forked from mrjones/oauth
-
Notifications
You must be signed in to change notification settings - Fork 0
/
provider.go
147 lines (123 loc) · 3.46 KB
/
provider.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
package oauth
import (
"bytes"
"fmt"
"math"
"net/http"
"net/url"
"strconv"
"strings"
)
//
// OAuth1 2-legged provider
// Contributed by https://github.com/jacobpgallagher
//
// Provide an buffer reader which implements the Close() interface
type oauthBufferReader struct {
*bytes.Buffer
}
// So that it implements the io.ReadCloser interface
func (m oauthBufferReader) Close() error { return nil }
type ConsumerGetter func(key string, header map[string]string) (*Consumer, error)
// Provider provides methods for a 2-legged Oauth1 provider
type Provider struct {
ConsumerGetter ConsumerGetter
// For mocking
clock clock
}
// NewProvider takes a function to get the consumer secret from a datastore.
// Returns a Provider
func NewProvider(secretGetter ConsumerGetter) *Provider {
provider := &Provider{
secretGetter,
&defaultClock{},
}
return provider
}
// Combine a URL and Request to make the URL absolute
func makeURLAbs(url *url.URL, request *http.Request) {
if !url.IsAbs() {
url.Host = request.Host
if request.TLS != nil || request.Header.Get("X-Forwarded-Proto") == "https" {
url.Scheme = "https"
} else {
url.Scheme = "http"
}
}
}
// IsAuthorized takes an *http.Request and returns a pointer to a string containing the consumer key,
// or nil if not authorized
func (provider *Provider) IsAuthorized(request *http.Request) (*string, error) {
var err error
makeURLAbs(request.URL, request)
// Get the OAuth header vals. Probably would be better with regexp,
// but my regex foo is low today.
authHeader := request.Header.Get(HTTP_AUTH_HEADER)
if strings.EqualFold(OAUTH_HEADER, authHeader[0:5]) {
return nil, fmt.Errorf("no OAuth Authorization header")
}
authHeader = authHeader[5:]
params := strings.Split(authHeader, ",")
pars := make(map[string]string)
for _, param := range params {
vals := strings.SplitN(param, "=", 2)
k := strings.Trim(vals[0], " ")
v := strings.Trim(strings.Trim(vals[1], "\""), " ")
if strings.HasPrefix(k, "oauth") {
pars[k], err = url.QueryUnescape(v)
if err != nil {
return nil, err
}
}
}
oauthSignature, ok := pars[SIGNATURE_PARAM]
if !ok {
return nil, fmt.Errorf("no oauth signature")
}
delete(pars, SIGNATURE_PARAM)
// Check the timestamp
oauthTimeNumber, err := strconv.Atoi(pars[TIMESTAMP_PARAM])
if err != nil {
return nil, err
}
if math.Abs(float64(int64(oauthTimeNumber)-provider.clock.Seconds())) > 5*60 {
return nil, fmt.Errorf("too much clock skew")
}
consumerKey, ok := pars[CONSUMER_KEY_PARAM]
if !ok {
return nil, fmt.Errorf("no consumer key")
}
consumer, err := provider.ConsumerGetter(consumerKey, pars)
if err != nil {
return nil, err
}
if consumer.serviceProvider.BodyHash {
bodyHash, err := calculateBodyHash(request, consumer.signer)
if err != nil {
return nil, err
}
sentHash, ok := pars[BODY_HASH_PARAM]
if bodyHash == "" && ok {
return nil, fmt.Errorf("body_hash must not be set")
} else if sentHash != bodyHash {
return nil, fmt.Errorf("body_hash mismatch")
}
}
userParams, err := parseBody(request)
if err != nil {
return nil, err
}
allParams := NewOrderedParams()
for key, value := range pars {
allParams.Add(key, value)
}
for i := range userParams {
allParams.Add(userParams[i].key, userParams[i].value)
}
baseString := consumer.requestString(request.Method, canonicalizeUrl(request.URL), allParams)
err = consumer.signer.Verify(baseString, oauthSignature)
if err != nil {
return nil, err
}
return &consumerKey, nil
}