Add functionality to revoke tokens

.travis.yml

@@ -3,9 +3,8 @@ language: go
 sudo: false
 
 go:
-  - 1.5
-  - 1.6
   - 1.7
+  - 1.8
   - tip
 
 matrix:

README.md

@@ -27,6 +27,7 @@ $ go get github.com/markbates/goth
 * Digital Ocean
 * Discord
 * Dropbox
+* Eve Online
 * Facebook
 * Fitbit
 * GitHub

examples/main.go

@@ -25,6 +25,7 @@ import (
 	"github.com/markbates/goth/providers/digitalocean"
 	"github.com/markbates/goth/providers/discord"
 	"github.com/markbates/goth/providers/dropbox"
+	"github.com/markbates/goth/providers/eveonline"
 	"github.com/markbates/goth/providers/facebook"
 	"github.com/markbates/goth/providers/fitbit"
 	"github.com/markbates/goth/providers/github"
@@ -92,6 +93,7 @@ func main() {
 		yammer.New(os.Getenv("YAMMER_KEY"), os.Getenv("YAMMER_SECRET"), "http://localhost:3000/auth/yammer/callback"),
 		onedrive.New(os.Getenv("ONEDRIVE_KEY"), os.Getenv("ONEDRIVE_SECRET"), "http://localhost:3000/auth/onedrive/callback"),
 		battlenet.New(os.Getenv("BATTLENET_KEY"), os.Getenv("BATTLENET_SECRET"), "http://localhost:3000/auth/battlenet/callback"),
+		eveonline.New(os.Getenv("EVEONLINE_KEY"), os.Getenv("EVEONLINE_SECRET"), "http://localhost:3000/auth/eveonline/callback"),
 
 		//Pointed localhost.com to http://localhost:3000/auth/yahoo/callback through proxy as yahoo
 		// does not allow to put custom ports in redirection uri
@@ -134,6 +136,7 @@ func main() {
 	m["digitalocean"] = "Digital Ocean"
 	m["discord"] = "Discord"
 	m["dropbox"] = "Dropbox"
+	m["eveonline"] = "Eve Online"
 	m["facebook"] = "Facebook"
 	m["fitbit"] = "Fitbit"
 	m["github"] = "Github"
@@ -185,7 +188,11 @@ func main() {
 	})
 
 	p.Get("/logout/{provider}", func(res http.ResponseWriter, req *http.Request) {
-		gothic.Logout(res, req)
+		err := gothic.Logout(res, req)
+		if err != nil {
+			fmt.Fprintln(res, "Error occured during logout: ", err)
+		}
+
 		res.Header().Set("Location", "/")
 		res.WriteHeader(http.StatusTemporaryRedirect)
 	})

gothic/gothic.go

@@ -8,11 +8,14 @@ See https://github.com/markbates/goth/examples/main.go to see this in action.
 package gothic
 
 import (
+	"encoding/base64"
 	"errors"
 	"fmt"
+	"math/rand"
 	"net/http"
 	"net/url"
 	"os"
+	"time"
 
 	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
@@ -28,6 +31,8 @@ var defaultStore sessions.Store
 
 var keySet = false
 
+var gothicRand *rand.Rand
+
 func init() {
 	key := []byte(os.Getenv("SESSION_SECRET"))
 	keySet = len(key) != 0
@@ -36,6 +41,7 @@ func init() {
 	cookieStore.Options.HttpOnly = true
 	Store = cookieStore
 	defaultStore = Store
+	gothicRand = rand.New(rand.NewSource(time.Now().UnixNano()))
 }
 
 /*
@@ -69,8 +75,16 @@ var SetState = func(req *http.Request) string {
 		return state
 	}
 
-	return "state"
-
+	// If a state query param is not passed in, generate a random
+	// base64-encoded nonce so that the state on the auth URL
+	// is unguessable, preventing CSRF attacks, as described in
+	//
+	// https://auth0.com/docs/protocols/oauth2/oauth-state#keep-reading
+	nonceBytes := make([]byte, 64)
+	for i := 0; i < 64; i++ {
+		nonceBytes[i] = byte(gothicRand.Int63() % 256)
+	}
+	return base64.URLEncoding.EncodeToString(nonceBytes)
 }
 
 // GetState gets the state returned by the provider during the callback.
@@ -152,6 +166,8 @@ var CompleteUserAuth = func(res http.ResponseWriter, req *http.Request) (goth.Us
 		return goth.User{}, err
 	}
 
+	defer Logout(res, req)
+
 	sess, err := provider.UnmarshalSession(value)
 	if err != nil {
 		return goth.User{}, err
@@ -180,7 +196,8 @@ var CompleteUserAuth = func(res http.ResponseWriter, req *http.Request) (goth.Us
 		return goth.User{}, err
 	}
 
-	return provider.FetchUser(sess)
+	gu, err := provider.FetchUser(sess)
+	return gu, err
 }
 
 // validateState ensures that the state token param from the original
@@ -214,12 +231,37 @@ func Logout(res http.ResponseWriter, req *http.Request) error {
 	if err != nil {
 		return err
 	}
+
+	// do revoke call only if we have a session
+	if len(session.Values) != 0 {
+		provider, err := goth.GetProvider(providerName)
+		if err != nil {
+			return err
+		}
+
+		value, err := getFromSession(providerName, req)
+		if err != nil {
+			return err
+		}
+		sess, err := provider.UnmarshalSession(value)
+		if err != nil {
+			return err
+		}
+
+		err = session.Save(req, res)
+
+		err = provider.Revoke(sess)
+		if err != nil {
+			return errors.New("Could not revoke token")
+		}
+	}
 	session.Options.MaxAge = -1
 	session.Values = make(map[interface{}]interface{})
 	err = session.Save(req, res)
 	if err != nil {
 		return errors.New("Could not delete user session ")
 	}
+
 	return nil
 }
 
@@ -231,6 +273,20 @@ func Logout(res http.ResponseWriter, req *http.Request) error {
 var GetProviderName = getProviderName
 
 func getProviderName(req *http.Request) (string, error) {
+
+	// get all the used providers
+	providers := goth.GetProviders()
+
+	// loop over the used providers, if we already have a valid session for any provider (ie. user is already logged-in with a provider), then return that provider name
+	for _, provider := range providers {
+		p := provider.Name()
+		session, _ := Store.Get(req, p+SessionName)
+		value := session.Values[p]
+		if _, ok := value.(string); ok {
+			return p, nil
+		}
+	}
+
 	// try to get it from the url param "provider"
 	if p := req.URL.Query().Get("provider"); p != "" {
 		return p, nil
@@ -246,6 +302,11 @@ func getProviderName(req *http.Request) (string, error) {
 		return p, nil
 	}
 
+	//  try to get it from the go-context's value of "provider" key
+	if p, ok := req.Context().Value("provider").(string); ok {
+		return p, nil
+	}
+
 	// if not found then return an empty string with the corresponding error
 	return "", errors.New("you must select a provider")
 }

gothic/gothic_test.go

@@ -1,8 +1,11 @@
 package gothic_test
 
 import (
+	"fmt"
+	"html"
 	"net/http"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 
 	"github.com/gorilla/sessions"
@@ -44,9 +47,12 @@ func (p ProviderStore) Save(r *http.Request, w http.ResponseWriter, s *sessions.
 	return nil
 }
 
+var fauxProvider goth.Provider
+
 func init() {
 	Store = NewProviderStore()
-	goth.UseProviders(&faux.Provider{})
+	fauxProvider = &faux.Provider{}
+	goth.UseProviders(fauxProvider)
 }
 
 func Test_BeginAuthHandler(t *testing.T) {
@@ -58,9 +64,24 @@ func Test_BeginAuthHandler(t *testing.T) {
 
 	BeginAuthHandler(res, req)
 
+	sess, err := Store.Get(req, "faux"+SessionName)
+	if err != nil {
+		t.Fatalf("error getting faux Gothic session: %v", err)
+	}
+	sessStr, ok := sess.Values["faux"].(string)
+	if !ok {
+		t.Fatalf("Gothic session not stored as marshalled string; was %T (value %v)",
+			sess.Values["faux"], sess.Values["faux"])
+	}
+	gothSession, err := fauxProvider.UnmarshalSession(sessStr)
+	if err != nil {
+		t.Fatalf("error unmarshalling faux Gothic session: %v", err)
+	}
+	au, _ := gothSession.GetAuthURL()
+
 	a.Equal(http.StatusTemporaryRedirect, res.Code)
 	a.Contains(res.Body.String(),
-		`<a href="http://example.com/auth?client_id=&amp;response_type=code&amp;state=state">Temporary Redirect</a>`)
+		fmt.Sprintf(`<a href="%s">Temporary Redirect</a>`, html.EscapeString(au)))
 }
 
 func Test_GetAuthURL(t *testing.T) {
@@ -70,11 +91,28 @@ func Test_GetAuthURL(t *testing.T) {
 	req, err := http.NewRequest("GET", "/auth?provider=faux", nil)
 	a.NoError(err)
 
-	url, err := GetAuthURL(res, req)
-
+	u, err := GetAuthURL(res, req)
 	a.NoError(err)
 
-	a.Equal("http://example.com/auth?client_id=&response_type=code&state=state", url)
+	// Check that we get the correct auth URL with a state parameter
+	parsed, err := url.Parse(u)
+	a.NoError(err)
+	a.Equal("http", parsed.Scheme)
+	a.Equal("example.com", parsed.Host)
+	q := parsed.Query()
+	a.Contains(q, "client_id")
+	a.Equal("code", q.Get("response_type"))
+	a.NotZero(q, "state")
+
+	// Check that if we run GetAuthURL on another request, that request's
+	// auth URL has a different state from the previous one.
+	req2, err := http.NewRequest("GET", "/auth?provider=faux", nil)
+	a.NoError(err)
+	url2, err := GetAuthURL(httptest.NewRecorder(), req2)
+	a.NoError(err)
+	parsed2, err := url.Parse(url2)
+	a.NoError(err)
+	a.NotEqual(parsed.Query().Get("state"), parsed2.Query().Get("state"))
 }
 
 func Test_CompleteUserAuth(t *testing.T) {

provider.go

@@ -19,6 +19,7 @@ type Provider interface {
 	Debug(bool)
 	RefreshToken(refreshToken string) (*oauth2.Token, error) //Get new access token based on the refresh token
 	RefreshTokenAvailable() bool                             //Refresh token is provided by auth provider or not
+	Revoke(Session) error
 }
 
 const NoAuthUrlErrorMessage = "an AuthURL has not been set"

providers/amazon/amazon.go

@@ -10,9 +10,10 @@ import (
 	"net/http"
 	"net/url"
 
+	"fmt"
+
 	"github.com/markbates/goth"
 	"golang.org/x/oauth2"
-	"fmt"
 )
 
 const (
@@ -36,10 +37,10 @@ type Provider struct {
 // create one manually.
 func New(clientKey, secret, callbackURL string, scopes ...string) *Provider {
 	p := &Provider{
-		ClientKey:           clientKey,
-		Secret:              secret,
-		CallbackURL:         callbackURL,
-		providerName:        "amazon",
+		ClientKey:    clientKey,
+		Secret:       secret,
+		CallbackURL:  callbackURL,
+		providerName: "amazon",
 	}
 	p.config = newConfig(p, scopes)
 	return p
@@ -165,3 +166,8 @@ func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
 	}
 	return newToken, err
 }
+
+// Revoke is not supported by the amazon oauth api
+func (p *Provider) Revoke(session goth.Session) error {
+	return nil
+}

providers/auth0/auth0.go

@@ -8,9 +8,10 @@ import (
 	"io"
 	"net/http"
 
+	"fmt"
+
 	"github.com/markbates/goth"
 	"golang.org/x/oauth2"
-	"fmt"
 )
 
 const (
@@ -44,11 +45,11 @@ type auth0UserResp struct {
 // create one manually.
 func New(clientKey, secret, callbackURL string, auth0Domain string, scopes ...string) *Provider {
 	p := &Provider{
-		ClientKey:           clientKey,
-		Secret:              secret,
-		CallbackURL:         callbackURL,
-		Domain:              auth0Domain,
-		providerName:        "auth0",
+		ClientKey:    clientKey,
+		Secret:       secret,
+		CallbackURL:  callbackURL,
+		Domain:       auth0Domain,
+		providerName: "auth0",
 	}
 	p.config = newConfig(p, scopes)
 	return p
@@ -181,3 +182,7 @@ func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
 	}
 	return newToken, err
 }
+
+func (p *Provider) Revoke(session goth.Session) error {
+	return nil
+}

providers/battlenet/battlenet.go

@@ -144,3 +144,8 @@ func (p *Provider) RefreshTokenAvailable() bool {
 func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
 	return nil, nil
 }
+
+// Revoke is not supported by the amazon oauth api
+func (p *Provider) Revoke(session goth.Session) error {
+	return nil
+}