265 lines
7.1 KiB
Go
265 lines
7.1 KiB
Go
package handlers
|
|
|
|
import (
|
|
"encoding/json"
|
|
"log"
|
|
"net/http"
|
|
"time"
|
|
|
|
"github.com/omixlab/mosis-portal/internal/api/middleware"
|
|
"github.com/omixlab/mosis-portal/internal/auth"
|
|
"github.com/omixlab/mosis-portal/internal/database"
|
|
)
|
|
|
|
// AuthHandler handles authentication endpoints
|
|
type AuthHandler struct {
|
|
oauthManager *auth.OAuthManager
|
|
jwtManager *auth.JWTManager
|
|
db *database.DB
|
|
}
|
|
|
|
// NewAuthHandler creates a new auth handler
|
|
func NewAuthHandler(oauthManager *auth.OAuthManager, jwtManager *auth.JWTManager, db *database.DB) *AuthHandler {
|
|
return &AuthHandler{
|
|
oauthManager: oauthManager,
|
|
jwtManager: jwtManager,
|
|
db: db,
|
|
}
|
|
}
|
|
|
|
// OAuthStart initiates OAuth flow
|
|
func (h *AuthHandler) OAuthStart(provider auth.OAuthProvider) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
state, err := auth.GenerateState()
|
|
if err != nil {
|
|
http.Error(w, "Failed to generate state", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Store state in cookie for verification
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "oauth_state",
|
|
Value: state,
|
|
Path: "/",
|
|
MaxAge: 300, // 5 minutes
|
|
HttpOnly: true,
|
|
Secure: r.TLS != nil,
|
|
SameSite: http.SameSiteLaxMode,
|
|
})
|
|
|
|
authURL, err := h.oauthManager.GetAuthURL(provider, state)
|
|
if err != nil {
|
|
http.Error(w, "OAuth not configured: "+err.Error(), http.StatusNotImplemented)
|
|
return
|
|
}
|
|
|
|
http.Redirect(w, r, authURL, http.StatusTemporaryRedirect)
|
|
}
|
|
}
|
|
|
|
// OAuthCallback handles OAuth callback
|
|
func (h *AuthHandler) OAuthCallback(provider auth.OAuthProvider) http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
// Verify state
|
|
stateCookie, err := r.Cookie("oauth_state")
|
|
if err != nil || stateCookie.Value != r.URL.Query().Get("state") {
|
|
http.Error(w, "Invalid state", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Clear state cookie
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "oauth_state",
|
|
Value: "",
|
|
Path: "/",
|
|
MaxAge: -1,
|
|
})
|
|
|
|
// Check for error from provider
|
|
if errMsg := r.URL.Query().Get("error"); errMsg != "" {
|
|
http.Error(w, "OAuth error: "+errMsg, http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
code := r.URL.Query().Get("code")
|
|
if code == "" {
|
|
http.Error(w, "No code provided", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Exchange code for user info
|
|
oauthUser, err := h.oauthManager.Exchange(r.Context(), provider, code)
|
|
if err != nil {
|
|
log.Printf("OAuth exchange failed: %v", err)
|
|
http.Error(w, "Authentication failed", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
if oauthUser.Email == "" {
|
|
http.Error(w, "Email not available from OAuth provider", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Find or create developer
|
|
developer, err := h.db.FindOrCreateDeveloper(r.Context(), &database.Developer{
|
|
Email: oauthUser.Email,
|
|
Name: oauthUser.Name,
|
|
OAuthProvider: string(oauthUser.Provider),
|
|
OAuthID: oauthUser.ID,
|
|
AvatarURL: oauthUser.Avatar,
|
|
})
|
|
if err != nil {
|
|
log.Printf("Failed to find/create developer: %v", err)
|
|
http.Error(w, "Failed to create account", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Generate tokens
|
|
tokenPair, err := h.jwtManager.GenerateTokenPair(developer.ID, developer.Email)
|
|
if err != nil {
|
|
log.Printf("Failed to generate tokens: %v", err)
|
|
http.Error(w, "Failed to generate tokens", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Set refresh token in HttpOnly cookie
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "refresh_token",
|
|
Value: tokenPair.RefreshToken,
|
|
Path: "/",
|
|
MaxAge: 30 * 24 * 60 * 60, // 30 days
|
|
HttpOnly: true,
|
|
Secure: r.TLS != nil,
|
|
SameSite: http.SameSiteStrictMode,
|
|
})
|
|
|
|
// Log the authentication
|
|
h.db.LogAudit(r.Context(), developer.ID, "oauth_login", r.RemoteAddr, r.UserAgent(), true, "")
|
|
|
|
// Return access token
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"access_token": tokenPair.AccessToken,
|
|
"token_type": tokenPair.TokenType,
|
|
"expires_in": tokenPair.ExpiresIn,
|
|
"developer": map[string]interface{}{
|
|
"id": developer.ID,
|
|
"email": developer.Email,
|
|
"name": developer.Name,
|
|
"avatar_url": developer.AvatarURL,
|
|
},
|
|
})
|
|
}
|
|
}
|
|
|
|
// Refresh refreshes the access token using refresh token
|
|
func (h *AuthHandler) Refresh(w http.ResponseWriter, r *http.Request) {
|
|
// Get refresh token from cookie or body
|
|
var refreshToken string
|
|
|
|
cookie, err := r.Cookie("refresh_token")
|
|
if err == nil {
|
|
refreshToken = cookie.Value
|
|
}
|
|
|
|
// If not in cookie, try request body
|
|
if refreshToken == "" {
|
|
var body struct {
|
|
RefreshToken string `json:"refresh_token"`
|
|
}
|
|
if err := json.NewDecoder(r.Body).Decode(&body); err == nil {
|
|
refreshToken = body.RefreshToken
|
|
}
|
|
}
|
|
|
|
if refreshToken == "" {
|
|
http.Error(w, "Refresh token required", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
// Validate refresh token
|
|
claims, err := h.jwtManager.ValidateRefreshToken(refreshToken)
|
|
if err != nil {
|
|
// Clear invalid cookie
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "refresh_token",
|
|
Value: "",
|
|
Path: "/",
|
|
MaxAge: -1,
|
|
})
|
|
http.Error(w, "Invalid refresh token", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
// Generate new token pair
|
|
tokenPair, err := h.jwtManager.GenerateTokenPair(claims.Subject, claims.Email)
|
|
if err != nil {
|
|
http.Error(w, "Failed to generate tokens", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Set new refresh token in cookie
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "refresh_token",
|
|
Value: tokenPair.RefreshToken,
|
|
Path: "/",
|
|
MaxAge: 30 * 24 * 60 * 60,
|
|
HttpOnly: true,
|
|
Secure: r.TLS != nil,
|
|
SameSite: http.SameSiteStrictMode,
|
|
})
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"access_token": tokenPair.AccessToken,
|
|
"token_type": tokenPair.TokenType,
|
|
"expires_in": tokenPair.ExpiresIn,
|
|
})
|
|
}
|
|
|
|
// Logout invalidates the current session
|
|
func (h *AuthHandler) Logout(w http.ResponseWriter, r *http.Request) {
|
|
// Clear refresh token cookie
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "refresh_token",
|
|
Value: "",
|
|
Path: "/",
|
|
MaxAge: -1,
|
|
HttpOnly: true,
|
|
Secure: r.TLS != nil,
|
|
SameSite: http.SameSiteStrictMode,
|
|
})
|
|
|
|
// Log the logout if authenticated
|
|
developerID := middleware.GetDeveloperID(r.Context())
|
|
if developerID != "" {
|
|
h.db.LogAudit(r.Context(), developerID, "logout", r.RemoteAddr, r.UserAgent(), true, "")
|
|
}
|
|
|
|
w.WriteHeader(http.StatusNoContent)
|
|
}
|
|
|
|
// Me returns the current user's information
|
|
func (h *AuthHandler) Me(w http.ResponseWriter, r *http.Request) {
|
|
developerID := middleware.GetDeveloperID(r.Context())
|
|
if developerID == "" {
|
|
http.Error(w, "Not authenticated", http.StatusUnauthorized)
|
|
return
|
|
}
|
|
|
|
developer, err := h.db.GetDeveloper(r.Context(), developerID)
|
|
if err != nil {
|
|
http.Error(w, "Developer not found", http.StatusNotFound)
|
|
return
|
|
}
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
json.NewEncoder(w).Encode(map[string]interface{}{
|
|
"id": developer.ID,
|
|
"email": developer.Email,
|
|
"name": developer.Name,
|
|
"avatar_url": developer.AvatarURL,
|
|
"created_at": developer.CreatedAt.Format(time.RFC3339),
|
|
})
|
|
}
|