// Copyright © 2019 The Things Network Foundation, The Things Industries B.V.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package oauthclient
import (
"context"
stderrors "errors"
"net/http"
"time"
"go.thethings.network/lorawan-stack/v3/pkg/errors"
"go.thethings.network/lorawan-stack/v3/pkg/webhandlers"
"golang.org/x/oauth2"
)
var (
	// errRefresh is returned by Token when the authorization server refuses
	// to refresh the token. The server's own error (when its response body
	// decodes as an errors.Error) or the raw oauth2 error is attached as the cause.
	errRefresh = errors.DefinePermissionDenied("refresh", "token refresh refused")
)
// Token returns the OAuth 2.0 token.
// If the given token is about to expire, this method refreshes the token and returns the new token.
//
// Configuration and HTTP client errors are returned as-is. A refused refresh is
// reported as errRefresh, with the cause chosen by refreshCause.
func (oc *OAuthClient) Token(ctx context.Context, token *oauth2.Token) (*oauth2.Token, error) {
	conf, err := oc.oauthConfig(ctx)
	if err != nil {
		return nil, err
	}
	// Plain `=` on purpose: the HTTP-client-carrying context replaces ctx for
	// the token request below.
	if ctx, err = oc.withHTTPClient(ctx); err != nil {
		return nil, err
	}
	freshToken, err := conf.TokenSource(ctx, token).Token()
	if err != nil {
		return nil, errRefresh.WithCause(refreshCause(err))
	}
	return freshToken, nil
}

// refreshCause picks the error to attach to errRefresh: when the token endpoint
// answered with a body that decodes as an errors.Error, that decoded error is
// used so the server's reason is preserved; otherwise the original error is.
func refreshCause(err error) error {
	var retrieveErr *oauth2.RetrieveError
	if !stderrors.As(err, &retrieveErr) {
		return err
	}
	var ttnErr errors.Error
	if decErr := ttnErr.UnmarshalJSON(retrieveErr.Body); decErr != nil {
		return err
	}
	return &ttnErr
}
// HandleToken is a handler that returns a valid OAuth token.
// It reads the token from the authorization cookie and refreshes it if needed.
// If the authorization cookie is not there, it returns a 401 Unauthorized error.
//
// The JSON response carries only the access token and its expiry; the refresh
// token is never written to the response body and stays in the authorization
// cookie.
func (oc *OAuthClient) HandleToken(w http.ResponseWriter, r *http.Request) {
	cookie, err := oc.getAuthCookie(w, r)
	if err != nil {
		webhandlers.Error(w, r, err)
		return
	}
	// NOTE(review): Expiry is set to now rather than to the expiry stored in
	// the cookie, so the oauth2 token source treats the stored token as
	// expired and refreshes it on every call — confirm this is intended.
	stored := &oauth2.Token{
		AccessToken:  cookie.AccessToken,
		RefreshToken: cookie.RefreshToken,
		Expiry:       time.Now(),
	}
	fresh, err := oc.Token(r.Context(), stored)
	if err != nil {
		webhandlers.Error(w, r, err)
		return
	}
	// Pointer comparison: this relies on the token source handing back the
	// same *oauth2.Token when no refresh took place, so only a newly issued
	// token is persisted in the cookie.
	if fresh != stored {
		if err := oc.setAuthCookie(w, r, authCookie{
			AccessToken:  fresh.AccessToken,
			RefreshToken: fresh.RefreshToken,
			Expiry:       fresh.Expiry,
		}); err != nil {
			webhandlers.Error(w, r, err)
			return
		}
	}
	body := struct {
		AccessToken string    `json:"access_token"`
		Expiry      time.Time `json:"expiry"`
	}{
		AccessToken: fresh.AccessToken,
		Expiry:      fresh.Expiry,
	}
	webhandlers.JSON(w, r, body)
}