mirror of
https://github.com/netbirdio/netbird.git
synced 2025-04-14 22:48:30 +02:00
1f29975737
* feature: basic auth0 support * refactor: improve auth flow * refactor: extract HttpServer config * feature: merge HTTP API layer with Let's Encrypt
97 lines
3.3 KiB
Go
97 lines
3.3 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
"github.com/coreos/go-oidc"
|
|
"github.com/gorilla/sessions"
|
|
"github.com/wiretrustee/wiretrustee/management/http_server/middleware"
|
|
"log"
|
|
"net/http"
|
|
)
|
|
|
|
// Callback handler used to receive a callback from the identity provider
|
|
type Callback struct {
|
|
authenticator *middleware.Authenticator
|
|
sessionStore sessions.Store
|
|
}
|
|
|
|
func NewCallback(authenticator *middleware.Authenticator, sessionStore sessions.Store) *Callback {
|
|
return &Callback{
|
|
authenticator: authenticator,
|
|
sessionStore: sessionStore,
|
|
}
|
|
}
|
|
|
|
// ServeHTTP checks the user session, verifies the state, verifies the token, stores user profile in a session,
|
|
// and in case of the successful auth redirects user to the main page
|
|
func (h *Callback) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|
session, err := h.sessionStore.Get(r, "auth-session")
|
|
if err != nil {
|
|
//todo redirect to the error page stating: "error occurred plz try again later and a link to login"
|
|
//http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
if r.URL.Query().Get("state") != session.Values["state"] {
|
|
//todo redirect to the error page stating: "error authenticating plz try to login once again"
|
|
//http.Error(w, "invalid state parameter", http.StatusBadRequest)
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
token, err := h.authenticator.Config.Exchange(context.TODO(), r.URL.Query().Get("code"))
|
|
if err != nil {
|
|
log.Printf("no token found: %v", err)
|
|
//todo redirect to the error page stating: "error authenticating plz try to login once again"
|
|
//w.WriteHeader(http.StatusUnauthorized)
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
rawIDToken, ok := token.Extra("id_token").(string)
|
|
if !ok {
|
|
//todo redirect to the error page stating: "error occurred plz try again later and a link to login"
|
|
//http.Error(w, "no id_token field in oauth2 token.", http.StatusInternalServerError)
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
oidcConfig := &oidc.Config{
|
|
ClientID: h.authenticator.Config.ClientID,
|
|
}
|
|
|
|
idToken, err := h.authenticator.Provider.Verifier(oidcConfig).Verify(context.TODO(), rawIDToken)
|
|
|
|
if err != nil {
|
|
//todo redirect to the error page stating: "error occurred plz try again later and a link to login"
|
|
//http.Error(w, "failed to verify ID Token: "+err.Error(), http.StatusInternalServerError)
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
// get the userInfo from the token
|
|
var profile map[string]interface{}
|
|
if err := idToken.Claims(&profile); err != nil {
|
|
//todo redirect to the error page stating: "error occurred plz try again later and a link to login"
|
|
//http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
session.Values["id_token"] = rawIDToken
|
|
session.Values["access_token"] = token.AccessToken
|
|
session.Values["profile"] = profile
|
|
|
|
err = session.Save(r, w)
|
|
if err != nil {
|
|
//todo redirect to the error page stating: "error occurred plz try again later and a link to login"
|
|
//http.Error(w, err.Error(), http.StatusInternalServerError)
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
// redirect to logged in page
|
|
http.Redirect(w, r, "/dashboard", http.StatusSeeOther)
|
|
}
|