fix(guard): set correct validation for github token (#111)

Author: forestileao

guard/lib/guard/api/bitbucket.ex

@@ -1,6 +1,7 @@
 defmodule Guard.Api.Bitbucket do
   require Logger
   use Tesla
+  alias Guard.Utils.OAuth
 
   @api_base_url "https://api.bitbucket.org"
   @base_url "https://bitbucket.org"
@@ -34,11 +35,11 @@ defmodule Guard.Api.Bitbucket do
   Fetch or refresh access token
   """
   def user_token(repo_host_account) do
-    cache_key = token_cache_key(repo_host_account.id)
+    cache_key = OAuth.token_cache_key(repo_host_account)
 
     case Cachex.get(:token_cache, cache_key) do
       {:ok, {token, expires_at}} when not is_nil(token) and token != "" ->
-        if valid_token?(expires_at) do
+        if OAuth.valid_token?(expires_at) do
           {:ok, {token, expires_at}}
         else
           fetch_and_cache_token(repo_host_account)
@@ -72,7 +73,7 @@ defmodule Guard.Api.Bitbucket do
 
     case Tesla.post(client, @oauth2_path, body_params) do
       {:ok, %Tesla.Env{status: status, body: body}} when status in 200..299 ->
-        handle_ok_token_response(repo_host_account, body)
+        OAuth.handle_ok_token_response(repo_host_account, body)
 
       {:ok, %Tesla.Env{status: status}} when status in 400..499 ->
         Logger.warn("Failed to refresh token, account might be revoked")
@@ -87,27 +88,6 @@ defmodule Guard.Api.Bitbucket do
     end
   end
 
-  defp handle_ok_token_response(repo_host_account, body) do
-    body =
-      if is_binary(body) do
-        Jason.decode!(body)
-      else
-        body
-      end
-
-    token = body["access_token"]
-    expires_in = body["expires_in"]
-
-    current_time = DateTime.utc_now() |> DateTime.to_unix()
-    expires_at = current_time + expires_in
-
-    if valid_token?(expires_at) do
-      Cachex.put(:token_cache, token_cache_key(repo_host_account.id), {token, expires_at})
-    end
-
-    {:ok, {token, expires_at}}
-  end
-
   defp build_token_client do
     {:ok, {client_id, client_secret}} = Guard.GitProviderCredentials.get(:bitbucket)
 
@@ -124,12 +104,4 @@ defmodule Guard.Api.Bitbucket do
       Tesla.Middleware.JSON
     ])
   end
-
-  defp token_cache_key(account_id), do: "bitbucket_token_#{account_id}"
-
-  defp valid_token?(expires_at) do
-    current_time = DateTime.utc_now() |> DateTime.to_unix()
-    # 5 minutes before expiration
-    expires_at - 300 > current_time
-  end
 end

guard/lib/guard/api/github.ex

@@ -3,6 +3,11 @@ defmodule Guard.Api.Github do
 
   use Tesla
 
+  alias Guard.Utils.OAuth
+
+  @oauth_base_url "https://github.com"
+  @oauth_path "/login/oauth/access_token"
+
   plug(Tesla.Middleware.BaseUrl, "https://api.github.com")
   plug(Tesla.Middleware.JSON)
 
@@ -29,16 +34,56 @@ defmodule Guard.Api.Github do
     end
   end
 
-  def validate_token(""), do: false
+  @doc """
+  Fetch or refresh access token
+  """
+  def user_token(repo_host_account) do
+    case validate_token(repo_host_account.token) do
+      {:ok, true} -> {:ok, {repo_host_account.token, nil}}
+      _ -> handle_fetch_token(repo_host_account)
+    end
+  end
 
-  def validate_token(token) do
+  defp handle_fetch_token(repo_host_account) do
     {:ok, {client_id, client_secret}} = Guard.GitProviderCredentials.get(:github)
 
-    body = %{"access_token" => token}
+    query_params = [
+      grant_type: "refresh_token",
+      refresh_token: repo_host_account.refresh_token,
+      client_id: client_id,
+      client_secret: client_secret
+    ]
+
+    client = build_token_client()
+
+    case Tesla.post(client, @oauth_path, nil, query: query_params) do
+      {:ok, %Tesla.Env{status: status, body: body}} when status in 200..299 ->
+        OAuth.handle_ok_token_response(repo_host_account, body, cache: false)
+
+      {:ok, %Tesla.Env{status: status}} when status in 400..499 ->
+        Logger.warning("Failed to refresh github token, account might be revoked")
+        {:error, :revoked}
+
+      {:ok, %Tesla.Env{status: _status}} ->
+        {:error, :failed}
 
-    case post("/applications/#{client_id}/token", body,
-           headers: authorization_headers(client_id, client_secret)
-         ) do
+      {:error, error} ->
+        Logger.error("Error fetching github token: #{inspect(error)}")
+        {:error, :network_error}
+    end
+  end
+
+  defp build_token_client do
+    Tesla.client([
+      {Tesla.Middleware.BaseUrl, @oauth_base_url},
+      Tesla.Middleware.JSON
+    ])
+  end
+
+  def validate_token(""), do: false
+
+  def validate_token(token) do
+    case get("", headers: authorization_headers(token)) do
       {:ok, res} ->
         is_valid = res.status in 200..299
 
@@ -56,11 +101,9 @@ defmodule Guard.Api.Github do
     end
   end
 
-  defp authorization_headers(client_id, client_secret) do
+  defp authorization_headers(token) do
     [
-      {"Accept", "application/vnd.github+json"},
-      {"Authorization", "Basic " <> Base.encode64("#{client_id}:#{client_secret}")},
-      {"X-GitHub-Api-Version", "2022-11-28"}
+      {"Authorization", "token #{token}"}
     ]
   end
 end

guard/lib/guard/api/gitlab.ex

@@ -1,7 +1,7 @@
 defmodule Guard.Api.Gitlab do
   require Logger
 
-  alias Guard.FrontRepo
+  alias Guard.Utils.OAuth
 
   @base_url "https://gitlab.com"
   @oauth_path "/oauth/token"
@@ -11,11 +11,11 @@ defmodule Guard.Api.Gitlab do
   Fetch or refresh access token
   """
   def user_token(repo_host_account) do
-    cache_key = token_cache_key(repo_host_account.id)
+    cache_key = OAuth.token_cache_key(repo_host_account)
 
     case Cachex.get(:token_cache, cache_key) do
       {:ok, {token, expires_at}} when not is_nil(token) and token != "" ->
-        if valid_token?(expires_at) do
+        if OAuth.valid_token?(expires_at) do
           {:ok, {token, expires_at}}
         else
           handle_fetch_and_cache_token(repo_host_account)
@@ -31,24 +31,15 @@ defmodule Guard.Api.Gitlab do
 
     case Tesla.get(client, @oauth_token_info_path) do
       {:ok, res} ->
-        expires_at = calc_expires_at(res.body["expires_in"])
-        {:ok, res.status in 200..299 && valid_token?(expires_at)}
+        expires_at = OAuth.calc_expires_at(res.body["expires_in"])
+        {:ok, res.status in 200..299 && OAuth.valid_token?(expires_at)}
 
       {:error, error} ->
         Logger.error("Error validating token: #{inspect(error)}")
         {:error, :network_error}
     end
   end
 
-  # Case where the token never expires
-  defp valid_token?(nil), do: true
-
-  defp valid_token?(expires_at) do
-    current_time = DateTime.utc_now() |> DateTime.to_unix()
-    # 5 minutes before expiration
-    expires_at - 300 > current_time
-  end
-
   defp handle_fetch_and_cache_token(repo_host_account) do
     body_params = %{
       "grant_type" => "refresh_token",
@@ -60,7 +51,7 @@ defmodule Guard.Api.Gitlab do
 
     case Tesla.post(client, @oauth_path, body_params) do
       {:ok, %Tesla.Env{status: status, body: body}} when status in 200..299 ->
-        handle_ok_token_response(repo_host_account, body)
+        OAuth.handle_ok_token_response(repo_host_account, body)
 
       {:ok, %Tesla.Env{status: status}} when status in 400..499 ->
         Logger.warning("Failed to refresh gitlab token, account might be revoked")
@@ -100,39 +91,4 @@ defmodule Guard.Api.Gitlab do
 
     gitlab_config[:default_scope]
   end
-
-  defp handle_ok_token_response(repo_host_account, body) do
-    body =
-      if is_binary(body) do
-        Jason.decode!(body)
-      else
-        body
-      end
-
-    token = body["access_token"]
-    expires_in = body["expires_in"]
-    refresh_token = body["refresh_token"]
-
-    expires_at = calc_expires_at(expires_in)
-
-    if valid_token?(expires_at) do
-      Cachex.put(:token_cache, token_cache_key(repo_host_account.id), {token, expires_at})
-      update_refresh_token(repo_host_account, refresh_token)
-    end
-
-    {:ok, {token, expires_at}}
-  end
-
-  defp calc_expires_at(nil), do: nil
-
-  defp calc_expires_at(expires_in) do
-    current_time = DateTime.utc_now() |> DateTime.to_unix()
-    current_time + expires_in
-  end
-
-  defp token_cache_key(account_id), do: "gitlab_token_#{account_id}"
-
-  defp update_refresh_token(repo_host_account, refresh_token) do
-    FrontRepo.RepoHostAccount.update_refresh_token(repo_host_account, refresh_token)
-  end
 end

guard/lib/guard/front_repo/repo_host_account.ex

@@ -128,7 +128,7 @@ defmodule Guard.FrontRepo.RepoHostAccount do
   end
 
   @spec get_github_token(String.t()) :: {:ok, String.t()} | {:error, :not_found}
-  def get_github_token(user_id) do
+  def get_github_token(user_id) when is_binary(user_id) do
     token =
       Guard.FrontRepo.RepoHostAccount
       |> where([rha], rha.user_id == ^user_id)
@@ -142,6 +142,20 @@ defmodule Guard.FrontRepo.RepoHostAccount do
     end
   end
 
+  def get_github_token(%__MODULE__{} = rha) do
+    case Guard.Api.Github.user_token(rha) do
+      {:ok, {_token, _expires_at}} = token_tuple ->
+        token_tuple
+
+      {:error, :revoked} ->
+        update_account(%{revoked: true}, rha)
+        {:error, {"", nil}}
+
+      {:error, _} ->
+        {:error, {"", nil}}
+    end
+  end
+
   def get_bitbucket_token(rha) do
     case Guard.Api.Bitbucket.user_token(rha) do
       {:ok, {_token, _expires_at}} = token_tuple ->
@@ -170,8 +184,8 @@ defmodule Guard.FrontRepo.RepoHostAccount do
     end
   end
 
-  def update_refresh_token(rha, refresh_token) do
-    update_account(%{refresh_token: refresh_token}, rha)
+  def update_token_pair(rha, token, refresh_token) do
+    update_account(%{token: token, refresh_token: refresh_token}, rha)
   end
 
   @spec get_uid_by_login(String.t(), String.t()) :: {:ok, String.t()} | {:error, :not_found}

guard/lib/guard/grpc_servers/user_server.ex

@@ -384,6 +384,11 @@ defmodule Guard.GrpcServers.UserServer do
           "Token for #{user.id} is #{if is_valid, do: "valid", else: "invalid"}. Updating revoke status."
         )
 
+        unless is_valid do
+          cache_key = Guard.Utils.OAuth.token_cache_key(repo_account)
+          Cachex.del(:token_cache, cache_key)
+        end
+
         FrontRepo.RepoHostAccount.update_revoke_status(repo_account, not is_valid)
 
       {:error, _} ->
@@ -745,8 +750,15 @@ defmodule Guard.GrpcServers.UserServer do
     end)
   end
 
-  defp get_token(%{token: token, repo_host: "github"}, _opts) do
-    {token, nil}
+  defp get_token(%{repo_host: "github"} = repo_host_account, user_id: user_id) do
+    case FrontRepo.RepoHostAccount.get_github_token(repo_host_account) do
+      {:error, _} ->
+        Logger.error("Token for User: '#{user_id}' and 'GITHUB' not found.")
+        grpc_error!(:not_found, "Token for not found.")
+
+      {:ok, {token, expires_at}} ->
+        {token, expires_at}
+    end
   end
 
   defp get_token(%{repo_host: "bitbucket"} = repo_host_account, user_id: user_id) do

guard/lib/guard/utils.ex

@@ -44,6 +44,55 @@ defmodule Guard.Utils do
   def timestamp_to_datetime(_, default), do: {:ok, default}
 end
 
+defmodule Guard.Utils.OAuth do
+  def handle_ok_token_response(repo_host_account, body, opts \\ [cache: true]) do
+    body =
+      if is_binary(body) do
+        Jason.decode!(body)
+      else
+        body
+      end
+
+    token = body["access_token"]
+    expires_in = body["expires_in"]
+    refresh_token = body["refresh_token"]
+
+    expires_at = calc_expires_at(expires_in)
+
+    if valid_token?(expires_at) do
+      update_token_pair(repo_host_account, token, refresh_token)
+    end
+
+    if opts[:cache] do
+      Cachex.put(:token_cache, token_cache_key(repo_host_account), {token, expires_at})
+    end
+
+    {:ok, {token, expires_at}}
+  end
+
+  defp update_token_pair(repo_host_account, token, refresh_token) do
+    Guard.FrontRepo.RepoHostAccount.update_token_pair(repo_host_account, token, refresh_token)
+  end
+
+  def calc_expires_at(nil), do: nil
+
+  def calc_expires_at(expires_in) do
+    current_time = DateTime.utc_now() |> DateTime.to_unix()
+    current_time + expires_in
+  end
+
+  # Case where the token never expires
+  def valid_token?(nil), do: true
+
+  def valid_token?(expires_at) do
+    current_time = DateTime.utc_now() |> DateTime.to_unix()
+    # 5 minutes before expiration
+    expires_at - 300 > current_time
+  end
+
+  def token_cache_key(%{repo_host: repo_host, id: id}), do: "#{repo_host}_token_#{id}"
+end
+
 defmodule Guard.Utils.Http do
   require Logger