1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
|
package sessions
import (
"context"
"net/http"
"github.com/xlgmokha/x/pkg/log"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web/cookie"
"golang.org/x/oauth2"
)
type Controller struct {
cfg *oidc.OpenID
http *http.Client
}
func New(cfg *oidc.OpenID, http *http.Client) *Controller {
return &Controller{
cfg: cfg,
http: http,
}
}
func (c *Controller) MountTo(mux *http.ServeMux) {
mux.HandleFunc("GET /session/new", c.New)
mux.HandleFunc("GET /session/callback", c.Create)
}
func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
// TODO:: Generate and store nonce and use as state param to compare as a CSRF token
url := c.cfg.Config.AuthCodeURL("todo-csrf-token", oauth2.SetAuthURLParam("audience", "todo"))
http.Redirect(w, r, url, http.StatusFound)
}
func (c *Controller) Create(w http.ResponseWriter, r *http.Request) {
ctx := context.WithValue(r.Context(), oauth2.HTTPClient, c.http)
token, err := c.cfg.Config.Exchange(ctx, r.URL.Query().Get("code"))
if err != nil {
log.WithFields(ctx, log.Fields{"error": err})
w.WriteHeader(http.StatusBadRequest)
return
}
tokens := &oidc.Tokens{Token: token}
if rawIDToken, ok := token.Extra("id_token").(string); ok {
tokens.IDToken = rawIDToken
}
encoded, err := tokens.ToBase64String()
if err != nil {
w.WriteHeader(http.StatusBadRequest)
return
}
http.SetCookie(w, cookie.New("session", encoded, tokens.Expiry))
http.Redirect(w, r, "/dashboard", http.StatusFound)
}
|
