Feat: Twitch Provider (#135)

* fix(test): replace Fragment with RawQuery to make it work as intended

* feat(twitch): add twitch provider

* refactor(twitch): order twitch alphabetically and add aliasKey

* refactor: rename struct literal

Co-authored-by: ph1p <me@ph1p.dev>

Author: kangmingtay

README.md

@@ -172,7 +172,7 @@ The default group to assign all new users to.
 
 ### External Authentication Providers
 
-We support `apple`, `azure`, `bitbucket`, `discord`, `facebook`, `github`, `gitlab`, `google` and `twitter` for external authentication.
+We support `apple`, `azure`, `bitbucket`, `discord`, `facebook`, `github`, `gitlab`, `google`, `twitch` and `twitter` for external authentication.
 Use the names as the keys underneath `external` to configure each separately.
 
 ```properties
@@ -203,7 +203,7 @@ The URI a OAuth2 provider will redirect to with the `code` and `state` values.
 
 The base URL used for constructing the URLs to request authorization and access tokens. Used by `gitlab` only. Defaults to `https://gitlab.com`.
 
-#### Apple OAuth 
+#### Apple OAuth
 
 To try out external authentication with Apple locally, you will need to do the following:
 1. Remap localhost to \<my_custom_dns \> in your `/etc/hosts` config.
@@ -427,6 +427,7 @@ GoTrue exposes the following endpoints:
       "github": true,
       "gitlab": true,
       "google": true,
+      "twitch": true,
       "twitter": true
     },
     "disable_signup": false,
@@ -544,7 +545,7 @@ GoTrue exposes the following endpoints:
 
   Magic Link. Will deliver a link (e.g. `/verify?type=magiclink&token=fgtyuf68ddqdaDd`) to the user based on
   email address which they can use to redeem an access_token.
-  
+
   By default Magic Links can only be sent once every 60 seconds
 
   ```json
@@ -558,14 +559,14 @@ GoTrue exposes the following endpoints:
   ```json
   {}
   ```
-  
+
   when clicked the magic link will redirect the user to `<SITE_URL>#access_token=x&refresh_token=y&expires_in=z&token_type=bearer&type=magiclink` (see `/verify` above)
 
 ### **POST /recover**
 
   Password recovery. Will deliver a password recovery mail to the user based on
   email address.
-  
+
   By default recovery links can only be sent once every 60 seconds
 
   ```json
@@ -685,18 +686,17 @@ GoTrue exposes the following endpoints:
 
   query params:
   ```
-  provider=apple | azure | bitbucket | discord | facebook | github | gitlab | google | twitter
+  provider=apple | azure | bitbucket | discord | facebook | github | gitlab | google | twitch | twitter
   scopes=<optional additional scopes depending on the provider (email and name are requested by default)>
   ```
- 
+
   Redirects to provider and then to `/callback`
-  
+
   For apple specific setup see: https://github.com/supabase/gotrue#apple-oauth
-  
+
 ### **GET /callback**
 
   External provider should redirect to here
- 
-  Redirects to `<GOTRUE_SITE_URL>#access_token=<access_token>&refresh_token=<refresh_token>&provider_token=<provider_oauth_token>&expires_in=3600&provider=<provider_name>`
-  If additional scopes were requested then `provider_token` will be populated, you can use this to fetch additional data from the provider or interact with their services 
 
+  Redirects to `<GOTRUE_SITE_URL>#access_token=<access_token>&refresh_token=<refresh_token>&provider_token=<provider_oauth_token>&expires_in=3600&provider=<provider_name>`
+  If additional scopes were requested then `provider_token` will be populated, you can use this to fetch additional data from the provider or interact with their services

api/external.go

@@ -352,6 +352,8 @@ func (a *API) Provider(ctx context.Context, name string, scopes string) (provide
 		return provider.NewGoogleProvider(config.External.Google, scopes)
 	case "facebook":
 		return provider.NewFacebookProvider(config.External.Facebook, scopes)
+	case "twitch":
+		return provider.NewTwitchProvider(config.External.Twitch, scopes)
 	case "twitter":
 		return provider.NewTwitterProvider(config.External.Twitter, scopes)
 	case "saml":

api/external_test.go

@@ -100,7 +100,7 @@ func performAuthorization(ts *ExternalTestSuite, provider string, code string, i
 
 func assertAuthorizationSuccess(ts *ExternalTestSuite, u *url.URL, tokenCount int, userCount int, email string, name string, avatar string) {
 	// ensure redirect has #access_token=...
-	v, err := url.ParseQuery(u.Fragment)
+	v, err := url.ParseQuery(u.RawQuery)
 	ts.Require().NoError(err)
 	ts.Require().Empty(v.Get("error_description"))
 	ts.Require().Empty(v.Get("error"))
@@ -122,7 +122,7 @@ func assertAuthorizationSuccess(ts *ExternalTestSuite, u *url.URL, tokenCount in
 
 func assertAuthorizationFailure(ts *ExternalTestSuite, u *url.URL, errorDescription string, errorType string, email string) {
 	// ensure new sign ups error
-	v, err := url.ParseQuery(u.Fragment)
+	v, err := url.ParseQuery(u.RawQuery)
 	ts.Require().NoError(err)
 	ts.Require().Equal(errorDescription, v.Get("error_description"))
 	ts.Require().Equal(errorType, v.Get("error"))

api/external_twitch_test.go

@@ -0,0 +1,171 @@
+package api
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+
+	jwt "github.com/dgrijalva/jwt-go"
+)
+
+func (ts *ExternalTestSuite) TestSignupExternalTwitch() {
+	req := httptest.NewRequest(http.MethodGet, "http://localhost/authorize?provider=twitch", nil)
+	w := httptest.NewRecorder()
+	ts.API.handler.ServeHTTP(w, req)
+	ts.Require().Equal(http.StatusFound, w.Code)
+	u, err := url.Parse(w.Header().Get("Location"))
+	ts.Require().NoError(err, "redirect url parse failed")
+	q := u.Query()
+	ts.Equal(ts.Config.External.Twitch.RedirectURI, q.Get("redirect_uri"))
+	ts.Equal(ts.Config.External.Twitch.ClientID, q.Get("client_id"))
+	ts.Equal("code", q.Get("response_type"))
+	ts.Equal("user:read:email", q.Get("scope"))
+
+	claims := ExternalProviderClaims{}
+	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
+	_, err = p.ParseWithClaims(q.Get("state"), &claims, func(token *jwt.Token) (interface{}, error) {
+		return []byte(ts.API.config.OperatorToken), nil
+	})
+	ts.Require().NoError(err)
+
+	ts.Equal("twitch", claims.Provider)
+	ts.Equal(ts.Config.SiteURL, claims.SiteURL)
+}
+
+func TwitchTestSignupSetup(ts *ExternalTestSuite, tokenCount *int, userCount *int, code string, user string) *httptest.Server {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/oauth2/token":
+			*tokenCount++
+			ts.Equal(code, r.FormValue("code"))
+			ts.Equal("authorization_code", r.FormValue("grant_type"))
+			ts.Equal(ts.Config.External.Twitch.RedirectURI, r.FormValue("redirect_uri"))
+
+			w.Header().Add("Content-Type", "application/json")
+			fmt.Fprint(w, `{"access_token":"Twitch_token","expires_in":100000}`)
+		case "/helix/users":
+			*userCount++
+			w.Header().Add("Content-Type", "application/json")
+			fmt.Fprint(w, user)
+		default:
+			w.WriteHeader(500)
+			ts.Fail("unknown Twitch oauth call %s", r.URL.Path)
+		}
+	}))
+
+	ts.Config.External.Twitch.URL = server.URL
+
+	return server
+}
+
+func (ts *ExternalTestSuite) TestSignupExternalTwitch_AuthorizationCode() {
+	ts.Config.DisableSignup = false
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	TwitchUser := `{"data":[{"id":"1","login":"Twitch Test","display_name":"Twitch Test","type":"","broadcaster_type":"","description":"","profile_image_url":"https://s.gravatar.com/avatar/23463b99b62a72f26ed677cc556c44e8","offline_image_url":"","email":"twitch@example.com"}]}`
+	server := TwitchTestSignupSetup(ts, &tokenCount, &userCount, code, TwitchUser)
+	defer server.Close()
+
+	u := performAuthorization(ts, "twitch", code, "")
+
+	assertAuthorizationSuccess(ts, u, tokenCount, userCount, "twitch@example.com", "Twitch Test", "https://s.gravatar.com/avatar/23463b99b62a72f26ed677cc556c44e8")
+}
+
+func (ts *ExternalTestSuite) TestSignupExternalTwitchDisableSignupErrorWhenNoUser() {
+	ts.Config.DisableSignup = true
+
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	TwitchUser := `{"data":[{"id":"1","login":"Twitch user","display_name":"Twitch user","type":"","broadcaster_type":"","description":"","profile_image_url":"https://s.gravatar.com/avatar/23463b99b62a72f26ed677cc556c44e8","offline_image_url":"","email":"twitch@example.com"}]}`
+	server := TwitchTestSignupSetup(ts, &tokenCount, &userCount, code, TwitchUser)
+	defer server.Close()
+
+	u := performAuthorization(ts, "twitch", code, "")
+
+	assertAuthorizationFailure(ts, u, "Signups not allowed for this instance", "access_denied", "twitch@example.com")
+}
+
+func (ts *ExternalTestSuite) TestSignupExternalTwitchDisableSignupErrorWhenEmptyEmail() {
+	ts.Config.DisableSignup = true
+
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	TwitchUser := `{"data":[{"id":"1","login":"Twitch user","display_name":"Twitch user","type":"","broadcaster_type":"","description":"","profile_image_url":"https://s.gravatar.com/avatar/23463b99b62a72f26ed677cc556c44e8","offline_image_url":""}]}`
+	server := TwitchTestSignupSetup(ts, &tokenCount, &userCount, code, TwitchUser)
+	defer server.Close()
+
+
+	u := performAuthorization(ts, "twitch", code, "")
+
+	assertAuthorizationFailure(ts, u, "Error getting user email from external provider", "server_error", "twitch@example.com")
+}
+
+func (ts *ExternalTestSuite) TestSignupExternalTwitchDisableSignupSuccessWithPrimaryEmail() {
+	ts.Config.DisableSignup = true
+
+	ts.createUser("twitch@example.com", "Twitch Test", "https://s.gravatar.com/avatar/23463b99b62a72f26ed677cc556c44e8", "")
+
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	TwitchUser := `{"data":[{"id":"1","login":"Twitch user","display_name":"Twitch user","type":"","broadcaster_type":"","description":"","profile_image_url":"https://s.gravatar.com/avatar/23463b99b62a72f26ed677cc556c44e8","offline_image_url":"","email":"twitch@example.com"}]}`
+	server := TwitchTestSignupSetup(ts, &tokenCount, &userCount, code, TwitchUser)
+	defer server.Close()
+
+	u := performAuthorization(ts, "twitch", code, "")
+
+	assertAuthorizationSuccess(ts, u, tokenCount, userCount, "twitch@example.com", "Twitch Test", "https://s.gravatar.com/avatar/23463b99b62a72f26ed677cc556c44e8")
+}
+
+func (ts *ExternalTestSuite) TestInviteTokenExternalTwitchSuccessWhenMatchingToken() {
+	// name and avatar should be populated from Twitch API
+	ts.createUser("twitch@example.com", "", "", "invite_token")
+
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	TwitchUser := `{"data":[{"id":"1","login":"Twitch user","display_name":"Twitch user","type":"","broadcaster_type":"","description":"","profile_image_url":"https://s.gravatar.com/avatar/23463b99b62a72f26ed677cc556c44e8","offline_image_url":"","email":"twitch@example.com"}]}`
+	server := TwitchTestSignupSetup(ts, &tokenCount, &userCount, code, TwitchUser)
+	defer server.Close()
+
+	u := performAuthorization(ts, "twitch", code, "invite_token")
+
+	assertAuthorizationSuccess(ts, u, tokenCount, userCount, "twitch@example.com", "Twitch Test", "https://s.gravatar.com/avatar/23463b99b62a72f26ed677cc556c44e8")
+}
+
+func (ts *ExternalTestSuite) TestInviteTokenExternalTwitchErrorWhenNoMatchingToken() {
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	TwitchUser := `{"data":[{"id":"1","login":"Twitch user","display_name":"Twitch user","type":"","broadcaster_type":"","description":"","profile_image_url":"https://s.gravatar.com/avatar/23463b99b62a72f26ed677cc556c44e8","offline_image_url":"","email":"twitch@example.com"}]}`
+	server := TwitchTestSignupSetup(ts, &tokenCount, &userCount, code, TwitchUser)
+	defer server.Close()
+
+	w := performAuthorizationRequest(ts, "twitch", "invite_token")
+	ts.Require().Equal(http.StatusNotFound, w.Code)
+}
+
+func (ts *ExternalTestSuite) TestInviteTokenExternalTwitchErrorWhenWrongToken() {
+	ts.createUser("twitch@example.com", "", "", "invite_token")
+
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	TwitchUser := `{"data":[{"id":"1","login":"Twitch user","display_name":"Twitch user","type":"","broadcaster_type":"","description":"","profile_image_url":"https://s.gravatar.com/avatar/23463b99b62a72f26ed677cc556c44e8","offline_image_url":"","email":"twitch@example.com"}]}`
+	server := TwitchTestSignupSetup(ts, &tokenCount, &userCount, code, TwitchUser)
+	defer server.Close()
+
+	w := performAuthorizationRequest(ts, "twitch", "wrong_token")
+	ts.Require().Equal(http.StatusNotFound, w.Code)
+}
+
+func (ts *ExternalTestSuite) TestInviteTokenExternalTwitchErrorWhenEmailDoesntMatch() {
+	ts.createUser("twitch@example.com", "", "", "invite_token")
+
+	tokenCount, userCount := 0, 0
+	code := "authcode"
+	TwitchUser := `{"data":[{"id":"1","login":"Twitch user","display_name":"Twitch user","type":"","broadcaster_type":"","description":"","profile_image_url":"https://s.gravatar.com/avatar/23463b99b62a72f26ed677cc556c44e8","offline_image_url":"","email":"other@example.com"}]}`
+	server := TwitchTestSignupSetup(ts, &tokenCount, &userCount, code, TwitchUser)
+	defer server.Close()
+
+	u := performAuthorization(ts, "twitch", code, "invite_token")
+
+	assertAuthorizationFailure(ts, u, "Invited email does not match emails from external provider", "invalid_request", "")
+}