func (s *Service) passwordGrant(w http.ResponseWriter, r *http.Request, client *Client) {
// Get user credentials from form data
username := r.Form.Get("username") // usually an email
password := r.Form.Get("password")
// Authenticate the user
user, err := s.AuthUser(username, password)
if err != nil {
// For security reasons, return a general error message
response.UnauthorizedError(w, "User authentication required")
return
}
// Get the scope string
scope, err := s.GetScope(r.Form.Get("scope"))
if err != nil {
response.Error(w, err.Error(), http.StatusBadRequest)
return
}
// Create a new access token
accessToken, err := s.GrantAccessToken(
client, // client
user, // user
scope, // scope
)
if err != nil {
response.Error(w, err.Error(), http.StatusInternalServerError)
return
}
// Create or retrieve a refresh token
refreshToken, err := s.GetOrCreateRefreshToken(
client, // client
user, // user
scope, // scope
)
if err != nil {
response.Error(w, err.Error(), http.StatusInternalServerError)
return
}
// Write the JSON access token to the response
accessTokenRespone := &AccessTokenResponse{
ID: accessToken.ID,
AccessToken: accessToken.Token,
ExpiresIn: s.cnf.Oauth.AccessTokenLifetime,
TokenType: "Bearer",
Scope: accessToken.Scope,
RefreshToken: refreshToken.Token,
}
response.WriteJSON(w, accessTokenRespone, 200)
}
// Handles all OAuth 2.0 grant types (POST /v1/oauth/tokens)
func (s *Service) tokensHandler(w http.ResponseWriter, r *http.Request) {
// Parse the form so r.Form becomes available
if err := r.ParseForm(); err != nil {
response.Error(w, err.Error(), http.StatusInternalServerError)
return
}
// Map of grant types against handler functions
grantTypes := map[string]func(w http.ResponseWriter, r *http.Request, client *Client){
"authorization_code": s.authorizationCodeGrant,
"password": s.passwordGrant,
"client_credentials": s.clientCredentialsGrant,
"refresh_token": s.refreshTokenGrant,
}
// Check the grant type
grantHandler, ok := grantTypes[r.Form.Get("grant_type")]
if !ok {
response.Error(w, errInvalidGrantType.Error(), http.StatusBadRequest)
return
}
// Get client credentials from basic auth
clientID, secret, ok := r.BasicAuth()
if !ok {
response.UnauthorizedError(w, errClientAuthenticationRequired.Error())
return
}
// Authenticate the client
client, err := s.AuthClient(clientID, secret)
if err != nil {
// For security reasons, return a general error message
response.UnauthorizedError(w, errClientAuthenticationRequired.Error())
return
}
// Execute the correct function based on the grant type
grantHandler(w, r, client)
}