1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
package google
import (
"errors"
"fmt"
"net/http"
"strings"
"github.com/nsheridan/cashier/server/auth"
"github.com/nsheridan/cashier/server/config"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
googleapi "google.golang.org/api/oauth2/v2"
)
const (
revokeURL = "https://accounts.google.com/o/oauth2/revoke?token=%s"
name = "google"
)
// Config is an implementation of `auth.Provider` for authenticating using a
// Google account.
type Config struct {
config *oauth2.Config
domain string
}
// New creates a new Google provider from a configuration.
func New(c *config.Auth) (auth.Provider, error) {
if c.ProviderOpts["domain"] == "" {
return nil, errors.New("google_opts domain must not be empty")
}
return &Config{
config: &oauth2.Config{
ClientID: c.OauthClientID,
ClientSecret: c.OauthClientSecret,
RedirectURL: c.OauthCallbackURL,
Endpoint: google.Endpoint,
Scopes: []string{googleapi.UserinfoEmailScope, googleapi.UserinfoProfileScope},
},
domain: c.ProviderOpts["domain"],
}, nil
}
// A new oauth2 http client.
func (c *Config) newClient(token *oauth2.Token) *http.Client {
return c.config.Client(oauth2.NoContext, token)
}
// Name returns the name of the provider.
func (c *Config) Name() string {
return name
}
// Valid validates the oauth token.
func (c *Config) Valid(token *oauth2.Token) bool {
if !token.Valid() {
return false
}
svc, err := googleapi.New(c.newClient(token))
if err != nil {
return false
}
t := svc.Tokeninfo()
t.AccessToken(token.AccessToken)
ti, err := t.Do()
if err != nil {
return false
}
ui, err := svc.Userinfo.Get().Do()
if err != nil {
return false
}
switch {
case ti.Audience != c.config.ClientID:
case ui.Hd != c.domain:
return false
}
return true
}
// Revoke disables the access token.
func (c *Config) Revoke(token *oauth2.Token) error {
h := c.newClient(token)
_, err := h.Get(fmt.Sprintf(revokeURL, token.AccessToken))
return err
}
// StartSession retrieves an authentication endpoint from Google.
func (c *Config) StartSession(state string) *auth.Session {
return &auth.Session{
AuthURL: c.config.AuthCodeURL(state, oauth2.SetAuthURLParam("hd", c.domain)),
State: state,
}
}
// Exchange authorizes the session and returns an access token.
func (c *Config) Exchange(code string) (*oauth2.Token, error) {
return c.config.Exchange(oauth2.NoContext, code)
}
// Username retrieves the username portion of the user's email address.
func (c *Config) Username(token *oauth2.Token) string {
svc, err := googleapi.New(c.newClient(token))
if err != nil {
return ""
}
ui, err := svc.Userinfo.Get().Do()
if err != nil {
return ""
}
return strings.Split(ui.Email, "@")[0]
}
|