}
|
||||
|
||||
func Generate(signingKey, encryptionKey, email, challenge string) (string, error) {
|
||||
func Generate(signingKey, encryptionKey, email, challenge string, rememberMe bool) (string, error) {
|
||||
sig, err := jose.NewSigner(
|
||||
jose.SigningKey{
|
||||
Algorithm: jose.HS256,
|
||||
|
@ -45,6 +46,7 @@ func Generate(signingKey, encryptionKey, email, challenge string) (string, error
|
|||
|
||||
privateClaims := privateClaims{
|
||||
Challenge: challenge,
|
||||
RememberMe: rememberMe,
|
||||
}
|
||||
|
||||
raw, err := jwt.SignedAndEncrypted(sig, enc).Claims(claims).Claims(privateClaims).CompactSerialize()
|
||||
|
|
|
@ -5,23 +5,23 @@ import (
|
|||
"gopkg.in/square/go-jose.v2/jwt"
|
||||
)
|
||||
|
||||
func Verify(signingKey, encryptionKey, raw string) (string, string, error) {
|
||||
func Verify(signingKey, encryptionKey, raw string) (string, string, bool, error) {
|
||||
token, err := jwt.ParseSignedAndEncrypted(raw)
|
||||
if err != nil {
|
||||
return "", "", errors.Wrap(err, "could not parse token")
|
||||
return "", "", false, errors.Wrap(err, "could not parse token")
|
||||
}
|
||||
|
||||
nested, err := token.Decrypt([]byte(encryptionKey))
|
||||
if err != nil {
|
||||
return "", "", errors.Wrap(err, "could not decrypt token")
|
||||
return "", "", false, errors.Wrap(err, "could not decrypt token")
|
||||
}
|
||||
|
||||
baseClaims := jwt.Claims{}
|
||||
privateClaims := privateClaims{}
|
||||
|
||||
if err := nested.Claims([]byte(signingKey), &baseClaims, &privateClaims); err != nil {
|
||||
return "", "", errors.Wrap(err, "could not validate claims")
|
||||
return "", "", false, errors.Wrap(err, "could not validate claims")
|
||||
}
|
||||
|
||||
return baseClaims.Subject, privateClaims.Challenge, nil
|
||||
return baseClaims.Subject, privateClaims.Challenge, privateClaims.RememberMe, nil
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue