flow_security/

oauth.rs

//! OAuth2 (authorization-code + refresh) for `service`-node connections.
//!
//! Vendor-neutral: every endpoint (authorize / token URL), client id, scope set,
//! and redirect URI is supplied by the caller from catalog + operator data -
//! nothing about any specific provider is hard-coded here. Tokens are stored in
//! the OS keyring under the `service:<slug>` account as a JSON [`OAuthToken`].

use std::collections::HashMap;
use std::time::Duration;

use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use thiserror::Error;
use tokio::io::{AsyncReadExt, AsyncWriteExt};
use tokio::net::TcpListener;

use crate::credentials::{CredentialError, CredentialKind, CredentialStore};

#[derive(Debug, Error)]
pub enum OAuthError {
    #[error("oauth http error: {0}")]
    Http(String),
    #[error("oauth token endpoint returned status {status}: {body}")]
    Token { status: u16, body: String },
    #[error("no refresh token stored; reconnect the service")]
    NoRefreshToken,
    #[error(transparent)]
    Credential(#[from] CredentialError),
    #[error("token store decode error: {0}")]
    Decode(String),
}

/// A stored OAuth2 token bundle. Serialized to JSON in the keyring.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OAuthToken {
    pub access_token: String,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub refresh_token: Option<String>,
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub expires_at: Option<DateTime<Utc>>,
    #[serde(default)]
    pub token_type: String,
    #[serde(default)]
    pub scope: String,
}

impl OAuthToken {
    /// True when the access token is expired (or within a 60s skew window).
    pub fn is_expired(&self) -> bool {
        match self.expires_at {
            Some(exp) => Utc::now() + chrono::Duration::seconds(60) >= exp,
            None => false,
        }
    }
}

/// Raw token-endpoint response (standard OAuth2 fields).
#[derive(Debug, Deserialize)]
struct TokenResponse {
    access_token: String,
    #[serde(default)]
    refresh_token: Option<String>,
    #[serde(default)]
    expires_in: Option<i64>,
    #[serde(default)]
    token_type: String,
    #[serde(default)]
    scope: String,
}

impl TokenResponse {
    fn into_token(self, prior_refresh: Option<String>) -> OAuthToken {
        OAuthToken {
            // Providers commonly omit `refresh_token` on refresh - keep the prior.
            refresh_token: self.refresh_token.or(prior_refresh),
            expires_at: self
                .expires_in
                .map(|s| Utc::now() + chrono::Duration::seconds(s)),
            access_token: self.access_token,
            token_type: self.token_type,
            scope: self.scope,
        }
    }
}

/// Build the authorization-code consent URL the user opens in a browser.
pub fn build_authorize_url(
    auth_url: &str,
    client_id: &str,
    redirect_uri: &str,
    scopes: &[String],
    state: &str,
) -> String {
    let scope = scopes.join(" ");
    let pairs = [
        ("response_type", "code"),
        ("client_id", client_id),
        ("redirect_uri", redirect_uri),
        ("scope", scope.as_str()),
        ("state", state),
        // Request a refresh token (offline access) + force the consent screen so
        // a refresh token is always returned on first connect.
        ("access_type", "offline"),
        ("prompt", "consent"),
    ];
    let query = pairs
        .iter()
        .map(|(k, v)| format!("{k}={}", urlencode(v)))
        .collect::<Vec<_>>()
        .join("&");
    let sep = if auth_url.contains('?') { "&" } else { "?" };
    format!("{auth_url}{sep}{query}")
}

/// Exchange an authorization code for a token bundle.
pub async fn exchange_code(
    token_url: &str,
    client_id: &str,
    client_secret: &str,
    code: &str,
    redirect_uri: &str,
) -> Result<OAuthToken, OAuthError> {
    let params = [
        ("grant_type", "authorization_code"),
        ("code", code),
        ("client_id", client_id),
        ("client_secret", client_secret),
        ("redirect_uri", redirect_uri),
    ];
    post_token(token_url, &params, None).await
}

/// Refresh an access token using a stored refresh token.
pub async fn refresh(
    token_url: &str,
    client_id: &str,
    client_secret: &str,
    refresh_token: &str,
) -> Result<OAuthToken, OAuthError> {
    let params = [
        ("grant_type", "refresh_token"),
        ("refresh_token", refresh_token),
        ("client_id", client_id),
        ("client_secret", client_secret),
    ];
    post_token(token_url, &params, Some(refresh_token.to_string())).await
}

async fn post_token(
    token_url: &str,
    params: &[(&str, &str)],
    prior_refresh: Option<String>,
) -> Result<OAuthToken, OAuthError> {
    let client = reqwest::Client::builder()
        .timeout(Duration::from_secs(30))
        .build()
        .map_err(|e| OAuthError::Http(e.to_string()))?;
    let resp = client
        .post(token_url)
        .form(params)
        .send()
        .await
        .map_err(|e| OAuthError::Http(e.to_string()))?;
    let status = resp.status();
    let body = resp
        .text()
        .await
        .map_err(|e| OAuthError::Http(e.to_string()))?;
    if !status.is_success() {
        return Err(OAuthError::Token {
            status: status.as_u16(),
            body,
        });
    }
    let parsed: TokenResponse =
        serde_json::from_str(&body).map_err(|e| OAuthError::Decode(e.to_string()))?;
    Ok(parsed.into_token(prior_refresh))
}

/// Persist a token bundle to the keyring under `service:<slug>`.
pub fn store_token(
    store: &dyn CredentialStore,
    slug: &str,
    token: &OAuthToken,
) -> Result<(), OAuthError> {
    let account = CredentialKind::Service.account_for(slug);
    let json = serde_json::to_string(token).map_err(|e| OAuthError::Decode(e.to_string()))?;
    store.set(&account, &json)?;
    Ok(())
}

/// Load a token bundle from the keyring. Returns `Ok(None)` when none is stored.
pub fn load_token(store: &dyn CredentialStore, slug: &str) -> Result<Option<OAuthToken>, OAuthError> {
    let account = CredentialKind::Service.account_for(slug);
    match store.get(&account) {
        Ok(raw) => Ok(Some(
            serde_json::from_str(&raw).map_err(|e| OAuthError::Decode(e.to_string()))?,
        )),
        Err(CredentialError::NotFound { .. }) => Ok(None),
        Err(e) => Err(e.into()),
    }
}

/// Bind a one-shot loopback listener for the OAuth redirect on
/// `127.0.0.1:<port>`. Bind **before** opening the browser so the redirect can
/// never arrive before we're listening.
pub async fn bind_loopback(port: u16) -> Result<TcpListener, OAuthError> {
    TcpListener::bind(("127.0.0.1", port))
        .await
        .map_err(|e| OAuthError::Http(format!("bind 127.0.0.1:{port}: {e}")))
}

/// Wait on `listener` for the provider's redirect and return the `code` once a
/// request arrives whose `state` matches `expected_state`. Serves a tiny
/// "you can close this tab" page; ignores non-callback hits (e.g. favicon).
pub async fn accept_oauth_code(
    listener: TcpListener,
    expected_state: &str,
    timeout: Duration,
) -> Result<String, OAuthError> {
    let work = async {
        loop {
            let (mut stream, _) = listener
                .accept()
                .await
                .map_err(|e| OAuthError::Http(e.to_string()))?;
            let mut buf = vec![0u8; 4096];
            let n = stream.read(&mut buf).await.unwrap_or(0);
            let req = String::from_utf8_lossy(&buf[..n]);
            // Request line: `GET /callback?code=...&state=... HTTP/1.1`.
            let path = req
                .lines()
                .next()
                .and_then(|l| l.split_whitespace().nth(1))
                .unwrap_or("");
            let params = parse_query(path);

            let (status, message) = if params.contains_key("error") {
                ("400 Bad Request", "Authorization was denied. You can close this tab.")
            } else if params.contains_key("code") {
                ("200 OK", "Connected. You can close this tab and return to Flow Studio.")
            } else {
                ("404 Not Found", "Not found.")
            };
            let body = format!(
                "<!doctype html><meta charset=utf-8><body style=\"font-family:system-ui;padding:2rem\">{message}</body>"
            );
            let resp = format!(
                "HTTP/1.1 {status}\r\nContent-Type: text/html; charset=utf-8\r\nContent-Length: {}\r\nConnection: close\r\n\r\n{body}",
                body.len()
            );
            let _ = stream.write_all(resp.as_bytes()).await;
            let _ = stream.shutdown().await;

            if let Some(err) = params.get("error") {
                return Err(OAuthError::Token {
                    status: 400,
                    body: format!("authorization denied: {err}"),
                });
            }
            if let Some(code) = params.get("code") {
                return match params.get("state") {
                    Some(s) if s == expected_state => Ok(code.clone()),
                    _ => Err(OAuthError::Token {
                        status: 400,
                        body: "OAuth state mismatch (possible CSRF)".into(),
                    }),
                };
            }
            // Not the callback - keep waiting for the real redirect.
        }
    };
    match tokio::time::timeout(timeout, work).await {
        Ok(res) => res,
        Err(_) => Err(OAuthError::Http(
            "timed out waiting for the OAuth redirect".into(),
        )),
    }
}

/// Parse a `?k=v&k2=v2` query string off a request target into a map.
fn parse_query(path: &str) -> HashMap<String, String> {
    let mut map = HashMap::new();
    if let Some((_, q)) = path.split_once('?') {
        for pair in q.split('&') {
            if let Some((k, v)) = pair.split_once('=') {
                map.insert(k.to_string(), urldecode(v));
            }
        }
    }
    map
}

/// Minimal percent-decode (`%XX` + `+` → space) for query values.
fn urldecode(s: &str) -> String {
    let s = s.replace('+', " ");
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'%' && i + 3 <= b.len() {
            if let Ok(byte) = u8::from_str_radix(&s[i + 1..i + 3], 16) {
                out.push(byte);
                i += 3;
                continue;
            }
        }
        out.push(b[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).to_string()
}

/// Minimal percent-encoding for query values (RFC 3986 unreserved kept as-is).
fn urlencode(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{b:02X}")),
        }
    }
    out
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::credentials::InMemoryCredentialStore;
    use std::sync::Arc;

    #[test]
    fn authorize_url_encodes_scopes_and_state() {
        let url = build_authorize_url(
            "https://example.test/authorize",
            "client-123",
            "http://127.0.0.1:7421/callback",
            &["read".into(), "write things".into()],
            "xyz",
        );
        assert!(url.starts_with("https://example.test/authorize?"));
        assert!(url.contains("client_id=client-123"));
        assert!(url.contains("scope=read%20write%20things"));
        assert!(url.contains("redirect_uri=http%3A%2F%2F127.0.0.1%3A7421%2Fcallback"));
        assert!(url.contains("state=xyz"));
    }

    #[test]
    fn token_is_expired_within_skew() {
        let mut t = OAuthToken {
            access_token: "a".into(),
            refresh_token: None,
            expires_at: Some(Utc::now() + chrono::Duration::seconds(30)),
            token_type: "Bearer".into(),
            scope: String::new(),
        };
        assert!(t.is_expired(), "within 60s skew counts as expired");
        t.expires_at = Some(Utc::now() + chrono::Duration::seconds(3600));
        assert!(!t.is_expired());
        t.expires_at = None;
        assert!(!t.is_expired(), "no expiry => never expired");
    }

    #[test]
    fn store_and_load_round_trip() {
        let store: Arc<dyn CredentialStore> = Arc::new(InMemoryCredentialStore::new());
        let token = OAuthToken {
            access_token: "at".into(),
            refresh_token: Some("rt".into()),
            expires_at: None,
            token_type: "Bearer".into(),
            scope: "read".into(),
        };
        store_token(store.as_ref(), "acme.svc", &token).unwrap();
        let loaded = load_token(store.as_ref(), "acme.svc").unwrap().unwrap();
        assert_eq!(loaded.access_token, "at");
        assert_eq!(loaded.refresh_token.as_deref(), Some("rt"));
        assert!(load_token(store.as_ref(), "missing").unwrap().is_none());
    }

    #[test]
    fn parse_query_decodes_callback_params() {
        let m = parse_query("/callback?code=abc%2F123&state=xyz");
        assert_eq!(m.get("code").map(String::as_str), Some("abc/123"));
        assert_eq!(m.get("state").map(String::as_str), Some("xyz"));
        // A non-callback request (favicon, root) yields no params.
        assert!(parse_query("/favicon.ico").is_empty());
    }
}