diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2b75a8af..46204508 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ ## Changes since v5.0.0
+- [#385](https://github.com/pusher/oauth2_proxy/pull/385) Use the `Authorization` header instead of `access_token` for refreshing GitHub Provider sessions (@ibuclaw)
 - [#372](https://github.com/pusher/oauth2_proxy/pull/372) Allow fallback to secondary verified email address in GitHub provider (@dmnemec)
 - [#335](https://github.com/pusher/oauth2_proxy/pull/335) OIDC Provider support for empty id_tokens in the access token refresh response (@howzat)
 - [#363](https://github.com/pusher/oauth2_proxy/pull/363) Extension of Redis Session Store to Support Redis Cluster (@yan-dblinf)
diff --git a/providers/github.go b/providers/github.go
index a37d703d..40ec78d3 100644
--- a/providers/github.go
+++ b/providers/github.go
@@ -53,6 +53,13 @@ func NewGitHubProvider(p *ProviderData) *GitHubProvider {
 return &GitHubProvider{ProviderData: p}
 }
+func getGitHubHeader(accessToken string) http.Header {
+ header := make(http.Header)
+ header.Set("Accept", "application/vnd.github.v3+json")
+ header.Set("Authorization", fmt.Sprintf("token %s", accessToken))
+ return header
+}
+
 // SetOrgTeam adds GitHub org reading parameters to the OAuth2 scope
 func (p *GitHubProvider) SetOrgTeam(org, team string) {
 p.Org = org
@@ -87,8 +94,7 @@ func (p *GitHubProvider) hasOrg(accessToken string) (bool, error) {
 RawQuery: params.Encode(),
 }
 req, _ := http.NewRequest("GET", endpoint.String(), nil)
- req.Header.Set("Accept", "application/vnd.github.v3+json")
- req.Header.Set("Authorization", fmt.Sprintf("token %s", accessToken))
+ req.Header = getGitHubHeader(accessToken)
 resp, err := http.DefaultClient.Do(req)
 if err != nil {
 return false, err
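Review bot: getGitHubHeader is introduced without a doc comment, yet every request in this diff (hasOrg, hasOrgAndTeam, GetEmailAddress, GetUserName and the new ValidateSessionState) now obtains its headers from it, so its contract belongs where it is defined. Suggested comment: `// getGitHubHeader returns a fresh header set for the GitHub v3 API carrying accessToken as "Authorization: token <accessToken>"; the result holds a live credential, so keep it out of logs and error messages.` The `fmt.Sprintf("token %s", accessToken)` can be the plain concatenation `"token " + accessToken`, which reads the same and avoids boxing the token into an interface for fmt.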
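Review bot: `req.Header = getGitHubHeader(accessToken)` replaces the request's header map wholesale instead of adding to it, here and in the hasOrgAndTeam, GetEmailAddress and GetUserName hunks. That is safe today only because nothing is set between http.NewRequest and this line; any header added earlier in future (a User-Agent, for instance) would be silently dropped. Having the helper write into the existing map, `func setGitHubHeader(h http.Header, accessToken string)` called as `setGitHubHeader(req.Header, accessToken)`, keeps the deduplication without that trap. Note also that GetEmailAddress and GetUserName now send the `Accept: application/vnd.github.v3+json` header they previously did not; that looks intended but is not mentioned in the changelog entry. hasOrg's body continues outside the hunk.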
@@ -164,8 +170,7 @@ func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {
 }
 req, _ := http.NewRequest("GET", endpoint.String(), nil)
- req.Header.Set("Accept", "application/vnd.github.v3+json")
- req.Header.Set("Authorization", fmt.Sprintf("token %s", accessToken))
+ req.Header = getGitHubHeader(accessToken)
 resp, err := http.DefaultClient.Do(req)
 if err != nil {
 return false, err
@@ -283,7 +288,7 @@ func (p *GitHubProvider) GetEmailAddress(s *sessions.SessionState) (string, erro
 Path: path.Join(p.ValidateURL.Path, "/user/emails"),
 }
 req, _ := http.NewRequest("GET", endpoint.String(), nil)
- req.Header.Set("Authorization", fmt.Sprintf("token %s", s.AccessToken))
+ req.Header = getGitHubHeader(s.AccessToken)
 resp, err := http.DefaultClient.Do(req)
 if err != nil {
 return "", err
@@ -336,7 +341,7 @@ func (p *GitHubProvider) GetUserName(s *sessions.SessionState) (string, error) {
 return "", fmt.Errorf("could not create new GET request: %v", err)
 }
- req.Header.Set("Authorization", fmt.Sprintf("token %s", s.AccessToken))
+ req.Header = getGitHubHeader(s.AccessToken)
 resp, err := http.DefaultClient.Do(req)
 if err != nil {
 return "", err
@@ -361,3 +366,8 @@ func (p *GitHubProvider) GetUserName(s *sessions.SessionState) (string, error) {
 return user.Login, nil
 }
+
+// ValidateSessionState validates the AccessToken
+func (p *GitHubProvider) ValidateSessionState(s *sessions.SessionState) bool {
+ return validateToken(p, s.AccessToken, getGitHubHeader(s.AccessToken))
+}
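Review bot: The doc comment `// ValidateSessionState validates the AccessToken` does not say how, and the how is the point of this change: the token travels in the Authorization header instead of an `access_token` query parameter, so it no longer lands in server access logs, proxy logs or Referer headers on the way to GitHub. Suggested comment: `// ValidateSessionState checks that s.AccessToken is still accepted by p.ValidateURL, sending it in the Authorization header rather than as a query parameter so the credential never appears in a URL.` This relies on validateToken omitting the `access_token` query parameter whenever a non-empty header is passed; its body is not in this diff, so confirm that, otherwise the token would still be sent both ways and the changelog claim would not hold. `s` is dereferenced without a nil check; if callers can reach this with a nil session, guard it with `if s == nil { return false }`.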