removed membership local volatile and better use os state in OAuth flow

Author: dstpierre

membership.go

@@ -18,7 +18,7 @@ import (
 )
 
 type membership struct {
-	volatile internal.Volatilizer
+	//volatile internal.Volatilizer
 }
 
 func (m *membership) emailExists(w http.ResponseWriter, r *http.Request) {
@@ -83,11 +83,11 @@ func (m *membership) login(w http.ResponseWriter, r *http.Request) {
 
 	//TODO: find a good way to find all occurences of those two
 	// and make them easily callable via a shared function
-	if err := m.volatile.SetTyped(token, auth); err != nil {
+	if err := volatile.SetTyped(token, auth); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-	if err := m.volatile.SetTyped("base:"+token, conf); err != nil {
+	if err := volatile.SetTyped("base:"+token, conf); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
@@ -151,11 +151,11 @@ func (m *membership) register(w http.ResponseWriter, r *http.Request) {
 		Token:     tok.Token,
 	}
 
-	if err := m.volatile.SetTyped(token, auth); err != nil {
+	if err := volatile.SetTyped(token, auth); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
-	if err := m.volatile.SetTyped("base:"+token, conf); err != nil {
+	if err := volatile.SetTyped("base:"+token, conf); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
@@ -212,7 +212,7 @@ func (m *membership) createUser(dbName, accountID, email, password string, role
 		Role:      role,
 		Token:     tok.Token,
 	}
-	if err := m.volatile.SetTyped(token, auth); err != nil {
+	if err := volatile.SetTyped(token, auth); err != nil {
 		return nil, tok, err
 	}
 
@@ -394,7 +394,7 @@ func (m *membership) sudoGetTokenFromAccountID(w http.ResponseWriter, r *http.Re
 		Role:      tok.Role,
 		Token:     tok.Token,
 	}
-	if err := m.volatile.SetTyped(token, auth); err != nil {
+	if err := volatile.SetTyped(token, auth); err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}

oauth.go

@@ -76,7 +76,7 @@ func (el *ExternalLogins) login() http.Handler {
 		}
 
 		next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			sess, err := p.BeginAuth(reqID)
+			sess, err := p.BeginAuth(el.toState(provider, reqID, conf.ID))
 			if err != nil {
 				http.Error(w, err.Error(), http.StatusInternalServerError)
 				return
@@ -102,13 +102,15 @@ func (el *ExternalLogins) login() http.Handler {
 
 func (el *ExternalLogins) callback() http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		provider := r.URL.Query().Get("provider")
-		reqID := r.URL.Query().Get("reqid")
+		provider, reqID, baseID := el.fromState(el.getState(r))
 
 		var conf internal.BaseConfig
 		if err := volatile.GetTyped("oauth_"+reqID, &conf); err != nil {
 			http.Error(w, err.Error(), http.StatusBadRequest)
 			return
+		} else if conf.ID != baseID {
+			http.Error(w, "invalid request", http.StatusBadRequest)
+			return
 		}
 
 		customer, err := datastore.FindAccount(conf.CustomerID)
@@ -237,7 +239,7 @@ func (el *ExternalLogins) signIn(dbName, email string) (sessionToken string, err
 func (el *ExternalLogins) signUp(dbName, provider, email, accessToken string) (sessionToken string, err error) {
 	pw := fmt.Sprintf("%s:%s", provider, accessToken)
 
-	b, _, err := el.membership.createAccountAndUser(dbName, email, pw, 100)
+	b, _, err := el.membership.createAccountAndUser(dbName, email, pw, 0)
 	if err != nil {
 		return
 	}
@@ -248,11 +250,8 @@ func (el *ExternalLogins) signUp(dbName, provider, email, accessToken string) (s
 
 func (el *ExternalLogins) getProvider(dbID, provider, reqID string, info internal.OAuthConfig) (p goth.Provider, err error) {
 	callbackURL := fmt.Sprintf(
-		"%s/oauth/callback?provider=%s&reqid=%s&sbpk=%s",
+		"%s/oauth/callback",
 		config.Current.AppURL,
-		provider,
-		reqID,
-		dbID,
 	)
 
 	if provider == OAuthProviderTwitter {
@@ -272,3 +271,19 @@ func (*ExternalLogins) getState(r *http.Request) string {
 	}
 	return params.Get("state")
 }
+
+func (*ExternalLogins) toState(provider, reqID, baseID string) string {
+	return fmt.Sprintf("%s_%s_%s", provider, reqID, baseID)
+}
+
+func (*ExternalLogins) fromState(state string) (provider, reqID, baseID string) {
+	parts := strings.Split(state, "_")
+	if len(parts) != 3 {
+		return
+	}
+
+	provider = parts[0]
+	reqID = parts[1]
+	baseID = parts[2]
+	return
+}

server.go

@@ -138,7 +138,7 @@ func Start(c config.AppConfig) {
 		middleware.RequireRoot(datastore),
 	}
 
-	m := &membership{volatile: volatile}
+	m := &membership{}
 
 	http.Handle("/login", middleware.Chain(http.HandlerFunc(m.login), pubWithDB...))
 	http.Handle("/register", middleware.Chain(http.HandlerFunc(m.register), pubWithDB...))
@@ -151,7 +151,7 @@ func Start(c config.AppConfig) {
 	// oauth handlers
 	el := &ExternalLogins{}
 	http.Handle("/oauth/login", middleware.Chain(el.login(), pubWithDB...))
-	http.Handle("/oauth/callback/", middleware.Chain(el.callback(), pubWithDB...))
+	http.Handle("/oauth/callback/", middleware.Chain(el.callback(), stdPub...))
 	http.Handle("/oauth/get-user", middleware.Chain(http.HandlerFunc(el.getUser), pubWithDB...))
 
 	http.Handle("/sudogettoken/", middleware.Chain(http.HandlerFunc(m.sudoGetTokenFromAccountID), stdRoot...))