Basic logout flow and better UX

This commit is contained in:
wpetit 2020-05-26 11:11:53 +02:00
parent 44338f06e3
commit 2851c879b6
21 changed files with 298 additions and 75 deletions

View File

@ -34,7 +34,9 @@ create-default-client:
hydra \
hydra clients create \
-c http://localhost:3002/oauth2/callback \
--post-logout-callbacks http://localhost:3002
--post-logout-callbacks http://localhost:3002 \
-n "Default App" \
-a "openid" -a "email"
list-clients:

View File

@ -1,4 +1,4 @@
{{define "title"}}Connexion{{end}}
{{define "title"}}Courriel envoyé.{{end}}
{{define "body"}}
<section class="hero is-fullheight">
<div class="hero-body">

View File

@ -0,0 +1,20 @@
{{define "title"}}Erreur{{end}}
{{define "body"}}
<section class="hero is-fullheight">
<div class="hero-body">
<div class="container">
<div class="columns">
<div class="column is-4 is-offset-4">
<div class="message is-danger">
<div class="message-body">
<p class="title is-size-4 has-text-danger">{{ .ErrorTitle }}</p>
<p>{{ .ErrorDescription }}</p>
</div>
</div>
</div>
</div>
</div>
</div>
</section>
{{end}}
{{template "base" .}}

View File

@ -0,0 +1,22 @@
{{define "title"}}Connexion{{end}}
{{define "body"}}
<section class="hero is-fullheight">
<div class="hero-body">
<div class="container has-text-centered">
<div class="columns">
<div class="column is-4 is-offset-4">
<p class="has-text-black title">
Hydra Password<span class="has-text-grey">less</span>
</p>
<p class="is-size-7">
Version: {{ .BuildInfo.ProjectVersion }} |
Réf.: {{ .BuildInfo.GitRef }} |
Date de construction: {{ .BuildInfo.BuildDate }}
</p>
</div>
</div>
</div>
</div>
</section>
{{end}}
{{template "base" .}}

View File

@ -7,7 +7,7 @@
<div class="column is-4 is-offset-4">
{{template "flash" .}}
<p class="has-text-black title">
Connexion
Connexion à <a href="{{.ClientURI }}" class="has-text-info">{{ .ClientName }}</a>
</p>
<p class="has-text-black subtitle">
Veuillez entrer votre adresse courriel.
@ -21,6 +21,14 @@
name="email" placeholder="john.doe@email.com" />
</div>
</div>
<div class="field is-grouped is-grouped-right">
<p class="control">
<label class="checkbox">
<input type="checkbox" name="rememberMe">
Se souvenir de moi
</label>
</p>
</div>
{{ .csrfField }}
<input name="challenge" type="hidden" value="{{ .LoginChallenge }}" />
<button type="submit" class="button is-link is-medium is-block is-fullwidth">Envoyer</button>

View File

@ -4,8 +4,8 @@
<table border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<p>Bonjour {{ .Email }}</p>
<p>Vous avez demandé à accéder à l'application "{{ .AppTitle }}". Cliquez sur le lien ci dessous pour vous authentifier. </p>
<p>Bonjour,</p>
<p>Vous avez demandé à accéder à l'application <a href="{{ .ClientURI }}">"{{ .ClientName }}"</a>. Cliquez sur le lien ci dessous pour vous authentifier. </p>
<table border="0" cellpadding="0" cellspacing="0" class="btn btn-primary">
<tbody>
<tr>

View File

@ -16,6 +16,10 @@ services:
DSN: mysql://hydra:hydra@tcp(mysql:3306)/hydra
URLS_LOGIN: http://localhost:3000/login
URLS_CONSENT: http://localhost:3000/consent
URLS_LOGOUT: http://localhost:3000/logout
SUPPORTED_SCOPES: email
SUPPORTED_CLAIMS: email,email_verified
SECRETS_SYSTEM: fAAya66yXNib52lbXpo16bxy1jD4NZrX
ports:
- 4444:4444
- 4445:4445

View File

@ -4,7 +4,6 @@ import (
"bytes"
"context"
"fmt"
"log"
"forge.cadoles.com/wpetit/hydra-passwordless/internal/config"
"forge.cadoles.com/wpetit/hydra-passwordless/internal/hydra"
@ -23,6 +22,9 @@ type SendConfirmationEmailRequest struct {
Challenge string
DefaultScheme string
DefaultAddress string
RememberMe bool
ClientName string
ClientURI string
}
func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) error {
@ -48,6 +50,7 @@ func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) e
conf.HTTP.TokenEncryptionKey,
req.Email,
req.Challenge,
req.RememberMe,
)
if err != nil {
return errors.Wrap(err, "could not generate jwt")
@ -67,13 +70,11 @@ func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) e
scheme = conf.HTTP.PublicScheme
}
log.Println(req, scheme)
verificationLink := fmt.Sprintf("%s//%s/verify?token=%s", scheme, address, token)
log.Println(verificationLink)
data := template.Data{
"ClientName": req.ClientName,
"ClientURI": req.ClientURI,
"BuildInfo": info,
"VerificationLink": verificationLink,
}
@ -92,7 +93,7 @@ func HandleSendConfirmationEmailRequest(ctx context.Context, cmd cqrs.Command) e
err = ml.Send(
mail.WithSender(conf.SMTP.SenderAddress, conf.SMTP.SenderName),
mail.WithRecipients(req.Email),
mail.WithSubject(fmt.Sprintf("[Authentification]")),
mail.WithSubject(fmt.Sprintf("[%s] Connexion", req.ClientName)),
mail.WithBody(mail.ContentTypeHTML, html, nil),
mail.WithAlternativeBody(mail.ContentTypeText, "", nil),
)

View File

@ -70,7 +70,57 @@ func (c *Client) RejectLoginRequest(challenge string, req *RejectRequest) (*Reje
}
func (c *Client) LogoutRequest(challenge string) (*LogoutResponse, error) {
return nil, nil
u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout", url.Values{
"logout_challenge": []string{challenge},
})
res, err := c.http.Get(u)
if err != nil {
return nil, errors.Wrap(err, "could not retrieve logout response")
}
if res.StatusCode < http.StatusOK || res.StatusCode >= http.StatusBadRequest {
return nil, errors.Wrapf(ErrUnexpectedHydraResponse, "hydra responded with status code '%d'", res.StatusCode)
}
defer res.Body.Close()
decoder := json.NewDecoder(res.Body)
logoutRes := &LogoutResponse{}
if err := decoder.Decode(logoutRes); err != nil {
return nil, errors.Wrap(err, "could not decode json response")
}
return logoutRes, nil
}
func (c *Client) AcceptLogoutRequest(challenge string) (*AcceptResponse, error) {
u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout/accept", url.Values{
"logout_challenge": []string{challenge},
})
res := &AcceptResponse{}
if err := c.putJSON(u, nil, res); err != nil {
return nil, err
}
return res, nil
}
func (c *Client) RejectLogoutRequest(challenge string, req *RejectRequest) (*RejectResponse, error) {
u := fromURL(*c.baseURL, "/oauth2/auth/requests/logout/reject", url.Values{
"logout_challenge": []string{challenge},
})
res := &RejectResponse{}
if err := c.putJSON(u, req, res); err != nil {
return nil, err
}
return res, nil
}
func (c *Client) ConsentRequest(challenge string) (*ConsentResponse, error) {

View File

@ -1,12 +1,15 @@
package hydra
type AcceptLoginRequest struct {
Subject string `json:"subject"`
Remember bool `json:"remember"`
RememberFor int `json:"remember_for"`
ACR string `json:"acr"`
Subject string `json:"subject"`
Remember bool `json:"remember"`
RememberFor int `json:"remember_for"`
ACR string `json:"acr"`
Context map[string]interface{} `json:"context"`
}
type AcceptLogoutRequest struct{}
type AcceptConsentRequest struct {
GrantScope []string `json:"grant_scope"`
GrantAccessTokenAudience []string `json:"grant_access_token_audience"`

View File

@ -68,6 +68,10 @@ type RejectResponse struct {
}
type LogoutResponse struct {
Subject string `json:"subject"`
SessionID string `json:"sid"`
RPInitiated bool `json:"rp_initiated"`
RequestURL string `json:"request_url"`
}
type ConsentResponse struct {
@ -80,4 +84,5 @@ type ConsentResponse struct {
OidcContext OidcContextResponseFragment `json:"oidc_context"`
RequestedAccessTokenAudience []string `json:"requested_access_token_audience"`
SessionID string `json:"session_id"`
Context map[string]interface{} `json:"context"`
}

View File

@ -15,8 +15,9 @@ type VerifyUserRequest struct {
}
type VerifyUserData struct {
Email string
Challenge string
Email string
Challenge string
RememberMe bool
}
func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{}, error) {
@ -28,7 +29,7 @@ func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{},
ctn := container.Must(ctx)
conf := config.Must(ctn)
email, challenge, err := token.Verify(
email, challenge, rememberMe, err := token.Verify(
conf.HTTP.TokenSigningKey,
conf.HTTP.TokenEncryptionKey,
req.Token,
@ -39,8 +40,9 @@ func HandleVerifyUserRequest(ctx context.Context, qry cqrs.Query) (interface{},
}
data := &VerifyUserData{
Email: email,
Challenge: challenge,
Email: email,
Challenge: challenge,
RememberMe: rememberMe,
}
return data, nil

View File

@ -10,7 +10,6 @@ import (
func serveConsentPage(w http.ResponseWriter, r *http.Request) {
ctn := container.Must(r.Context())
//tmpl := template.Must(ctn)
hydr := hydra.Must(ctn)
challenge, err := hydr.ConsentChallenge(r)
@ -24,43 +23,29 @@ func serveConsentPage(w http.ResponseWriter, r *http.Request) {
panic(errors.Wrap(err, "could not retrieve consent challenge"))
}
res, err := hydr.ConsentRequest(challenge)
consentRes, err := hydr.ConsentRequest(challenge)
if err != nil {
panic(errors.Wrap(err, "could not retrieve hydra consent response"))
}
if res.Skip {
res, err := hydr.AcceptConsentRequest(challenge, &hydra.AcceptConsentRequest{
GrantScope: res.RequestedScope,
GrantAccessTokenAudience: res.RequestedAccessTokenAudience,
})
if err != nil {
panic(errors.Wrap(err, "could not accept hydra consent request"))
}
scopes := []string{"email"}
scopes = append(scopes, consentRes.RequestedScope...)
http.Redirect(w, r, res.RedirectTo, http.StatusTemporaryRedirect)
return
acceptConsentReq := &hydra.AcceptConsentRequest{
GrantScope: scopes,
GrantAccessTokenAudience: consentRes.RequestedAccessTokenAudience,
Session: hydra.AcceptConsentSession{
IDToken: map[string]interface{}{
"email": consentRes.Context["email"],
"email_verified": true,
},
},
}
res2, err := hydr.AcceptConsentRequest(challenge, &hydra.AcceptConsentRequest{
GrantScope: res.RequestedScope,
GrantAccessTokenAudience: res.RequestedAccessTokenAudience,
})
acceptRes, err := hydr.AcceptConsentRequest(challenge, acceptConsentReq)
if err != nil {
panic(errors.Wrap(err, "could not accept hydra consent request"))
}
http.Redirect(w, r, res2.RedirectTo, http.StatusTemporaryRedirect)
// spew.Dump(res)
// data := extendTemplateData(w, r, template.Data{
// csrf.TemplateTag: csrf.TemplateField(r),
// "RequestedScope": res.RequestedScope,
// "ConsentChallenge": challenge,
// })
// if err := tmpl.RenderPage(w, "consent.html.tmpl", data); err != nil {
// panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
// }
http.Redirect(w, r, acceptRes.RedirectTo, http.StatusTemporaryRedirect)
}

View File

@ -22,3 +22,21 @@ func extendTemplateData(w http.ResponseWriter, r *http.Request, data template.Da
return data
}
func renderErrorPage(w http.ResponseWriter, r *http.Request, statusCode int, title, description string) error {
ctn := container.Must(r.Context())
tmpl := template.Must(ctn)
data := extendTemplateData(w, r, template.Data{
"ErrorTitle": title,
"ErrorDescription": description,
})
w.WriteHeader(statusCode)
if err := tmpl.RenderPage(w, "error.html.tmpl", data); err != nil {
return errors.Wrap(err, "could not render error page")
}
return nil
}

20
internal/route/home.go Normal file
View File

@ -0,0 +1,20 @@
package route
import (
"net/http"
"github.com/pkg/errors"
"gitlab.com/wpetit/goweb/middleware/container"
"gitlab.com/wpetit/goweb/service/template"
)
func serveHomePage(w http.ResponseWriter, r *http.Request) {
ctn := container.Must(r.Context())
tmpl := template.Must(ctn)
data := extendTemplateData(w, r, template.Data{})
if err := tmpl.RenderPage(w, "home.html.tmpl", data); err != nil {
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
}
}

View File

@ -21,7 +21,15 @@ func serveLoginPage(w http.ResponseWriter, r *http.Request) {
challenge, err := hydr.LoginChallenge(r)
if err != nil {
if err == hydra.ErrChallengeNotFound {
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
err := renderErrorPage(
w, r,
http.StatusBadRequest,
"Requête invalide",
"Certaines informations requises afin de réaliser votre requête sont absentes.",
)
if err != nil {
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
}
return
}
@ -35,15 +43,20 @@ func serveLoginPage(w http.ResponseWriter, r *http.Request) {
}
if res.Skip {
res, err := hydr.RejectLoginRequest(challenge, &hydra.RejectRequest{
Error: "email_not_validated",
ErrorDescription: "The email adress could not be verified.",
})
if err != nil {
panic(errors.Wrap(err, "could not reject hydra authentication request"))
accept := &hydra.AcceptLoginRequest{
Subject: res.Subject,
Context: map[string]interface{}{
"email": res.Subject,
},
}
http.Redirect(w, r, res.RedirectTo, http.StatusTemporaryRedirect)
res, err := hydr.AcceptLoginRequest(challenge, accept)
if err != nil {
panic(errors.Wrap(err, "could not retrieve hydra accept response"))
}
http.Redirect(w, r, res.RedirectTo, http.StatusSeeOther)
return
}
@ -53,6 +66,8 @@ func serveLoginPage(w http.ResponseWriter, r *http.Request) {
csrf.TemplateTag: csrf.TemplateField(r),
"LoginChallenge": challenge,
"Email": "",
"ClientName": res.Client.ClientName,
"ClientURI": res.Client.ClientURI,
})
if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
@ -64,6 +79,7 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
ctn := container.Must(ctx)
tmpl := template.Must(ctn)
hydr := hydra.Must(ctn)
bus := cqrs.Must(ctn)
if err := r.ParseForm(); err != nil {
@ -72,9 +88,30 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
return
}
email := r.Form.Get("email")
challenge := r.Form.Get("challenge")
if challenge == "" {
err := renderErrorPage(
w, r,
http.StatusBadRequest,
"Requête invalide",
"Certaines informations requises sont manquantes pour pouvoir réaliser votre requête.",
)
if err != nil {
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
}
return
}
res, err := hydr.LoginRequest(challenge)
if err != nil {
panic(errors.Wrap(err, "could not retrieve hydra login response"))
}
email := r.Form.Get("email")
rememberMe := r.Form.Get("rememberMe")
renderFlashError := func(message string) {
sess, err := session.Must(ctn).Get(w, r)
if err != nil {
@ -91,6 +128,8 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
csrf.TemplateTag: csrf.TemplateField(r),
"LoginChallenge": challenge,
"Email": email,
"ClientName": res.Client.ClientName,
"ClientURI": res.Client.ClientURI,
})
if err := tmpl.RenderPage(w, "login.html.tmpl", data); err != nil {
@ -104,17 +143,14 @@ func handleLoginForm(w http.ResponseWriter, r *http.Request) {
return
}
if challenge == "" {
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
return
}
cmd := &command.SendConfirmationEmailRequest{
Email: email,
Challenge: challenge,
DefaultScheme: r.URL.Scheme,
DefaultAddress: r.Host,
RememberMe: rememberMe == "on",
ClientName: res.Client.ClientName,
ClientURI: res.Client.ClientURI,
}
if _, err := bus.Exec(ctx, cmd); err != nil {
panic(errors.Wrap(err, "could not execute command"))

View File

@ -2,8 +2,36 @@ package route
import (
"net/http"
"forge.cadoles.com/wpetit/hydra-passwordless/internal/hydra"
"github.com/pkg/errors"
"gitlab.com/wpetit/goweb/middleware/container"
)
func serveLogoutPage(w http.ResponseWriter, r *http.Request) {
ctn := container.Must(r.Context())
hydr := hydra.Must(ctn)
challenge, err := hydr.LogoutChallenge(r)
if err != nil {
if err == hydra.ErrChallengeNotFound {
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
return
}
panic(errors.Wrap(err, "could not retrieve logout challenge"))
}
_, err = hydr.LogoutRequest(challenge)
if err != nil {
panic(errors.Wrap(err, "could not retrieve hydra logout response"))
}
acceptRes, err := hydr.AcceptLogoutRequest(challenge)
if err != nil {
panic(errors.Wrap(err, "could not retrieve hydra accept logout response"))
}
http.Redirect(w, r, acceptRes.RedirectTo, http.StatusSeeOther)
}

View File

@ -23,7 +23,7 @@ func Mount(r *chi.Mux, config *config.Config) error {
r.Group(func(r chi.Router) {
r.Use(csrfMiddleware)
r.Get("/", serveHomePage)
r.Get("/login", serveLoginPage)
r.Post("/login", handleLoginForm)
r.Get("/logout", serveLogoutPage)

View File

@ -32,6 +32,18 @@ func handleVerification(w http.ResponseWriter, r *http.Request) {
if err != nil {
logger.Error(ctx, "could not verify token", logger.E(err))
err := renderErrorPage(
w, r,
http.StatusBadRequest,
"Lien invalide",
"Le lien de connexion utilisé est invalide ou a expiré.",
)
if err != nil {
panic(errors.Wrapf(err, "could not render '%s' page", r.URL.Path))
}
return
http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
}
@ -43,7 +55,12 @@ func handleVerification(w http.ResponseWriter, r *http.Request) {
hydr := hydra.Must(ctn)
accept := &hydra.AcceptLoginRequest{
Subject: verifyUserData.Email,
Subject: verifyUserData.Email,
Remember: verifyUserData.RememberMe,
RememberFor: 3600,
Context: map[string]interface{}{
"email": verifyUserData.Email,
},
}
res, err := hydr.AcceptLoginRequest(verifyUserData.Challenge, accept)

View File

@ -11,10 +11,11 @@ const (
)
type privateClaims struct {
Challenge string `json:"challenge"`
Challenge string `json:"challenge"`
RememberMe bool `json:"remember"`
}
func Generate(signingKey, encryptionKey, email, challenge string) (string, error) {
func Generate(signingKey, encryptionKey, email, challenge string, rememberMe bool) (string, error) {
sig, err := jose.NewSigner(
jose.SigningKey{
Algorithm: jose.HS256,
@ -44,7 +45,8 @@ func Generate(signingKey, encryptionKey, email, challenge string) (string, error
}
privateClaims := privateClaims{
Challenge: challenge,
Challenge: challenge,
RememberMe: rememberMe,
}
raw, err := jwt.SignedAndEncrypted(sig, enc).Claims(claims).Claims(privateClaims).CompactSerialize()

View File

@ -5,23 +5,23 @@ import (
"gopkg.in/square/go-jose.v2/jwt"
)
func Verify(signingKey, encryptionKey, raw string) (string, string, error) {
func Verify(signingKey, encryptionKey, raw string) (string, string, bool, error) {
token, err := jwt.ParseSignedAndEncrypted(raw)
if err != nil {
return "", "", errors.Wrap(err, "could not parse token")
return "", "", false, errors.Wrap(err, "could not parse token")
}
nested, err := token.Decrypt([]byte(encryptionKey))
if err != nil {
return "", "", errors.Wrap(err, "could not decrypt token")
return "", "", false, errors.Wrap(err, "could not decrypt token")
}
baseClaims := jwt.Claims{}
privateClaims := privateClaims{}
if err := nested.Claims([]byte(signingKey), &baseClaims, &privateClaims); err != nil {
return "", "", errors.Wrap(err, "could not validate claims")
return "", "", false, errors.Wrap(err, "could not validate claims")
}
return baseClaims.Subject, privateClaims.Challenge, nil
return baseClaims.Subject, privateClaims.Challenge, privateClaims.RememberMe, nil
}