gotosocial/internal/oidc/handlecallback.go

// GoToSocial
// Copyright (C) GoToSocial Authors admin@gotosocial.org
// SPDX-License-Identifier: AGPL-3.0-or-later
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <http://www.gnu.org/licenses/>.

package oidc

import (
	"context"
	"errors"
	"fmt"

	"code.superseriousbusiness.org/gotosocial/internal/gtserror"
	"code.superseriousbusiness.org/gotosocial/internal/log"
)

func (i *idp) HandleCallback(ctx context.Context, code string) (*Claims, gtserror.WithCode) {
	if code == "" {
		err := errors.New("code was empty string")
		return nil, gtserror.NewErrorBadRequest(err, err.Error())
	}

	log.Debug(ctx, "exchanging code for oauth2token")
	oauth2Token, err := i.oauth2Config.Exchange(ctx, code)
	if err != nil {
		err := fmt.Errorf("error exchanging code for oauth2token: %s", err)
		return nil, gtserror.NewErrorInternalError(err)
	}

	log.Debug(ctx, "extracting id_token")
	rawIDToken, ok := oauth2Token.Extra("id_token").(string)
	if !ok {
		err := errors.New("no id_token in oauth2token")
		return nil, gtserror.NewErrorBadRequest(err, err.Error())
	}
	log.Debugf(ctx, "raw id token: %s", rawIDToken)

	// Parse and verify ID Token payload.
	log.Debug(ctx, "verifying id_token")
	idTokenVerifier := i.provider.Verifier(i.oidcConf)
	idToken, err := idTokenVerifier.Verify(ctx, rawIDToken)
	if err != nil {
		err = fmt.Errorf("could not verify id token: %s", err)
		return nil, gtserror.NewErrorUnauthorized(err, err.Error())
	}

	log.Debug(ctx, "extracting claims from id_token")
	claims := &Claims{}
	if err := idToken.Claims(claims); err != nil {
		err := fmt.Errorf("could not parse claims from idToken: %s", err)
		return nil, gtserror.NewErrorInternalError(err, err.Error())
	}

	return claims, nil
}

func (i *idp) AuthCodeURL(state string) string {
	return i.oauth2Config.AuthCodeURL(state)
}
[chore] Improve copyright header handling (#1608) * [chore] Remove years from all license headers Years or year ranges aren't required in license headers. Many projects have removed them in recent years and it avoids a bit of yearly toil. In many cases our copyright claim was also a bit dodgy since we added the 2021-2023 header to files created after 2021 but you can't claim copyright into the past that way. * [chore] Add license header check This ensures a license header is always added to any new file. This avoids maintainers/reviewers needing to remember to check for and ask for it in case a contribution doesn't include it. * [chore] Add missing license headers * [chore] Further updates to license header * Use the more common // indentend comment format * Remove the hack we had for the linter now that we use the // format * Add SPDX license identifier 2023-03-12 16:00:57 +01:00			`// GoToSocial`
			`// Copyright (C) GoToSocial Authors admin@gotosocial.org`
			`// SPDX-License-Identifier: AGPL-3.0-or-later`
			`//`
			`// This program is free software: you can redistribute it and/or modify`
			`// it under the terms of the GNU Affero General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
			`// This program is distributed in the hope that it will be useful,`
			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`// GNU Affero General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Affero General Public License`
			`// along with this program. If not, see <http://www.gnu.org/licenses/>.`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00
			`package oidc`

			`import (`
			`"context"`
			`"errors"`
			`"fmt"`
Extend license notices to 2022 (#354) 2021-12-20 18:42:19 +01:00
[feature] Move to code.superseriousbusiness.org 2025-04-26 15:34:10 +02:00			`"code.superseriousbusiness.org/gotosocial/internal/gtserror"`
			`"code.superseriousbusiness.org/gotosocial/internal/log"`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00			`)`

[feature] More consistent API error handling (#637) * update templates * start reworking api error handling * update template * return AP status at web endpoint if negotiated * start making api error handling much more consistent * update account endpoints to new error handling * use new api error handling in admin endpoints * go fmt ./... * use api error logic in app * use generic error handling in auth * don't export generic error handler * don't defer clearing session * user nicer error handling on oidc callback handler * tidy up the sign in handler * tidy up the token handler * use nicer error handling in blocksget * auth emojis endpoint * fix up remaining api endpoints * fix whoopsie during login flow * regenerate swagger docs * change http error logging to debug 2022-06-08 20:38:03 +02:00			`func (i idp) HandleCallback(ctx context.Context, code string) (Claims, gtserror.WithCode) {`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00			`if code == "" {`
[feature] More consistent API error handling (#637) * update templates * start reworking api error handling * update template * return AP status at web endpoint if negotiated * start making api error handling much more consistent * update account endpoints to new error handling * use new api error handling in admin endpoints * go fmt ./... * use api error logic in app * use generic error handling in auth * don't export generic error handler * don't defer clearing session * user nicer error handling on oidc callback handler * tidy up the sign in handler * tidy up the token handler * use nicer error handling in blocksget * auth emojis endpoint * fix up remaining api endpoints * fix whoopsie during login flow * regenerate swagger docs * change http error logging to debug 2022-06-08 20:38:03 +02:00			`err := errors.New("code was empty string")`
			`return nil, gtserror.NewErrorBadRequest(err, err.Error())`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00			`}`

[feature] Add a request ID and include it in logs (#1476) This adds a lightweight form of tracing to GTS. Each incoming request is assigned a Request ID which we then pass on and log in all our log lines. Any function that gets called downstream from an HTTP handler should now emit a requestID=value pair whenever it logs something. Co-authored-by: kim <grufwub@gmail.com> 2023-02-17 12:02:29 +01:00			`log.Debug(ctx, "exchanging code for oauth2token")`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00			`oauth2Token, err := i.oauth2Config.Exchange(ctx, code)`
			`if err != nil {`
[feature] More consistent API error handling (#637) * update templates * start reworking api error handling * update template * return AP status at web endpoint if negotiated * start making api error handling much more consistent * update account endpoints to new error handling * use new api error handling in admin endpoints * go fmt ./... * use api error logic in app * use generic error handling in auth * don't export generic error handler * don't defer clearing session * user nicer error handling on oidc callback handler * tidy up the sign in handler * tidy up the token handler * use nicer error handling in blocksget * auth emojis endpoint * fix up remaining api endpoints * fix whoopsie during login flow * regenerate swagger docs * change http error logging to debug 2022-06-08 20:38:03 +02:00			`err := fmt.Errorf("error exchanging code for oauth2token: %s", err)`
			`return nil, gtserror.NewErrorInternalError(err)`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00			`}`

[feature] Add a request ID and include it in logs (#1476) This adds a lightweight form of tracing to GTS. Each incoming request is assigned a Request ID which we then pass on and log in all our log lines. Any function that gets called downstream from an HTTP handler should now emit a requestID=value pair whenever it logs something. Co-authored-by: kim <grufwub@gmail.com> 2023-02-17 12:02:29 +01:00			`log.Debug(ctx, "extracting id_token")`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00			`rawIDToken, ok := oauth2Token.Extra("id_token").(string)`
			`if !ok {`
[feature] More consistent API error handling (#637) * update templates * start reworking api error handling * update template * return AP status at web endpoint if negotiated * start making api error handling much more consistent * update account endpoints to new error handling * use new api error handling in admin endpoints * go fmt ./... * use api error logic in app * use generic error handling in auth * don't export generic error handler * don't defer clearing session * user nicer error handling on oidc callback handler * tidy up the sign in handler * tidy up the token handler * use nicer error handling in blocksget * auth emojis endpoint * fix up remaining api endpoints * fix whoopsie during login flow * regenerate swagger docs * change http error logging to debug 2022-06-08 20:38:03 +02:00			`err := errors.New("no id_token in oauth2token")`
			`return nil, gtserror.NewErrorBadRequest(err, err.Error())`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00			`}`
[feature] Add a request ID and include it in logs (#1476) This adds a lightweight form of tracing to GTS. Each incoming request is assigned a Request ID which we then pass on and log in all our log lines. Any function that gets called downstream from an HTTP handler should now emit a requestID=value pair whenever it logs something. Co-authored-by: kim <grufwub@gmail.com> 2023-02-17 12:02:29 +01:00			`log.Debugf(ctx, "raw id token: %s", rawIDToken)`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00
			`// Parse and verify ID Token payload.`
[feature] Add a request ID and include it in logs (#1476) This adds a lightweight form of tracing to GTS. Each incoming request is assigned a Request ID which we then pass on and log in all our log lines. Any function that gets called downstream from an HTTP handler should now emit a requestID=value pair whenever it logs something. Co-authored-by: kim <grufwub@gmail.com> 2023-02-17 12:02:29 +01:00			`log.Debug(ctx, "verifying id_token")`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00			`idTokenVerifier := i.provider.Verifier(i.oidcConf)`
			`idToken, err := idTokenVerifier.Verify(ctx, rawIDToken)`
			`if err != nil {`
[feature] More consistent API error handling (#637) * update templates * start reworking api error handling * update template * return AP status at web endpoint if negotiated * start making api error handling much more consistent * update account endpoints to new error handling * use new api error handling in admin endpoints * go fmt ./... * use api error logic in app * use generic error handling in auth * don't export generic error handler * don't defer clearing session * user nicer error handling on oidc callback handler * tidy up the sign in handler * tidy up the token handler * use nicer error handling in blocksget * auth emojis endpoint * fix up remaining api endpoints * fix whoopsie during login flow * regenerate swagger docs * change http error logging to debug 2022-06-08 20:38:03 +02:00			`err = fmt.Errorf("could not verify id token: %s", err)`
			`return nil, gtserror.NewErrorUnauthorized(err, err.Error())`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00			`}`

[feature] Add a request ID and include it in logs (#1476) This adds a lightweight form of tracing to GTS. Each incoming request is assigned a Request ID which we then pass on and log in all our log lines. Any function that gets called downstream from an HTTP handler should now emit a requestID=value pair whenever it logs something. Co-authored-by: kim <grufwub@gmail.com> 2023-02-17 12:02:29 +01:00			`log.Debug(ctx, "extracting claims from id_token")`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00			`claims := &Claims{}`
			`if err := idToken.Claims(claims); err != nil {`
[feature] More consistent API error handling (#637) * update templates * start reworking api error handling * update template * return AP status at web endpoint if negotiated * start making api error handling much more consistent * update account endpoints to new error handling * use new api error handling in admin endpoints * go fmt ./... * use api error logic in app * use generic error handling in auth * don't export generic error handler * don't defer clearing session * user nicer error handling on oidc callback handler * tidy up the sign in handler * tidy up the token handler * use nicer error handling in blocksget * auth emojis endpoint * fix up remaining api endpoints * fix whoopsie during login flow * regenerate swagger docs * change http error logging to debug 2022-06-08 20:38:03 +02:00			`err := fmt.Errorf("could not parse claims from idToken: %s", err)`
			`return nil, gtserror.NewErrorInternalError(err, err.Error())`
Oidc (#109) * add oidc config * inching forward with oidc idp * lil webfingy fix * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * add oidc config * inching forward with oidc idp * bit more progress * further oidc * oidc now working * document dex config * replace broken images * add additional credits * tiny doc update * update * document * docs + comments 2021-07-23 10:36:28 +02:00			`}`

			`return claims, nil`
			`}`

			`func (i *idp) AuthCodeURL(state string) string {`
			`return i.oauth2Config.AuthCodeURL(state)`
			`}`