package handlers import ( "fmt" "net/http" "net/url" "strings" "time" "gauth-central/config" "gauth-central/internal/models" "gauth-central/internal/services" "gauth-central/pkg/utils" "github.com/gin-gonic/gin" "github.com/markbates/goth/gothic" ) type AuthHandler struct { authService *services.AuthService } func NewAuthHandler(authService *services.AuthService) *AuthHandler { return &AuthHandler{authService: authService} } type RegisterRequest struct { UserName string `json:"username" binding:"required,min=3"` Email string `json:"email" binding:"required,email"` Password string `json:"password" binding:"required,min=6"` } type LoginRequest struct { Email string `json:"email" binding:"required,email"` Password string `json:"password" binding:"required"` } type RefreshRequest struct { RefreshToken string `json:"refresh_token" binding:"required"` } // Register godoc // @Summary Register a new user // @Description Register with username, email and password // @Tags auth // @Accept json // @Produce json // @Param request body RegisterRequest true "Register Request" // @Success 201 {object} map[string]interface{} // @Failure 400 {object} map[string]string // @Router /auth/register [post] func (h *AuthHandler) Register(c *gin.Context) { var req RegisterRequest if err := c.ShouldBindJSON(&req); err != nil { c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) return } // Register creates user with email_verified=false; tokens only after email verification user, _, _, verifyToken, err := h.authService.Register(req.UserName, req.Email, req.Password) if err != nil { c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) return } // Send verification email asynchronously go func() { if err := utils.SendVerificationEmail(user.Email, verifyToken); err != nil { fmt.Printf("Failed to send verification email to %s: %v\n", user.Email, err) } else { fmt.Printf("Verification email sent to %s\n", user.Email) } }() roles := user.Roles if roles == nil { roles = []models.Role{} } c.JSON(http.StatusCreated, gin.H{ "message": "User created. Please verify your email.", "user_id": user.ID, "username": user.UserName, "email": user.Email, "avatar": user.Avatar, "roles": roles, "email_verified": false, "verification_token": verifyToken, // Returned for dev convenience, usually hidden in prod }) } // Login godoc // @Summary Login user // @Description Login with email and password to get JWT token // @Tags auth // @Accept json // @Produce json // @Param request body LoginRequest true "Login Request" // @Success 200 {object} map[string]string // @Failure 400 {object} map[string]string // @Failure 401 {object} map[string]string // @Router /auth/login [post] func (h *AuthHandler) Login(c *gin.Context) { var req LoginRequest if err := c.ShouldBindJSON(&req); err != nil { c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) return } user, accessToken, refreshToken, err := h.authService.Login(req.Email, req.Password) if err != nil { c.JSON(http.StatusUnauthorized, gin.H{"error": err.Error()}) return } // Ensure roles is always returned, even if empty roles := user.Roles if roles == nil { roles = []models.Role{} } // Calculate expires timestamp (15 minutes from now, matching JWT expiry) expiresAt := time.Now().Add(15 * time.Minute) // Match OAuth response format for frontend consistency c.JSON(http.StatusOK, gin.H{ "user": gin.H{ "id": user.ID, "name": user.UserName, "email": user.Email, "avatar": user.Avatar, }, "accessToken": accessToken, "refreshToken": refreshToken, "expires": expiresAt.Format(time.RFC3339), "roles": roles, }) } // BeginAuth godoc // @Summary Start OAuth2 flow // @Description Redirect to OAuth2 provider // @Tags oauth // @Param provider path string true "Provider (google, github)" // @Router /auth/{provider} [get] func (h *AuthHandler) BeginAuth(c *gin.Context) { // Try to complete user auth if we've already got a session // but context is not set correctly for gin with gothic usually provider := c.Param("provider") q := c.Request.URL.Query() q.Add("provider", provider) c.Request.URL.RawQuery = q.Encode() gothic.BeginAuthHandler(c.Writer, c.Request) } // Callback godoc // @Summary OAuth2 Callback // @Description Handle callback from OAuth2 provider // @Tags oauth // @Param provider path string true "Provider (google, github)" // @Success 200 {object} map[string]string // @Failure 401 {object} map[string]string // @Router /auth/{provider}/callback [get] func (h *AuthHandler) Callback(c *gin.Context) { provider := c.Param("provider") q := c.Request.URL.Query() q.Add("provider", provider) c.Request.URL.RawQuery = q.Encode() gothUser, err := gothic.CompleteUserAuth(c.Writer, c.Request) if err != nil { c.JSON(http.StatusUnauthorized, gin.H{"error": err.Error()}) return } _, accessToken, refreshToken, err := h.authService.FindOrCreateSocialUser(gothUser, provider) if err != nil { c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()}) return } // Always redirect to frontend with tokens in URL fragment redirectBase := strings.TrimSpace(config.AppConfig.OAuthRedirectURL) if redirectBase == "" { // Default to localhost frontend if not configured redirectBase = "http://localhost:3000/auth/callback" } // Construct redirect URL with tokens in fragment (hash) format redirectURL := fmt.Sprintf( "%s#access_token=%s&refresh_token=%s&provider=%s", strings.TrimRight(redirectBase, "#"), url.QueryEscape(accessToken), url.QueryEscape(refreshToken), url.QueryEscape(provider), ) c.Redirect(http.StatusFound, redirectURL) } // Refresh godoc // @Summary Refresh Access Token // @Description usage: send refresh_token to get new access_token // @Tags auth // @Accept json // @Produce json // @Param request body RefreshRequest true "Refresh Request" // @Success 200 {object} map[string]string // @Failure 400 {object} map[string]string // @Failure 401 {object} map[string]string // @Router /auth/refresh [post] func (h *AuthHandler) Refresh(c *gin.Context) { var req RefreshRequest if err := c.ShouldBindJSON(&req); err != nil { c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) return } accessToken, refreshToken, err := h.authService.RefreshToken(req.RefreshToken) if err != nil { c.JSON(http.StatusUnauthorized, gin.H{"error": err.Error()}) return } c.JSON(http.StatusOK, gin.H{ "access_token": accessToken, "refresh_token": refreshToken, }) } // VerifyEmail godoc // @Summary Verify email address // @Description Verify email with token sent after email/password registration // @Tags auth // @Param token query string true "Verification token" // @Success 200 {object} map[string]string // @Failure 400 {object} map[string]string // @Router /auth/verify-email [get] func (h *AuthHandler) VerifyEmail(c *gin.Context) { token := c.Query("token") if token == "" { c.JSON(http.StatusBadRequest, gin.H{"error": "token is required"}) return } if err := h.authService.VerifyEmail(token); err != nil { c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) return } c.JSON(http.StatusOK, gin.H{"message": "Email verified successfully"}) } // Me godoc // @Summary Get Current User Profile // @Description Get details of the currently authenticated user // @Tags auth // @Security ApiKeyAuth // @Produce json // @Success 200 {object} models.User // @Failure 401 {object} map[string]string // @Router /auth/me [get] func (h *AuthHandler) Me(c *gin.Context) { userID := c.GetString("user_id") if userID == "" { c.JSON(http.StatusUnauthorized, gin.H{"error": "Unauthorized"}) return } user, err := h.authService.GetUserByID(userID) if err != nil { c.JSON(http.StatusUnauthorized, gin.H{"error": err.Error()}) return } c.JSON(http.StatusOK, user) }