Add oauth2 like auth service

Signed-off-by: Asai Neko <sugar@sne.moe>
2026-01-02 15:57:42 +08:00
parent 62da1e096e
commit a98ab26fa4
12 changed files with 292 additions and 83 deletions
--- a/service/auth/handler.go
+++ b/service/auth/handler.go
@@ -1,9 +1,13 @@
 package auth

-import "github.com/gin-gonic/gin"
+import (
+	"nixcn-cms/middleware"
+
+	"github.com/gin-gonic/gin"
+)

 func Handler(r *gin.RouterGroup) {
-	r.GET("/redirect", Redirect)
+	r.GET("/redirect", Redirect, middleware.JWTAuth(false))
 	r.POST("/magic", Magic)
 	r.POST("/refresh", Refresh)
 	r.POST("/token", Token)
--- a/service/auth/magic.go
+++ b/service/auth/magic.go
@@ -1,15 +1,12 @@
 package auth

 import (
-	"nixcn-cms/data"
-	"nixcn-cms/internal/cryptography"
+	"net/url"
 	"nixcn-cms/pkgs/authcode"
 	"nixcn-cms/pkgs/email"
 	"nixcn-cms/pkgs/turnstile"

-	"github.com/google/uuid"
 	log "github.com/sirupsen/logrus"
-	"gorm.io/gorm"

 	"github.com/gin-gonic/gin"
 	"github.com/spf13/viper"
@@ -43,15 +40,23 @@ func Magic(c *gin.Context) {
 		c.JSON(500, gin.H{"status": "code gen failed"})
 	}

-	uri := viper.GetString("server.external_url") +
-		"/api/v1/auth/redirect?" +
-		"code=" + code +
-		"&redirect_uri=" + req.RedirectUri +
-		"&state=" + req.State
+	externalUrl := viper.GetString("server.external_url")
+	url, err := url.Parse(externalUrl)
+	if err != nil {
+		c.JSON(500, gin.H{"status": "invalid external url"})
+	}

-	debugMode := viper.GetString("server.debug_mode")
-	if debugMode == "true" {
-		log.Info("Magic link for " + req.Email + " : " + uri)
+	url.Path = "/api/v1/auth/redirect"
+	query := url.Query()
+	query.Set("code", code)
+	query.Set("redirect_uri", req.RedirectUri)
+	query.Set("state", req.State)
+	url.RawQuery = query.Encode()
+
+	debugMode := viper.GetBool("server.debug_mode")
+	if debugMode {
+		c.JSON(200, gin.H{"status": "magiclink sent", "uri": url.String()})
+		return
 	} else {
 		// Send email using resend
 		resend, err := email.NewResendClient()
@@ -63,61 +68,9 @@ func Magic(c *gin.Context) {
 		resend.Send(
 			req.Email,
 			"NixCN CMS Email Verify",
-			"<p>Click the link below to verify your email. This link will expire in 10 minutes.</p><a href="+uri+">"+uri+"</a>",
+			"<p>Click the link below to verify your email. This link will expire in 10 minutes.</p><a href="+url.String()+">"+url.String()+"</a>",
 		)
 	}

 	c.JSON(200, gin.H{"status": "magic link sent"})
 }
-
-func VerifyMagicLink(c *gin.Context) {
-	// Get token from url
-	magicToken := c.Query("token")
-	if magicToken == "" {
-		c.JSON(400, gin.H{"error": "missing token"})
-		return
-	}
-
-	// Verify email token
-	email, ok := authcode.VerifyAuthCode(magicToken)
-	if !ok {
-		c.JSON(401, gin.H{"error": "invalid or expired token"})
-		return
-	}
-
-	// Verify if user exists
-	userData := new(data.User)
-	user, err := userData.GetByEmail(email)
-
-	if err != nil {
-		if err == gorm.ErrRecordNotFound {
-			// Create user
-			user.UUID = uuid.New()
-			user.UserId = uuid.New()
-			user.Email = email
-			user.PermissionLevel = 10
-			if err := user.Create(); err != nil {
-				c.JSON(500, gin.H{"status": "internal server error"})
-				return
-			}
-		} else {
-			c.JSON(500, gin.H{"status": "internal server error"})
-			return
-		}
-	}
-
-	// Generate jwt
-	JwtTool := cryptography.Token{
-		Application: viper.GetString("server.application"),
-	}
-	accessToken, refreshToken, err := JwtTool.IssueTokens(user.UserId)
-	if err != nil {
-		c.JSON(500, gin.H{"status": "error generating tokens"})
-		return
-	}
-
-	c.JSON(200, gin.H{
-		"access_token":  accessToken,
-		"refresh_token": refreshToken,
-	})
-}
--- a/service/auth/redirect.go
+++ b/service/auth/redirect.go
@@ -1,7 +1,122 @@
 package auth

-import "github.com/gin-gonic/gin"
+import (
+	"net/url"
+	"nixcn-cms/data"
+	"nixcn-cms/pkgs/authcode"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)

 func Redirect(c *gin.Context) {
+	clientId := c.Query("client_id")
+	if clientId == "" {
+		c.JSON(400, gin.H{"status": "invalid request"})
+		return
+	}

+	redirectUri := c.Query("redirect_uri")
+	if redirectUri == "" {
+		c.JSON(400, gin.H{"status": "invalid request"})
+		return
+	}
+
+	state := c.Query("state")
+	if state == "" {
+		c.JSON(400, gin.H{"status": "invalid request"})
+		return
+	}
+
+	code := c.Query("code")
+	if code == "" {
+		userIdOrig, ok := c.Get("user_id")
+		if !ok || userIdOrig == "" {
+			c.JSON(401, gin.H{"status": "unauthorized"})
+			return
+		}
+
+		userId, err := uuid.Parse(userIdOrig.(string))
+		if err != nil {
+			c.JSON(500, gin.H{"status": "failed to parse uuid"})
+			return
+		}
+
+		userData := new(data.User)
+		user, err := userData.GetByUserId(userId)
+		if err != nil {
+			c.JSON(500, gin.H{"status": "failed to get user id"})
+			return
+		}
+
+		code, err := authcode.NewAuthCode(user.Email)
+		if err != nil {
+			c.JSON(500, gin.H{"status": "code gen failed"})
+			return
+		}
+
+		url, err := url.Parse(redirectUri)
+		if err != nil {
+			c.JSON(400, gin.H{"status": "invalid redirect uri"})
+			return
+		}
+		query := url.Query()
+		query.Set("code", code)
+		url.RawQuery = query.Encode()
+
+		c.Redirect(302, url.String())
+	}
+
+	// Verify email token
+	email, ok := authcode.VerifyAuthCode(code)
+	if !ok {
+		c.JSON(403, gin.H{"status": "invalid or expired token"})
+		return
+	}
+
+	// Verify if user exists
+	userData := new(data.User)
+	user, err := userData.GetByEmail(email)
+
+	if err != nil {
+		if err == gorm.ErrRecordNotFound {
+			// Create user
+			user.UUID = uuid.New()
+			user.UserId = uuid.New()
+			user.Email = email
+			user.PermissionLevel = 10
+			if err := user.Create(); err != nil {
+				c.JSON(500, gin.H{"status": "internal server error"})
+				return
+			}
+		} else {
+			c.JSON(500, gin.H{"status": "internal server error"})
+			return
+		}
+	}
+
+	clientData := new(data.Client)
+	client, err := clientData.GetClientByClientId(clientId)
+	if err != nil {
+		c.JSON(400, gin.H{"status": "client not found"})
+		return
+	}
+
+	err = client.ValidateRedirectURI(redirectUri)
+	if err != nil {
+		c.JSON(400, gin.H{"status": "redirect uri not match"})
+		return
+	}
+
+	url, err := url.Parse(redirectUri)
+	if err != nil {
+		c.JSON(400, gin.H{"status": "invalid redirect uri"})
+		return
+	}
+	query := url.Query()
+	query.Set("code", code)
+	url.RawQuery = query.Encode()
+
+	c.Redirect(302, url.String())
 }
--- a/service/auth/refresh.go
+++ b/service/auth/refresh.go
@@ -1,7 +1,7 @@
 package auth

 import (
-	"nixcn-cms/internal/cryptography"
+	"nixcn-cms/pkgs/authtoken"

 	"github.com/gin-gonic/gin"
 	"github.com/spf13/viper"
@@ -17,7 +17,7 @@ func Refresh(c *gin.Context) {
 		return
 	}

-	JwtTool := cryptography.Token{
+	JwtTool := authtoken.Token{
 		Application: viper.GetString("server.application"),
 	}

--- a/service/auth/token.go
+++ b/service/auth/token.go
@@ -1,7 +1,52 @@
 package auth

-import "github.com/gin-gonic/gin"
+import (
+	"nixcn-cms/data"
+	"nixcn-cms/pkgs/authcode"
+	"nixcn-cms/pkgs/authtoken"
+
+	"github.com/gin-gonic/gin"
+	"github.com/spf13/viper"
+)
+
+type TokenRequest struct {
+	Code string `json:"code"`
+}

 func Token(c *gin.Context) {
+	var req TokenRequest

+	err := c.ShouldBindJSON(&req)
+	if err != nil {
+		c.JSON(400, gin.H{"status": "invalid request"})
+		return
+	}
+
+	email, ok := authcode.VerifyAuthCode(req.Code)
+	if !ok {
+		c.JSON(403, gin.H{"status": "invalid or expired token"})
+		return
+	}
+
+	userData := new(data.User)
+	user, err := userData.GetByEmail(email)
+	if err != nil {
+		c.JSON(500, gin.H{"status": "internal server error"})
+		return
+	}
+
+	// Generate jwt
+	JwtTool := authtoken.Token{
+		Application: viper.GetString("server.application"),
+	}
+	accessToken, refreshToken, err := JwtTool.IssueTokens(user.UserId)
+	if err != nil {
+		c.JSON(500, gin.H{"status": "error generating tokens"})
+		return
+	}
+
+	c.JSON(200, gin.H{
+		"access_token":  accessToken,
+		"refresh_token": refreshToken,
+	})
 }