forked from deanishe/alfred-gcal
-
Notifications
You must be signed in to change notification settings - Fork 0
/
auth.go
175 lines (149 loc) · 4.28 KB
/
auth.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
//
// Copyright (c) 2017 Dean Jackson <[email protected]>
//
// MIT Licence. See http://opensource.org/licenses/MIT
//
// Created on 2017-11-25
//
package main
import (
"crypto/rand"
"encoding/json"
"fmt"
"io"
"log"
"net/http"
"os"
"os/exec"
"golang.org/x/net/context"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
"google.golang.org/api/calendar/v3"
)
const (
authServerURL = "localhost:61432"
)
type response struct {
code string
err error
}
// Authenticator creates an authenticated Google API client
type Authenticator struct {
Secret []byte
TokenFile string
state string
client *http.Client
}
// NewAuthenticator creates a new Authenticator
func NewAuthenticator(tokenFile string, secret []byte) *Authenticator {
return &Authenticator{Secret: secret, TokenFile: tokenFile}
}
// GetClient returns an authenticated Google API client
func (a *Authenticator) GetClient() (*http.Client, error) {
if a.client != nil {
return a.client, nil
}
// generate CSRF token
b := make([]byte, 32)
_, err := rand.Read(b)
if err != nil {
return nil, fmt.Errorf("couldn't read random bytes: %v", err)
}
a.state = fmt.Sprintf("%x", b)
ctx := context.Background()
cfg, err := google.ConfigFromJSON(a.Secret, calendar.CalendarReadonlyScope)
if err != nil {
return nil, fmt.Errorf("couldn't load config: %v", err)
}
tok, err := a.tokenFromFile()
if err != nil {
tok, err = a.tokenFromWeb(cfg)
if err != nil {
return nil, fmt.Errorf("couldn't get token from web: %v", err)
}
a.saveToken(tok)
}
a.client = cfg.Client(ctx, tok)
return a.client, nil
}
// tokenFromFile loads the oauth2 token from a file
func (a *Authenticator) tokenFromFile() (*oauth2.Token, error) {
f, err := os.Open(a.TokenFile)
if err != nil {
return nil, fmt.Errorf("couldn't open token file: %v", err)
}
tok := &oauth2.Token{}
err = json.NewDecoder(f).Decode(tok)
defer f.Close()
return tok, err
}
// saveToken saves an oauth2 token to a file
func (a *Authenticator) saveToken(tok *oauth2.Token) error {
f, err := os.OpenFile(a.TokenFile, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
if err != nil {
return fmt.Errorf("couldn't open token file: %v", err)
}
defer f.Close()
return json.NewEncoder(f).Encode(tok)
}
// tokenFromWeb initiates web-based authentication and retrieves the oauth2 token
func (a *Authenticator) tokenFromWeb(cfg *oauth2.Config) (*oauth2.Token, error) {
if err := a.openAuthURL(cfg); err != nil {
return nil, fmt.Errorf("couldn't open auth URL: %v", err)
}
code, err := a.codeFromLocalServer()
if err != nil {
return nil, fmt.Errorf("couldn't get token from local server: %v", err)
}
tok, err := cfg.Exchange(oauth2.NoContext, code)
if err != nil {
return nil, fmt.Errorf("couldn't retrieve token from web: %v", err)
}
return tok, nil
}
// openAuthURL opens the Google API authentication URL in the default browser
func (a *Authenticator) openAuthURL(cfg *oauth2.Config) error {
authURL := cfg.AuthCodeURL(a.state, oauth2.AccessTypeOffline, oauth2.ApprovalForce)
cmd := exec.Command("/usr/bin/open", authURL)
if err := cmd.Run(); err != nil {
return fmt.Errorf("couldn't open auth URL: %v", err)
}
return nil
}
// codeFromLocalServer starts a local webserver to receive the oauth2 token
// from Google
func (a *Authenticator) codeFromLocalServer() (string, error) {
c := make(chan response)
srv := &http.Server{Addr: authServerURL}
go func() {
log.Printf("local webserver started")
if err := srv.ListenAndServe(); err != nil {
c <- response{err: err}
}
}()
http.HandleFunc("/", func(w http.ResponseWriter, req *http.Request) {
vars := req.URL.Query()
code := vars.Get("code")
state := vars.Get("state")
log.Printf("oauth2 state=%v", state)
log.Printf("oauth2 code=%s", code)
// Verify state to prevent CSRF
if state != a.state {
c <- response{err: fmt.Errorf("state mismatch: expected=%s, got=%s", a.state, state)}
io.WriteString(w, "bad state\n")
return
}
c <- response{code: code}
io.WriteString(w, "ok\n")
})
r := <-c
// log.Printf("srv=%+v, response=%+v", srv, r)
if err := srv.Shutdown(context.Background()); err != nil {
log.Printf("shutdown error: %v", err)
if err != http.ErrServerClosed {
return "", fmt.Errorf("local webserver error: %v", err)
}
}
log.Printf("local webserver stopped")
return r.code, r.err
}