-
Notifications
You must be signed in to change notification settings - Fork 0
/
invitation.go
100 lines (88 loc) · 3.12 KB
/
invitation.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
package server
import (
"net/http"
"net/url"
"time"
"github.com/coreos/dex/pkg/log"
"github.com/coreos/dex/user"
"github.com/coreos/dex/user/manager"
"github.com/coreos/go-oidc/jose"
"github.com/coreos/go-oidc/key"
)
type invitationTemplateData struct {
Error, Message string
}
type InvitationHandler struct {
issuerURL url.URL
passwordResetURL url.URL
um *manager.UserManager
keysFunc func() ([]key.PublicKey, error)
signerFunc func() (jose.Signer, error)
redirectValidityWindow time.Duration
}
func (h *InvitationHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
switch r.Method {
case "GET":
h.handleGET(w, r)
default:
writeAPIError(w, http.StatusMethodNotAllowed, newAPIError(errorInvalidRequest,
"method not allowed"))
}
}
func (h *InvitationHandler) handleGET(w http.ResponseWriter, r *http.Request) {
q := r.URL.Query()
token := q.Get("token")
keys, err := h.keysFunc()
if err != nil {
log.Errorf("internal error getting public keys: %v", err)
writeAPIError(w, http.StatusInternalServerError, newAPIError(errorServerError,
"There's been an error processing your request."))
return
}
invite, err := user.ParseAndVerifyInvitationToken(token, h.issuerURL, keys)
if err != nil {
log.Debugf("invalid invitation token: %v (%v)", err, token)
writeAPIError(w, http.StatusBadRequest, newAPIError(errorInvalidRequest,
"Your invitation could not be verified"))
return
}
_, err = h.um.VerifyEmail(invite)
if err != nil && err != manager.ErrorEmailAlreadyVerified {
// Allow AlreadyVerified folks to pass through- otherwise
// folks who encounter an error after passing this point will
// never be able to set their passwords.
log.Debugf("error attempting to verify email: %v", err)
switch err {
case manager.ErrorEVEmailDoesntMatch:
writeAPIError(w, http.StatusBadRequest, newAPIError(errorInvalidRequest,
"Your email does not match the email address on file"))
return
default:
log.Errorf("internal error verifying email: %v", err)
writeAPIError(w, http.StatusInternalServerError, newAPIError(errorServerError,
"There's been an error processing your request."))
return
}
}
passwordReset := invite.PasswordReset(h.issuerURL, h.redirectValidityWindow)
signer, err := h.signerFunc()
if err != nil || signer == nil {
log.Errorf("error getting signer: %v (signer: %v)", err, signer)
writeAPIError(w, http.StatusInternalServerError, newAPIError(errorServerError,
"There's been an error processing your request."))
return
}
jwt, err := jose.NewSignedJWT(passwordReset.Claims, signer)
if err != nil {
log.Errorf("error constructing or signing PasswordReset from Invitation JWT: %v", err)
writeAPIError(w, http.StatusInternalServerError, newAPIError(errorServerError,
"There's been an error processing your request."))
return
}
passwordResetToken := jwt.Encode()
passwordResetURL := h.passwordResetURL
newQuery := passwordResetURL.Query()
newQuery.Set("token", passwordResetToken)
passwordResetURL.RawQuery = newQuery.Encode()
http.Redirect(w, r, passwordResetURL.String(), http.StatusSeeOther)
}