forked from x/icebergs
174 lines
7.2 KiB
Go
174 lines
7.2 KiB
Go
package oauth
|
|
|
|
import (
|
|
"net/http"
|
|
"path"
|
|
"strings"
|
|
"time"
|
|
|
|
ice "shylinux.com/x/icebergs"
|
|
"shylinux.com/x/icebergs/base/aaa"
|
|
"shylinux.com/x/icebergs/base/ctx"
|
|
"shylinux.com/x/icebergs/base/mdb"
|
|
"shylinux.com/x/icebergs/base/nfs"
|
|
"shylinux.com/x/icebergs/base/ssh"
|
|
"shylinux.com/x/icebergs/base/web"
|
|
"shylinux.com/x/icebergs/core/chat"
|
|
kit "shylinux.com/x/toolkits"
|
|
)
|
|
|
|
func _merge_url(m *ice.Message, domain, key string, arg ...ice.Any) string {
|
|
if domain == "" {
|
|
if m.Option(ice.MSG_USERPOD) == "" {
|
|
domain = web.MergeLink(m, ice.PS)
|
|
} else {
|
|
domain = web.MergeLink(m, "/chat/pod/"+m.Option(ice.MSG_USERPOD))
|
|
}
|
|
}
|
|
if domain = strings.TrimSuffix(domain, ice.PS); strings.Contains(domain, "/chat/pod/") {
|
|
domain += web.P(strings.TrimPrefix(m.Prefix(web.P(key)), "web.chat."))
|
|
} else {
|
|
domain += path.Join(strings.TrimPrefix(strings.Replace(m.Target().Cap(ice.CTX_FOLLOW), ice.PT, ice.PS, -1), "web"), path.Join(key))
|
|
}
|
|
return kit.MergeURL(domain, arg...)
|
|
}
|
|
|
|
const (
|
|
CHECK = "check"
|
|
APPLY = "apply"
|
|
REPLY = "reply"
|
|
OFFER = "offer"
|
|
)
|
|
const (
|
|
ACCESS_TOKEN = "access_token"
|
|
TOKEN_TYPE = "token_type"
|
|
EXPIRES_IN = "expires_in"
|
|
CODE = "code"
|
|
STATE = "state"
|
|
SCOPE = "scope"
|
|
CLIENT_ID = "client_id"
|
|
REDIRECT_URI = "redirect_uri"
|
|
)
|
|
const (
|
|
AUTHORIZE = "authorize"
|
|
TOKEN = "token"
|
|
ACCESS = "access"
|
|
USERINFO = "userinfo"
|
|
)
|
|
const OAUTH = "oauth"
|
|
|
|
var Index = &ice.Context{Name: OAUTH, Help: "认证授权", Commands: ice.Commands{
|
|
OAUTH: {Name: "oauth hash auto prunes", Help: "权限", Actions: ice.MergeActions(ice.Actions{
|
|
CHECK: {Name: "check scope domain", Help: "检查", Hand: func(m *ice.Message, arg ...string) {
|
|
m.Echo(_merge_url(m, kit.Select(ice.Info.Make.Domain, m.Option(web.DOMAIN)), APPLY, m.OptionSimple(SCOPE), REDIRECT_URI, _merge_url(m, "", REPLY)))
|
|
}},
|
|
APPLY: {Name: "apply scope redirect_uri", Help: "申请", Hand: func(m *ice.Message, arg ...string) {
|
|
if aaa.Right(m, m.Option(SCOPE)) {
|
|
token := m.Cmdx(OFFER, mdb.CREATE, aaa.USERNAME, m.Option(ice.MSG_USERNAME), m.OptionSimple(SCOPE, REDIRECT_URI))
|
|
m.ProcessReplace(m.Option(REDIRECT_URI), m.OptionSimple(SCOPE), OFFER, _merge_url(m, "", OFFER, ACCESS_TOKEN, token))
|
|
} else {
|
|
m.Cmdy(APPLY, mdb.CREATE, aaa.USERNAME, m.Option(ice.MSG_USERNAME), m.OptionSimple(SCOPE, REDIRECT_URI))
|
|
}
|
|
}},
|
|
REPLY: {Name: "reply scope offer", Help: "通过", Hand: func(m *ice.Message, arg ...string) {
|
|
m.Cmd(REPLY, mdb.CREATE, aaa.USERNAME, m.Option(ice.MSG_USERNAME), m.OptionSimple(SCOPE, OFFER))
|
|
|
|
m.Option(web.SPIDE_HEADER, web.UserAgent, m.PrefixKey())
|
|
m.Cmd(ssh.SOURCE, m.Option(SCOPE), kit.Dict(nfs.CAT_CONTENT, m.Cmdx(web.SPIDE, ice.DEV, http.MethodGet, m.Option(OFFER))))
|
|
m.ProcessHistory()
|
|
}},
|
|
})},
|
|
|
|
APPLY: {Name: "apply hash auto create prunes", Help: "申请", Actions: mdb.HashAction(mdb.EXPIRE, "72h", mdb.FIELD, "time,hash,username,scope,redirect_uri")},
|
|
REPLY: {Name: "reply hash auto create prunes", Help: "授权", Actions: mdb.HashAction(mdb.EXPIRE, "720h", mdb.SHORT, mdb.UNIQ, mdb.FIELD, "time,hash,username,scope,offer")},
|
|
OFFER: {Name: "offer hash auto create prunes", Help: "访问", Actions: mdb.HashAction(mdb.EXPIRE, "720h", mdb.SHORT, mdb.UNIQ, mdb.FIELD, "time,hash,username,scope,redirect_uri")},
|
|
|
|
web.P(APPLY): {Name: "/apply scope redirect_uri", Help: "申请", Actions: ctx.CmdAction(), Hand: func(m *ice.Message, arg ...string) {
|
|
if m.Option(REDIRECT_URI) == "" {
|
|
m.RenderStatusBadRequest() // 参数错误
|
|
|
|
} else { // 申请
|
|
web.RenderCmd(m, m.Prefix(OAUTH), APPLY)
|
|
}
|
|
}},
|
|
web.P(REPLY): {Name: "/reply scope offer", Help: "授权", Actions: ctx.CmdAction(), Hand: func(m *ice.Message, arg ...string) {
|
|
if m.Option(OFFER) == "" {
|
|
m.RenderStatusBadRequest() // 参数错误
|
|
|
|
} else { // 授权
|
|
web.RenderCmd(m, m.Prefix(OAUTH), REPLY)
|
|
}
|
|
}},
|
|
web.P(OFFER): {Name: "/offer access_token", Help: "访问", Hand: func(m *ice.Message, arg ...string) {
|
|
if m.Option(ACCESS_TOKEN) == "" {
|
|
m.RenderStatusBadRequest() // 参数错误
|
|
|
|
} else if msg := m.Cmd(OFFER, m.Option(ACCESS_TOKEN), ice.OptionFields("time,scope")); msg.Append(mdb.TIME) < msg.Time() {
|
|
m.RenderStatusUnauthorized() // 已过期
|
|
|
|
} else { // 访问
|
|
aaa.UserRoot(m).Cmdy(nfs.CAT, msg.Append(SCOPE)).RenderResult()
|
|
}
|
|
}},
|
|
|
|
AUTHORIZE: {Name: "authorize hash auto create prunes", Help: "认证", Actions: mdb.HashAction(mdb.SHORT, mdb.UNIQ, mdb.FIELD, "time,hash,redirect_uri")},
|
|
TOKEN: {Name: "token hash auto create prunes", Help: "授权", Actions: mdb.HashAction(mdb.EXPIRE, "72h", mdb.FIELD, "time,hash,used,state,scope,redirect_uri")},
|
|
ACCESS: {Name: "access hash auto create prunes", Help: "访问", Actions: mdb.HashAction(mdb.EXPIRE, "720h", mdb.SHORT, mdb.UNIQ, mdb.FIELD, "time,hash,username,scope,redirect_uri")},
|
|
|
|
web.P(AUTHORIZE): {Name: "/authorize state scope client_id redirect_uri", Help: "认证", Hand: func(m *ice.Message, arg ...string) {
|
|
if m.Option(CLIENT_ID) == "" || m.Option(REDIRECT_URI) == "" {
|
|
m.RenderStatusBadRequest() // 参数错误
|
|
|
|
} else if uri := m.Cmd(AUTHORIZE, m.Option(CLIENT_ID)).Append(REDIRECT_URI); m.Warn(uri == "", ice.ErrNotFound, CLIENT_ID) {
|
|
m.RenderStatusNotFound() // 未找到
|
|
|
|
} else if m.Warn(!strings.HasPrefix(m.Option(REDIRECT_URI), uri), ice.ErrNotRight, REDIRECT_URI) {
|
|
m.RenderStatusForbidden() // 未匹配
|
|
|
|
} else { // 认证
|
|
m.RenderRedirect(m.Option(REDIRECT_URI), CODE, m.Cmdx(TOKEN, mdb.CREATE, m.OptionSimple(STATE, SCOPE, REDIRECT_URI)), m.OptionSimple(STATE))
|
|
}
|
|
}},
|
|
web.P(TOKEN): {Name: "/token code redirect_uri", Help: "授权", Hand: func(m *ice.Message, arg ...string) {
|
|
if m.Option(CODE) == "" || m.Option(REDIRECT_URI) == "" {
|
|
m.RenderStatusBadRequest() // 参数错误
|
|
return
|
|
}
|
|
|
|
const USED = "used"
|
|
msg := m.Cmd(TOKEN, m.Option(CODE))
|
|
if uri := msg.Append(REDIRECT_URI); m.Warn(uri == "", ice.ErrNotFound, CODE) {
|
|
m.RenderStatusNotFound() // 未找到
|
|
|
|
} else if m.Warn(!strings.HasPrefix(m.Option(REDIRECT_URI), uri), ice.ErrNotRight, REDIRECT_URI) {
|
|
m.RenderStatusForbidden() // 未匹配
|
|
|
|
} else if m.Warn(msg.Append(USED) == ice.TRUE, ice.ErrNotRight, CODE) {
|
|
m.RenderStatusForbidden() // 已使用
|
|
|
|
} else if msg.Append(mdb.TIME) < m.Time() {
|
|
m.RenderStatusUnauthorized() // 已过期
|
|
|
|
} else { // 授权
|
|
token := m.Cmdx(ACCESS, mdb.CREATE, aaa.USERNAME, m.Option(ice.MSG_USERNAME), msg.AppendSimple(SCOPE, REDIRECT_URI))
|
|
m.RenderJson(ACCESS_TOKEN, token, TOKEN_TYPE, web.Bearer, EXPIRES_IN, kit.Duration(mdb.Conf(m, ACCESS, kit.Keym(mdb.EXPIRE)))/time.Second)
|
|
m.Cmdx(TOKEN, mdb.MODIFY, mdb.HASH, m.Option(CODE), USED, ice.TRUE)
|
|
}
|
|
}},
|
|
web.P(USERINFO): {Name: "/userinfo Authorization", Help: "信息", Hand: func(m *ice.Message, arg ...string) {
|
|
if ls := strings.SplitN(m.R.Header.Get(web.Authorization), ice.SP, 2); m.Warn(len(ls) != 2 || ls[1] == "", ice.ErrNotFound, web.Bearer) {
|
|
m.RenderStatusBadRequest() // 参数错误
|
|
|
|
} else if msg := m.Cmd(ACCESS, ls[1]); msg.Append(mdb.TIME) < m.Time() {
|
|
m.RenderStatusUnauthorized() // 已过期
|
|
|
|
} else { // 访问
|
|
m.RenderJson(mdb.NAME, msg.Append(aaa.USERNAME), aaa.EMAIL, msg.Append(aaa.USERNAME))
|
|
}
|
|
}},
|
|
}}
|
|
|
|
func init() { chat.Index.Register(Index, &web.Frame{}) }
|
|
|
|
func Prefix(arg ...string) string { return kit.Keys("web.chat.oauth", arg) }
|