Fixed server package

Author: LyricTian

manage.go

@@ -29,9 +29,8 @@ type Manager interface {
 	GenerateAccessToken(rt GrantType, tgr *TokenGenerateRequest) (accessToken TokenInfo, err error)
 
 	// RefreshAccessToken 更新访问令牌
-	// refresh 更新令牌
-	// scope 作用域
-	RefreshAccessToken(refresh, scope string) (accessToken TokenInfo, err error)
+	// tgr 生成令牌的请求参数
+	RefreshAccessToken(tgr *TokenGenerateRequest) (accessToken TokenInfo, err error)
 
 	// RemoveAccessToken 删除访问令牌
 	// access 访问令牌

server/authorize.go

@@ -1,9 +1,7 @@
 package server
 
 import (
-	"encoding/base64"
 	"net/http"
-	"strings"
 
 	"gopkg.in/oauth2.v2"
 )
@@ -18,36 +16,40 @@ type AuthorizeRequest struct {
 	UserID      string
 }
 
-// ClientHandler 获取客户端信息
+// ClientHandler 客户端处理(获取请求的客户端认证信息)
 type ClientHandler func(r *http.Request) (clientID, clientSecret string, err error)
 
-// UserHandler 获取用户信息
+// UserHandler 用户处理(密码模式,根据用户名、密码获取用户标识)
 type UserHandler func(username, password string) (userID string, err error)
 
+// ScopeHandler 授权范围处理(更新令牌时的授权范围检查)
+type ScopeHandler func(new, old string) (err error)
+
+// TokenRequestHandler 令牌请求处理
+type TokenRequestHandler struct {
+	ClientHandler ClientHandler
+	UserHandler   UserHandler
+	ScopeHandler  ScopeHandler
+}
+
 // ClientFormHandler 客户端表单信息
 func ClientFormHandler(r *http.Request) (clientID, clientSecret string, err error) {
 	clientID = r.Form.Get("client_id")
 	clientSecret = r.Form.Get("client_secret")
+	if clientID == "" || clientSecret == "" {
+		err = ErrAuthorizationFormInvalid
+	}
 	return
 }
 
 // ClientBasicHandler 客户端基础认证信息
 func ClientBasicHandler(r *http.Request) (clientID, clientSecret string, err error) {
-	s := strings.SplitN(r.Header.Get("Authorization"), " ", 2)
-	if len(s) != 2 || s[0] != "Basic" {
-		err = ErrAuthorizationHeaderInvalid
-		return
-	}
-	b, err := base64.StdEncoding.DecodeString(s[1])
-	if err != nil {
-		return
-	}
-	pair := strings.SplitN(string(b), ":", 2)
-	if len(pair) != 2 {
+	username, password, ok := r.BasicAuth()
+	if !ok {
 		err = ErrAuthorizationHeaderInvalid
 		return
 	}
-	clientID = pair[0]
-	clientSecret = pair[1]
+	clientID = username
+	clientSecret = password
 	return
 }

server/config.go

@@ -10,6 +10,8 @@ type Config struct {
 	AllowedResponseType []oauth2.ResponseType
 	// AllowedGrantType 允许的授权模式（默认authorization_code）
 	AllowedGrantType []oauth2.GrantType
+	// Handler 令牌请求处理
+	Handler *TokenRequestHandler
 }
 
 // NewConfig 创建默认的配置参数
@@ -18,5 +20,6 @@ func NewConfig() *Config {
 		TokenType:           "Bearer",
 		AllowedResponseType: []oauth2.ResponseType{oauth2.Code},
 		AllowedGrantType:    []oauth2.GrantType{oauth2.AuthorizationCodeCredentials},
+		Handler:             &TokenRequestHandler{},
 	}
 }

server/error.go

@@ -18,6 +18,12 @@ var (
 	// ErrUserInvalid User invalid
 	ErrUserInvalid = errors.New("user invalid")
 
+	// ErrAuthorizationFormInvalid Authorization form invalid
+	ErrAuthorizationFormInvalid = errors.New("authorization form invalid")
+
 	// ErrAuthorizationHeaderInvalid Authorization header invalid
 	ErrAuthorizationHeaderInvalid = errors.New("authorization header invalid")
+
+	// ErrRefreshInvalid Refresh token invalid
+	ErrRefreshInvalid = errors.New("refresh token invalid")
 )

server/server.go

@@ -24,6 +24,21 @@ type Server struct {
 	manager oauth2.Manager
 }
 
+// SetClientHandler 设置客户端处理
+func (s *Server) SetClientHandler(handler ClientHandler) {
+	s.cfg.Handler.ClientHandler = handler
+}
+
+// SetUserHandler 设置用户处理
+func (s *Server) SetUserHandler(handler UserHandler) {
+	s.cfg.Handler.UserHandler = handler
+}
+
+// SetScopeHandler 设置授权范围处理
+func (s *Server) SetScopeHandler(handler ScopeHandler) {
+	s.cfg.Handler.ScopeHandler = handler
+}
+
 // checkResponseType 检查允许的授权类型
 func (s *Server) checkResponseType(rt oauth2.ResponseType) bool {
 	for _, art := range s.cfg.AllowedResponseType {
@@ -95,7 +110,7 @@ func (s *Server) HandleAuthorizeRequest(w http.ResponseWriter, authReq *Authoriz
 // HandleTokenRequest 处理令牌请求
 // cli 获取客户端信息
 // user 获取用户信息
-func (s *Server) HandleTokenRequest(w http.ResponseWriter, r *http.Request, ch ClientHandler, uh UserHandler) (err error) {
+func (s *Server) HandleTokenRequest(w http.ResponseWriter, r *http.Request) (err error) {
 	if r.Method != "POST" {
 		err = ErrRequestMethodInvalid
 		return
@@ -111,14 +126,10 @@ func (s *Server) HandleTokenRequest(w http.ResponseWriter, r *http.Request, ch C
 	}
 
 	var ti oauth2.TokenInfo
-	clientID, clientSecret, err := ch(r)
+	clientID, clientSecret, err := s.cfg.Handler.ClientHandler(r)
 	if err != nil {
 		return
 	}
-	if clientID == "" || clientSecret == "" {
-		err = ErrClientInvalid
-		return
-	}
 	tgr := &oauth2.TokenGenerateRequest{
 		ClientID:     clientID,
 		ClientSecret: clientSecret,
@@ -131,19 +142,38 @@ func (s *Server) HandleTokenRequest(w http.ResponseWriter, r *http.Request, ch C
 		tgr.IsGenerateRefresh = true
 		ti, err = s.manager.GenerateAccessToken(oauth2.AuthorizationCodeCredentials, tgr)
 	case oauth2.PasswordCredentials:
-		userID, uerr := uh(r.Form.Get("username"), r.Form.Get("password"))
+		userID, uerr := s.cfg.Handler.UserHandler(r.Form.Get("username"), r.Form.Get("password"))
 		if uerr != nil {
 			err = uerr
 			return
 		}
 		tgr.UserID = userID
 		tgr.Scope = r.Form.Get("scope")
 		tgr.IsGenerateRefresh = true
+		ti, err = s.manager.GenerateAccessToken(oauth2.PasswordCredentials, tgr)
 	case oauth2.ClientCredentials:
 		tgr.Scope = r.Form.Get("scope")
+		ti, err = s.manager.GenerateAccessToken(oauth2.ClientCredentials, tgr)
 	case oauth2.RefreshCredentials:
 		tgr.Refresh = r.Form.Get("refresh_token")
 		tgr.Scope = r.Form.Get("scope")
+		if tgr.Scope != "" { // 检查授权范围
+			rti, rerr := s.manager.LoadRefreshToken(tgr.Refresh)
+			if rerr != nil {
+				err = rerr
+				return
+			} else if rti.GetClientID() != tgr.ClientID {
+				err = ErrRefreshInvalid
+				return
+			} else if verr := s.cfg.Handler.ScopeHandler(tgr.Scope, rti.GetScope()); verr != nil {
+				err = verr
+				return
+			}
+		}
+		ti, err = s.manager.RefreshAccessToken(tgr)
+		if err == nil {
+			ti.SetRefresh("")
+		}
 	}
 
 	if err != nil {