feat(api/v2): add OAuth 2.0 token and authorize endpoints

Port oauth/token and oauth/authorize to /api/v2, delegating to the
shared oauth2server.ExchangeToken / Authorize cores.

The token endpoint accepts spec-compliant application/x-www-form-urlencoded
bodies (RFC 6749) in addition to JSON; a form-urlencoded format is
registered on the v2 API that binds into the same json-tagged request
struct. The response carries Cache-Control: no-store. The token endpoint
is public; authorize inherits the global JWT auth.
This commit is contained in:
kolaente 2026-06-11 21:45:35 +02:00 committed by kolaente
parent 37a174b99e
commit dc4c3a6a17
2 changed files with 153 additions and 0 deletions

View File

@ -19,7 +19,10 @@ package apiv2
import (
"context"
"encoding/json"
"io"
"net/http"
"net/url"
"strings"
"code.vikunja.io/api/pkg/config"
@ -31,6 +34,36 @@ import (
"github.com/labstack/echo/v5"
)
// formURLEncodedContentType is the content type the OAuth token endpoint accepts
// in addition to JSON, per RFC 6749.
const formURLEncodedContentType = "application/x-www-form-urlencoded"
// formURLEncodedFormat lets Huma bind application/x-www-form-urlencoded request
// bodies into the same json-tagged structs it uses for JSON: the form values are
// re-marshaled to JSON and decoded via the standard path. Only string scalars
// are produced, which is all the form-encoded endpoints (OAuth token) need.
var formURLEncodedFormat = huma.Format{
Marshal: func(io.Writer, any) error {
// Responses are always JSON; this format is request-body only.
return huma.ErrUnknownContentType
},
Unmarshal: func(data []byte, v any) error {
values, err := url.ParseQuery(string(data))
if err != nil {
return err
}
flat := make(map[string]string, len(values))
for key := range values {
flat[key] = values.Get(key)
}
raw, err := json.Marshal(flat)
if err != nil {
return err
}
return json.Unmarshal(raw, v)
},
}
// GroupPrefix is the URL prefix the Echo group for /api/v2 is mounted at.
const GroupPrefix = "/api/v2"
@ -44,6 +77,14 @@ func NewAPI(e *echo.Echo, g *echo.Group) huma.API {
// Real presence/format rules live in `valid:` tags, enforced by govalidator in
// the Register wrapper; leave the schema permissive so partial updates match v1.
cfg.FieldsOptionalByDefault = true
// Accept application/x-www-form-urlencoded bodies (the OAuth token endpoint)
// alongside JSON. Copy the default map so we don't mutate the package global.
formats := make(map[string]huma.Format, len(cfg.Formats)+1)
for ct, f := range cfg.Formats {
formats[ct] = f
}
formats[formURLEncodedContentType] = formURLEncodedFormat
cfg.Formats = formats
api := humaecho5.NewWithGroup(e, g, GroupPrefix, cfg)
oapi := api.OpenAPI()

112
pkg/routes/api/v2/oauth.go Normal file
View File

@ -0,0 +1,112 @@
// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package apiv2
import (
"context"
"net/http"
"code.vikunja.io/api/pkg/modules/auth/oauth2server"
"code.vikunja.io/api/pkg/modules/humaecho5"
"code.vikunja.io/api/pkg/user"
"github.com/danielgtaylor/huma/v2"
"github.com/labstack/echo/v5"
)
// oauthTokenBody wraps the OAuth 2.0 token response.
type oauthTokenBody struct {
// Cache-Control: no-store is required by RFC 6749 §5.1 so tokens are not
// cached. v2 already sets it globally, but declaring it keeps the contract
// explicit in the spec.
CacheControl string `header:"Cache-Control"`
Body *oauth2server.TokenResponse
}
// oauthAuthorizeBody wraps the OAuth 2.0 authorization response.
type oauthAuthorizeBody struct {
Body *oauth2server.AuthorizeResponse
}
func init() { AddRouteRegistrar(RegisterOAuthRoutes) }
// RegisterOAuthRoutes wires the OAuth 2.0 token and authorize endpoints. The
// token endpoint is public (it authenticates the request itself); authorize
// inherits the global JWT auth.
func RegisterOAuthRoutes(api huma.API) {
tags := []string{"auth"}
Register(api, huma.Operation{
OperationID: "oauth-token",
Summary: "OAuth 2.0 token endpoint",
Description: "Exchanges an authorization code (grant_type=authorization_code) or a refresh token (grant_type=refresh_token) for an access token. Accepts application/x-www-form-urlencoded per RFC 6749 as well as JSON.",
Method: http.MethodPost,
Path: "/oauth/token",
DefaultStatus: http.StatusOK,
Tags: tags,
Security: publicSecurity,
}, oauthToken)
Register(api, huma.Operation{
OperationID: "oauth-authorize",
Summary: "OAuth 2.0 authorize endpoint",
Description: "Creates a single-use authorization code for the authenticated user. PKCE (code_challenge with method S256) and a loopback or vikunja- scheme redirect_uri are required.",
Method: http.MethodPost,
Path: "/oauth/authorize",
DefaultStatus: http.StatusOK,
Tags: tags,
}, oauthAuthorize)
}
func oauthToken(ctx context.Context, in *struct {
Body oauth2server.TokenRequest `contentType:"application/x-www-form-urlencoded"`
}) (*oauthTokenBody, error) {
deviceInfo, ipAddress := requestClientInfo(ctx)
resp, err := oauth2server.ExchangeToken(&in.Body, deviceInfo, ipAddress)
if err != nil {
return nil, translateDomainError(err)
}
return &oauthTokenBody{CacheControl: "no-store", Body: resp}, nil
}
func oauthAuthorize(ctx context.Context, in *struct{ Body oauth2server.AuthorizeRequest }) (*oauthAuthorizeBody, error) {
a, err := authFromCtx(ctx)
if err != nil {
return nil, err
}
u, err := user.GetFromAuth(a)
if err != nil {
return nil, translateDomainError(err)
}
resp, err := oauth2server.Authorize(&in.Body, u.ID)
if err != nil {
return nil, translateDomainError(err)
}
return &oauthAuthorizeBody{Body: resp}, nil
}
// requestClientInfo pulls the user agent and client IP off the underlying Echo
// request so the authorization_code grant can record them on the session it
// creates, mirroring v1. Both fall back to "" when the context is unavailable.
func requestClientInfo(ctx context.Context) (deviceInfo, ipAddress string) {
ec, ok := ctx.Value(humaecho5.EchoContextKey).(*echo.Context)
if !ok || ec == nil {
return "", ""
}
return (*ec).Request().UserAgent(), (*ec).RealIP()
}