1
0
mirror of https://github.com/pocketbase/pocketbase.git synced 2025-03-19 22:19:23 +02:00
pocketbase/tools/auth/github.go

137 lines
3.5 KiB
Go
Raw Normal View History

2022-07-07 00:19:05 +03:00
package auth
import (
2023-03-01 23:29:45 +02:00
"context"
2022-07-07 00:19:05 +03:00
"encoding/json"
2022-12-16 17:06:03 +02:00
"io"
2022-07-07 00:19:05 +03:00
"strconv"
"github.com/pocketbase/pocketbase/tools/types"
2022-07-07 00:19:05 +03:00
"golang.org/x/oauth2"
"golang.org/x/oauth2/github"
2022-07-07 00:19:05 +03:00
)
2024-09-29 19:23:19 +03:00
func init() {
Providers[NameGithub] = wrapFactory(NewGithubProvider)
}
2022-07-07 00:19:05 +03:00
var _ Provider = (*Github)(nil)
// NameGithub is the unique name of the Github provider.
const NameGithub string = "github"
// Github allows authentication via Github OAuth2.
type Github struct {
2024-09-29 19:23:19 +03:00
BaseProvider
2022-07-07 00:19:05 +03:00
}
// NewGithubProvider creates new Github provider instance with some defaults.
func NewGithubProvider() *Github {
2024-09-29 19:23:19 +03:00
return &Github{BaseProvider{
ctx: context.Background(),
displayName: "GitHub",
pkce: true, // technically is not supported yet but it is safe as the PKCE params are just ignored
scopes: []string{"read:user", "user:email"},
2024-09-29 19:23:19 +03:00
authURL: github.Endpoint.AuthURL,
tokenURL: github.Endpoint.TokenURL,
userInfoURL: "https://api.github.com/user",
2022-07-07 00:19:05 +03:00
}}
}
// FetchAuthUser returns an AuthUser instance based the Github's user api.
//
// API reference: https://docs.github.com/en/rest/reference/users#get-the-authenticated-user
2022-07-07 00:19:05 +03:00
func (p *Github) FetchAuthUser(token *oauth2.Token) (*AuthUser, error) {
2024-09-29 19:23:19 +03:00
data, err := p.FetchRawUserInfo(token)
if err != nil {
return nil, err
}
rawUser := map[string]any{}
if err := json.Unmarshal(data, &rawUser); err != nil {
return nil, err
}
extracted := struct {
Login string `json:"login"`
2022-07-07 00:19:05 +03:00
Id int `json:"id"`
Name string `json:"name"`
Email string `json:"email"`
2024-09-29 19:23:19 +03:00
AvatarURL string `json:"avatar_url"`
2022-07-07 00:19:05 +03:00
}{}
if err := json.Unmarshal(data, &extracted); err != nil {
2022-07-07 00:19:05 +03:00
return nil, err
}
user := &AuthUser{
2023-01-07 22:25:56 +02:00
Id: strconv.Itoa(extracted.Id),
Name: extracted.Name,
Username: extracted.Login,
Email: extracted.Email,
2024-09-29 19:23:19 +03:00
AvatarURL: extracted.AvatarURL,
2023-01-07 22:25:56 +02:00
RawUser: rawUser,
AccessToken: token.AccessToken,
RefreshToken: token.RefreshToken,
2022-07-07 00:19:05 +03:00
}
user.Expiry, _ = types.ParseDateTime(token.Expiry)
// in case user has set "Keep my email address private", send an
// **optional** API request to retrieve the verified primary email
2022-07-07 00:19:05 +03:00
if user.Email == "" {
email, err := p.fetchPrimaryEmail(token)
2022-07-07 00:19:05 +03:00
if err != nil {
return nil, err
2022-07-07 00:19:05 +03:00
}
user.Email = email
}
2022-07-07 00:19:05 +03:00
return user, nil
}
// fetchPrimaryEmail sends an API request to retrieve the verified
// primary email, in case "Keep my email address private" was set.
//
// NB! This method can succeed and still return an empty email.
// Error responses that are result of insufficient scopes permissions are ignored.
//
// API reference: https://docs.github.com/en/rest/users/emails?apiVersion=2022-11-28
func (p *Github) fetchPrimaryEmail(token *oauth2.Token) (string, error) {
client := p.Client(token)
2022-07-07 00:19:05 +03:00
2024-09-29 19:23:19 +03:00
response, err := client.Get(p.userInfoURL + "/emails")
if err != nil {
return "", err
}
defer response.Body.Close()
// ignore common http errors caused by insufficient scope permissions
// (the email field is optional, aka. return the auth user without it)
if response.StatusCode == 401 || response.StatusCode == 403 || response.StatusCode == 404 {
return "", nil
}
content, err := io.ReadAll(response.Body)
if err != nil {
return "", err
}
2022-07-07 00:19:05 +03:00
emails := []struct {
Email string
Verified bool
Primary bool
}{}
if err := json.Unmarshal(content, &emails); err != nil {
return "", err
}
// extract the verified primary email
for _, email := range emails {
if email.Verified && email.Primary {
return email.Email, nil
2022-07-07 00:19:05 +03:00
}
}
return "", nil
2022-07-07 00:19:05 +03:00
}