Add Google OAuth authentication

2026-02-14 21:11:25 -08:00
parent 45f4332539
commit 23083bf5a8
5 changed files with 337 additions and 4 deletions
--- a/main.go
+++ b/main.go
@@ -1,19 +1,30 @@
 package main

 import (
+	"context"
+	"crypto/hmac"
+	"crypto/sha256"
 	"database/sql"
 	_ "embed"
+	"encoding/base64"
+	"encoding/json"
 	"fmt"
+	"html/template"
 	"log"
 	"net/http"
 	"os"
+	"path/filepath"
+	"strings"

 	_ "github.com/lib/pq"
+	"google.golang.org/api/idtoken"
 )

 //go:embed schema.sql
 var schema string

+var templates *template.Template
+
 func main() {
 	dsn := os.Getenv("PGCONN")
 	if dsn == "" {
@@ -35,8 +46,11 @@ func main() {
 		log.Fatalf("failed to apply schema: %v", err)
 	}

-	http.Handle("/", http.FileServer(http.Dir("static")))
+	templates = template.Must(template.New("").ParseGlob("static/*.html"))
+	template.Must(templates.ParseGlob("static/*.js"))

+	http.HandleFunc("/", handleStatic)
+	http.HandleFunc("POST /auth/google/callback", handleGoogleCallback)
 	http.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
 		if err := db.Ping(); err != nil {
 			http.Error(w, "db unhealthy", http.StatusServiceUnavailable)
@@ -48,3 +62,98 @@ func main() {
 	log.Println("listening on :8080")
 	log.Fatal(http.ListenAndServe(":8080", nil))
 }
+
+func templateData() map[string]any {
+	return map[string]any{
+		"env": envMap(),
+	}
+}
+
+func envMap() map[string]string {
+	m := map[string]string{}
+	for _, e := range os.Environ() {
+		if parts := strings.SplitN(e, "=", 2); len(parts) == 2 {
+			m[parts[0]] = parts[1]
+		}
+	}
+	return m
+}
+
+func handleStatic(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Cache-Control", "no-cache")
+
+	path := r.URL.Path
+	if path == "/" {
+		path = "/index.html"
+	}
+
+	name := strings.TrimPrefix(path, "/")
+
+	if strings.HasSuffix(name, ".html") || strings.HasSuffix(name, ".js") {
+		t := templates.Lookup(name)
+		if t == nil {
+			http.NotFound(w, r)
+			return
+		}
+		if strings.HasSuffix(name, ".html") {
+			w.Header().Set("Content-Type", "text/html")
+		} else {
+			w.Header().Set("Content-Type", "application/javascript")
+		}
+		t.Execute(w, templateData())
+		return
+	}
+
+	http.ServeFile(w, r, filepath.Join("static", name))
+}
+
+func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
+	credential := r.FormValue("credential")
+	if credential == "" {
+		http.Error(w, "missing credential", http.StatusBadRequest)
+		return
+	}
+
+	payload, err := idtoken.Validate(context.Background(), credential, os.Getenv("GOOGLE_CLIENT_ID"))
+	if err != nil {
+		log.Println("failed to validate token:", err)
+		http.Error(w, "invalid token", http.StatusUnauthorized)
+		return
+	}
+
+	email := payload.Claims["email"].(string)
+
+	profile := map[string]any{
+		"email":   email,
+		"name":    payload.Claims["name"],
+		"picture": payload.Claims["picture"],
+		"token":   signEmail(email),
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(profile)
+}
+
+func signEmail(email string) string {
+	h := hmac.New(sha256.New, []byte(os.Getenv("TOKEN_SECRET")))
+	h.Write([]byte(email))
+	sig := base64.RawURLEncoding.EncodeToString(h.Sum(nil))
+	return base64.RawURLEncoding.EncodeToString([]byte(email)) + "." + sig
+}
+
+func authorize(r *http.Request) (string, bool) {
+	token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
+	parts := strings.SplitN(token, ".", 2)
+	if len(parts) != 2 {
+		return "", false
+	}
+	emailBytes, err := base64.RawURLEncoding.DecodeString(parts[0])
+	if err != nil {
+		return "", false
+	}
+	email := string(emailBytes)
+	if signEmail(email) != token {
+		return "", false
+	}
+	return email, true
+}