Use OAuth Device flow

Signed-off-by: dusan <borovcanindusan1@gmail.com>

Author: dborovcanin

cmd/users/main.go

@@ -19,6 +19,7 @@ import (
 	grpcDomainsV1 "github.com/absmach/supermq/api/grpc/domains/v1"
 	grpcTokenV1 "github.com/absmach/supermq/api/grpc/token/v1"
 	grpcUsersV1 "github.com/absmach/supermq/api/grpc/users/v1"
+	redisclient "github.com/absmach/supermq/internal/clients/redis"
 	"github.com/absmach/supermq/internal/email"
 	smqlog "github.com/absmach/supermq/logger"
 	smqauthn "github.com/absmach/supermq/pkg/authn"
@@ -97,6 +98,7 @@ type config struct {
 	PasswordResetEmailTemplate string        `env:"SMQ_PASSWORD_RESET_EMAIL_TEMPLATE"     envDefault:"reset-password-email.tmpl"`
 	VerificationURLPrefix      string        `env:"SMQ_VERIFICATION_URL_PREFIX"           envDefault:"http://localhost/verify-email"`
 	VerificationEmailTemplate  string        `env:"SMQ_VERIFICATION_EMAIL_TEMPLATE"       envDefault:"verification-email.tmpl"`
+	CacheURL                   string        `env:"SMQ_USERS_CACHE_URL"                   envDefault:"redis://localhost:6379/0"`
 	PassRegex                  *regexp.Regexp
 }
 
@@ -152,6 +154,13 @@ func main() {
 		exitCode = 1
 		return
 	}
+	cacheClient, err := redisclient.Connect(cfg.CacheURL)
+	if err != nil {
+		logger.Error(fmt.Sprintf("failed to connect to redis: %s", err))
+		exitCode = 1
+		return
+	}
+	defer cacheClient.Close()
 
 	migration := postgres.Migration()
 	db, err := pgclient.Setup(dbConfig, *migration)
@@ -275,7 +284,7 @@ func main() {
 
 	mux := chi.NewRouter()
 	idp := uuid.New()
-	httpSrv := httpserver.NewServer(ctx, cancel, svcName, httpServerConfig, httpapi.MakeHandler(csvc, authnMiddleware, tokenClient, cfg.SelfRegister, mux, logger, cfg.InstanceID, cfg.PassRegex, idp, oauthProvider), logger)
+	httpSrv := httpserver.NewServer(ctx, cancel, svcName, httpServerConfig, httpapi.MakeHandler(csvc, authnMiddleware, tokenClient, cfg.SelfRegister, mux, logger, cfg.InstanceID, cfg.PassRegex, idp, cacheClient, oauthProvider), logger)
 
 	if cfg.SendTelemetry {
 		chc := chclient.New(svcName, supermq.Version, logger, cancel)

docker/.env

@@ -269,6 +269,7 @@ SMQ_PASSWORD_RESET_URL_PREFIX=http://localhost/password-reset
 SMQ_PASSWORD_RESET_EMAIL_TEMPLATE=reset-password-email.tmpl
 SMQ_VERIFICATION_URL_PREFIX=http://localhost/verify-email
 SMQ_VERIFICATION_EMAIL_TEMPLATE=verification-email.tmpl
+SMQ_USERS_CACHE_URL=redis://users-redis:${SMQ_REDIS_TCP_PORT}/0
 
 #### Users Client Config
 SMQ_USERS_URL=http://users:9002

docker/docker-compose.yaml

@@ -10,6 +10,7 @@ networks:
 
 volumes:
   supermq-users-db-volume:
+  supermq-users-redis-volume:
   supermq-groups-db-volume:
   supermq-clients-db-volume:
   supermq-channels-db-volume:
@@ -823,11 +824,21 @@ services:
     volumes:
       - supermq-users-db-volume:/var/lib/postgresql/data
 
+  users-redis:
+    image: docker.io/redis:8.2.2-alpine3.22
+    container_name: supermq-users-redis
+    restart: on-failure
+    networks:
+      - supermq-base-net
+    volumes:
+      - supermq-users-redis-volume:/data
+
   users:
     image: docker.io/supermq/users:${SMQ_RELEASE_TAG}
     container_name: supermq-users
     depends_on:
       - users-db
+      - users-redis
       - auth
       - nats
     restart: on-failure
@@ -864,6 +875,7 @@ services:
       SMQ_USERS_DB_SSL_CERT: ${SMQ_USERS_DB_SSL_CERT}
       SMQ_USERS_DB_SSL_KEY: ${SMQ_USERS_DB_SSL_KEY}
       SMQ_USERS_DB_SSL_ROOT_CERT: ${SMQ_USERS_DB_SSL_ROOT_CERT}
+      SMQ_USERS_CACHE_URL: ${SMQ_USERS_CACHE_URL}
       SMQ_USERS_ALLOW_SELF_REGISTER: ${SMQ_USERS_ALLOW_SELF_REGISTER}
       SMQ_EMAIL_HOST: ${SMQ_EMAIL_HOST}
       SMQ_EMAIL_PORT: ${SMQ_EMAIL_PORT}

users/README.md

@@ -57,6 +57,7 @@ The service is configured using the environment variables presented in the follo
 | `SMQ_JAEGER_TRACE_RATIO`            | Jaeger sampling ratio                                                   | 1.0                               |
 | `SMQ_SEND_TELEMETRY`                | Send telemetry to supermq call home server.                             | true                              |
 | `SMQ_USERS_INSTANCE_ID`             | SuperMQ instance ID                                                     | ""                                |
+| `SMQ_USERS_CACHE_URL`               | Cache database URL                                                      | redis://localhost:6379/0          |
 
 ## Deployment
 
@@ -120,6 +121,7 @@ SMQ_OAUTH_UI_ERROR_URL=http://localhost:9095/error \
 SMQ_USERS_DELETE_INTERVAL=24h \
 SMQ_USERS_DELETE_AFTER=720h \
 SMQ_USERS_INSTANCE_ID="" \
+SMQ_USERS_CACHE_URL=redis://localhost:6379/0 \
 $GOBIN/supermq-users
 ```
 

users/api/endpoint_test.go

@@ -29,6 +29,7 @@ import (
 	usersapi "github.com/absmach/supermq/users/api"
 	"github.com/absmach/supermq/users/mocks"
 	"github.com/go-chi/chi/v5"
+	"github.com/redis/go-redis/v9"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 )
@@ -97,7 +98,9 @@ func newUsersServer() (*httptest.Server, *mocks.Service, *authnmocks.Authenticat
 	authn := new(authnmocks.Authentication)
 	am := smqauthn.NewAuthNMiddleware(authn)
 	token := new(authmocks.TokenServiceClient)
-	usersapi.MakeHandler(svc, am, token, true, mux, logger, "", passRegex, idp, provider)
+	// Create a mock Redis client for testing (won't be used in these tests)
+	redisClient := redis.NewClient(&redis.Options{Addr: "localhost:6379"})
+	usersapi.MakeHandler(svc, am, token, true, mux, logger, "", passRegex, idp, redisClient, provider)
 
 	return httptest.NewServer(mux), svc, authn
 }

users/api/oauth.go

@@ -257,23 +257,23 @@ func handleDeviceFlowCallback(w http.ResponseWriter, r *http.Request, oauth oaut
 	deviceCode, err := deviceStore.GetByUserCode(userCode)
 	if err != nil {
 		w.Header().Set("Content-Type", "text/html")
-		fmt.Fprint(w, `<html><body><h1>Invalid Code</h1><p>The device code is invalid or has expired.</p></body></html>`)
+		fmt.Fprint(w, strings.Replace(errorHTML, "{{ERROR_MESSAGE}}", "The device code is invalid or has expired.", 1))
 		return
 	}
 
 	// Get OAuth authorization code
 	code := r.FormValue("code")
 	if code == "" {
 		w.Header().Set("Content-Type", "text/html")
-		fmt.Fprint(w, `<html><body><h1>Error</h1><p>No authorization code received.</p></body></html>`)
+		fmt.Fprint(w, strings.Replace(errorHTML, "{{ERROR_MESSAGE}}", "No authorization code received.", 1))
 		return
 	}
 
 	// Exchange OAuth code for token
 	token, err := oauth.Exchange(r.Context(), code)
 	if err != nil {
 		w.Header().Set("Content-Type", "text/html")
-		fmt.Fprintf(w, `<html><body><h1>Error</h1><p>Failed to exchange code: %s</p></body></html>`, err.Error())
+		fmt.Fprint(w, strings.Replace(errorHTML, "{{ERROR_MESSAGE}}", fmt.Sprintf("Failed to exchange code: %s.", err.Error()), 1))
 		return
 	}
 
@@ -282,87 +282,11 @@ func handleDeviceFlowCallback(w http.ResponseWriter, r *http.Request, oauth oaut
 	deviceCode.AccessToken = token.AccessToken
 	if err := deviceStore.Update(deviceCode); err != nil {
 		w.Header().Set("Content-Type", "text/html")
-		fmt.Fprintf(w, `<html><body><h1>Error</h1><p>Failed to approve device: %s</p></body></html>`, err.Error())
+		fmt.Fprint(w, strings.Replace(errorHTML, "{{ERROR_MESSAGE}}", fmt.Sprintf("Failed to approve device: %s.", err.Error()), 1))
 		return
 	}
 
 	// Show success page
 	w.Header().Set("Content-Type", "text/html")
-	successHTML := `<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>Device Approved - Magistrala</title>
-    <style>
-        * { margin: 0; padding: 0; box-sizing: border-box; }
-        body {
-            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-            background: #073764;
-            min-height: 100vh;
-            display: flex;
-            align-items: center;
-            justify-content: center;
-            padding: 20px;
-        }
-        .container {
-            background: white;
-            border-radius: 16px;
-            box-shadow: 0 20px 60px rgba(0, 0, 0, 0.3);
-            padding: 48px;
-            max-width: 500px;
-            width: 100%;
-            text-align: center;
-        }
-        .success-icon {
-            width: 80px;
-            height: 80px;
-            margin: 0 auto 24px;
-            background: #10b981;
-            border-radius: 50%;
-            display: flex;
-            align-items: center;
-            justify-content: center;
-        }
-        .checkmark {
-            width: 50px;
-            height: 50px;
-        }
-        .checkmark-path {
-            stroke: white;
-            stroke-width: 4;
-            fill: none;
-            stroke-linecap: round;
-            stroke-linejoin: round;
-        }
-        h1 {
-            color: #073764;
-            font-size: 32px;
-            margin-bottom: 16px;
-        }
-        p {
-            color: #4a5568;
-            font-size: 18px;
-            line-height: 1.6;
-        }
-        @media (max-width: 600px) {
-            .container { padding: 32px 24px; }
-            h1 { font-size: 28px; }
-        }
-    </style>
-</head>
-<body>
-    <div class="container">
-        <div class="success-icon">
-            <svg class="checkmark" viewBox="0 0 52 52">
-                <path class="checkmark-path" d="M14 27l10 10 18-20"/>
-            </svg>
-        </div>
-        <h1>Device Approved!</h1>
-        <p>Your device has been successfully authorized.</p>
-        <p>You can now close this window and return to your device.</p>
-    </div>
-</body>
-</html>`
 	fmt.Fprint(w, successHTML)
 }

users/api/oauth_device.go

@@ -40,13 +40,13 @@ type DeviceCode struct {
 	VerificationURI string    `json:"verification_uri"`
 	ExpiresIn       int       `json:"expires_in"`
 	Interval        int       `json:"interval"`
-	Provider        string    `json:"-"`
-	CreatedAt       time.Time `json:"-"`
-	State           string    `json:"-"`
-	AccessToken     string    `json:"-"`
-	Approved        bool      `json:"-"`
-	Denied          bool      `json:"-"`
-	LastPoll        time.Time `json:"-"`
+	Provider        string    `json:"provider,omitempty"`
+	CreatedAt       time.Time `json:"created_at,omitempty"`
+	State           string    `json:"state,omitempty"`
+	AccessToken     string    `json:"access_token,omitempty"`
+	Approved        bool      `json:"approved,omitempty"`
+	Denied          bool      `json:"denied,omitempty"`
+	LastPoll        time.Time `json:"last_poll,omitempty"`
 }
 
 // DeviceCodeStore manages device authorization codes.