Merge pull request #98 from supabase/twitter-provider-jwt

Feature: Twitter OAuth🐦

Author: awalias

api/context.go

@@ -29,6 +29,8 @@ const (
 	externalReferrerKey     = contextKey("external_referrer")
 	functionHooksKey        = contextKey("function_hooks")
 	adminUserKey            = contextKey("admin_user")
+	oauthTokenKey           = contextKey("oauth_token") // for OAuth1.0, also known as request token
+	oauthVerifierKey        = contextKey("oauth_verifier")
 )
 
 // withToken adds the JWT token to the context.
@@ -223,3 +225,28 @@ func getAdminUser(ctx context.Context) *models.User {
 	}
 	return obj.(*models.User)
 }
+
+// withRequestToken adds the request token to the context
+func withRequestToken(ctx context.Context, token string) context.Context {
+	return context.WithValue(ctx, oauthTokenKey, token)
+}
+
+func getRequestToken(ctx context.Context) string {
+	obj := ctx.Value(oauthTokenKey)
+	if obj == nil {
+		return ""
+	}
+	return obj.(string)
+}
+
+func withOAuthVerifier(ctx context.Context, token string) context.Context {
+	return context.WithValue(ctx, oauthVerifierKey, token)
+}
+
+func getOAuthVerifier(ctx context.Context) string {
+	obj := ctx.Value(oauthVerifierKey)
+	if obj == nil {
+		return ""
+	}
+	return obj.(string)
+}

api/external.go

@@ -11,6 +11,7 @@ import (
 
 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/gofrs/uuid"
+	"github.com/markbates/goth/gothic"
 	"github.com/netlify/gotrue/api/provider"
 	"github.com/netlify/gotrue/models"
 	"github.com/netlify/gotrue/storage"
@@ -37,7 +38,7 @@ func (a *API) ExternalProviderRedirect(w http.ResponseWriter, r *http.Request) e
 	providerType := r.URL.Query().Get("provider")
 	scopes := r.URL.Query().Get("scopes")
 
-	provider, err := a.Provider(ctx, providerType, scopes)
+	p, err := a.Provider(ctx, providerType, scopes)
 	if err != nil {
 		return badRequestError("Unsupported provider: %+v", err).WithInternalError(err)
 	}
@@ -78,7 +79,18 @@ func (a *API) ExternalProviderRedirect(w http.ResponseWriter, r *http.Request) e
 		return internalServerError("Error creating state").WithInternalError(err)
 	}
 
-	http.Redirect(w, r, provider.AuthCodeURL(tokenString), http.StatusFound)
+	var url string
+	if twitterProvider, ok := p.(*provider.TwitterProvider); ok {
+		url = twitterProvider.AuthCodeURL(tokenString)
+		err := gothic.StoreInSession(providerType, twitterProvider.Marshal(), r, w)
+		if err != nil {
+			return internalServerError("Error storing request token in session").WithInternalError(err)
+		}
+	} else {
+		url = p.AuthCodeURL(tokenString)
+	}
+
+	http.Redirect(w, r, url, http.StatusFound)
 	return nil
 }
 
@@ -101,6 +113,14 @@ func (a *API) internalExternalProviderCallback(w http.ResponseWriter, r *http.Re
 			return err
 		}
 		userData = samlUserData
+	} else if providerType == "twitter" {
+		// future OAuth1.0 providers will use this method
+		oAuthResponseData, err := a.oAuth1Callback(ctx, r, providerType)
+		if err != nil {
+			return err
+		}
+		userData = oAuthResponseData.userData
+		providerToken = oAuthResponseData.token
 	} else {
 		oAuthResponseData, err := a.oAuthCallback(ctx, r, providerType)
 		if err != nil {
@@ -316,6 +336,8 @@ func (a *API) Provider(ctx context.Context, name string, scopes string) (provide
 		return provider.NewGoogleProvider(config.External.Google, scopes)
 	case "facebook":
 		return provider.NewFacebookProvider(config.External.Facebook, scopes)
+	case "twitter":
+		return provider.NewTwitterProvider(config.External.Twitter, scopes)
 	case "azure":
 		return provider.NewAzureProvider(config.External.Azure, scopes)
 	case "saml":

api/external_oauth.go

@@ -4,13 +4,15 @@ import (
 	"context"
 	"net/http"
 
+	"github.com/markbates/goth/gothic"
+	"github.com/mrjones/oauth"
 	"github.com/netlify/gotrue/api/provider"
 	"github.com/sirupsen/logrus"
 )
 
 type OAuthProviderData struct {
 	userData *provider.UserProvidedData
-	token string
+	token    string
 }
 
 // loadOAuthState parses the `state` query parameter as a JWS payload,
@@ -22,6 +24,14 @@ func (a *API) loadOAuthState(w http.ResponseWriter, r *http.Request) (context.Co
 	}
 
 	ctx := r.Context()
+	oauthToken := r.URL.Query().Get("oauth_token")
+	if oauthToken != "" {
+		ctx = withRequestToken(ctx, oauthToken)
+	}
+	oauthVerifier := r.URL.Query().Get("oauth_verifier")
+	if oauthVerifier != "" {
+		ctx = withOAuthVerifier(ctx, oauthVerifier)
+	}
 	return a.loadExternalState(ctx, state)
 }
 
@@ -61,8 +71,44 @@ func (a *API) oAuthCallback(ctx context.Context, r *http.Request, providerType s
 
 	return &OAuthProviderData{
 		userData: userData,
-		token: token.AccessToken,
+		token:    token.AccessToken,
+	}, nil
+}
+
+func (a *API) oAuth1Callback(ctx context.Context, r *http.Request, providerType string) (*OAuthProviderData, error) {
+	oAuthProvider, err := a.OAuthProvider(ctx, providerType)
+	if err != nil {
+		return nil, badRequestError("Unsupported provider: %+v", err).WithInternalError(err)
+	}
+	value, err := gothic.GetFromSession(providerType, r)
+	if err != nil {
+		return &OAuthProviderData{}, err
+	}
+	oauthVerifier := getOAuthVerifier(ctx)
+	var accessToken *oauth.AccessToken
+	var userData *provider.UserProvidedData
+	if twitterProvider, ok := oAuthProvider.(*provider.TwitterProvider); ok {
+		requestToken, err := twitterProvider.Unmarshal(value)
+		if err != nil {
+			return &OAuthProviderData{}, err
+		}
+		twitterProvider.OauthVerifier = oauthVerifier
+		accessToken, err = twitterProvider.Consumer.AuthorizeToken(requestToken, oauthVerifier)
+		if err != nil {
+			return nil, internalServerError("Unable to retrieve access token").WithInternalError(err)
+		}
+		userData, err = twitterProvider.FetchUserData(ctx, accessToken)
+	}
+
+	if err != nil {
+		return nil, internalServerError("Error getting user email from external provider").WithInternalError(err)
+	}
+
+	return &OAuthProviderData{
+		userData: userData,
+		token:    accessToken.Token,
 	}, nil
+
 }
 
 func (a *API) OAuthProvider(ctx context.Context, name string) (provider.OAuthProvider, error) {

api/provider/twitter.go

@@ -0,0 +1,125 @@
+package provider
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"strings"
+
+	"github.com/mrjones/oauth"
+	"github.com/netlify/gotrue/conf"
+	"golang.org/x/oauth2"
+)
+
+const (
+	requestURL      = "https://api.twitter.com/oauth/request_token"
+	authorizeURL    = "https://api.twitter.com/oauth/authorize"
+	tokenURL        = "https://api.twitter.com/oauth/access_token"
+	endpointProfile = "https://api.twitter.com/1.1/account/verify_credentials.json"
+)
+
+type TwitterProvider struct {
+	ClientKey     string
+	Secret        string
+	CallbackURL   string
+	AuthURL       string
+	RequestToken  *oauth.RequestToken
+	OauthVerifier string
+	Consumer      *oauth.Consumer
+}
+
+type twitterUser struct {
+	Name      string `json:"name"`
+	AvatarURL string `json:"profile_image_url"`
+	Email     string `json:"email"`
+}
+
+func NewTwitterProvider(ext conf.OAuthProviderConfiguration, scopes string) (OAuthProvider, error) {
+	p := &TwitterProvider{
+		ClientKey:   ext.ClientID,
+		Secret:      ext.Secret,
+		CallbackURL: ext.RedirectURI,
+	}
+	p.Consumer = newConsumer(p)
+	return p, nil
+}
+
+func (t TwitterProvider) GetOAuthToken(_ string) (*oauth2.Token, error) {
+	// stub method for OAuthProvider interface, unused in OAuth1.0 protocol
+	return &oauth2.Token{}, nil
+}
+
+func (t TwitterProvider) GetUserData(ctx context.Context, tok *oauth2.Token) (*UserProvidedData, error) {
+	// stub method for OAuthProvider interface, unused in OAuth1.0 protocol
+	return &UserProvidedData{}, nil
+}
+
+func (t TwitterProvider) FetchUserData(ctx context.Context, tok *oauth.AccessToken) (*UserProvidedData, error) {
+	var u twitterUser
+	resp, err := t.Consumer.Get(
+		endpointProfile,
+		map[string]string{"include_entities": "false", "skip_status": "true", "include_email": "true"},
+		tok)
+	if err != nil {
+		return &UserProvidedData{}, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return &UserProvidedData{}, fmt.Errorf("Twitter responded with a %d trying to fetch user information", resp.StatusCode)
+	}
+	bits, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		return &UserProvidedData{}, nil
+	}
+	err = json.NewDecoder(bytes.NewReader(bits)).Decode(&u)
+
+	data := &UserProvidedData{
+		Metadata: map[string]string{
+			nameKey:      u.Name,
+			avatarURLKey: u.AvatarURL,
+		},
+		Emails: []Email{{
+			Email:    u.Email,
+			Verified: true,
+			Primary:  true,
+		}},
+	}
+	return data, nil
+}
+
+func (t *TwitterProvider) AuthCodeURL(state string, args ...oauth2.AuthCodeOption) string {
+	// we do nothing with the state here as the state is passed in the requestURL step
+	requestToken, url, err := t.Consumer.GetRequestTokenAndUrl(t.CallbackURL + "?state=" + state)
+	if err != nil {
+		return ""
+	}
+	t.RequestToken = requestToken
+	t.AuthURL = url
+	return t.AuthURL
+}
+
+func newConsumer(provider *TwitterProvider) *oauth.Consumer {
+	c := oauth.NewConsumer(
+		provider.ClientKey,
+		provider.Secret,
+		oauth.ServiceProvider{
+			RequestTokenUrl:   requestURL,
+			AuthorizeTokenUrl: authorizeURL,
+			AccessTokenUrl:    tokenURL,
+		})
+	return c
+}
+
+func (t TwitterProvider) Marshal() string {
+	b, _ := json.Marshal(t.RequestToken)
+	return string(b)
+}
+
+func (t TwitterProvider) Unmarshal(data string) (*oauth.RequestToken, error) {
+	requestToken := &oauth.RequestToken{}
+	err := json.NewDecoder(strings.NewReader(data)).Decode(requestToken)
+	return requestToken, err
+}

api/settings.go

@@ -8,6 +8,7 @@ type ProviderSettings struct {
 	GitLab    bool `json:"gitlab"`
 	Google    bool `json:"google"`
 	Facebook  bool `json:"facebook"`
+	Twitter   bool `json:"twitter"`
 	Azure     bool `json:"azure"`
 	Email     bool `json:"email"`
 	SAML      bool `json:"saml"`
@@ -34,6 +35,7 @@ func (a *API) Settings(w http.ResponseWriter, r *http.Request) error {
 			GitLab:    config.External.Gitlab.Enabled,
 			Google:    config.External.Google.Enabled,
 			Facebook:  config.External.Facebook.Enabled,
+			Twitter:   config.External.Twitter.Enabled,
 			Azure:     config.External.Azure.Enabled,
 			Email:     !config.External.Email.Disabled,
 			SAML:      config.External.Saml.Enabled,

conf/configuration.go

@@ -85,6 +85,7 @@ type ProviderConfiguration struct {
 	Gitlab      OAuthProviderConfiguration `json:"gitlab"`
 	Google      OAuthProviderConfiguration `json:"google"`
 	Facebook    OAuthProviderConfiguration `json:"facebook"`
+	Twitter     OAuthProviderConfiguration `json:"twitter"`
 	Azure       OAuthProviderConfiguration `json:"azure"`
 	Email       EmailProviderConfiguration `json:"email"`
 	Saml        SamlProviderConfiguration  `json:"saml"`
@@ -109,8 +110,8 @@ type MailerConfiguration struct {
 
 // Configuration holds all the per-instance configuration.
 type Configuration struct {
-	SiteURL       string                `json:"site_url" split_words:"true" required:"true"`
-	URIAllowList  []string              `json:"uri_allow_list" split_words:"true"`
+	SiteURL           string                `json:"site_url" split_words:"true" required:"true"`
+	URIAllowList      []string              `json:"uri_allow_list" split_words:"true"`
 	PasswordMinLength int                   `json:"password_min_length" default:"6"`
 	JWT               JWTConfiguration      `json:"jwt"`
 	SMTP              SMTPConfiguration     `json:"smtp"`