Added github OAuth endpoints

backend/.env.template

@@ -6,4 +6,9 @@ DB_USER=
 DB_PASSWORD=
 STATIC_FILES_STORAGE_LOCATION=/srv/static
 UPLOADED_QPS_PATH=iqps/uploaded # Relative to `STATIC_FILES_STORAGE_LOCATION`. Final upload location will be /srv/static/iqps/uploaded
-MAX_UPLOAD_LIMIT=10
+MAX_UPLOAD_LIMIT=10
+GH_CLIENT_ID= # public token of the oauth app
+GH_PRIVATE_ID= # Private token of the oauth app
+JWT_SECRET= # JWT encryption secret
+GH_ORG_NAME= # name of the org
+GH_ORG_TEAM_SLUG= #URL friendly team Name

backend/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.21 AS builder
+FROM golang:1.22.4 AS builder
 
 WORKDIR /src
 COPY . .

backend/docker-compose.yaml

@@ -21,6 +21,11 @@ services:
  - DB_USER=${DB_USER}
  - DB_PASSWORD=${DB_PASSWORD}
  - UPLOADED_QPS_PATH=${UPLOADED_QPS_PATH}
+ - GH_CLIENT_ID=${GH_CLIENT_ID}
+ - GH_PRIVATE_ID=${GH_PRIVATE_ID}
+ - JWT_SECRET=${JWT_SECRET}
+ - GH_ORG_NAME=${GH_ORG_NAME}
+ - GH_ORG_TEAM_SLUG=${GH_ORG_TEAM_SLUG}
 
 networks:
  metaploy-network:

backend/go.mod

@@ -1,10 +1,12 @@
 module github.com/metakgp/iqps/backend
 
-go 1.21.6
+go 1.22.4
 
 require (
  github.com/joho/godotenv v1.5.1
  github.com/rs/cors v1.10.1
 )
 
 require github.com/lib/pq v1.10.9
+
+require github.com/golang-jwt/jwt/v5 v5.2.1

backend/go.sum

@@ -1,3 +1,5 @@
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=

backend/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+ "context"
  "database/sql"
  "encoding/json"
  "errors"
@@ -14,12 +15,16 @@ import (
  "strings"
  "time"
 
+ "github.com/golang-jwt/jwt/v5"
  "github.com/joho/godotenv"
- "github.com/rs/cors"
-
  _ "github.com/lib/pq"
+ "github.com/rs/cors"
 )
 
+type contextKey string
+
+const claimsKey = contextKey("claims")
+
 type QuestionPaper struct {
  ID int `json:"id"`
  CourseCode string `json:"course_code"`
@@ -44,8 +49,32 @@ var (
  staticFilesUrl string
  staticFilesStorageLocation string
  uploadedQpsPath string
+ gh_pubKey string
+ gh_pvtKey string
+ jwt_secret string
+ org_name string
+ org_team string
 )
 
+type GhOAuthReqBody struct {
+ GhCode string `json:"code"`
+}
+
+type GithubAccessTokenResponse struct {
+ AccessToken string `json:"access_token"`
+ Scope string `json:"scope"`
+ TokenType string `json:"token_type"`
+}
+
+type GithubUserResponse struct {
+ Login string `json:"login"`
+ ID int `json:"id"`
+}
+
+var respData struct {
+ Token string `json:"token"`
+}
+
 const init_db = `CREATE TABLE IF NOT EXISTS qp (
  id SERIAL PRIMARY KEY,
  course_code TEXT NOT NULL DEFAULT '',
@@ -159,10 +188,6 @@ func search(w http.ResponseWriter, r *http.Request) {
 }
 
 func upload(w http.ResponseWriter, r *http.Request) {
- if r.Method != "POST" {
- http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
- return
- }
  var response []uploadEndpointRes
  // Max total size of 50MB
  const MaxBodySize = 50 << 20 // 1<<20 = 1024*1024 = 1MB
@@ -308,12 +333,215 @@ func populateDB(filename string) error {
  return nil
 }
 
+func GhAuth(w http.ResponseWriter, r *http.Request) {
+
+ ghOAuthReqBody := GhOAuthReqBody{}
+ if err := json.NewDecoder(r.Body).Decode(&ghOAuthReqBody); err != nil {
+ http.Error(w, err.Error(), http.StatusBadRequest)
+ return
+ }
+
+ if ghOAuthReqBody.GhCode == "" {
+ http.Error(w, "Github OAuth Code cannot be empty", http.StatusBadRequest)
+ return
+ }
+
+ // Get the access token for authenticating other endpoints
+ uri := fmt.Sprintf("https://github.com/login/oauth/access_token?client_id=%s&client_secret=%s&code=%s", gh_pubKey, gh_pvtKey, ghOAuthReqBody.GhCode)
+
+ req, _ := http.NewRequest("POST", uri, nil)
+ req.Header.Set("Accept", "application/json")
+
+ client := &http.Client{}
+ resp, err := client.Do(req)
+ if err != nil {
+ fmt.Println("Error Getting Github Access Token: ", err.Error())
+ http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ return
+ }
+ defer resp.Body.Close()
+
+ // Decode the response
+ var tokenResponse GithubAccessTokenResponse
+ if err := json.NewDecoder(resp.Body).Decode(&tokenResponse); err != nil {
+ fmt.Println("Error Decoding Github Access Token: ", err.Error())
+ http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ return
+ }
+
+ // Get the username of the user who made the request
+ req, _ = http.NewRequest("GET", "https://api.github.com/user", nil)
+ req.Header.Set("Authorization", "Bearer "+tokenResponse.AccessToken)
+
+ resp, err = client.Do(req)
+ if err != nil {
+ fmt.Println("Error getting username: ", err.Error())
+ http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ return
+ }
+ defer resp.Body.Close()
+
+ // Decode the response
+ var userResponse GithubUserResponse
+ if err := json.NewDecoder(resp.Body).Decode(&userResponse); err != nil {
+ fmt.Println("Error decoding username: ", err.Error())
+ http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ return
+ }
+
+ uname := userResponse.Login
+ // check if uname is empty
+ if uname == "" {
+ http.Error(w, "No user found", http.StatusUnauthorized)
+ return
+ }
+
+ // Send request to check status of the user in the given org's team
+ url := fmt.Sprintf("https://api.github.com/orgs/%s/teams/%s/memberships/%s", org_name, org_team, uname)
+ req, _ = http.NewRequest("GET", url, nil)
+ req.Header.Set("Authorization", "Bearer "+tokenResponse.AccessToken)
+ resp, err = client.Do(req)
+
+ var checkResp struct {
+ State string `json:"state"`
+ }
+
+ if err != nil {
+ fmt.Println("Error validating user membership: ", err.Error())
+ http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ return
+ }
+
+ defer resp.Body.Close()
+ //decode the response
+ if err := json.NewDecoder(resp.Body).Decode(&checkResp); err != nil {
+ fmt.Println("Error decoding gh validation body: ", err.Error())
+ http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ return
+ }
+
+ // Check if user is present in the team
+ if checkResp.State != "active" {
+
+ http.Error(w, "User is not authenticated", http.StatusUnauthorized)
+ return
+ }
+
+ // Create the response JWT
+ token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+ "username": uname,
+ })
+
+ tokenString, err := token.SignedString([]byte(jwt_secret))
+ if err != nil {
+ fmt.Println("Error Sigining JWT: ", err.Error())
+ http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ return
+ }
+
+ http.Header.Add(w.Header(), "content-type", "application/json")
+
+ // Send the response
+
+ respData.Token = tokenString
+ err = json.NewEncoder(w).Encode(&respData)
+ if err != nil {
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }
+}
+
+func JWTMiddleware(handler http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ // get the authorisation header
+ tokenString := r.Header.Get("Authorization")
+ if tokenString == "" {
+ w.WriteHeader(http.StatusUnauthorized)
+ fmt.Fprint(w, "Missing authorization header")
+ return
+ }
+ JWTtoken := strings.Split(tokenString, " ")
+
+ if len(JWTtoken) != 2 {
+ w.WriteHeader(http.StatusBadRequest)
+ fmt.Fprint(w, "Authorisation head is of incorrect type")
+ return
+ }
+ //parse the token
+ token, err := jwt.Parse(JWTtoken[1], func(t *jwt.Token) (interface{}, error) {
+ if _, OK := t.Method.(*jwt.SigningMethodHMAC); !OK {
+ return nil, errors.New("bad signed method received")
+ }
+
+ return []byte(jwt_secret), nil
+ })
+
+ // Check if error in parsing jwt token
+ if err != nil {
+ http.Error(w, "Bad JWT token", http.StatusUnauthorized)
+ return
+ }
+ // Get the claims
+ claims, ok := token.Claims.(jwt.MapClaims)
+
+ if ok && token.Valid && claims["username"] != nil {
+ // If valid claims found, send response
+ ctx := context.WithValue(r.Context(), claimsKey, claims)
+ handler.ServeHTTP(w, r.WithContext(ctx))
+ } else {
+ http.Error(w, "Invalid JWT token", http.StatusUnauthorized)
+ }
+ })
+}
+
+func getClaims(r *http.Request) jwt.MapClaims {
+ if claims, ok := r.Context().Value(claimsKey).(jwt.MapClaims); ok {
+ return claims
+ }
+ return nil
+}
+
+// func protectedRoute(w http.ResponseWriter, r *http.Request) {
+// claims := getClaims(r)
+
+// if claims != nil {
+// fmt.Fprintf(w, "Hello, %s", claims["username"])
+// } else {
+// http.Error(w, "No claims found", http.StatusUnauthorized)
+// }
+// }
+
 func CheckError(err error) {
  if err != nil {
  panic(err)
  }
 }
 
+func LoadGhEnv() {
+ gh_pubKey = os.Getenv("GH_CLIENT_ID")
+ gh_pvtKey = os.Getenv("GH_PRIVATE_ID")
+ org_name = os.Getenv("GH_ORG_NAME")
+ org_team = os.Getenv("GH_ORG_TEAM_SLUG")
+
+ jwt_secret = os.Getenv("JWT_SECRET")
+
+ if gh_pubKey == "" {
+ panic("Client id for Github OAuth cannot be empty")
+ }
+ if gh_pvtKey == "" {
+ panic("Client Private Key for Github OAuth cannot be empty")
+ }
+ if org_name == "" {
+ panic("Organisation name cannot be empty")
+ }
+ if org_team == "" {
+ panic("Team name of the Organistion cannot be empty")
+ }
+ if jwt_secret == "" {
+ panic("JWT Secret Key cannot be empty")
+ }
+}
+
 func main() {
  err := godotenv.Load(".env")
  if err != nil {
@@ -324,6 +552,8 @@ func main() {
  port, err := strconv.Atoi(os.Getenv("DB_PORT"))
  CheckError(err)
 
+ LoadGhEnv()
+
  user := os.Getenv("DB_USER")
  password := os.Getenv("DB_PASSWORD")
  dbname := os.Getenv("DB_NAME")
@@ -350,7 +580,9 @@ func main() {
  http.HandleFunc("/search", search)
  http.HandleFunc("/year", year)
  http.HandleFunc("/library", library)
- http.HandleFunc("/upload", upload)
+ http.HandleFunc("POST /upload", upload)
+ http.HandleFunc("GET /oauth", GhAuth)
+ //http.Handle("/protected", JWTMiddleware(http.HandlerFunc(protectedRoute)))
 
  c := cors.New(cors.Options{
  AllowedOrigins: []string{"https://qp.metakgp.org", "http://localhost:3000"},

go.work

@@ -1,4 +1,4 @@
-go 1.21.6
+go 1.22.4
 
 use (
  ./backend