unboundsoftware/auth0mock
6
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases 14 Activity

Compare commits

base: unboundsoftware:0.4.0
Branches Tags
unboundsoftware:main unboundsoftware:next-release
unboundsoftware:0.7.2 unboundsoftware:0.7.1 unboundsoftware:0.7.0 unboundsoftware:0.6.0 unboundsoftware:0.5.1 unboundsoftware:0.5.0 unboundsoftware:0.4.0 unboundsoftware:0.3.0 unboundsoftware:0.2.0 unboundsoftware:0.1.5 unboundsoftware:0.1.4 unboundsoftware:0.1.3 unboundsoftware:0.1.2 unboundsoftware:0.1.1 unboundsoftware:0.1.0 unboundsoftware:0.0.17 unboundsoftware:0.0.16 unboundsoftware:0.0.15 unboundsoftware:0.0.14 unboundsoftware:0.0.13 unboundsoftware:0.0.12 unboundsoftware:0.0.11 unboundsoftware:0.0.10 unboundsoftware:0.0.9 unboundsoftware:0.0.8 unboundsoftware:0.0.7 unboundsoftware:0.0.6 unboundsoftware:0.0.5 unboundsoftware:0.0.4 unboundsoftware:0.0.3 unboundsoftware:0.0.2 unboundsoftware:0.0.1
..
compare: unboundsoftware:0.5.0
Branches Tags
unboundsoftware:next-release unboundsoftware:main
unboundsoftware:0.7.2 unboundsoftware:0.7.1 unboundsoftware:0.7.0 unboundsoftware:0.6.0 unboundsoftware:0.5.1 unboundsoftware:0.5.0 unboundsoftware:0.4.0 unboundsoftware:0.3.0 unboundsoftware:0.2.0 unboundsoftware:0.1.5 unboundsoftware:0.1.4 unboundsoftware:0.1.3 unboundsoftware:0.1.2 unboundsoftware:0.1.1 unboundsoftware:0.1.0 unboundsoftware:0.0.17 unboundsoftware:0.0.16 unboundsoftware:0.0.15 unboundsoftware:0.0.14 unboundsoftware:0.0.13 unboundsoftware:0.0.12 unboundsoftware:0.0.11 unboundsoftware:0.0.10 unboundsoftware:0.0.9 unboundsoftware:0.0.8 unboundsoftware:0.0.7 unboundsoftware:0.0.6 unboundsoftware:0.0.5 unboundsoftware:0.0.4 unboundsoftware:0.0.3 unboundsoftware:0.0.2 unboundsoftware:0.0.1

4 Commits
0.4.0 .. 0.5.0

Author SHA1 Message Date
argoyle 7dc063d57e Merge branch 'next-release' into 'main' 
chore(release): prepare for 0.5.0

See merge request unboundsoftware/auth0mock!219
 2025-12-29 16:54:06 +01:00
Unbound Release 0789e3e3fb chore(release): prepare for 0.5.0 2025-12-29 16:54:06 +01:00
argoyle 0e85cfff29 Merge branch 'migrate-auth0mock-node-go' into 'main' 
feat: migrate auth0mock from Node.js to Go

See merge request unboundsoftware/auth0mock!218
 2025-12-29 16:49:36 +01:00
argoyle 9992fb4ef1 feat: migrate auth0mock from Node.js to Go 
Refactor the application to a Go-based architecture for improved
performance and maintainability. Replace the Dockerfile to utilize a
multi-stage build process, enhancing image efficiency. Implement
comprehensive session store tests to ensure reliability and create
new OAuth handlers for managing authentication efficiently. Update 
documentation to reflect these structural changes.
 2025-12-29 16:30:37 +01:00
27 changed files with 1982 additions and 1992 deletions
Expand all files Collapse all files
.gitignore
+11 -1
View File
@@ -1,3 +1,13 @@
node_modules/
# IDE
.idea/
.vscode/
# Claude
.claude/
# Go
auth0mock
*.exe
*.test
*.out
coverage.txt
.nvmrc
-1
View File
@@ -1 +0,0 @@
24
.prettierignore
-2
View File
@@ -1,2 +0,0 @@
*.yaml
*.yml
.prettierrc
-9
View File
@@ -1,9 +0,0 @@
{
"semi": false,
"singleQuote": true,
"trailingComma": "none",
"arrowParens": "always",
"quoteProps": "as-needed",
"bracketSpacing": true,
"bracketSameLine": false
}
.version
+1 -1
View File
@@ -1 +1 @@
{"version":"0.4.0"}
{"version":"0.5.0"}
CHANGELOG.md
+5
View File
@@ -1,3 +1,8 @@
## [0.5.0] - 2025-12-29
### 🚀 Features
- Migrate auth0mock from Node.js to Go
## [0.4.0] - 2025-12-29
### 🚀 Features
CLAUDE.md
+63 -31
View File
@@ -4,64 +4,88 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
## Project Overview
auth0mock is a Node.js/Express application that simulates an Auth0 authentication server for local development. It provides OAuth 2.0 and OpenID Connect (OIDC) endpoints compatible with the Auth0 API, allowing developers to test authentication flows without connecting to the actual Auth0 service.
auth0mock is a Go application that simulates an Auth0 authentication server for local development. It provides OAuth 2.0 and OpenID Connect (OIDC) endpoints compatible with the Auth0 API, allowing developers to test authentication flows without connecting to the actual Auth0 service.
## Development Commands
```bash
# Install dependencies
yarn install
# Build the service
go build -o auth0mock ./cmd/service
# Start production server (port 3333)
yarn start
# Run the service
go run ./cmd/service
# Development with auto-reload (nodemon)
yarn dev
# Run tests
go test ./... -v
# Run tests with coverage
go test ./... -coverprofile=coverage.txt -covermode=atomic
# Format code
yarn lintfix
gofumpt -w .
goimports -w .
# Check formatting
yarn lint
# Run pre-commit hooks
pre-commit run --all-files
```
## Architecture
This is a single-file Express application (`app.js`) that implements:
```
auth0mock/
├── cmd/service/ # Entry point, HTTP server setup, configuration
├── auth/ # JWT/JWK generation and signing, PKCE verification
├── handlers/ # HTTP handlers for all endpoints
│ └── templates/ # Embedded HTML templates (login form)
├── store/ # In-memory session and user storage
├── public/ # Static files (favicon)
├── k8s/ # Kubernetes deployment manifests
└── Dockerfile # Multi-stage Go build
```
**Authentication Endpoints:**
**Key Packages:**
- `auth/jwt.go` - RSA key generation, JWT signing using lestrrat-go/jwx/v2
- `auth/pkce.go` - PKCE verification (S256 and plain methods)
- `store/sessions.go` - Thread-safe session storage with TTL and cleanup
- `store/users.go` - Thread-safe user storage with JSON file loading
- `handlers/oauth.go` - OAuth token exchange, authorization, code generation
- `handlers/discovery.go` - OIDC discovery and JWKS endpoints
- `handlers/management.go` - Auth0 Management API endpoints
- `POST /oauth/token` - Token exchange (OAuth 2.0 authorization code flow)
## HTTP Endpoints
**Authentication:**
- `POST /oauth/token` - Token exchange (authorization code and client_credentials)
- `GET /authorize` - Authorization endpoint with HTML login form
- `POST /code` - Code generation for PKCE flow
**Discovery Endpoints:**
**Discovery:**
- `GET /.well-known/openid-configuration` - OIDC discovery document
- `GET /.well-known/jwks.json` - JSON Web Key Set for token verification
**Management API (Auth0-compatible):**
- `GET /.well-known/jwks.json` - JSON Web Key Set
**Management API:**
- `GET /api/v2/users-by-email` - Get user by email
- `POST /api/v2/users` - Create user
- `PATCH /api/v2/users/:userid` - Update user
- `PATCH /api/v2/users/{userid}` - Update user
- `POST /api/v2/tickets/password-change` - Password change ticket
**Key Implementation Details:**
- RSA 2048-bit key pair generated at startup using `node-jose`
- In-memory session and user storage (not persistent)
- PKCE support with code challenge verification
- Custom claims for admin (`https://unbound.se/admin`) and email (`https://unbound.se/email`)
**Session:**
- `GET /userinfo` - User information
- `POST /tokeninfo` - Decode JWT token
- `GET /v2/logout` - Logout and session cleanup
## Environment Variables
| Variable | Default | Purpose |
| ------------ | -------------------------- | -------------------------------- |
| `ISSUER` | `localhost:3333` | JWT issuer claim |
| `AUDIENCE` | `https://generic-audience` | JWT audience claim |
| `USERS_FILE` | `./users.json` | Path to initial users JSON file |
| `DEBUG` | (unset) | Debug logging (`app*` to enable) |
| Variable | Default | Purpose |
|----------|---------|---------|
| `PORT` | `3333` | HTTP listen port |
| `ISSUER` | `localhost:3333` | JWT issuer (without https://) |
| `AUDIENCE` | `https://generic-audience` | JWT audience |
| `USERS_FILE` | `./users.json` | Path to initial users JSON file |
| `ADMIN_CUSTOM_CLAIM` | `https://unbound.se/admin` | Admin custom claim key |
| `EMAIL_CUSTOM_CLAIM` | `https://unbound.se/email` | Email custom claim key |
| `LOG_LEVEL` | `info` | Log level (debug, info, warn, error) |
| `LOG_FORMAT` | `text` | Log format (text, json) |
## Initial Users
@@ -78,6 +102,14 @@ Create a `users.json` file to seed users on startup:
}
```
## Key Implementation Details
- RSA 2048-bit key pair generated at startup using `lestrrat-go/jwx/v2`
- In-memory session storage with 5-minute TTL and automatic cleanup
- Proper PKCE verification (S256 method with SHA256 hash)
- Thread-safe stores using `sync.RWMutex`
- Graceful shutdown with signal handling
## Integration with Shiny
This service is used for local development and acceptance testing of the Shiny platform. The gateway and frontend services are configured to accept tokens signed by this mock server when running locally.
Dockerfile
+24 -10
View File
@@ -1,12 +1,26 @@
FROM amd64/node:24.12.0@sha256:e8bb5aafe1964147c8344b1ea7698218e3675340407a07a14c49901df97455f6
FROM golang:1.24 AS build
ARG GITLAB_USER
ARG GITLAB_TOKEN
WORKDIR /build
ENV CGO_ENABLED=0
ENV GOPRIVATE=gitlab.com/unboundsoftware/*
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN go build -ldflags="-s -w" -o /release/service ./cmd/service
FROM gcr.io/distroless/static-debian12
ENV TZ=Europe/Stockholm
ENV AUDIENCE="https://shiny.unbound.se"
ENV ORIGIN_HOST="auth0mock"
ENV ORIGIN="https://auth0mock:3333"
COPY --from=build /release/service /service
COPY public /public
EXPOSE 3333
WORKDIR /app
ADD package.json yarn.lock /app/
RUN yarn install --frozen-lockfile
ADD *.js /app/
ADD public /app/public
RUN mkdir -p /root/.config
ENTRYPOINT ["yarn", "start"]
ENTRYPOINT ["/service"]
app.js
-462
View File
@@ -1,462 +0,0 @@
process.env.DEBUG = 'app*'
const express = require('express')
const cookieParser = require('cookie-parser')
const app = express()
const jwt = require('jsonwebtoken')
const Debug = require('debug')
const path = require('path')
const cors = require('cors')
const bodyParser = require('body-parser')
const jose = require('node-jose')
const favicon = require('serve-favicon')
const initialUsers = require('./users')
const issuer = process.env.ISSUER || 'localhost:3333'
const jwksOrigin = `https://${issuer}/`
const audience = process.env.AUDIENCE || 'https://generic-audience'
const adminCustomClaim =
process.env.ADMIN_CUSTOM_CLAIM || 'https://unbound.se/admin'
const emailCustomClaim =
process.env.EMAIL_CUSTOM_CLAIM || 'https://unbound.se/email'
const debug = Debug('app')
const keyStore = jose.JWK.createKeyStore()
keyStore.generate('RSA', 2048, { alg: 'RS256', use: 'sig' })
// let { privateKey, certDer, thumbprint, exponent, modulus } = cert(jwksOrigin)
const users = initialUsers(process.env.USERS_FILE || './users.json')
const sessions = {}
const challenges = {}
// Session TTL in milliseconds (5 minutes)
const SESSION_TTL_MS = 5 * 60 * 1000
// Periodically clean up old sessions to prevent memory leaks
setInterval(() => {
const now = Date.now()
let cleaned = 0
for (const [key, session] of Object.entries(sessions)) {
if (session.createdAt && now - session.createdAt > SESSION_TTL_MS) {
delete sessions[key]
delete challenges[key]
cleaned++
}
}
if (cleaned > 0) {
debug(`Cleaned up ${cleaned} expired sessions`)
}
}, 60000) // Run every minute
const corsOpts = (req, cb) => {
cb(null, { origin: req.headers.origin })
}
const addCustomClaims = (email, customClaims, token) => {
const emailClaim = {}
emailClaim[emailCustomClaim] = email
return [...customClaims, emailClaim].reduce((acc, claim) => {
return {
...acc,
...claim
}
}, token)
}
const signToken = async (token) => {
const [key] = keyStore.all({ use: 'sig' })
const opt = { compact: true, jwk: key, fields: { typ: 'jwt' } }
return await jose.JWS.createSign(opt, key)
.update(JSON.stringify(token))
.final()
}
// Configure our small auth0-mock-server
app
.options('*all', cors(corsOpts))
.use(cors())
.use(bodyParser.json({ strict: false }))
.use(bodyParser.urlencoded({ extended: true }))
.use(cookieParser())
.use(express.static(`${__dirname}/public`))
.use(favicon(path.join(__dirname, 'public', 'favicon.ico')))
// This route can be used to generate a valid jwt-token.
app.post('/oauth/token', async (req, res) => {
const date = Math.floor(Date.now() / 1000)
if (req.body.grant_type === 'client_credentials' && req.body.client_id) {
const accessToken = await signToken({
iss: jwksOrigin,
aud: [audience],
sub: 'auth0|management',
iat: date,
exp: date + 7200,
azp: req.body.client_id
})
const idToken = await signToken({
iss: jwksOrigin,
aud: req.body.client_id,
sub: 'auth0|management',
iat: date,
exp: date + 7200,
azp: req.body.client_id,
name: 'Management API'
})
debug('Signed token for management API')
res.json({
access_token: accessToken,
id_token: idToken,
scope: 'openid%20profile%20email',
expires_in: 7200,
token_type: 'Bearer'
})
} else if (req.body.code) {
const code = req.body.code
const session = sessions[code]
const accessToken = await signToken(
addCustomClaims(session.email, session.customClaims, {
iss: jwksOrigin,
aud: [audience],
sub: 'auth0|' + session.email,
iat: date,
exp: date + 7200,
azp: session.clientId
})
)
const idToken = await signToken(
addCustomClaims(session.email, session.customClaims, {
iss: jwksOrigin,
aud: session.clientId,
nonce: session.nonce,
sub: 'auth0|' + session.email,
iat: date,
exp: date + 7200,
azp: session.clientId,
name: 'Example Person',
given_name: 'Example',
family_name: 'Person',
email: session.email,
picture:
'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
})
)
debug('Signed token for ' + session.email)
// Clean up session and challenge after successful token exchange
delete sessions[code]
delete challenges[code]
res.json({
access_token: accessToken,
id_token: idToken,
scope: 'openid%20profile%20email',
expires_in: 7200,
token_type: 'Bearer'
})
} else {
res.status(401)
res.send('Missing client_id or client_secret')
}
})
app.post('/code', (req, res) => {
if (!req.body.email || !req.body.password || !req.body.codeChallenge) {
debug('Body is invalid!', req.body)
return res.status(400).send('Email or password is missing!')
}
const code = req.body.codeChallenge
challenges[req.body.codeChallenge] = code
const state = req.body.state
const claim = {}
claim[adminCustomClaim] = req.body.admin === 'true'
sessions[code] = {
email: req.body.email,
password: req.body.password,
state: req.body.state,
nonce: req.body.nonce,
clientId: req.body.clientId,
codeChallenge: req.body.codeChallenge,
customClaims: [claim],
createdAt: Date.now()
}
res.redirect(
`${req.body.redirect}?code=${code}&state=${encodeURIComponent(state)}`
)
})
app.get('/authorize', (req, res) => {
const redirect = req.query.redirect_uri
const state = req.query.state
const nonce = req.query.nonce
const clientId = req.query.client_id
const codeChallenge = req.query.code_challenge
const prompt = req.query.prompt
const responseMode = req.query.response_mode
if (responseMode === 'query') {
const code = req.cookies['auth0']
const session = sessions[code]
if (session) {
session.nonce = nonce
session.state = state
session.codeChallenge = codeChallenge
session.createdAt = Date.now() // Refresh timestamp
sessions[codeChallenge] = session
// Clean up old session entry if different key
if (code !== codeChallenge) {
delete sessions[code]
delete challenges[code]
}
res.redirect(`${redirect}?code=${codeChallenge}&state=${state}`)
return
}
}
if (prompt === 'none' && responseMode === 'web_message') {
const code = req.cookies['auth0']
const session = sessions[code]
if (session) {
session.nonce = nonce
session.state = state
session.codeChallenge = codeChallenge
session.createdAt = Date.now() // Refresh timestamp
res.send(`
<!DOCTYPE html>
<html>
<body>
<script type="text/javascript">
(() => {
const msg = {
type: 'authorization_response',
response: {
code: '${code}',
state: '${state}'
}
}
parent.postMessage(msg, "*")
})()
</script>
</body>
</html>`)
return
}
}
res.cookie('auth0', codeChallenge, {
sameSite: 'None',
secure: true,
httpOnly: true
})
res.send(`
<html lang='en'>
<head>
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'>
<title>Auth</title>
<link rel='stylesheet' href='https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css' integrity='sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh' crossorigin='anonymous'>
</head>
<body>
<div class='container'>
<form method='post' action='/code'>
<div class='card' style='width: 18rem;'>
<div class='card-body'>
<h5 class='card-title'>Login</h5>
<div class='form-group'>
<label for='email'>Email</label>
<input type='text' name='email' id='email' class='form-control'>
</div>
<div class='form-group'>
<label for='password'>Password</label>
<input type='password' name='password' id='password' class='form-control'>
</div>
<div class='form-check'>
<input class='form-check-input' type='checkbox' name='admin' value='true' id='admin'>
<label class='form-check-label' for='admin'>
Admin
</label>
</div>
<button type='submit' class='btn btn-primary'>Login</button>
<input type='hidden' value='${redirect}' name='redirect'>
<input type='hidden' value='${state}' name='state'>
<input type='hidden' value='${nonce}' name='nonce'>
<input type='hidden' value='${clientId}' name='clientId'>
<input type='hidden' value='${codeChallenge}' name='codeChallenge'>
</div>
</div>
</form>
</div>
</body>
</html>
`)
})
app.get('/userinfo', (req, res) => {
res.contentType('application/json').send(
JSON.stringify({
picture:
'https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg'
})
)
})
app.get('/v2/logout', (req, res) => {
const code = req.cookies['auth0']
const session = sessions[code]
if (session) {
delete sessions[code]
}
res.redirect(req.query.returnTo)
})
app.get('/.well-known/openid-configuration', (req, res) => {
debug('Fetching OpenID configuration')
res.contentType('application/json').send(
JSON.stringify({
issuer: `${jwksOrigin}`,
authorization_endpoint: `${jwksOrigin}authorize`,
token_endpoint: `${jwksOrigin}oauth/token`,
token_endpoint_auth_methods_supported: [
'client_secret_basic',
'private_key_jwt'
],
token_endpoint_auth_signing_alg_values_supported: ['RS256'],
userinfo_endpoint: `${jwksOrigin}userinfo`,
check_session_iframe: `${jwksOrigin}check_session`,
end_session_endpoint: `${jwksOrigin}end_session`,
jwks_uri: `${jwksOrigin}.well-known/jwks.json`,
registration_endpoint: `${jwksOrigin}register`,
scopes_supported: [
'openid',
'profile',
'email',
'address',
'phone',
'offline_access'
],
response_types_supported: [
'code',
'code id_token',
'id_token',
'id_token token'
],
acr_values_supported: [],
subject_types_supported: ['public', 'pairwise'],
userinfo_signing_alg_values_supported: ['RS256', 'ES256', 'HS256'],
userinfo_encryption_alg_values_supported: ['RSA-OAEP-256', 'A128KW'],
userinfo_encryption_enc_values_supported: ['A128CBC-HS256', 'A128GCM'],
id_token_signing_alg_values_supported: ['RS256', 'ES256', 'HS256'],
id_token_encryption_alg_values_supported: ['RSA-OAEP-256', 'A128KW'],
id_token_encryption_enc_values_supported: ['A128CBC-HS256', 'A128GCM'],
request_object_signing_alg_values_supported: ['none', 'RS256', 'ES256'],
display_values_supported: ['page', 'popup'],
claim_types_supported: ['normal', 'distributed'],
claims_supported: [
'sub',
'iss',
'auth_time',
'acr',
'name',
'given_name',
'family_name',
'nickname',
'profile',
'picture',
'website',
'email',
'email_verified',
'locale',
'zoneinfo',
'https://unbound.se/email',
'https://unbound.se/admin'
],
claims_parameter_supported: true,
service_documentation: 'http://auth0/',
ui_locales_supported: ['en-US']
})
)
})
app.get('/.well-known/jwks.json', (req, res) => {
debug('Fetching JWKS')
res.contentType('application/json').send(keyStore.toJSON())
})
// This route returns the inside of a jwt-token. Your main application
// should use this route to keep the auth0-flow
app.post('/tokeninfo', (req, res) => {
if (!req.body.id_token) {
debug('No token given in the body!')
return res.status(401).send('missing id_token')
}
const data = jwt.decode(req.body.id_token)
if (data) {
debug('Return token data from ' + data.user_id)
res.json(data)
} else {
debug('The token was invalid and could not be decoded!')
res.status(401).send('invalid id_token')
}
})
app.get('/api/v2/users-by-email', (req, res) => {
const email = req.query.email
console.log('users', users)
const user = users[email]
if (user === undefined) {
res.json([])
} else {
res.json([user])
}
})
app.patch('/api/v2/users/:userid', (req, res) => {
const email = req.params.userid.slice(6)
console.log('patching user with id', email)
const user = users[email]
if (!user) {
res.sendStatus(404)
return
}
users[email] = {
email: email,
given_name: req.body.given_name || user.given_name,
family_name: req.body.family_name || user.family_name,
user_id: email,
picture: req.body.picture || user.picture
}
res.json({
user_id: `auth0|${email}`
})
})
app.post('/api/v2/users', (req, res) => {
const email = req.body.email
users[email] = {
email: email,
given_name: 'Given',
family_name: 'Last',
user_id: email
}
res.json({
user_id: `auth0|${email}`
})
})
app.post('/api/v2/tickets/password-change', (req, res) => {
res.json({
ticket: `https://some-url`
})
})
app.use(function (req, res, next) {
console.log('404', req.path)
res.status(404).send('error: 404 Not Found ' + req.path)
})
app.listen(3333, () => {
debug('Auth0-Mock-Server listening on port 3333!')
})
auth/jwt.go
+212
View File
@@ -0,0 +1,212 @@
package auth
import (
"crypto/rand"
"crypto/rsa"
"encoding/json"
"fmt"
"time"
"github.com/google/uuid"
"github.com/lestrrat-go/jwx/v2/jwa"
"github.com/lestrrat-go/jwx/v2/jwk"
"github.com/lestrrat-go/jwx/v2/jws"
"github.com/lestrrat-go/jwx/v2/jwt"
)
const (
// TokenExpiry is the default token expiration time
TokenExpiry = 2 * time.Hour
)
// JWTService handles JWT signing and JWKS generation
type JWTService struct {
privateKey *rsa.PrivateKey
jwkSet jwk.Set
issuer string
audience string
adminClaim string
emailClaim string
}
// NewJWTService creates a new JWT service with a generated RSA key pair
func NewJWTService(issuer, audience, adminClaim, emailClaim string) (*JWTService, error) {
// Generate RSA 2048-bit key pair
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return nil, fmt.Errorf("generate RSA key: %w", err)
}
// Create JWK from private key
key, err := jwk.FromRaw(privateKey)
if err != nil {
return nil, fmt.Errorf("create JWK from private key: %w", err)
}
// Set key metadata
keyID := uuid.New().String()
if err := key.Set(jwk.KeyIDKey, keyID); err != nil {
return nil, fmt.Errorf("set key ID: %w", err)
}
if err := key.Set(jwk.AlgorithmKey, jwa.RS256); err != nil {
return nil, fmt.Errorf("set algorithm: %w", err)
}
if err := key.Set(jwk.KeyUsageKey, "sig"); err != nil {
return nil, fmt.Errorf("set key usage: %w", err)
}
// Create public key for JWKS
publicKey, err := key.PublicKey()
if err != nil {
return nil, fmt.Errorf("get public key: %w", err)
}
// Create JWKS with public key
jwkSet := jwk.NewSet()
if err := jwkSet.AddKey(publicKey); err != nil {
return nil, fmt.Errorf("add key to set: %w", err)
}
return &JWTService{
privateKey: privateKey,
jwkSet: jwkSet,
issuer: issuer,
audience: audience,
adminClaim: adminClaim,
emailClaim: emailClaim,
}, nil
}
// SignToken creates a signed JWT with the given claims
func (s *JWTService) SignToken(claims map[string]interface{}) (string, error) {
// Build JWT token
builder := jwt.NewBuilder()
now := time.Now()
builder.Issuer(s.issuer)
builder.IssuedAt(now)
builder.Expiration(now.Add(TokenExpiry))
// Add all claims
for key, value := range claims {
builder.Claim(key, value)
}
token, err := builder.Build()
if err != nil {
return "", fmt.Errorf("build token: %w", err)
}
// Create JWK from private key for signing
key, err := jwk.FromRaw(s.privateKey)
if err != nil {
return "", fmt.Errorf("create signing key: %w", err)
}
// Get key ID from JWKS
pubKey, _ := s.jwkSet.Key(0)
keyID := pubKey.KeyID()
if err := key.Set(jwk.KeyIDKey, keyID); err != nil {
return "", fmt.Errorf("set key ID: %w", err)
}
// Sign the token
signed, err := jwt.Sign(token, jwt.WithKey(jwa.RS256, key))
if err != nil {
return "", fmt.Errorf("sign token: %w", err)
}
return string(signed), nil
}
// SignAccessToken creates an access token for the given subject
func (s *JWTService) SignAccessToken(subject, clientID, email string, customClaims []map[string]interface{}) (string, error) {
claims := map[string]interface{}{
"sub": subject,
"aud": []string{s.audience},
"azp": clientID,
}
// Add custom claims
for _, cc := range customClaims {
for k, v := range cc {
claims[k] = v
}
}
// Add email claim
claims[s.emailClaim] = email
return s.SignToken(claims)
}
// SignIDToken creates an ID token for the given subject
func (s *JWTService) SignIDToken(subject, clientID, nonce, email, name, givenName, familyName, picture string, customClaims []map[string]interface{}) (string, error) {
claims := map[string]interface{}{
"sub": subject,
"aud": clientID,
"azp": clientID,
"name": name,
"given_name": givenName,
"family_name": familyName,
"email": email,
"picture": picture,
}
if nonce != "" {
claims["nonce"] = nonce
}
// Add custom claims
for _, cc := range customClaims {
for k, v := range cc {
claims[k] = v
}
}
// Add email claim
claims[s.emailClaim] = email
return s.SignToken(claims)
}
// GetJWKS returns the JSON Web Key Set as JSON bytes
func (s *JWTService) GetJWKS() ([]byte, error) {
return json.Marshal(s.jwkSet)
}
// DecodeToken decodes a JWT without verifying the signature
func (s *JWTService) DecodeToken(tokenString string) (map[string]interface{}, error) {
// Parse without verification
msg, err := jws.Parse([]byte(tokenString))
if err != nil {
return nil, fmt.Errorf("parse token: %w", err)
}
var claims map[string]interface{}
if err := json.Unmarshal(msg.Payload(), &claims); err != nil {
return nil, fmt.Errorf("unmarshal claims: %w", err)
}
return claims, nil
}
// Issuer returns the issuer URL
func (s *JWTService) Issuer() string {
return s.issuer
}
// Audience returns the audience
func (s *JWTService) Audience() string {
return s.audience
}
// AdminClaim returns the admin custom claim key
func (s *JWTService) AdminClaim() string {
return s.adminClaim
}
// EmailClaim returns the email custom claim key
func (s *JWTService) EmailClaim() string {
return s.emailClaim
}
auth/jwt_test.go
+151
View File
@@ -0,0 +1,151 @@
package auth
import (
"encoding/json"
"testing"
)
func TestNewJWTService(t *testing.T) {
service, err := NewJWTService("https://test.example.com/", "https://audience", "https://admin", "https://email")
if err != nil {
t.Fatalf("failed to create JWT service: %v", err)
}
if service.Issuer() != "https://test.example.com/" {
t.Errorf("expected issuer https://test.example.com/, got %s", service.Issuer())
}
if service.Audience() != "https://audience" {
t.Errorf("expected audience https://audience, got %s", service.Audience())
}
}
func TestSignToken(t *testing.T) {
service, err := NewJWTService("https://test.example.com/", "https://audience", "https://admin", "https://email")
if err != nil {
t.Fatalf("failed to create JWT service: %v", err)
}
claims := map[string]interface{}{
"sub": "test-subject",
"aud": "test-audience",
}
token, err := service.SignToken(claims)
if err != nil {
t.Fatalf("failed to sign token: %v", err)
}
if token == "" {
t.Error("expected non-empty token")
}
// Verify token can be decoded
decoded, err := service.DecodeToken(token)
if err != nil {
t.Fatalf("failed to decode token: %v", err)
}
if decoded["sub"] != "test-subject" {
t.Errorf("expected sub=test-subject, got %v", decoded["sub"])
}
}
func TestSignAccessToken(t *testing.T) {
service, err := NewJWTService("https://test.example.com/", "https://audience", "https://admin", "https://email")
if err != nil {
t.Fatalf("failed to create JWT service: %v", err)
}
customClaims := []map[string]interface{}{
{"https://admin": true},
}
token, err := service.SignAccessToken("auth0|user@example.com", "client-id", "user@example.com", customClaims)
if err != nil {
t.Fatalf("failed to sign access token: %v", err)
}
decoded, err := service.DecodeToken(token)
if err != nil {
t.Fatalf("failed to decode token: %v", err)
}
if decoded["sub"] != "auth0|user@example.com" {
t.Errorf("expected sub=auth0|user@example.com, got %v", decoded["sub"])
}
if decoded["https://email"] != "user@example.com" {
t.Errorf("expected email claim, got %v", decoded["https://email"])
}
}
func TestSignIDToken(t *testing.T) {
service, err := NewJWTService("https://test.example.com/", "https://audience", "https://admin", "https://email")
if err != nil {
t.Fatalf("failed to create JWT service: %v", err)
}
token, err := service.SignIDToken(
"auth0|user@example.com",
"client-id",
"test-nonce",
"user@example.com",
"Test User",
"Test",
"User",
"https://example.com/picture.jpg",
nil,
)
if err != nil {
t.Fatalf("failed to sign ID token: %v", err)
}
decoded, err := service.DecodeToken(token)
if err != nil {
t.Fatalf("failed to decode token: %v", err)
}
if decoded["name"] != "Test User" {
t.Errorf("expected name=Test User, got %v", decoded["name"])
}
if decoded["nonce"] != "test-nonce" {
t.Errorf("expected nonce=test-nonce, got %v", decoded["nonce"])
}
}
func TestGetJWKS(t *testing.T) {
service, err := NewJWTService("https://test.example.com/", "https://audience", "https://admin", "https://email")
if err != nil {
t.Fatalf("failed to create JWT service: %v", err)
}
jwks, err := service.GetJWKS()
if err != nil {
t.Fatalf("failed to get JWKS: %v", err)
}
var result map[string]interface{}
if err := json.Unmarshal(jwks, &result); err != nil {
t.Fatalf("failed to parse JWKS: %v", err)
}
keys, ok := result["keys"].([]interface{})
if !ok {
t.Fatal("expected keys array in JWKS")
}
if len(keys) != 1 {
t.Errorf("expected 1 key, got %d", len(keys))
}
key := keys[0].(map[string]interface{})
if key["kty"] != "RSA" {
t.Errorf("expected kty=RSA, got %v", key["kty"])
}
if key["use"] != "sig" {
t.Errorf("expected use=sig, got %v", key["use"])
}
}
auth/pkce.go
+49
View File
@@ -0,0 +1,49 @@
package auth
import (
"crypto/sha256"
"encoding/base64"
"strings"
)
// PKCEMethod represents the code challenge method
type PKCEMethod string
const (
// PKCEMethodPlain uses the verifier directly as the challenge
PKCEMethodPlain PKCEMethod = "plain"
// PKCEMethodS256 uses SHA256 hash of the verifier
PKCEMethodS256 PKCEMethod = "S256"
)
// VerifyPKCE verifies that the code verifier matches the code challenge
func VerifyPKCE(verifier, challenge string, method PKCEMethod) bool {
if verifier == "" || challenge == "" {
return false
}
switch method {
case PKCEMethodPlain, "":
// Plain method or no method specified - direct comparison
return verifier == challenge
case PKCEMethodS256:
// S256 method - SHA256 hash, base64url encoded
computed := ComputeS256Challenge(verifier)
return computed == challenge
default:
return false
}
}
// ComputeS256Challenge computes the S256 code challenge from a verifier
func ComputeS256Challenge(verifier string) string {
hash := sha256.Sum256([]byte(verifier))
return base64URLEncode(hash[:])
}
// base64URLEncode encodes bytes to base64url without padding
func base64URLEncode(data []byte) string {
encoded := base64.URLEncoding.EncodeToString(data)
// Remove padding
return strings.TrimRight(encoded, "=")
}
auth/pkce_test.go
+74
View File
@@ -0,0 +1,74 @@
package auth
import (
"testing"
)
func TestVerifyPKCE_Plain(t *testing.T) {
verifier := "test-verifier-12345"
challenge := "test-verifier-12345"
if !VerifyPKCE(verifier, challenge, PKCEMethodPlain) {
t.Error("expected plain PKCE verification to succeed")
}
if VerifyPKCE("wrong-verifier", challenge, PKCEMethodPlain) {
t.Error("expected plain PKCE verification to fail with wrong verifier")
}
}
func TestVerifyPKCE_S256(t *testing.T) {
// Test vector from RFC 7636
verifier := "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
challenge := ComputeS256Challenge(verifier)
if !VerifyPKCE(verifier, challenge, PKCEMethodS256) {
t.Error("expected S256 PKCE verification to succeed")
}
if VerifyPKCE("wrong-verifier", challenge, PKCEMethodS256) {
t.Error("expected S256 PKCE verification to fail with wrong verifier")
}
}
func TestVerifyPKCE_EmptyValues(t *testing.T) {
if VerifyPKCE("", "challenge", PKCEMethodS256) {
t.Error("expected PKCE verification to fail with empty verifier")
}
if VerifyPKCE("verifier", "", PKCEMethodS256) {
t.Error("expected PKCE verification to fail with empty challenge")
}
}
func TestVerifyPKCE_DefaultMethod(t *testing.T) {
verifier := "test-verifier"
challenge := "test-verifier"
// Empty method should default to plain
if !VerifyPKCE(verifier, challenge, "") {
t.Error("expected PKCE verification with empty method to use plain")
}
}
func TestComputeS256Challenge(t *testing.T) {
// Known test case
verifier := "abc123"
challenge := ComputeS256Challenge(verifier)
// Challenge should be base64url encoded without padding
if challenge == "" {
t.Error("expected non-empty challenge")
}
// Should not contain padding
if len(challenge) > 0 && challenge[len(challenge)-1] == '=' {
t.Error("challenge should not have padding")
}
// Same verifier should produce same challenge
challenge2 := ComputeS256Challenge(verifier)
if challenge != challenge2 {
t.Error("same verifier should produce same challenge")
}
}
cmd/service/service.go
+194
View File
@@ -0,0 +1,194 @@
package main
import (
"context"
"errors"
"fmt"
"log/slog"
"net/http"
"os"
"os/signal"
"sync"
"syscall"
"time"
"github.com/alecthomas/kong"
"github.com/rs/cors"
"gitlab.com/unboundsoftware/auth0mock/auth"
"gitlab.com/unboundsoftware/auth0mock/handlers"
"gitlab.com/unboundsoftware/auth0mock/store"
)
var (
buildVersion = "dev"
serviceName = "auth0mock"
)
// CLI defines the command-line interface
type CLI struct {
Port int `name:"port" env:"PORT" help:"Listen port" default:"3333"`
Issuer string `name:"issuer" env:"ISSUER" help:"JWT issuer (without https://)" default:"localhost:3333"`
Audience string `name:"audience" env:"AUDIENCE" help:"JWT audience" default:"https://generic-audience"`
UsersFile string `name:"users-file" env:"USERS_FILE" help:"Path to initial users JSON file" default:"./users.json"`
AdminClaim string `name:"admin-claim" env:"ADMIN_CUSTOM_CLAIM" help:"Admin custom claim key" default:"https://unbound.se/admin"`
EmailClaim string `name:"email-claim" env:"EMAIL_CUSTOM_CLAIM" help:"Email custom claim key" default:"https://unbound.se/email"`
LogLevel string `name:"log-level" env:"LOG_LEVEL" help:"Log level" default:"info" enum:"debug,info,warn,error"`
LogFormat string `name:"log-format" env:"LOG_FORMAT" help:"Log format" default:"text" enum:"json,text"`
}
func main() {
var cli CLI
_ = kong.Parse(&cli)
// Setup logger
logger := setupLogger(cli.LogLevel, cli.LogFormat)
logger.Info("starting auth0mock",
"version", buildVersion,
"port", cli.Port,
"issuer", cli.Issuer,
)
// Initialize stores
userStore := store.NewUserStore()
if err := userStore.LoadFromFile(cli.UsersFile); err != nil {
logger.Warn("failed to load users file", "path", cli.UsersFile, "error", err)
}
sessionStore := store.NewSessionStore(logger)
// Initialize JWT service
issuerURL := fmt.Sprintf("https://%s/", cli.Issuer)
jwtService, err := auth.NewJWTService(issuerURL, cli.Audience, cli.AdminClaim, cli.EmailClaim)
if err != nil {
logger.Error("failed to create JWT service", "error", err)
os.Exit(1)
}
// Initialize handlers
discoveryHandler := handlers.NewDiscoveryHandler(jwtService)
oauthHandler, err := handlers.NewOAuthHandler(jwtService, sessionStore, logger)
if err != nil {
logger.Error("failed to create OAuth handler", "error", err)
os.Exit(1)
}
managementHandler := handlers.NewManagementHandler(userStore, logger)
sessionHandler := handlers.NewSessionHandler(jwtService, sessionStore, logger)
// Setup routes
mux := http.NewServeMux()
// CORS middleware
corsHandler := cors.New(cors.Options{
AllowedOrigins: []string{"*"},
AllowedMethods: []string{"GET", "POST", "PATCH", "OPTIONS"},
AllowedHeaders: []string{"*"},
AllowCredentials: true,
})
// Discovery endpoints
mux.HandleFunc("GET /.well-known/openid-configuration", discoveryHandler.OpenIDConfiguration)
mux.HandleFunc("GET /.well-known/jwks.json", discoveryHandler.JWKS)
// OAuth endpoints
mux.HandleFunc("POST /oauth/token", oauthHandler.Token)
mux.HandleFunc("GET /authorize", oauthHandler.Authorize)
mux.HandleFunc("POST /code", oauthHandler.Code)
// Session endpoints
mux.HandleFunc("GET /userinfo", sessionHandler.UserInfo)
mux.HandleFunc("POST /tokeninfo", sessionHandler.TokenInfo)
mux.HandleFunc("GET /v2/logout", sessionHandler.Logout)
// Management API endpoints
mux.HandleFunc("GET /api/v2/users-by-email", managementHandler.GetUsersByEmail)
mux.HandleFunc("POST /api/v2/users", managementHandler.CreateUser)
mux.HandleFunc("PATCH /api/v2/users/", managementHandler.UpdateUser)
mux.HandleFunc("POST /api/v2/tickets/password-change", managementHandler.PasswordChangeTicket)
// Health check
mux.HandleFunc("GET /health", func(w http.ResponseWriter, r *http.Request) {
w.Write([]byte("OK"))
})
// Static files
mux.Handle("GET /favicon.ico", http.FileServer(http.Dir("public")))
// Create HTTP server
httpSrv := &http.Server{
Addr: fmt.Sprintf(":%d", cli.Port),
Handler: corsHandler.Handler(mux),
}
// Start session cleanup
rootCtx, rootCancel := context.WithCancel(context.Background())
sessionStore.StartCleanup(rootCtx)
// Graceful shutdown
wg := sync.WaitGroup{}
sigint := make(chan os.Signal, 1)
signal.Notify(sigint, os.Interrupt, syscall.SIGTERM)
// Signal handler goroutine
wg.Add(1)
go func() {
defer wg.Done()
sig := <-sigint
if sig != nil {
signal.Reset(os.Interrupt, syscall.SIGTERM)
logger.Info("received shutdown signal")
rootCancel()
}
}()
// Shutdown handler goroutine
wg.Add(1)
go func() {
defer wg.Done()
<-rootCtx.Done()
shutdownCtx, shutdownRelease := context.WithTimeout(context.Background(), 10*time.Second)
defer shutdownRelease()
if err := httpSrv.Shutdown(shutdownCtx); err != nil {
logger.Error("failed to shutdown HTTP server", "error", err)
}
close(sigint)
}()
// HTTP server goroutine
wg.Add(1)
go func() {
defer wg.Done()
defer rootCancel()
logger.Info("listening", "port", cli.Port)
if err := httpSrv.ListenAndServe(); !errors.Is(err, http.ErrServerClosed) {
logger.Error("HTTP server error", "error", err)
}
}()
wg.Wait()
logger.Info("shutdown complete")
}
func setupLogger(level, format string) *slog.Logger {
var leveler slog.LevelVar
if err := leveler.UnmarshalText([]byte(level)); err != nil {
leveler.Set(slog.LevelInfo)
}
handlerOpts := &slog.HandlerOptions{
Level: leveler.Level(),
}
var handler slog.Handler
switch format {
case "json":
handler = slog.NewJSONHandler(os.Stdout, handlerOpts)
default:
handler = slog.NewTextHandler(os.Stdout, handlerOpts)
}
return slog.New(handler).With("service", serviceName, "version", buildVersion)
}
go.mod
+23
View File
@@ -0,0 +1,23 @@
module gitlab.com/unboundsoftware/auth0mock
go 1.24
require (
github.com/alecthomas/kong v1.13.0
github.com/google/uuid v1.6.0
github.com/lestrrat-go/jwx/v2 v2.1.6
github.com/rs/cors v1.11.1
)
require (
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
github.com/goccy/go-json v0.10.3 // indirect
github.com/lestrrat-go/blackmagic v1.0.3 // indirect
github.com/lestrrat-go/httpcc v1.0.1 // indirect
github.com/lestrrat-go/httprc v1.0.6 // indirect
github.com/lestrrat-go/iter v1.0.2 // indirect
github.com/lestrrat-go/option v1.0.1 // indirect
github.com/segmentio/asm v1.2.0 // indirect
golang.org/x/crypto v0.32.0 // indirect
golang.org/x/sys v0.31.0 // indirect
)
go.sum
+48
View File
@@ -0,0 +1,48 @@
github.com/alecthomas/assert/v2 v2.11.0 h1:2Q9r3ki8+JYXvGsDyBXwH3LcJ+WK5D0gc5E8vS6K3D0=
github.com/alecthomas/assert/v2 v2.11.0/go.mod h1:Bze95FyfUr7x34QZrjL+XP+0qgp/zg8yS+TtBj1WA3k=
github.com/alecthomas/kong v1.13.0 h1:5e/7XC3ugvhP1DQBmTS+WuHtCbcv44hsohMgcvVxSrA=
github.com/alecthomas/kong v1.13.0/go.mod h1:wrlbXem1CWqUV5Vbmss5ISYhsVPkBb1Yo7YKJghju2I=
github.com/alecthomas/repr v0.5.2 h1:SU73FTI9D1P5UNtvseffFSGmdNci/O6RsqzeXJtP0Qs=
github.com/alecthomas/repr v0.5.2/go.mod h1:Fr0507jx4eOXV7AlPV6AVZLYrLIuIeSOWtW57eE/O/4=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvwDRwnI3hwNaAHRnc=
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/hexops/gotextdiff v1.0.3 h1:gitA9+qJrrTCsiCl7+kh75nPqQt1cx4ZkudSTLoUqJM=
github.com/hexops/gotextdiff v1.0.3/go.mod h1:pSWU5MAI3yDq+fZBTazCSJysOMbxWL1BSow5/V2vxeg=
github.com/lestrrat-go/blackmagic v1.0.3 h1:94HXkVLxkZO9vJI/w2u1T0DAoprShFd13xtnSINtDWs=
github.com/lestrrat-go/blackmagic v1.0.3/go.mod h1:6AWFyKNNj0zEXQYfTMPfZrAXUWUfTIZ5ECEUEJaijtw=
github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
github.com/lestrrat-go/httprc v1.0.6 h1:qgmgIRhpvBqexMJjA/PmwSvhNk679oqD1RbovdCGW8k=
github.com/lestrrat-go/httprc v1.0.6/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
github.com/lestrrat-go/jwx/v2 v2.1.6 h1:hxM1gfDILk/l5ylers6BX/Eq1m/pnxe9NBwW6lVfecA=
github.com/lestrrat-go/jwx/v2 v2.1.6/go.mod h1:Y722kU5r/8mV7fYDifjug0r8FK8mZdw0K0GpJw/l8pU=
github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
handlers/discovery.go
+77
View File
@@ -0,0 +1,77 @@
package handlers
import (
"encoding/json"
"net/http"
"gitlab.com/unboundsoftware/auth0mock/auth"
)
// DiscoveryHandler handles OIDC discovery endpoints
type DiscoveryHandler struct {
jwtService *auth.JWTService
}
// NewDiscoveryHandler creates a new discovery handler
func NewDiscoveryHandler(jwtService *auth.JWTService) *DiscoveryHandler {
return &DiscoveryHandler{
jwtService: jwtService,
}
}
// OpenIDConfiguration returns the OIDC discovery document
func (h *DiscoveryHandler) OpenIDConfiguration(w http.ResponseWriter, r *http.Request) {
issuer := h.jwtService.Issuer()
config := map[string]interface{}{
"issuer": issuer,
"authorization_endpoint": issuer + "authorize",
"token_endpoint": issuer + "oauth/token",
"token_endpoint_auth_methods_supported": []string{"client_secret_basic", "private_key_jwt"},
"token_endpoint_auth_signing_alg_values_supported": []string{"RS256"},
"userinfo_endpoint": issuer + "userinfo",
"check_session_iframe": issuer + "check_session",
"end_session_endpoint": issuer + "end_session",
"jwks_uri": issuer + ".well-known/jwks.json",
"registration_endpoint": issuer + "register",
"scopes_supported": []string{"openid", "profile", "email", "address", "phone", "offline_access"},
"response_types_supported": []string{"code", "code id_token", "id_token", "id_token token"},
"acr_values_supported": []string{},
"subject_types_supported": []string{"public", "pairwise"},
"userinfo_signing_alg_values_supported": []string{"RS256", "ES256", "HS256"},
"userinfo_encryption_alg_values_supported": []string{"RSA-OAEP-256", "A128KW"},
"userinfo_encryption_enc_values_supported": []string{"A128CBC-HS256", "A128GCM"},
"id_token_signing_alg_values_supported": []string{"RS256", "ES256", "HS256"},
"id_token_encryption_alg_values_supported": []string{"RSA-OAEP-256", "A128KW"},
"id_token_encryption_enc_values_supported": []string{"A128CBC-HS256", "A128GCM"},
"request_object_signing_alg_values_supported": []string{"none", "RS256", "ES256"},
"display_values_supported": []string{"page", "popup"},
"claim_types_supported": []string{"normal", "distributed"},
"claims_supported": []string{
"sub", "iss", "auth_time", "acr",
"name", "given_name", "family_name", "nickname",
"profile", "picture", "website",
"email", "email_verified", "locale", "zoneinfo",
h.jwtService.EmailClaim(), h.jwtService.AdminClaim(),
},
"claims_parameter_supported": true,
"service_documentation": "http://auth0/",
"ui_locales_supported": []string{"en-US"},
"code_challenge_methods_supported": []string{"plain", "S256"},
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(config)
}
// JWKS returns the JSON Web Key Set
func (h *DiscoveryHandler) JWKS(w http.ResponseWriter, r *http.Request) {
jwks, err := h.jwtService.GetJWKS()
if err != nil {
http.Error(w, "Failed to get JWKS", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json")
w.Write(jwks)
}
handlers/management.go
+154
View File
@@ -0,0 +1,154 @@
package handlers
import (
"encoding/json"
"fmt"
"log/slog"
"net/http"
"strings"
"gitlab.com/unboundsoftware/auth0mock/store"
)
// ManagementHandler handles Auth0 Management API endpoints
type ManagementHandler struct {
userStore *store.UserStore
logger *slog.Logger
}
// NewManagementHandler creates a new management handler
func NewManagementHandler(userStore *store.UserStore, logger *slog.Logger) *ManagementHandler {
return &ManagementHandler{
userStore: userStore,
logger: logger,
}
}
// UserResponse represents the user response format
type UserResponse struct {
Email string `json:"email,omitempty"`
GivenName string `json:"given_name,omitempty"`
FamilyName string `json:"family_name,omitempty"`
UserID string `json:"user_id"`
Picture string `json:"picture,omitempty"`
}
// GetUsersByEmail handles GET /api/v2/users-by-email
func (h *ManagementHandler) GetUsersByEmail(w http.ResponseWriter, r *http.Request) {
email := r.URL.Query().Get("email")
h.logger.Debug("getting user by email", "email", email)
user, ok := h.userStore.GetByEmail(email)
if !ok {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode([]interface{}{})
return
}
response := []UserResponse{
{
Email: user.Email,
GivenName: user.GivenName,
FamilyName: user.FamilyName,
UserID: fmt.Sprintf("auth0|%s", user.UserID),
Picture: user.Picture,
},
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(response)
}
// CreateUser handles POST /api/v2/users
func (h *ManagementHandler) CreateUser(w http.ResponseWriter, r *http.Request) {
var req struct {
Email string `json:"email"`
GivenName string `json:"given_name"`
FamilyName string `json:"family_name"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
http.Error(w, "Invalid request body", http.StatusBadRequest)
return
}
if req.Email == "" {
http.Error(w, "Email is required", http.StatusBadRequest)
return
}
user := &store.User{
Email: req.Email,
GivenName: req.GivenName,
FamilyName: req.FamilyName,
UserID: req.Email,
}
// Set defaults if not provided
if user.GivenName == "" {
user.GivenName = "Given"
}
if user.FamilyName == "" {
user.FamilyName = "Last"
}
h.userStore.Create(req.Email, user)
h.logger.Info("created user", "email", req.Email)
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{
"user_id": fmt.Sprintf("auth0|%s", req.Email),
})
}
// UpdateUser handles PATCH /api/v2/users/{userid}
func (h *ManagementHandler) UpdateUser(w http.ResponseWriter, r *http.Request) {
// Extract user ID from path - format: /api/v2/users/auth0|email@example.com
path := r.URL.Path
userID := strings.TrimPrefix(path, "/api/v2/users/")
// Strip "auth0|" prefix to get email
email := strings.TrimPrefix(userID, "auth0|")
h.logger.Debug("patching user", "userid", userID, "email", email)
var req struct {
GivenName string `json:"given_name"`
FamilyName string `json:"family_name"`
Picture string `json:"picture"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
http.Error(w, "Invalid request body", http.StatusBadRequest)
return
}
updates := &store.User{
GivenName: req.GivenName,
FamilyName: req.FamilyName,
Picture: req.Picture,
}
_, ok := h.userStore.Update(email, updates)
if !ok {
http.Error(w, "User not found", http.StatusNotFound)
return
}
h.logger.Info("updated user", "email", email)
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{
"user_id": fmt.Sprintf("auth0|%s", email),
})
}
// PasswordChangeTicket handles POST /api/v2/tickets/password-change
func (h *ManagementHandler) PasswordChangeTicket(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{
"ticket": "https://some-url",
})
}
handlers/oauth.go
+337
View File
@@ -0,0 +1,337 @@
package handlers
import (
"embed"
"encoding/json"
"fmt"
"html/template"
"log/slog"
"net/http"
"net/url"
"gitlab.com/unboundsoftware/auth0mock/auth"
"gitlab.com/unboundsoftware/auth0mock/store"
)
//go:embed templates/login.html
var templateFS embed.FS
// OAuthHandler handles OAuth/OIDC endpoints
type OAuthHandler struct {
jwtService *auth.JWTService
sessionStore *store.SessionStore
loginTemplate *template.Template
logger *slog.Logger
}
// NewOAuthHandler creates a new OAuth handler
func NewOAuthHandler(jwtService *auth.JWTService, sessionStore *store.SessionStore, logger *slog.Logger) (*OAuthHandler, error) {
tmpl, err := template.ParseFS(templateFS, "templates/login.html")
if err != nil {
return nil, fmt.Errorf("parse login template: %w", err)
}
return &OAuthHandler{
jwtService: jwtService,
sessionStore: sessionStore,
loginTemplate: tmpl,
logger: logger,
}, nil
}
// TokenRequest represents the token endpoint request body
type TokenRequest struct {
GrantType string `json:"grant_type"`
ClientID string `json:"client_id"`
ClientSecret string `json:"client_secret"`
Code string `json:"code"`
CodeVerifier string `json:"code_verifier"`
RedirectURI string `json:"redirect_uri"`
}
// TokenResponse represents the token endpoint response
type TokenResponse struct {
AccessToken string `json:"access_token"`
IDToken string `json:"id_token"`
Scope string `json:"scope"`
ExpiresIn int `json:"expires_in"`
TokenType string `json:"token_type"`
}
// Token handles the POST /oauth/token endpoint
func (h *OAuthHandler) Token(w http.ResponseWriter, r *http.Request) {
if err := r.ParseForm(); err != nil {
http.Error(w, "Invalid request body", http.StatusBadRequest)
return
}
grantType := r.FormValue("grant_type")
clientID := r.FormValue("client_id")
code := r.FormValue("code")
codeVerifier := r.FormValue("code_verifier")
w.Header().Set("Content-Type", "application/json")
switch grantType {
case "client_credentials":
h.handleClientCredentials(w, clientID)
case "authorization_code", "":
if code != "" {
h.handleAuthorizationCode(w, code, codeVerifier, clientID)
} else {
w.WriteHeader(http.StatusUnauthorized)
json.NewEncoder(w).Encode(map[string]string{"error": "Missing code"})
}
default:
w.WriteHeader(http.StatusBadRequest)
json.NewEncoder(w).Encode(map[string]string{"error": "Unsupported grant type"})
}
}
func (h *OAuthHandler) handleClientCredentials(w http.ResponseWriter, clientID string) {
if clientID == "" {
w.WriteHeader(http.StatusUnauthorized)
json.NewEncoder(w).Encode(map[string]string{"error": "Missing client_id"})
return
}
adminClaim := map[string]interface{}{
h.jwtService.AdminClaim(): true,
}
accessToken, err := h.jwtService.SignAccessToken(
"auth0|management",
clientID,
"management@example.org",
[]map[string]interface{}{adminClaim},
)
if err != nil {
h.logger.Error("failed to sign access token", "error", err)
http.Error(w, "Failed to generate token", http.StatusInternalServerError)
return
}
idToken, err := h.jwtService.SignIDToken(
"auth0|management",
clientID,
"",
"management@example.org",
"Management API",
"Management",
"API",
"",
[]map[string]interface{}{adminClaim},
)
if err != nil {
h.logger.Error("failed to sign ID token", "error", err)
http.Error(w, "Failed to generate token", http.StatusInternalServerError)
return
}
h.logger.Info("signed token for management API")
json.NewEncoder(w).Encode(TokenResponse{
AccessToken: accessToken,
IDToken: idToken,
Scope: "openid%20profile%20email",
ExpiresIn: 7200,
TokenType: "Bearer",
})
}
func (h *OAuthHandler) handleAuthorizationCode(w http.ResponseWriter, code, codeVerifier, clientID string) {
session, ok := h.sessionStore.Get(code)
if !ok {
w.WriteHeader(http.StatusUnauthorized)
json.NewEncoder(w).Encode(map[string]string{"error": "Invalid code"})
return
}
// Verify PKCE if code_verifier is provided
if codeVerifier != "" && session.CodeChallenge != "" {
// Determine method - default to S256 if challenge looks like a hash
method := auth.PKCEMethodS256
if len(session.CodeChallenge) < 43 {
method = auth.PKCEMethodPlain
}
if !auth.VerifyPKCE(codeVerifier, session.CodeChallenge, method) {
w.WriteHeader(http.StatusUnauthorized)
json.NewEncoder(w).Encode(map[string]string{"error": "Invalid code_verifier"})
return
}
}
accessToken, err := h.jwtService.SignAccessToken(
"auth0|"+session.Email,
session.ClientID,
session.Email,
session.CustomClaims,
)
if err != nil {
h.logger.Error("failed to sign access token", "error", err)
http.Error(w, "Failed to generate token", http.StatusInternalServerError)
return
}
idToken, err := h.jwtService.SignIDToken(
"auth0|"+session.Email,
session.ClientID,
session.Nonce,
session.Email,
"Example Person",
"Example",
"Person",
"https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg",
session.CustomClaims,
)
if err != nil {
h.logger.Error("failed to sign ID token", "error", err)
http.Error(w, "Failed to generate token", http.StatusInternalServerError)
return
}
h.logger.Info("signed token", "email", session.Email)
// Clean up session after successful token exchange
h.sessionStore.Delete(code)
json.NewEncoder(w).Encode(TokenResponse{
AccessToken: accessToken,
IDToken: idToken,
Scope: "openid%20profile%20email",
ExpiresIn: 7200,
TokenType: "Bearer",
})
}
// Code handles the POST /code endpoint (form submission from login page)
func (h *OAuthHandler) Code(w http.ResponseWriter, r *http.Request) {
if err := r.ParseForm(); err != nil {
http.Error(w, "Invalid request body", http.StatusBadRequest)
return
}
email := r.FormValue("email")
password := r.FormValue("password")
codeChallenge := r.FormValue("codeChallenge")
redirect := r.FormValue("redirect")
state := r.FormValue("state")
nonce := r.FormValue("nonce")
clientID := r.FormValue("clientId")
admin := r.FormValue("admin") == "true"
if email == "" || password == "" || codeChallenge == "" {
h.logger.Debug("invalid code request", "email", email, "hasPassword", password != "", "hasChallenge", codeChallenge != "")
http.Error(w, "Email, password, or code challenge is missing", http.StatusBadRequest)
return
}
adminClaim := map[string]interface{}{
h.jwtService.AdminClaim(): admin,
}
session := &store.Session{
Email: email,
Password: password,
State: state,
Nonce: nonce,
ClientID: clientID,
CodeChallenge: codeChallenge,
CustomClaims: []map[string]interface{}{adminClaim},
}
h.sessionStore.Create(codeChallenge, session)
redirectURL := fmt.Sprintf("%s?code=%s&state=%s", redirect, codeChallenge, url.QueryEscape(state))
http.Redirect(w, r, redirectURL, http.StatusFound)
}
// Authorize handles the GET /authorize endpoint
func (h *OAuthHandler) Authorize(w http.ResponseWriter, r *http.Request) {
redirect := r.URL.Query().Get("redirect_uri")
state := r.URL.Query().Get("state")
nonce := r.URL.Query().Get("nonce")
clientID := r.URL.Query().Get("client_id")
codeChallenge := r.URL.Query().Get("code_challenge")
prompt := r.URL.Query().Get("prompt")
responseMode := r.URL.Query().Get("response_mode")
// Try to get existing session from cookie
cookie, err := r.Cookie("auth0")
var existingCode string
if err == nil {
existingCode = cookie.Value
}
// Handle response_mode=query with existing session
if responseMode == "query" && existingCode != "" {
if h.sessionStore.Update(existingCode, codeChallenge, func(s *store.Session) {
s.Nonce = nonce
s.State = state
s.CodeChallenge = codeChallenge
}) {
redirectURL := fmt.Sprintf("%s?code=%s&state=%s", redirect, codeChallenge, state)
http.Redirect(w, r, redirectURL, http.StatusFound)
return
}
}
// Handle prompt=none with response_mode=web_message (silent auth)
if prompt == "none" && responseMode == "web_message" && existingCode != "" {
session, ok := h.sessionStore.Get(existingCode)
if ok {
h.sessionStore.Update(existingCode, existingCode, func(s *store.Session) {
s.Nonce = nonce
s.State = state
s.CodeChallenge = codeChallenge
})
// Send postMessage response
w.Header().Set("Content-Type", "text/html")
fmt.Fprintf(w, `<!DOCTYPE html>
<html>
<body>
<script type="text/javascript">
(() => {
const msg = {
type: 'authorization_response',
response: {
code: '%s',
state: '%s'
}
}
parent.postMessage(msg, "*")
})()
</script>
</body>
</html>`, existingCode, session.State)
return
}
}
// Set cookie for session tracking
http.SetCookie(w, &http.Cookie{
Name: "auth0",
Value: codeChallenge,
Path: "/",
SameSite: http.SameSiteNoneMode,
Secure: true,
HttpOnly: true,
})
// Render login form
w.Header().Set("Content-Type", "text/html")
data := map[string]string{
"Redirect": redirect,
"State": state,
"Nonce": nonce,
"ClientID": clientID,
"CodeChallenge": codeChallenge,
}
if err := h.loginTemplate.Execute(w, data); err != nil {
h.logger.Error("failed to render login template", "error", err)
http.Error(w, "Internal server error", http.StatusInternalServerError)
}
}
handlers/session.go
+97
View File
@@ -0,0 +1,97 @@
package handlers
import (
"encoding/json"
"log/slog"
"net/http"
"gitlab.com/unboundsoftware/auth0mock/auth"
"gitlab.com/unboundsoftware/auth0mock/store"
)
// SessionHandler handles session-related endpoints
type SessionHandler struct {
jwtService *auth.JWTService
sessionStore *store.SessionStore
logger *slog.Logger
}
// NewSessionHandler creates a new session handler
func NewSessionHandler(jwtService *auth.JWTService, sessionStore *store.SessionStore, logger *slog.Logger) *SessionHandler {
return &SessionHandler{
jwtService: jwtService,
sessionStore: sessionStore,
logger: logger,
}
}
// UserInfo handles GET /userinfo
func (h *SessionHandler) UserInfo(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(map[string]string{
"picture": "https://cdn.playbuzz.com/cdn/5458360f-32ea-460e-a707-1a2d26760558/70bda687-cb84-4756-8a44-8cf735ed87b3.jpg",
})
}
// TokenInfo handles POST /tokeninfo
func (h *SessionHandler) TokenInfo(w http.ResponseWriter, r *http.Request) {
var req struct {
IDToken string `json:"id_token"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
http.Error(w, "Invalid request body", http.StatusBadRequest)
return
}
if req.IDToken == "" {
h.logger.Debug("no token given in body")
http.Error(w, "missing id_token", http.StatusUnauthorized)
return
}
claims, err := h.jwtService.DecodeToken(req.IDToken)
if err != nil {
h.logger.Debug("failed to decode token", "error", err)
http.Error(w, "invalid id_token", http.StatusUnauthorized)
return
}
if userID, ok := claims["sub"].(string); ok {
h.logger.Debug("returning token data", "user_id", userID)
}
w.Header().Set("Content-Type", "application/json")
json.NewEncoder(w).Encode(claims)
}
// Logout handles GET /v2/logout
func (h *SessionHandler) Logout(w http.ResponseWriter, r *http.Request) {
returnTo := r.URL.Query().Get("returnTo")
// Try to get session from cookie
cookie, err := r.Cookie("auth0")
if err == nil && cookie.Value != "" {
h.sessionStore.Delete(cookie.Value)
h.logger.Debug("deleted session", "code", cookie.Value)
}
// Clear the cookie
http.SetCookie(w, &http.Cookie{
Name: "auth0",
Value: "",
Path: "/",
MaxAge: -1,
SameSite: http.SameSiteNoneMode,
Secure: true,
HttpOnly: true,
})
if returnTo != "" {
http.Redirect(w, r, returnTo, http.StatusFound)
return
}
w.WriteHeader(http.StatusOK)
w.Write([]byte("Logged out"))
}
handlers/templates/login.html
+40
View File
@@ -0,0 +1,40 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<title>Auth</title>
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css" integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">
</head>
<body>
<div class="container">
<form method="post" action="/code">
<div class="card" style="width: 18rem; margin-top: 2rem;">
<div class="card-body">
<h5 class="card-title">Login</h5>
<div class="form-group">
<label for="email">Email</label>
<input type="text" name="email" id="email" class="form-control">
</div>
<div class="form-group">
<label for="password">Password</label>
<input type="password" name="password" id="password" class="form-control">
</div>
<div class="form-check">
<input class="form-check-input" type="checkbox" name="admin" value="true" id="admin">
<label class="form-check-label" for="admin">
Admin
</label>
</div>
<button type="submit" class="btn btn-primary mt-3">Login</button>
<input type="hidden" value="{{.Redirect}}" name="redirect">
<input type="hidden" value="{{.State}}" name="state">
<input type="hidden" value="{{.Nonce}}" name="nonce">
<input type="hidden" value="{{.ClientID}}" name="clientId">
<input type="hidden" value="{{.CodeChallenge}}" name="codeChallenge">
</div>
</div>
</form>
</div>
</body>
</html>
package.json
-31
View File
@@ -1,31 +0,0 @@
{
"name": "auth0-mock-server",
"version": "1.0.0",
"description": "Helps us to develop locally with seeded data and keep the flow of auth0.",
"main": "app.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1",
"dev": "nodemon ./app.js",
"start": "node ./app.js",
"lint:prettier": "prettier --check .",
"lint": "yarn lint:prettier",
"lintfix": "prettier --write --list-different ."
},
"author": "",
"license": "MIT",
"dependencies": {
"body-parser": "2.2.1",
"cookie-parser": "1.4.7",
"cors": "2.8.5",
"debug": "4.4.3",
"express": "5.2.1",
"https-localhost": "4.7.1",
"jsonwebtoken": "9.0.3",
"node-jose": "2.2.0",
"nodemon": "3.1.11",
"serve-favicon": "2.5.1"
},
"devDependencies": {
"prettier": "3.7.4"
}
}
store/sessions.go
+133
View File
@@ -0,0 +1,133 @@
package store
import (
"context"
"log/slog"
"sync"
"time"
)
const (
// SessionTTL is the time-to-live for sessions
SessionTTL = 5 * time.Minute
// CleanupInterval is how often expired sessions are cleaned up
CleanupInterval = 60 * time.Second
)
// Session represents an OAuth session
type Session struct {
Email string
Password string
State string
Nonce string
ClientID string
CodeChallenge string
CodeVerifier string
CustomClaims []map[string]interface{}
CreatedAt time.Time
}
// SessionStore provides thread-safe session storage with TTL
type SessionStore struct {
mu sync.RWMutex
sessions map[string]*Session
challenges map[string]string
logger *slog.Logger
}
// NewSessionStore creates a new session store
func NewSessionStore(logger *slog.Logger) *SessionStore {
return &SessionStore{
sessions: make(map[string]*Session),
challenges: make(map[string]string),
logger: logger,
}
}
// Create stores a new session
func (s *SessionStore) Create(code string, session *Session) {
s.mu.Lock()
defer s.mu.Unlock()
session.CreatedAt = time.Now()
s.sessions[code] = session
s.challenges[code] = code
}
// Get retrieves a session by code
func (s *SessionStore) Get(code string) (*Session, bool) {
s.mu.RLock()
defer s.mu.RUnlock()
session, ok := s.sessions[code]
return session, ok
}
// Update updates an existing session and optionally re-indexes it
func (s *SessionStore) Update(oldCode, newCode string, updateFn func(*Session)) bool {
s.mu.Lock()
defer s.mu.Unlock()
session, ok := s.sessions[oldCode]
if !ok {
return false
}
updateFn(session)
session.CreatedAt = time.Now() // Refresh timestamp
if oldCode != newCode {
s.sessions[newCode] = session
s.challenges[newCode] = newCode
delete(s.sessions, oldCode)
delete(s.challenges, oldCode)
}
return true
}
// Delete removes a session
func (s *SessionStore) Delete(code string) {
s.mu.Lock()
defer s.mu.Unlock()
delete(s.sessions, code)
delete(s.challenges, code)
}
// Cleanup removes expired sessions
func (s *SessionStore) Cleanup() int {
s.mu.Lock()
defer s.mu.Unlock()
now := time.Now()
cleaned := 0
for code, session := range s.sessions {
if now.Sub(session.CreatedAt) > SessionTTL {
delete(s.sessions, code)
delete(s.challenges, code)
cleaned++
}
}
return cleaned
}
// StartCleanup starts a background goroutine to clean up expired sessions
func (s *SessionStore) StartCleanup(ctx context.Context) {
ticker := time.NewTicker(CleanupInterval)
go func() {
for {
select {
case <-ctx.Done():
ticker.Stop()
return
case <-ticker.C:
if cleaned := s.Cleanup(); cleaned > 0 {
s.logger.Info("cleaned up expired sessions", "count", cleaned)
}
}
}
}()
}
store/sessions_test.go
+161
View File
@@ -0,0 +1,161 @@
package store
import (
"log/slog"
"os"
"testing"
"time"
)
func TestSessionStore_CreateAndGet(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
store := NewSessionStore(logger)
session := &Session{
Email: "test@example.com",
ClientID: "client-123",
CodeChallenge: "challenge-abc",
}
store.Create("code-123", session)
retrieved, ok := store.Get("code-123")
if !ok {
t.Fatal("expected to find session")
}
if retrieved.Email != "test@example.com" {
t.Errorf("expected email test@example.com, got %s", retrieved.Email)
}
if retrieved.CreatedAt.IsZero() {
t.Error("expected CreatedAt to be set")
}
}
func TestSessionStore_Delete(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
store := NewSessionStore(logger)
session := &Session{Email: "test@example.com"}
store.Create("code-123", session)
store.Delete("code-123")
_, ok := store.Get("code-123")
if ok {
t.Error("expected session to be deleted")
}
}
func TestSessionStore_Update(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
store := NewSessionStore(logger)
session := &Session{
Email: "test@example.com",
Nonce: "old-nonce",
}
store.Create("old-code", session)
// Update and re-index
ok := store.Update("old-code", "new-code", func(s *Session) {
s.Nonce = "new-nonce"
})
if !ok {
t.Fatal("expected update to succeed")
}
// Old code should not exist
_, ok = store.Get("old-code")
if ok {
t.Error("expected old code to be removed")
}
// New code should exist
retrieved, ok := store.Get("new-code")
if !ok {
t.Fatal("expected to find session with new code")
}
if retrieved.Nonce != "new-nonce" {
t.Errorf("expected nonce new-nonce, got %s", retrieved.Nonce)
}
}
func TestSessionStore_UpdateSameCode(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
store := NewSessionStore(logger)
session := &Session{
Email: "test@example.com",
Nonce: "old-nonce",
}
store.Create("code-123", session)
originalTime := session.CreatedAt
time.Sleep(10 * time.Millisecond)
// Update without re-indexing
store.Update("code-123", "code-123", func(s *Session) {
s.Nonce = "new-nonce"
})
retrieved, _ := store.Get("code-123")
if retrieved.Nonce != "new-nonce" {
t.Errorf("expected nonce new-nonce, got %s", retrieved.Nonce)
}
// CreatedAt should be refreshed
if !retrieved.CreatedAt.After(originalTime) {
t.Error("expected CreatedAt to be refreshed")
}
}
func TestSessionStore_UpdateNotFound(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
store := NewSessionStore(logger)
ok := store.Update("nonexistent", "new-code", func(s *Session) {})
if ok {
t.Error("expected update to fail for nonexistent session")
}
}
func TestSessionStore_Cleanup(t *testing.T) {
logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
store := NewSessionStore(logger)
// Create an expired session
session := &Session{Email: "test@example.com"}
store.Create("code-123", session)
// Manually set CreatedAt to expired time
store.mu.Lock()
store.sessions["code-123"].CreatedAt = time.Now().Add(-10 * time.Minute)
store.mu.Unlock()
// Create a valid session
validSession := &Session{Email: "valid@example.com"}
store.Create("code-456", validSession)
// Run cleanup
cleaned := store.Cleanup()
if cleaned != 1 {
t.Errorf("expected 1 session cleaned, got %d", cleaned)
}
// Expired session should be gone
_, ok := store.Get("code-123")
if ok {
t.Error("expected expired session to be cleaned up")
}
// Valid session should still exist
_, ok = store.Get("code-456")
if !ok {
t.Error("expected valid session to still exist")
}
}
store/users.go
+128
View File
@@ -0,0 +1,128 @@
package store
import (
"encoding/json"
"fmt"
"os"
"sync"
)
// User represents a user in the system
type User struct {
Email string `json:"email"`
GivenName string `json:"given_name"`
FamilyName string `json:"family_name"`
UserID string `json:"user_id"`
Picture string `json:"picture,omitempty"`
}
// UserStore provides thread-safe user storage
type UserStore struct {
mu sync.RWMutex
users map[string]*User
}
// NewUserStore creates a new user store
func NewUserStore() *UserStore {
return &UserStore{
users: make(map[string]*User),
}
}
// LoadFromFile loads users from a JSON file
func (s *UserStore) LoadFromFile(path string) error {
data, err := os.ReadFile(path)
if err != nil {
if os.IsNotExist(err) {
return nil // File doesn't exist, start with empty store
}
return fmt.Errorf("read users file: %w", err)
}
var rawUsers map[string]json.RawMessage
if err := json.Unmarshal(data, &rawUsers); err != nil {
return fmt.Errorf("parse users file: %w", err)
}
s.mu.Lock()
defer s.mu.Unlock()
for email, raw := range rawUsers {
var user User
if err := json.Unmarshal(raw, &user); err != nil {
return fmt.Errorf("parse user %s: %w", email, err)
}
user.Email = email // Ensure email is set
if user.UserID == "" {
user.UserID = email
}
s.users[email] = &user
}
return nil
}
// GetByEmail retrieves a user by email
func (s *UserStore) GetByEmail(email string) (*User, bool) {
s.mu.RLock()
defer s.mu.RUnlock()
user, ok := s.users[email]
if !ok {
return nil, false
}
// Return a copy to prevent external modification
userCopy := *user
return &userCopy, true
}
// Create adds a new user
func (s *UserStore) Create(email string, user *User) {
s.mu.Lock()
defer s.mu.Unlock()
user.Email = email
if user.UserID == "" {
user.UserID = email
}
s.users[email] = user
}
// Update modifies an existing user
func (s *UserStore) Update(email string, updates *User) (*User, bool) {
s.mu.Lock()
defer s.mu.Unlock()
existing, ok := s.users[email]
if !ok {
return nil, false
}
// Apply updates (only non-empty fields)
if updates.GivenName != "" {
existing.GivenName = updates.GivenName
}
if updates.FamilyName != "" {
existing.FamilyName = updates.FamilyName
}
if updates.Picture != "" {
existing.Picture = updates.Picture
}
// Return a copy
userCopy := *existing
return &userCopy, true
}
// List returns all users
func (s *UserStore) List() []*User {
s.mu.RLock()
defer s.mu.RUnlock()
users := make([]*User, 0, len(s.users))
for _, user := range s.users {
userCopy := *user
users = append(users, &userCopy)
}
return users
}
users.js
-18
View File
@@ -1,18 +0,0 @@
const fs = require('fs')
const setup = (usersFile) => {
let users = {}
if (fs.existsSync(usersFile)) {
console.log(`initial users file "${usersFile}" exists, reading`)
const read = fs.readFileSync(usersFile, { encoding: 'utf8', flag: 'r' })
users = JSON.parse(read)
for (let key of Object.keys(users)) {
users[key] = { ...users[key], email: key }
}
console.log('users:', users)
} else {
console.log(`initial users file "${usersFile}" missing`)
}
return users
}
module.exports = setup
yarn.lock
-1426
View File
File diff suppressed because it is too large Load Diff