♻️ Improved profile token claims support
This commit is contained in:
parent
2a6c3a3447
commit
b5c29dd553
|
@ -6,10 +6,10 @@ import (
|
||||||
|
|
||||||
// Profile describes the data about the user.
|
// Profile describes the data about the user.
|
||||||
type Profile struct {
|
type Profile struct {
|
||||||
Photo []*URL `json:"photo"`
|
Photo []*URL `json:"photo,omitempty"`
|
||||||
URL []*URL `json:"url"`
|
URL []*URL `json:"url,omitempty"`
|
||||||
Email []*Email `json:"email"`
|
Email []*Email `json:"email,omitempty"`
|
||||||
Name []string `json:"name"`
|
Name []string `json:"name,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewProfile() *Profile {
|
func NewProfile() *Profile {
|
||||||
|
|
|
@ -19,8 +19,8 @@ type (
|
||||||
Expiry time.Time
|
Expiry time.Time
|
||||||
ClientID *ClientID
|
ClientID *ClientID
|
||||||
Me *Me
|
Me *Me
|
||||||
|
Profile *Profile
|
||||||
Scope Scopes
|
Scope Scopes
|
||||||
Extra map[string]interface{}
|
|
||||||
AccessToken string
|
AccessToken string
|
||||||
RefreshToken string
|
RefreshToken string
|
||||||
}
|
}
|
||||||
|
@ -30,9 +30,9 @@ type (
|
||||||
Expiration time.Duration
|
Expiration time.Duration
|
||||||
Issuer *ClientID
|
Issuer *ClientID
|
||||||
Subject *Me
|
Subject *Me
|
||||||
|
Profile *Profile
|
||||||
Scope Scopes
|
Scope Scopes
|
||||||
Secret []byte
|
Secret []byte
|
||||||
Claims map[string]interface{}
|
|
||||||
Algorithm string
|
Algorithm string
|
||||||
NonceLength int
|
NonceLength int
|
||||||
}
|
}
|
||||||
|
@ -48,7 +48,7 @@ var DefaultNewTokenOptions = NewTokenOptions{
|
||||||
Secret: nil,
|
Secret: nil,
|
||||||
Algorithm: "HS256",
|
Algorithm: "HS256",
|
||||||
NonceLength: 32,
|
NonceLength: 32,
|
||||||
Claims: nil,
|
Profile: nil,
|
||||||
}
|
}
|
||||||
|
|
||||||
// NewToken create a new token by provided options.
|
// NewToken create a new token by provided options.
|
||||||
|
@ -83,9 +83,20 @@ func NewToken(opts NewTokenOptions) (*Token, error) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
for key, val := range opts.Claims {
|
if opts.Profile != nil {
|
||||||
if err = tkn.Set(key, val); err != nil {
|
for key, val := range map[string]interface{}{
|
||||||
return nil, fmt.Errorf("failed to set JWT token claim: %w", err)
|
"name": opts.Profile.GetName(),
|
||||||
|
"url": opts.Profile.GetURL(),
|
||||||
|
"photo": opts.Profile.GetPhoto(),
|
||||||
|
"email": opts.Profile.GetEmail(),
|
||||||
|
} {
|
||||||
|
if val == nil {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if err = tkn.Set(key, val); err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to set JWT token claim: %w", err)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -111,8 +122,8 @@ func NewToken(opts NewTokenOptions) (*Token, error) {
|
||||||
ClientID: opts.Issuer,
|
ClientID: opts.Issuer,
|
||||||
CreatedAt: now,
|
CreatedAt: now,
|
||||||
Expiry: now.Add(opts.Expiration),
|
Expiry: now.Add(opts.Expiration),
|
||||||
Extra: opts.Claims,
|
|
||||||
Me: opts.Subject,
|
Me: opts.Subject,
|
||||||
|
Profile: opts.Profile,
|
||||||
RefreshToken: "", // TODO(toby3d)
|
RefreshToken: "", // TODO(toby3d)
|
||||||
Scope: opts.Scope,
|
Scope: opts.Scope,
|
||||||
}, nil
|
}, nil
|
||||||
|
@ -165,7 +176,7 @@ func TestToken(tb testing.TB) *Token {
|
||||||
ClientID: cid,
|
ClientID: cid,
|
||||||
Me: me,
|
Me: me,
|
||||||
Scope: scope,
|
Scope: scope,
|
||||||
Extra: nil,
|
Profile: TestProfile(tb),
|
||||||
AccessToken: string(accessToken),
|
AccessToken: string(accessToken),
|
||||||
RefreshToken: "", // TODO(toby3d)
|
RefreshToken: "", // TODO(toby3d)
|
||||||
}
|
}
|
||||||
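Review bot: The `if val == nil { continue }` guard in the new NewToken loop cannot catch a nil pointer coming back from GetURL, GetPhoto or GetEmail: once a typed nil such as `(*URL)(nil)` is stored in an `interface{}` map value it compares unequal to `nil`, and an empty name string is not nil either, so a profile without a photo still reaches `tkn.Set("photo", val)` with a nil pointer and a nameless profile writes a `"name": ""` claim. The getters' return types are not visible in this hunk; judging by `url.String()` and `email != nil` in the handler change they appear to be pointers, which is exactly the case the check misses. A type switch that also handles the empty string and the typed nil pointers closes the gap; the map literal and the `tkn.Set` call stay as they are. NewToken starts and ends outside this hunk.
```go
	if opts.Profile != nil {
		for key, val := range map[string]interface{}{
			// … unchanged: name/url/photo/email entries …
		} {
			// val == nil only catches an untyped nil; a typed nil pointer
			// boxed in interface{} is non-nil, so test each concrete type.
			switch v := val.(type) {
			case nil:
				continue
			case string:
				if v == "" {
					continue
				}
			case *URL:
				if v == nil {
					continue
				}
			case *Email:
				if v == nil {
					continue
				}
			}
			// … unchanged: tkn.Set(key, val) and its error handling …
		}
	}
```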
|
|
|
@ -20,7 +20,10 @@ type tokenUseCase struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewTokenUseCase(tokens token.Repository, sessions session.Repository, config *domain.Config) token.UseCase {
|
func NewTokenUseCase(tokens token.Repository, sessions session.Repository, config *domain.Config) token.UseCase {
|
||||||
|
jwt.RegisterCustomField("email", new(domain.Email))
|
||||||
|
jwt.RegisterCustomField("photo", new(domain.URL))
|
||||||
jwt.RegisterCustomField("scope", make(domain.Scopes, 0))
|
jwt.RegisterCustomField("scope", make(domain.Scopes, 0))
|
||||||
|
jwt.RegisterCustomField("url", new(domain.URL))
|
||||||
|
|
||||||
return &tokenUseCase{
|
return &tokenUseCase{
|
||||||
config: config,
|
config: config,
|
||||||
|
@ -56,28 +59,27 @@ func (useCase *tokenUseCase) Exchange(ctx context.Context, opts token.ExchangeOp
|
||||||
return nil, nil, token.ErrEmptyScope
|
return nil, nil, token.ErrEmptyScope
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !session.Scope.Has(domain.ScopeProfile) {
|
||||||
|
session.Profile = nil
|
||||||
|
} else if !session.Scope.Has(domain.ScopeEmail) {
|
||||||
|
session.Profile.Email = nil
|
||||||
|
}
|
||||||
|
|
||||||
tkn, err := domain.NewToken(domain.NewTokenOptions{
|
tkn, err := domain.NewToken(domain.NewTokenOptions{
|
||||||
Algorithm: useCase.config.JWT.Algorithm,
|
|
||||||
Expiration: useCase.config.JWT.Expiry,
|
Expiration: useCase.config.JWT.Expiry,
|
||||||
Issuer: session.ClientID,
|
Issuer: session.ClientID,
|
||||||
NonceLength: useCase.config.JWT.NonceLength,
|
Subject: session.Me,
|
||||||
Scope: session.Scope,
|
Scope: session.Scope,
|
||||||
Secret: []byte(useCase.config.JWT.Secret),
|
Secret: []byte(useCase.config.JWT.Secret),
|
||||||
Subject: session.Me,
|
Profile: session.Profile,
|
||||||
|
Algorithm: useCase.config.JWT.Algorithm,
|
||||||
|
NonceLength: useCase.config.JWT.NonceLength,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, fmt.Errorf("cannot generate a new access token: %w", err)
|
return nil, nil, fmt.Errorf("cannot generate a new access token: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if !session.Scope.Has(domain.ScopeProfile) {
|
return tkn, session.Profile, nil
|
||||||
return tkn, nil, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
p := new(domain.Profile)
|
|
||||||
|
|
||||||
// TODO(toby3d): if session.Scope.Has(domain.ScopeEmail) {}
|
|
||||||
|
|
||||||
return tkn, p, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (useCase *tokenUseCase) Verify(ctx context.Context, accessToken string) (*domain.Token, error) {
|
func (useCase *tokenUseCase) Verify(ctx context.Context, accessToken string) (*domain.Token, error) {
|
||||||
|
@ -100,8 +102,16 @@ func (useCase *tokenUseCase) Verify(ctx context.Context, accessToken string) (*d
|
||||||
return nil, fmt.Errorf("cannot validate JWT token: %w", err)
|
return nil, fmt.Errorf("cannot validate JWT token: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
result := new(domain.Token)
|
result := &domain.Token{
|
||||||
result.AccessToken = accessToken
|
CreatedAt: tkn.IssuedAt(),
|
||||||
|
Expiry: tkn.Expiration(),
|
||||||
|
ClientID: nil,
|
||||||
|
Me: nil,
|
||||||
|
Profile: nil,
|
||||||
|
Scope: nil,
|
||||||
|
AccessToken: accessToken,
|
||||||
|
RefreshToken: "", // TODO(toby3d)
|
||||||
|
}
|
||||||
result.ClientID, _ = domain.ParseClientID(tkn.Issuer())
|
result.ClientID, _ = domain.ParseClientID(tkn.Issuer())
|
||||||
result.Me, _ = domain.ParseMe(tkn.Subject())
|
result.Me, _ = domain.ParseMe(tkn.Subject())
|
||||||
|
|
||||||
|
@ -109,6 +119,40 @@ func (useCase *tokenUseCase) Verify(ctx context.Context, accessToken string) (*d
|
||||||
result.Scope, _ = scope.(domain.Scopes)
|
result.Scope, _ = scope.(domain.Scopes)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if !result.Scope.Has(domain.ScopeProfile) {
|
||||||
|
return result, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
result.Profile = domain.NewProfile()
|
||||||
|
|
||||||
|
if name, ok := tkn.Get("name"); ok {
|
||||||
|
if n, ok := name.(string); ok {
|
||||||
|
result.Profile.Name = append(result.Profile.Name, n)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if url, ok := tkn.Get("url"); ok {
|
||||||
|
if u, ok := url.(*domain.URL); ok {
|
||||||
|
result.Profile.URL = append(result.Profile.URL, u)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if photo, ok := tkn.Get("photo"); ok {
|
||||||
|
if p, ok := photo.(*domain.URL); ok {
|
||||||
|
result.Profile.Photo = append(result.Profile.Photo, p)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if !result.Scope.Has(domain.ScopeEmail) {
|
||||||
|
return result, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if email, ok := tkn.Get("email"); ok {
|
||||||
|
if e, ok := email.(*domain.Email); ok {
|
||||||
|
result.Profile.Email = append(result.Profile.Email, e)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return result, nil
|
return result, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
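Review bot: The new scope filtering in Exchange dereferences `session.Profile` in the `else if` branch without a nil check: a session that carries the profile scope but has no profile attached panics on `session.Profile.Email = nil`. Nothing in the hunk shows that a Profile is always populated at that point (the later `return tkn, session.Profile, nil` tolerates nil), so guard the branch: `} else if session.Profile != nil && !session.Scope.Has(domain.ScopeEmail) {`. The strip-down also mutates the session value rather than a copy; if that value is used elsewhere after Exchange the cleared fields are a side effect worth a comment such as `// Profile claims are reduced to the granted scopes before they are signed into the token.` Exchange starts outside this hunk; the Verify changes below allocate `result.Profile` with NewProfile before use and do not share the problem.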
|
|
|
@ -88,18 +88,24 @@ func (h *RequestHandler) handleUserInformation(ctx *http.RequestCtx) {
|
||||||
}
|
}
|
||||||
|
|
||||||
resp := new(UserInformationResponse)
|
resp := new(UserInformationResponse)
|
||||||
if tkn.Extra == nil {
|
if tkn.Profile == nil {
|
||||||
_ = encoder.Encode(resp)
|
_ = encoder.Encode(resp)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
resp.Name, _ = tkn.Extra["name"].(string)
|
resp.Name = tkn.Profile.GetName()
|
||||||
resp.URL, _ = tkn.Extra["url"].(string)
|
|
||||||
resp.Photo, _ = tkn.Extra["photo"].(string)
|
|
||||||
|
|
||||||
if tkn.Scope.Has(domain.ScopeEmail) {
|
if url := tkn.Profile.GetURL(); url != nil {
|
||||||
resp.Email, _ = tkn.Extra["email"].(string)
|
resp.URL = url.String()
|
||||||
|
}
|
||||||
|
|
||||||
|
if photo := tkn.Profile.GetPhoto(); photo != nil {
|
||||||
|
resp.Photo = photo.String()
|
||||||
|
}
|
||||||
|
|
||||||
|
if email := tkn.Profile.GetEmail(); email != nil && tkn.Scope.Has(domain.ScopeEmail) {
|
||||||
|
resp.Email = email.String()
|
||||||
}
|
}
|
||||||
|
|
||||||
_ = encoder.Encode(resp)
|
_ = encoder.Encode(resp)
|
||||||
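Review bot: In handleUserInformation the email branch reads `tkn.Profile.GetEmail()` before consulting the scope, and the local named `url` shadows the standard `net/url` package name if that file imports it; putting the scope decision first and renaming the local keeps the intent clearer. Concretely: `if tkn.Scope.Has(domain.ScopeEmail) {` wrapping `if email := tkn.Profile.GetEmail(); email != nil {`, and `if u := tkn.Profile.GetURL(); u != nil {` for the URL branch. The scope check is still worth keeping even though the Verify change only populates Profile.Email under the email scope; a one-line comment `// Email is released only under the email scope, independently of what the token carries.` records why the handler re-checks it. handleUserInformation starts outside this hunk.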
|
|