feat(app): implement EVE SSO login and waypoint setting functionality
This commit is contained in:
394
esi_sso.go
Normal file
394
esi_sso.go
Normal file
@@ -0,0 +1,394 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/rand"
|
||||
"crypto/sha256"
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"net"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strconv"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
const (
|
||||
// SSO endpoints
|
||||
issuerAuthorizeURL = "https://login.eveonline.com/v2/oauth/authorize"
|
||||
issuerTokenURL = "https://login.eveonline.com/v2/oauth/token"
|
||||
|
||||
// ESI base
|
||||
esiBase = "https://esi.evetech.net"
|
||||
)
|
||||
|
||||
// ESISSO encapsulates a minimal PKCE SSO client and token store
|
||||
type ESISSO struct {
|
||||
clientID string
|
||||
redirectURI string
|
||||
scopes []string
|
||||
|
||||
state string
|
||||
codeVerifier string
|
||||
codeChallenge string
|
||||
|
||||
mu sync.Mutex
|
||||
accessToken string
|
||||
refreshToken string
|
||||
expiresAt time.Time
|
||||
|
||||
characterID int64
|
||||
characterName string
|
||||
|
||||
callbackOnce sync.Once
|
||||
server *http.Server
|
||||
}
|
||||
|
||||
func NewESISSO(clientID string, redirectURI string, scopes []string) *ESISSO {
|
||||
return &ESISSO{
|
||||
clientID: clientID,
|
||||
redirectURI: redirectURI,
|
||||
scopes: scopes,
|
||||
}
|
||||
}
|
||||
|
||||
// BuildAuthorizeURL prepares state and PKCE challenge and returns the browser URL
|
||||
func (s *ESISSO) BuildAuthorizeURL() (string, error) {
|
||||
if s.clientID == "" {
|
||||
return "", errors.New("EVE_SSO_CLIENT_ID not set")
|
||||
}
|
||||
verifier, challenge, err := generatePKCE()
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
s.codeVerifier = verifier
|
||||
s.codeChallenge = challenge
|
||||
s.state = randString(24)
|
||||
|
||||
q := url.Values{}
|
||||
q.Set("response_type", "code")
|
||||
q.Set("client_id", s.clientID)
|
||||
q.Set("redirect_uri", s.redirectURI)
|
||||
if len(s.scopes) > 0 {
|
||||
q.Set("scope", strings.Join(s.scopes, " "))
|
||||
}
|
||||
q.Set("state", s.state)
|
||||
q.Set("code_challenge", s.codeChallenge)
|
||||
q.Set("code_challenge_method", "S256")
|
||||
|
||||
return issuerAuthorizeURL + "?" + q.Encode(), nil
|
||||
}
|
||||
|
||||
// StartCallbackServer starts a temporary local HTTP server to receive the SSO callback
|
||||
func (s *ESISSO) StartCallbackServer() error {
|
||||
u, err := url.Parse(s.redirectURI)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if u.Scheme != "http" && u.Scheme != "https" {
|
||||
return errors.New("redirect URI must be http(s)")
|
||||
}
|
||||
// Bind exact host:port
|
||||
hostPort := u.Host
|
||||
if !strings.Contains(hostPort, ":") {
|
||||
// default ports
|
||||
if u.Scheme == "https" {
|
||||
hostPort += ":443"
|
||||
} else {
|
||||
hostPort += ":80"
|
||||
}
|
||||
}
|
||||
|
||||
mux := http.NewServeMux()
|
||||
mux.HandleFunc(u.Path, func(w http.ResponseWriter, r *http.Request) {
|
||||
// Receive code
|
||||
if r.Method != http.MethodGet {
|
||||
w.WriteHeader(http.StatusMethodNotAllowed)
|
||||
return
|
||||
}
|
||||
q := r.URL.Query()
|
||||
code := q.Get("code")
|
||||
st := q.Get("state")
|
||||
if code == "" || st == "" || st != s.state {
|
||||
w.WriteHeader(http.StatusBadRequest)
|
||||
_, _ = w.Write([]byte("Invalid SSO response"))
|
||||
return
|
||||
}
|
||||
// Exchange token
|
||||
if err := s.exchangeToken(r.Context(), code); err != nil {
|
||||
w.WriteHeader(http.StatusInternalServerError)
|
||||
_, _ = w.Write([]byte("Token exchange failed: " + err.Error()))
|
||||
return
|
||||
}
|
||||
_, _ = io.WriteString(w, "Login successful. You can close this window.")
|
||||
go func() {
|
||||
// stop shortly after responding
|
||||
time.Sleep(200 * time.Millisecond)
|
||||
_ = s.server.Shutdown(context.Background())
|
||||
}()
|
||||
})
|
||||
|
||||
ln, err := net.Listen("tcp", hostPort)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
s.server = &http.Server{Handler: mux}
|
||||
return s.server.Serve(ln)
|
||||
}
|
||||
|
||||
func (s *ESISSO) exchangeToken(ctx context.Context, code string) error {
|
||||
form := url.Values{}
|
||||
form.Set("grant_type", "authorization_code")
|
||||
form.Set("code", code)
|
||||
form.Set("client_id", s.clientID)
|
||||
form.Set("code_verifier", s.codeVerifier)
|
||||
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodPost, issuerTokenURL, strings.NewReader(form.Encode()))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||
|
||||
resp, err := http.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
|
||||
b, _ := io.ReadAll(resp.Body)
|
||||
return fmt.Errorf("token exchange failed: %s: %s", resp.Status, string(b))
|
||||
}
|
||||
var tr tokenResponse
|
||||
if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
s.mu.Lock()
|
||||
defer s.mu.Unlock()
|
||||
if tr.AccessToken != "" {
|
||||
s.accessToken = tr.AccessToken
|
||||
}
|
||||
if tr.RefreshToken != "" {
|
||||
s.refreshToken = tr.RefreshToken
|
||||
}
|
||||
if tr.ExpiresIn > 0 {
|
||||
s.expiresAt = time.Now().Add(time.Duration(tr.ExpiresIn-30) * time.Second)
|
||||
}
|
||||
// Parse basic claims for display
|
||||
name, cid := parseTokenCharacter(tr.AccessToken)
|
||||
s.characterName = name
|
||||
s.characterID = cid
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *ESISSO) refresh(ctx context.Context) error {
|
||||
s.mu.Lock()
|
||||
rt := s.refreshToken
|
||||
s.mu.Unlock()
|
||||
if rt == "" {
|
||||
return errors.New("no refresh token")
|
||||
}
|
||||
form := url.Values{}
|
||||
form.Set("grant_type", "refresh_token")
|
||||
form.Set("refresh_token", rt)
|
||||
form.Set("client_id", s.clientID)
|
||||
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodPost, issuerTokenURL, strings.NewReader(form.Encode()))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
||||
resp, err := http.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode < 200 || resp.StatusCode >= 300 {
|
||||
b, _ := io.ReadAll(resp.Body)
|
||||
return fmt.Errorf("token refresh failed: %s: %s", resp.Status, string(b))
|
||||
}
|
||||
var tr tokenResponse
|
||||
if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
s.mu.Lock()
|
||||
defer s.mu.Unlock()
|
||||
s.accessToken = tr.AccessToken
|
||||
if tr.RefreshToken != "" {
|
||||
s.refreshToken = tr.RefreshToken
|
||||
}
|
||||
if tr.ExpiresIn > 0 {
|
||||
s.expiresAt = time.Now().Add(time.Duration(tr.ExpiresIn-30) * time.Second)
|
||||
}
|
||||
name, cid := parseTokenCharacter(tr.AccessToken)
|
||||
s.characterName = name
|
||||
s.characterID = cid
|
||||
return nil
|
||||
}
|
||||
|
||||
func (s *ESISSO) ensureAccessToken(ctx context.Context) (string, error) {
|
||||
s.mu.Lock()
|
||||
tok := s.accessToken
|
||||
exp := s.expiresAt
|
||||
s.mu.Unlock()
|
||||
if tok == "" {
|
||||
return "", errors.New("not logged in")
|
||||
}
|
||||
if time.Now().After(exp.Add(-60 * time.Second)) {
|
||||
if err := s.refresh(ctx); err != nil {
|
||||
return "", err
|
||||
}
|
||||
s.mu.Lock()
|
||||
tok = s.accessToken
|
||||
s.mu.Unlock()
|
||||
}
|
||||
return tok, nil
|
||||
}
|
||||
|
||||
// PostWaypoint calls ESI to set destination or add waypoint
|
||||
func (s *ESISSO) PostWaypoint(destinationID int64, clearOthers bool, addToBeginning bool) error {
|
||||
tok, err := s.ensureAccessToken(context.Background())
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
q := url.Values{}
|
||||
q.Set("destination_id", strconv.FormatInt(destinationID, 10))
|
||||
q.Set("add_to_beginning", strconv.FormatBool(addToBeginning))
|
||||
q.Set("clear_other_waypoints", strconv.FormatBool(clearOthers))
|
||||
endpoint := esiBase + "/v2/ui/autopilot/waypoint/" + "?" + q.Encode()
|
||||
|
||||
req, err := http.NewRequest(http.MethodPost, endpoint, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
req.Header.Set("Authorization", "Bearer "+tok)
|
||||
req.Header.Set("Accept", "application/json")
|
||||
|
||||
resp, err := http.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode == http.StatusNoContent || resp.StatusCode == http.StatusOK {
|
||||
return nil
|
||||
}
|
||||
b, _ := io.ReadAll(resp.Body)
|
||||
return fmt.Errorf("waypoint failed: %s: %s", resp.Status, string(b))
|
||||
}
|
||||
|
||||
// Status reports current login state and character details
|
||||
type SSOStatus struct {
|
||||
LoggedIn bool
|
||||
CharacterID int64
|
||||
CharacterName string
|
||||
ExpiresAt time.Time
|
||||
}
|
||||
|
||||
func (s *ESISSO) Status() SSOStatus {
|
||||
s.mu.Lock()
|
||||
defer s.mu.Unlock()
|
||||
return SSOStatus{
|
||||
LoggedIn: s.accessToken != "",
|
||||
CharacterID: s.characterID,
|
||||
CharacterName: s.characterName,
|
||||
ExpiresAt: s.expiresAt,
|
||||
}
|
||||
}
|
||||
|
||||
// ResolveSystemIDByName searches ESI for a solar system by exact name and returns its ID
|
||||
func (s *ESISSO) ResolveSystemIDByName(ctx context.Context, name string) (int64, error) {
|
||||
name = strings.TrimSpace(name)
|
||||
if name == "" {
|
||||
return 0, errors.New("empty system name")
|
||||
}
|
||||
q := url.Values{}
|
||||
q.Set("categories", "solar_system")
|
||||
q.Set("search", name)
|
||||
q.Set("strict", "true")
|
||||
endpoint := esiBase + "/v3/search/?" + q.Encode()
|
||||
|
||||
req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
req.Header.Set("Accept", "application/json")
|
||||
resp, err := http.DefaultClient.Do(req)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
b, _ := io.ReadAll(resp.Body)
|
||||
return 0, fmt.Errorf("search failed: %s: %s", resp.Status, string(b))
|
||||
}
|
||||
var payload struct {
|
||||
SolarSystem []int64 `json:"solar_system"`
|
||||
}
|
||||
if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
|
||||
return 0, err
|
||||
}
|
||||
if len(payload.SolarSystem) == 0 {
|
||||
return 0, fmt.Errorf("system not found: %s", name)
|
||||
}
|
||||
return payload.SolarSystem[0], nil
|
||||
}
|
||||
|
||||
// Helpers
|
||||
|
||||
type tokenResponse struct {
|
||||
AccessToken string `json:"access_token"`
|
||||
RefreshToken string `json:"refresh_token"`
|
||||
TokenType string `json:"token_type"`
|
||||
ExpiresIn int `json:"expires_in"`
|
||||
}
|
||||
|
||||
func generatePKCE() (verifier string, challenge string, err error) {
|
||||
buf := make([]byte, 32)
|
||||
if _, err = rand.Read(buf); err != nil {
|
||||
return
|
||||
}
|
||||
v := base64.RawURLEncoding.EncodeToString(buf)
|
||||
h := sha256.Sum256([]byte(v))
|
||||
c := base64.RawURLEncoding.EncodeToString(h[:])
|
||||
return v, c, nil
|
||||
}
|
||||
|
||||
func randString(n int) string {
|
||||
buf := make([]byte, n)
|
||||
_, _ = rand.Read(buf)
|
||||
return base64.RawURLEncoding.EncodeToString(buf)
|
||||
}
|
||||
|
||||
func parseTokenCharacter(jwt string) (name string, id int64) {
|
||||
parts := strings.Split(jwt, ".")
|
||||
if len(parts) != 3 {
|
||||
return "", 0
|
||||
}
|
||||
payload, err := base64.RawURLEncoding.DecodeString(parts[1])
|
||||
if err != nil {
|
||||
return "", 0
|
||||
}
|
||||
var m map[string]any
|
||||
if err := json.Unmarshal(payload, &m); err != nil {
|
||||
return "", 0
|
||||
}
|
||||
if v, ok := m["name"].(string); ok {
|
||||
name = v
|
||||
}
|
||||
if v, ok := m["sub"].(string); ok {
|
||||
// format EVE:CHARACTER:<id>
|
||||
if idx := strings.LastIndexByte(v, ':'); idx > -1 {
|
||||
if idv, err := strconv.ParseInt(v[idx+1:], 10, 64); err == nil {
|
||||
id = idv
|
||||
}
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
Reference in New Issue
Block a user