Make HTTP middleware easier to use

server/auth/openid/method.go

 // Copyright 2015 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 package openid
 
 import (
         "fmt"
         "net/http"
         "net/url"
         "time"
 
-        "github.com/julienschmidt/httprouter"
         "golang.org/x/net/context"
 
         "github.com/luci/luci-go/common/clock"
         "github.com/luci/luci-go/common/errors"
         "github.com/luci/luci-go/common/logging"
         "github.com/luci/luci-go/server/auth"
-        "github.com/luci/luci-go/server/middleware"
+        "github.com/luci/luci-go/server/router"
 )
 
 // These are installed into a HTTP router by AuthMethod.InstallHandlers(...).
 const (
         loginURL    = "/auth/openid/login"
         logoutURL   = "/auth/openid/logout"
         callbackURL = "/auth/openid/callback"
 )
 
 // AuthMethod implements auth.Method and auth.UsersAPI and can be used as
@@ skipping 14 matching lines @@
         Insecure bool
 
         // IncompatibleCookies is a list of cookies to remove when setting or clearing
         // session cookie. It is useful to get rid of GAE cookies when OpenID cookies
         // are being used. Having both is very confusing.
         IncompatibleCookies []string
 }
 
 // InstallHandlers installs HTTP handlers used in OpenID protocol. Must be
 // installed in server HTTP router for OpenID authentication flow to work.
-func (m *AuthMethod) InstallHandlers(r *httprouter.Router, base middleware.Base) {
-        r.GET(loginURL, base(m.loginHandler))
-        r.GET(logoutURL, base(m.logoutHandler))
-        r.GET(callbackURL, base(m.callbackHandler))
+func (m *AuthMethod) InstallHandlers(r *router.Router, handlers []router.Handler) {
+        r.GET(loginURL, append(handlers, m.loginHandler)...)
+        r.GET(logoutURL, append(handlers, m.logoutHandler)...)
+        r.GET(callbackURL, append(handlers, m.callbackHandler)...)
 }
 
 // Warmup prepares local caches. It's optional.
 func (m *AuthMethod) Warmup(c context.Context) error {
         cfg, err := fetchCachedSettings(c)
         if err != nil {
                 return err
         }
         _, err = fetchDiscoveryDoc(c, cfg.DiscoveryURL)
         return err
@@ skipping 42 matching lines @@
 func (m *AuthMethod) LogoutURL(c context.Context, dest string) (string, error) {
         if m.SessionStore == nil {
                 return "", ErrNotConfigured
         }
         return makeRedirectURL(logoutURL, dest)
 }
 
 ////
 
 // loginHandler initiates login flow by redirecting user to OpenID login page.
-func (m *AuthMethod) loginHandler(c context.Context, rw http.ResponseWriter, r *http.Request, p httprouter.Params) {
-        dest, err := normalizeURL(r.URL.Query().Get("r"))
+func (m *AuthMethod) loginHandler(c *router.Context) {
+        dest, err := normalizeURL(c.Request.URL.Query().Get("r"))
         if err != nil {
-                replyError(c, rw, err, "Bad redirect URI (%q) - %s", dest, err)
+                replyError(c.Context, c.Writer, err, "Bad redirect URI (%q) - %s", dest, err)
+                c.Abort()
                 return
         }
 
-        cfg, err := fetchCachedSettings(c)
+        cfg, err := fetchCachedSettings(c.Context)
         if err != nil {
-                replyError(c, rw, err, "Can't load OpenID settings - %s", err)
+                replyError(c.Context, c.Writer, err, "Can't load OpenID settings - %s", err)
+                c.Abort()
                 return
         }
 
         // `state` will be propagated by OpenID backend and will eventually show up
         // in callback URI handler. See callbackHandler.
         state := map[string]string{
                 "dest_url": dest,
-                "host_url": r.Host,
+                "host_url": c.Request.Host,
         }
-        authURI, err := authenticationURI(c, cfg, state)
+        authURI, err := authenticationURI(c.Context, cfg, state)
         if err != nil {
-                replyError(c, rw, err, "Can't generate authentication URI - %s", err)
+                replyError(c.Context, c.Writer, err, "Can't generate authentication URI - %s", err)
+                c.Abort()
                 return
         }
-        http.Redirect(rw, r, authURI, http.StatusFound)
+        http.Redirect(c.Writer, c.Request, authURI, http.StatusFound)
 }
 
 // logoutHandler nukes active session and redirect back to destination URL.
-func (m *AuthMethod) logoutHandler(c context.Context, rw http.ResponseWriter, r *http.Request, p httprouter.Params) {
-        dest, err := normalizeURL(r.URL.Query().Get("r"))
+func (m *AuthMethod) logoutHandler(c *router.Context) {
+        dest, err := normalizeURL(c.Request.URL.Query().Get("r"))
         if err != nil {
-                replyError(c, rw, err, "Bad redirect URI (%q) - %s", dest, err)
+                replyError(c.Context, c.Writer, err, "Bad redirect URI (%q) - %s", dest, err)
                 return
         }
 
         // Close a session if there's one.
-        sid, err := decodeSessionCookie(c, r)
+        sid, err := decodeSessionCookie(c.Context, c.Request)
         if err != nil {
-                replyError(c, rw, err, "Error when decoding session cookie - %s", err)
+                replyError(c.Context, c.Writer, err, "Error when decoding session cookie - %s", err)
+                c.Abort()
                 return
         }
         if sid != "" {
-                if err = m.SessionStore.CloseSession(c, sid); err != nil {
-                        replyError(c, rw, err, "Error when closing the session - %s", err)
+                if err = m.SessionStore.CloseSession(c.Context, sid); err != nil {
+                        replyError(c.Context, c.Writer, err, "Error when closing the session - %s", err)
+                        c.Abort()
                         return
                 }
         }
 
         // Nuke all session cookies to get to a completely clean state.
-        removeCookie(rw, r, sessionCookieName)
-        m.removeIncompatibleCookies(rw, r)
+        removeCookie(c.Writer, c.Request, sessionCookieName)
+        m.removeIncompatibleCookies(c.Writer, c.Request)
 
         // Redirect to the final destination.
-        http.Redirect(rw, r, dest, http.StatusFound)
+        http.Redirect(c.Writer, c.Request, dest, http.StatusFound)
 }
 
 // callbackHandler handles redirect from OpenID backend. Parameters contain
 // authorization code that can be exchanged for user profile.
-func (m *AuthMethod) callbackHandler(c context.Context, rw http.ResponseWriter, r *http.Request, p httprouter.Params) {
+func (m *AuthMethod) callbackHandler(ctx *router.Context) {
+        c, rw, r := ctx.Context, ctx.Writer, ctx.Request
+
         // This code path is hit when user clicks "Deny" on consent page.
         q := r.URL.Query()
         errorMsg := q.Get("error")
         if errorMsg != "" {
                 replyError(c, rw, errors.New("login error"), "OpenID login error: %s", errorMsg)
+                ctx.Abort()
                 return
         }
 
         // Validate inputs.
         code := q.Get("code")
         if code == "" {
                 replyError(c, rw, errors.New("login error"), "Missing 'code' parameter")
+                ctx.Abort()
                 return
         }
         stateTok := q.Get("state")
         if stateTok == "" {
                 replyError(c, rw, errors.New("login error"), "Missing 'state' parameter")
+                ctx.Abort()
                 return
         }
         state, err := validateStateToken(c, stateTok)
         if err != nil {
                 replyError(c, rw, err, "Failed to validate 'state' token")
+                ctx.Abort()
                 return
         }
 
         // Revalidate "dest_url". It was already validate in loginHandler when
         // generating state token, but just in case.
         dest, err := normalizeURL(state["dest_url"])
         if err != nil {
                 replyError(c, rw, err, "Bad redirect URI (%q) - %s", dest, err)
+                ctx.Abort()
                 return
         }
 
         // Callback URI is hardcoded in OAuth2 client config and must always point
         // to default version on GAE. Yet we want to support logging to non-default
         // versions that have different hostnames. Do some redirect dance here to pass
         // control to required version if necessary (so that it can set cookie on
         // non-default version domain). Same handler with same params, just with
         // different hostname. For most common case of signing in into default version
         // this code path is not triggered.
         if state["host_url"] != r.Host {
                 // There's no Scheme in r.URL. Append one, otherwise url.String() returns
                 // relative (broken) URL. And replace the hostname with desired one.
                 url := *r.URL
                 if m.Insecure {
                         url.Scheme = "http"
                 } else {
                         url.Scheme = "https"
                 }
                 url.Host = state["host_url"]
                 logging.Warningf(c, "Redirecting to callback URI on another host %q", url.Host)
                 http.Redirect(rw, r, url.String(), http.StatusFound)
+                ctx.Abort()
                 return
         }
 
         // Use authorization code to grab user profile.
         cfg, err := fetchCachedSettings(c)
         if err != nil {
                 replyError(c, rw, err, "Can't load OpenID settings - %s", err)
+                ctx.Abort()
                 return
         }
         uid, user, err := handleAuthorizationCode(c, cfg, code)
         if err != nil {
                 replyError(c, rw, err, "Error when fetching user profile - %s", err)
+                ctx.Abort()
                 return
         }
 
         // Grab previous session from the cookie to close it once new one is created.
         prevSid, err := decodeSessionCookie(c, r)
         if err != nil {
                 replyError(c, rw, err, "Error when decoding session cookie - %s", err)
+                ctx.Abort()
                 return
         }
 
         // Create session in the session store.
         expTime := clock.Now(c).Add(sessionCookieToken.Expiration)
         sid, err := m.SessionStore.OpenSession(c, uid, user, expTime)
         if err != nil {
                 replyError(c, rw, err, "Error when creating the session - %s", err)
+                ctx.Abort()
                 return
         }
 
         // Kill previous session now that new one is successfully created.
         if prevSid != "" {
                 if err = m.SessionStore.CloseSession(c, sid); err != nil {
                         replyError(c, rw, err, "Error when closing the session - %s", err)
+                        ctx.Abort()
                         return
                 }
         }
 
         // Set the cookies.
         cookie, err := makeSessionCookie(c, sid, !m.Insecure)
         if err != nil {
                 replyError(c, rw, err, "Can't make session cookie - %s", err)
+                ctx.Abort()
                 return
         }
         http.SetCookie(rw, cookie)
         m.removeIncompatibleCookies(rw, r)
 
         // Redirect to the final destination page.
         http.Redirect(rw, r, dest, http.StatusFound)
 }
 
 // removeIncompatibleCookies removes cookies specified by m.IncompatibleCookies.
@@ skipping 46 matching lines @@
 // HTTP 400 on fatal errors (that can happen only on bad requests).
 func replyError(c context.Context, rw http.ResponseWriter, err error, msg string, args ...interface{}) {
         code := http.StatusBadRequest
         if errors.IsTransient(err) {
                 code = http.StatusInternalServerError
         }
         msg = fmt.Sprintf(msg, args...)
         logging.Errorf(c, "HTTP %d: %s", code, msg)
         http.Error(rw, msg, code)
 }