get the refresh token from the request with a customizable handler function

Author: Azridum

server/handler.go

@@ -51,6 +51,9 @@ type (
 
 	// ResponseTokenHandler response token handling
 	ResponseTokenHandler func(w http.ResponseWriter, data map[string]interface{}, header http.Header, statusCode ...int) error
+
+	// Handler to fetch the refresh token from the request
+	RefreshTokenResolveHandler func(r *http.Request) (string, error)
 )
 
 // ClientFormHandler get client data from form
@@ -71,3 +74,21 @@ func ClientBasicHandler(r *http.Request) (string, string, error) {
 	}
 	return username, password, nil
 }
+
+func RefreshTokenFormResolveHandler(r *http.Request) (string, error) {
+	rt := r.FormValue("refresh_token")
+	if rt == "" {
+		return "", errors.ErrInvalidRequest
+	}
+
+	return rt, nil
+}
+
+func RefreshTokenCookieResolveHandler(r *http.Request) (string, error) {
+	c, err := r.Cookie("refresh_token")
+	if err != nil {
+		return "", errors.ErrInvalidRequest
+	}
+
+	return c.Value, nil
+}

server/handler_test.go

@@ -0,0 +1,64 @@
+package server
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/go-oauth2/oauth2/v4/errors"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestRefreshTokenFormResolveHandler(t *testing.T) {
+	Convey("Correct Request", t, func() {
+		f := url.Values{}
+		f.Add("refresh_token", "test_token")
+
+		r := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(f.Encode()))
+		r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+		token, err := RefreshTokenFormResolveHandler(r)
+		So(err, ShouldBeNil)
+		So(token, ShouldEqual, "test_token")
+	})
+
+	Convey("Missing Refresh Token", t, func() {
+		r := httptest.NewRequest("POST", "/", nil)
+		r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+		token, err := RefreshTokenFormResolveHandler(r)
+		So(err, ShouldBeError, errors.ErrInvalidRequest)
+		So(token, ShouldBeEmpty)
+	})
+}
+
+func TestRefreshTokenCookieResolveHandler(t *testing.T) {
+	Convey("Correct Request", t, func() {
+		r := httptest.NewRequest(http.MethodPost, "/", nil)
+		r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+		r.AddCookie(&http.Cookie{
+			Name:     "refresh_token",
+			Value:    "test_token",
+			HttpOnly: true,
+			Path:     "/",
+			Domain:   ".example.com",
+			Expires:  time.Now().Add(time.Hour),
+		})
+
+		token, err := RefreshTokenCookieResolveHandler(r)
+		So(err, ShouldBeNil)
+		So(token, ShouldEqual, "test_token")
+	})
+
+	Convey("Missing Refresh Token", t, func() {
+		r := httptest.NewRequest("POST", "/", nil)
+		r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+		token, err := RefreshTokenCookieResolveHandler(r)
+		So(err, ShouldBeError, errors.ErrInvalidRequest)
+		So(token, ShouldBeEmpty)
+	})
+}

server/server.go

@@ -25,8 +25,9 @@ func NewServer(cfg *Config, manager oauth2.Manager) *Server {
 		Manager: manager,
 	}
 
-	// default handler
+	// default handlers
 	srv.ClientInfoHandler = ClientBasicHandler
+	srv.RefreshTokenResolveHandler = RefreshTokenFormResolveHandler
 
 	srv.UserAuthorizationHandler = func(w http.ResponseWriter, r *http.Request) (string, error) {
 		return "", errors.ErrAccessDenied
@@ -56,6 +57,7 @@ type Server struct {
 	AccessTokenExpHandler        AccessTokenExpHandler
 	AuthorizeScopeHandler        AuthorizeScopeHandler
 	ResponseTokenHandler         ResponseTokenHandler
+	RefreshTokenResolveHandler   RefreshTokenResolveHandler
 }
 
 func (s *Server) handleError(w http.ResponseWriter, req *AuthorizeRequest, err error) error {
@@ -367,10 +369,10 @@ func (s *Server) ValidationTokenRequest(r *http.Request) (oauth2.GrantType, *oau
 	case oauth2.ClientCredentials:
 		tgr.Scope = r.FormValue("scope")
 	case oauth2.Refreshing:
-		tgr.Refresh = r.FormValue("refresh_token")
+		tgr.Refresh, err = s.RefreshTokenResolveHandler(r)
 		tgr.Scope = r.FormValue("scope")
-		if tgr.Refresh == "" {
-			return "", nil, errors.ErrInvalidRequest
+		if err != nil {
+			return "", nil, err
 		}
 	}
 	return gt, tgr, nil