How can I use data received as response from google api? - go

I'm trying to create login with google api authentication with oauth2.
I'm getting response from google api (response.body) as:
{
"id": "received ID",
"email": "EMAIL",
"verified_email": true,
"name": "Name",
}
How can I access that data inside go program so that I can store it in database?
package main
import (
"fmt"
"io/ioutil"
"log"
"net/http"
"net/url"
"strings"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
"encoding/json"
)
var (
oauthConf = &oauth2.Config{
ClientID: "CLIENTID",
ClientSecret: "Secret",
RedirectURL: "http://localhost:8011/showprofile",
//Scopes: []string{"https://www.googleapis.com/auth/plus.login"},
Scopes:[]string{"profile","email"},
Endpoint: google.Endpoint,
}
oauthStateString = "thisshouldberandom"
)
const htmlIndex = `<html><body>
Logged in with facebook
</body></html>
`
func handleMain(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.WriteHeader(http.StatusOK)
w.Write([]byte(htmlIndex))
}
func handleGoogleLogin(w http.ResponseWriter, r *http.Request) {
Url, err := url.Parse(oauthConf.Endpoint.AuthURL)
if err != nil {
log.Fatal("Parse: ", err)
}
parameters := url.Values{}
parameters.Add("client_id", oauthConf.ClientID)
parameters.Add("scope", strings.Join(oauthConf.Scopes, " "))
parameters.Add("redirect_uri", oauthConf.RedirectURL)
parameters.Add("response_type", "code")
parameters.Add("state", oauthStateString)
Url.RawQuery = parameters.Encode()
url := Url.String()
fmt.Println("URL" + url)
http.Redirect(w, r, url, http.StatusTemporaryRedirect)
}
func handleGoogleCallback(w http.ResponseWriter, r *http.Request) {
fmt.Println("Call back working")
state := r.FormValue("state")
if state != oauthStateString {
fmt.Printf("invalid oauth state, expected '%s', got '%s'\n", oauthStateString, state)
http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
return
}
code := r.FormValue("code")
token, err := oauthConf.Exchange(oauth2.NoContext, code)
if err != nil {
fmt.Printf("oauthConf.Exchange() failed with '%s'\n", err)
http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
return
}
resp,err:= http.Get("https://www.googleapis.com/oauth2/v2/userinfo?access_token=" + token.AccessToken)
if err != nil {
fmt.Printf("Get: %s\n", err)
http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
return
}
fmt.Println(resp.Body)
defer resp.Body.Close()
response, err := ioutil.ReadAll(resp.Body)
if err != nil {
fmt.Printf("ReadAll: %s\n", err)
http.Redirect(w, r, "/showprofile", http.StatusTemporaryRedirect)
return
}
log.Printf("parseResponseBody: %s\n", string(response))
http.Redirect(w, r, "/showprofile", http.StatusTemporaryRedirect)
}
func main() {
http.HandleFunc("/", handleMain)
http.HandleFunc("/login", handleGoogleLogin)
http.HandleFunc("/showprofile", handleGoogleCallback)
fmt.Print("Started running on http://localhost:8011\n")
log.Fatal(http.ListenAndServe(":8011", nil))
}

Fixed it by using json.Unmarshal.

Related

Reverse Proxy using Go to Cloud Run Instance

I feel like I'm close to having this working but so far I"m running into an issue building a small reverse proxy in Go to a GCP Cloud Run instance. The request 'goes through' but the response from the request is the default GCP Cloud Run 404. It appears when making the request back to Cloud Run the Host header is being ignored and therefore the request is not being routed correction.
What might I be missing here?
package main
import (
"log"
"net/http"
"net/http/httputil"
"net/url"
)
const apiUrl = "MY_CLOUD_RUN.a.run.app"
func main() {
http.HandleFunc("/", proxy)
log.Fatal(http.ListenAndServe(":8081", nil))
}
func proxy(res http.ResponseWriter, req *http.Request) {
// gets past CORS checks
if req.Method == http.MethodOptions {
headers := res.Header()
headers.Add("Access-Control-Allow-Origin", "*")
headers.Add("Vary", "Origin")
headers.Add("Vary", "Access-Control-Request-Method")
headers.Add("Vary", "Access-Control-Request-Headers")
headers.Add("Access-Control-Allow-Headers", "*")
headers.Add("Access-Control-Allow-Methods", "GET,HEAD,PUT,PATCH,POST,DELETE")
res.WriteHeader(http.StatusOK)
return
}
p := httputil.NewSingleHostReverseProxy(&url.URL{
Scheme: "http",
Host: apiUrl,
})
p.Director = func(req *http.Request) {
req.Header.Add("X-Forwarded-Host", req.Host)
req.Header.Add("X-Origin-Host", apiUrl)
req.Header.Add("Host", apiUrl)
req.Header.Add("Access-Control-Allow-Origin", "*")
req.URL.Scheme = "https"
req.URL.Host = apiUrl
}
p.ModifyResponse = func(res *http.Response) error {
res.Header.Set("Access-Control-Allow-Methods", "GET,HEAD,PUT,PATCH,POST,DELETE")
res.Header.Set("Access-Control-Allow-Credentials", "true")
res.Header.Set("Access-Control-Allow-Origin", "*")
res.Header.Set("Access-Control-Allow-Headers", "*")
return nil
}
p.ServeHTTP(res, req)
}
This is a bit more elaborate than the original initial write-up but what we wound up with was as follows.
package main
import (
"context"
"fmt"
"log"
"net/http"
"net/http/httputil"
"net/url"
"os"
"os/signal"
"time"
"golang.org/x/oauth2"
"google.golang.org/api/idtoken"
)
var port = ":8080"
var backend = "[CLOUD_RUN_INSTANCE_TO_PROXY].a.run.app"
func main() {
logger := log.New(os.Stdout, "proxy: ", log.LstdFlags)
logger.Println(fmt.Sprintf("Proxy server is starting for: %s on port: %s", backend, port))
router := http.NewServeMux()
router.Handle("/", proxyHandler())
server := &http.Server{
Addr: port,
Handler: logging(logger)(router),
ErrorLog: logger,
ReadTimeout: 30 * time.Second,
WriteTimeout: 30 * time.Second,
IdleTimeout: 15 * time.Second,
}
done := make(chan bool)
quit := make(chan os.Signal, 1)
signal.Notify(quit, os.Interrupt)
go func() {
<-quit
logger.Println("Proxy server is shutting down...")
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
defer cancel()
server.SetKeepAlivesEnabled(false)
if err := server.Shutdown(ctx); err != nil {
logger.Fatalf("Could not gracefully shutdown the server: %v\n", err)
}
close(done)
}()
if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
logger.Fatalf("Could not listen on %s: %v\n", port, err)
}
<-done
logger.Println("Server stopped")
}
func proxyHandler() http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.Method == http.MethodOptions {
headers := w.Header()
headers.Add("Access-Control-Allow-Origin", "*")
headers.Add("Access-Control-Allow-Headers", "*")
headers.Add("Access-Control-Allow-Methods", "GET,HEAD,PUT,PATCH,POST,DELETE")
w.WriteHeader(http.StatusOK)
return
}
path := fmt.Sprintf("https://%s%s", backend, r.RequestURI)
at, _ := idTokenTokenSource(path)
p := httputil.NewSingleHostReverseProxy(&url.URL{
Scheme: "https",
Host: backend,
})
p.Director = func(r *http.Request) {
if at != nil {
at.SetAuthHeader(r)
}
}
p.ModifyResponse = func(res *http.Response) error {
res.Header.Set("Access-Control-Allow-Methods", "GET,HEAD,PUT,PATCH,POST,DELETE")
res.Header.Set("Access-Control-Allow-Credentials", "true")
res.Header.Set("Access-Control-Allow-Origin", "*")
res.Header.Set("Access-Control-Allow-Headers", "*")
return nil
}
r.URL.Scheme = "https"
r.URL.Host = backend
r.Header.Set("X-Forwarded-Host", r.Header.Get("Host"))
r.Host = backend
if at != nil {
at.SetAuthHeader(r)
}
p.ServeHTTP(w, r)
})
}
func logging(l *log.Logger) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
defer func() {
requestId := r.Header.Get("X-Request-Id")
if requestId == "" {
requestId = fmt.Sprintf("%d", time.Now().UnixNano())
}
w.Header().Set("X-Request-Id", requestId)
l.Println(requestId, r.Method, r.URL.Path, r.RemoteAddr, r.UserAgent())
}()
next.ServeHTTP(w, r)
})
}
}
func idTokenTokenSource(audience string) (*oauth2.Token, error) {
ts, err := idtoken.NewTokenSource(context.Background(), audience)
if err != nil {
return nil, err
}
t, err := ts.Token()
if err != nil {
return nil, err
}
return t, nil
}
A good chunk of some of the graceful shutdown, http setup, and logging came from: https://gist.github.com/enricofoltran/10b4a980cd07cb02836f70a4ab3e72d7

XSS Protection using golang

I'm following this tutorial for golang.
I don't really understand where should I put this code inside of my code
t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>")
following is my main.go
package main
import (
"fmt"
//"html/template"
"log"
"net/http"
"strings"
"text/template"
)
func sayhelloName(w http.ResponseWriter, r *http.Request) {
r.ParseForm() //Parse url parameters passed, then parse the response packet for the POST body (request body)
// attention: If you do not call ParseForm method, the following data can not be obtained form
fmt.Println(r.Form) // print information on server side.
fmt.Println("path", r.URL.Path)
fmt.Println("scheme", r.URL.Scheme)
fmt.Println(r.Form["url_long"])
for k, v := range r.Form {
fmt.Println("key:", k)
fmt.Println("val:", strings.Join(v, ""))
}
fmt.Fprintf(w, "Hello astaxie!") // write data to response
}
func login(w http.ResponseWriter, r *http.Request) {
fmt.Println("method:", r.Method) //get request method
if r.Method == "GET" {
t, _ := template.ParseFiles("login.gtpl")
t.Execute(w, nil)
} else {
r.ParseForm()
// logic part of log in
fmt.Println("username:", r.Form["username"])
fmt.Println("password:", r.Form["password"])
//I put the sample code here
t, err := template.New("foo").Parse(`{{define "T"}}Hello, {{.}}!{{end}}`)
err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>")
}
}
func main() {
http.HandleFunc("/", sayhelloName) // setting router rule
http.HandleFunc("/login", login)
err := http.ListenAndServe(":9090", nil) // setting listening port
if err != nil {
log.Fatal("ListenAndServe: ", err)
}
}
After I put the sample code in func login and compile, it wants out to "out" undefined on this line
err = t.ExecuteTemplate(out, "T", "<script>alert('you have been pwned')</script>")
Can anyone help me to figure out the problem?
thanks
You have to write the output to the response writer:
err = t.ExecuteTemplate(w, "T", "<script>alert('you have been pwned')</script>")

Go equivalent of Python's requests.Session for making many requests with the same basic authentication?

Consider this example for making an HTTP request in Go with basic authentication:
package main
import (
"encoding/base64"
"fmt"
"io/ioutil"
"net/http"
"net/http/httptest"
"strings"
)
var userName = "myUserName"
var password = "myPassword"
func main() {
ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if !checkAuth(w, r) {
http.Error(w, "You're not authorized!", http.StatusUnauthorized)
return
}
w.Write([]byte("You're authorized!"))
}))
defer ts.Close()
req, err := http.NewRequest("GET", ts.URL, nil)
check(err)
req.SetBasicAuth(userName, password+"foo")
resp, err := http.DefaultClient.Do(req)
check(err)
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
check(err)
fmt.Println(string(body))
}
// checkAuth checks authentication (cf. https://stackoverflow.com/questions/21936332/idiomatic-way-of-requiring-http-basic-auth-in-go/21937924#21937924)
func checkAuth(w http.ResponseWriter, r *http.Request) bool {
s := strings.SplitN(r.Header.Get("Authorization"), " ", 2)
if len(s) != 2 {
return false
}
b, err := base64.StdEncoding.DecodeString(s[1])
if err != nil {
return false
}
pair := strings.SplitN(string(b), ":", 2)
if len(pair) != 2 {
return false
}
return pair[0] == userName && pair[1] == password
}
func check(err error) {
if err != nil {
panic(err)
}
}
Note that SetBasicAuth is a method of an *http.Request, so if I want to make many requests, I would have to call this method on each request.
In Python, you can define a requests.Session like in this example (from https://requests.readthedocs.io/en/master/user/advanced/#session-objects):
s = requests.Session()
s.auth = ('user', 'pass')
s.headers.update({'x-test': 'true'})
# both 'x-test' and 'x-test2' are sent
s.get('https://httpbin.org/headers', headers={'x-test2': 'true'})
Is there an idiomatic way of defining the equivalent of a requests.Session in Go (preferably using the standard library)? All I can think of is defining a custom client struct with its own Do() method:
type MyClient struct {
UserName, Password string
}
func (client *MyClient) Do(req *http.Request) (*http.Response, error) {
req.SetBasicAuth(client.UserName, client.Password)
return http.DefaultClient.Do(req)
}
and invoking it in the above script like
client := MyClient{UserName: userName, Password: password}
resp, err := client.Do(req)
Would this be an idiomatic way to avoid multiple calls to SetBasicAuth()?

Want to get session values when client sends new request

I want to get server's session value when client creates a new request.
But, server returns nil always.
I don't know what is the problem in this case.
Client
package main
import (
"io/ioutil"
"log"
"net/http"
"github.com/gorilla/mux"
"github.com/gorilla/securecookie"
"github.com/gorilla/sessions"
)
var (
store *sessions.CookieStore = sessions.NewCookieStore(securecookie.GenerateRandomKey(64))
session *sessions.Session
SessionName = "client"
)
func main() {
store.Options = &sessions.Options{
Path: "/",
MaxAge: 60 * 15,
Secure: false,
HttpOnly: true,
}
router := mux.NewRouter()
router.HandleFunc("/", cIndex)
router.HandleFunc("/test", cTest)
http.ListenAndServe(":7000", router)
}
func cIndex(w http.ResponseWriter, r *http.Request) {
session, err := store.Get(r, SessionName)
if err != nil {
log.Println("cIndex Session Error : ", err.Error())
return
}
session.Values["foo"] = "bar"
session.Save(r, w)
w.Header().Set("Location", "http://localhost:8080?foo=bar")
w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
w.WriteHeader(http.StatusFound)
}
func cTest(w http.ResponseWriter, r *http.Request) {
req, err := http.NewRequest("GET", "http://localhost:8080/test", nil)
if err != nil {
log.Println("cTest Request Error : ", err.Error())
return
}
req.SetBasicAuth("sample_id", "sample_secret")
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
c := &http.Client{
Transport: &http.Transport{},
}
resp, err := c.Do(req)
if err != nil {
log.Println("cTest Response Error : ", err.Error())
return
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
log.Println("cTest Body Error : ", err.Error())
return
}
log.Println(string(body))
}
Server
package main
import (
"encoding/json"
"log"
"net/http"
"github.com/gorilla/mux"
"github.com/gorilla/securecookie"
"github.com/gorilla/sessions"
)
var (
store *sessions.CookieStore = sessions.NewCookieStore(securecookie.GenerateRandomKey(64))
session *sessions.Session
SessionName = "server"
)
func main() {
store.Options = &sessions.Options{
Path: "/",
MaxAge: 60 * 15,
Secure: false,
HttpOnly: true,
}
router := mux.NewRouter()
router.HandleFunc("/", sIndex)
router.HandleFunc("/test", sTest)
http.ListenAndServe(":8080", router)
}
func sIndex(w http.ResponseWriter, r *http.Request) {
r.ParseForm()
v := r.FormValue("foo")
session, err := store.Get(r, SessionName)
if err != nil {
log.Println("sIndex Session Error : ", err.Error())
return
}
session.Values["foo"] = v
session.Save(r, w)
w.Header().Set("Location", "http://localhost:7000/test")
w.Header().Set("Content-Type", "application/x-www-form-urlencoded")
w.WriteHeader(http.StatusFound)
}
func sTest(w http.ResponseWriter, r *http.Request) {
session, err := store.Get(r, SessionName)
if err != nil {
log.Println("sTest Session Error : ", err.Error())
return
}
v, ok := session.Values["foo"].(string)
if !ok {
log.Printf("foo = %v\n", v)
}
data := struct {
Foo string
}{
v, // I expected v is bar,but v was nil.
}
bytes, err := json.Marshal(data)
if err != nil {
log.Println("sTest JSON Error : ", err.Error())
return
}
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusOK)
w.Write(bytes)
}
Details
Client sends request to server with query foo=bar.
Server receives the request and parsing.
Server saves query parameter in session.(I used gorilla/session)
Client makes *http.Client and send new Request to server.
Server receives request, and loads value in session, and set the value at response.
Client receives value bar
In 5, I expected that server can load the value bar from session, but session value was nil.
I wrote some codes and it moves.
Is it correct way?
Client
func cTest(w http.ResponseWrite, r *http.Request) {
serverURL := "http://localhost:8080/test"
r.Method = http.MethodGet
r.Host = serverURL // server
v, err := url.Parse(serverURL)
if err != nil {
log.Println("url parsing error occurred : ", err.Error())
return
}
c := &http.Client{Transport: &http.Transport{}}
resp, err := c.Transport.RoundTrip(r)
if err != nil {
log.Println("client roundtrip error occurred : ", err.Error())
return
}
defer resp.Body.Close()
body, err := ioutil.ReadAll(resp.Body)
if err != nil {
log.Println("response body reading error occurred : ", err.Error())
return
}
w.Write(body)
}

I am not able to retrieve the access token using the following go code

func handler(w http.ResponseWriter, r *http.Request) {
t := &oauth.Transport{Config: config}
c := r.FormValue("code")
token, err := t.Exchange(c)
fmt.Println("token: ", token, "\nerr: ", err)
}
Error:
token: <nil>
err: OAuthError: updateToken: Unexpected HTTP status 400 Bad Request
Do you use goauth2 package, which is deprecated? If so you can try golang.org/x/oauth2 instead
package main
import (
"log"
"net/http"
"code.google.com/p/google-api-go-client/youtube/v3"
"golang.org/x/oauth2"
"golang.org/x/oauth2/google"
)
// variables used during oauth protocol flow of authentication
var (
code = ""
token = ""
)
var oauthCfg = &oauth2.Config{
ClientID: "...",
ClientSecret: "...",
RedirectURL: "http://localhost:8888/oauth2callback",
Scopes: []string{
youtube.YoutubeScope, //e.g.
},
Endpoint: google.Endpoint,
}
func main() {
http.HandleFunc("/", mainHander)
http.HandleFunc("/oauth2callback", callbackHandler)
http.ListenAndServe(":8888", nil)
}
func mainHander(w http.ResponseWriter, r *http.Request) {
url := oauthCfg.AuthCodeURL("")
http.Redirect(w, r, url, http.StatusFound)
}
func callbackHandler(w http.ResponseWriter, r *http.Request) {
code := r.FormValue("code")
tok, err := oauthCfg.Exchange(oauth2.NoContext, code)
if err != nil {
log.Fatal(err)
}
log.Println(tok)
}

Resources