feat: update Feishu to current spec and adapt to DingTalk style

Author: xymopen

providers/feishu/feishu.go

@@ -6,69 +6,61 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"net/url"
-	"strings"
-	"sync"
-	"time"
 
 	"github.com/markbates/goth"
 	"golang.org/x/oauth2"
 )
 
-const (
-	appAccessTokenURL string = "https://open.feishu.cn/open-apis/auth/v3/app_access_token/internal/" // get app_access_token
-
-	authURL         string = "https://open.feishu.cn/open-apis/authen/v1/authorize"                 // obtain authorization code
-	tokenURL        string = "https://open.feishu.cn/open-apis/authen/v1/oidc/access_token"         // get user_access_token
-	refreshTokenURL string = "https://open.feishu.cn/open-apis/authen/v1/oidc/refresh_access_token" // refresh user_access_token
-	endpointProfile string = "https://open.feishu.cn/open-apis/authen/v1/user_info"                 // get user info
+// See: https://open.feishu.cn/document/sso/web-application-sso/login-overview
+var (
+	AuthURL    = "https://accounts.feishu.cn/open-apis/authen/v1/authorize"
+	TokenURL   = "https://open.feishu.cn/open-apis/authen/v2/oauth/token"
+	ProfileURL = "https://open.feishu.cn/open-apis/authen/v1/user_info"
 )
 
-// Feishu is the implementation of `goth.Provider` for accessing Feishu
-type Feishu interface {
-	GetAppAccessToken() error // get app access token
-}
-
-// Provider is the implementation of `goth.Provider` for accessing Feishu
+// Provider is the implementation of `goth.Provider` for accessing Feishu.
 type Provider struct {
 	ClientKey    string
 	Secret       string
 	CallbackURL  string
 	HTTPClient   *http.Client
 	config       *oauth2.Config
 	providerName string
-
-	appAccessToken *appAccessToken
 }
 
-// New creates a new Feishu provider and sets up important connection details.
+// New creates a new Feishu provider, and sets up important connection details.
+// You should always call `feishu.New` to get a new Provider. Never try to create
+// one manually.
 func New(clientKey, secret, callbackURL string, scopes ...string) *Provider {
 	p := &Provider{
-		ClientKey:      clientKey,
-		Secret:         secret,
-		CallbackURL:    callbackURL,
-		providerName:   "feishu",
-		appAccessToken: &appAccessToken{},
+		ClientKey:    clientKey,
+		Secret:       secret,
+		CallbackURL:  callbackURL,
+		providerName: "feishu",
 	}
-	p.config = newConfig(p, authURL, tokenURL, scopes)
+	p.config = newConfig(p, scopes)
 	return p
 }
 
-func newConfig(provider *Provider, authURL, tokenURL string, scopes []string) *oauth2.Config {
+func newConfig(provider *Provider, scopes []string) *oauth2.Config {
 	c := &oauth2.Config{
 		ClientID:     provider.ClientKey,
 		ClientSecret: provider.Secret,
 		RedirectURL:  provider.CallbackURL,
 		Endpoint: oauth2.Endpoint{
-			AuthURL:  authURL,
-			TokenURL: tokenURL,
+			AuthURL:  AuthURL,
+			TokenURL: TokenURL,
 		},
 		Scopes: []string{},
 	}
 
 	if len(scopes) > 0 {
 		c.Scopes = append(c.Scopes, scopes...)
+	} else {
+		// If no scope is provided, add the default "auth:user.id:read"
+		c.Scopes = []string{"auth:user.id:read"}
 	}
+
 	return c
 }
 
@@ -80,175 +72,54 @@ func (p *Provider) Name() string {
 	return p.providerName
 }
 
+// SetName is to update the name of the provider (needed in case of multiple providers of 1 type)
 func (p *Provider) SetName(name string) {
 	p.providerName = name
 }
 
-type appAccessToken struct {
-	Token     string
-	ExpiresAt time.Time
-	rMutex    sync.RWMutex
-}
-
-type appAccessTokenReq struct {
-	AppID     string `json:"app_id"`     // 自建应用的 app_id
-	AppSecret string `json:"app_secret"` // 自建应用的 app_secret
-}
-
-type appAccessTokenResp struct {
-	Code           int    `json:"code"`             // 错误码
-	Msg            string `json:"msg"`              // 错误信息
-	AppAccessToken string `json:"app_access_token"` // 用于调用应用级接口的 app_access_token
-	Expire         int64  `json:"expire"`           // app_access_token 的过期时间
-}
-
-// GetAppAccessToken get feishu app access token
-func (p *Provider) GetAppAccessToken() error {
-	// get from cache app access token
-	p.appAccessToken.rMutex.RLock()
-	if time.Now().Before(p.appAccessToken.ExpiresAt) {
-		p.appAccessToken.rMutex.RUnlock()
-		return nil
-	}
-	p.appAccessToken.rMutex.RUnlock()
-
-	reqBody, err := json.Marshal(&appAccessTokenReq{
-		AppID:     p.ClientKey,
-		AppSecret: p.Secret,
-	})
-	if err != nil {
-		return fmt.Errorf("failed to marshal request body: %w", err)
-	}
-
-	req, err := http.NewRequest(http.MethodPost, appAccessTokenURL, bytes.NewBuffer(reqBody))
-	if err != nil {
-		return fmt.Errorf("failed to create app access token request: %w", err)
-	}
-	req.Header.Set("Content-Type", "application/json")
-
-	resp, err := p.Client().Do(req)
-	if err != nil {
-		return fmt.Errorf("failed to send app access token request: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("unexpected status code while fetching app access token: %d", resp.StatusCode)
-	}
-
-	tokenResp := new(appAccessTokenResp)
-	if err = json.NewDecoder(resp.Body).Decode(tokenResp); err != nil {
-		return fmt.Errorf("failed to decode app access token response: %w", err)
-	}
-
-	if tokenResp.Code != 0 {
-		return fmt.Errorf("failed to get app access token: code:%v msg: %s", tokenResp.Code, tokenResp.Msg)
-	}
-
-	// update local cache
-	expirationDuration := time.Duration(tokenResp.Expire) * time.Second
-	p.appAccessToken.rMutex.Lock()
-	p.appAccessToken.Token = tokenResp.AppAccessToken
-	p.appAccessToken.ExpiresAt = time.Now().Add(expirationDuration)
-	p.appAccessToken.rMutex.Unlock()
-
-	return nil
-}
-
+// BeginAuth asks Feishu for an authentication end-point.
 func (p *Provider) BeginAuth(state string) (goth.Session, error) {
-	// build feishu auth url
-	u, err := url.Parse(p.config.AuthCodeURL(state))
-	if err != nil {
-		panic(err)
+	url := p.config.AuthCodeURL(state)
+	session := &Session{
+		AuthURL: url,
 	}
-	query := u.Query()
-	query.Del("response_type")
-	query.Del("client_id")
-	query.Add("app_id", p.ClientKey)
-	u.RawQuery = query.Encode()
-
-	return &Session{
-		AuthURL: u.String(),
-	}, nil
-}
-
-func (p *Provider) UnmarshalSession(data string) (goth.Session, error) {
-	s := &Session{}
-	err := json.NewDecoder(strings.NewReader(data)).Decode(s)
-	return s, err
-}
-
-func (p *Provider) Debug(b bool) {
+	return session, nil
 }
 
-type getUserAccessTokenResp struct {
-	AccessToken      string `json:"access_token"`
-	RefreshToken     string `json:"refresh_token"`
-	TokenType        string `json:"token_type"`
-	ExpiresIn        int    `json:"expires_in"`
-	RefreshExpiresIn int    `json:"refresh_expires_in"`
-	Scope            string `json:"scope"`
-}
+// Debug is a no-op for the amazon package.
+func (p *Provider) Debug(debug bool) {}
 
+// RefreshToken get new access token based on the refresh token
 func (p *Provider) RefreshToken(refreshToken string) (*oauth2.Token, error) {
-	if err := p.GetAppAccessToken(); err != nil {
-		return nil, fmt.Errorf("failed to get app access token: %w", err)
-	}
-	reqBody := strings.NewReader(`{"grant_type":"refresh_token","refresh_token":"` + refreshToken + `"}`)
-
-	req, err := http.NewRequest(http.MethodPost, refreshTokenURL, reqBody)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create refresh token request: %w", err)
-	}
-	req.Header.Set("Content-Type", "application/json")
-	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", p.appAccessToken.Token))
-
-	resp, err := p.Client().Do(req)
+	token := &oauth2.Token{RefreshToken: refreshToken}
+	ts := p.config.TokenSource(goth.ContextForClient(p.Client()), token)
+	newToken, err := ts.Token()
 	if err != nil {
-		return nil, fmt.Errorf("failed to send refresh token request: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("unexpected status code while refreshing token: %d", resp.StatusCode)
+		return nil, err
 	}
-
-	var oauthResp commResponse[getUserAccessTokenResp]
-	err = json.NewDecoder(resp.Body).Decode(&oauthResp)
-	if err != nil {
-		return nil, fmt.Errorf("failed to decode refreshed token: %w", err)
-	}
-	if oauthResp.Code != 0 {
-		return nil, fmt.Errorf("failed to refresh token: code:%v msg: %s", oauthResp.Code, oauthResp.Msg)
-	}
-
-	token := oauth2.Token{
-		AccessToken:  oauthResp.Data.AccessToken,
-		RefreshToken: oauthResp.Data.RefreshToken,
-		Expiry:       time.Now().Add(time.Duration(oauthResp.Data.ExpiresIn) * time.Second),
-	}
-
-	return &token, nil
+	return newToken, err
 }
 
+// RefreshTokenAvailable refresh token is provided by Feishu
 func (p *Provider) RefreshTokenAvailable() bool {
 	return true
 }
 
-type commResponse[T any] struct {
-	Code int    `json:"code"`
-	Msg  string `json:"msg"`
-	Data T      `json:"data"`
-}
-
 type feishuUser struct {
-	OpenID    string `json:"open_id"`
-	UnionID   string `json:"union_id"`
-	UserID    string `json:"user_id"`
-	Name      string `json:"name"`
-	Email     string `json:"enterprise_email"`
-	AvatarURL string `json:"avatar_url"`
-	Mobile    string `json:"mobile,omitempty"`
+	Name            string `json:"name"`
+	EnName          string `json:"en_name"`
+	AvatarURL       string `json:"avatar_url"`
+	AvatarThumb     string `json:"avatar_thumb"`
+	AvatarMiddle    string `json:"avatar_middle"`
+	AvatarBig       string `json:"avatar_big"`
+	OpenID          string `json:"open_id"`
+	UnionID         string `json:"union_id"`
+	Email           string `json:"email,omitempty"`
+	EnterpriseEmail string `json:"enterprise_email,omitempty"`
+	UserID          string `json:"user_id,omitempty"`
+	Mobile          string `json:"mobile,omitempty"`
+	TenantKey       string `json:"tenant_key"`
+	EmployeeNo      string `json:"employee_no,omitempty"`
 }
 
 // FetchUser will go to Feishu and access basic information about the user.
@@ -260,48 +131,74 @@ func (p *Provider) FetchUser(session goth.Session) (goth.User, error) {
 		RefreshToken: sess.RefreshToken,
 		ExpiresAt:    sess.ExpiresAt,
 	}
+
 	if user.AccessToken == "" {
+		// data is not yet retrieved since accessToken is still empty
 		return user, fmt.Errorf("%s cannot get user information without accessToken", p.providerName)
 	}
 
-	req, err := http.NewRequest("GET", endpointProfile, nil)
+	// Get user information
+	reqProfile, err := http.NewRequest("GET", ProfileURL, nil)
 	if err != nil {
-		return user, fmt.Errorf("%s failed to create request: %w", p.providerName, err)
+		return user, err
 	}
-	req.Header.Set("Authorization", "Bearer "+user.AccessToken)
 
-	resp, err := p.Client().Do(req)
+	reqProfile.Header.Add("Authorization", fmt.Sprintf("Bearer %s", user.AccessToken))
+	reqProfile.Header.Add("Content-Type", "application/json")
+
+	response, err := p.Client().Do(reqProfile)
 	if err != nil {
-		return user, fmt.Errorf("%s failed to get user information: %w", p.providerName, err)
+		return user, err
 	}
-	defer resp.Body.Close()
+	defer response.Body.Close()
 
-	if resp.StatusCode != http.StatusOK {
-		return user, fmt.Errorf("%s responded with a %d trying to fetch user information", p.providerName, resp.StatusCode)
+	if response.StatusCode != http.StatusOK {
+		return user, fmt.Errorf("%s responded with a %d trying to fetch user information", p.providerName, response.StatusCode)
 	}
 
-	responseBytes, err := io.ReadAll(resp.Body)
+	bits, err := io.ReadAll(response.Body)
 	if err != nil {
-		return user, fmt.Errorf("failed to read response body: %w", err)
+		return user, err
 	}
 
-	var oauthResp commResponse[feishuUser]
-	if err = json.Unmarshal(responseBytes, &oauthResp); err != nil {
-		return user, fmt.Errorf("failed to decode user info: %w", err)
+	resBody := struct {
+		Code int                    `json:"code"`
+		Msg  string                 `json:"msg"`
+		Data map[string]interface{} `json:"data"`
+	}{}
+	err = json.Unmarshal(bits, &resBody)
+	if err != nil {
+		return user, err
 	}
-	if oauthResp.Code != 0 {
-		return user, fmt.Errorf("failed to get user info: code:%v msg: %s", oauthResp.Code, oauthResp.Msg)
+	if resBody.Code != 0 {
+		return user, fmt.Errorf(resBody.Msg)
 	}
 
-	u := oauthResp.Data
-	user.UserID = u.UserID
+	dataBits, err := json.Marshal(resBody.Data)
+	if err != nil {
+		return user, err
+	}
+
+	err = userFromReader(bytes.NewReader(dataBits), &user)
+	return user, err
+}
+
+func userFromReader(r io.Reader, user *goth.User) error {
+	// Extract user fields directly
+	u := feishuUser{}
+	err := json.NewDecoder(r).Decode(&u)
+	if err != nil {
+		return err
+	}
+	bits, _ := json.Marshal(u)
+	json.NewDecoder(bytes.NewReader(bits)).Decode(&user.RawData)
+
+	// Populate user struct
+	user.Email = u.EnterpriseEmail
 	user.Name = u.Name
-	user.Email = u.Email
-	user.AvatarURL = u.AvatarURL
 	user.NickName = u.Name
+	user.UserID = u.OpenID
+	user.AvatarURL = u.AvatarURL
 
-	if err = json.Unmarshal(responseBytes, &user.RawData); err != nil {
-		return user, err
-	}
-	return user, nil
+	return nil
 }