2022-02-13 23:39:27 +08:00
|
|
|
// Copyright 2021 The Casdoor Authors. All Rights Reserved.
|
2021-03-13 23:47:35 +08:00
|
|
|
//
|
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
|
//
|
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
//
|
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
|
// limitations under the License.
|
|
|
|
|
|
|
|
|
|
package object
|
|
|
|
|
|
|
|
|
|
import (
|
2022-01-21 09:29:19 +08:00
|
|
|
"crypto/sha256"
|
|
|
|
|
"encoding/base64"
|
2021-12-04 00:39:14 +08:00
|
|
|
"fmt"
|
2022-01-29 00:32:57 +08:00
|
|
|
"time"
|
2021-03-14 18:18:03 +08:00
|
|
|
|
2022-10-23 15:16:24 +08:00
|
|
|
"github.com/casdoor/casdoor/i18n"
|
2022-04-15 11:49:56 +08:00
|
|
|
"github.com/casdoor/casdoor/idp"
|
2022-01-20 14:11:46 +08:00
|
|
|
"github.com/casdoor/casdoor/util"
|
2023-02-12 09:33:24 +08:00
|
|
|
"github.com/xorm-io/core"
|
2021-03-13 23:47:35 +08:00
|
|
|
)
|
|
|
|
|
|
2022-04-18 10:57:51 +08:00
|
|
|
const (
|
2023-02-14 08:18:30 +07:00
|
|
|
hourSeconds = int(time.Hour / time.Second)
|
2022-08-09 16:50:49 +08:00
|
|
|
InvalidRequest = "invalid_request"
|
|
|
|
|
InvalidClient = "invalid_client"
|
|
|
|
|
InvalidGrant = "invalid_grant"
|
|
|
|
|
UnauthorizedClient = "unauthorized_client"
|
|
|
|
|
UnsupportedGrantType = "unsupported_grant_type"
|
|
|
|
|
InvalidScope = "invalid_scope"
|
|
|
|
|
EndpointError = "endpoint_error"
|
2022-04-18 10:57:51 +08:00
|
|
|
)
|
|
|
|
|
|
2021-03-14 18:18:03 +08:00
|
|
|
type Code struct {
|
|
|
|
|
Message string `xorm:"varchar(100)" json:"message"`
|
|
|
|
|
Code string `xorm:"varchar(100)" json:"code"`
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-13 23:47:35 +08:00
|
|
|
type Token struct {
|
|
|
|
|
Owner string `xorm:"varchar(100) notnull pk" json:"owner"`
|
|
|
|
|
Name string `xorm:"varchar(100) notnull pk" json:"name"`
|
|
|
|
|
CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
|
|
|
|
|
|
2021-05-04 22:36:05 +08:00
|
|
|
Application string `xorm:"varchar(100)" json:"application"`
|
|
|
|
|
Organization string `xorm:"varchar(100)" json:"organization"`
|
|
|
|
|
User string `xorm:"varchar(100)" json:"user"`
|
2021-03-13 23:47:35 +08:00
|
|
|
|
2023-03-27 14:05:44 +08:00
|
|
|
Code string `xorm:"varchar(100) index" json:"code"`
|
2022-01-21 09:29:19 +08:00
|
|
|
AccessToken string `xorm:"mediumtext" json:"accessToken"`
|
|
|
|
|
RefreshToken string `xorm:"mediumtext" json:"refreshToken"`
|
|
|
|
|
ExpiresIn int `json:"expiresIn"`
|
|
|
|
|
Scope string `xorm:"varchar(100)" json:"scope"`
|
|
|
|
|
TokenType string `xorm:"varchar(100)" json:"tokenType"`
|
|
|
|
|
CodeChallenge string `xorm:"varchar(100)" json:"codeChallenge"`
|
2022-01-29 00:32:57 +08:00
|
|
|
CodeIsUsed bool `json:"codeIsUsed"`
|
|
|
|
|
CodeExpireIn int64 `json:"codeExpireIn"`
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
2021-03-14 18:18:03 +08:00
|
|
|
type TokenWrapper struct {
|
2021-12-28 19:44:17 +08:00
|
|
|
AccessToken string `json:"access_token"`
|
|
|
|
|
IdToken string `json:"id_token"`
|
|
|
|
|
RefreshToken string `json:"refresh_token"`
|
|
|
|
|
TokenType string `json:"token_type"`
|
|
|
|
|
ExpiresIn int `json:"expires_in"`
|
|
|
|
|
Scope string `json:"scope"`
|
2022-07-01 14:53:34 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type TokenError struct {
|
|
|
|
|
Error string `json:"error"`
|
|
|
|
|
ErrorDescription string `json:"error_description,omitempty"`
|
2021-03-14 18:18:03 +08:00
|
|
|
}
|
|
|
|
|
|
2022-03-03 17:48:47 +08:00
|
|
|
type IntrospectionResponse struct {
|
|
|
|
|
Active bool `json:"active"`
|
|
|
|
|
Scope string `json:"scope,omitempty"`
|
|
|
|
|
ClientId string `json:"client_id,omitempty"`
|
|
|
|
|
Username string `json:"username,omitempty"`
|
|
|
|
|
TokenType string `json:"token_type,omitempty"`
|
|
|
|
|
Exp int64 `json:"exp,omitempty"`
|
|
|
|
|
Iat int64 `json:"iat,omitempty"`
|
|
|
|
|
Nbf int64 `json:"nbf,omitempty"`
|
|
|
|
|
Sub string `json:"sub,omitempty"`
|
|
|
|
|
Aud []string `json:"aud,omitempty"`
|
|
|
|
|
Iss string `json:"iss,omitempty"`
|
|
|
|
|
Jti string `json:"jti,omitempty"`
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func GetTokenCount(owner, organization, field, value string) (int64, error) {
|
2022-01-26 19:36:36 +08:00
|
|
|
session := GetSession(owner, -1, -1, field, value, "", "")
|
2023-05-30 15:49:39 +08:00
|
|
|
return session.Count(&Token{Organization: organization})
|
2021-11-06 11:32:22 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func GetTokens(owner string, organization string) ([]*Token, error) {
|
2021-03-13 23:47:35 +08:00
|
|
|
tokens := []*Token{}
|
2023-07-29 15:07:04 +08:00
|
|
|
err := ormer.Engine.Desc("created_time").Find(&tokens, &Token{Owner: owner, Organization: organization})
|
2023-05-30 15:49:39 +08:00
|
|
|
return tokens, err
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func GetPaginationTokens(owner, organization string, offset, limit int, field, value, sortField, sortOrder string) ([]*Token, error) {
|
2021-11-06 11:32:22 +08:00
|
|
|
tokens := []*Token{}
|
2021-12-25 10:55:10 +08:00
|
|
|
session := GetSession(owner, offset, limit, field, value, sortField, sortOrder)
|
2023-05-09 00:06:52 +08:00
|
|
|
err := session.Find(&tokens, &Token{Organization: organization})
|
2023-05-30 15:49:39 +08:00
|
|
|
return tokens, err
|
2021-11-06 11:32:22 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func getToken(owner string, name string) (*Token, error) {
|
2021-06-21 01:01:16 +08:00
|
|
|
if owner == "" || name == "" {
|
2023-05-30 15:49:39 +08:00
|
|
|
return nil, nil
|
2021-06-21 01:01:16 +08:00
|
|
|
}
|
|
|
|
|
|
2021-03-13 23:47:35 +08:00
|
|
|
token := Token{Owner: owner, Name: name}
|
2023-07-29 15:07:04 +08:00
|
|
|
existed, err := ormer.Engine.Get(&token)
|
2021-03-13 23:47:35 +08:00
|
|
|
if err != nil {
|
2023-05-30 15:49:39 +08:00
|
|
|
return nil, err
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if existed {
|
2023-05-30 15:49:39 +08:00
|
|
|
return &token, nil
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
2021-11-06 11:32:22 +08:00
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
return nil, nil
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func getTokenByCode(code string) (*Token, error) {
|
2022-01-28 17:45:41 +08:00
|
|
|
token := Token{Code: code}
|
2023-07-29 15:07:04 +08:00
|
|
|
existed, err := ormer.Engine.Get(&token)
|
2021-03-14 18:18:03 +08:00
|
|
|
if err != nil {
|
2023-05-30 15:49:39 +08:00
|
|
|
return nil, err
|
2021-03-14 18:18:03 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if existed {
|
2023-05-30 15:49:39 +08:00
|
|
|
return &token, nil
|
2021-03-14 18:18:03 +08:00
|
|
|
}
|
2021-11-06 11:32:22 +08:00
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
return nil, nil
|
2021-03-14 18:18:03 +08:00
|
|
|
}
|
|
|
|
|
|
2022-01-29 00:32:57 +08:00
|
|
|
func updateUsedByCode(token *Token) bool {
|
2023-07-29 15:07:04 +08:00
|
|
|
affected, err := ormer.Engine.Where("code=?", token.Code).Cols("code_is_used").Update(token)
|
2022-01-29 00:32:57 +08:00
|
|
|
if err != nil {
|
|
|
|
|
panic(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return affected != 0
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func GetToken(id string) (*Token, error) {
|
2021-03-13 23:47:35 +08:00
|
|
|
owner, name := util.GetOwnerAndNameFromId(id)
|
|
|
|
|
return getToken(owner, name)
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-18 01:49:42 +08:00
|
|
|
func (token *Token) GetId() string {
|
|
|
|
|
return fmt.Sprintf("%s/%s", token.Owner, token.Name)
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func UpdateToken(id string, token *Token) (bool, error) {
|
2021-03-13 23:47:35 +08:00
|
|
|
owner, name := util.GetOwnerAndNameFromId(id)
|
2023-05-30 15:49:39 +08:00
|
|
|
if t, err := getToken(owner, name); err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
} else if t == nil {
|
|
|
|
|
return false, nil
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
2023-07-29 15:07:04 +08:00
|
|
|
affected, err := ormer.Engine.ID(core.PK{owner, name}).AllCols().Update(token)
|
2021-03-13 23:47:35 +08:00
|
|
|
if err != nil {
|
2023-05-30 15:49:39 +08:00
|
|
|
return false, err
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
return affected != 0, nil
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func AddToken(token *Token) (bool, error) {
|
2023-07-29 15:07:04 +08:00
|
|
|
affected, err := ormer.Engine.Insert(token)
|
2021-03-13 23:47:35 +08:00
|
|
|
if err != nil {
|
2023-05-30 15:49:39 +08:00
|
|
|
return false, err
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
return affected != 0, nil
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func DeleteToken(token *Token) (bool, error) {
|
2023-07-29 15:07:04 +08:00
|
|
|
affected, err := ormer.Engine.ID(core.PK{token.Owner, token.Name}).Delete(&Token{})
|
2021-03-13 23:47:35 +08:00
|
|
|
if err != nil {
|
2023-05-30 15:49:39 +08:00
|
|
|
return false, err
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
return affected != 0, nil
|
2021-03-13 23:47:35 +08:00
|
|
|
}
|
2021-03-14 00:08:59 +08:00
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func ExpireTokenByAccessToken(accessToken string) (bool, *Application, *Token, error) {
|
2022-03-02 20:37:31 +08:00
|
|
|
token := Token{AccessToken: accessToken}
|
2023-07-29 15:07:04 +08:00
|
|
|
existed, err := ormer.Engine.Get(&token)
|
2022-03-02 20:37:31 +08:00
|
|
|
if err != nil {
|
2023-05-30 15:49:39 +08:00
|
|
|
return false, nil, nil, err
|
2022-03-02 20:37:31 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !existed {
|
2023-05-30 15:49:39 +08:00
|
|
|
return false, nil, nil, nil
|
2022-03-02 20:37:31 +08:00
|
|
|
}
|
2023-01-17 22:57:05 +08:00
|
|
|
|
|
|
|
|
token.ExpiresIn = 0
|
2023-07-29 15:07:04 +08:00
|
|
|
affected, err := ormer.Engine.ID(core.PK{token.Owner, token.Name}).Cols("expires_in").Update(&token)
|
2022-03-02 20:37:31 +08:00
|
|
|
if err != nil {
|
2023-05-30 15:49:39 +08:00
|
|
|
return false, nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
application, err := getApplication(token.Owner, token.Application)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, nil, nil, err
|
2022-03-02 20:37:31 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
return affected != 0, application, &token, nil
|
2022-03-02 20:37:31 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func GetTokenByAccessToken(accessToken string) (*Token, error) {
|
2022-08-07 12:26:14 +08:00
|
|
|
// Check if the accessToken is in the database
|
2022-01-28 17:45:41 +08:00
|
|
|
token := Token{AccessToken: accessToken}
|
2023-07-29 15:07:04 +08:00
|
|
|
existed, err := ormer.Engine.Get(&token)
|
2023-05-30 15:49:39 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2022-01-28 15:07:42 +08:00
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
|
|
|
|
|
if !existed {
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &token, nil
|
2022-01-28 15:07:42 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func GetTokenByTokenAndApplication(token string, application string) (*Token, error) {
|
2022-03-03 17:48:47 +08:00
|
|
|
tokenResult := Token{}
|
2023-07-29 15:07:04 +08:00
|
|
|
existed, err := ormer.Engine.Where("(refresh_token = ? or access_token = ? ) and application = ?", token, token, application).Get(&tokenResult)
|
2023-05-30 15:49:39 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2022-03-03 17:48:47 +08:00
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
|
|
|
|
|
if !existed {
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &tokenResult, nil
|
2022-03-03 17:48:47 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func CheckOAuthLogin(clientId string, responseType string, redirectUri string, scope string, state string, lang string) (string, *Application, error) {
|
2022-03-01 19:09:59 +08:00
|
|
|
if responseType != "code" && responseType != "token" && responseType != "id_token" {
|
2023-05-30 15:49:39 +08:00
|
|
|
return fmt.Sprintf(i18n.Translate(lang, "token:Grant_type: %s is not supported in this application"), responseType), nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
application, err := GetApplicationByClientId(clientId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", nil, err
|
2021-03-20 10:51:00 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if application == nil {
|
2023-05-30 15:49:39 +08:00
|
|
|
return i18n.Translate(lang, "token:Invalid client_id"), nil, nil
|
2021-03-20 10:51:00 +08:00
|
|
|
}
|
|
|
|
|
|
2022-12-21 00:35:33 +08:00
|
|
|
if !application.IsRedirectUriValid(redirectUri) {
|
2023-05-30 15:49:39 +08:00
|
|
|
return fmt.Sprintf(i18n.Translate(lang, "token:Redirect URI: %s doesn't exist in the allowed Redirect URI list"), redirectUri), application, nil
|
2021-03-20 10:51:00 +08:00
|
|
|
}
|
|
|
|
|
|
2021-09-28 23:41:27 +08:00
|
|
|
// Mask application for /api/get-app-login
|
|
|
|
|
application.ClientSecret = ""
|
2023-05-30 15:49:39 +08:00
|
|
|
return "", application, nil
|
2021-03-20 10:51:00 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func GetOAuthCode(userId string, clientId string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, host string, lang string) (*Code, error) {
|
|
|
|
|
user, err := GetUser(userId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-14 22:48:09 +08:00
|
|
|
if user == nil {
|
|
|
|
|
return &Code{
|
2023-01-06 20:12:32 +08:00
|
|
|
Message: fmt.Sprintf("general:The user: %s doesn't exist", userId),
|
2021-03-14 22:48:09 +08:00
|
|
|
Code: "",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2021-03-14 22:48:09 +08:00
|
|
|
}
|
2021-12-28 19:44:17 +08:00
|
|
|
if user.IsForbidden {
|
|
|
|
|
return &Code{
|
|
|
|
|
Message: "error: the user is forbidden to sign in, please contact the administrator",
|
|
|
|
|
Code: "",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
msg, application, err := CheckOAuthLogin(clientId, responseType, redirectUri, scope, state, lang)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2021-12-28 19:44:17 +08:00
|
|
|
}
|
2021-03-14 22:48:09 +08:00
|
|
|
|
2021-03-20 13:05:34 +08:00
|
|
|
if msg != "" {
|
2021-03-14 18:18:03 +08:00
|
|
|
return &Code{
|
2021-03-20 13:05:34 +08:00
|
|
|
Message: msg,
|
2021-03-14 18:18:03 +08:00
|
|
|
Code: "",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2021-03-14 00:08:59 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
err = ExtendUserWithRolesAndPermissions(user)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-08-11 14:32:47 +08:00
|
|
|
accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, nonce, scope, host)
|
2021-03-14 22:48:09 +08:00
|
|
|
if err != nil {
|
2023-05-30 15:49:39 +08:00
|
|
|
return nil, err
|
2021-03-14 22:48:09 +08:00
|
|
|
}
|
|
|
|
|
|
2022-01-26 11:56:01 +08:00
|
|
|
if challenge == "null" {
|
2022-01-21 09:29:19 +08:00
|
|
|
challenge = ""
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-14 00:08:59 +08:00
|
|
|
token := &Token{
|
2022-01-21 09:29:19 +08:00
|
|
|
Owner: application.Owner,
|
2022-08-11 14:32:47 +08:00
|
|
|
Name: tokenName,
|
2022-01-21 09:29:19 +08:00
|
|
|
CreatedTime: util.GetCurrentTime(),
|
|
|
|
|
Application: application.Name,
|
|
|
|
|
Organization: user.Owner,
|
|
|
|
|
User: user.Name,
|
|
|
|
|
Code: util.GenerateClientId(),
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
2023-02-14 08:18:30 +07:00
|
|
|
ExpiresIn: application.ExpireInHours * hourSeconds,
|
2022-01-21 09:29:19 +08:00
|
|
|
Scope: scope,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
CodeChallenge: challenge,
|
2022-01-29 00:32:57 +08:00
|
|
|
CodeIsUsed: false,
|
|
|
|
|
CodeExpireIn: time.Now().Add(time.Minute * 5).Unix(),
|
2021-03-14 00:08:59 +08:00
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
_, err = AddToken(token)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-03-14 00:08:59 +08:00
|
|
|
|
2021-03-14 18:18:03 +08:00
|
|
|
return &Code{
|
|
|
|
|
Message: "",
|
|
|
|
|
Code: token.Code,
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2021-03-14 18:18:03 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, username string, password string, host string, refreshToken string, tag string, avatar string, lang string) (interface{}, error) {
|
|
|
|
|
application, err := GetApplicationByClientId(clientId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-14 18:18:03 +08:00
|
|
|
if application == nil {
|
2022-07-01 14:53:34 +08:00
|
|
|
return &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidClient,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "client_id is invalid",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2021-03-14 18:18:03 +08:00
|
|
|
}
|
|
|
|
|
|
2022-08-07 12:26:14 +08:00
|
|
|
// Check if grantType is allowed in the current application
|
2022-04-15 11:49:56 +08:00
|
|
|
|
|
|
|
|
if !IsGrantTypeValid(grantType, application.GrantTypes) && tag == "" {
|
2022-07-01 14:53:34 +08:00
|
|
|
return &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: UnsupportedGrantType,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: fmt.Sprintf("grant_type: %s is not supported in this application", grantType),
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2021-06-01 21:14:41 +08:00
|
|
|
}
|
|
|
|
|
|
2022-02-27 14:05:07 +08:00
|
|
|
var token *Token
|
2022-07-01 14:53:34 +08:00
|
|
|
var tokenError *TokenError
|
2022-02-27 14:05:07 +08:00
|
|
|
switch grantType {
|
|
|
|
|
case "authorization_code": // Authorization Code Grant
|
2023-05-30 15:49:39 +08:00
|
|
|
token, tokenError, err = GetAuthorizationCodeToken(application, clientSecret, code, verifier)
|
2022-02-27 14:05:07 +08:00
|
|
|
case "password": // Resource Owner Password Credentials Grant
|
2023-05-30 15:49:39 +08:00
|
|
|
token, tokenError, err = GetPasswordToken(application, username, password, scope, host)
|
2022-02-27 14:05:07 +08:00
|
|
|
case "client_credentials": // Client Credentials Grant
|
2023-05-30 15:49:39 +08:00
|
|
|
token, tokenError, err = GetClientCredentialsToken(application, clientSecret, scope, host)
|
2023-02-10 22:52:13 +07:00
|
|
|
case "refresh_token":
|
2023-05-30 15:49:39 +08:00
|
|
|
refreshToken2, err := RefreshToken(grantType, refreshToken, scope, clientId, clientSecret, host)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return refreshToken2, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2022-01-29 00:32:57 +08:00
|
|
|
}
|
2022-02-08 20:52:20 +08:00
|
|
|
|
2022-04-15 11:49:56 +08:00
|
|
|
if tag == "wechat_miniprogram" {
|
|
|
|
|
// Wechat Mini Program
|
2023-05-30 15:49:39 +08:00
|
|
|
token, tokenError, err = GetWechatMiniProgramToken(application, code, host, username, avatar, lang)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-04-15 11:49:56 +08:00
|
|
|
}
|
|
|
|
|
|
2022-07-01 14:53:34 +08:00
|
|
|
if tokenError != nil {
|
2023-05-30 15:49:39 +08:00
|
|
|
return tokenError, nil
|
2022-01-29 00:32:57 +08:00
|
|
|
}
|
2021-03-14 18:18:03 +08:00
|
|
|
|
2022-01-29 00:32:57 +08:00
|
|
|
token.CodeIsUsed = true
|
2023-05-30 15:49:39 +08:00
|
|
|
|
2023-03-27 14:05:44 +08:00
|
|
|
go updateUsedByCode(token)
|
|
|
|
|
|
2021-03-14 18:18:03 +08:00
|
|
|
tokenWrapper := &TokenWrapper{
|
2021-12-28 19:44:17 +08:00
|
|
|
AccessToken: token.AccessToken,
|
|
|
|
|
IdToken: token.AccessToken,
|
|
|
|
|
RefreshToken: token.RefreshToken,
|
|
|
|
|
TokenType: token.TokenType,
|
|
|
|
|
ExpiresIn: token.ExpiresIn,
|
|
|
|
|
Scope: token.Scope,
|
2021-03-14 18:18:03 +08:00
|
|
|
}
|
|
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
return tokenWrapper, nil
|
2021-03-14 00:08:59 +08:00
|
|
|
}
|
2021-12-18 18:49:38 +08:00
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
func RefreshToken(grantType string, refreshToken string, scope string, clientId string, clientSecret string, host string) (interface{}, error) {
|
2021-12-18 18:49:38 +08:00
|
|
|
// check parameters
|
|
|
|
|
if grantType != "refresh_token" {
|
2022-07-01 14:53:34 +08:00
|
|
|
return &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: UnsupportedGrantType,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "grant_type should be refresh_token",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
application, err := GetApplicationByClientId(clientId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-18 18:49:38 +08:00
|
|
|
if application == nil {
|
2022-07-01 14:53:34 +08:00
|
|
|
return &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidClient,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "client_id is invalid",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
2022-03-07 13:52:51 +08:00
|
|
|
if clientSecret != "" && application.ClientSecret != clientSecret {
|
2022-07-01 14:53:34 +08:00
|
|
|
return &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidClient,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "client_secret is invalid",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
|
|
|
|
// check whether the refresh token is valid, and has not expired.
|
|
|
|
|
token := Token{RefreshToken: refreshToken}
|
2023-07-29 15:07:04 +08:00
|
|
|
existed, err := ormer.Engine.Get(&token)
|
2021-12-18 18:49:38 +08:00
|
|
|
if err != nil || !existed {
|
2022-07-01 14:53:34 +08:00
|
|
|
return &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "refresh token is invalid, expired or revoked",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cert, err := getCertByApplication(application)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
2021-12-31 09:36:48 +08:00
|
|
|
|
2022-01-01 15:20:49 +08:00
|
|
|
_, err = ParseJwtToken(refreshToken, cert)
|
2021-12-18 18:49:38 +08:00
|
|
|
if err != nil {
|
2022-07-01 14:53:34 +08:00
|
|
|
return &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: fmt.Sprintf("parse refresh token error: %s", err.Error()),
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
|
|
|
|
// generate a new token
|
2023-05-30 15:49:39 +08:00
|
|
|
user, err := getUser(application.Organization, token.User)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-28 19:44:17 +08:00
|
|
|
if user.IsForbidden {
|
2022-07-01 14:53:34 +08:00
|
|
|
return &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "the user is forbidden to sign in, please contact the administrator",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2021-12-28 19:44:17 +08:00
|
|
|
}
|
2022-08-11 14:32:47 +08:00
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
err = ExtendUserWithRolesAndPermissions(user)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2022-08-11 14:32:47 +08:00
|
|
|
newAccessToken, newRefreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
|
2021-12-18 18:49:38 +08:00
|
|
|
if err != nil {
|
2022-07-01 14:53:34 +08:00
|
|
|
return &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: EndpointError,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
newToken := &Token{
|
|
|
|
|
Owner: application.Owner,
|
2022-08-11 14:32:47 +08:00
|
|
|
Name: tokenName,
|
2021-12-18 18:49:38 +08:00
|
|
|
CreatedTime: util.GetCurrentTime(),
|
|
|
|
|
Application: application.Name,
|
|
|
|
|
Organization: user.Owner,
|
|
|
|
|
User: user.Name,
|
|
|
|
|
Code: util.GenerateClientId(),
|
|
|
|
|
AccessToken: newAccessToken,
|
|
|
|
|
RefreshToken: newRefreshToken,
|
2023-02-14 08:18:30 +07:00
|
|
|
ExpiresIn: application.ExpireInHours * hourSeconds,
|
2021-12-18 18:49:38 +08:00
|
|
|
Scope: scope,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
_, err = AddToken(newToken)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_, err = DeleteToken(&token)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2021-12-18 18:49:38 +08:00
|
|
|
|
2022-01-01 15:20:49 +08:00
|
|
|
tokenWrapper := &TokenWrapper{
|
2022-03-27 23:10:05 +08:00
|
|
|
AccessToken: newToken.AccessToken,
|
|
|
|
|
IdToken: newToken.AccessToken,
|
|
|
|
|
RefreshToken: newToken.RefreshToken,
|
|
|
|
|
TokenType: newToken.TokenType,
|
|
|
|
|
ExpiresIn: newToken.ExpiresIn,
|
|
|
|
|
Scope: newToken.Scope,
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
2022-01-01 15:20:49 +08:00
|
|
|
|
2023-05-30 15:49:39 +08:00
|
|
|
return tokenWrapper, nil
|
2021-12-18 18:49:38 +08:00
|
|
|
}
|
2022-01-21 09:29:19 +08:00
|
|
|
|
|
|
|
|
// PkceChallenge: base64-URL-encoded SHA256 hash of verifier, per rfc 7636
|
|
|
|
|
func pkceChallenge(verifier string) string {
|
|
|
|
|
sum := sha256.Sum256([]byte(verifier))
|
|
|
|
|
challenge := base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(sum[:])
|
|
|
|
|
return challenge
|
|
|
|
|
}
|
2022-02-27 14:05:07 +08:00
|
|
|
|
2022-08-09 16:50:49 +08:00
|
|
|
// IsGrantTypeValid
|
2022-02-27 14:05:07 +08:00
|
|
|
// Check if grantType is allowed in the current application
|
|
|
|
|
// authorization_code is allowed by default
|
2022-03-01 19:09:59 +08:00
|
|
|
func IsGrantTypeValid(method string, grantTypes []string) bool {
|
2022-02-27 14:05:07 +08:00
|
|
|
if method == "authorization_code" {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
for _, m := range grantTypes {
|
|
|
|
|
if m == method {
|
|
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-09 16:50:49 +08:00
|
|
|
// GetAuthorizationCodeToken
|
2022-02-27 14:05:07 +08:00
|
|
|
// Authorization code flow
|
2023-05-30 15:49:39 +08:00
|
|
|
func GetAuthorizationCodeToken(application *Application, clientSecret string, code string, verifier string) (*Token, *TokenError, error) {
|
2022-02-27 14:05:07 +08:00
|
|
|
if code == "" {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidRequest,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "authorization code should not be empty",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token, err := getTokenByCode(code)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if token == nil {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "authorization code is invalid",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
|
|
|
|
if token.CodeIsUsed {
|
|
|
|
|
// anti replay attacks
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "authorization code has been used",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
2022-03-02 13:15:14 +08:00
|
|
|
|
|
|
|
|
if token.CodeChallenge != "" && pkceChallenge(verifier) != token.CodeChallenge {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "verifier is invalid",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-03-02 13:15:14 +08:00
|
|
|
}
|
|
|
|
|
|
2022-02-27 14:05:07 +08:00
|
|
|
if application.ClientSecret != clientSecret {
|
2022-03-02 13:15:14 +08:00
|
|
|
// when using PKCE, the Client Secret can be empty,
|
|
|
|
|
// but if it is provided, it must be accurate.
|
|
|
|
|
if token.CodeChallenge == "" {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidClient,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "client_secret is invalid",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-03-02 13:15:14 +08:00
|
|
|
} else {
|
|
|
|
|
if clientSecret != "" {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidClient,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "client_secret is invalid",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-03-02 13:15:14 +08:00
|
|
|
}
|
|
|
|
|
}
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if application.Name != token.Application {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "the token is for wrong application (client_id)",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if time.Now().Unix() > token.CodeExpireIn {
|
|
|
|
|
// code must be used within 5 minutes
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "authorization code has expired",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
return token, nil, nil
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
|
|
|
|
|
2022-08-09 16:50:49 +08:00
|
|
|
// GetPasswordToken
|
2022-02-27 14:05:07 +08:00
|
|
|
// Resource Owner Password Credentials flow
|
2023-05-30 15:49:39 +08:00
|
|
|
func GetPasswordToken(application *Application, username string, password string, scope string, host string) (*Token, *TokenError, error) {
|
|
|
|
|
user, err := getUser(application.Organization, username)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-27 14:05:07 +08:00
|
|
|
if user == nil {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "the user does not exist",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
2023-06-15 21:04:09 +08:00
|
|
|
var msg string
|
|
|
|
|
if user.Ldap != "" {
|
|
|
|
|
msg = checkLdapUserPassword(user, password, "en")
|
|
|
|
|
} else {
|
|
|
|
|
msg = CheckPassword(user, password, "en")
|
|
|
|
|
}
|
2022-03-30 05:37:38 +13:00
|
|
|
if msg != "" {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "invalid username or password",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
|
|
|
|
if user.IsForbidden {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "the user is forbidden to sign in, please contact the administrator",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = ExtendUserWithRolesAndPermissions(user)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
2022-08-11 14:32:47 +08:00
|
|
|
|
|
|
|
|
accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
|
2022-02-27 14:05:07 +08:00
|
|
|
if err != nil {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: EndpointError,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
|
|
|
|
token := &Token{
|
|
|
|
|
Owner: application.Owner,
|
2022-08-11 14:32:47 +08:00
|
|
|
Name: tokenName,
|
2022-02-27 14:05:07 +08:00
|
|
|
CreatedTime: util.GetCurrentTime(),
|
|
|
|
|
Application: application.Name,
|
|
|
|
|
Organization: user.Owner,
|
|
|
|
|
User: user.Name,
|
|
|
|
|
Code: util.GenerateClientId(),
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
2023-02-14 08:18:30 +07:00
|
|
|
ExpiresIn: application.ExpireInHours * hourSeconds,
|
2022-02-27 14:05:07 +08:00
|
|
|
Scope: scope,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
CodeIsUsed: true,
|
|
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
_, err = AddToken(token)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return token, nil, nil
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
|
|
|
|
|
2022-08-09 16:50:49 +08:00
|
|
|
// GetClientCredentialsToken
|
2022-02-27 14:05:07 +08:00
|
|
|
// Client Credentials flow
|
2023-05-30 15:49:39 +08:00
|
|
|
func GetClientCredentialsToken(application *Application, clientSecret string, scope string, host string) (*Token, *TokenError, error) {
|
2022-02-27 14:05:07 +08:00
|
|
|
if application.ClientSecret != clientSecret {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidClient,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "client_secret is invalid",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
|
|
|
|
nullUser := &User{
|
2022-03-04 22:57:31 +08:00
|
|
|
Owner: application.Owner,
|
|
|
|
|
Id: application.GetId(),
|
2023-03-25 23:02:08 +08:00
|
|
|
Name: application.Name,
|
|
|
|
|
Type: "application",
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
2022-08-11 14:32:47 +08:00
|
|
|
|
|
|
|
|
accessToken, _, tokenName, err := generateJwtToken(application, nullUser, "", scope, host)
|
2022-02-27 14:05:07 +08:00
|
|
|
if err != nil {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: EndpointError,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
|
|
|
|
token := &Token{
|
|
|
|
|
Owner: application.Owner,
|
2022-08-11 14:32:47 +08:00
|
|
|
Name: tokenName,
|
2022-02-27 14:05:07 +08:00
|
|
|
CreatedTime: util.GetCurrentTime(),
|
|
|
|
|
Application: application.Name,
|
|
|
|
|
Organization: application.Organization,
|
|
|
|
|
User: nullUser.Name,
|
|
|
|
|
Code: util.GenerateClientId(),
|
|
|
|
|
AccessToken: accessToken,
|
2023-02-14 08:18:30 +07:00
|
|
|
ExpiresIn: application.ExpireInHours * hourSeconds,
|
2022-02-27 14:05:07 +08:00
|
|
|
Scope: scope,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
CodeIsUsed: true,
|
|
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
_, err = AddToken(token)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return token, nil, nil
|
2022-02-27 14:05:07 +08:00
|
|
|
}
|
2022-03-01 19:09:59 +08:00
|
|
|
|
2022-08-09 16:50:49 +08:00
|
|
|
// GetTokenByUser
|
2022-03-01 19:09:59 +08:00
|
|
|
// Implicit flow
|
|
|
|
|
func GetTokenByUser(application *Application, user *User, scope string, host string) (*Token, error) {
|
2023-05-30 15:49:39 +08:00
|
|
|
err := ExtendUserWithRolesAndPermissions(user)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-11 14:32:47 +08:00
|
|
|
accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
|
2022-03-01 19:09:59 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
|
2022-03-01 19:09:59 +08:00
|
|
|
token := &Token{
|
|
|
|
|
Owner: application.Owner,
|
2022-08-11 14:32:47 +08:00
|
|
|
Name: tokenName,
|
2022-03-01 19:09:59 +08:00
|
|
|
CreatedTime: util.GetCurrentTime(),
|
|
|
|
|
Application: application.Name,
|
|
|
|
|
Organization: user.Owner,
|
|
|
|
|
User: user.Name,
|
|
|
|
|
Code: util.GenerateClientId(),
|
|
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
2023-02-14 08:18:30 +07:00
|
|
|
ExpiresIn: application.ExpireInHours * hourSeconds,
|
2022-03-01 19:09:59 +08:00
|
|
|
Scope: scope,
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
CodeIsUsed: true,
|
|
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
_, err = AddToken(token)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2022-03-01 19:09:59 +08:00
|
|
|
return token, nil
|
|
|
|
|
}
|
2022-04-15 11:49:56 +08:00
|
|
|
|
2022-08-09 16:50:49 +08:00
|
|
|
// GetWechatMiniProgramToken
|
2022-04-15 11:49:56 +08:00
|
|
|
// Wechat Mini Program flow
|
2023-05-30 15:49:39 +08:00
|
|
|
func GetWechatMiniProgramToken(application *Application, code string, host string, username string, avatar string, lang string) (*Token, *TokenError, error) {
|
2022-04-15 11:49:56 +08:00
|
|
|
mpProvider := GetWechatMiniProgramProvider(application)
|
|
|
|
|
if mpProvider == nil {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidClient,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "the application does not support wechat mini program",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-04-15 11:49:56 +08:00
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
provider, err := GetProvider(util.GetId("admin", mpProvider.Name))
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2022-04-15 11:49:56 +08:00
|
|
|
mpIdp := idp.NewWeChatMiniProgramIdProvider(provider.ClientId, provider.ClientSecret)
|
|
|
|
|
session, err := mpIdp.GetSessionByCode(code)
|
|
|
|
|
if err != nil {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: fmt.Sprintf("get wechat mini program session error: %s", err.Error()),
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-04-15 11:49:56 +08:00
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
|
2022-04-15 11:49:56 +08:00
|
|
|
openId, unionId := session.Openid, session.Unionid
|
|
|
|
|
if openId == "" && unionId == "" {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidRequest,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "the wechat mini program session is invalid",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
|
|
|
|
}
|
2023-06-21 20:54:19 +08:00
|
|
|
user, err := getUserByWechatId(application.Organization, openId, unionId)
|
2023-05-30 15:49:39 +08:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
2022-04-15 11:49:56 +08:00
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
|
2022-04-15 11:49:56 +08:00
|
|
|
if user == nil {
|
|
|
|
|
if !application.EnableSignUp {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: InvalidGrant,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: "the application does not allow to sign up new account",
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-04-15 11:49:56 +08:00
|
|
|
}
|
2022-08-07 12:26:14 +08:00
|
|
|
// Add new user
|
2022-04-15 11:49:56 +08:00
|
|
|
var name string
|
2022-10-23 15:16:24 +08:00
|
|
|
if CheckUsername(username, lang) == "" {
|
2022-04-15 11:49:56 +08:00
|
|
|
name = username
|
|
|
|
|
} else {
|
|
|
|
|
name = fmt.Sprintf("wechat-%s", openId)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
user = &User{
|
|
|
|
|
Owner: application.Organization,
|
|
|
|
|
Id: util.GenerateId(),
|
|
|
|
|
Name: name,
|
|
|
|
|
Avatar: avatar,
|
|
|
|
|
SignupApplication: application.Name,
|
|
|
|
|
WeChat: openId,
|
|
|
|
|
Type: "normal-user",
|
|
|
|
|
CreatedTime: util.GetCurrentTime(),
|
|
|
|
|
IsAdmin: false,
|
|
|
|
|
IsForbidden: false,
|
|
|
|
|
IsDeleted: false,
|
2022-08-08 18:43:12 +08:00
|
|
|
Properties: map[string]string{
|
2022-08-09 16:50:49 +08:00
|
|
|
UserPropertiesWechatOpenId: openId,
|
|
|
|
|
UserPropertiesWechatUnionId: unionId,
|
2022-08-08 18:43:12 +08:00
|
|
|
},
|
2022-04-15 11:49:56 +08:00
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
_, err = AddUser(user)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = ExtendUserWithRolesAndPermissions(user)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
2022-04-15 11:49:56 +08:00
|
|
|
}
|
|
|
|
|
|
2022-08-11 14:32:47 +08:00
|
|
|
accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", host)
|
2022-04-15 11:49:56 +08:00
|
|
|
if err != nil {
|
2022-07-01 14:53:34 +08:00
|
|
|
return nil, &TokenError{
|
2022-08-09 16:50:49 +08:00
|
|
|
Error: EndpointError,
|
2022-07-01 14:53:34 +08:00
|
|
|
ErrorDescription: fmt.Sprintf("generate jwt token error: %s", err.Error()),
|
2023-05-30 15:49:39 +08:00
|
|
|
}, nil
|
2022-04-15 11:49:56 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
token := &Token{
|
|
|
|
|
Owner: application.Owner,
|
2022-08-11 14:32:47 +08:00
|
|
|
Name: tokenName,
|
2022-04-15 11:49:56 +08:00
|
|
|
CreatedTime: util.GetCurrentTime(),
|
|
|
|
|
Application: application.Name,
|
|
|
|
|
Organization: user.Owner,
|
|
|
|
|
User: user.Name,
|
2022-08-07 12:26:14 +08:00
|
|
|
Code: session.SessionKey, // a trick, because miniprogram does not use the code, so use the code field to save the session_key
|
2022-04-15 11:49:56 +08:00
|
|
|
AccessToken: accessToken,
|
|
|
|
|
RefreshToken: refreshToken,
|
|
|
|
|
ExpiresIn: application.ExpireInHours * 60,
|
|
|
|
|
Scope: "",
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
CodeIsUsed: true,
|
|
|
|
|
}
|
2023-05-30 15:49:39 +08:00
|
|
|
_, err = AddToken(token)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
}
|
|
|
|
|
return token, nil, nil
|
2022-04-15 11:49:56 +08:00
|
|
|
}
|
