From f0c979cfbb8d614d71e7e32c2eb74087ca04ae2e Mon Sep 17 00:00:00 2001 From: Simon Ser Date: Mon, 19 Feb 2024 10:41:19 +0100 Subject: [PATCH] Advertise OAuth server metadata Closes: https://todo.sr.ht/~emersion/sinwon/1 --- main.go | 1 + oauth2.go | 30 ++++++++++++++++++++++++++++++ diff --git a/main.go b/main.go index fa22cc8900fc27c0133a302a3afac8eb408a9b2e..0bd4b34e47e787cada66cc3e6e4f6da673418f75 100644 --- a/main.go +++ b/main.go @@ -56,6 +56,7 @@ mux.HandleFunc("/login", login) mux.Post("/logout", logout) mux.HandleFunc("/user/new", updateUser) mux.HandleFunc("/user/{id}", updateUser) + mux.Get("/.well-known/oauth-authorization-server", getOAuthServerMetadata) mux.HandleFunc("/authorize", authorize) mux.Post("/token", exchangeToken) diff --git a/oauth2.go b/oauth2.go index b0dfba011300ebc94e45f1d9847bc81a5d3c89a9..c684bd4e4299f0a33d6210eab447b9aa8a3745c3 100644 --- a/oauth2.go +++ b/oauth2.go @@ -7,6 +7,7 @@ "fmt" "io" "log" "mime" + "net" "net/http" "net/url" "strings" 
@@ -14,6 +15,35 @@ "time" "git.sr.ht/~emersion/go-oauth2" ) + +func getOAuthServerMetadata(w http.ResponseWriter, req *http.Request) { + issuerURL := url.URL{ + Scheme: "https", + Host: req.Host, + } + if !isForwardedHTTPS(req) && isLoopback(req) { + // TODO: add config option for allowed reverse proxy IPs + issuerURL.Scheme = "http" + } + issuer := issuerURL.String() + + w.Header().Set("Content-Type", "application/json") + json.NewEncoder(w).Encode(&oauth2.ServerMetadata{ + Issuer: issuer, + AuthorizationEndpoint: issuer + "/authorize", + TokenEndpoint: issuer + "/token", + ResponseTypesSupported: []oauth2.ResponseType{oauth2.ResponseTypeCode}, + ResponseModesSupported: []oauth2.ResponseMode{oauth2.ResponseModeQuery}, + GrantTypesSupported: []oauth2.GrantType{oauth2.GrantTypeAuthorizationCode}, + TokenEndpointAuthMethodsSupported: []oauth2.AuthMethod{oauth2.AuthMethodClientSecretBasic}, + }) +} + +func isLoopback(req *http.Request) bool { + host, _, _ := net.SplitHostPort(req.RemoteAddr) + ip := net.ParseIP(host) + return ip.IsLoopback() +} func authorize(w http.ResponseWriter, req *http.Request) { ctx := req.Context() -- 2.48.1
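Review bot: The issuer, and with it the advertised authorization_endpoint and token_endpoint, is built from `req.Host` in getOAuthServerMetadata, and the Host header is client-supplied unless every path into this handler goes through a reverse proxy that rewrites it, so a request with a forged Host yields metadata that points clients at the forger's host; this matters most when a cache or CDN in front of the service can store that response and serve it to other clients. If the deployment has a configured public base URL (the TODO about allowed reverse-proxy IPs suggests such config is planned), the issuer should be derived from it rather than from the request, or at minimum the handler should refuse hosts it is not configured to serve, e.g. `if !allowedHost(req.Host) { http.Error(w, "unknown host", http.StatusNotFound); return }`, with a comment above `Host: req.Host` stating that the Host header is only trusted behind a proxy that canonicalises it. RFC 8414 does require clients to check that the returned issuer matches the one they derived the well-known URL from, which limits the damage for well-behaved clients but does not cover the cached-response case. Separately, the error from `json.NewEncoder(w).Encode(...)` is discarded; logging it keeps a truncated or failed write from going unnoticed. isForwardedHTTPS is defined outside this hunk, so whether it checks that X-Forwarded-Proto actually came from a trusted proxy rather than from the client cannot be confirmed here.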