feat(backend): add OAuth2/JWT authentication support
- Add OAuth2 client for Authentik integration - Implement JWT token generation and validation - Add refresh token support with database storage - Update database schema with oauth_subject, oauth_provider, and refresh_tokens table - Create auth package with config, jwt, oauth, and token management - Add OAuth endpoints: /auth/login, /auth/callback, /auth/refresh, /auth/logout - Update AuthMiddleware to support both JWT and API key authentication - Add user helper functions for OAuth user creation and retrieval - Add .env.example with OAuth configuration template API keys still work for CLI compatibility while JWT tokens support web/mobile clients.
This commit is contained in:
@@ -0,0 +1,41 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"os"
|
||||
"strconv"
|
||||
)
|
||||
|
||||
type Config struct {
|
||||
OAuthEnabled bool
|
||||
OAuthIssuer string
|
||||
OAuthClientID string
|
||||
OAuthClientSecret string
|
||||
OAuthRedirectURI string
|
||||
JWTSecret []byte
|
||||
JWTExpiry int
|
||||
RefreshTokenExpiry int
|
||||
}
|
||||
|
||||
func LoadConfig() *Config {
|
||||
enabled, _ := strconv.ParseBool(getEnv("OAUTH_ENABLED", "false"))
|
||||
jwtExpiry, _ := strconv.Atoi(getEnv("JWT_EXPIRY", "3600"))
|
||||
refreshExpiry, _ := strconv.Atoi(getEnv("REFRESH_TOKEN_EXPIRY", "604800"))
|
||||
|
||||
return &Config{
|
||||
OAuthEnabled: enabled,
|
||||
OAuthIssuer: getEnv("OAUTH_ISSUER", ""),
|
||||
OAuthClientID: getEnv("OAUTH_CLIENT_ID", ""),
|
||||
OAuthClientSecret: getEnv("OAUTH_CLIENT_SECRET", ""),
|
||||
OAuthRedirectURI: getEnv("OAUTH_REDIRECT_URI", ""),
|
||||
JWTSecret: []byte(getEnv("JWT_SECRET", "change-me-in-production")),
|
||||
JWTExpiry: jwtExpiry,
|
||||
RefreshTokenExpiry: refreshExpiry,
|
||||
}
|
||||
}
|
||||
|
||||
func getEnv(key, fallback string) string {
|
||||
if value := os.Getenv(key); value != "" {
|
||||
return value
|
||||
}
|
||||
return fallback
|
||||
}
|
||||
@@ -0,0 +1,57 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
)
|
||||
|
||||
type Claims struct {
|
||||
UserID int `json:"user_id"`
|
||||
Username string `json:"username"`
|
||||
Email string `json:"email,omitempty"`
|
||||
jwt.RegisteredClaims
|
||||
}
|
||||
|
||||
func GenerateJWT(userID int, username, email string, cfg *Config) (string, int64, error) {
|
||||
expiresAt := time.Now().Add(time.Duration(cfg.JWTExpiry) * time.Second)
|
||||
|
||||
claims := &Claims{
|
||||
UserID: userID,
|
||||
Username: username,
|
||||
Email: email,
|
||||
RegisteredClaims: jwt.RegisteredClaims{
|
||||
ExpiresAt: jwt.NewNumericDate(expiresAt),
|
||||
IssuedAt: jwt.NewNumericDate(time.Now()),
|
||||
Issuer: "opal-task",
|
||||
},
|
||||
}
|
||||
|
||||
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
||||
signedToken, err := token.SignedString(cfg.JWTSecret)
|
||||
if err != nil {
|
||||
return "", 0, err
|
||||
}
|
||||
|
||||
return signedToken, expiresAt.Unix(), nil
|
||||
}
|
||||
|
||||
func ValidateJWT(tokenString string, cfg *Config) (*Claims, error) {
|
||||
token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
|
||||
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
||||
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
||||
}
|
||||
return cfg.JWTSecret, nil
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if claims, ok := token.Claims.(*Claims); ok && token.Valid {
|
||||
return claims, nil
|
||||
}
|
||||
|
||||
return nil, fmt.Errorf("invalid token")
|
||||
}
|
||||
@@ -0,0 +1,74 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io"
|
||||
"net/http"
|
||||
|
||||
"golang.org/x/oauth2"
|
||||
)
|
||||
|
||||
type OAuthClient struct {
|
||||
config *oauth2.Config
|
||||
cfg *Config
|
||||
}
|
||||
|
||||
func NewOAuthClient(cfg *Config) *OAuthClient {
|
||||
return &OAuthClient{
|
||||
config: &oauth2.Config{
|
||||
ClientID: cfg.OAuthClientID,
|
||||
ClientSecret: cfg.OAuthClientSecret,
|
||||
RedirectURL: cfg.OAuthRedirectURI,
|
||||
Endpoint: oauth2.Endpoint{
|
||||
AuthURL: cfg.OAuthIssuer + "../authorize/",
|
||||
TokenURL: cfg.OAuthIssuer + "../token/",
|
||||
},
|
||||
Scopes: []string{"openid", "profile", "email"},
|
||||
},
|
||||
cfg: cfg,
|
||||
}
|
||||
}
|
||||
|
||||
func (c *OAuthClient) GetAuthURL(state string) string {
|
||||
return c.config.AuthCodeURL(state)
|
||||
}
|
||||
|
||||
func (c *OAuthClient) ExchangeCode(ctx context.Context, code string) (*oauth2.Token, error) {
|
||||
return c.config.Exchange(ctx, code)
|
||||
}
|
||||
|
||||
type UserInfo struct {
|
||||
Sub string `json:"sub"`
|
||||
Username string `json:"preferred_username"`
|
||||
Email string `json:"email"`
|
||||
Name string `json:"name"`
|
||||
}
|
||||
|
||||
func (c *OAuthClient) GetUserInfo(ctx context.Context, accessToken string) (*UserInfo, error) {
|
||||
req, err := http.NewRequestWithContext(ctx, "GET", c.cfg.OAuthIssuer+"../userinfo/", nil)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
req.Header.Set("Authorization", "Bearer "+accessToken)
|
||||
|
||||
resp, err := http.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
if resp.StatusCode != 200 {
|
||||
body, _ := io.ReadAll(resp.Body)
|
||||
return nil, fmt.Errorf("userinfo request failed: %s", string(body))
|
||||
}
|
||||
|
||||
var userInfo UserInfo
|
||||
if err := json.NewDecoder(resp.Body).Decode(&userInfo); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &userInfo, nil
|
||||
}
|
||||
@@ -0,0 +1,91 @@
|
||||
package auth
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"git.jnss.me/joakim/opal/internal/engine"
|
||||
)
|
||||
|
||||
func GenerateRefreshToken() (string, error) {
|
||||
b := make([]byte, 32)
|
||||
if _, err := rand.Read(b); err != nil {
|
||||
return "", err
|
||||
}
|
||||
return base64.URLEncoding.EncodeToString(b), nil
|
||||
}
|
||||
|
||||
func HashToken(token string) string {
|
||||
hash := sha256.Sum256([]byte(token))
|
||||
return base64.URLEncoding.EncodeToString(hash[:])
|
||||
}
|
||||
|
||||
func StoreRefreshToken(userID int, token string, expiresIn int) error {
|
||||
db := engine.GetDB()
|
||||
if db == nil {
|
||||
return fmt.Errorf("database not initialized")
|
||||
}
|
||||
|
||||
hash := HashToken(token)
|
||||
expiresAt := time.Now().Add(time.Duration(expiresIn) * time.Second).Unix()
|
||||
|
||||
_, err := db.Exec(`
|
||||
INSERT INTO refresh_tokens (user_id, token_hash, expires_at, created_at)
|
||||
VALUES (?, ?, ?, ?)
|
||||
`, userID, hash, expiresAt, time.Now().Unix())
|
||||
|
||||
return err
|
||||
}
|
||||
|
||||
func ValidateRefreshToken(token string) (int, error) {
|
||||
db := engine.GetDB()
|
||||
if db == nil {
|
||||
return 0, fmt.Errorf("database not initialized")
|
||||
}
|
||||
|
||||
hash := HashToken(token)
|
||||
|
||||
var userID int
|
||||
var expiresAt int64
|
||||
var revoked int
|
||||
|
||||
err := db.QueryRow(`
|
||||
SELECT user_id, expires_at, revoked
|
||||
FROM refresh_tokens
|
||||
WHERE token_hash = ?
|
||||
`, hash).Scan(&userID, &expiresAt, &revoked)
|
||||
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
|
||||
if revoked == 1 {
|
||||
return 0, fmt.Errorf("token revoked")
|
||||
}
|
||||
|
||||
if time.Now().Unix() > expiresAt {
|
||||
return 0, fmt.Errorf("token expired")
|
||||
}
|
||||
|
||||
return userID, nil
|
||||
}
|
||||
|
||||
func RevokeRefreshToken(token string) error {
|
||||
db := engine.GetDB()
|
||||
if db == nil {
|
||||
return fmt.Errorf("database not initialized")
|
||||
}
|
||||
|
||||
hash := HashToken(token)
|
||||
|
||||
_, err := db.Exec(`
|
||||
UPDATE refresh_tokens
|
||||
SET revoked = 1
|
||||
WHERE token_hash = ?
|
||||
`, hash)
|
||||
|
||||
return err
|
||||
}
|
||||
Reference in New Issue
Block a user