143 lines
3.6 KiB
Go
143 lines
3.6 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
|
|
"mail_go/config"
|
|
|
|
"golang.org/x/oauth2"
|
|
"golang.org/x/oauth2/github"
|
|
"golang.org/x/oauth2/google"
|
|
)
|
|
|
|
// OAuth2Provider 实现 OAuth2 认证
|
|
type OAuth2Provider struct {
|
|
cfg config.AuthConfig
|
|
config *oauth2.Config
|
|
}
|
|
|
|
// NewOAuth2Provider 创建 OAuth2 认证提供者
|
|
func NewOAuth2Provider(cfg config.AuthConfig) *OAuth2Provider {
|
|
p := &OAuth2Provider{cfg: cfg}
|
|
|
|
var endpoint oauth2.Endpoint
|
|
switch cfg.OAuth2Provider {
|
|
case "google":
|
|
endpoint = google.Endpoint
|
|
case "github":
|
|
endpoint = github.Endpoint
|
|
default:
|
|
endpoint = oauth2.Endpoint{
|
|
AuthURL: fmt.Sprintf("https://%s/login/oauth/authorize", cfg.OAuth2Provider),
|
|
TokenURL: fmt.Sprintf("https://%s/login/oauth/access_token", cfg.OAuth2Provider),
|
|
}
|
|
}
|
|
|
|
p.config = &oauth2.Config{
|
|
ClientID: cfg.OAuth2ClientID,
|
|
ClientSecret: cfg.OAuth2ClientSecret,
|
|
RedirectURL: cfg.OAuth2RedirectURL,
|
|
Scopes: []string{"email", "profile"},
|
|
Endpoint: endpoint,
|
|
}
|
|
|
|
return p
|
|
}
|
|
|
|
// Name 返回提供者名称
|
|
func (p *OAuth2Provider) Name() string { return "oauth2" }
|
|
|
|
// GetAuthURL 返回 OAuth2 授权重定向URL
|
|
func (p *OAuth2Provider) GetAuthURL(state string) string {
|
|
return p.config.AuthCodeURL(state)
|
|
}
|
|
|
|
// HandleCallback 处理 OAuth2 回调,返回用户邮箱
|
|
func (p *OAuth2Provider) HandleCallback(code string) (string, error) {
|
|
token, err := p.config.Exchange(context.Background(), code)
|
|
if err != nil {
|
|
return "", fmt.Errorf("OAuth2 token 交换失败: %w", err)
|
|
}
|
|
|
|
email, err := p.fetchUserEmail(token)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
return email, nil
|
|
}
|
|
|
|
// fetchUserEmail 从 OAuth2 提供者获取用户邮箱
|
|
func (p *OAuth2Provider) fetchUserEmail(token *oauth2.Token) (string, error) {
|
|
client := p.config.Client(context.Background(), token)
|
|
|
|
var userinfoURL string
|
|
switch p.cfg.OAuth2Provider {
|
|
case "google":
|
|
userinfoURL = "https://www.googleapis.com/oauth2/v2/userinfo"
|
|
case "github":
|
|
userinfoURL = "https://api.github.com/user/emails"
|
|
default:
|
|
return "", fmt.Errorf("不支持的 OAuth2 提供者: %s", p.cfg.OAuth2Provider)
|
|
}
|
|
|
|
resp, err := client.Get(userinfoURL)
|
|
if err != nil {
|
|
return "", fmt.Errorf("获取用户信息失败: %w", err)
|
|
}
|
|
defer resp.Body.Close()
|
|
|
|
body, err := io.ReadAll(resp.Body)
|
|
if err != nil {
|
|
return "", fmt.Errorf("读取用户信息失败: %w", err)
|
|
}
|
|
|
|
if p.cfg.OAuth2Provider == "google" {
|
|
var userInfo struct {
|
|
Email string `json:"email"`
|
|
}
|
|
if err := json.Unmarshal(body, &userInfo); err != nil {
|
|
return "", fmt.Errorf("解析Google用户信息失败: %w", err)
|
|
}
|
|
if userInfo.Email == "" {
|
|
return "", fmt.Errorf("Google账户未关联邮箱")
|
|
}
|
|
return userInfo.Email, nil
|
|
}
|
|
|
|
if p.cfg.OAuth2Provider == "github" {
|
|
var emails []struct {
|
|
Email string `json:"email"`
|
|
Primary bool `json:"primary"`
|
|
}
|
|
if err := json.Unmarshal(body, &emails); err != nil {
|
|
return "", fmt.Errorf("解析GitHub用户信息失败: %w", err)
|
|
}
|
|
for _, e := range emails {
|
|
if e.Primary {
|
|
return e.Email, nil
|
|
}
|
|
}
|
|
if len(emails) > 0 {
|
|
return emails[0].Email, nil
|
|
}
|
|
return "", fmt.Errorf("GitHub账户未关联邮箱")
|
|
}
|
|
|
|
return "", fmt.Errorf("OAuth2 邮箱获取尚未实现")
|
|
}
|
|
|
|
// Authenticate 实现 Provider 接口(OAuth2 不使用此方法,通过回调流程认证)
|
|
func (p *OAuth2Provider) Authenticate(credentials map[string]string) (string, error) {
|
|
return "", fmt.Errorf("OAuth2 不支持直接认证,请使用回调流程")
|
|
}
|
|
|
|
// Ensure interfaces are satisfied
|
|
var (
|
|
_ Provider = (*LDAPProvider)(nil)
|
|
_ Provider = (*OAuth2Provider)(nil)
|
|
)
|