Better auth

Author: gschier

auth_get_token.go

@@ -0,0 +1,38 @@
+package yaakcli
+
+import (
+	"crypto/subtle"
+	"fmt"
+	"golang.org/x/oauth2"
+	"net/http"
+)
+
+type OAuthRedirectHandler struct {
+	State        string
+	CodeVerifier string
+	OAuthConfig  *oauth2.Config
+}
+
+func (h *OAuthRedirectHandler) ExchangeCode(r *http.Request) (string, error) {
+	state := r.URL.Query().Get("state")
+	code := r.URL.Query().Get("code")
+
+	if subtle.ConstantTimeCompare([]byte(h.State), []byte(state)) == 0 {
+		return "", fmt.Errorf("invalid state")
+	}
+
+	if code == "" {
+		return "", fmt.Errorf("missing code")
+	}
+
+	token, err := h.OAuthConfig.Exchange(
+		r.Context(),
+		code,
+		oauth2.VerifierOption(h.CodeVerifier),
+	)
+	if err != nil {
+		return "", fmt.Errorf("could not exchange code for token: %w", err)
+	}
+
+	return token.AccessToken, nil
+}

auth.go auth_token.goauth.go renamed to auth_token.go

@@ -0,0 +1,59 @@
+package yaakcli
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/hex"
+	"fmt"
+	"io"
+
+	"golang.org/x/oauth2"
+)
+
+type AuthURL struct {
+	URL          string
+	State        string
+	CodeVerifier string
+}
+
+func (u *AuthURL) String() string {
+	return u.URL
+}
+
+func AuthorizationURL(config *oauth2.Config) (*AuthURL, error) {
+	codeVerifier, verifierErr := randomBytesInHex(32) // 64-character string here
+	if verifierErr != nil {
+		return nil, fmt.Errorf("could not create a code verifier: %w", verifierErr)
+	}
+	sha2 := sha256.New()
+	_, _ = io.WriteString(sha2, codeVerifier)
+	codeChallenge := base64.RawURLEncoding.EncodeToString(sha2.Sum(nil))
+
+	state, stateErr := randomBytesInHex(24)
+	if stateErr != nil {
+		return nil, fmt.Errorf("could not generate random state: %w", stateErr)
+	}
+
+	authUrl := config.AuthCodeURL(
+		state,
+		oauth2.SetAuthURLParam("code_challenge_method", "S256"),
+		oauth2.SetAuthURLParam("code_challenge", codeChallenge),
+	)
+
+	return &AuthURL{
+		URL:          authUrl,
+		State:        state,
+		CodeVerifier: codeVerifier,
+	}, nil
+}
+
+func randomBytesInHex(count int) (string, error) {
+	buf := make([]byte, count)
+	_, err := io.ReadFull(rand.Reader, buf)
+	if err != nil {
+		return "", fmt.Errorf("could not generate %d random bytes: %w", count, err)
+	}
+
+	return hex.EncodeToString(buf), nil
+}

auth_url.go

@@ -2,12 +2,14 @@ package yaakcli
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"github.com/pkg/browser"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
+	"golang.org/x/oauth2"
+	"net"
 	"net/http"
-	"net/url"
 	"os"
 	"os/signal"
 	"time"
@@ -19,72 +21,84 @@ var loginCmd = &cobra.Command{
 	Long:  "Open a web browser to authenticate with Yaak. Works with all browsers including Safari.",
 	Run: func(cmd *cobra.Command, args []string) {
 		CheckError(deleteAuthToken())
-
-		pterm.Info.Println("Starting browser-based login...")
-
-		// Save the token to a config file
-		confirm := pterm.DefaultInteractiveConfirm
-		confirm.DefaultValue = true
-		open, err := confirm.Show("Open default browser")
-		CheckError(err)
-
-		if !open {
-			os.Exit(0)
-			return
-		}
+		baseURL := prodStagingDevStr("https://yaak.app", "https://todo.yaak.app", "http://localhost:9444")
 
 		// Create a channel to receive the auth token
 		tokenChan := make(chan string, 1)
 
 		// Set up a simple HTTP server to handle the OAuth callback
-		server := &http.Server{
-			Addr: "localhost:8085",
+		listener, err := net.Listen("tcp", "127.0.0.1:0")
+		CheckError(err)
+
+		addr := listener.Addr().(*net.TCPAddr)
+		redirectURL := fmt.Sprintf("http://127.0.0.1:%d/oauth/callback", addr.Port)
+
+		// Open the browser to the login page
+		oauthConfig := oauth2.Config{
+			ClientID:     "yaak-cli",
+			ClientSecret: "",
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  baseURL + "/login/oauth/authorize",
+				TokenURL: baseURL + "/login/oauth/access_token",
+			},
+			RedirectURL: redirectURL,
+			Scopes:      nil,
 		}
+		loginURL, err := AuthorizationURL(&oauthConfig)
+		CheckError(err)
 
-		// Define the handler for the callback
-		http.HandleFunc("/oauth/callback", func(w http.ResponseWriter, r *http.Request) {
+		mux := http.NewServeMux()
+
+		mux.HandleFunc("/oauth/callback", func(w http.ResponseWriter, r *http.Request) {
+			h := OAuthRedirectHandler{
+				State:        loginURL.State,
+				CodeVerifier: loginURL.CodeVerifier,
+				OAuthConfig:  &oauthConfig,
+			}
+			token, err := h.ExchangeCode(r)
 			// Get the token from the query parameters
-			token := r.URL.Query().Get("token")
-			if token == "" {
+			if err != nil {
 				w.WriteHeader(http.StatusBadRequest)
-				_, _ = fmt.Fprintf(w, "Error: No token provided")
+				_, _ = fmt.Fprintf(w, "Failed to get access token: %s", err.Error())
 				return
 			}
 
 			// Send the token to the channel
 			tokenChan <- token
 
 			// Return a success message to the browser
-			redirectTo := prodStagingDevStr(
-				"https://yaak.app/login-cli/success",
-				"https://todo.yaak.app/login-cli/success",
-				"http://localhost:9444/login-cli/success",
-			)
+			redirectTo := baseURL + "/login/oauth/success"
 			http.Redirect(w, r, redirectTo, http.StatusFound)
 		})
 
+		server := &http.Server{Handler: mux}
+
 		// Start the server in a goroutine
 		go func() {
-			if err := server.ListenAndServe(); err != http.ErrServerClosed {
+			if err := server.Serve(listener); !errors.Is(err, http.ErrServerClosed) {
 				pterm.Error.Printf("HTTP server error: %v\n", err)
 				os.Exit(1)
 			}
 		}()
 
+		pterm.Info.Println("Initiating login to", loginURL)
+
+		confirm := pterm.DefaultInteractiveConfirm
+		confirm.DefaultValue = true
+		open, err := confirm.Show("Open default browser")
+		CheckError(err)
+
+		if !open {
+			os.Exit(0)
+			return
+		}
+
 		// Set up a signal handler to gracefully shut down the server
 		sigChan := make(chan os.Signal, 1)
 		signal.Notify(sigChan, os.Interrupt)
 
-		// Open the browser to the login page
-		redirect := "http://localhost:8085/oauth/callback"
-		loginURL := prodStagingDevStr(
-			"https://yaak.app/login-cli?redirect=",
-			"https://todo.yaak.app/login-cli?redirect=",
-			"http://localhost:9444/login-cli?redirect=",
-		) + url.QueryEscape(redirect)
-
 		// Open the browser based on the operating system
-		err = browser.OpenURL(loginURL)
+		err = browser.OpenURL(loginURL.String())
 		if err != nil {
 			pterm.Error.Printf("Failed to open browser: %v\n", err)
 			pterm.Info.Println("Please open the following URL manually:")

cmd_login.go

@@ -10,6 +10,7 @@ require (
 	github.com/pterm/pterm v0.12.81
 	github.com/spf13/cobra v1.8.1
 	github.com/zalando/go-keyring v0.2.6
+	golang.org/x/oauth2 v0.30.0
 )
 
 require (

go.mod

@@ -19,8 +19,6 @@ github.com/MarvinJWendt/testza v0.5.2 h1:53KDo64C1z/h/d/stCYCPY69bt/OSwjq5KpFNwi
 github.com/MarvinJWendt/testza v0.5.2/go.mod h1:xu53QFE5sCdjtMCKk8YMQ2MnymimEctc4n3EjyIYvEY=
 github.com/atomicgo/cursor v0.0.1/go.mod h1:cBON2QmmrysudxNBFthvMtN32r3jxVRIvzkUiF/RuIk=
 github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
-github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81 h1:q2hJAaP1k2wIvVRd/hEHD7lacgqrCPS+k8g1MndzfWY=
-github.com/containerd/console v1.0.4-0.20230313162750-1ae8d489ac81/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
 github.com/containerd/console v1.0.5 h1:R0ymNeydRqH2DmakFNdmjR2k0t7UPuiOV/N/27/qqsc=
 github.com/containerd/console v1.0.5/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
@@ -65,8 +63,6 @@ github.com/pterm/pterm v0.12.31/go.mod h1:32ZAWZVXD7ZfG0s8qqHXePte42kdz8ECtRyEej
 github.com/pterm/pterm v0.12.33/go.mod h1:x+h2uL+n7CP/rel9+bImHD5lF3nM9vJj80k9ybiiTTE=
 github.com/pterm/pterm v0.12.36/go.mod h1:NjiL09hFhT/vWjQHSj1athJpx6H8cjpHXNAK5bUw8T8=
 github.com/pterm/pterm v0.12.40/go.mod h1:ffwPLwlbXxP+rxT0GsgDTzS3y3rmpAO1NMjUkGTYf8s=
-github.com/pterm/pterm v0.12.79 h1:lH3yrYMhdpeqX9y5Ep1u7DejyHy7NSQg9qrBjF9dFT4=
-github.com/pterm/pterm v0.12.79/go.mod h1:1v/gzOF1N0FsjbgTHZ1wVycRkKiatFvJSJC4IGaQAAo=
 github.com/pterm/pterm v0.12.81 h1:ju+j5I2++FO1jBKMmscgh5h5DPFDFMB7epEjSoKehKA=
 github.com/pterm/pterm v0.12.81/go.mod h1:TyuyrPjnxfwP+ccJdBTeWHtd/e0ybQHkOS/TakajZCw=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
@@ -103,6 +99,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -118,26 +116,20 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
-golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
 golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
 golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=