Support oauth2 device grant flows in library (lispkit http oauth).

Author: objecthub

Sources/LispKit/Base/OAuth2DeviceGrantLK.swift

@@ -0,0 +1,197 @@
+//
+//  OAuth2DeviceGrantLK.swift
+//  LispKit
+//
+//  Created by Matthias Zenger on 12/07/2024.
+//  Copyright © 2024 ObjectHub. All rights reserved.
+//
+
+import Foundation
+import OAuth2
+
+/// https://www.ietf.org/rfc/rfc8628.html
+open class OAuth2DeviceGrantLK: OAuth2 {
+  public private(set) var deviceCode: String? = nil
+  public private(set) var pollingInterval: Double = 5.0
+  
+	override open class var grantType: String {
+		return "urn:ietf:params:oauth:grant-type:device_code"
+	}
+	
+	override open class var responseType: String? {
+		return ""
+	}
+		
+	open func deviceAccessTokenRequest(with deviceCode: String) throws -> OAuth2AuthRequest {
+		guard let clientId = clientConfig.clientId, !clientId.isEmpty else {
+			throw OAuth2Error.noClientId
+		}
+		let req = OAuth2AuthRequest(url: (clientConfig.tokenURL ?? clientConfig.authorizeURL))
+		req.params["device_code"] = deviceCode
+		req.params["grant_type"] = type(of: self).grantType
+		req.params["client_id"] = clientId
+		return req
+	}
+	
+	open func deviceAuthorizationRequest(params: OAuth2StringDict? = nil) throws -> OAuth2AuthRequest {
+		guard let clientId = clientConfig.clientId, !clientId.isEmpty else {
+			throw OAuth2Error.noClientId
+		}
+		guard let url = clientConfig.deviceAuthorizeURL else {
+			throw OAuth2Error.noDeviceCodeURL
+		}
+		let req = OAuth2AuthRequest(url: url)
+		req.params["client_id"] = clientId
+		if let scope = clientConfig.scope {
+			req.params["scope"] = scope
+		}
+		req.add(params: params)
+		return req
+	}
+	
+	open func parseDeviceAuthorizationResponse(data: Data) throws -> OAuth2JSON {
+		let dict = try parseJSON(data)
+		return try parseDeviceAuthorizationResponse(params: dict)
+	}
+	
+	public final func parseDeviceAuthorizationResponse(params: OAuth2JSON) throws -> OAuth2JSON {
+		try assureNoErrorInResponse(params)
+		return params
+	}
+	
+	/**
+	Start the device authorization flow.
+	
+	- parameter params:   Optional key/value pairs to pass during authorize device request
+	- parameter callback: The callback to call after the device authorization response has been received
+	*/
+	public func start(useNonTextualTransmission: Bool = false,
+                    params: OAuth2StringDict? = nil,
+                    queue: DispatchQueue? = .main,
+                    completion: @escaping (DeviceAuthCodes?, Error?) -> Void) {
+		authorizeDevice(params: params) { result, error in
+			guard let result else {
+				if let error {
+					self.logger?.warn("OAuth2", msg: "Unable to get device code: \(error)")
+				}
+				completion(nil, error)
+				return
+			}
+			guard let deviceCode = result["device_code"] as? String,
+            let userCode = result["user_code"] as? String,
+            let verificationUri = result["verification_uri"] as? String,
+            let verificationUrl = URL(string: verificationUri),
+            let expiresIn = result["expires_in"] as? Int else {
+        let error = OAuth2Error.generic("The response doesn't contain all required fields.")
+        self.logger?.warn("OAuth2", msg: String(describing: error))
+        completion(nil, error)
+        return
+      }
+      var verificationUrlComplete: URL?
+      if let verificationUriComplete = result["verification_uri_complete"] as? String {
+        verificationUrlComplete = URL(string: verificationUriComplete)
+      }
+      if useNonTextualTransmission, let url = verificationUrlComplete {
+        do {
+          try self.authorizer.openAuthorizeURLInBrowser(url)
+        } catch let error {
+          completion(nil, error)
+        }
+      }
+      self.deviceCode = deviceCode
+      self.pollingInterval = result["interval"] as? TimeInterval ?? 5.0
+      if let queue {
+        self.getDeviceAccessToken(deviceCode: deviceCode, interval: self.pollingInterval, queue: queue) { params, error in
+          if let params {
+            self.didAuthorize(withParameters: params)
+          }
+          else if let error {
+            self.didFail(with: error.asOAuth2Error)
+          }
+        }
+      }
+      let deviceAuthorization = DeviceAuthCodes(
+        deviceCode: deviceCode,
+        userCode: userCode,
+        verificationUrl: verificationUrl,
+        verificationUrlComplete: verificationUrlComplete,
+        expiresIn: expiresIn,
+        interval: self.pollingInterval)
+      completion(deviceAuthorization, nil)
+		}
+	}
+	
+	private func authorizeDevice(params: OAuth2StringDict?, completion: @escaping (OAuth2JSON?, Error?) -> Void) {
+		do {
+			let post = try deviceAuthorizationRequest(params: params).asURLRequest(for: self)
+			logger?.debug("OAuth2", msg: "Obtaining device code from \(post.url!)")
+			
+			perform(request: post) { response in
+				do {
+					let data = try response.responseData()
+					let params = try self.parseDeviceAuthorizationResponse(data: data)
+					completion(params, nil)
+				}
+				catch let error {
+					completion(nil, error.asOAuth2Error)
+				}
+			}
+		}
+		catch let error {
+			completion(nil, error.asOAuth2Error)
+		}
+	}
+	
+	public func getDeviceAccessToken(deviceCode: String,
+                                   interval: TimeInterval,
+                                   queue: DispatchQueue = .main,
+                                   completion: @escaping (OAuth2JSON?, Error?) -> Void) {
+		do {
+			let post = try deviceAccessTokenRequest(with: deviceCode).asURLRequest(for: self)
+			logger?.debug("OAuth2", msg: "Obtaining access token for device with code \(deviceCode) from \(post.url!)")
+			perform(request: post) { response in
+				do {
+					let data = try response.responseData()
+					let params = try self.parseAccessTokenResponse(data: data)
+					completion(params, nil)
+				}
+				catch let error {
+					let oaerror = error.asOAuth2Error
+					
+					if oaerror == .authorizationPending(nil) {
+						self.logger?.debug("OAuth2", msg: "AuthorizationPending, repeating in \(interval) seconds.")
+						queue.asyncAfter(deadline: .now() + interval) {
+              self.getDeviceAccessToken(deviceCode: deviceCode,
+                                        interval: interval,
+                                        queue: queue,
+                                        completion: completion)
+						}
+					} else if oaerror == .slowDown(nil) {
+						let updatedInterval = interval + 5 // The 5 seconds increase is required by the RFC8628 standard (https://www.rfc-editor.org/rfc/rfc8628#section-3.5)
+						self.logger?.debug("OAuth2", msg: "SlowDown, repeating in \(updatedInterval) seconds.")
+						queue.asyncAfter(deadline: .now() + updatedInterval) {
+              self.getDeviceAccessToken(deviceCode: deviceCode,
+                                        interval: updatedInterval,
+                                        queue: queue,
+                                        completion: completion)
+						}
+					} else {
+						completion(nil, oaerror)
+					}
+				}
+			}
+		}
+		catch let error {
+			completion(nil, error.asOAuth2Error)
+		}
+	}
+}
+
+public struct DeviceAuthCodes {
+  public let deviceCode: String
+	public let userCode: String
+	public let verificationUrl: URL
+	public let verificationUrlComplete: URL?
+	public let expiresIn: Int
+  public let interval: Double
+}

Sources/LispKit/Primitives/HTTPAOuthLibrary.swift

@@ -46,6 +46,12 @@ public final class HTTPOAuthLibrary: NativeLibrary {
   private let clientCredentialsReddit: Symbol
   private let passwordGrant: Symbol
   private let deviceGrant: Symbol
+  private let userCode: Symbol
+  private let verificationUrl: Symbol
+  private let verificationUrlComplete: Symbol
+  private let expiresIn: Symbol
+  private let interval: Symbol
+  private let deviceCode: Symbol
 
   /// Initialize symbols.
   public required init(in context: Context) throws {
@@ -62,6 +68,12 @@ public final class HTTPOAuthLibrary: NativeLibrary {
     self.clientCredentialsReddit = context.symbols.intern("client-credentials-reddit")
     self.passwordGrant = context.symbols.intern("password-grant")
     self.deviceGrant = context.symbols.intern("device-grant")
+    self.userCode = context.symbols.intern("user-code")
+    self.verificationUrl = context.symbols.intern("verification-url")
+    self.verificationUrlComplete = context.symbols.intern("verification-url-complete")
+    self.expiresIn = context.symbols.intern("expires-in")
+    self.interval = context.symbols.intern("interval")
+    self.deviceCode = context.symbols.intern("device-code")
     try super.init(in: context)
   }
 
@@ -88,6 +100,7 @@ public final class HTTPOAuthLibrary: NativeLibrary {
     self.define(Procedure("oauth2-refresh-token", self.oauth2RefreshToken))
     self.define(Procedure("oauth2-forget-tokens!", self.oauth2ForgetTokens))
     self.define(Procedure("oauth2-cancel-requests!", self.oauth2ForgetTokens))
+    self.define(Procedure("oauth2-request-codes", self.oauth2RequestCodes))
     self.define(Procedure("oauth2-authorize!", self.oauth2Authorize))
     self.define(Procedure("http-request-sign!", self.httpRequestSign))
     self.define(Procedure("oauth2-session?", self.isOAuth2Session))
@@ -161,7 +174,7 @@ public final class HTTPOAuthLibrary: NativeLibrary {
       case self.passwordGrant:
         oauth2 = OAuth2PasswordGrant(settings: settings)
       case self.deviceGrant:
-        oauth2 = OAuth2DeviceGrant(settings: settings)
+        oauth2 = OAuth2DeviceGrantLK(settings: settings)
       default:
         throw RuntimeError.custom("error", "unknown flow identifier", [.symbol(flow)])
     }
@@ -476,6 +489,21 @@ public final class HTTPOAuthLibrary: NativeLibrary {
     return settings
   }
 
+  private func oauth2Params(from: Expr?) throws -> OAuth2StringDict? {
+    guard var list = from else {
+      return nil
+    }
+    var dict: OAuth2StringDict = [:]
+    while case .pair(.pair(let key, let value), let rest) = list {
+      dict[try key.asString()] = try value.asString()
+      list = rest
+    }
+    guard case .null = list else {
+      throw RuntimeError.type(from!, expected: [.properListType])
+    }
+    return dict
+  }
+  
   private func oauth2AccessToken(expr: Expr) throws -> Expr {
     if let token = try self.oauth2(from: expr).oauth2.accessToken {
       return .makeString(token)
@@ -533,7 +561,49 @@ public final class HTTPOAuthLibrary: NativeLibrary {
     return res
   }
 
-  private func authorizeHandler(_ f: Future) -> (OAuth2JSON?, OAuth2Error?) -> Void {
+  private func oauth2RequestCodes(expr: Expr, nonTextual: Expr?, params: Expr?) throws -> Expr {
+    let oauth2 = try self.oauth2(from: expr)
+    guard let client = oauth2.oauth2 as? OAuth2DeviceGrantLK else {
+      throw RuntimeError.custom("error", "expecting oauth2 client for the device-grant flow: ", [expr])
+    }
+    let params = params == nil ? [:] : try self.oauth2Params(from: params!)
+    let f = Future(external: false)
+    HTTPOAuthLibrary.authRequestManager.register(oauth2: client, result: f, in: self.context)
+    client.start(useNonTextualTransmission: nonTextual?.isTrue ?? false, params: params, queue: nil) { codes, error in
+      defer {
+        HTTPOAuthLibrary.authRequestManager.unregister(future: f, in: self.context)
+      }
+      do {
+        if let error {
+          _ = try f.setResult(in: self.context, to: .error(RuntimeError.os(error)), raise: true)
+        } else if let codes {
+          var res = Expr.null
+          res = .pair(.pair(.symbol(self.interval), .makeNumber(codes.interval)), res)
+          res = .pair(.pair(.symbol(self.deviceCode), .makeString(codes.deviceCode)), res)
+          if let url = codes.verificationUrlComplete {
+            res = .pair(.pair(.symbol(self.verificationUrlComplete), .makeString(url.absoluteString)), res)
+          }
+          res = .pair(.pair(.symbol(self.verificationUrl), .makeString(codes.verificationUrl.absoluteString)), res)
+          res = .pair(.pair(.symbol(self.expiresIn), .makeNumber(codes.expiresIn)), res)
+          res = .pair(.pair(.symbol(self.userCode), .makeString(codes.userCode)), res)
+          _ = try f.setResult(in: self.context, to: res, raise: false)
+        } else {
+          _ = try f.setResult(in: self.context,
+                                   to: .error(RuntimeError.eval(.serverError)),
+                                   raise: true)
+        }
+      } catch {
+        do {
+          _ = try f.setResult(in: self.context,
+                                   to: .error(RuntimeError.eval(.serverError, .object(f))),
+                                   raise: true)
+        } catch {}
+      }
+    }
+    return .object(f)
+  }
+  
+  private func authorizeHandler(_ f: Future) -> (OAuth2JSON?, Error?) -> Void {
     return { params, error in
       defer {
         HTTPOAuthLibrary.authRequestManager.unregister(future: f, in: self.context)
@@ -562,7 +632,35 @@ public final class HTTPOAuthLibrary: NativeLibrary {
     let oauth2 = try self.oauth2(from: expr)
     let f = Future(external: false)
     HTTPOAuthLibrary.authRequestManager.register(oauth2: oauth2.oauth2, result: f, in: self.context)
-    oauth2.oauth2.authorize(callback: self.authorizeHandler(f))
+    if let oauth2DeviceGrant = oauth2.oauth2 as? OAuth2DeviceGrantLK {
+      if oauth2DeviceGrant.hasUnexpiredAccessToken() {
+        var params = Expr.null
+        params = .pair(.pair(.makeString("token_type"), .makeString("bearer")), params)
+        if let scope = oauth2DeviceGrant.scope {
+          params = .pair(.pair(.makeString("scope"), .makeString(scope)), params)
+        }
+        if let accessToken = oauth2DeviceGrant.accessToken {
+          params = .pair(.pair(.makeString("access_token"), .makeString(accessToken)), params)
+        }
+        _ = try f.setResult(in: self.context, to: params, raise: false)
+      } else if let deviceCode = oauth2DeviceGrant.deviceCode {
+        let callback = self.authorizeHandler(f)
+        oauth2DeviceGrant.getDeviceAccessToken(deviceCode: deviceCode,
+                                               interval: oauth2DeviceGrant.pollingInterval,
+                                               queue: .global(qos: .default)) { params, error in
+          if let params {
+            oauth2DeviceGrant.didAuthorize(withParameters: params)
+          } else if let error {
+            oauth2DeviceGrant.didFail(with: error.asOAuth2Error)
+          }
+          callback(params, error)
+        }
+      } else {
+        throw RuntimeError.custom("error", "OAuth2 device grant client did not yet receive device code: ", [expr])
+      }
+    } else {
+      oauth2.oauth2.authorize(callback: self.authorizeHandler(f))
+    }
     return .object(f)
   }