Support JWTs for oauth authentication

Lionelf329 · Mar 25, 2024 · 85db6cc · 85db6cc
1 parent 7ce2545
commit 85db6cc
Show file tree

Hide file tree

Showing 5 changed files with 93 additions and 71 deletions.
diff --git a/.github/workflows/package.yaml b/.github/workflows/package.yaml
@@ -0,0 +1,30 @@
+name: package
+
+on:
+  push:
+    branches:
+      - auth
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    - name: Setup Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.21
+
+    - name: Build
+      run: |
+        cd examples/base
+        GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build
+
+    - name: Publish
+      uses: actions/upload-artifact@v2
+      with:
+        name: pocketbase
+        path: examples/base/base
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
diff --git a/forms/record_oauth2_login.go b/forms/record_oauth2_login.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"github.com/pocketbase/pocketbase/tools/types"
+	"google.golang.org/api/idtoken"
 	"time"
 
 	validation "github.com/go-ozzo/ozzo-validation/v4"
@@ -140,24 +142,56 @@ func (form *RecordOAuth2Login) Submit(
 		return nil, nil, err
 	}
 
-	provider.SetRedirectUrl(form.RedirectUrl)
+	var authUser *auth.AuthUser
+	if form.Provider == "google" && form.RedirectUrl == "Jwt" {
+		payload, err := idtoken.Validate(context.Background(), form.Code, provider.ClientId())
+		if err != nil {
+			return nil, nil, err
+		}
+		expiry, err := types.ParseDateTime(payload.Expires)
+		if err != nil {
+			return nil, nil, err
+		}
+		authUser = &auth.AuthUser{
+			Id:           payload.Claims["sub"].(string),
+			Name:         payload.Claims["name"].(string),
+			Email:        payload.Claims["email"].(string),
+			AvatarUrl:    payload.Claims["picture"].(string),
+			Username:     "",
+			AccessToken:  "",
+			RefreshToken: "",
+			Expiry:       expiry,
+			RawUser: map[string]any{
+				"email":          payload.Claims["email"],
+				"family_name":    payload.Claims["family_name"],
+				"given_name":     payload.Claims["given_name"],
+				"id":             payload.Claims["sub"],
+				"locale":         payload.Claims["locale"],
+				"name":           payload.Claims["name"],
+				"picture":        payload.Claims["picture"],
+				"verified_email": payload.Claims["email_verified"],
+			},
+		}
+	} else {
+		provider.SetRedirectUrl(form.RedirectUrl)
 
-	var opts []oauth2.AuthCodeOption
+		var opts []oauth2.AuthCodeOption
 
-	if provider.PKCE() {
-		opts = append(opts, oauth2.SetAuthURLParam("code_verifier", form.CodeVerifier))
-	}
+		if provider.PKCE() {
+			opts = append(opts, oauth2.SetAuthURLParam("code_verifier", form.CodeVerifier))
+		}
 
-	// fetch token
-	token, err := provider.FetchToken(form.Code, opts...)
-	if err != nil {
-		return nil, nil, err
-	}
+		// fetch token
+		token, err := provider.FetchToken(form.Code, opts...)
+		if err != nil {
+			return nil, nil, err
+		}
 
-	// fetch external auth user
-	authUser, err := provider.FetchAuthUser(token)
-	if err != nil {
-		return nil, nil, err
+		// fetch external auth user
+		authUser, err = provider.FetchAuthUser(token)
+		if err != nil {
+			return nil, nil, err
+		}
 	}
 
 	var authRecord *models.Record

diff --git a/go.mod b/go.mod
@@ -31,10 +31,13 @@ require (
 	golang.org/x/net v0.22.0
 	golang.org/x/oauth2 v0.18.0
 	golang.org/x/sync v0.6.0
+	google.golang.org/api v0.171.0
 	modernc.org/sqlite v1.29.5
 )
 
 require (
+	cloud.google.com/go/compute v1.25.0 // indirect
+	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aws/aws-sdk-go v1.51.6 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.1 // indirect
@@ -53,12 +56,17 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.28.5 // indirect
 	github.com/dlclark/regexp2 v1.10.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/pprof v0.0.0-20230926050212-f7f687d19a98 // indirect
+	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/google/wire v0.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.3 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -73,6 +81,10 @@ require (
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.2 // indirect
 	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+	go.opentelemetry.io/otel v1.24.0 // indirect
+	go.opentelemetry.io/otel/metric v1.24.0 // indirect
+	go.opentelemetry.io/otel/trace v1.24.0 // indirect
 	golang.org/x/image v0.15.0 // indirect
 	golang.org/x/mod v0.16.0 // indirect
 	golang.org/x/sys v0.18.0 // indirect
@@ -81,7 +93,6 @@ require (
 	golang.org/x/time v0.5.0 // indirect
 	golang.org/x/tools v0.19.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
-	google.golang.org/api v0.171.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240318140521-94a12d6c2237 // indirect
 	google.golang.org/grpc v1.62.1 // indirect

diff --git a/go.sum b/go.sum
@@ -105,6 +105,7 @@ github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uq
 github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
 github.com/ganigeorgiev/fexpr v0.4.0 h1:ojitI+VMNZX/odeNL1x3RzTTE8qAIVvnSSYPNAnQFDI=
 github.com/ganigeorgiev/fexpr v0.4.0/go.mod h1:RyGiGqmeXhEQ6+mlGdnUleLHgtzzu/VGO2WtJkF5drE=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -234,8 +235,8 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasttemplate v1.2.2 h1:lxLXG0uE3Qnshl9QyaK6XJxMXlQZELvChBOCmQD0Loo=