wangwei
/
aiforge
Not watched
1
0
Fork 0
Code
Releases 128 Wiki Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
7568 Commits
197 Branches
346 MB
814 Download
Tree: 43cf2f3b55
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '43cf2f3b55'
${ noResults }
aiforge/routers/user/oauth.go

oauth.go 16 kB
Raw Normal View History

Integrate OAuth2 Provider (#5378)
6 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
6 years ago
Integrate OAuth2 Provider (#5378)
6 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
6 years ago
Integrate OAuth2 Provider (#5378)
6 years ago
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
6 years ago
Integrate OAuth2 Provider (#5378)
6 years ago
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
6 years ago
Integrate OAuth2 Provider (#5378)
6 years ago
Use AppURL for Oauth user link (#6894) * Use AppURL for Oauth user link Fix #6843 * Update oauth.go * Update oauth.go
6 years ago
Integrate OAuth2 Provider (#5378)
6 years ago
fix missing return (#6751)
6 years ago
Integrate OAuth2 Provider (#5378)
6 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
6 years ago
Integrate OAuth2 Provider (#5378)
6 years ago
Add option to disable refresh token invalidation (#6584) * Add option to disable refresh token invalidation Signed-off-by: Jonas Franz <info@jonasfranz.software> * Add integration tests and remove wrong todos Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix typo Signed-off-by: Jonas Franz <info@jonasfranz.software> * Fix tests and add documentation Signed-off-by: Jonas Franz <info@jonasfranz.software>
6 years ago
Integrate OAuth2 Provider (#5378)
6 years ago
Add support for client basic auth for exchanging access tokens (#6293) * Add support for client basic auth for exchanging access tokens * Improve error messages * Fix tests
6 years ago
Integrate OAuth2 Provider (#5378)
6 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480 
  1. // Copyright 2019 The Gitea Authors. All rights reserved.

  2. // Use of this source code is governed by a MIT-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package user

  6. 

  7. import (

  8. 	"encoding/base64"

  9. 	"fmt"

  10. 	"net/url"

  11. 	"strings"

  12. 

  13. 	"github.com/dgrijalva/jwt-go"

  14. 	"github.com/go-macaron/binding"

  15. 

  16. 	"code.gitea.io/gitea/models"

  17. 	"code.gitea.io/gitea/modules/auth"

  18. 	"code.gitea.io/gitea/modules/base"

  19. 	"code.gitea.io/gitea/modules/context"

  20. 	"code.gitea.io/gitea/modules/log"

  21. 	"code.gitea.io/gitea/modules/setting"

  22. 	"code.gitea.io/gitea/modules/util"

  23. )

  24. 

  25. const (

  26. 	tplGrantAccess base.TplName = "user/auth/grant"

  27. 	tplGrantError  base.TplName = "user/auth/grant_error"

  28. )

  29. 

  30. // TODO move error and responses to SDK or models

  31. 

  32. // AuthorizeErrorCode represents an error code specified in RFC 6749

  33. type AuthorizeErrorCode string

  34. 

  35. const (

  36. 	// ErrorCodeInvalidRequest represents the according error in RFC 6749

  37. 	ErrorCodeInvalidRequest AuthorizeErrorCode = "invalid_request"

  38. 	// ErrorCodeUnauthorizedClient represents the according error in RFC 6749

  39. 	ErrorCodeUnauthorizedClient AuthorizeErrorCode = "unauthorized_client"

  40. 	// ErrorCodeAccessDenied represents the according error in RFC 6749

  41. 	ErrorCodeAccessDenied AuthorizeErrorCode = "access_denied"

  42. 	// ErrorCodeUnsupportedResponseType represents the according error in RFC 6749

  43. 	ErrorCodeUnsupportedResponseType AuthorizeErrorCode = "unsupported_response_type"

  44. 	// ErrorCodeInvalidScope represents the according error in RFC 6749

  45. 	ErrorCodeInvalidScope AuthorizeErrorCode = "invalid_scope"

  46. 	// ErrorCodeServerError represents the according error in RFC 6749

  47. 	ErrorCodeServerError AuthorizeErrorCode = "server_error"

  48. 	// ErrorCodeTemporaryUnavailable represents the according error in RFC 6749

  49. 	ErrorCodeTemporaryUnavailable AuthorizeErrorCode = "temporarily_unavailable"

  50. )

  51. 

  52. // AuthorizeError represents an error type specified in RFC 6749

  53. type AuthorizeError struct {

  54. 	ErrorCode        AuthorizeErrorCode `json:"error" form:"error"`

  55. 	ErrorDescription string

  56. 	State            string

  57. }

  58. 

  59. // Error returns the error message

  60. func (err AuthorizeError) Error() string {

  61. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)

  62. }

  63. 

  64. // AccessTokenErrorCode represents an error code specified in RFC 6749

  65. type AccessTokenErrorCode string

  66. 

  67. const (

  68. 	// AccessTokenErrorCodeInvalidRequest represents an error code specified in RFC 6749

  69. 	AccessTokenErrorCodeInvalidRequest AccessTokenErrorCode = "invalid_request"

  70. 	// AccessTokenErrorCodeInvalidClient represents an error code specified in RFC 6749

  71. 	AccessTokenErrorCodeInvalidClient = "invalid_client"

  72. 	// AccessTokenErrorCodeInvalidGrant represents an error code specified in RFC 6749

  73. 	AccessTokenErrorCodeInvalidGrant = "invalid_grant"

  74. 	// AccessTokenErrorCodeUnauthorizedClient represents an error code specified in RFC 6749

  75. 	AccessTokenErrorCodeUnauthorizedClient = "unauthorized_client"

  76. 	// AccessTokenErrorCodeUnsupportedGrantType represents an error code specified in RFC 6749

  77. 	AccessTokenErrorCodeUnsupportedGrantType = "unsupported_grant_type"

  78. 	// AccessTokenErrorCodeInvalidScope represents an error code specified in RFC 6749

  79. 	AccessTokenErrorCodeInvalidScope = "invalid_scope"

  80. )

  81. 

  82. // AccessTokenError represents an error response specified in RFC 6749

  83. type AccessTokenError struct {

  84. 	ErrorCode        AccessTokenErrorCode `json:"error" form:"error"`

  85. 	ErrorDescription string               `json:"error_description"`

  86. }

  87. 

  88. // Error returns the error message

  89. func (err AccessTokenError) Error() string {

  90. 	return fmt.Sprintf("%s: %s", err.ErrorCode, err.ErrorDescription)

  91. }

  92. 

  93. // TokenType specifies the kind of token

  94. type TokenType string

  95. 

  96. const (

  97. 	// TokenTypeBearer represents a token type specified in RFC 6749

  98. 	TokenTypeBearer TokenType = "bearer"

  99. 	// TokenTypeMAC represents a token type specified in RFC 6749

  100. 	TokenTypeMAC = "mac"

  101. )

  102. 

  103. // AccessTokenResponse represents a successful access token response

  104. type AccessTokenResponse struct {

  105. 	AccessToken  string    `json:"access_token"`

  106. 	TokenType    TokenType `json:"token_type"`

  107. 	ExpiresIn    int64     `json:"expires_in"`

  108. 	RefreshToken string    `json:"refresh_token"`

  109. }

  110. 

  111. func newAccessTokenResponse(grant *models.OAuth2Grant) (*AccessTokenResponse, *AccessTokenError) {

  112. 	if setting.OAuth2.InvalidateRefreshTokens {

  113. 		if err := grant.IncreaseCounter(); err != nil {

  114. 			return nil, &AccessTokenError{

  115. 				ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  116. 				ErrorDescription: "cannot increase the grant counter",

  117. 			}

  118. 		}

  119. 	}

  120. 	// generate access token to access the API

  121. 	expirationDate := util.TimeStampNow().Add(setting.OAuth2.AccessTokenExpirationTime)

  122. 	accessToken := &models.OAuth2Token{

  123. 		GrantID: grant.ID,

  124. 		Type:    models.TypeAccessToken,

  125. 		StandardClaims: jwt.StandardClaims{

  126. 			ExpiresAt: expirationDate.AsTime().Unix(),

  127. 		},

  128. 	}

  129. 	signedAccessToken, err := accessToken.SignToken()

  130. 	if err != nil {

  131. 		return nil, &AccessTokenError{

  132. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  133. 			ErrorDescription: "cannot sign token",

  134. 		}

  135. 	}

  136. 

  137. 	// generate refresh token to request an access token after it expired later

  138. 	refreshExpirationDate := util.TimeStampNow().Add(setting.OAuth2.RefreshTokenExpirationTime * 60 * 60).AsTime().Unix()

  139. 	refreshToken := &models.OAuth2Token{

  140. 		GrantID: grant.ID,

  141. 		Counter: grant.Counter,

  142. 		Type:    models.TypeRefreshToken,

  143. 		StandardClaims: jwt.StandardClaims{

  144. 			ExpiresAt: refreshExpirationDate,

  145. 		},

  146. 	}

  147. 	signedRefreshToken, err := refreshToken.SignToken()

  148. 	if err != nil {

  149. 		return nil, &AccessTokenError{

  150. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  151. 			ErrorDescription: "cannot sign token",

  152. 		}

  153. 	}

  154. 

  155. 	return &AccessTokenResponse{

  156. 		AccessToken:  signedAccessToken,

  157. 		TokenType:    TokenTypeBearer,

  158. 		ExpiresIn:    setting.OAuth2.AccessTokenExpirationTime,

  159. 		RefreshToken: signedRefreshToken,

  160. 	}, nil

  161. }

  162. 

  163. // AuthorizeOAuth manages authorize requests

  164. func AuthorizeOAuth(ctx *context.Context, form auth.AuthorizationForm) {

  165. 	errs := binding.Errors{}

  166. 	errs = form.Validate(ctx.Context, errs)

  167. 

  168. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  169. 	if err != nil {

  170. 		if models.IsErrOauthClientIDInvalid(err) {

  171. 			handleAuthorizeError(ctx, AuthorizeError{

  172. 				ErrorCode:        ErrorCodeUnauthorizedClient,

  173. 				ErrorDescription: "Client ID not registered",

  174. 				State:            form.State,

  175. 			}, "")

  176. 			return

  177. 		}

  178. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)

  179. 		return

  180. 	}

  181. 	if err := app.LoadUser(); err != nil {

  182. 		ctx.ServerError("LoadUser", err)

  183. 		return

  184. 	}

  185. 

  186. 	if !app.ContainsRedirectURI(form.RedirectURI) {

  187. 		handleAuthorizeError(ctx, AuthorizeError{

  188. 			ErrorCode:        ErrorCodeInvalidRequest,

  189. 			ErrorDescription: "Unregistered Redirect URI",

  190. 			State:            form.State,

  191. 		}, "")

  192. 		return

  193. 	}

  194. 

  195. 	if form.ResponseType != "code" {

  196. 		handleAuthorizeError(ctx, AuthorizeError{

  197. 			ErrorCode:        ErrorCodeUnsupportedResponseType,

  198. 			ErrorDescription: "Only code response type is supported.",

  199. 			State:            form.State,

  200. 		}, form.RedirectURI)

  201. 		return

  202. 	}

  203. 

  204. 	// pkce support

  205. 	switch form.CodeChallengeMethod {

  206. 	case "S256":

  207. 	case "plain":

  208. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallengeMethod); err != nil {

  209. 			handleAuthorizeError(ctx, AuthorizeError{

  210. 				ErrorCode:        ErrorCodeServerError,

  211. 				ErrorDescription: "cannot set code challenge method",

  212. 				State:            form.State,

  213. 			}, form.RedirectURI)

  214. 			return

  215. 		}

  216. 		if err := ctx.Session.Set("CodeChallengeMethod", form.CodeChallenge); err != nil {

  217. 			handleAuthorizeError(ctx, AuthorizeError{

  218. 				ErrorCode:        ErrorCodeServerError,

  219. 				ErrorDescription: "cannot set code challenge",

  220. 				State:            form.State,

  221. 			}, form.RedirectURI)

  222. 			return

  223. 		}

  224. 		break

  225. 	case "":

  226. 		break

  227. 	default:

  228. 		handleAuthorizeError(ctx, AuthorizeError{

  229. 			ErrorCode:        ErrorCodeInvalidRequest,

  230. 			ErrorDescription: "unsupported code challenge method",

  231. 			State:            form.State,

  232. 		}, form.RedirectURI)

  233. 		return

  234. 	}

  235. 

  236. 	grant, err := app.GetGrantByUserID(ctx.User.ID)

  237. 	if err != nil {

  238. 		handleServerError(ctx, form.State, form.RedirectURI)

  239. 		return

  240. 	}

  241. 

  242. 	// Redirect if user already granted access

  243. 	if grant != nil {

  244. 		code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, form.CodeChallenge, form.CodeChallengeMethod)

  245. 		if err != nil {

  246. 			handleServerError(ctx, form.State, form.RedirectURI)

  247. 			return

  248. 		}

  249. 		redirect, err := code.GenerateRedirectURI(form.State)

  250. 		if err != nil {

  251. 			handleServerError(ctx, form.State, form.RedirectURI)

  252. 			return

  253. 		}

  254. 		ctx.Redirect(redirect.String(), 302)

  255. 		return

  256. 	}

  257. 

  258. 	// show authorize page to grant access

  259. 	ctx.Data["Application"] = app

  260. 	ctx.Data["RedirectURI"] = form.RedirectURI

  261. 	ctx.Data["State"] = form.State

  262. 	ctx.Data["ApplicationUserLink"] = "<a href=\"" + setting.AppURL + app.User.LowerName + "\">@" + app.User.Name + "</a>"

  263. 	ctx.Data["ApplicationRedirectDomainHTML"] = "<strong>" + form.RedirectURI + "</strong>"

  264. 	// TODO document SESSION <=> FORM

  265. 	ctx.Session.Set("client_id", app.ClientID)

  266. 	ctx.Session.Set("redirect_uri", form.RedirectURI)

  267. 	ctx.Session.Set("state", form.State)

  268. 	ctx.HTML(200, tplGrantAccess)

  269. }

  270. 

  271. // GrantApplicationOAuth manages the post request submitted when a user grants access to an application

  272. func GrantApplicationOAuth(ctx *context.Context, form auth.GrantApplicationForm) {

  273. 	if ctx.Session.Get("client_id") != form.ClientID || ctx.Session.Get("state") != form.State ||

  274. 		ctx.Session.Get("redirect_uri") != form.RedirectURI {

  275. 		ctx.Error(400)

  276. 		return

  277. 	}

  278. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  279. 	if err != nil {

  280. 		ctx.ServerError("GetOAuth2ApplicationByClientID", err)

  281. 		return

  282. 	}

  283. 	grant, err := app.CreateGrant(ctx.User.ID)

  284. 	if err != nil {

  285. 		handleAuthorizeError(ctx, AuthorizeError{

  286. 			State:            form.State,

  287. 			ErrorDescription: "cannot create grant for user",

  288. 			ErrorCode:        ErrorCodeServerError,

  289. 		}, form.RedirectURI)

  290. 		return

  291. 	}

  292. 

  293. 	var codeChallenge, codeChallengeMethod string

  294. 	codeChallenge, _ = ctx.Session.Get("CodeChallenge").(string)

  295. 	codeChallengeMethod, _ = ctx.Session.Get("CodeChallengeMethod").(string)

  296. 

  297. 	code, err := grant.GenerateNewAuthorizationCode(form.RedirectURI, codeChallenge, codeChallengeMethod)

  298. 	if err != nil {

  299. 		handleServerError(ctx, form.State, form.RedirectURI)

  300. 		return

  301. 	}

  302. 	redirect, err := code.GenerateRedirectURI(form.State)

  303. 	if err != nil {

  304. 		handleServerError(ctx, form.State, form.RedirectURI)

  305. 		return

  306. 	}

  307. 	ctx.Redirect(redirect.String(), 302)

  308. }

  309. 

  310. // AccessTokenOAuth manages all access token requests by the client

  311. func AccessTokenOAuth(ctx *context.Context, form auth.AccessTokenForm) {

  312. 	if form.ClientID == "" {

  313. 		authHeader := ctx.Req.Header.Get("Authorization")

  314. 		authContent := strings.SplitN(authHeader, " ", 2)

  315. 		if len(authContent) == 2 && authContent[0] == "Basic" {

  316. 			payload, err := base64.StdEncoding.DecodeString(authContent[1])

  317. 			if err != nil {

  318. 				handleAccessTokenError(ctx, AccessTokenError{

  319. 					ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  320. 					ErrorDescription: "cannot parse basic auth header",

  321. 				})

  322. 				return

  323. 			}

  324. 			pair := strings.SplitN(string(payload), ":", 2)

  325. 			if len(pair) != 2 {

  326. 				handleAccessTokenError(ctx, AccessTokenError{

  327. 					ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  328. 					ErrorDescription: "cannot parse basic auth header",

  329. 				})

  330. 				return

  331. 			}

  332. 			form.ClientID = pair[0]

  333. 			form.ClientSecret = pair[1]

  334. 		}

  335. 	}

  336. 	switch form.GrantType {

  337. 	case "refresh_token":

  338. 		handleRefreshToken(ctx, form)

  339. 		return

  340. 	case "authorization_code":

  341. 		handleAuthorizationCode(ctx, form)

  342. 		return

  343. 	default:

  344. 		handleAccessTokenError(ctx, AccessTokenError{

  345. 			ErrorCode:        AccessTokenErrorCodeUnsupportedGrantType,

  346. 			ErrorDescription: "Only refresh_token or authorization_code grant type is supported",

  347. 		})

  348. 	}

  349. }

  350. 

  351. func handleRefreshToken(ctx *context.Context, form auth.AccessTokenForm) {

  352. 	token, err := models.ParseOAuth2Token(form.RefreshToken)

  353. 	if err != nil {

  354. 		handleAccessTokenError(ctx, AccessTokenError{

  355. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  356. 			ErrorDescription: "client is not authorized",

  357. 		})

  358. 		return

  359. 	}

  360. 	// get grant before increasing counter

  361. 	grant, err := models.GetOAuth2GrantByID(token.GrantID)

  362. 	if err != nil || grant == nil {

  363. 		handleAccessTokenError(ctx, AccessTokenError{

  364. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  365. 			ErrorDescription: "grant does not exist",

  366. 		})

  367. 		return

  368. 	}

  369. 

  370. 	// check if token got already used

  371. 	if setting.OAuth2.InvalidateRefreshTokens && (grant.Counter != token.Counter || token.Counter == 0) {

  372. 		handleAccessTokenError(ctx, AccessTokenError{

  373. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  374. 			ErrorDescription: "token was already used",

  375. 		})

  376. 		log.Warn("A client tried to use a refresh token for grant_id = %d was used twice!", grant.ID)

  377. 		return

  378. 	}

  379. 	accessToken, tokenErr := newAccessTokenResponse(grant)

  380. 	if tokenErr != nil {

  381. 		handleAccessTokenError(ctx, *tokenErr)

  382. 		return

  383. 	}

  384. 	ctx.JSON(200, accessToken)

  385. }

  386. 

  387. func handleAuthorizationCode(ctx *context.Context, form auth.AccessTokenForm) {

  388. 	app, err := models.GetOAuth2ApplicationByClientID(form.ClientID)

  389. 	if err != nil {

  390. 		handleAccessTokenError(ctx, AccessTokenError{

  391. 			ErrorCode:        AccessTokenErrorCodeInvalidClient,

  392. 			ErrorDescription: fmt.Sprintf("cannot load client with client id: '%s'", form.ClientID),

  393. 		})

  394. 		return

  395. 	}

  396. 	if !app.ValidateClientSecret([]byte(form.ClientSecret)) {

  397. 		handleAccessTokenError(ctx, AccessTokenError{

  398. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  399. 			ErrorDescription: "client is not authorized",

  400. 		})

  401. 		return

  402. 	}

  403. 	if form.RedirectURI != "" && !app.ContainsRedirectURI(form.RedirectURI) {

  404. 		handleAccessTokenError(ctx, AccessTokenError{

  405. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  406. 			ErrorDescription: "client is not authorized",

  407. 		})

  408. 		return

  409. 	}

  410. 	authorizationCode, err := models.GetOAuth2AuthorizationByCode(form.Code)

  411. 	if err != nil || authorizationCode == nil {

  412. 		handleAccessTokenError(ctx, AccessTokenError{

  413. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  414. 			ErrorDescription: "client is not authorized",

  415. 		})

  416. 		return

  417. 	}

  418. 	// check if code verifier authorizes the client, PKCE support

  419. 	if !authorizationCode.ValidateCodeChallenge(form.CodeVerifier) {

  420. 		handleAccessTokenError(ctx, AccessTokenError{

  421. 			ErrorCode:        AccessTokenErrorCodeUnauthorizedClient,

  422. 			ErrorDescription: "client is not authorized",

  423. 		})

  424. 		return

  425. 	}

  426. 	// check if granted for this application

  427. 	if authorizationCode.Grant.ApplicationID != app.ID {

  428. 		handleAccessTokenError(ctx, AccessTokenError{

  429. 			ErrorCode:        AccessTokenErrorCodeInvalidGrant,

  430. 			ErrorDescription: "invalid grant",

  431. 		})

  432. 		return

  433. 	}

  434. 	// remove token from database to deny duplicate usage

  435. 	if err := authorizationCode.Invalidate(); err != nil {

  436. 		handleAccessTokenError(ctx, AccessTokenError{

  437. 			ErrorCode:        AccessTokenErrorCodeInvalidRequest,

  438. 			ErrorDescription: "cannot proceed your request",

  439. 		})

  440. 	}

  441. 	resp, tokenErr := newAccessTokenResponse(authorizationCode.Grant)

  442. 	if tokenErr != nil {

  443. 		handleAccessTokenError(ctx, *tokenErr)

  444. 		return

  445. 	}

  446. 	// send successful response

  447. 	ctx.JSON(200, resp)

  448. }

  449. 

  450. func handleAccessTokenError(ctx *context.Context, acErr AccessTokenError) {

  451. 	ctx.JSON(400, acErr)

  452. }

  453. 

  454. func handleServerError(ctx *context.Context, state string, redirectURI string) {

  455. 	handleAuthorizeError(ctx, AuthorizeError{

  456. 		ErrorCode:        ErrorCodeServerError,

  457. 		ErrorDescription: "A server error occurred",

  458. 		State:            state,

  459. 	}, redirectURI)

  460. }

  461. 

  462. func handleAuthorizeError(ctx *context.Context, authErr AuthorizeError, redirectURI string) {

  463. 	if redirectURI == "" {

  464. 		log.Warn("Authorization failed: %v", authErr.ErrorDescription)

  465. 		ctx.Data["Error"] = authErr

  466. 		ctx.HTML(400, tplGrantError)

  467. 		return

  468. 	}

  469. 	redirect, err := url.Parse(redirectURI)

  470. 	if err != nil {

  471. 		ctx.ServerError("url.Parse", err)

  472. 		return

  473. 	}

  474. 	q := redirect.Query()

  475. 	q.Set("error", string(authErr.ErrorCode))

  476. 	q.Set("error_description", authErr.ErrorDescription)

  477. 	q.Set("state", authErr.State)

  478. 	redirect.RawQuery = q.Encode()

  479. 	ctx.Redirect(redirect.String(), 302)

  480. }

No Description