package oauth

import (
	"context"
	"errors"
	"strings"

	"github.com/resonatecoop/user-api/model"
)

// Login issues an access token and a refresh token for user, i.e. logs the
// user in.
//
// The requested scope is normalised by updateUserScopeWithRole before any
// token is created: only its leading access level ("read" or "read_write")
// is honoured and the user's role name is appended to it, so the scope that
// ends up on the tokens is derived from the user record rather than taken
// verbatim from the caller.
//
// An error is returned when user is nil, when the user's role is not allowed
// to use this service, when the scope is malformed or the role cannot be
// looked up, or when creating either token fails. Both tokens are nil on error.
func (s *Service) Login(client *model.Client, user *model.User, scope string) (*model.AccessToken, *model.RefreshToken, error) {
	if user == nil {
		return nil, nil, errors.New("valid user must be supplied")
	}

	// A disallowed role is reported with the same generic credential error as
	// a wrong password so the response does not reveal why the login was
	// refused or anything about the account's role.
	if !s.IsRoleAllowed(user.RoleID) {
		return nil, nil, ErrInvalidUsernameOrPassword
	}

	effectiveScope, err := s.updateUserScopeWithRole(user, scope)
	if err != nil {
		return nil, nil, err
	}

	// Lifetimes come from the service's OAuth configuration.
	accessToken, err := s.GrantAccessToken(client, user, s.cnf.Oauth.AccessTokenLifetime, effectiveScope)
	if err != nil {
		return nil, nil, err
	}

	// A still-valid refresh token may be reused rather than minted anew.
	refreshToken, err := s.GetOrCreateRefreshToken(client, user, s.cnf.Oauth.RefreshTokenLifetime, effectiveScope)
	if err != nil {
		return nil, nil, err
	}

	return accessToken, refreshToken, nil
}

// updateUserScopeWithRole turns a caller-supplied scope string into the scope
// stored on the user's tokens.
//
// Only the first space-separated token of scope is examined and it must be
// "read" or "read_write"; anything after it is discarded, so extra scopes
// requested by a client have no effect. The user's role is then loaded from
// the database by user.RoleID and its name is appended, giving
// "<level> <role name>".
//
// It returns an error when the leading token is not an accepted access level
// or when the role lookup fails; the database error is intentionally not
// surfaced in the returned message.
func (s *Service) updateUserScopeWithRole(user *model.User, scope string) (string, error) {
	// SplitN with a limit of 2 yields the leading token without splitting the
	// remainder we never look at.
	level := strings.SplitN(scope, " ", 2)[0]
	switch level {
	case "read", "read_write":
		// accepted access levels
	default:
		return "", errors.New("invalid scope format")
	}

	role := new(model.Role)
	// NOTE(review): the query runs without a deadline because Login is not
	// handed a context by its caller.
	lookupErr := s.db.NewSelect().
		Model(role).
		Where("id = ?", user.RoleID).
		Scan(context.Background())
	if lookupErr != nil {
		// Deliberately generic: the underlying database error is not exposed.
		return "", errors.New("problem determining role from user record")
	}

	return level + " " + role.Name, nil
}