
osin-mysql's Introduction

osin-mysql


A MySQL storage backend for osin oauth2. In addition to implementing the osin.Storage interface, the github.com/felipeweb/osin-mysql/storage.Storage interface defines new methods:

// CreateClient stores the client in the database and returns an error, if something went wrong.
CreateClient(client osin.Client) error

// UpdateClient updates the client (identified by its id) and replaces the values with the values of client.
// Returns an error if something went wrong.
UpdateClient(client osin.Client) error

// RemoveClient removes a client (identified by id) from the database. Returns an error if something went wrong.
RemoveClient(id string) error

Encrypt your tokens

Unfortunately, the osin library offers few capabilities for storing credentials such as access or refresh tokens in a hashed or encrypted way. An attacker who gains access to your database through any attack vector could steal these tokens and gain, for example, administrative access to your application.

Please be aware that this library stores all data as-is and does not perform any sort of encryption or hashing.
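One way to keep raw tokens out of the database is to store only a digest and hash the presented token on lookup. The sketch below is an added example, not code from osin or osin-mysql: AccessRecord, hashedStore and the in-memory map are hypothetical stand-ins for osin.AccessData and the access table, and the token value is constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AccessRecord is a simplified stand-in for osin.AccessData (assumption).
type AccessRecord struct {
	ClientID string
	Token    string // holds the digest once stored, never the raw token
	Scope    string
}

// hashedStore keeps only SHA-256 digests of tokens. The map stands in for
// the access table; a real wrapper would delegate to the SQL storage.
type hashedStore struct{ rows map[string]AccessRecord }

func newHashedStore() *hashedStore { return &hashedStore{rows: map[string]AccessRecord{}} }

// digest is unsalted on purpose: tokens are random and high-entropy, and the
// digest must be recomputable from the presented token alone for lookup.
func digest(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// SaveAccess stores the record under the token's digest.
func (s *hashedStore) SaveAccess(rec AccessRecord) {
	rec.Token = digest(rec.Token)
	s.rows[rec.Token] = rec
}

// LoadAccess hashes the presented token and looks the digest up.
func (s *hashedStore) LoadAccess(presented string) (AccessRecord, error) {
	rec, ok := s.rows[digest(presented)]
	if !ok {
		return AccessRecord{}, errors.New("access token not found")
	}
	return rec, nil
}

func main() {
	s := newHashedStore()
	s.SaveAccess(AccessRecord{ClientID: "c1", Token: "constructed-sample-token", Scope: "read"})
	_, err := s.LoadAccess("constructed-sample-token")
	fmt.Println("lookup ok:", err == nil)
}
```

Since lookups compare digests of the presented value, two tokens that differ only in letter case never match each other, whatever the column collation.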

Usage

First, install this library with go get "github.com/felipeweb/osin-mysql".

package main

import (
	"database/sql"
	"log"

	_ "github.com/go-sql-driver/mysql"

	"github.com/RangelReale/osin"
	mysql "github.com/felipeweb/osin-mysql"
)

func main() {
	// parseTime=true lets DATETIME columns scan into time.Time
	url := "user:password@tcp(host:3306)/dbname?parseTime=true"
	db, err := sql.Open("mysql", url)
	if err != nil {
		log.Fatal(err)
	}

	// New takes the db handle and a table prefix
	store := mysql.New(db, "osin_")
	if err := store.CreateSchemas(); err != nil {
		log.Fatal(err)
	}
	server := osin.NewServer(osin.NewServerConfig(), store)
	_ = server // wire the server into your HTTP handlers

	// See the osin documentation for more information
	// e.g.: server.HandleAuthorizeRequest(resp, r)
}

Limitations

TL;DR: The UserData field of AuthorizeData, Client and AccessData must be a string due to language restrictions, or an error will be thrown.

In osin, Client, AuthorizeData and AccessData have a UserData property of type interface{}. This does not work well with SQL, because it is not possible to gob decode or unmarshal the data back, since the concrete type is not known. Because osin's storage interface does not support setting the UserData type, this library tries to convert UserData to string and return it as such. With this, you could for example gob encode the data (then e.g. base64 encode it for SQL storage type compatibility) before passing it to e.g. FinishAccessRequest and decode it when needed.
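The gob-plus-base64 round trip suggested above, as an added example that is not part of the library: the Session type and both helper names are hypothetical, and the decoder takes interface{} because that is the declared type of UserData.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/gob"
	"errors"
	"fmt"
)

// Session is a hypothetical application payload to carry in UserData.
type Session struct {
	UserID int64
	Roles  []string
}

// EncodeUserData gob-encodes v and base64-wraps it, so the result is a
// plain string that fits a text column.
func EncodeUserData(v Session) (string, error) {
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(v); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// DecodeUserData reverses EncodeUserData and rejects any UserData value
// that is not a string or does not decode cleanly.
func DecodeUserData(userData interface{}) (Session, error) {
	var out Session
	s, ok := userData.(string)
	if !ok {
		return out, errors.New("UserData is not a string")
	}
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return out, fmt.Errorf("UserData is not valid base64: %w", err)
	}
	err = gob.NewDecoder(bytes.NewReader(raw)).Decode(&out)
	return out, err
}

func main() {
	enc, _ := EncodeUserData(Session{UserID: 42, Roles: []string{"admin"}})
	dec, err := DecodeUserData(enc)
	fmt.Println(dec.UserID, dec.Roles, err)
}
```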

2016-10-23 BREAKING CHANGES

  • New() now receives a db object and a table prefix as parameters

osin-mysql's People

Contributors

abachmann, felipeweb, idexter, osavchenko, vgarvardt, wudi, wuleninja


osin-mysql's Issues

MySQL error in UpdateClient method

Hi,

First: thanks for your work!

I think I've found an error in the 'UpdateClient' method:

	if _, err := s.db.Exec(fmt.Sprintf("UPDATE %sclient SET (secret, redirect_uri, extra) = (?, ?, ?) WHERE id=?", s.tablePrefix), c.GetSecret(), c.GetRedirectUri(), data, c.GetId()); err != nil {

Shouldn't the UPDATE statement be like: "set secret = ?, redirect_uri = ?, extra = ?" ?

Thanks again.

SQL error

I always get SQL error like this:

ERROR: sql: Scan error on column index 6: unsupported Scan, storing driver.Value type []uint8 into type *time.Time

Fixed by changing the database url from:

url := "user:password@tcp(host:3306)/dbname"

to

url := "user:password@tcp(host:3306)/dbname?parseTime=true"

doesn't work vendor

Example output:

$ GOPATH=~/.go get github.com/felipeweb/osin-mysql
$ GOPATH=~/.go go run simple.go                                   
# command-line-arguments
./simple.go:33: cannot use store (type *"github.com/felipeweb/osin-mysql".Storage) as type "github.com/RangelReale/osin".Storage in argument to "github.com/RangelReale/osin".NewServer:
    *"github.com/felipeweb/osin-mysql".Storage does not implement "github.com/RangelReale/osin".Storage (wrong type for Clone method)
        have Clone() "github.com/felipeweb/osin-mysql/vendor/github.com/RangelReale/osin".Storage
        want Clone() "github.com/RangelReale/osin".Storage                               
$ rm -fr ~/.go/src/github.com/felipeweb/osin-mysql/vendor/github.com/RangelReale 
$ GOPATH=~/.go go run simple.go 

With autogenerated tables, tokens are not case sensitive

When I execute something like SELECT client, authorize, previous, access_token, refresh_token, expires_in, scope, redirect_uri, created_at, extra FROM access WHERE access_token="some-token" LIMIT 1 it ignores the token's letter case. In my project I change the column collation to utf8_bin. Is it a good solution, or do you know a better one?
BTW, when we decide how to solve it, I can create a PR to improve this.

password grant type

Does this work with the password grant type?
I don't see in the schema creation any place where it stores username and password

sql error

First of all, I'm very sorry, my English is poor.
In use I get this error:
“sql: Scan error on column index 6: unsupported Scan, storing driver.Value type []uint8 into type *time.Time auth_code_request=error loading authorize data”
How can I fix it?
