uauth/internal/serve/handler/token.go

package handler

import (
	"encoding/base64"
	"errors"
	"github.com/google/uuid"
	"github.com/loveuer/nf"
	"github.com/loveuer/nf/nft/log"
	"gorm.io/gorm"
	"net/http"
	"strings"
	"uauth/internal/store/cache"
	"uauth/internal/store/db"
	"uauth/internal/tool"
	"uauth/model"
)

func verifyClient(c *nf.Ctx) (*model.Client, error) {
	var (
		err    error
		basic  string
		bs     []byte
		strs   []string
		client = new(model.Client)
	)

	if basic = c.Get("Authorization"); basic == "" {
		return nil, errors.New("authorization header missing")
	}

	switch {
	case strings.HasPrefix(basic, "Basic "):
		basic = strings.TrimPrefix(basic, "Basic ")
	default:
		return nil, errors.New("authorization scheme not supported")
	}

	if bs, err = base64.StdEncoding.DecodeString(basic); err != nil {
		log.Warn("[Token] base64 decode failed, raw = %s, err = %s", basic, err.Error())
		return nil, errors.New("invalid basic authorization")
	}

	if strs = strings.SplitN(string(bs), ":", 2); len(strs) != 2 {
		log.Warn("[Token] basic split err, decode = %s", string(bs))
		return nil, errors.New("invalid basic authorization")
	}

	clientId, clientSecret := strs[0], strs[1]
	if err = db.Default.Session().Model(&model.Client{}).
		Where("client_id", clientId).
		Take(client).
		Error; err != nil {
		if errors.Is(err, gorm.ErrRecordNotFound) {
			return nil, errors.New("client invalid")
		}

		log.Error("[Token] db take client by id = %s, err = %s", clientId, err.Error())
		return nil, errors.New("unknown server error")
	}

	if client.ClientSecret != clientSecret {
		log.Warn("[Token] client_secret invalid, want = %s, got = %s", client.ClientSecret, clientSecret)
		return nil, errors.New("client secret invalid")
	}

	return client, nil
}

func HandleToken(c *nf.Ctx) error {
	var (
		err       error
		opId      uint64
		op        = new(model.User)
		token     string
		client    *model.Client
		grantType = c.Form("grant_type")
	)

	switch grantType {
	case "password":
		if client, err = verifyClient(c); err != nil {
			return c.Status(http.StatusBadRequest).SendString("Bad Request: " + err.Error())
		}

		username := c.Form("username")
		password := c.Form("password")
		if err = db.Default.Session().Model(&model.User{}).
			Where("username = ?", username).
			Take(op).Error; err != nil {
			if errors.Is(err, gorm.ErrRecordNotFound) {
				return c.Status(http.StatusBadRequest).SendString("Bad Request: invalid username or password")
			}

			log.Error("[Token] db take user by username = %s, err = %s", username, err.Error())
			return c.Status(http.StatusInternalServerError).SendString("Internal Server Error")
		}

		if !tool.ComparePassword(password, op.Password) {
			return c.Status(http.StatusBadRequest).SendString("Bad Request: invalid username or password")
		}
	case "authorization_code":
		if client, err = verifyClient(c); err != nil {
			return c.Status(http.StatusBadRequest).SendString("Bad Request: " + err.Error())
		}

		code := c.Form("code")
		if code == "" {
			return c.Status(http.StatusBadRequest).SendString("Bad Request: no code provided")
		}

		if err = cache.Client.GetScan(tool.Timeout(2), cache.Prefix+"auth_code:"+code).Scan(&opId); err != nil {
			if errors.Is(err, cache.ErrorKeyNotFound) {
				return c.Status(http.StatusBadRequest).SendString("Bad Request: invalid code")
			}

			log.Error("[S] handleToken: get code from cache err = %s", err.Error())
			return c.Status(http.StatusInternalServerError).SendString("Internal Server Error")
		}

		op.Id = opId
		if err = db.Default.Session().Take(op).Error; err != nil {
			log.Error("[S] handleToken: get op by id err, id = %d, err = %s", opId, err.Error())
			return c.Status(http.StatusInternalServerError).SendString("Internal Server Error")
		}
	default:
		return c.Status(http.StatusBadRequest).SendString("Bad Request: invalid grant type")
	}

	if token, err = op.JwtEncode(); err != nil {
		log.Error("[S] handleToken: encode token err, id = %d, err = %s", opId, err.Error())
		return c.Status(http.StatusInternalServerError).SendString("Internal Server Error")
	}

	refreshToken := uuid.New().String()

	_ = client

	return c.JSON(map[string]any{
		"access_token":  token,
		"refresh_token": refreshToken,
		"token_type":    "Bearer",
		"expires_in":    24 * 3600,
	})
}