Merge pull request #21 from speakeasy-api/feat/basic-auth-token-server

ThomasRooney · web-flow · commit 3f27a7af2f2a · 2025-03-06T12:07:41.000Z
feat: basic auth token server
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
-.idea
+.idea
+*.iml
diff --git a/internal/clientcredentials/service.go b/internal/clientcredentials/service.go
@@ -1,6 +1,7 @@
 package clientcredentials
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"net/http"
 	"slices"
@@ -15,21 +16,57 @@ const (
 	secondAccessToken = "second-super-duper-access-token"
 )
 
+func handleBasicAuth(authHeader string) (clientID, clientSecret string, ok bool) {
+	// Remove "Basic " prefix (case-insensitive)
+	if !strings.HasPrefix(strings.ToLower(authHeader), "basic ") {
+		return "", "", false
+	}
+	encodedCreds := strings.TrimSpace(authHeader[6:])
+
+	// Decode base64
+	decodedCreds, err := base64.StdEncoding.DecodeString(strings.TrimSpace(encodedCreds))
+	if err != nil {
+		return "", "", false
+	}
+
+	// Split into username:password
+	creds := strings.SplitN(string(decodedCreds), ":", 2)
+	if len(creds) != 2 {
+		return "", "", false
+	}
+
+	return creds[0], creds[1], true
+}
+
+
 func HandleTokenRequest(w http.ResponseWriter, r *http.Request) {
+	var clientID, clientSecret string
 	err := r.ParseForm()
 	if err != nil {
 		http.Error(w, "invalid_request", http.StatusBadRequest)
 		return
 	}
 
+	// Check for Basic Auth header
+	if authHeader := r.Header.Get("Authorization"); strings.HasPrefix(strings.ToLower(authHeader), "basic ") {
+		var ok bool
+		clientID, clientSecret, ok = handleBasicAuth(authHeader)
+		if !ok {
+			http.Error(w, "invalid_client", http.StatusUnauthorized)
+			return
+		}
+	} else {
+		clientID = r.Form.Get("client_id")
+		clientSecret = r.Form.Get("client_secret")
+	}
 	grant_type := r.Form.Get("grant_type")
 	if grant_type != "client_credentials" {
 		http.Error(w, "invalid_grant", http.StatusBadRequest)
 		return
 	}
 
-	clientID := r.Form.Get("client_id")
-	clientSecret := r.Form.Get("client_secret")
+
+
 	if clientID == "" || clientSecret == "" {
 		http.Error(w, "invalid_request", http.StatusBadRequest)
 		return
diff --git a/internal/clientcredentials/service_test.go b/internal/clientcredentials/service_test.go
@@ -0,0 +1,142 @@
+package clientcredentials
+
+import (
+	"encoding/base64"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+)
+
+func TestHandleTokenRequest(t *testing.T) {
+	tests := []struct {
+		name           string
+		setupRequest   func() *http.Request
+		wantStatus     int
+		wantAccessToken string
+	}{
+		{
+			name: "valid form credentials",
+			setupRequest: func() *http.Request {
+				form := url.Values{}
+				form.Set("grant_type", "client_credentials")
+				form.Set("client_id", "speakeasy-sdks")
+				form.Set("client_secret", "supersecret-123")
+				form.Set("scope", "read write")
+
+				req := httptest.NewRequest(http.MethodPost, "/token", strings.NewReader(form.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				return req
+			},
+			wantStatus:     http.StatusOK,
+			wantAccessToken: firstAccessToken,
+		},
+		{
+			name: "valid basic auth",
+			setupRequest: func() *http.Request {
+				form := url.Values{}
+				form.Set("grant_type", "client_credentials")
+				form.Set("scope", "read write")
+
+				req := httptest.NewRequest(http.MethodPost, "/token", strings.NewReader(form.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+				// Create basic auth header
+				creds := base64.StdEncoding.EncodeToString([]byte("speakeasy-sdks:supersecret-123"))
+				req.Header.Set("Authorization", fmt.Sprintf("Basic %s", creds))
+
+				return req
+			},
+			wantStatus:     http.StatusOK,
+			wantAccessToken: firstAccessToken,
+		},
+		{
+			name: "invalid basic auth format",
+			setupRequest: func() *http.Request {
+				req := httptest.NewRequest(http.MethodPost, "/token", nil)
+				req.Header.Set("Authorization", "Basic invalid-base64")
+				return req
+			},
+			wantStatus: http.StatusUnauthorized,
+		},
+		{
+			name: "missing credentials in basic auth",
+			setupRequest: func() *http.Request {
+				req := httptest.NewRequest(http.MethodPost, "/token", nil)
+				// Encode just username without password
+				creds := base64.StdEncoding.EncodeToString([]byte("speakeasy-sdks"))
+				req.Header.Set("Authorization", fmt.Sprintf("Basic %s", creds))
+				return req
+			},
+			wantStatus: http.StatusUnauthorized,
+		},
+		{
+			name: "invalid credentials in basic auth",
+			setupRequest: func() *http.Request {
+				form := url.Values{}
+				form.Set("grant_type", "client_credentials")
+				req := httptest.NewRequest(http.MethodPost, "/token", strings.NewReader(form.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+				creds := base64.StdEncoding.EncodeToString([]byte("wrong:wrong"))
+				req.Header.Set("Authorization", fmt.Sprintf("Basic %s", creds))
+
+				return req
+			},
+			wantStatus: http.StatusUnauthorized,
+		},
+		{
+			name: "missing required scope in basic auth",
+			setupRequest: func() *http.Request {
+				form := url.Values{}
+				form.Set("grant_type", "client_credentials")
+				form.Set("scope", "read") // missing write scope
+
+				req := httptest.NewRequest(http.MethodPost, "/token", strings.NewReader(form.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+				creds := base64.StdEncoding.EncodeToString([]byte("speakeasy-sdks:supersecret-123"))
+				req.Header.Set("Authorization", fmt.Sprintf("Basic %s", creds))
+
+				return req
+			},
+			wantStatus: http.StatusBadRequest,
+		},
+		{
+			name: "case insensitive basic prefix",
+			setupRequest: func() *http.Request {
+				form := url.Values{}
+				form.Set("grant_type", "client_credentials")
+				form.Set("scope", "read write")
+
+				req := httptest.NewRequest(http.MethodPost, "/token", strings.NewReader(form.Encode()))
+				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+				creds := base64.StdEncoding.EncodeToString([]byte("speakeasy-sdks:supersecret-123"))
+				req.Header.Set("Authorization", fmt.Sprintf("BASIC %s", creds))
+
+				return req
+			},
+			wantStatus:     http.StatusOK,
+			wantAccessToken: firstAccessToken,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			w := httptest.NewRecorder()
+			HandleTokenRequest(w, tt.setupRequest())
+
+			if got := w.Code; got != tt.wantStatus {
+				t.Errorf("HandleTokenRequest() status = %v, want %v", got, tt.wantStatus)
+			}
+
+			if tt.wantStatus == http.StatusOK {
+				if !strings.Contains(w.Body.String(), tt.wantAccessToken) {
+					t.Errorf("HandleTokenRequest() response doesn't contain expected access token")
+				}
+			}
+		})
+	}
+}
