rob05c commented on a change in pull request #3505: Oauth integration
URL: https://github.com/apache/trafficcontrol/pull/3505#discussion_r280103959
##########
File path: traffic_ops/traffic_ops_golang/login/login.go
##########
@@ -104,3 +108,119 @@ func LoginHandler(db *sqlx.DB, cfg config.Config)
http.HandlerFunc {
fmt.Fprintf(w, "%s", respBts)
}
}
+
+func OauthLoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
+ return func(w http.ResponseWriter, r *http.Request) {
+ handleErrs := tc.GetHandleErrorsFunc(w, r)
+ defer r.Body.Close()
+ authenticated := false
+ resp := struct {
+ tc.Alerts
+ }{}
+
+ form := auth.PasswordForm{}
+ tokenForm := struct {
+ Token string `json:"t"`
+ }{}
+
+ if err := json.NewDecoder(r.Body).Decode(&tokenForm); err !=
nil {
+ handleErrs(http.StatusBadRequest, err)
+ return
+ }
+
+ encodedToken := tokenForm.Token
+
+ if encodedToken == "" {
+ log.Errorf("Token not found in request but is required")
+ handleErrs(http.StatusBadRequest, errors.New("Token not
found in request but is required"))
+ return
+ }
+
+ decodedToken, err := jwt.Parse(encodedToken,
func(unverifiedToken *jwt.Token) (interface{}, error) {
+ publicKeyUrl := unverifiedToken.Header["jku"].(string)
+ publicKeyId := unverifiedToken.Header["kid"].(string)
+
+ if !VerifyUrlOnWhiteList(publicKeyUrl,
cfg.ConfigTrafficOpsGolang.WhitelistedOAuthUrls) {
+ return nil, errors.New("Key URL from token is
not included in the whitelisted urls. Received: " + publicKeyUrl)
+ }
+
+ keys, err := jwk.FetchHTTP(publicKeyUrl)
+ if err != nil {
+ return nil, err
+ }
+
+ keyById := keys.LookupKeyID(publicKeyId)
+ selectedKey, err := keyById[0].Materialize()
+
+ if err != nil {
+ return nil, err
+ }
+
+ return selectedKey, nil
+ })
+ if err != nil {
+ handleErrs(http.StatusInternalServerError,
errors.New("Error decoding token with message: "+err.Error()))
+ log.Errorf("Error decoding token: %s\n", err.Error())
+ return
+ }
+
+ authenticated = decodedToken.Valid
+
+ userId := decodedToken.Claims.(jwt.MapClaims)["sub"].(string)
+ form.Username = userId
+
+ userAllowed, err, blockingErr :=
auth.CheckLocalUserIsAllowed(form, db,
time.Duration(cfg.DBQueryTimeoutSeconds)*time.Second)
+ if blockingErr != nil {
+ api.HandleErr(w, r, nil, http.StatusServiceUnavailable,
nil, fmt.Errorf("error checking local user password: %s\n",
blockingErr.Error()))
+ return
+ }
+ if err != nil {
+ log.Errorf("checking local user: %s\n", err.Error())
+ return
+ }
+
+ if userAllowed && authenticated {
+ expiry := time.Now().Add(time.Hour * 6)
+ cookie := tocookie.New(userId, expiry, cfg.Secrets[0])
+ httpCookie := http.Cookie{Name: "mojolicious", Value:
cookie, Path: "/", Expires: expiry, HttpOnly: true}
+ http.SetCookie(w, &httpCookie)
+ resp = struct {
+ tc.Alerts
+ }{tc.CreateAlerts(tc.SuccessLevel, "Successfully logged
in.")}
+ } else {
+ resp = struct {
+ tc.Alerts
+ }{tc.CreateAlerts(tc.ErrorLevel, "Invalid username or
password.")}
+ }
+
+ respBts, err := json.Marshal(resp)
+ if err != nil {
+ handleErrs(http.StatusInternalServerError, err)
+ return
+ }
+ w.Header().Set(tc.ContentType, tc.ApplicationJson)
Review comment:
Symbols instead of duplicate text prevent typos. `tc.ContemtType` won't
compile, but `"Contemt-Type"` will. Of course, enum.go `const ContentType =
"Content-Type"` could have a typo, but by making it a symbol, we limit the
potential bugs to 1 place instead of the 500 places we need the string
"Content-Type"
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
