Implement OAuth (#373)

Author: aryanmehrotra

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/go-redis/redismock/v9 v9.2.0
 	github.com/go-sql-driver/mysql v1.7.1
 	github.com/gogo/protobuf v1.3.2
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/mux v1.8.1
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
@@ -30,6 +31,7 @@ require (
 	go.opentelemetry.io/otel/sdk/metric v1.24.0
 	go.opentelemetry.io/otel/trace v1.24.0
 	go.uber.org/mock v0.4.0
+	golang.org/x/oauth2 v0.17.0
 	golang.org/x/term v0.18.0
 	google.golang.org/api v0.166.0
 	google.golang.org/grpc v1.61.1
@@ -70,9 +72,8 @@ require (
 	go.einride.tech/aip v0.66.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.48.0 // indirect
-	golang.org/x/crypto v0.19.0 // indirect
-	golang.org/x/net v0.21.0 // indirect
-	golang.org/x/oauth2 v0.17.0 // indirect
+	golang.org/x/crypto v0.21.0 // indirect
+	golang.org/x/net v0.22.0 // indirect
 	golang.org/x/sync v0.6.0 // indirect
 	golang.org/x/sys v0.18.0 // indirect
 	golang.org/x/text v0.14.0 // indirect

go.sum

@@ -69,6 +69,8 @@ github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -227,8 +229,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
-golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA=
+golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -252,8 +254,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
-golang.org/x/net v0.21.0 h1:AQyQV4dYCvJ7vGmJyKki9+PBdyvhkSd8EIx/qb0AYv4=
-golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
+golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.17.0 h1:6m3ZPmLEFdVxKKWnKq4VqZ60gutO35zm+zrAHVmHyDQ=
 golang.org/x/oauth2 v0.17.0/go.mod h1:OzPDGQiuQMguemayvdylqddI7qcD9lnSDb+1FiwQ5HA=

pkg/gofr/gofr.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"strconv"
 	"sync"
+	"time"
 
 	"go.opentelemetry.io/otel"
 	"go.opentelemetry.io/otel/exporters/zipkin"
@@ -18,6 +19,7 @@ import (
 
 	"gofr.dev/pkg/gofr/config"
 	"gofr.dev/pkg/gofr/container"
+	"gofr.dev/pkg/gofr/http/middleware"
 	"gofr.dev/pkg/gofr/logging"
 	"gofr.dev/pkg/gofr/metrics"
 	"gofr.dev/pkg/gofr/migration"
@@ -227,6 +229,17 @@ func (a *App) Migrate(migrationsMap map[int64]migration.Migrate) {
 	migration.Run(migrationsMap, a.container)
 }
 
+func (a *App) EnableOAuth(jwksEndpoint string, refreshInterval int) {
+	a.AddHTTPService("gofr_oauth", jwksEndpoint)
+
+	oauthOption := middleware.OauthConfigs{
+		Provider:        a.container.GetHTTPService("gofr_oauth"),
+		RefreshInterval: time.Second * time.Duration(refreshInterval),
+	}
+
+	a.httpServer.router.Use(middleware.OAuth(middleware.NewOAuth(oauthOption)))
+}
+
 func (a *App) initTracer() {
 	tracerHost := a.Config.Get("TRACER_HOST")
 	tracerPort := a.Config.GetOrDefault("TRACER_PORT", "9411")

pkg/gofr/gofr_test.go

@@ -13,6 +13,8 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
+	"gofr.dev/pkg/gofr/container"
+	gofrHTTP "gofr.dev/pkg/gofr/http"
 	"gofr.dev/pkg/gofr/logging"
 	"gofr.dev/pkg/gofr/migration"
 	"gofr.dev/pkg/gofr/testutil"
@@ -215,3 +217,48 @@ func Test_addRoute(t *testing.T) {
 
 	assert.Contains(t, logs, "handler called")
 }
+
+func TestEnableBasicAuthWithFunc(t *testing.T) {
+	jwksServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	c := container.NewContainer(testutil.NewMockConfig(nil))
+
+	// Initialize a new App instance
+	a := &App{
+		httpServer: &httpServer{
+			router: gofrHTTP.NewRouter(c),
+		},
+		container: c,
+	}
+
+	a.httpServer.router.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		fmt.Println(w, "Hello, world!")
+	}))
+
+	a.EnableOAuth(jwksServer.URL, 600)
+
+	server := httptest.NewServer(a.httpServer.router)
+	defer server.Close()
+
+	client := server.Client()
+
+	// Create a mock HTTP request
+	req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, server.URL, http.NoBody)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Add a basic authorization header
+	req.Header.Add("Authorization", "dXNlcjpwYXNzd29yZA==")
+
+	// Send the HTTP request
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+
+	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode, "TestEnableBasicAuthWithFunc Failed!")
+}

pkg/gofr/http/middleware/oauth.go

@@ -0,0 +1,182 @@
+package middleware
+
+import (
+	"context"
+	"crypto/rsa"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"math/big"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type JWTClaim string
+
+type PublicKeys struct {
+	keys map[string]*rsa.PublicKey
+}
+
+type JWKNotFound struct {
+}
+
+func (i JWKNotFound) Error() string {
+	return "JWKS Not Found"
+}
+
+func (p *PublicKeys) Get(kid string) *rsa.PublicKey {
+	kid = strings.TrimSpace(kid)
+
+	return p.keys[kid]
+}
+
+type JWKSProvider interface {
+	GetWithHeaders(ctx context.Context, path string, queryParams map[string]interface{},
+		headers map[string]string) (*http.Response, error)
+}
+
+type OauthConfigs struct {
+	Provider        JWKSProvider
+	RefreshInterval time.Duration
+}
+
+func NewOAuth(config OauthConfigs) PublicKeyProvider {
+	var publicKeys PublicKeys
+
+	publicKeys.keys = make(map[string]*rsa.PublicKey)
+
+	go func() {
+		for {
+			resp, err := config.Provider.GetWithHeaders(context.Background(), "", nil, nil)
+			if err != nil || resp == nil {
+				continue
+			}
+
+			body, err := io.ReadAll(resp.Body)
+			if err != nil {
+				continue
+			}
+
+			resp.Body.Close()
+
+			var jwks JWKS
+
+			err = json.Unmarshal(body, &jwks)
+			if err != nil {
+				continue
+			}
+
+			publicKeys.keys = publicKeyFromJWKS(jwks)
+
+			time.Sleep(config.RefreshInterval)
+		}
+	}()
+
+	return &publicKeys
+}
+
+type PublicKeyProvider interface {
+	Get(kid string) *rsa.PublicKey
+}
+
+func OAuth(key PublicKeyProvider) func(inner http.Handler) http.Handler {
+	return func(inner http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			authHeader := r.Header.Get("Authorization")
+			if authHeader == "" {
+				http.Error(w, "Authorization header is required", http.StatusUnauthorized)
+				return
+			}
+
+			headerParts := strings.Split(authHeader, " ")
+			if len(headerParts) != 2 || headerParts[0] != "Bearer" {
+				http.Error(w, "Authorization header format must be Bearer {token}", http.StatusUnauthorized)
+				return
+			}
+
+			tokenString := headerParts[1]
+
+			token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+				kid := token.Header["kid"]
+
+				jwks := key.Get(fmt.Sprint(kid))
+				if jwks == nil {
+					return nil, JWKNotFound{}
+				}
+
+				return key.Get(fmt.Sprint(kid)), nil
+			})
+
+			if err != nil {
+				w.WriteHeader(http.StatusUnauthorized)
+				_, _ = w.Write([]byte(err.Error()))
+
+				return
+			}
+
+			ctx := context.WithValue(r.Context(), JWTClaim("JWTClaims"), token.Claims)
+			*r = *r.Clone(ctx)
+
+			inner.ServeHTTP(w, r)
+		})
+	}
+}
+
+// JWKS represents a JSON Web Key Set.
+type JWKS struct {
+	Keys []JSONWebKey `json:"keys"`
+}
+
+type JSONWebKey struct {
+	ID   string `json:"kid"`
+	Type string `json:"kty"`
+
+	Modulus         string `json:"n"`
+	PublicExponent  string `json:"e"`
+	PrivateExponent string `json:"d"`
+}
+
+// PublicKeyFromJWKS creates a public key from a JWKS and returns it in string format.
+func publicKeyFromJWKS(jwks JWKS) map[string]*rsa.PublicKey {
+	if len(jwks.Keys) == 0 {
+		return nil
+	}
+
+	keys := make(map[string]*rsa.PublicKey)
+
+	for _, jwk := range jwks.Keys {
+		var val = jwk
+
+		keys[jwk.ID], _ = rsaPublicKeyStringFromJWK(&val)
+	}
+
+	// Store the result of rsaPublicKeyStringFromJWK before the next iteration
+
+	return keys
+}
+
+func rsaPublicKeyStringFromJWK(jwk *JSONWebKey) (*rsa.PublicKey, error) {
+	n, err := base64.RawURLEncoding.DecodeString(jwk.Modulus)
+	if err != nil {
+		return nil, err
+	}
+
+	e, err := base64.RawURLEncoding.DecodeString(jwk.PublicExponent)
+	if err != nil {
+		return nil, err
+	}
+
+	nInt := new(big.Int).SetBytes(n)
+	eInt := new(big.Int).SetBytes(e)
+
+	rsaPublicKey := &rsa.PublicKey{
+		N: nInt,
+		E: int(eInt.Int64()),
+	}
+
+	return rsaPublicKey, nil
+}