in pan-domain-auth-play/src/main/scala/com/gu/pandomainauth/service/OAuth.scala [67:113]
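/**
 * Completes the OAuth authorization-code flow for the callback request in scope.
 *
 * Checks the callback's `state` query parameter against the expected anti-forgery token,
 * exchanges the `code` query parameter for tokens at the provider's token endpoint, then
 * fetches the user's profile from the userinfo endpoint using the returned access token.
 *
 * @param expectedAntiForgeryToken the `state` value issued when the flow was started
 * @param request the OAuth callback request; must carry `state` and `code` query parameters
 * @param context execution context the provider calls run on
 * @param ws HTTP client used to reach the provider
 * @return the authenticated user. The future fails if `code` is absent from the callback;
 *         non-success provider responses are handled by `oAuthResponse` (behaviour not
 *         visible in this method).
 * @throws IllegalArgumentException synchronously (not as a failed future) when `state`
 *         does not contain the expected anti-forgery token
 */
def validatedUserIdentity(expectedAntiForgeryToken: String)
  (implicit request: RequestHeader, context: ExecutionContext, ws: WSClient): Future[AuthenticatedUser] = {
  // Anti-forgery (CSRF) check: the callback must echo the `state` we issued. `contains` tolerates
  // a repeated `state` parameter; an absent parameter is treated as a mismatch.
  if (!request.queryString.getOrElse("state", Nil).contains(expectedAntiForgeryToken)) {
    throw new IllegalArgumentException("The anti forgery token did not match")
  } else {
    discoveryDocument.flatMap { dd =>
      // Map.apply on a callback without `code` raised a bare NoSuchElementException; fail with an
      // explicit message instead. Thrown inside flatMap, so it still surfaces as a failed future.
      val code = request.queryString.get("code").flatMap(_.headOption).getOrElse(
        throw new IllegalArgumentException("The OAuth callback did not include a `code` parameter")
      )
      ws.url(dd.token_endpoint).post {
        Map(
          "code" -> Seq(code),
          "client_id" -> Seq(config.clientId),
          "client_secret" -> Seq(config.clientSecret),
          "redirect_uri" -> Seq(redirectUrl),
          "grant_type" -> Seq("authorization_code")
        )
      }.flatMap { tokenResponse =>
        oAuthResponse(tokenResponse) { json =>
          val token = Token.fromJson(json)
          val jwt = token.jwt
          // NOTE(review): the id_token is parsed here but no issuer/audience check is visible in
          // this method — confirm Token.fromJson (or a caller) performs them.
          ws.url(dd.userinfo_endpoint)
            .withHttpHeaders("Authorization" -> s"Bearer ${token.access_token}")
            .get().map { userInfoResponse =>
              oAuthResponse(userInfoResponse) { json =>
                val userInfo = UserInfo.fromJson(json)
                AuthenticatedUser(
                  user = User(
                    userInfo.given_name,
                    userInfo.family_name,
                    // Prefer the email claim carried in the id_token; fall back to userinfo.
                    // NOTE(review): no verified-email flag is consulted here — confirm the provider
                    // configuration guarantees verified addresses.
                    jwt.claims.email.getOrElse(userInfo.email),
                    userInfo.picture
                  ),
                  authenticatingSystem = system,
                  authenticatedIn = Set(system),
                  // The JWT standard specifies that `exp` is a `NumericDate`,
                  // which is defined as an epoch time in *seconds*
                  // (unlike the Panda cookie `expires` which is in milliseconds)
                  // https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4
                  expires = Instant.ofEpochSecond(jwt.claims.exp),
                  // This flow never asserts a second factor on its own.
                  multiFactor = false
                )
              }
            }
        }
      }
    }
  }
}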