-
-
Notifications
You must be signed in to change notification settings - Fork 83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support of custom oauth2 server (issue#11) #29
Conversation
… same as domain of redir url
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[DELETED]
Pull Request Test Coverage Report for Build 250
💛 - Coveralls |
@@ -161,6 +161,8 @@ func (p Oauth2Handler) AuthHandler(w http.ResponseWriter, r *http.Request) { | |||
return | |||
} | |||
|
|||
p.conf.RedirectURL = p.makeRedirURL(r.URL.Path) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
go-oauth2/oauth2 does check of redir url also during token exchange
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is impressive work, thx a lot. I didn't play with the code yet (going to do it later on, hopefully, today) and just noticed a few relatively minor things from the first sight.
provider/custom_server.go
Outdated
func (c *CustomOauthServer) handleAuthorize(w http.ResponseWriter, r *http.Request) { | ||
// Called for first time, ask for username | ||
if c.WithLoginPage && (r.ParseForm() != nil || r.Form.Get("username") == "") { | ||
userLoginTmpl, err := template.New("page").Parse(customLoginTmpl) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The customLoginTmpl
is fine as a default template but I'd suggest adding user-defined/injected one to CustomProviderOpt
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added function LoginPageHandler
to allow user to handle login page on its own. Usage example in here _example/custom/main.go
Let me know if you prefer more stricter way to let pass just a template.
provider/custom_server.go
Outdated
} | ||
userID := ti.GetUserID() | ||
|
||
ava := fmt.Sprintf(c.Domain+":%d/avatar?user=%s", custOAuthPort, userID) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure yet how all these flows works (just spent a few minutes with this PR) but generally speaking making URL with "naked" sprintf makes me worry a little bit. Maybe we better sanitize the potentially vulnerable URL like this ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
provider/custom_server.go
Outdated
func (c *CustomOauthServer) handleAuthorize(w http.ResponseWriter, r *http.Request) { | ||
// Called for first time, ask for username | ||
if c.WithLoginPage && (r.ParseForm() != nil || r.Form.Get("username") == "") { | ||
userLoginTmpl, err := template.New("page").Parse(customLoginTmpl) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Test coverage for this file is below 70% and this branch of code (within if c.WithLoginPage && ...
) not covered at all.
Not sure if you can see coveralls report, but in case if it open publicly see https://coveralls.io/builds/24836939/source?filename=provider%2Fcustom_server.go#L80
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I can see coveralls report. I had to check test coverage before submitting pull request. sorry. I'll take care of it.
the build failed due to lint issue. They are probably minor, but will be nice to get them addressed:
|
oops, sorry my bad. It is 1am here, and after a day of heavy codding reading inversed order of commits got me confused. |
A question about |
Another suggestion regarding the example. Currently, it is a little bit confusing for someone running it as I'd suggest moving the custom provider example to top-level (example/main.go). This way, we will get it nicely integrated and easily demonstratable as it will be shown as one more provider in addition to others. |
A few things:
|
I got it. Thank you for your remarks. |
As you suggested I added the method to register custom provider in handler stack: service.AddCustomProvider("custom123", copts) After I removed this part from auth.go it is now responsibility of library user to initiate and start custom server. I added a helper method to initiate server instance and prefill some options needed later for AddCustomProvider. Tbh Im not sure about this. There are obvious things in this method but maybe you’ll find it useful. I changed a bit the names as well trying to differentiate the process of registering provider from starting oauth server. |
A few suggestions and observations. Pls note, I'm not 100% sure those are good suggestions, just smth to think about:
|
@umputun Regarding 3:
Note: it is not fully testable right now. I have to implement some changes (e.g. make UserData type public). But locally I played a bit with it and it looks good. |
makes sense. I have missed that use case, but it will be very nice to have. |
It seems Travis checks have failed because coveralls is on maintenance at the moment. |
Looks good to me. Thx for the amazing PR, appreciate it! |
I just realized we completely missed any documentation. I have added smth minimal to README, but feel free to extend/modify it. |
@umputun yes, you are right. I'll be back with a new PR for documentation maybe on the weekend. Thanks for your advices and remarks. I do not work with Golang on daily basis. it is nice way to learn smth new. Very appreciate it! |
@nbys due to known security-related issues in go-oauth2/oauth2 I have switched it to v4. The api for v4 is almost identical and the only thing I had to adjust was an extra param to However, I'm not sure if it works properly. I get all kind of errors as I try to auth with _example. Can you pls take a look ? |
I'll take care of this. To understand, do the errors occur only for UPD: I tested it a bit. It seems that the problem occurs only with custom oauth2 server: Line 153 in c7d6348
The another example of Lines 161 to 176 in c7d6348
I don't think it is critical, but nevertheless, I'll take a look at the weekend. |
To resolve #11
I used dev_provider as example for this implementation. Basically I just replaced hardcoded parts of dev_provider with corresponding methods of go-oauth2/oauth2.