New method of authorisation "Oauth2"

[Zekhap]

Hello,

I've been working on an authentication for Zoraxy for users who want to use Oauth2 for their domains, currently we only have Basic and Authelia.
I have tested it with Defguard and Authentik and it works, But i would like you to point out if i have missed something.
I will push this when i think its good enough.

What do you think? is it good?

So we have
NewOauthRouter - When the app starts.
HandleData - When we update things in the UI
HandleOauthAuth - When we visit a page/subdomain (If Oauth2 is enabled)
CallbackHandler - The provider will return to this url after you have signed in to the provider.

package oauth

import (
	"context"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"

	"github.com/coreos/go-oidc"
	"golang.org/x/oauth2"
	"imuslab.com/zoraxy/mod/database"
	"imuslab.com/zoraxy/mod/info/logger"
	"imuslab.com/zoraxy/mod/utils"
)

type OauthRouterOptions struct {
	ClientID     string
	ClientSecret string
	IssuerURL    string
	RedirectURL  string
	Logger       *logger.Logger
	Database     *database.Database
}

type OauthRouter struct {
	options  *OauthRouterOptions
	config   oauth2.Config
	provider *oidc.Provider
}

func NewOauthRouter(options *OauthRouterOptions) *OauthRouter {
	options.Database.NewTable("oauth")

	//Read settings from database, if exists
	options.Database.Read("oauth", "clientID", &options.ClientID)
	options.Database.Read("oauth", "clientSecret", &options.ClientSecret)
	options.Database.Read("oauth", "issuerURL", &options.IssuerURL)
	options.Database.Read("oauth", "redirectURL", &options.RedirectURL)

	return &OauthRouter{
		options: options,
	}
}

// HandleDatais the internal handler for setting the Oauth settings
func (or *OauthRouter) HandleData(w http.ResponseWriter, r *http.Request) {

	if r.Method == http.MethodGet {
		//Return the current settings
		js, _ := json.Marshal(map[string]interface{}{
			"clientID":     or.options.ClientID,
			"clientSecret": or.options.ClientSecret,
			"issuerURL":    or.options.IssuerURL,
			"redirectURL":  or.options.RedirectURL,
		})

		utils.SendJSONResponse(w, string(js))
		return
	}

	//Update the settings
	if r.Method == http.MethodPost {

		clientID, err := utils.PostPara(r, "clientID")
		if err != nil {
			clientID = ""
		}
		clientSecret, err := utils.PostPara(r, "clientSecret")
		if err != nil {
			clientSecret = ""
		}

		issuerURL, err := utils.PostPara(r, "issuerURL")
		if err != nil {
			issuerURL = ""
		}

		redirectURL, err := utils.PostPara(r, "redirectURL")
		if err != nil {
			redirectURL = ""
		}

		//Write changes to runtime
		or.options.ClientID = clientID
		or.options.ClientSecret = clientSecret
		or.options.IssuerURL = issuerURL
		or.options.RedirectURL = redirectURL

		//Write changes to database
		or.options.Database.Write("oauth", "clientID", clientID)
		or.options.Database.Write("oauth", "clientSecret", clientSecret)
		or.options.Database.Write("oauth", "issuerURL", issuerURL)
		or.options.Database.Write("oauth", "redirectURL", redirectURL)
		or.config.ClientID = ""
		or.provider = nil
		utils.SendOK(w)
		return
	}

	http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}

func (or *OauthRouter) HandleOauthAuth(w http.ResponseWriter, r *http.Request) error {
	if !or.VerifyToken(w, r) {
		redirectURL := "http://" + r.Host + r.URL.Path
		query := r.URL.RawQuery
		if query != "" {
			redirectURL += "?" + query
		}
		authURL := or.GetConfig().AuthCodeURL(redirectURL, oauth2.AccessTypeOffline)
		http.Redirect(w, r, authURL, http.StatusFound)
		return errors.New("unauthorized")
	}
	return nil
}

func (or *OauthRouter) CallbackHandler(w http.ResponseWriter, r *http.Request) {
	code := r.URL.Query().Get("code")
	redirectURL := r.URL.Query().Get("state")
	if code == "" || redirectURL == "" {
		http.Error(w, "Invalid request", http.StatusBadRequest)
		return
	}

	// Exchange the authorization code for a token
	token, err := or.GetConfig().Exchange(r.Context(), code)
	if err != nil {
		http.Error(w, "Failed to exchange code for token: "+err.Error(), http.StatusInternalServerError)
		or.options.Logger.PrintAndLog("Oauth", "Failed to exchange code for token", err)
		return
	}

	idToken, ok := token.Extra("id_token").(string)
	if !ok {
		http.Error(w, "ID token not found", http.StatusInternalServerError)
		return
	}
	or.SetCookie(w, r, idToken)
	http.Redirect(w, r, redirectURL, http.StatusFound)
}

func (or *OauthRouter) VerifyToken(w http.ResponseWriter, r *http.Request) bool {
	// Get the token from the session
	cookie, err := r.Cookie("auth_token")
	if err != nil || cookie.Value == "" {
		return false
	}

	parts := strings.Split(cookie.Value, ".")
	if len(parts) != 3 {
		or.options.Logger.PrintAndLog("Oauth", "Invalid JWT Format", err)
		return false
	}

	verifier := or.GetProvider().Verifier(&oidc.Config{SkipClientIDCheck: false, ClientID: or.options.ClientID})
	_, err = verifier.Verify(r.Context(), cookie.Value)
	return err == nil
}

func (or *OauthRouter) SetCookie(w http.ResponseWriter, r *http.Request, token string) {
	var domain = or.GetDomain(r)
	http.SetCookie(w, &http.Cookie{
		Name:     "auth_token",
		Value:    token,
		Path:     "/",
		Domain:   domain,
		Expires:  time.Now().Add(1 * time.Hour),
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteLaxMode,
	})
}

func (or *OauthRouter) GetDomain(r *http.Request) string {
	host := r.Host
	if host == "localhost" {
		return ""
	}
	if strings.HasPrefix(host, "localhost:") {
		return ""
	}

	domainParts := strings.Split(host, ".")
	if len(domainParts) > 1 {
		// Return the domain for subdomains (e.g., ".domain.com")
		return "." + domainParts[len(domainParts)-2] + "." + domainParts[len(domainParts)-1]
	}
	return host
}

func (or *OauthRouter) GetProvider() *oidc.Provider {
	if or.provider == nil {
		var err error
		or.provider, err = oidc.NewProvider(context.Background(), or.options.IssuerURL)
		if err != nil {
			or.options.Logger.PrintAndLog("OpenID", "Failed to get OpenID provider", err)
		}
	}
	return or.provider
}

func (or *OauthRouter) GetConfig() *oauth2.Config {
	if or.config.ClientID == "" {
		or.config = oauth2.Config{
			ClientID:     or.options.ClientID,
			ClientSecret: or.options.ClientSecret,
			Scopes:       []string{oidc.ScopeOpenID},
			RedirectURL:  or.options.RedirectURL,
			Endpoint:     or.GetProvider().Endpoint(),
		}
	}
	return &or.config
}

[tobychui]

Hey @Zekhap , thanks for the snippet!

I am not really expert in authentications, but from me it seems the structure make sense (although there are a few places where some optimization can be done, like checking for a nil options when creating the oauth2 object instance), but those can be easily fix and reviewed in a pull request.

@yeungalan What do you think about this? I feel like this can plug into our current auth provider architecture easily.

[Zekhap]

Thanks for the reply :)
I will fix some mirror things in this code.
Where do you want me to push it?(I have never pushed into someones project before)

[yeungalan]

overall lgtm, on top of this maybe we can add auto-discovery protocol and JWT token validation as well

[Zekhap]

Don't we already get the discovery when we use the issuerURL?
Like when i use that url it will fill in all fields automatically, like for instance, logout url, token url, authorize url.....
The only thing the user needs to fill in is the ClientID, ClientSecret, IssuerURL, RedirectURL(This url could be improved i think)
I believe that the idToken is checked with Verify(r.context(), cookie.Value), if im correct.
with expirery and parseJWT. Link to Verify