tenseleyflow/shithub / f372f5b

+	"github.com/tenseleyFlow/shithub/internal/auth/devicecode"

+	// DeviceCode configures the RFC 8628 device-code grant exposed at

+	// /login/device, /login/device/code, and /login/oauth/access_token.

+	// Zero value uses devicecode.Defaults() so a deployment that never

+	// wires this still gets a working grant for the canonical

+	// shithub-cli client_id.

+	DeviceCode devicecode.Config

+	if len(d.DeviceCode.ClientIDs) == 0 {

+		d.DeviceCode = devicecode.Defaults()

+	}

+		// S50 §1 — device-code (RFC 8628) user verification page.

+		// The matching CSRF-exempt JSON endpoints land under

+		// /login/device/code and /login/oauth/access_token via

+		// MountDeviceCodeAPI, wired separately by handlers.go.

+		r.Get("/login/device", h.deviceCodeForm)

+		r.Post("/login/device", h.deviceCodeSubmit)

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth

+

+import (

+	"encoding/json"

+	"errors"

+	"net/http"

+	"net/url"

+	"strings"

+

+	"github.com/go-chi/chi/v5"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/devicecode"

+)

+

+// MountDeviceCodeAPI registers the RFC 8628 JSON endpoints. Caller is

+// responsible for placing r inside a CSRF-exempt group — these are

+// non-browser endpoints invoked by CLI / native clients.

+func (h *Handlers) MountDeviceCodeAPI(r chi.Router) {

+	r.Post("/login/device/code", h.deviceCodeIssue)

+	r.Post("/login/oauth/access_token", h.deviceCodeExchange)

+}

+

+type deviceCodeIssueResponse struct {

+	DeviceCode              string `json:"device_code"`

+	UserCode                string `json:"user_code"`

+	VerificationURI         string `json:"verification_uri"`

+	VerificationURIComplete string `json:"verification_uri_complete,omitempty"`

+	ExpiresIn               int    `json:"expires_in"`

+	Interval                int    `json:"interval"`

+}

+

+func (h *Handlers) deviceCodeIssue(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		writeOAuthError(w, http.StatusBadRequest, "invalid_request", "malformed form body")

+		return

+	}

+	clientID := strings.TrimSpace(r.PostForm.Get("client_id"))

+	if clientID == "" {

+		writeOAuthError(w, http.StatusBadRequest, "invalid_request", "client_id is required")

+		return

+	}

+	scope := r.PostForm.Get("scope")

+

+	auth, err := devicecode.Create(r.Context(), devicecode.Deps{Pool: h.d.Pool}, h.d.DeviceCode, clientID, scope)

+	if err != nil {

+		writeDeviceCodeError(w, err)

+		return

+	}

+

+	verifyBase := strings.TrimRight(h.d.Branding.BaseURL, "/") + "/login/device"

+	verifyComplete := verifyBase + "?user_code=" + url.QueryEscape(auth.UserCode)

+	writeJSON(w, http.StatusOK, deviceCodeIssueResponse{

+		DeviceCode:              auth.DeviceCode,

+		UserCode:                auth.UserCode,

+		VerificationURI:         verifyBase,

+		VerificationURIComplete: verifyComplete,

+		ExpiresIn:               int(auth.ExpiresIn.Seconds()),

+		Interval:                int(auth.PollInterval.Seconds()),

+	})

+}

+

+type deviceCodeExchangeResponse struct {

+	AccessToken string `json:"access_token"`

+	TokenType   string `json:"token_type"`

+	Scope       string `json:"scope"`

+}

+

+func (h *Handlers) deviceCodeExchange(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		writeOAuthError(w, http.StatusBadRequest, "invalid_request", "malformed form body")

+		return

+	}

+	clientID := strings.TrimSpace(r.PostForm.Get("client_id"))

+	deviceCode := strings.TrimSpace(r.PostForm.Get("device_code"))

+	grantType := r.PostForm.Get("grant_type")

+	const wantGrant = "urn:ietf:params:oauth:grant-type:device_code"

+	if grantType != wantGrant {

+		writeOAuthError(w, http.StatusBadRequest, "unsupported_grant_type", "expected "+wantGrant)

+		return

+	}

+	if clientID == "" || deviceCode == "" {

+		writeOAuthError(w, http.StatusBadRequest, "invalid_request", "client_id and device_code are required")

+		return

+	}

+

+	res, err := devicecode.Exchange(r.Context(), devicecode.Deps{Pool: h.d.Pool}, clientID, deviceCode, deviceCodeTokenName(r))

+	if err != nil {

+		writeDeviceCodeError(w, err)

+		return

+	}

+	writeJSON(w, http.StatusOK, deviceCodeExchangeResponse{

+		AccessToken: res.AccessToken,

+		TokenType:   res.TokenType,

+		Scope:       strings.Join(res.Scopes, ","),

+	})

+}

+

+// deviceCodeTokenName builds a recognisable name for the PAT minted on

+// behalf of the CLI so the user sees it on their /settings/tokens page.

+// We don't expose the device's own name (it's not in the protocol), so

+// the User-Agent is the only viable hint.

+func deviceCodeTokenName(r *http.Request) string {

+	ua := strings.TrimSpace(r.Header.Get("User-Agent"))

+	if ua == "" {

+		return "device-code"

+	}

+	if len(ua) > 64 {

+		ua = ua[:64]

+	}

+	return "device-code: " + ua

+}

+

+// writeDeviceCodeError maps a devicecode package error to the RFC 8628

+// JSON shape and HTTP status. Unknown errors are surfaced as 500

+// `server_error`; the package-level sentinels cover every well-formed

+// caller path.

+func writeDeviceCodeError(w http.ResponseWriter, err error) {

+	switch {

+	case errors.Is(err, devicecode.ErrUnauthorizedClient):

+		writeOAuthError(w, http.StatusBadRequest, "unauthorized_client", "client_id not allowed")

+	case errors.Is(err, devicecode.ErrInvalidScope):

+		writeOAuthError(w, http.StatusBadRequest, "invalid_scope", "unknown scope")

+	case errors.Is(err, devicecode.ErrInvalidGrant):

+		writeOAuthError(w, http.StatusBadRequest, "invalid_grant", "device_code unknown or already exchanged")

+	case errors.Is(err, devicecode.ErrAuthorizationPending):

+		writeOAuthError(w, http.StatusBadRequest, "authorization_pending", "user has not approved yet")

+	case errors.Is(err, devicecode.ErrSlowDown):

+		writeOAuthError(w, http.StatusBadRequest, "slow_down", "increase polling interval")

+	case errors.Is(err, devicecode.ErrAccessDenied):

+		writeOAuthError(w, http.StatusBadRequest, "access_denied", "user denied the request")

+	case errors.Is(err, devicecode.ErrExpiredToken):

+		writeOAuthError(w, http.StatusBadRequest, "expired_token", "device_code expired")

+	default:

+		writeOAuthError(w, http.StatusInternalServerError, "server_error", "internal error")

+	}

+}

+

+type oauthError struct {

+	Error            string `json:"error"`

+	ErrorDescription string `json:"error_description,omitempty"`

+}

+

+func writeOAuthError(w http.ResponseWriter, status int, code, desc string) {

+	w.Header().Set("Content-Type", "application/json; charset=utf-8")

+	w.Header().Set("Cache-Control", "no-store")

+	w.WriteHeader(status)

+	_ = json.NewEncoder(w).Encode(oauthError{Error: code, ErrorDescription: desc})

+}

+

+func writeJSON(w http.ResponseWriter, status int, body any) {

+	w.Header().Set("Content-Type", "application/json; charset=utf-8")

+	w.Header().Set("Cache-Control", "no-store")

+	w.WriteHeader(status)

+	_ = json.NewEncoder(w).Encode(body)

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth

+

+import (

+	"errors"

+	"net/http"

+	"net/url"

+	"strings"

+	"time"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/devicecode"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+// deviceCodeForm renders the user-facing verification page. Three

+// shapes:

+//   - no user_code → show the entry form.

+//   - user_code present + recognised + pending → show the approve/deny form.

+//   - user_code present but already terminal (approved/denied/expired)

+//     → render the "you can close this window" terminal page so the

+//     polling device sees the result on its next exchange.

+//

+// Unauthenticated callers are redirected to /login with a `next=` that

+// preserves the user_code so the flow resumes after sign-in.

+func (h *Handlers) deviceCodeForm(w http.ResponseWriter, r *http.Request) {

+	user := middleware.CurrentUserFromContext(r.Context())

+	if user.IsAnonymous() {

+		next := "/login/device"

+		if uc := strings.TrimSpace(r.URL.Query().Get("user_code")); uc != "" {

+			next += "?user_code=" + url.QueryEscape(uc)

+		}

+		http.Redirect(w, r, "/login?next="+url.QueryEscape(next), http.StatusSeeOther)

+		return

+	}

+	userCode := strings.TrimSpace(r.URL.Query().Get("user_code"))

+	data := map[string]any{

+		"Title":     "Authorize device",

+		"CSRFToken": middleware.CSRFTokenForRequest(r),

+		"UserCode":  userCode,

+	}

+	if userCode == "" {

+		h.renderPage(w, r, "auth/device_code", data)

+		return

+	}

+	row, err := devicecode.LookupByUserCode(r.Context(), devicecode.Deps{Pool: h.d.Pool}, userCode)

+	if err != nil {

+		data["Error"] = "We don't recognise that code. Check the value and try again."

+		h.renderPage(w, r, "auth/device_code", data)

+		return

+	}

+	switch {

+	case row.ApprovedAt.Valid:

+		data["Terminal"] = true

+		data["Notice"] = "Already authorized."

+	case row.DeniedAt.Valid:

+		data["Terminal"] = true

+		data["Notice"] = "Already denied."

+	case time.Now().After(row.ExpiresAt.Time):

+		data["Terminal"] = true

+		data["Notice"] = "This code expired. Ask your device for a new one."

+	default:

+		data["Approval"] = true

+		data["ClientID"] = row.ClientID

+		data["Scopes"] = row.Scopes

+		data["UserCode"] = row.UserCode

+	}

+	h.renderPage(w, r, "auth/device_code", data)

+}

+

+// deviceCodeSubmit handles the approve / deny click. We re-resolve the

+// row by user_code rather than trust the form id so a malicious page

+// can't trick the user into approving a different grant.

+func (h *Handlers) deviceCodeSubmit(w http.ResponseWriter, r *http.Request) {

+	user := middleware.CurrentUserFromContext(r.Context())

+	if user.IsAnonymous() {

+		http.Redirect(w, r, "/login?next="+url.QueryEscape("/login/device"), http.StatusSeeOther)

+		return

+	}

+	if err := r.ParseForm(); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")

+		return

+	}

+	userCode := strings.TrimSpace(r.PostForm.Get("user_code"))

+	action := r.PostForm.Get("action")

+	if userCode == "" {

+		http.Redirect(w, r, "/login/device", http.StatusSeeOther)

+		return

+	}

+	row, err := devicecode.LookupByUserCode(r.Context(), devicecode.Deps{Pool: h.d.Pool}, userCode)

+	if err != nil {

+		h.renderPage(w, r, "auth/device_code", map[string]any{

+			"Title":     "Authorize device",

+			"CSRFToken": middleware.CSRFTokenForRequest(r),

+			"Error":     "We don't recognise that code.",

+		})

+		return

+	}

+	deps := devicecode.Deps{Pool: h.d.Pool}

+	switch action {

+	case "approve":

+		err = devicecode.Approve(r.Context(), deps, row.ID, user.ID)

+	case "deny":

+		err = devicecode.Deny(r.Context(), deps, row.ID)

+	default:

+		http.Redirect(w, r, "/login/device?user_code="+url.QueryEscape(userCode), http.StatusSeeOther)

+		return

+	}

+	data := map[string]any{

+		"Title":     "Authorize device",

+		"CSRFToken": middleware.CSRFTokenForRequest(r),

+		"Terminal":  true,

+	}

+	switch {

+	case err == nil && action == "approve":

+		data["Notice"] = "Authorized. Return to your device."

+	case err == nil && action == "deny":

+		data["Notice"] = "Denied. Your device will see the result on its next poll."

+	case errors.Is(err, devicecode.ErrExpiredToken):

+		data["Error"] = "This code expired before you could authorize it."

+	case errors.Is(err, devicecode.ErrAlreadyTerminal):

+		data["Notice"] = "Already finalized."

+	default:

+		h.d.Logger.ErrorContext(r.Context(), "device-code submit", "error", err)

+		data["Error"] = "Could not complete authorization. Please retry."

+	}

+	h.renderPage(w, r, "auth/device_code", data)

+}

+{{ define "page" -}}

+<section class="shithub-auth">

+  <h1>Authorize device</h1>

+  {{ with .Error }}<p class="shithub-flash shithub-flash-error" role="alert">{{ . }}</p>{{ end }}

+  {{ with .Notice }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}

+  {{ if .Terminal }}

+    <p>You can close this window and return to your device.</p>

+    <p class="shithub-auth-aside"><a href="/">Back to shithub</a></p>

+  {{ else if .Approval }}

+    <p>

+      A device using <code>{{ .ClientID }}</code> is asking for access to your shithub

+      account.

+    </p>

+    {{ if .Scopes }}

+    <p>Requested scopes:</p>

+    <ul>

+      {{ range .Scopes }}<li><code>{{ . }}</code></li>{{ end }}

+    </ul>

+    {{ else }}

+    <p>This device is asking for read access only.</p>

+    {{ end }}

+    <p>

+      User code: <code>{{ .UserCode }}</code>

+    </p>

+    <form method="POST" action="/login/device" novalidate>

+      <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">

+      <input type="hidden" name="user_code" value="{{ .UserCode }}">

+      <button type="submit" name="action" value="approve"

+              class="shithub-button shithub-button-primary">Authorize</button>

+      <button type="submit" name="action" value="deny"

+              class="shithub-button">Deny</button>

+    </form>

+  {{ else }}

+    <p>Enter the code shown on your device.</p>

+    <form method="GET" action="/login/device" novalidate>

+      <label>

+        <span>User code</span>

+        <input type="text" name="user_code" required autofocus

+               autocomplete="off" inputmode="text"

+               pattern="[A-Za-z0-9-]+"

+               value="{{ .UserCode }}">

+      </label>

+      <button type="submit" class="shithub-button shithub-button-primary">Continue</button>

+    </form>

+  {{ end }}

+</section>

+{{- end }}