package explore
import (
"errors"
"fmt"
"html"
"log"
"net/http"
"net/url"
"os"
"github.com/google/go-containerregistry/pkg/v1/remote/transport"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
)
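// maybeOauthErr decides whether err should be answered with the OAuth sign-in
// page instead of being reported as-is.
//
// The sign-in page is rendered only when all of the following hold:
//   - OAuth is configured (h.oauth is non-nil),
//   - err wraps a *transport.Error,
//   - the failing request was sent to a host accepted by isGoogle, and
//   - the registry answered 401 Unauthorized or 403 Forbidden.
//
// It returns nil when the page was written to w, the original err when the
// conditions above are not met, and a wrapped error when the template fails
// to render.
func (h *handler) maybeOauthErr(w http.ResponseWriter, r *http.Request, err error) error {
	if h.oauth == nil {
		return err
	}

	var terr *transport.Error
	if !errors.As(err, &terr) {
		return err
	}

	// Request is a pointer field; an error value that carries no request must
	// fall through as an ordinary error rather than panic in the error path.
	if terr.Request == nil || terr.Request.URL == nil {
		return err
	}
	if !isGoogle(terr.Request.URL.Host) {
		return err
	}

	switch terr.StatusCode {
	case http.StatusForbidden, http.StatusUnauthorized:
		// Authentication/authorization failure: offer the sign-in page.
	default:
		return err
	}

	data := OauthData{
		// NOTE(review): the message is escaped here before it reaches the
		// template. If oauthTmpl is an html/template it escapes again and the
		// page shows entities literally; if it is a text/template this call is
		// the only escaping. Confirm which one is in use.
		Error: html.EscapeString(err.Error()),
		// The current request URL is sent as the OAuth "state" so the callback
		// can return the user to this page.
		// NOTE(review): state carries only the return location and no
		// per-session random value, so the callback cannot tell whether it
		// started this flow. Binding state to the browser session would close
		// that gap; it needs a matching change in the callback handler.
		Redirect: h.oauth.AuthCodeURL(r.URL.String()),
	}
	if err := oauthTmpl.Execute(w, data); err != nil {
		return fmt.Errorf("failed to render oauth page: %w", err)
	}
	return nil
}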
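// oauthHandler is the OAuth redirect (callback) endpoint. It exchanges the
// authorization code in the "code" query parameter for tokens, stores them in
// cookies, and redirects the browser to the location carried in "state".
//
// Every failure is logged server-side and answered with a generic HTTP error;
// provider error details are never echoed to the client.
func (h *handler) oauthHandler(w http.ResponseWriter, r *http.Request) {
	if h.oauth == nil {
		// OAuth is not configured, so this endpoint has nothing to serve.
		http.NotFound(w, r)
		return
	}

	qs := r.URL.Query()

	// Validate the return location before spending the authorization code, so
	// a request that will be rejected never sets cookies.
	//
	// NOTE(review): state is treated purely as a return location. It is not
	// compared with any value stored for this browser session, so the handler
	// cannot tell whether the flow was started here. Consider adding a
	// per-session random value to state and verifying it at this point.
	state := qs.Get("state")
	u, err := url.ParseRequestURI(state)
	if err != nil {
		log.Printf("ParseRequestURI: %v", err)
		http.Error(w, "invalid state", http.StatusBadRequest)
		return
	}
	// state comes from the query string and is caller-controlled.
	// ParseRequestURI accepts absolute URLs, and it keeps "//host/..." as a
	// plain path that a browser then resolves as a network-path reference, so
	// only a single-slash local path is allowed as a redirect target.
	// (ParseRequestURI rejects the empty string, so state[0] is in range.)
	local := u.Scheme == "" && u.Host == "" && u.User == nil && state[0] == '/'
	if local && len(state) > 1 && (state[1] == '/' || state[1] == '\\') {
		local = false
	}
	if !local {
		log.Printf("oauth: rejecting non-local redirect target in state")
		http.Error(w, "invalid state", http.StatusBadRequest)
		return
	}

	code := qs.Get("code")
	if code == "" {
		http.Error(w, "missing code", http.StatusBadRequest)
		return
	}
	tok, err := h.oauth.Exchange(r.Context(), code)
	if err != nil {
		log.Printf("Exchange: %v", err)
		http.Error(w, "sign-in failed", http.StatusBadRequest)
		return
	}
	if debug {
		// Log token metadata only: formatting the whole token with %v would
		// write the access and refresh tokens into the log.
		log.Printf("tok: type=%q expiry=%v refresh=%t", tok.TokenType, tok.Expiry, tok.RefreshToken != "")
	}

	// Both cookies are Secure (HTTPS only), HttpOnly (not readable by page
	// scripts) and SameSite=Lax.
	// NOTE(review): neither cookie sets Path or Domain, so their scope follows
	// the browser default for the callback URL. Confirm that is intended.
	if tok.AccessToken != "" {
		http.SetCookie(w, &http.Cookie{
			Name:     "access_token",
			Value:    tok.AccessToken,
			Expires:  tok.Expiry,
			Secure:   true,
			HttpOnly: true,
			SameSite: http.SameSiteLaxMode,
		})
	}
	if tok.RefreshToken != "" {
		// No Expires/MaxAge: the refresh token is kept as a session cookie.
		// NOTE(review): this places a long-lived credential in the browser;
		// confirm that is acceptable for this deployment.
		http.SetCookie(w, &http.Cookie{
			Name:     "refresh_token",
			Value:    tok.RefreshToken,
			Secure:   true,
			HttpOnly: true,
			SameSite: http.SameSiteLaxMode,
		})
	}

	http.Redirect(w, r, u.String(), http.StatusFound)
}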
// buildOauth assembles the Google OAuth2 client configuration from the
// CLIENT_ID, CLIENT_SECRET and REDIRECT_URL environment variables.
//
// It returns nil when CLIENT_ID or CLIENT_SECRET is empty. REDIRECT_URL is
// passed through as-is, including when it is empty.
func buildOauth() *oauth2.Config {
	id, secret := os.Getenv("CLIENT_ID"), os.Getenv("CLIENT_SECRET")
	redirect := os.Getenv("REDIRECT_URL")

	if id == "" || secret == "" {
		return nil
	}

	// The only scope requested is the read-only cloud-platform scope.
	scopes := []string{
		"https://www.googleapis.com/auth/cloud-platform.read-only",
	}
	cfg := &oauth2.Config{
		ClientID:     id,
		ClientSecret: secret,
		RedirectURL:  redirect,
		Scopes:       scopes,
		Endpoint:     google.Endpoint,
	}
	return cfg
}