claude/mattermost-community-enterprise
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0c9610520e
mattermost-community-enterp.../public/model/oauth.go
Claude ec1f89217a Merge: Complete Mattermost Server with Community Enterprise 
Full Mattermost server source with integrated Community Enterprise features.
Includes vendor directory for offline/air-gapped builds.

Structure:
- enterprise-impl/: Enterprise feature implementations
- enterprise-community/: Init files that register implementations
- enterprise/: Bridge imports (community_imports.go)
- vendor/: All dependencies for offline builds

Build (online):
  go build ./cmd/mattermost

Build (offline/air-gapped):
  go build -mod=vendor ./cmd/mattermost

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-17 23:59:07 +09:00

268 lines
9.1 KiB
Go
Raw Blame History

// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.
package model
import (
"crypto/subtle"
"fmt"
"net/http"
"slices"
"unicode/utf8"
)
const (
OAuthActionSignup = "signup"
OAuthActionLogin = "login"
OAuthActionEmailToSSO = "email_to_sso"
OAuthActionSSOToEmail = "sso_to_email"
OAuthActionMobile = "mobile"
)
type OAuthApp struct {
Id string `json:"id"`
CreatorId string `json:"creator_id"`
CreateAt int64 `json:"create_at"`
UpdateAt int64 `json:"update_at"`
ClientSecret string `json:"client_secret"`
Name string `json:"name"`
Description string `json:"description"`
IconURL string `json:"icon_url"`
CallbackUrls StringArray `json:"callback_urls"`
Homepage string `json:"homepage"`
IsTrusted bool `json:"is_trusted"`
MattermostAppID string `json:"mattermost_app_id"`
IsDynamicallyRegistered bool `json:"is_dynamically_registered,omitempty"`
}
// OAuthAppRequest represents the request body for creating an OAuth app
type OAuthAppRequest struct {
Name string `json:"name"`
Description string `json:"description"`
IconURL string `json:"icon_url"`
CallbackUrls StringArray `json:"callback_urls"`
Homepage string `json:"homepage"`
IsTrusted bool `json:"is_trusted"`
IsPublic bool `json:"is_public"`
}
func (a *OAuthApp) Auditable() map[string]any {
return map[string]any{
"id": a.Id,
"creator_id": a.CreatorId,
"create_at": a.CreateAt,
"update_at": a.UpdateAt,
"name": a.Name,
"description": a.Description,
"icon_url": a.IconURL,
"callback_urls:": a.CallbackUrls,
"homepage": a.Homepage,
"is_trusted": a.IsTrusted,
"mattermost_app_id": a.MattermostAppID,
"token_endpoint_auth_method": a.GetTokenEndpointAuthMethod(),
"is_dynamically_registered": a.IsDynamicallyRegistered,
}
}
func (a *OAuthApp) IsValid() *AppError {
if !IsValidId(a.Id) {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.app_id.app_error", nil, "", http.StatusBadRequest)
}
if a.CreateAt == 0 {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.create_at.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
if a.UpdateAt == 0 {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.update_at.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
if !IsValidId(a.CreatorId) && !a.IsDynamicallyRegistered {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.creator_id.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
// Validate client secret length if present
if a.ClientSecret != "" && len(a.ClientSecret) > 128 {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.client_secret.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
if a.Name == "" || len(a.Name) > 64 {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.name.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
if len(a.CallbackUrls) == 0 || len(fmt.Sprintf("%s", a.CallbackUrls)) > 1024 {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.callback.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
for _, callback := range a.CallbackUrls {
if !IsValidHTTPURL(callback) {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.callback.app_error", nil, "", http.StatusBadRequest)
}
}
if a.Homepage == "" && !a.IsDynamicallyRegistered {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.homepage.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
if a.Homepage != "" && (len(a.Homepage) > 256 || !IsValidHTTPURL(a.Homepage)) {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.homepage.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
if utf8.RuneCountInString(a.Description) > 512 {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.description.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
if a.IconURL != "" {
if len(a.IconURL) > 512 || !IsValidHTTPURL(a.IconURL) {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.icon_url.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
}
if len(a.MattermostAppID) > 32 {
return NewAppError("OAuthApp.IsValid", "model.oauth.is_valid.mattermost_app_id.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
return nil
}
// PreSave will set the Id and ClientSecret if missing. It will also fill
// in the CreateAt, UpdateAt times. It should be run before saving the app to the db.
func (a *OAuthApp) PreSave() {
if a.Id == "" {
a.Id = NewId()
}
// PreSave no longer generates client secrets - callers must explicitly set ClientSecret
// if they want to create a confidential client
a.CreateAt = GetMillis()
a.UpdateAt = a.CreateAt
}
// PreUpdate should be run before updating the app in the db.
func (a *OAuthApp) PreUpdate() {
a.UpdateAt = GetMillis()
}
// Generate a valid strong etag so the browser can cache the results
func (a *OAuthApp) Etag() string {
return Etag(a.Id, a.UpdateAt)
}
// Remove any private data from the app object
func (a *OAuthApp) Sanitize() {
a.ClientSecret = ""
}
func (a *OAuthApp) IsValidRedirectURL(url string) bool {
return slices.Contains(a.CallbackUrls, url)
}
// GetTokenEndpointAuthMethod returns the OAuth token endpoint authentication method
// based on whether the client has a secret
func (a *OAuthApp) GetTokenEndpointAuthMethod() string {
if a.ClientSecret == "" {
return ClientAuthMethodNone
}
return ClientAuthMethodClientSecretPost
}
// IsPublicClient returns true if this is a public client (uses "none" auth method)
func (a *OAuthApp) IsPublicClient() bool {
return a.GetTokenEndpointAuthMethod() == ClientAuthMethodNone
}
// ValidateForGrantType validates the OAuth app for a specific grant type and provided credentials
func (a *OAuthApp) ValidateForGrantType(grantType, clientSecret, codeVerifier string) *AppError {
if a.IsPublicClient() {
return a.validatePublicClientGrant(grantType, clientSecret, codeVerifier)
}
return a.validateConfidentialClientGrant(grantType, clientSecret)
}
// validatePublicClientGrant validates that public client requests follow OAuth 2.1 security requirements
func (a *OAuthApp) validatePublicClientGrant(grantType, clientSecret, codeVerifier string) *AppError {
// Public clients must not provide a client secret
if clientSecret != "" {
return NewAppError("OAuthApp.validatePublicClientGrant", "model.oauth.validate_grant.public_client_secret.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
// Public clients cannot use refresh token grant type
if grantType == RefreshTokenGrantType {
return NewAppError("OAuthApp.validatePublicClientGrant", "model.oauth.validate_grant.public_client_refresh_token.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
// Public clients must use PKCE for authorization code grant
if grantType == AccessTokenGrantType && codeVerifier == "" {
return NewAppError("OAuthApp.validatePublicClientGrant", "model.oauth.validate_grant.pkce_required.app_error", nil, "app_id="+a.Id, http.StatusBadRequest)
}
return nil
}
// validateConfidentialClientGrant validates confidential client authentication
func (a *OAuthApp) validateConfidentialClientGrant(grantType, clientSecret string) *AppError {
// Confidential clients must provide correct client secret
if subtle.ConstantTimeCompare([]byte(a.ClientSecret), []byte(clientSecret)) == 0 {
return NewAppError("OAuthApp.validateConfidentialClientGrant", "model.oauth.validate_grant.credentials.app_error", nil, "app_id="+a.Id, http.StatusUnauthorized)
}
return nil
}
func NewOAuthAppFromClientRegistration(req *ClientRegistrationRequest, creatorId string) *OAuthApp {
app := &OAuthApp{
CreatorId: creatorId,
CallbackUrls: req.RedirectURIs,
IsDynamicallyRegistered: true,
}
if req.ClientName != nil {
app.Name = *req.ClientName
} else {
app.Name = "Dynamically Registered Client"
}
// Generate client secret based on requested auth method, default to confidential client
requestedAuthMethod := ClientAuthMethodClientSecretPost
if req.TokenEndpointAuthMethod != nil {
requestedAuthMethod = *req.TokenEndpointAuthMethod
}
if requestedAuthMethod != ClientAuthMethodNone {
app.ClientSecret = NewId()
}
if req.ClientURI != nil {
app.Homepage = *req.ClientURI
}
return app
}
func (a *OAuthApp) ToClientRegistrationResponse(siteURL string) *ClientRegistrationResponse {
resp := &ClientRegistrationResponse{
ClientID: a.Id,
RedirectURIs: a.CallbackUrls,
TokenEndpointAuthMethod: a.GetTokenEndpointAuthMethod(),
GrantTypes: GetDefaultGrantTypes(),
ResponseTypes: GetDefaultResponseTypes(),
Scope: ScopeUser,
}
if !a.IsPublicClient() {
resp.ClientSecret = &a.ClientSecret
}
if a.Name != "" {
resp.ClientName = &a.Name
}
if a.Homepage != "" {
resp.ClientURI = &a.Homepage
}
return resp
}
Reference in New Issue View Git Blame Copy Permalink