feat: add oauth2 and ecommerce test apis (#17)

OAuth2
--------

This change adds a new OAuth2 middleware and token endpoint that can be
used to enforce OAuth2 on any test endpoints. Test code can opt into
OAuth2 enforcement by setting the `x-require-oauth2: 1` header on any
SDK methods. This is usually done with a custom http client, per-method
custom headers or a SDK-wide hook depending on the language and test.

The following OAuth2 flows are supported:

- Client Credentials
- Authorization Code
- Resource Owner Password Credentials
- Refresh Token

When requesting an access token against `POST /oauth2/token`, the
following credentials are expected based on the flow used:

- Client ID: `beezy`
- Client Secret: `super-secret`
- Username: `testuser`
- Password: `testpassword`
- Code: `secret-auth-code`
- Refresh Token: `secret-refresh-token`

Test code can look for the `x-oauth2: pass` header to determine if the
test service detected and validated OAuth2 access tokens in the response
of any non-auth endpoints

E-commerce API
-----------------

This is a new set of test APIs that are inspired by real world
e-commerce APIs. These APIs can enforce OAuth2 scopes if incoming
requests have passed the OAuth2 middleware.

Author: disintegrator

cmd/server/main.go

@@ -1,12 +1,14 @@
 package main
 
 import (
+	"context"
 	"flag"
 	"log"
 	"net/http"
 
 	"github.com/speakeasy-api/speakeasy-api-test-service/internal/acceptHeaders"
 	"github.com/speakeasy-api/speakeasy-api-test-service/internal/clientcredentials"
+	"github.com/speakeasy-api/speakeasy-api-test-service/internal/ecommerce"
 	"github.com/speakeasy-api/speakeasy-api-test-service/internal/errors"
 	"github.com/speakeasy-api/speakeasy-api-test-service/internal/eventstreams"
 	"github.com/speakeasy-api/speakeasy-api-test-service/internal/method"
@@ -28,11 +30,12 @@ func main() {
 	flag.Parse()
 
 	r := mux.NewRouter()
+	r.HandleFunc("/oauth2/token", auth.HandleOAuth2).Methods(http.MethodPost)
+	r.HandleFunc("/auth", auth.HandleAuth).Methods(http.MethodPost)
+	r.HandleFunc("/auth/customsecurity/{customSchemeType}", auth.HandleCustomAuth).Methods(http.MethodGet)
 	r.HandleFunc("/ping", func(w http.ResponseWriter, r *http.Request) {
 		_, _ = w.Write([]byte("pong"))
 	}).Methods(http.MethodGet)
-	r.HandleFunc("/auth", auth.HandleAuth).Methods(http.MethodPost)
-	r.HandleFunc("/auth/customsecurity/{customSchemeType}", auth.HandleCustomAuth).Methods(http.MethodGet)
 	r.HandleFunc("/requestbody", requestbody.HandleRequestBody).Methods(http.MethodPost)
 	r.HandleFunc("/vendorjson", responseHeaders.HandleVendorJsonResponseHeaders).Methods(http.MethodGet)
 	r.HandleFunc("/pagination/limitoffset/page", pagination.HandleLimitOffsetPage).Methods(http.MethodGet, http.MethodPut)
@@ -69,6 +72,14 @@ func main() {
 	r.HandleFunc("/method/put", method.HandlePut).Methods(http.MethodPut)
 	r.HandleFunc("/method/trace", method.HandleTrace).Methods(http.MethodTrace)
 
+	oauth2router := r.NewRoute().Subrouter()
+	oauth2router.Use(middleware.OAuth2)
+	oauth2router.HandleFunc("/ecommerce/products", ecommerce.HandleListProducts).Methods(http.MethodGet)
+	oauth2router.HandleFunc("/ecommerce/products", ecommerce.HandleCreateProduct).Methods(http.MethodPost)
+	oauth2router.HandleFunc("/ecommerce/products/{id}", ecommerce.HandleFetchProduct).Methods(http.MethodGet)
+	oauth2router.HandleFunc("/ecommerce/products/{id}", ecommerce.HandleDeleteProduct).Methods(http.MethodDelete)
+	oauth2router.HandleFunc("/ecommerce/products/{id}/inventory", ecommerce.HandleUpdateProductStock).Methods(http.MethodPut)
+
 	handler := middleware.Fault(r)
 	handler = middleware.Teapot(handler)
 
@@ -77,6 +88,10 @@ func main() {
 		bind = *bindArg
 	}
 
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go auth.StartTokenDBCompaction(ctx)
+
 	log.Printf("Listening on %s\n", bind)
 	if err := http.ListenAndServe(bind, handler); err != nil {
 		log.Fatal(err)

go.mod

@@ -1,8 +1,10 @@
 module github.com/speakeasy-api/speakeasy-api-test-service
 
-go 1.22
+go 1.23
 
 require (
+	github.com/brianvoe/gofakeit/v7 v7.0.4
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/gorilla/mux v1.8.0
 	github.com/lingrino/go-fault v1.0.2
 )

go.sum

@@ -1,5 +1,9 @@
+github.com/brianvoe/gofakeit/v7 v7.0.4 h1:Mkxwz9jYg8Ad8NvT9HA27pCMZGFQo08MK6jD0QTKEww=
+github.com/brianvoe/gofakeit/v7 v7.0.4/go.mod h1:QXuPeBw164PJCzCUZVmgpgHJ3Llj49jSLVkKPMtxtxA=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/lingrino/go-fault v1.0.2 h1:I7gj2vsxw0wdOwQIX7AZ7kdZRXPX2AgVvRyFXCqSvLA=

internal/auth/oauth2.go

@@ -0,0 +1,312 @@
+package auth
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/brianvoe/gofakeit/v7"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+const (
+	oauth2JWTSigningSecret = "fancy-jwt-signing-secret"
+)
+
+type OAuth2ErrorCode string
+
+const (
+	ErrCodeInvalidRequest       OAuth2ErrorCode = "invalid_request"
+	ErrCodeInvalidClient        OAuth2ErrorCode = "invalid_client"
+	ErrCodeInvalidGrant         OAuth2ErrorCode = "invalid_grant"
+	ErrCodeUnauthorizedClient   OAuth2ErrorCode = "unauthorized_client"
+	ErrCodeUnsupportedGrantType OAuth2ErrorCode = "unsupported_grant_type"
+	ErrCodeInvalidScope         OAuth2ErrorCode = "invalid_scope"
+)
+
+func (e OAuth2ErrorCode) Error() string {
+	return string(e)
+}
+
+type oauth2Error struct {
+	Code    OAuth2ErrorCode `json:"error"`
+	Message string          `json:"error_description,omitempty"`
+}
+
+func SendOAuth2Error(w http.ResponseWriter, code OAuth2ErrorCode, description string) {
+	payload := oauth2Error{
+		Code:    code,
+		Message: description,
+	}
+
+	enc := json.NewEncoder(w)
+	enc.SetIndent("", "  ")
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusBadRequest)
+	if err := enc.Encode(payload); err != nil {
+		log.Println(err)
+
+		http.Error(w, `{"error": "failed to encode response"}`, http.StatusInternalServerError)
+		return
+	}
+}
+
+type TokenForm struct {
+	GrantType    string `json:"grant_type"`
+	ClientID     string `json:"client_id"`
+	ClientSecret string `json:"client_secret"`
+	Username     string `json:"username"`
+	Password     string `json:"password"`
+	Code         string `json:"code"`
+	RedirectURI  string `json:"redirect_uri"`
+	RefreshToken string `json:"refresh_token"`
+	Scope        string `json:"scope"`
+}
+
+type OAuth2TokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token,omitempty"`
+	TokenType    string `json:"token_type"`
+	ExpiresIn    int    `json:"expires_in"`
+}
+
+func HandleOAuth2(w http.ResponseWriter, r *http.Request) {
+	enc := json.NewEncoder(w)
+	enc.SetIndent("", "  ")
+
+	w.Header().Set("Content-Type", "application/json")
+
+	defer r.Body.Close()
+
+	if err := r.ParseForm(); err != nil {
+		log.Println(err)
+		SendOAuth2Error(w, ErrCodeInvalidRequest, "cannot parse url-encoded request body")
+		return
+	}
+
+	form := TokenForm{
+		GrantType:    r.PostForm.Get("grant_type"),
+		ClientID:     r.PostForm.Get("client_id"),
+		ClientSecret: r.PostForm.Get("client_secret"),
+		Username:     r.PostForm.Get("username"),
+		Password:     r.PostForm.Get("password"),
+		Code:         r.PostForm.Get("code"),
+		RedirectURI:  r.PostForm.Get("redirect_uri"),
+		RefreshToken: r.PostForm.Get("refresh_token"),
+		Scope:        r.PostForm.Get("scope"),
+	}
+
+	switch form.GrantType {
+	case "client_credentials":
+		if form.ClientID == "" || form.ClientSecret == "" {
+			SendOAuth2Error(w, ErrCodeInvalidRequest, "missing client credentials")
+			return
+		}
+
+		if !validateClientCredentials(r, form) {
+			SendOAuth2Error(w, ErrCodeInvalidClient, "invalid client id or secret")
+			return
+		}
+	case "password":
+		if form.ClientID == "" || form.ClientSecret == "" || form.Username == "" || form.Password == "" {
+			SendOAuth2Error(w, ErrCodeInvalidRequest, "missing resource owner password credentials")
+			return
+		}
+		if !validateClientCredentials(r, form) {
+			SendOAuth2Error(w, ErrCodeInvalidClient, "invalid client id or secret")
+			return
+		}
+		if form.Username != "testuser" || form.Password != "testpassword" {
+			SendOAuth2Error(w, ErrCodeInvalidGrant, "invalid username or password")
+			return
+		}
+	case "authorization_code":
+		if form.ClientID == "" || form.Code == "" {
+			SendOAuth2Error(w, ErrCodeInvalidRequest, "missing authorization code credentials")
+			return
+		}
+		if form.ClientID != "beezy" {
+			SendOAuth2Error(w, ErrCodeInvalidClient, "invalid client id")
+			return
+		}
+		if form.Code != "secret-auth-code" {
+			SendOAuth2Error(w, ErrCodeInvalidGrant, "")
+			return
+		}
+	case "refresh_token":
+		if form.RefreshToken == "" {
+			SendOAuth2Error(w, ErrCodeInvalidRequest, "missing refresh token")
+			return
+		}
+
+		if !validateClientCredentials(r, form) {
+			SendOAuth2Error(w, ErrCodeInvalidGrant, "invalid client id or secret")
+			return
+		}
+
+		rt, err := ParseToken(form.RefreshToken)
+		if err != nil {
+			SendOAuth2Error(w, ErrCodeInvalidRequest, "invalid refresh token")
+			return
+		}
+		if IsTokenExpired(rt) {
+			SendOAuth2Error(w, ErrCodeInvalidGrant, "refresh token has expired")
+			return
+		}
+	default:
+		SendOAuth2Error(w, ErrCodeUnsupportedGrantType, "unsupported grant type")
+		return
+	}
+
+	now := time.Now()
+	expires := now.Add(time.Hour)
+
+	accessTokenID := gofakeit.UUID()
+	accessTokenClaims := jwt.MapClaims{
+		"exp":       float64(expires.Unix()),
+		"id":        accessTokenID,
+		"grantType": form.GrantType,
+		"clientID":  form.ClientID,
+		"username":  form.Username,
+		"scope":     form.Scope,
+	}
+	accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessTokenClaims)
+	signedAccessToken, err := accessToken.SignedString([]byte(oauth2JWTSigningSecret))
+	if err != nil {
+		log.Println(err)
+		SendOAuth2Error(w, ErrCodeInvalidRequest, err.Error())
+		return
+	}
+
+	refreshTokenClaims := jwt.MapClaims{
+		"exp":       float64(now.Add(60 * 24 * time.Hour).Unix()),
+		"id":        gofakeit.UUID(),
+		"sub":       accessTokenID,
+		"grantType": "refresh_token",
+		"clientID":  form.ClientID,
+		"username":  form.Username,
+		"scope":     form.Scope,
+	}
+	refreshToken := jwt.NewWithClaims(jwt.SigningMethodHS256, refreshTokenClaims)
+	signedRefreshToken, err := refreshToken.SignedString([]byte(oauth2JWTSigningSecret))
+	if err != nil {
+		log.Println(err)
+		http.Error(w, `{"error": "failed to sign refresh token"}`, http.StatusInternalServerError)
+		return
+	}
+
+	res := OAuth2TokenResponse{
+		AccessToken:  signedAccessToken,
+		RefreshToken: signedRefreshToken,
+		TokenType:    "Bearer",
+		ExpiresIn:    max(int(expires.Sub(now).Seconds()), 0),
+	}
+
+	RegisterToken(accessTokenClaims)
+	RegisterToken(refreshTokenClaims)
+
+	if err := enc.Encode(res); err != nil {
+		http.Error(w, `{"error": "failed to encode response"}`, http.StatusInternalServerError)
+		return
+	}
+}
+
+func validateClientCredentials(r *http.Request, form TokenForm) bool {
+	clientID := form.ClientID
+	clientSecret := form.ClientSecret
+	if clientID == "" && clientSecret == "" {
+		clientID, clientSecret, _ = r.BasicAuth()
+	}
+
+	return clientID == "beezy" && clientSecret == "super-secret"
+}
+
+var tokenDB sync.Map
+var tokenDBLastAccess atomic.Value
+
+func RegisterToken(tokenClaims jwt.MapClaims) {
+	tokenDBLastAccess.Store(time.Now())
+
+	tokenID := tokenClaims["id"].(string)
+	expiry, err := tokenClaims.GetExpirationTime()
+	if err != nil {
+		panic(err)
+	}
+	tokenDB.Store(tokenID, expiry.Time)
+}
+
+func RefreshToken(refreshClaims jwt.MapClaims) {
+	tokenDBLastAccess.Store(time.Now())
+
+	tokenID := refreshClaims["sub"].(string)
+	expiry := time.Now().Add(time.Hour)
+	tokenDB.Store(tokenID, expiry)
+}
+
+func IsTokenExpired(tokenClaims jwt.MapClaims) bool {
+	tokenDBLastAccess.Store(time.Now())
+
+	tokenID := tokenClaims["id"].(string)
+	expiryClaim, err := tokenClaims.GetExpirationTime()
+	if err != nil {
+		panic(err)
+	}
+
+	exp, found := tokenDB.Load(tokenID)
+	if !found {
+		RegisterToken(tokenClaims)
+		exp = expiryClaim.Time
+	}
+
+	expiry := exp.(time.Time)
+
+	return expiry.Before(time.Now())
+}
+
+func StartTokenDBCompaction(ctx context.Context) {
+	ticker := time.NewTicker(time.Minute)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			lastAccess, ok := tokenDBLastAccess.Load().(time.Time)
+			now := time.Now()
+			if !ok {
+				lastAccess = now
+			}
+
+			delta := now.Sub(lastAccess)
+			if delta > 5*time.Minute {
+				tokenDB.Clear()
+			}
+		}
+	}
+}
+
+func ParseToken(encodedToken string) (jwt.MapClaims, error) {
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation(), jwt.WithValidMethods([]string{"HS256"}))
+	token, err := parser.Parse(encodedToken, func(token *jwt.Token) (any, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+
+		return []byte(oauth2JWTSigningSecret), nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return nil, fmt.Errorf("invalid access token string")
+	}
+
+	return claims, nil
+}