Add Config.RedirectURLHostname (#34)

Author: int128

e2e_test/e2e_test.go

@@ -39,6 +39,46 @@ func TestGetToken(t *testing.T) {
 					t.Errorf("scope wants %s but %s", w, r.Scope)
 					return fmt.Sprintf("%s?error=invalid_scope", r.RedirectURI)
 				}
+				redirectURIPrefix := "http://localhost:"
+				if !strings.HasPrefix(r.RedirectURI, redirectURIPrefix) {
+					t.Errorf("redirect_uri wants prefix %s but was %s", redirectURIPrefix, r.RedirectURI)
+					return fmt.Sprintf("%s?error=invalid_redirect_uri", r.RedirectURI)
+				}
+				return fmt.Sprintf("%s?state=%s&code=%s", r.RedirectURI, r.State, "AUTH_CODE")
+			},
+			NewTokenResponse: func(r authserver.TokenRequest) (int, string) {
+				if w := "AUTH_CODE"; r.Code != w {
+					t.Errorf("code wants %s but %s", w, r.Code)
+					return 400, invalidGrantResponse
+				}
+				return 200, validTokenResponse
+			},
+		}
+		successfulTest(t, cfg, h)
+	})
+
+	t.Run("RedirectURLHostname", func(t *testing.T) {
+		cfg := oauth2cli.Config{
+			OAuth2Config: oauth2.Config{
+				ClientID:     "YOUR_CLIENT_ID",
+				ClientSecret: "YOUR_CLIENT_SECRET",
+				Scopes:       []string{"email", "profile"},
+			},
+			RedirectURLHostname:   "127.0.0.1",
+			LocalServerMiddleware: loggingMiddleware(t),
+		}
+		h := &authserver.Handler{
+			T: t,
+			NewAuthorizationResponse: func(r authserver.AuthorizationRequest) string {
+				if w := "email profile"; r.Scope != w {
+					t.Errorf("scope wants %s but %s", w, r.Scope)
+					return fmt.Sprintf("%s?error=invalid_scope", r.RedirectURI)
+				}
+				redirectURIPrefix := "http://127.0.0.1:"
+				if !strings.HasPrefix(r.RedirectURI, redirectURIPrefix) {
+					t.Errorf("redirect_uri wants prefix %s but was %s", redirectURIPrefix, r.RedirectURI)
+					return fmt.Sprintf("%s?error=invalid_redirect_uri", r.RedirectURI)
+				}
 				return fmt.Sprintf("%s?state=%s&code=%s", r.RedirectURI, r.State, "AUTH_CODE")
 			},
 			NewTokenResponse: func(r authserver.TokenRequest) (int, string) {
@@ -70,8 +110,9 @@ func TestGetToken(t *testing.T) {
 					t.Errorf("scope wants %s but %s", w, r.Scope)
 					return fmt.Sprintf("%s?error=invalid_scope", r.RedirectURI)
 				}
-				if !strings.HasPrefix(r.RedirectURI, "https://") {
-					t.Errorf("redirect_uri must start with https:// when using TLS config %s", r.RedirectURI)
+				redirectURIPrefix := "https://localhost:"
+				if !strings.HasPrefix(r.RedirectURI, redirectURIPrefix) {
+					t.Errorf("redirect_uri wants prefix %s but was %s", redirectURIPrefix, r.RedirectURI)
 					return fmt.Sprintf("%s?error=invalid_redirect_uri", r.RedirectURI)
 				}
 				return fmt.Sprintf("%s?state=%s&code=%s", r.RedirectURI, r.State, "AUTH_CODE")

oauth2cli.go

@@ -21,6 +21,10 @@ type Config struct {
 	// OAuth2 config.
 	// RedirectURL will be automatically set to the local server.
 	OAuth2Config oauth2.Config
+	// Hostname of the redirect URL.
+	// You can set this if your provider does not accept localhost.
+	// Default to localhost.
+	RedirectURLHostname string
 	// Options for an authorization request.
 	// You can set oauth2.AccessTypeOffline and the PKCE options here.
 	AuthCodeOptions []oauth2.AuthCodeOption
@@ -67,6 +71,30 @@ type Config struct {
 	LocalServerPort []int
 }
 
+func (c *Config) validateAndSetDefaults() error {
+	if (c.LocalServerCertFile != "" && c.LocalServerKeyFile == "") ||
+		(c.LocalServerCertFile == "" && c.LocalServerKeyFile != "") {
+		return fmt.Errorf("both LocalServerCertFile and LocalServerKeyFile must be set")
+	}
+	if c.RedirectURLHostname == "" {
+		c.RedirectURLHostname = "localhost"
+	}
+	if c.State == "" {
+		s, err := oauth2params.NewState()
+		if err != nil {
+			return fmt.Errorf("could not generate a state parameter: %w", err)
+		}
+		c.State = s
+	}
+	if c.LocalServerMiddleware == nil {
+		c.LocalServerMiddleware = noopMiddleware
+	}
+	if c.LocalServerSuccessHTML == "" {
+		c.LocalServerSuccessHTML = DefaultLocalServerSuccessHTML
+	}
+	return nil
+}
+
 func (c *Config) populateDeprecatedFields() {
 	if len(c.LocalServerPort) > 0 {
 		address := c.LocalServerAddress
@@ -92,18 +120,8 @@ func (c *Config) populateDeprecatedFields() {
 // 	6. Return the code.
 //
 func GetToken(ctx context.Context, config Config) (*oauth2.Token, error) {
-	if config.State == "" {
-		s, err := oauth2params.NewState()
-		if err != nil {
-			return nil, fmt.Errorf("could not generate a state parameter: %w", err)
-		}
-		config.State = s
-	}
-	if config.LocalServerMiddleware == nil {
-		config.LocalServerMiddleware = noopMiddleware
-	}
-	if config.LocalServerSuccessHTML == "" {
-		config.LocalServerSuccessHTML = DefaultLocalServerSuccessHTML
+	if err := config.validateAndSetDefaults(); err != nil {
+		return nil, fmt.Errorf("invalid config: %w", err)
 	}
 	config.populateDeprecatedFields()
 	code, err := receiveCodeViaLocalServer(ctx, &config)

server.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"net"
 	"net/http"
 
 	"github.com/int128/listener"
@@ -16,17 +17,7 @@ func receiveCodeViaLocalServer(ctx context.Context, c *Config) (string, error) {
 		return "", fmt.Errorf("could not start a local server: %w", err)
 	}
 	defer l.Close()
-
-	switch {
-	case c.LocalServerCertFile == "" && c.LocalServerKeyFile == "":
-	case c.LocalServerCertFile != "" && c.LocalServerKeyFile != "":
-		l.URL.Scheme = "https"
-	default:
-		return "", fmt.Errorf("both LocalServerCertFile and LocalServerKeyFile must be set")
-	}
-	if c.OAuth2Config.RedirectURL == "" {
-		c.OAuth2Config.RedirectURL = l.URL.String()
-	}
+	c.OAuth2Config.RedirectURL = computeRedirectURL(l, c)
 
 	respCh := make(chan *authorizationResponse)
 	server := http.Server{
@@ -72,7 +63,7 @@ func receiveCodeViaLocalServer(ctx context.Context, c *Config) (string, error) {
 		return nil
 	})
 	if c.LocalServerReadyChan != nil {
-		c.LocalServerReadyChan <- l.URL.String()
+		c.LocalServerReadyChan <- c.OAuth2Config.RedirectURL
 	}
 
 	if err := eg.Wait(); err != nil {
@@ -84,6 +75,14 @@ func receiveCodeViaLocalServer(ctx context.Context, c *Config) (string, error) {
 	return resp.code, resp.err
 }
 
+func computeRedirectURL(l net.Listener, c *Config) string {
+	hostPort := fmt.Sprintf("%s:%d", c.RedirectURLHostname, l.Addr().(*net.TCPAddr).Port)
+	if c.LocalServerCertFile != "" {
+		return "https://" + hostPort
+	}
+	return "http://" + hostPort
+}
+
 type authorizationResponse struct {
 	code string // non-empty if a valid code is received
 	err  error  // non-nil if an error is received or any error occurs
@@ -109,8 +108,8 @@ func (h *localServerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *localServerHandler) handleIndex(w http.ResponseWriter, r *http.Request) {
-	url := h.config.OAuth2Config.AuthCodeURL(h.config.State, h.config.AuthCodeOptions...)
-	http.Redirect(w, r, url, 302)
+	authCodeURL := h.config.OAuth2Config.AuthCodeURL(h.config.State, h.config.AuthCodeOptions...)
+	http.Redirect(w, r, authCodeURL, 302)
 }
 
 func (h *localServerHandler) handleCodeResponse(w http.ResponseWriter, r *http.Request) *authorizationResponse {