omar/MosisService
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add OAuth authentication with JWT tokens and API key support

Browse Source
This commit is contained in:
omigamedev
2026-01-18 21:00:03 +01:00
parent 2eb6292dc2
commit 8601bb5ba3
8 changed files with 1004 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

145
portal/internal/auth/jwt.go Normal file
View File

@@ -0,0 +1,145 @@
// Package auth provides authentication and authorization functionality
package auth
import (
"crypto/rand"
"encoding/base64"
"errors"
"fmt"
"time"
"github.com/golang-jwt/jwt/v5"
)
var (
ErrInvalidToken = errors.New("invalid token")
ErrExpiredToken = errors.New("token has expired")
)
// TokenPair contains access and refresh tokens
type TokenPair struct {
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token"`
TokenType string `json:"token_type"`
ExpiresIn int64 `json:"expires_in"`
}
// Claims represents JWT claims for access tokens
type Claims struct {
jwt.RegisteredClaims
Type string `json:"type"`
Email string `json:"email,omitempty"`
}
// JWTManager handles JWT token operations
type JWTManager struct {
secretKey []byte
accessTokenExpiry time.Duration
refreshTokenExpiry time.Duration
}
// NewJWTManager creates a new JWT manager
func NewJWTManager(secret string) *JWTManager {
return &JWTManager{
secretKey: []byte(secret),
accessTokenExpiry: time.Hour,
refreshTokenExpiry: 30 * 24 * time.Hour,
}
}
// GenerateTokenPair creates a new access/refresh token pair
func (m *JWTManager) GenerateTokenPair(developerID, email string) (*TokenPair, error) {
accessToken, err := m.generateToken(developerID, email, "access", m.accessTokenExpiry)
if err != nil {
return nil, fmt.Errorf("generate access token: %w", err)
}
refreshToken, err := m.generateToken(developerID, email, "refresh", m.refreshTokenExpiry)
if err != nil {
return nil, fmt.Errorf("generate refresh token: %w", err)
}
return &TokenPair{
AccessToken: accessToken,
RefreshToken: refreshToken,
TokenType: "Bearer",
ExpiresIn: int64(m.accessTokenExpiry.Seconds()),
}, nil
}
func (m *JWTManager) generateToken(subject, email, tokenType string, expiry time.Duration) (string, error) {
now := time.Now()
claims := Claims{
RegisteredClaims: jwt.RegisteredClaims{
Subject: subject,
IssuedAt: jwt.NewNumericDate(now),
ExpiresAt: jwt.NewNumericDate(now.Add(expiry)),
Issuer: "mosis-portal",
},
Type: tokenType,
Email: email,
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString(m.secretKey)
}
// ValidateAccessToken validates an access token and returns the claims
func (m *JWTManager) ValidateAccessToken(tokenString string) (*Claims, error) {
return m.validateToken(tokenString, "access")
}
// ValidateRefreshToken validates a refresh token and returns the claims
func (m *JWTManager) ValidateRefreshToken(tokenString string) (*Claims, error) {
return m.validateToken(tokenString, "refresh")
}
func (m *JWTManager) validateToken(tokenString, expectedType string) (*Claims, error) {
token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
return m.secretKey, nil
})
if err != nil {
if errors.Is(err, jwt.ErrTokenExpired) {
return nil, ErrExpiredToken
}
return nil, ErrInvalidToken
}
claims, ok := token.Claims.(*Claims)
if !ok || !token.Valid {
return nil, ErrInvalidToken
}
if claims.Type != expectedType {
return nil, ErrInvalidToken
}
return claims, nil
}
// GenerateAPIKey generates a new API key with the given prefix
func GenerateAPIKey(prefix string) (string, error) {
// Generate 32 random bytes
bytes := make([]byte, 32)
if _, err := rand.Read(bytes); err != nil {
return "", err
}
// Encode as base64url (no padding)
encoded := base64.RawURLEncoding.EncodeToString(bytes)
return fmt.Sprintf("%s_%s", prefix, encoded), nil
}
// GenerateState generates a random state for OAuth
func GenerateState() (string, error) {
bytes := make([]byte, 16)
if _, err := rand.Read(bytes); err != nil {
return "", err
}
return base64.RawURLEncoding.EncodeToString(bytes), nil
}

238
portal/internal/auth/oauth.go Normal file
View File

@@ -0,0 +1,238 @@
package auth
import (
"context"
"encoding/json"
"fmt"
"net/http"
"golang.org/x/oauth2"
"golang.org/x/oauth2/github"
"golang.org/x/oauth2/google"
)
// OAuthProvider represents an OAuth2 provider
type OAuthProvider string
const (
ProviderGitHub OAuthProvider = "github"
ProviderGoogle OAuthProvider = "google"
)
// OAuthUser contains user information from OAuth provider
type OAuthUser struct {
Provider OAuthProvider
ID string
Email string
Name string
Avatar string
}
// OAuthManager handles OAuth2 authentication
type OAuthManager struct {
githubConfig *oauth2.Config
googleConfig *oauth2.Config
}
// NewOAuthManager creates a new OAuth manager
func NewOAuthManager(baseURL, githubClientID, githubClientSecret, googleClientID, googleClientSecret string) *OAuthManager {
m := &OAuthManager{}
if githubClientID != "" && githubClientSecret != "" {
m.githubConfig = &oauth2.Config{
ClientID: githubClientID,
ClientSecret: githubClientSecret,
Endpoint: github.Endpoint,
Scopes: []string{"read:user", "user:email"},
RedirectURL: baseURL + "/v1/auth/oauth/github/callback",
}
}
if googleClientID != "" && googleClientSecret != "" {
m.googleConfig = &oauth2.Config{
ClientID: googleClientID,
ClientSecret: googleClientSecret,
Endpoint: google.Endpoint,
Scopes: []string{"openid", "email", "profile"},
RedirectURL: baseURL + "/v1/auth/oauth/google/callback",
}
}
return m
}
// GetAuthURL returns the OAuth authorization URL for the given provider
func (m *OAuthManager) GetAuthURL(provider OAuthProvider, state string) (string, error) {
config, err := m.getConfig(provider)
if err != nil {
return "", err
}
return config.AuthCodeURL(state, oauth2.AccessTypeOffline), nil
}
// Exchange exchanges an authorization code for user information
func (m *OAuthManager) Exchange(ctx context.Context, provider OAuthProvider, code string) (*OAuthUser, error) {
config, err := m.getConfig(provider)
if err != nil {
return nil, err
}
token, err := config.Exchange(ctx, code)
if err != nil {
return nil, fmt.Errorf("exchange code: %w", err)
}
return m.fetchUserInfo(ctx, provider, token)
}
func (m *OAuthManager) getConfig(provider OAuthProvider) (*oauth2.Config, error) {
switch provider {
case ProviderGitHub:
if m.githubConfig == nil {
return nil, fmt.Errorf("github oauth not configured")
}
return m.githubConfig, nil
case ProviderGoogle:
if m.googleConfig == nil {
return nil, fmt.Errorf("google oauth not configured")
}
return m.googleConfig, nil
default:
return nil, fmt.Errorf("unknown provider: %s", provider)
}
}
func (m *OAuthManager) fetchUserInfo(ctx context.Context, provider OAuthProvider, token *oauth2.Token) (*OAuthUser, error) {
switch provider {
case ProviderGitHub:
return m.fetchGitHubUser(ctx, token)
case ProviderGoogle:
return m.fetchGoogleUser(ctx, token)
default:
return nil, fmt.Errorf("unknown provider: %s", provider)
}
}
func (m *OAuthManager) fetchGitHubUser(ctx context.Context, token *oauth2.Token) (*OAuthUser, error) {
client := m.githubConfig.Client(ctx, token)
// Fetch user info
resp, err := client.Get("https://api.github.com/user")
if err != nil {
return nil, fmt.Errorf("fetch user: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("github api returned %d", resp.StatusCode)
}
var ghUser struct {
ID int64 `json:"id"`
Login string `json:"login"`
Name string `json:"name"`
Email string `json:"email"`
AvatarURL string `json:"avatar_url"`
}
if err := json.NewDecoder(resp.Body).Decode(&ghUser); err != nil {
return nil, fmt.Errorf("decode user: %w", err)
}
// If email not public, fetch from emails endpoint
email := ghUser.Email
if email == "" {
email, _ = m.fetchGitHubEmail(ctx, client)
}
name := ghUser.Name
if name == "" {
name = ghUser.Login
}
return &OAuthUser{
Provider: ProviderGitHub,
ID: fmt.Sprintf("%d", ghUser.ID),
Email: email,
Name: name,
Avatar: ghUser.AvatarURL,
}, nil
}
func (m *OAuthManager) fetchGitHubEmail(ctx context.Context, client *http.Client) (string, error) {
resp, err := client.Get("https://api.github.com/user/emails")
if err != nil {
return "", err
}
defer resp.Body.Close()
var emails []struct {
Email string `json:"email"`
Primary bool `json:"primary"`
Verified bool `json:"verified"`
}
if err := json.NewDecoder(resp.Body).Decode(&emails); err != nil {
return "", err
}
// Find primary verified email
for _, e := range emails {
if e.Primary && e.Verified {
return e.Email, nil
}
}
// Fall back to any verified email
for _, e := range emails {
if e.Verified {
return e.Email, nil
}
}
return "", nil
}
func (m *OAuthManager) fetchGoogleUser(ctx context.Context, token *oauth2.Token) (*OAuthUser, error) {
client := m.googleConfig.Client(ctx, token)
resp, err := client.Get("https://www.googleapis.com/oauth2/v2/userinfo")
if err != nil {
return nil, fmt.Errorf("fetch user: %w", err)
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("google api returned %d", resp.StatusCode)
}
var gUser struct {
ID string `json:"id"`
Email string `json:"email"`
VerifiedEmail bool `json:"verified_email"`
Name string `json:"name"`
Picture string `json:"picture"`
}
if err := json.NewDecoder(resp.Body).Decode(&gUser); err != nil {
return nil, fmt.Errorf("decode user: %w", err)
}
return &OAuthUser{
Provider: ProviderGoogle,
ID: gUser.ID,
Email: gUser.Email,
Name: gUser.Name,
Avatar: gUser.Picture,
}, nil
}
// IsGitHubConfigured returns true if GitHub OAuth is configured
func (m *OAuthManager) IsGitHubConfigured() bool {
return m.githubConfig != nil
}
// IsGoogleConfigured returns true if Google OAuth is configured
func (m *OAuthManager) IsGoogleConfigured() bool {
return m.googleConfig != nil
}