Support JWTs for oauth authentication

Lionelf329 · Dec 8, 2024 · cc8e95b · cc8e95b
1 parent c6695b6
commit cc8e95b
Show file tree

Hide file tree

Showing 5 changed files with 94 additions and 74 deletions.
diff --git a/.github/workflows/package.yaml b/.github/workflows/package.yaml
@@ -0,0 +1,30 @@
+name: package
+
+on:
+  push:
+    branches:
+      - auth
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v2
+
+    - name: Setup Go
+      uses: actions/setup-go@v2
+      with:
+        go-version: 1.21
+
+    - name: Build
+      run: |
+        cd examples/base
+        GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build
+
+    - name: Publish
+      uses: actions/upload-artifact@v4
+      with:
+        name: pocketbase
+        path: examples/base/base
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
diff --git a/apis/record_auth_with_oauth2.go b/apis/record_auth_with_oauth2.go
@@ -9,6 +9,8 @@ import (
 	"maps"
 	"net/http"
 	"time"
+	"github.com/pocketbase/pocketbase/tools/types"
+	"google.golang.org/api/idtoken"
 
 	validation "github.com/go-ozzo/ozzo-validation/v4"
 	"github.com/pocketbase/dbx"
@@ -68,24 +70,56 @@ func recordAuthWithOAuth2(e *core.RequestEvent) error {
 	defer cancel()
 
 	provider.SetContext(ctx)
-	provider.SetRedirectURL(form.RedirectURL)
+	var authUser *auth.AuthUser
+	if form.Provider == "google" && form.RedirectUrl == "Jwt" {
+		payload, err := idtoken.Validate(context.Background(), form.Code, provider.ClientId())
+		if err != nil {
+			return firstApiError(err, e.BadRequestError("Token validation failed.", err))
+		}
+		expiry, err := types.ParseDateTime(payload.Expires)
+		if err != nil {
+			return firstApiError(err, e.BadRequestError("Expiry check failed.", err))
+		}
+		authUser = &auth.AuthUser{
+			Id:           payload.Claims["sub"].(string),
+			Name:         payload.Claims["name"].(string),
+			Email:        payload.Claims["email"].(string),
+			AvatarUrl:    payload.Claims["picture"].(string),
+			Username:     "",
+			AccessToken:  "",
+			RefreshToken: "",
+			Expiry:       expiry,
+			RawUser: map[string]any{
+				"email":          payload.Claims["email"],
+				"family_name":    payload.Claims["family_name"],
+				"given_name":     payload.Claims["given_name"],
+				"id":             payload.Claims["sub"],
+				"locale":         payload.Claims["locale"],
+				"name":           payload.Claims["name"],
+				"picture":        payload.Claims["picture"],
+				"verified_email": payload.Claims["email_verified"],
+			},
+		}
+	} else {
+		provider.SetRedirectURL(form.RedirectURL)
 
-	var opts []oauth2.AuthCodeOption
+		var opts []oauth2.AuthCodeOption
 
-	if provider.PKCE() {
-		opts = append(opts, oauth2.SetAuthURLParam("code_verifier", form.CodeVerifier))
-	}
+		if provider.PKCE() {
+			opts = append(opts, oauth2.SetAuthURLParam("code_verifier", form.CodeVerifier))
+		}
 
-	// fetch token
-	token, err := provider.FetchToken(form.Code, opts...)
-	if err != nil {
-		return firstApiError(err, e.BadRequestError("Failed to fetch OAuth2 token.", err))
-	}
+		// fetch token
+		token, err := provider.FetchToken(form.Code, opts...)
+		if err != nil {
+			return firstApiError(err, e.BadRequestError("Failed to fetch OAuth2 token.", err))
+		}
 
-	// fetch external auth user
-	authUser, err := provider.FetchAuthUser(token)
-	if err != nil {
-		return firstApiError(err, e.BadRequestError("Failed to fetch OAuth2 user.", err))
+		// fetch external auth user
+		authUser, err = provider.FetchAuthUser(token)
+		if err != nil {
+			return firstApiError(err, e.BadRequestError("Failed to fetch OAuth2 user.", err))
+		}
 	}
 
 	var authRecord *core.Record

diff --git a/go.mod b/go.mod
@@ -29,10 +29,14 @@ require (
 	golang.org/x/net v0.31.0
 	golang.org/x/oauth2 v0.24.0
 	golang.org/x/sync v0.9.0
+	google.golang.org/api v0.209.0
 	modernc.org/sqlite v1.34.2
 )
 
 require (
+	cloud.google.com/go/auth v0.10.2 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.5 // indirect
+	cloud.google.com/go/compute/metadata v0.5.2 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21 // indirect
@@ -50,10 +54,15 @@ require (
 	github.com/dlclark/regexp2 v1.11.4 // indirect
 	github.com/dop251/base64dec v0.0.0-20231022112746-c6c9f9a96217 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-sourcemap/sourcemap v2.1.4+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/pprof v0.0.0-20240727154555-813a5fbdbec8 // indirect
+	github.com/google/s2a-go v0.1.8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
 	github.com/googleapis/gax-go/v2 v2.14.0 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -64,8 +73,11 @@ require (
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/testify v1.8.2 // indirect
 	go.opencensus.io v0.24.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
+	go.opentelemetry.io/otel v1.29.0 // indirect
+	go.opentelemetry.io/otel/metric v1.29.0 // indirect
+	go.opentelemetry.io/otel/trace v1.29.0 // indirect
 	golang.org/x/exp v0.0.0-20241108190413-2d47ceb2692f // indirect
 	golang.org/x/image v0.22.0 // indirect
 	golang.org/x/mod v0.22.0 // indirect
@@ -74,7 +86,6 @@ require (
 	golang.org/x/text v0.20.0 // indirect
 	golang.org/x/tools v0.27.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
-	google.golang.org/api v0.209.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241118233622-e639e219e697 // indirect
 	google.golang.org/grpc v1.68.0 // indirect
 	google.golang.org/protobuf v1.35.2 // indirect

diff --git a/go.sum b/go.sum
@@ -102,6 +102,7 @@ github.com/gabriel-vasile/mimetype v1.4.7 h1:SKFKl7kD0RiPdbht0s7hFtjl489WcQ1VyPW
 github.com/gabriel-vasile/mimetype v1.4.7/go.mod h1:GDlAgAyIRT27BhFl53XNAFtfjzOkLaF35JdEG0P7LtU=
 github.com/ganigeorgiev/fexpr v0.4.1 h1:hpUgbUEEWIZhSDBtf4M9aUNfQQ0BZkGRaMePy7Gcx5k=
 github.com/ganigeorgiev/fexpr v0.4.1/go.mod h1:RyGiGqmeXhEQ6+mlGdnUleLHgtzzu/VGO2WtJkF5drE=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -205,8 +206,8 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=