Remove the oauth_callback_url config option

Infer the redirect url from the request instead

12 files changed, 74 insertions, 25 deletions

diff --git a/server/auth/github/github.go b/server/auth/github/github.go
index 46cf76a..c985eed 100644
--- a/server/auth/github/github.go
+++ b/server/auth/github/github.go
@@ -40,7 +40,6 @@ func New(c *config.Auth) (*Config, error) {
 		config: &oauth2.Config{
 			ClientID:     c.OauthClientID,
 			ClientSecret: c.OauthClientSecret,
-			RedirectURL:  c.OauthCallbackURL,
 			Endpoint:     github.Endpoint,
 			Scopes: []string{
 				string(githubapi.ScopeUser),
@@ -91,7 +90,8 @@ func (c *Config) Revoke(token *oauth2.Token) error {
 }
 
 // StartSession retrieves an authentication endpoint from Github.
-func (c *Config) StartSession(state string) *auth.Session {
+func (c *Config) StartSession(state string, r *http.Request) *auth.Session {
+	c.config.RedirectURL = auth.Oauth2RedirectURL(r)
 	return &auth.Session{
 		AuthURL: c.config.AuthCodeURL(state),
 	}
diff --git a/server/auth/github/github_test.go b/server/auth/github/github_test.go
index 8c51f4f..d9d5f00 100644
--- a/server/auth/github/github_test.go
+++ b/server/auth/github/github_test.go
@@ -2,6 +2,7 @@ package github
 
 import (
 	"fmt"
+	"net/http"
 	"testing"
 
 	"github.com/nsheridan/cashier/server/config"
@@ -22,13 +23,11 @@ func TestNew(t *testing.T) {
 	p, _ := New(&config.Auth{
 		OauthClientID:     oauthClientID,
 		OauthClientSecret: oauthClientSecret,
-		OauthCallbackURL:  oauthCallbackURL,
 		ProviderOpts:      map[string]string{"organization": organization},
 		UsersWhitelist:    users,
 	})
 	a.Equal(p.config.ClientID, oauthClientID)
 	a.Equal(p.config.ClientSecret, oauthClientSecret)
-	a.Equal(p.config.RedirectURL, oauthCallbackURL)
 	a.Equal(p.organization, organization)
 	a.Equal(p.whitelist, map[string]bool{"user": true})
 }
@@ -37,7 +36,6 @@ func TestWhitelist(t *testing.T) {
 	c := &config.Auth{
 		OauthClientID:     oauthClientID,
 		OauthClientSecret: oauthClientSecret,
-		OauthCallbackURL:  oauthCallbackURL,
 		ProviderOpts:      map[string]string{"organization": ""},
 		UsersWhitelist:    []string{},
 	}
@@ -61,7 +59,10 @@ func TestStartSession(t *testing.T) {
 	a := assert.New(t)
 
 	p, _ := newGithub()
-	s := p.StartSession("test_state")
+	r := &http.Request{
+		Host: oauthCallbackURL,
+	}
+	s := p.StartSession("test_state", r)
 	a.Contains(s.AuthURL, "github.com/login/oauth/authorize")
 	a.Contains(s.AuthURL, "state=test_state")
 	a.Contains(s.AuthURL, fmt.Sprintf("client_id=%s", oauthClientID))
@@ -71,7 +72,6 @@ func newGithub() (*Config, error) {
 	c := &config.Auth{
 		OauthClientID:     oauthClientID,
 		OauthClientSecret: oauthClientSecret,
-		OauthCallbackURL:  oauthCallbackURL,
 		ProviderOpts:      map[string]string{"organization": organization},
 	}
 	return New(c)
diff --git a/server/auth/gitlab/gitlab.go b/server/auth/gitlab/gitlab.go
index f76b2e8..27edafa 100644
--- a/server/auth/gitlab/gitlab.go
+++ b/server/auth/gitlab/gitlab.go
@@ -2,6 +2,7 @@ package gitlab
 
 import (
 	"errors"
+	"net/http"
 	"strconv"
 
 	"github.com/nsheridan/cashier/server/auth"
@@ -51,7 +52,6 @@ func New(c *config.Auth) (*Config, error) {
 		config: &oauth2.Config{
 			ClientID:     c.OauthClientID,
 			ClientSecret: c.OauthClientSecret,
-			RedirectURL:  c.OauthCallbackURL,
 			Endpoint: oauth2.Endpoint{
 				AuthURL:  siteURL + "oauth/authorize",
 				TokenURL: siteURL + "oauth/token",
@@ -110,7 +110,8 @@ func (c *Config) Revoke(token *oauth2.Token) error {
 }
 
 // StartSession retrieves an authentication endpoint from Gitlab.
-func (c *Config) StartSession(state string) *auth.Session {
+func (c *Config) StartSession(state string, r *http.Request) *auth.Session {
+	c.config.RedirectURL = auth.Oauth2RedirectURL(r)
 	return &auth.Session{
 		AuthURL: c.config.AuthCodeURL(state),
 	}
diff --git a/server/auth/gitlab/gitlab_test.go b/server/auth/gitlab/gitlab_test.go
index 39c2701..676cda2 100644
--- a/server/auth/gitlab/gitlab_test.go
+++ b/server/auth/gitlab/gitlab_test.go
@@ -2,6 +2,7 @@ package gitlab
 
 import (
 	"fmt"
+	"net/http"
 	"testing"
 
 	"github.com/nsheridan/cashier/server/auth"
@@ -25,7 +26,6 @@ func TestNew(t *testing.T) {
 	g := p.(*Config)
 	a.Equal(g.config.ClientID, oauthClientID)
 	a.Equal(g.config.ClientSecret, oauthClientSecret)
-	a.Equal(g.config.RedirectURL, oauthCallbackURL)
 }
 
 func TestNewBrokenSiteURL(t *testing.T) {
@@ -55,7 +55,10 @@ func TestGoodAllUsers(t *testing.T) {
 	a := assert.New(t)
 
 	p, _ := newGitlab()
-	s := p.StartSession("test_state")
+	r := &http.Request{
+		Host: oauthCallbackURL,
+	}
+	s := p.StartSession("test_state", r)
 	a.Contains(s.AuthURL, "exampleorg/oauth/authorize")
 	a.Contains(s.AuthURL, "state=test_state")
 	a.Contains(s.AuthURL, fmt.Sprintf("client_id=%s", oauthClientID))
@@ -77,7 +80,10 @@ func TestStartSession(t *testing.T) {
 	a := assert.New(t)
 
 	p, _ := newGitlab()
-	s := p.StartSession("test_state")
+	r := &http.Request{
+		Host: oauthCallbackURL,
+	}
+	s := p.StartSession("test_state", r)
 	a.Contains(s.AuthURL, "exampleorg/oauth/authorize")
 	a.Contains(s.AuthURL, "state=test_state")
 	a.Contains(s.AuthURL, fmt.Sprintf("client_id=%s", oauthClientID))
@@ -87,7 +93,6 @@ func newGitlab() (auth.Provider, error) {
 	c := &config.Auth{
 		OauthClientID:     oauthClientID,
 		OauthClientSecret: oauthClientSecret,
-		OauthCallbackURL:  oauthCallbackURL,
 		ProviderOpts: map[string]string{
 			"group":    group,
 			"siteurl":  siteurl,
diff --git a/server/auth/google/google.go b/server/auth/google/google.go
index 8c6f53b..305b6f4 100644
--- a/server/auth/google/google.go
+++ b/server/auth/google/google.go
@@ -43,7 +43,6 @@ func New(c *config.Auth) (*Config, error) {
 		config: &oauth2.Config{
 			ClientID:     c.OauthClientID,
 			ClientSecret: c.OauthClientSecret,
-			RedirectURL:  c.OauthCallbackURL,
 			Endpoint:     google.Endpoint,
 			Scopes:       []string{googleapi.UserinfoEmailScope, googleapi.UserinfoProfileScope},
 		},
@@ -101,7 +100,8 @@ func (c *Config) Revoke(token *oauth2.Token) error {
 }
 
 // StartSession retrieves an authentication endpoint from Google.
-func (c *Config) StartSession(state string) *auth.Session {
+func (c *Config) StartSession(state string, r *http.Request) *auth.Session {
+	c.config.RedirectURL = auth.Oauth2RedirectURL(r)
 	return &auth.Session{
 		AuthURL: c.config.AuthCodeURL(state, oauth2.SetAuthURLParam("hd", c.domain)),
 	}
diff --git a/server/auth/google/google_test.go b/server/auth/google/google_test.go
index b3d2633..4d6191b 100644
--- a/server/auth/google/google_test.go
+++ b/server/auth/google/google_test.go
@@ -2,6 +2,7 @@ package google
 
 import (
 	"fmt"
+	"net/http"
 	"testing"
 
 	"github.com/nsheridan/cashier/server/config"
@@ -22,7 +23,6 @@ func TestNew(t *testing.T) {
 	a.NoError(err)
 	a.Equal(p.config.ClientID, oauthClientID)
 	a.Equal(p.config.ClientSecret, oauthClientSecret)
-	a.Equal(p.config.RedirectURL, oauthCallbackURL)
 	a.Equal(p.domain, domain)
 	a.Equal(p.whitelist, map[string]bool{"user": true})
 }
@@ -31,7 +31,6 @@ func TestWhitelist(t *testing.T) {
 	c := &config.Auth{
 		OauthClientID:     oauthClientID,
 		OauthClientSecret: oauthClientSecret,
-		OauthCallbackURL:  oauthCallbackURL,
 		ProviderOpts:      map[string]string{"domain": ""},
 		UsersWhitelist:    []string{},
 	}
@@ -56,7 +55,10 @@ func TestStartSession(t *testing.T) {
 
 	p, err := newGoogle()
 	a.NoError(err)
-	s := p.StartSession("test_state")
+	r := &http.Request{
+		Host: oauthCallbackURL,
+	}
+	s := p.StartSession("test_state", r)
 	a.Contains(s.AuthURL, "accounts.google.com/o/oauth2/auth")
 	a.Contains(s.AuthURL, "state=test_state")
 	a.Contains(s.AuthURL, fmt.Sprintf("hd=%s", domain))
@@ -67,7 +69,6 @@ func newGoogle() (*Config, error) {
 	c := &config.Auth{
 		OauthClientID:     oauthClientID,
 		OauthClientSecret: oauthClientSecret,
-		OauthCallbackURL:  oauthCallbackURL,
 		ProviderOpts:      map[string]string{"domain": domain},
 		UsersWhitelist:    users,
 	}
diff --git a/server/auth/provider.go b/server/auth/provider.go
index 06dc1c9..d4a8e58 100644
--- a/server/auth/provider.go
+++ b/server/auth/provider.go
@@ -1,11 +1,16 @@
 package auth
 
-import "golang.org/x/oauth2"
+import (
+	"fmt"
+	"net/http"
+
+	"golang.org/x/oauth2"
+)
 
 // Provider is an abstraction of different auth methods.
 type Provider interface {
 	Name() string
-	StartSession(string) *Session
+	StartSession(string, *http.Request) *Session
 	Exchange(string) (*oauth2.Token, error)
 	Username(*oauth2.Token) string
 	Valid(*oauth2.Token) bool
@@ -28,3 +33,12 @@ func (s *Session) Authorize(provider Provider, code string) error {
 	s.Token = t
 	return nil
 }
+
+// Oauth2RedirectURL returns an OAuth redirect_uri for this request.
+func Oauth2RedirectURL(r *http.Request) string {
+	protocol := "http"
+	if r.TLS != nil {
+		protocol = "https"
+	}
+	return fmt.Sprintf("%s://%s/auth/callback", protocol, r.Host)
+}
diff --git a/server/auth/provider_test.go b/server/auth/provider_test.go
new file mode 100644
index 0000000..e35dcea
--- /dev/null
+++ b/server/auth/provider_test.go
@@ -0,0 +1,30 @@
+package auth
+
+import (
+	"crypto/tls"
+	"net/http"
+	"testing"
+)
+
+func TestHTTP(t *testing.T) {
+	want := "http://example.com/auth/callback"
+	r := &http.Request{
+		Host: "example.com",
+	}
+	ret := Oauth2RedirectURL(r)
+	if want != ret {
+		t.Errorf("Wanted %s, got %s", want, ret)
+	}
+}
+
+func TestHTTPS(t *testing.T) {
+	want := "https://example.com/auth/callback"
+	r := &http.Request{
+		Host: "example.com",
+		TLS:  &tls.ConnectionState{},
+	}
+	ret := Oauth2RedirectURL(r)
+	if want != ret {
+		t.Errorf("Wanted %s, got %s", want, ret)
+	}
+}
diff --git a/server/auth/testprovider/testprovider.go b/server/auth/testprovider/testprovider.go
index e30b04a..0bc2397 100644
--- a/server/auth/testprovider/testprovider.go
+++ b/server/auth/testprovider/testprovider.go
@@ -1,6 +1,7 @@
 package testprovider
 
 import (
+	"net/http"
 	"time"
 
 	"github.com/nsheridan/cashier/server/auth"
@@ -38,7 +39,7 @@ func (c *Config) Revoke(token *oauth2.Token) error {
 }
 
 // StartSession retrieves an authentication endpoint.
-func (c *Config) StartSession(state string) *auth.Session {
+func (c *Config) StartSession(state string, r *http.Request) *auth.Session {
 	return &auth.Session{
 		AuthURL: "https://www.example.com/auth",
 	}
diff --git a/server/config/config.go b/server/config/config.go
index 422a135..794ba8a 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -43,7 +43,6 @@ type Server struct {
 type Auth struct {
 	OauthClientID     string            `hcl:"oauth_client_id"`
 	OauthClientSecret string            `hcl:"oauth_client_secret"`
-	OauthCallbackURL  string            `hcl:"oauth_callback_url"`
 	Provider          string            `hcl:"provider"`
 	ProviderOpts      map[string]string `hcl:"provider_opts"`
 	UsersWhitelist    []string          `hcl:"users_whitelist"`
diff --git a/server/config/config_test.go b/server/config/config_test.go
index 5536a4e..e247917 100644
--- a/server/config/config_test.go
+++ b/server/config/config_test.go
@@ -23,7 +23,6 @@ var (
 		Auth: &Auth{
 			OauthClientID:     "client_id",
 			OauthClientSecret: "secret",
-			OauthCallbackURL:  "https://sshca.example.com/auth/callback",
 			Provider:          "google",
 			ProviderOpts:      map[string]string{"domain": "example.com"},
 			UsersWhitelist:    []string{"a_user"},
diff --git a/server/config/testdata/test.config b/server/config/testdata/test.config
index 96899e7..6584add 100644
--- a/server/config/testdata/test.config
+++ b/server/config/testdata/test.config
@@ -19,7 +19,6 @@ auth {
   provider = "google"
   oauth_client_id = "client_id"
   oauth_client_secret = "secret"
-  oauth_callback_url = "https://sshca.example.com/auth/callback"
   provider_opts {
     domain = "example.com"
   }