refactor: only accept claims following the OIDC spec
@@ -189,7 +189,7 @@ func init() {
|
|||||||
rootCmd.Flags().String("generic-auth-url", "", "Generic OAuth auth URL.")
|
rootCmd.Flags().String("generic-auth-url", "", "Generic OAuth auth URL.")
|
||||||
rootCmd.Flags().String("generic-token-url", "", "Generic OAuth token URL.")
|
rootCmd.Flags().String("generic-token-url", "", "Generic OAuth token URL.")
|
||||||
rootCmd.Flags().String("generic-user-url", "", "Generic OAuth user info URL.")
|
rootCmd.Flags().String("generic-user-url", "", "Generic OAuth user info URL.")
|
||||||
rootCmd.Flags().String("generic-name", "Other", "Generic OAuth provider name.")
|
rootCmd.Flags().String("generic-name", "Generic", "Generic OAuth provider name.")
|
||||||
rootCmd.Flags().Bool("disable-continue", false, "Disable continue screen and redirect to app directly.")
|
rootCmd.Flags().Bool("disable-continue", false, "Disable continue screen and redirect to app directly.")
|
||||||
rootCmd.Flags().String("oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth.")
|
rootCmd.Flags().String("oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth.")
|
||||||
rootCmd.Flags().Int("session-expiry", 86400, "Session (cookie) expiration time in seconds.")
|
rootCmd.Flags().Int("session-expiry", 86400, "Session (cookie) expiration time in seconds.")
|
||||||
|
|||||||
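Review bot: The default for `generic-name` moves from `"Other"` to `"Generic"` on the new side, a user-visible change that the commit title (a claims refactor) does not mention and that deployments relying on the old default label may notice after upgrading. Consider noting it in the commit description or splitting it into its own commit. `init()` starts and ends outside the hunk.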
@@ -7,3 +7,14 @@ var TinyauthLabels = []string{
|
|||||||
"tinyauth.allowed",
|
"tinyauth.allowed",
|
||||||
"tinyauth.headers",
|
"tinyauth.headers",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Claims are the OIDC supported claims
|
||||||
|
type Claims struct {
|
||||||
|
Name string `json:"name"`
|
||||||
|
FamilyName string `json:"family_name"`
|
||||||
|
GivenName string `json:"given_name"`
|
||||||
|
MiddleName string `json:"middle_name"`
|
||||||
|
Nickname string `json:"nickname"`
|
||||||
|
Picture string `json:"picture"`
|
||||||
|
Email string `json:"email"`
|
||||||
|
}
|
||||||
|
|||||||
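Review bot: `Claims` carries `email` but not `email_verified`, so the callback hunk in `OauthCallbackHandler` (which whitelists and names the session from `user.Email`) has nothing to tell a provider-verified address from one the user merely entered at the provider; OIDC Core lists `email_verified` as a standard claim next to `email`. Adding a field `EmailVerified bool` with the tag `json:"email_verified"` would let the handler reject unverified addresses wherever the provider reports the flag, which matters when the whitelist is the authorization boundary. Decoding into this struct also silently drops any field not listed here, so a provider that publishes the address under a non-standard key now yields an empty `Email`; the type comment could say so, e.g. `// Claims is the subset of OIDC standard claims tinyauth reads; claims the provider does not send are left empty.`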
@@ -625,22 +625,20 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
|
|||||||
|
|
||||||
log.Debug().Msg("Got user")
|
log.Debug().Msg("Got user")
|
||||||
|
|
||||||
// Get email
|
// Check that email is not empty
|
||||||
email, ok := user["email"].(string)
|
if user.Email == "" {
|
||||||
|
log.Warn().Msg("Email is empty")
|
||||||
if !ok {
|
|
||||||
log.Error().Msg("Failed to get email from user")
|
|
||||||
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
|
c.Redirect(http.StatusPermanentRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Email is not whitelisted
|
// Email is not whitelisted
|
||||||
if !h.Auth.EmailWhitelisted(email) {
|
if !h.Auth.EmailWhitelisted(user.Email) {
|
||||||
log.Warn().Str("email", email).Msg("Email not whitelisted")
|
log.Warn().Str("email", user.Email).Msg("Email not whitelisted")
|
||||||
|
|
||||||
// Build query
|
// Build query
|
||||||
queries, err := query.Values(types.UnauthorizedQuery{
|
queries, err := query.Values(types.UnauthorizedQuery{
|
||||||
Username: email,
|
Username: user.Email,
|
||||||
})
|
})
|
||||||
|
|
||||||
// Handle error
|
// Handle error
|
||||||
@@ -658,7 +656,7 @@ func (h *Handlers) OauthCallbackHandler(c *gin.Context) {
|
|||||||
|
|
||||||
// Create session cookie (also cleans up redirect cookie)
|
// Create session cookie (also cleans up redirect cookie)
|
||||||
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
|
h.Auth.CreateSessionCookie(c, &types.SessionCookie{
|
||||||
Username: email,
|
Username: user.Email,
|
||||||
Provider: providerName.Provider,
|
Provider: providerName.Provider,
|
||||||
})
|
})
|
||||||
|
|
||||||
|
|||||||
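Review bot: The rejection path directly after the new `if user.Email == ""` check still uses `c.Redirect(http.StatusPermanentRedirect, ...)`; a 308 is cacheable by default, so a browser that once took this branch may keep sending the callback URL straight to `/error` without the handler running again. For a per-request failure `http.StatusFound` or `http.StatusTemporaryRedirect` is the usual choice, e.g. `c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", h.Config.AppURL))`. The new check also cannot distinguish a missing `email` claim from an empty one, which is fine for rejecting both but worth a one-line comment. `OauthCallbackHandler` starts before the first hunk and ends after the second.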
@@ -4,13 +4,14 @@ import (
|
|||||||
"encoding/json"
|
"encoding/json"
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"tinyauth/internal/constants"
|
||||||
|
|
||||||
"github.com/rs/zerolog/log"
|
"github.com/rs/zerolog/log"
|
||||||
)
|
)
|
||||||
|
|
||||||
func GetGenericUser(client *http.Client, url string) (map[string]interface{}, error) {
|
func GetGenericUser(client *http.Client, url string) (constants.Claims, error) {
|
||||||
// Create user struct
|
// Create user struct
|
||||||
user := make(map[string]interface{})
|
var user constants.Claims
|
||||||
|
|
||||||
// Using the oauth client get the user info url
|
// Using the oauth client get the user info url
|
||||||
res, err := client.Get(url)
|
res, err := client.Get(url)
|
||||||
|
|||||||
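Review bot: `GetGenericUser` (and likewise `GetGithubUser`, `GetGoogleUser` and `Providers.GetUser` in the later hunks) is exported but has no doc comment, and its contract changed with this commit: the result is now a `constants.Claims` whose fields stay empty for anything the provider does not send under the OIDC claim names, rather than a map carrying whatever came back. A comment such as `// GetGenericUser fetches the user-info endpoint at url with the provided OAuth client and returns the OIDC standard claims it contains; claims the provider does not send are left empty.` would record that for callers. The body continues past the hunk, so the decode itself is not visible here.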
@@ -5,6 +5,7 @@ import (
|
|||||||
"errors"
|
"errors"
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"tinyauth/internal/constants"
|
||||||
|
|
||||||
"github.com/rs/zerolog/log"
|
"github.com/rs/zerolog/log"
|
||||||
)
|
)
|
||||||
@@ -20,9 +21,9 @@ func GithubScopes() []string {
|
|||||||
return []string{"user:email"}
|
return []string{"user:email"}
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetGithubUser(client *http.Client) (map[string]interface{}, error) {
|
func GetGithubUser(client *http.Client) (constants.Claims, error) {
|
||||||
// Create user struct
|
// Create user struct
|
||||||
user := make(map[string]interface{})
|
var user constants.Claims
|
||||||
|
|
||||||
// Get the user emails from github using the oauth http client
|
// Get the user emails from github using the oauth http client
|
||||||
res, err := client.Get("https://api.github.com/user/emails")
|
res, err := client.Get("https://api.github.com/user/emails")
|
||||||
@@ -60,7 +61,7 @@ func GetGithubUser(client *http.Client) (map[string]interface{}, error) {
|
|||||||
// Find and return the primary email
|
// Find and return the primary email
|
||||||
for _, email := range emails {
|
for _, email := range emails {
|
||||||
if email.Primary {
|
if email.Primary {
|
||||||
user["email"] = email.Email
|
user.Email = email.Email
|
||||||
return user, nil
|
return user, nil
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
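Review bot: The loop still takes the first entry with `Primary` set and ignores whether GitHub reports that address as verified; since the callback whitelists and names the session from `user.Email`, an unverified primary address, should GitHub ever return one, would pass. GitHub's `/user/emails` response carries a `verified` boolean per entry, so if the email type decoded above the hunk gains that field the condition could become `if email.Primary && email.Verified {`. What happens when no entry is primary is decided after the hunk; `GetGithubUser` continues past it.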
@@ -4,6 +4,7 @@ import (
|
|||||||
"encoding/json"
|
"encoding/json"
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"tinyauth/internal/constants"
|
||||||
|
|
||||||
"github.com/rs/zerolog/log"
|
"github.com/rs/zerolog/log"
|
||||||
)
|
)
|
||||||
@@ -13,9 +14,9 @@ func GoogleScopes() []string {
|
|||||||
return []string{"https://www.googleapis.com/auth/userinfo.email"}
|
return []string{"https://www.googleapis.com/auth/userinfo.email"}
|
||||||
}
|
}
|
||||||
|
|
||||||
func GetGoogleUser(client *http.Client) (map[string]interface{}, error) {
|
func GetGoogleUser(client *http.Client) (constants.Claims, error) {
|
||||||
// Create user struct
|
// Create user struct
|
||||||
user := make(map[string]interface{})
|
var user constants.Claims
|
||||||
|
|
||||||
// Get the user info from google using the oauth http client
|
// Get the user info from google using the oauth http client
|
||||||
res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
|
res, err := client.Get("https://www.googleapis.com/userinfo/v2/me")
|
||||||
|
|||||||
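Review bot: `GetGoogleUser` now decodes into `constants.Claims`, but the endpoint it still calls, `https://www.googleapis.com/userinfo/v2/me`, is Google's legacy profile API and, as far as I recall, names its verification flag `verified_email` rather than the OIDC `email_verified`, so a Claims-shaped decode would drop it even if that claim were added to the struct. Google's OIDC userinfo endpoint (`https://openidconnect.googleapis.com/v1/userinfo`) returns the standard claim names and would match the intent of this commit; verify against current Google documentation before switching. With only the `userinfo.email` scope requested in `GoogleScopes`, the name and picture claims will presumably stay empty either way. The function body continues after the hunk.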
@@ -2,6 +2,7 @@ package providers
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"tinyauth/internal/constants"
|
||||||
"tinyauth/internal/oauth"
|
"tinyauth/internal/oauth"
|
||||||
"tinyauth/internal/types"
|
"tinyauth/internal/types"
|
||||||
|
|
||||||
@@ -93,9 +94,9 @@ func (providers *Providers) GetProvider(provider string) *oauth.OAuth {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (providers *Providers) GetUser(provider string) (map[string]interface{}, error) {
|
func (providers *Providers) GetUser(provider string) (constants.Claims, error) {
|
||||||
// Create user struct
|
// Create user struct
|
||||||
user := make(map[string]interface{})
|
var user constants.Claims
|
||||||
|
|
||||||
// Get the user from the provider
|
// Get the user from the provider
|
||||||
switch provider {
|
switch provider {
|
||||||
|
|||||||