refactor: oauth flow (#726)

* wip * feat: add oauth session impl in auth service * feat: move oauth logic into auth service and handle multiple sessions * tests: fix tests * fix: review comments * fix: prevent ddos attacks in oauth rate limit
2026-03-24 23:47:53 +00:00 · 2026-03-22 21:03:32 +02:00
parent d71a8e03cc
commit f26c217161
15 changed files with 520 additions and 558 deletions
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -17,8 +17,21 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"golang.org/x/crypto/bcrypt"
+	"golang.org/x/exp/slices"
+	"golang.org/x/oauth2"
 )

+const MaxOAuthPendingSessions = 256
+const OAuthCleanupCount = 16
+
+type OAuthPendingSession struct {
+	State     string
+	Verifier  string
+	Token     *oauth2.Token
+	Service   *OAuthServiceImpl
+	ExpiresAt time.Time
+}
+
 type LdapGroupsCache struct {
 	Groups  []string
 	Expires time.Time
@@ -45,28 +58,34 @@ type AuthServiceConfig struct {
 }

 type AuthService struct {
-	config          AuthServiceConfig
-	docker          *DockerService
-	loginAttempts   map[string]*LoginAttempt
-	ldapGroupsCache map[string]*LdapGroupsCache
-	loginMutex      sync.RWMutex
-	ldapGroupsMutex sync.RWMutex
-	ldap            *LdapService
-	queries         *repository.Queries
+	config               AuthServiceConfig
+	docker               *DockerService
+	loginAttempts        map[string]*LoginAttempt
+	ldapGroupsCache      map[string]*LdapGroupsCache
+	oauthPendingSessions map[string]*OAuthPendingSession
+	oauthMutex           sync.RWMutex
+	loginMutex           sync.RWMutex
+	ldapGroupsMutex      sync.RWMutex
+	ldap                 *LdapService
+	queries              *repository.Queries
+	oauthBroker          *OAuthBrokerService
 }

-func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapService, queries *repository.Queries) *AuthService {
+func NewAuthService(config AuthServiceConfig, docker *DockerService, ldap *LdapService, queries *repository.Queries, oauthBroker *OAuthBrokerService) *AuthService {
 	return &AuthService{
-		config:          config,
-		docker:          docker,
-		loginAttempts:   make(map[string]*LoginAttempt),
-		ldapGroupsCache: make(map[string]*LdapGroupsCache),
-		ldap:            ldap,
-		queries:         queries,
+		config:               config,
+		docker:               docker,
+		loginAttempts:        make(map[string]*LoginAttempt),
+		ldapGroupsCache:      make(map[string]*LdapGroupsCache),
+		oauthPendingSessions: make(map[string]*OAuthPendingSession),
+		ldap:                 ldap,
+		queries:              queries,
+		oauthBroker:          oauthBroker,
 	}
 }

 func (auth *AuthService) Init() error {
+	go auth.CleanupOAuthSessionsRoutine()
 	return nil
 }

@@ -553,3 +572,177 @@ func (auth *AuthService) IsBypassedIP(acls config.AppIP, ip string) bool {
 	tlog.App.Debug().Str("ip", ip).Msg("IP not in bypass list, continuing with authentication")
 	return false
 }
+
+func (auth *AuthService) NewOAuthSession(serviceName string) (string, OAuthPendingSession, error) {
+	auth.ensureOAuthSessionLimit()
+
+	service, ok := auth.oauthBroker.GetService(serviceName)
+
+	if !ok {
+		return "", OAuthPendingSession{}, fmt.Errorf("oauth service not found: %s", serviceName)
+	}
+
+	sessionId, err := uuid.NewRandom()
+
+	if err != nil {
+		return "", OAuthPendingSession{}, fmt.Errorf("failed to generate session ID: %w", err)
+	}
+
+	state := service.NewRandom()
+	verifier := service.NewRandom()
+
+	session := OAuthPendingSession{
+		State:     state,
+		Verifier:  verifier,
+		Service:   &service,
+		ExpiresAt: time.Now().Add(1 * time.Hour),
+	}
+
+	auth.oauthMutex.Lock()
+	auth.oauthPendingSessions[sessionId.String()] = &session
+	auth.oauthMutex.Unlock()
+
+	return sessionId.String(), session, nil
+}
+
+func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) {
+	session, err := auth.getOAuthPendingSession(sessionId)
+
+	if err != nil {
+		return "", err
+	}
+
+	return (*session.Service).GetAuthURL(session.State, session.Verifier), nil
+}
+
+func (auth *AuthService) GetOAuthToken(sessionId string, code string) (*oauth2.Token, error) {
+	session, err := auth.getOAuthPendingSession(sessionId)
+
+	if err != nil {
+		return nil, err
+	}
+
+	token, err := (*session.Service).GetToken(code, session.Verifier)
+
+	if err != nil {
+		return nil, fmt.Errorf("failed to exchange code for token: %w", err)
+	}
+
+	auth.oauthMutex.Lock()
+	session.Token = token
+	auth.oauthMutex.Unlock()
+
+	return token, nil
+}
+
+func (auth *AuthService) GetOAuthUserinfo(sessionId string) (config.Claims, error) {
+	session, err := auth.getOAuthPendingSession(sessionId)
+
+	if err != nil {
+		return config.Claims{}, err
+	}
+
+	if session.Token == nil {
+		return config.Claims{}, fmt.Errorf("oauth token not found for session: %s", sessionId)
+	}
+
+	userinfo, err := (*session.Service).GetUserinfo(session.Token)
+
+	if err != nil {
+		return config.Claims{}, fmt.Errorf("failed to get userinfo: %w", err)
+	}
+
+	return userinfo, nil
+}
+
+func (auth *AuthService) GetOAuthService(sessionId string) (OAuthServiceImpl, error) {
+	session, err := auth.getOAuthPendingSession(sessionId)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return *session.Service, nil
+}
+
+func (auth *AuthService) EndOAuthSession(sessionId string) {
+	auth.oauthMutex.Lock()
+	delete(auth.oauthPendingSessions, sessionId)
+	auth.oauthMutex.Unlock()
+}
+
+func (auth *AuthService) CleanupOAuthSessionsRoutine() {
+	ticker := time.NewTicker(30 * time.Minute)
+	defer ticker.Stop()
+
+	for range ticker.C {
+		auth.oauthMutex.Lock()
+
+		now := time.Now()
+
+		for sessionId, session := range auth.oauthPendingSessions {
+			if now.After(session.ExpiresAt) {
+				delete(auth.oauthPendingSessions, sessionId)
+			}
+		}
+
+		auth.oauthMutex.Unlock()
+	}
+}
+
+func (auth *AuthService) getOAuthPendingSession(sessionId string) (*OAuthPendingSession, error) {
+	auth.ensureOAuthSessionLimit()
+
+	auth.oauthMutex.RLock()
+	session, exists := auth.oauthPendingSessions[sessionId]
+	auth.oauthMutex.RUnlock()
+
+	if !exists {
+		return &OAuthPendingSession{}, fmt.Errorf("oauth session not found: %s", sessionId)
+	}
+
+	if time.Now().After(session.ExpiresAt) {
+		auth.oauthMutex.Lock()
+		delete(auth.oauthPendingSessions, sessionId)
+		auth.oauthMutex.Unlock()
+		return &OAuthPendingSession{}, fmt.Errorf("oauth session expired: %s", sessionId)
+	}
+
+	return session, nil
+}
+
+func (auth *AuthService) ensureOAuthSessionLimit() {
+	auth.oauthMutex.Lock()
+	defer auth.oauthMutex.Unlock()
+
+	if len(auth.oauthPendingSessions) >= MaxOAuthPendingSessions {
+
+		cleanupIds := make([]string, 0, OAuthCleanupCount)
+
+		for range OAuthCleanupCount {
+			oldestId := ""
+			oldestTime := int64(0)
+
+			for id, session := range auth.oauthPendingSessions {
+				if oldestTime == 0 {
+					oldestId = id
+					oldestTime = session.ExpiresAt.Unix()
+					continue
+				}
+				if slices.Contains(cleanupIds, id) {
+					continue
+				}
+				if session.ExpiresAt.Unix() < oldestTime {
+					oldestId = id
+					oldestTime = session.ExpiresAt.Unix()
+				}
+			}
+
+			cleanupIds = append(cleanupIds, oldestId)
+		}
+
+		for _, id := range cleanupIds {
+			delete(auth.oauthPendingSessions, id)
+		}
+	}
+}