polycule-connect/polyculeconnect/controller/auth/approval.go

package auth

import (
	"bytes"
	"fmt"
	"html/template"
	"io"
	"net/http"
	"path/filepath"

	"git.faercol.me/faercol/polyculeconnect/polyculeconnect/helpers"
	"git.faercol.me/faercol/polyculeconnect/polyculeconnect/internal/db"
	"github.com/google/uuid"
	"go.uber.org/zap"
)

const ApprovalRoute = "/approval"

var scopeDescriptions = map[string]string{
	"offline_access": "Have offline access",
	"profile":        "View basic profile information",
	"email":          "View your email address",
	"groups":         "View your groups",
}

func scopeDescription(rawScope string) string {
	if desc, ok := scopeDescriptions[rawScope]; ok {
		return desc
	}
	return rawScope
}

type approvalData struct {
	Scopes    []string
	Client    string
	AuthReqID string
}

type ApprovalController struct {
	l       *zap.SugaredLogger
	st      db.Storage
	baseDir string
}

func NewApprovalController(l *zap.SugaredLogger, st db.Storage, baseDir string) *ApprovalController {
	return &ApprovalController{
		l:       l,
		st:      st,
		baseDir: baseDir,
	}
}

func (c *ApprovalController) handleFormResponse(w http.ResponseWriter, r *http.Request) {
	reqID, err := uuid.Parse(r.Form.Get("req"))
	if err != nil {
		c.l.Errorf("Invalid request ID: %s", err)
		helpers.HandleResponse(w, r, http.StatusBadRequest, []byte("invalid query format"), c.l)
		return
	}

	if r.Form.Get("approval") != "approve" {
		c.l.Debug("Approval rejected")
		helpers.HandleResponse(w, r, http.StatusBadRequest, []byte("approval rejected"), c.l)
		return
	}

	if err := c.st.AuthRequestStorage().GiveConsent(r.Context(), reqID); err != nil {
		c.l.Errorf("Failed to approve request: %s", err)
		helpers.HandleResponse(w, r, http.StatusInternalServerError, nil, c.l)
		return
	}

	http.Redirect(w, r, fmt.Sprintf("/callback?code=%s&state=%s", r.Form.Get("code"), reqID.String()), http.StatusSeeOther)
}

func (c *ApprovalController) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		c.l.Errorf("Failed to parse query: %s", err)
		helpers.HandleResponse(w, r, http.StatusBadRequest, []byte("invalid query format"), c.l)
		return
	}

	if r.Method == http.MethodPost {
		c.handleFormResponse(w, r)
		return
	}

	state := r.Form.Get("state")
	reqID, err := uuid.Parse(state)
	if err != nil {
		c.l.Errorf("Invalid state %q: %s", state, err)
		helpers.HandleResponse(w, r, http.StatusBadRequest, []byte("unexpected state"), c.l)
		return
	}

	req, err := c.st.AuthRequestStorage().GetAuthRequestByID(r.Context(), reqID)
	if err != nil {
		c.l.Errorf("Failed to get auth request from DB: %s", err)
		helpers.HandleResponse(w, r, http.StatusInternalServerError, nil, c.l)
		return
	}

	app, err := c.st.ClientStorage().GetClientByID(r.Context(), req.ClientID)
	if err != nil {
		c.l.Errorf("Failed to get client details from DB: %s", err)
		helpers.HandleResponse(w, r, http.StatusInternalServerError, nil, c.l)
		return
	}

	data := approvalData{
		Scopes:    []string{},
		Client:    app.Name,
		AuthReqID: reqID.String(),
	}
	for _, s := range req.Scopes {
		if s == "openid" { // it's implied we want that, no consent is really important there
			continue
		}
		data.Scopes = append(data.Scopes, scopeDescription(s))
	}

	lp := filepath.Join(c.baseDir, "templates", "approval.html")
	hdrTpl := filepath.Join(c.baseDir, "templates", "header.html")
	footTpl := filepath.Join(c.baseDir, "templates", "footer.html")
	tmpl, err := template.New("approval.html").ParseFiles(hdrTpl, footTpl, lp)
	if err != nil {
		c.l.Errorf("Failed to parse templates: %s", err)
		helpers.HandleResponse(w, r, http.StatusInternalServerError, nil, c.l)
		return
	}
	buf := new(bytes.Buffer)

	if err := tmpl.Execute(buf, data); err != nil {
		c.l.Errorf("Failed to execute template: %s", err)
		helpers.HandleResponse(w, r, http.StatusInternalServerError, nil, c.l)
		return
	}
	_, err = io.Copy(w, buf)
	if err != nil {
		c.l.Errorf("Failed to write response: %s", err)
		helpers.HandleResponse(w, r, http.StatusInternalServerError, nil, c.l)
		return
	}
}