* initial stuff for oauth2 login, fails on:
* login button on the signIn page to start the OAuth2 flow and a callback for each provider. Only GitHub is implemented for now
* show login button only when the OAuth2 consumer is configured (and activated)
* create macaron group for oauth2 urls
* prevent net/http in modules (other than oauth2)
* use a new data sessions oauth2 folder for storing the oauth2 session data
* add missing 2FA when this is enabled on the user
* add password option for OAuth2 user, for use with git over http and login to the GUI
* add tip for registering a GitHub OAuth application
* at startup of Gitea register all configured providers and also on adding/deleting of new providers
* custom handling of errors in oauth2 request init + show better tip
* add ExternalLoginUser model and migration script to add it to database
* link an external account to an existing account (still need to handle wrong login and signup) and remove if user is removed
* remove the linked external account from the user's settings
* if user is unknown we allow him to register a new account or link it to some existing account
* sign up with button on signin page (also change OAuth2Provider structure so we can store basic stuff about providers)
* from gorilla/sessions docs: "Important Note: If you aren't using gorilla/mux, you need to wrap your handlers with context.ClearHandler or else you will leak memory!" (we're using gorilla/sessions for storing oauth2 sessions)
* use updated goth lib that now supports getting the OAuth2 user if the AccessToken is still valid instead of re-authenticating (prevent flooding the OAuth2 provider)
sessions
gorilla/sessions provides cookie and filesystem sessions and infrastructure for custom session backends.
The key features are:
- Simple API: use it as an easy way to set signed (and optionally encrypted) cookies.
- Built-in backends to store sessions in cookies or the filesystem.
- Flash messages: session values that last until read.
- Convenient way to switch session persistency (aka "remember me") and set other attributes.
- Mechanism to rotate authentication and encryption keys.
- Multiple sessions per request, even using different backends.
- Interfaces and infrastructure for custom session backends: sessions from different stores can be retrieved and batch-saved using a common API.
Let's start with an example that shows the sessions API in a nutshell:
```go
package main

import (
	"net/http"

	"github.com/gorilla/sessions"
)

// The key authenticates (HMAC-signs) the session cookie; in production use a
// long random secret loaded from configuration rather than a literal in source.
var store = sessions.NewCookieStore([]byte("something-very-secret"))

func MyHandler(w http.ResponseWriter, r *http.Request) {
	// Get a session. We're ignoring the error resulting from decoding an
	// existing session: Get() always returns a session, even if empty.
	session, _ := store.Get(r, "session-name")
	// Set some session values.
	session.Values["foo"] = "bar"
	session.Values[42] = 43
	// Save it before we write to the response/return from the handler.
	if err := session.Save(r, w); err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		return
	}
}
```
First we initialize a session store by calling NewCookieStore() and passing a secret key used to authenticate the session. Inside the handler, we call store.Get() to retrieve an existing session or a new one. Then we set some session values in session.Values, which is a map[interface{}]interface{}. And finally we call session.Save() to save the session in the response.
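To make concrete what the secret key passed to NewCookieStore() is for, here is an added stand-alone illustration written against the Go standard library only (it is not gorilla/sessions' own code, which also supports encrypting the cookie and takes key pairs for rotation): a minimal signed-cookie store that HMAC-signs the value under the current key, binds the signature to the cookie name, and accepts cookies signed with any key still in the rotation list. signedStore, Encode and Decode are names chosen for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// signedStore (name chosen for this example) holds authentication keys, newest
// first: keys[0] signs new cookies, every key is tried on decode (rotation).
type signedStore struct{ keys [][]byte }
var errBadCookie = errors.New("cookie signature invalid")
// sign MACs name|payload so a cookie cannot be replayed under another name.
func (s *signedStore) sign(key []byte, name, payload string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(name + "|" + payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Encode returns "payload.signature"; the value is tamper-evident, not secret.
func (s *signedStore) Encode(name, value string) string {
	payload := base64.RawURLEncoding.EncodeToString([]byte(value))
	return payload + "." + s.sign(s.keys[0], name, payload)
}

// Decode verifies against each rotation key with a constant-time compare.
func (s *signedStore) Decode(name, cookie string) (string, error) {
	parts := strings.SplitN(cookie, ".", 2)
	if len(parts) != 2 {
		return "", errBadCookie
	}
	for _, key := range s.keys {
		if hmac.Equal([]byte(parts[1]), []byte(s.sign(key, name, parts[0]))) {
			raw, err := base64.RawURLEncoding.DecodeString(parts[0])
			return string(raw), err // err only if the payload is not valid base64
		}
	}
	return "", errBadCookie
}

func main() {
	// Constructed demo keys; real keys must be random bytes from crypto/rand.
	old := &signedStore{keys: [][]byte{[]byte("old-secret")}}
	cookie := old.Encode("session-name", "user=42")
	rotated := &signedStore{keys: [][]byte{[]byte("new-secret"), []byte("old-secret")}}
	fmt.Println(rotated.Decode("session-name", cookie)) // user=42 <nil>
}
```

Because the value is only signed, not encrypted, anything placed in such a cookie is readable by the client; keep secrets server-side (for example in a filesystem store) and put only identifiers in the cookie.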
Important Note: If you aren't using gorilla/mux, you need to wrap your handlers with context.ClearHandler or else you will leak memory! An easy way to do this is to wrap the top-level mux when calling http.ListenAndServe.
More examples are available on the Gorilla website.
Store Implementations
Other implementations of the sessions.Store interface:
- github.com/starJammer/gorilla-sessions-arangodb - ArangoDB
- github.com/yosssi/boltstore - Bolt
- github.com/srinathgs/couchbasestore - Couchbase
- github.com/denizeren/dynamostore - Dynamodb on AWS
- github.com/bradleypeabody/gorilla-sessions-memcache - Memcache
- github.com/dsoprea/go-appengine-sessioncascade - Memcache/Datastore/Context in AppEngine
- github.com/kidstuff/mongostore - MongoDB
- github.com/srinathgs/mysqlstore - MySQL
- github.com/EnumApps/clustersqlstore - MySQL Cluster
- github.com/antonlindstrom/pgstore - PostgreSQL
- github.com/boj/redistore - Redis
- github.com/boj/rethinkstore - RethinkDB
- github.com/boj/riakstore - Riak
- github.com/michaeljs1990/sqlitestore - SQLite
- github.com/wader/gormstore - GORM (MySQL, PostgreSQL, SQLite)
- github.com/gernest/qlstore - ql
License
BSD licensed. See the LICENSE file for details.