author | Mike Crute <mike@crute.us> | 2021-11-24 10:56:43 -0800 |
committer | Mike Crute <mike@crute.us> | 2021-11-24 10:56:43 -0800 |
commit | bb96127a71d3d22825a35ffc6b6c8bea0590f202 (patch) | |
tree | 65f2c31b618ff913e08bc2d8fea7f896a01323d2 | |
parent | ff05652956161dd94aa109e2c5d40bd82d4cfd5d (diff) | |
Use x/oauth2 instead of custom token
-rw-r--r-- | app/controllers/api_user.go | 9 | ||||
-rw-r--r-- | app/middleware/auth.go | 6 | ||||
-rw-r--r-- | app/models/user.go | 28 | ||||
-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | go.sum | 2 |
5 files changed, 17 insertions, 30 deletions
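--- a/app/controllers/api_user.go
+++ b/app/controllers/api_user.go
@@ -82,15 +82,6 @@ func validateKeysAndTokens(in *models.User) error {
 }
 }
 
-for k, v := range in.AuthTokens {
-if k != v.Kind {
-return &echo.HTTPError{
-Code: http.StatusBadRequest,
-Message: "Token kind must match hash key.",
-}
-}
-}
-
 return nil
 }
 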
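Review bot: With the token loop removed, validateKeysAndTokens no longer inspects in.AuthTokens at all, so its name now overstates what it checks. Either rename it to validateKeys, or add a comment at the top of the function such as `// Token entries are keyed by the name passed to User.AddToken; nothing about them is validated here.` so the next reader does not assume tokens are still being checked. I would also confirm whether a client can supply auth_tokens in the request body that reaches this validator, since after this change no entry in that map is rejected; that cannot be seen from the hunk. The function's signature and the start of its body are outside the hunk.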
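--- a/app/middleware/auth.go
+++ b/app/middleware/auth.go
@@ -15,6 +15,7 @@ import (
 "github.com/labstack/echo/v4"
 "github.com/prometheus/client_golang/prometheus"
 "github.com/prometheus/client_golang/prometheus/promauto"
+"golang.org/x/oauth2"
 )
 
 // apiKeyRequests tracks the number of requests made with the legacy X-API-Key
@@ -202,9 +203,8 @@ func (m *AuthenticationMiddleware) HandleCompleteLogin(c echo.Context) error {
 dbUser.AddKey(sk)
 dbUser.GCKeys() // This is a convenient place to do it
 
-dbUser.AddToken(&models.AuthToken{
-Kind: "github",
-Token: token.AccessToken,
+dbUser.AddToken("github", &oauth2.Token{
+AccessToken: token.AccessToken,
 RefreshToken: token.RefreshToken,
 })
 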
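Review bot: The new AddToken call on lines 206-208 builds a fresh oauth2.Token from only `token.AccessToken` and `token.RefreshToken`, so if `token` is itself the *oauth2.Token returned by the provider exchange (it is declared outside the hunk, so this is inferred), its Expiry and TokenType are dropped before the token is stored. An oauth2.Token whose Expiry is zero reports Valid() as true indefinitely, so anything that later wraps the stored token in a TokenSource will never see it as expired and will not refresh it. Passing the value straight through, `dbUser.AddToken("github", token)`, or copying Expiry and TokenType alongside the two fields already copied keeps that information. HandleCompleteLogin begins and ends outside the hunk.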
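--- a/app/models/user.go
+++ b/app/models/user.go
@@ -7,6 +7,7 @@ import (
 "code.crute.us/mcrute/golib/db/mongodb"
 "go.mongodb.org/mongo-driver/bson"
 "go.mongodb.org/mongo-driver/bson/primitive"
+"golang.org/x/oauth2"
 )
 
 const userCol = "users"
@@ -18,22 +19,13 @@ type UserStore interface {
 Delete(context.Context, *User) error
 }
 
-type AuthToken struct {
-Kind string `json:"kind"`
-Token string `json:"token"`
-
-// Do not expose refresh tokens in JSON as they are long-lived tokens that
-// are harder to invalidate and thus rather security sensitive.
-RefreshToken string `json:"-"`
-}
-
 type User struct {
 Username string `bson:"_id" json:"username"`
 IsAdmin bool `json:"is_admin"`
 IsService bool `json:"is_service"`
 Keys map[string]*SessionKey `json:"keys,omitempty"` // kid -> key
-AuthTokens map[string]*AuthToken `json:"auth_tokens,omitempty"` // kind -> token
+AuthTokens map[string]*oauth2.Token `json:"auth_tokens,omitempty"` // kind -> token
 Deleted *time.Time `json:"deleted,omitempty"`
 }
 
 // GCKeys garbage collects keys that are no longer valid
@@ -62,11 +54,11 @@ func (u *User) AddKey(k *SessionKey) {
 u.Keys[k.KeyId] = k
 }
 
-func (u *User) AddToken(t *AuthToken) {
+func (u *User) AddToken(name string, t *oauth2.Token) {
 if u.AuthTokens == nil {
-u.AuthTokens = map[string]*AuthToken{}
+u.AuthTokens = map[string]*oauth2.Token{}
 }
-u.AuthTokens[t.Kind] = t
+u.AuthTokens[name] = t
 }
 
 type MongoDbUserStore struct {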
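Review bot: The removed AuthToken type deliberately hid refresh tokens from JSON with `json:"-"` and a comment explaining why, and the replacement field on new line 27, `AuthTokens map[string]*oauth2.Token`, loses that protection because oauth2.Token tags its RefreshToken field as `json:"refresh_token,omitempty"`, so every place that JSON-encodes a User (the api_user controller touched in this same commit looks like one) now emits long-lived refresh tokens. If API responses do not need to carry tokens at all, the smallest fix is to tag the AuthTokens field `json:"-"` and leave its bson name untouched; if access tokens must still be visible, wrap the map in a type whose MarshalJSON encodes a copy of each token with RefreshToken cleared. In both cases the dropped comment about refresh tokens being hard to invalidate belongs next to the field, e.g. `// Refresh tokens are long-lived and hard to invalidate; never expose them in JSON.`. The AddToken hunk below is consistent with this, since the map key is now the caller-supplied name rather than a field of the token.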
@@ -13,6 +13,7 @@ require ( | |||
13 | github.com/prometheus/client_golang v1.11.0 | 13 | github.com/prometheus/client_golang v1.11.0 |
14 | github.com/spf13/cobra v1.2.1 | 14 | github.com/spf13/cobra v1.2.1 |
15 | go.mongodb.org/mongo-driver v1.7.4 | 15 | go.mongodb.org/mongo-driver v1.7.4 |
16 | golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c | ||
16 | golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 | 17 | golang.org/x/time v0.0.0-20201208040808-7e3f01d25324 |
17 | gopkg.in/square/go-jose.v2 v2.5.1 | 18 | gopkg.in/square/go-jose.v2 v2.5.1 |
18 | ) | 19 | ) |
@@ -80,6 +81,7 @@ require ( | |||
80 | golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect | 81 | golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect |
81 | golang.org/x/sys v0.0.0-20211103235746-7861aae1554b // indirect | 82 | golang.org/x/sys v0.0.0-20211103235746-7861aae1554b // indirect |
82 | golang.org/x/text v0.3.7 // indirect | 83 | golang.org/x/text v0.3.7 // indirect |
84 | google.golang.org/appengine v1.6.7 // indirect | ||
83 | google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect | 85 | google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect |
84 | google.golang.org/grpc v1.41.0 // indirect | 86 | google.golang.org/grpc v1.41.0 // indirect |
85 | google.golang.org/protobuf v1.26.0 // indirect | 87 | google.golang.org/protobuf v1.26.0 // indirect |
@@ -605,6 +605,7 @@ golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ | |||
605 | golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= | 605 | golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= |
606 | golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= | 606 | golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= |
607 | golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= | 607 | golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= |
608 | golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c h1:pkQiBZBvdos9qq4wBAHqlzuZHEXo07pqV06ef90u1WI= | ||
608 | golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= | 609 | golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= |
609 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | 610 | golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= |
610 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | 611 | golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= |
@@ -787,6 +788,7 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7 | |||
787 | google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= | 788 | google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0= |
788 | google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= | 789 | google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= |
789 | google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= | 790 | google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= |
791 | google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= | ||
790 | google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= | 792 | google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= |
791 | google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= | 793 | google.golang.org/genproto v0.0.0-20170818010345-ee236bd376b0/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= |
792 | google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= | 794 | google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= |