lavender/server/flow.go

package server

import (
	"context"
	_ "embed"
	"fmt"
	"github.com/1f349/lavender/issuer"
	"github.com/1f349/lavender/server/pages"
	"github.com/google/uuid"
	"github.com/julienschmidt/httprouter"
	"golang.org/x/oauth2"
	"net/http"
	"net/url"
	"strings"
	"time"
)

var uuidNewStringState = uuid.NewString
var uuidNewStringAti = uuid.NewString
var uuidNewStringRti = uuid.NewString

var testOa2Exchange = func(oa2conf oauth2.Config, ctx context.Context, code string) (*oauth2.Token, error) {
	return oa2conf.Exchange(ctx, code)
}

var testOa2UserInfo = func(oidc *issuer.WellKnownOIDC, ctx context.Context, exchange *oauth2.Token) (*http.Response, error) {
	client := oidc.OAuth2Config.Client(ctx, exchange)
	return client.Get(oidc.UserInfoEndpoint)
}

func (h *HttpServer) flowPopup(rw http.ResponseWriter, req *http.Request, _ httprouter.Params) {
	cookie, err := req.Cookie("lavender-login-name")
	if err == nil && cookie.Valid() == nil {
		pages.RenderPageTemplate(rw, "flow-popup-memory", map[string]any{
			"ServiceName": h.conf.Load().ServiceName,
			"Origin":      req.URL.Query().Get("origin"),
			"LoginName":   cookie.Value,
		})
		return
	}
	pages.RenderPageTemplate(rw, "flow-popup", map[string]any{
		"ServiceName": h.conf.Load().ServiceName,
		"Origin":      req.URL.Query().Get("origin"),
	})
}

func (h *HttpServer) flowPopupPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params) {
	if req.PostFormValue("not-you") == "1" {
		http.SetCookie(rw, &http.Cookie{
			Name:     "lavender-login-name",
			Value:    "",
			Path:     "/",
			MaxAge:   -1,
			Secure:   true,
			SameSite: http.SameSiteStrictMode,
		})
		http.Redirect(rw, req, (&url.URL{
			Path: "/popup",
			RawQuery: url.Values{
				"origin": []string{req.PostFormValue("origin")},
			}.Encode(),
		}).String(), http.StatusFound)
		return
	}
	loginName := req.PostFormValue("loginname")
	login := h.manager.Load().FindServiceFromLogin(loginName)
	if login == nil {
		http.Error(rw, "No login service defined for this username", http.StatusBadRequest)
		return
	}
	// the @ must exist if the service is defined
	n := strings.IndexByte(loginName, '@')
	loginUn := loginName[:n]

	now := time.Now()
	future := now.AddDate(1, 0, 0)
	http.SetCookie(rw, &http.Cookie{
		Name:     "lavender-login-name",
		Value:    loginName,
		Path:     "/",
		Expires:  future,
		MaxAge:   int(future.Sub(now).Seconds()),
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	})

	targetOrigin := req.PostFormValue("origin")
	allowedService, found := (*h.services.Load())[targetOrigin]
	if !found {
		http.Error(rw, "Invalid target origin", http.StatusBadRequest)
		return
	}

	// save state for use later
	state := login.Config.Namespace + ":" + uuidNewStringState()
	h.flowState.Set(state, flowStateData{
		login,
		allowedService,
	}, time.Now().Add(15*time.Minute))

	// generate oauth2 config and redirect to authorize URL
	oa2conf := login.OAuth2Config
	oa2conf.RedirectURL = h.conf.Load().BaseUrl + "/callback"
	nextUrl := oa2conf.AuthCodeURL(state, oauth2.SetAuthURLParam("login_name", loginUn))
	http.Redirect(rw, req, nextUrl, http.StatusFound)
}

func (h *HttpServer) flowCallback(rw http.ResponseWriter, req *http.Request, _ httprouter.Params) {
	err := req.ParseForm()
	if err != nil {
		http.Error(rw, "Error parsing form", http.StatusBadRequest)
		return
	}

	q := req.URL.Query()
	state := q.Get("state")
	n := strings.IndexByte(state, ':')
	if n == -1 || !h.manager.Load().CheckNamespace(state[:n]) {
		http.Error(rw, "Invalid state namespace", http.StatusBadRequest)
		return
	}
	v, found := h.flowState.Get(state)
	if !found {
		http.Error(rw, "Invalid state", http.StatusBadRequest)
		return
	}

	oa2conf := v.sso.OAuth2Config
	oa2conf.RedirectURL = h.conf.Load().BaseUrl + "/callback"
	exchange, err := testOa2Exchange(oa2conf, context.Background(), q.Get("code"))
	if err != nil {
		fmt.Println("Failed exchange:", err)
		http.Error(rw, "Failed to exchange code", http.StatusInternalServerError)
		return
	}

	h.finishTokenGenerateFlow(rw, req, v, exchange, func(accessToken, refreshToken string, v3 map[string]any) {
		pages.RenderPageTemplate(rw, "flow-callback", map[string]any{
			"ServiceName":   h.conf.Load().ServiceName,
			"TargetOrigin":  v.target.Url.String(),
			"TargetMessage": v3,
			"AccessToken":   accessToken,
			"RefreshToken":  refreshToken,
		})
	})
}
Start coding lavender 2023-10-01 21:44:49 +01:00			`package server`

			`import (`
Finish up working flow and setup test client 2023-10-04 21:53:20 +01:00			`"context"`
Start coding lavender 2023-10-01 21:44:49 +01:00			`_ "embed"`
Finish up working flow and setup test client 2023-10-04 21:53:20 +01:00			`"fmt"`
Write flow tests 2023-10-09 16:29:10 +01:00			`"github.com/1f349/lavender/issuer"`
Load templates with overlapfs to allow custom templates 2023-10-08 16:43:27 +01:00			`"github.com/1f349/lavender/server/pages"`
Generate oauth2 config from login SSO service metadata 2023-10-03 01:14:25 +01:00			`"github.com/google/uuid"`
Start coding lavender 2023-10-01 21:44:49 +01:00			`"github.com/julienschmidt/httprouter"`
Finish up working flow and setup test client 2023-10-04 21:53:20 +01:00			`"golang.org/x/oauth2"`
Start coding lavender 2023-10-01 21:44:49 +01:00			`"net/http"`
Save login name to cookie, correct public key path, fix test client 2023-11-08 11:38:31 +00:00			`"net/url"`
Continued working on OAuth flow 2023-10-04 14:51:38 +01:00			`"strings"`
Continue adding to popup flow 2023-10-03 23:20:28 +01:00			`"time"`
Start coding lavender 2023-10-01 21:44:49 +01:00			`)`

Write flow popup tests 2023-10-09 00:04:28 +01:00			`var uuidNewStringState = uuid.NewString`
			`var uuidNewStringAti = uuid.NewString`
			`var uuidNewStringRti = uuid.NewString`

Write flow tests 2023-10-09 16:29:10 +01:00			`var testOa2Exchange = func(oa2conf oauth2.Config, ctx context.Context, code string) (*oauth2.Token, error) {`
			`return oa2conf.Exchange(ctx, code)`
			`}`

			`var testOa2UserInfo = func(oidc issuer.WellKnownOIDC, ctx context.Context, exchange oauth2.Token) (*http.Response, error) {`
			`client := oidc.OAuth2Config.Client(ctx, exchange)`
			`return client.Get(oidc.UserInfoEndpoint)`
			`}`

Start coding lavender 2023-10-01 21:44:49 +01:00			`func (h HttpServer) flowPopup(rw http.ResponseWriter, req http.Request, _ httprouter.Params) {`
Save login name to cookie, correct public key path, fix test client 2023-11-08 11:38:31 +00:00			`cookie, err := req.Cookie("lavender-login-name")`
			`if err == nil && cookie.Valid() == nil {`
			`pages.RenderPageTemplate(rw, "flow-popup-memory", map[string]any{`
Add reloading config 2023-11-15 09:21:09 +00:00			`"ServiceName": h.conf.Load().ServiceName,`
Save login name to cookie, correct public key path, fix test client 2023-11-08 11:38:31 +00:00			`"Origin": req.URL.Query().Get("origin"),`
			`"LoginName": cookie.Value,`
			`})`
			`return`
			`}`
Write flow popup tests 2023-10-09 00:04:28 +01:00			`pages.RenderPageTemplate(rw, "flow-popup", map[string]any{`
Add reloading config 2023-11-15 09:21:09 +00:00			`"ServiceName": h.conf.Load().ServiceName,`
Continued working on OAuth flow 2023-10-04 14:51:38 +01:00			`"Origin": req.URL.Query().Get("origin"),`
Start coding lavender 2023-10-01 21:44:49 +01:00			`})`
			`}`

Continue adding to popup flow 2023-10-03 23:20:28 +01:00			`func (h HttpServer) flowPopupPost(rw http.ResponseWriter, req http.Request, _ httprouter.Params) {`
Save login name to cookie, correct public key path, fix test client 2023-11-08 11:38:31 +00:00			`if req.PostFormValue("not-you") == "1" {`
			`http.SetCookie(rw, &http.Cookie{`
			`Name: "lavender-login-name",`
			`Value: "",`
			`Path: "/",`
			`MaxAge: -1,`
			`Secure: true,`
			`SameSite: http.SameSiteStrictMode,`
			`})`
			`http.Redirect(rw, req, (&url.URL{`
			`Path: "/popup",`
			`RawQuery: url.Values{`
			`"origin": []string{req.PostFormValue("origin")},`
			`}.Encode(),`
			`}).String(), http.StatusFound)`
			`return`
			`}`
Finish up working flow and setup test client 2023-10-04 21:53:20 +01:00			`loginName := req.PostFormValue("loginname")`
Add reloading config 2023-11-15 09:21:09 +00:00			`login := h.manager.Load().FindServiceFromLogin(loginName)`
Start coding lavender 2023-10-01 21:44:49 +01:00			`if login == nil {`
			`http.Error(rw, "No login service defined for this username", http.StatusBadRequest)`
			`return`
			`}`
Check if email address can be used, and display perms in the test client 2023-10-10 18:06:06 +01:00			`// the @ must exist if the service is defined`
			`n := strings.IndexByte(loginName, '@')`
			`loginUn := loginName[:n]`
Start coding lavender 2023-10-01 21:44:49 +01:00
Save login name to cookie, correct public key path, fix test client 2023-11-08 11:38:31 +00:00			`now := time.Now()`
			`future := now.AddDate(1, 0, 0)`
			`http.SetCookie(rw, &http.Cookie{`
			`Name: "lavender-login-name",`
			`Value: loginName,`
			`Path: "/",`
			`Expires: future,`
			`MaxAge: int(future.Sub(now).Seconds()),`
			`Secure: true,`
			`SameSite: http.SameSiteStrictMode,`
			`})`

Continued working on OAuth flow 2023-10-04 14:51:38 +01:00			`targetOrigin := req.PostFormValue("origin")`
Add reloading config 2023-11-15 09:21:09 +00:00			`allowedService, found := (*h.services.Load())[targetOrigin]`
Allowed client specific perms 2023-10-26 11:30:04 +01:00			`if !found {`
Continued working on OAuth flow 2023-10-04 14:51:38 +01:00			`http.Error(rw, "Invalid target origin", http.StatusBadRequest)`
Continue adding to popup flow 2023-10-03 23:20:28 +01:00			`return`
			`}`

			`// save state for use later`
Write flow popup tests 2023-10-09 00:04:28 +01:00			`state := login.Config.Namespace + ":" + uuidNewStringState()`
Continue adding to popup flow 2023-10-03 23:20:28 +01:00			`h.flowState.Set(state, flowStateData{`
			`login,`
Allowed client specific perms 2023-10-26 11:30:04 +01:00			`allowedService,`
Continue adding to popup flow 2023-10-03 23:20:28 +01:00			`}, time.Now().Add(15*time.Minute))`
Start coding lavender 2023-10-01 21:44:49 +01:00
Continue adding to popup flow 2023-10-03 23:20:28 +01:00			`// generate oauth2 config and redirect to authorize URL`
Continued working on OAuth flow 2023-10-04 14:51:38 +01:00			`oa2conf := login.OAuth2Config`
Add reloading config 2023-11-15 09:21:09 +00:00			`oa2conf.RedirectURL = h.conf.Load().BaseUrl + "/callback"`
Check if email address can be used, and display perms in the test client 2023-10-10 18:06:06 +01:00			`nextUrl := oa2conf.AuthCodeURL(state, oauth2.SetAuthURLParam("login_name", loginUn))`
Generate oauth2 config from login SSO service metadata 2023-10-03 01:14:25 +01:00			`http.Redirect(rw, req, nextUrl, http.StatusFound)`
Start coding lavender 2023-10-01 21:44:49 +01:00			`}`

Continue adding to popup flow 2023-10-03 23:20:28 +01:00			`func (h HttpServer) flowCallback(rw http.ResponseWriter, req http.Request, _ httprouter.Params) {`
Generate oauth2 config from login SSO service metadata 2023-10-03 01:14:25 +01:00			`err := req.ParseForm()`
			`if err != nil {`
			`http.Error(rw, "Error parsing form", http.StatusBadRequest)`
			`return`
			`}`
Start coding lavender 2023-10-01 21:44:49 +01:00
Continue adding to popup flow 2023-10-03 23:20:28 +01:00			`q := req.URL.Query()`
			`state := q.Get("state")`
Load templates with overlapfs to allow custom templates 2023-10-08 16:43:27 +01:00			`n := strings.IndexByte(state, ':')`
Add reloading config 2023-11-15 09:21:09 +00:00			`if n == -1 \|\| !h.manager.Load().CheckNamespace(state[:n]) {`
Write flow tests 2023-10-09 16:29:10 +01:00			`http.Error(rw, "Invalid state namespace", http.StatusBadRequest)`
Continue adding to popup flow 2023-10-03 23:20:28 +01:00			`return`
			`}`
			`v, found := h.flowState.Get(state)`
			`if !found {`
			`http.Error(rw, "Invalid state", http.StatusBadRequest)`
			`return`
			`}`

Finish up working flow and setup test client 2023-10-04 21:53:20 +01:00			`oa2conf := v.sso.OAuth2Config`
Add reloading config 2023-11-15 09:21:09 +00:00			`oa2conf.RedirectURL = h.conf.Load().BaseUrl + "/callback"`
Write flow tests 2023-10-09 16:29:10 +01:00			`exchange, err := testOa2Exchange(oa2conf, context.Background(), q.Get("code"))`
Continued working on OAuth flow 2023-10-04 14:51:38 +01:00			`if err != nil {`
Finish up working flow and setup test client 2023-10-04 21:53:20 +01:00			`fmt.Println("Failed exchange:", err)`
Continued working on OAuth flow 2023-10-04 14:51:38 +01:00			`http.Error(rw, "Failed to exchange code", http.StatusInternalServerError)`
			`return`
			`}`
Add domain ownership info 2023-10-27 09:40:10 +01:00
Start implementing refresh tokens 2023-12-05 18:10:47 +00:00			`h.finishTokenGenerateFlow(rw, req, v, exchange, func(accessToken, refreshToken string, v3 map[string]any) {`
			`pages.RenderPageTemplate(rw, "flow-callback", map[string]any{`
			`"ServiceName": h.conf.Load().ServiceName,`
			`"TargetOrigin": v.target.Url.String(),`
			`"TargetMessage": v3,`
			`"AccessToken": accessToken,`
			`"RefreshToken": refreshToken,`
			`})`
Continued working on OAuth flow 2023-10-04 14:51:38 +01:00			`})`
Start coding lavender 2023-10-01 21:44:49 +01:00			`}`