Add thirdparty Discord provider (OAuth 2.0)

backend/config/config.go

@@ -3,6 +3,10 @@ package config
 import (
 	"errors"
 	"fmt"
+	"log"
+	"strings"
+	"time"
+
 	"github.com/fatih/structs"
 	"github.com/gobwas/glob"
 	"github.com/kelseyhightower/envconfig"
@@ -11,9 +15,6 @@ import (
 	"github.com/knadh/koanf/providers/file"
 	"github.com/teamhanko/hanko/backend/ee/saml/config"
 	"golang.org/x/exp/slices"
-	"log"
-	"strings"
-	"time"
 )
 
 // Config is the central configuration type
@@ -582,9 +583,10 @@ func (p *ThirdPartyProvider) Validate() error {
 }
 
 type ThirdPartyProviders struct {
-	Google ThirdPartyProvider `yaml:"google" json:"google,omitempty" koanf:"google"`
-	GitHub ThirdPartyProvider `yaml:"github" json:"github,omitempty" koanf:"github"`
-	Apple  ThirdPartyProvider `yaml:"apple" json:"apple,omitempty" koanf:"apple"`
+	Google  ThirdPartyProvider `yaml:"google" json:"google,omitempty" koanf:"google"`
+	GitHub  ThirdPartyProvider `yaml:"github" json:"github,omitempty" koanf:"github"`
+	Apple   ThirdPartyProvider `yaml:"apple" json:"apple,omitempty" koanf:"apple"`
+	Discord ThirdPartyProvider `yaml:"discord" json:"discord,omitempty" koanf:"discord"`
 }
 
 func (p *ThirdPartyProviders) Validate() error {

backend/docs/Config.md

@@ -562,6 +562,34 @@ third_party:
       # Required if provider is enabled.
       #
       secret: "CHANGE_ME"
+    ##
+    #
+    # The Discord provider configuration
+    #
+    discord:
+      ##
+      #
+      # Enable or disable the Discord provider.
+      #
+      # Default: false
+      #
+      enabled: false
+      ##
+      #
+      # The client ID of your Discord OAuth credentials.
+      # See: https://docs.hanko.io/guides/authentication-methods/oauth/discord
+      #
+      # Required if provider is enabled.
+      #
+      client_id: "CHANGE_ME"
+      ##
+      #
+      # The secret of your Discord OAuth credentials.
+      # See: https://docs.hanko.io/guides/authentication-methods/oauth/discord
+      #
+      # Required if provider is enabled.
+      #
+      secret: "CHANGE_ME"
 log:
   ## log_health_and_metrics
   #

backend/handler/thirdparty_auth_test.go

@@ -1,11 +1,12 @@
 package handler
 
 import (
-	"github.com/teamhanko/hanko/backend/thirdparty"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"strings"
+
+	"github.com/teamhanko/hanko/backend/thirdparty"
 )
 
 func (s *thirdPartySuite) TestThirdPartyHandler_Auth() {
@@ -47,6 +48,15 @@ func (s *thirdPartySuite) TestThirdPartyHandler_Auth() {
 			requestedRedirectTo: "https://app.test.example",
 			expectedBaseURL:     thirdparty.AppleAuthEndpoint,
 		},
+		{
+			name:                "successful redirect to discord",
+			referer:             "https://login.test.example",
+			enabledProviders:    []string{"discord"},
+			allowedRedirectURLs: []string{"https://*.test.example"},
+			requestedProvider:   "discord",
+			requestedRedirectTo: "https://app.test.example",
+			expectedBaseURL:     thirdparty.DiscordOauthAuthEndpoint,
+		},
 		{
 			name:                     "error redirect on missing provider",
 			referer:                  "https://login.test.example",

backend/handler/thirdparty_callback_test.go

@@ -2,12 +2,13 @@ package handler
 
 import (
 	"fmt"
-	"github.com/h2non/gock"
-	"github.com/teamhanko/hanko/backend/thirdparty"
-	"github.com/teamhanko/hanko/backend/utils"
 	"net/http"
 	"net/http/httptest"
 	"testing"
+
+	"github.com/h2non/gock"
+	"github.com/teamhanko/hanko/backend/thirdparty"
+	"github.com/teamhanko/hanko/backend/utils"
 )
 
 func (s *thirdPartySuite) TestThirdPartyHandler_Callback_SignUp_Google() {
@@ -395,6 +396,129 @@ func (s *thirdPartySuite) TestThirdPartyHandler_Callback_SignIn_Apple() {
 	}
 }
 
+func (s *thirdPartySuite) TestThirdPartyHandler_Callback_SignUp_Discord() {
+	defer gock.Off()
+	if testing.Short() {
+		s.T().Skip("skipping test in short mode.")
+	}
+
+	gock.New(thirdparty.DiscordOauthTokenEndpoint).
+		Post("/").
+		Reply(200).
+		JSON(map[string]string{"access_token": "fakeAccessToken"})
+
+	gock.New(thirdparty.DiscordUserInfoEndpoint).
+		Get("/").
+		Reply(200).
+		JSON(&thirdparty.DiscordUser{
+			ID:       "discord_abcde",
+			Email:    "[email protected]",
+			Verified: true,
+		})
+
+	cfg := s.setUpConfig([]string{"discord"}, []string{"https://example.com"})
+
+	state, err := thirdparty.GenerateState(cfg, "discord", "https://example.com")
+	s.NoError(err)
+
+	req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/thirdparty/callback?code=abcde&state=%s", state), nil)
+	req.AddCookie(&http.Cookie{
+		Name:  utils.HankoThirdpartyStateCookie,
+		Value: string(state),
+	})
+
+	c, rec := s.setUpContext(req)
+	handler := s.setUpHandler(cfg)
+
+	if s.NoError(handler.Callback(c)) {
+		s.Equal(http.StatusTemporaryRedirect, rec.Code)
+
+		s.assertLocationHeaderHasToken(rec)
+		s.assertStateCookieRemoved(rec)
+
+		email, err := s.Storage.GetEmailPersister().FindByAddress("[email protected]")
+		s.NoError(err)
+		s.NotNil(email)
+		s.True(email.IsPrimary())
+
+		user, err := s.Storage.GetUserPersister().Get(*email.UserID)
+		s.NoError(err)
+		s.NotNil(user)
+
+		identity := email.Identity
+		s.NotNil(identity)
+		s.Equal("discord", identity.ProviderName)
+		s.Equal("discord_abcde", identity.ProviderID)
+
+		logs, lerr := s.Storage.GetAuditLogPersister().List(0, 0, nil, nil, []string{"thirdparty_signup_succeeded"}, user.ID.String(), email.Address, "", "")
+		s.NoError(lerr)
+		s.Len(logs, 1)
+	}
+}
+
+func (s *thirdPartySuite) TestThirdPartyHandler_Callback_SignIn_Discord() {
+	defer gock.Off()
+	if testing.Short() {
+		s.T().Skip("skipping test in short mode.")
+	}
+
+	err := s.LoadFixtures("../test/fixtures/thirdparty")
+	s.NoError(err)
+
+	gock.New(thirdparty.DiscordOauthTokenEndpoint).
+		Post("/").
+		Reply(200).
+		JSON(map[string]string{"access_token": "fakeAccessToken"})
+
+	gock.New(thirdparty.DiscordUserInfoEndpoint).
+		Get("/").
+		Reply(200).
+		JSON(&thirdparty.DiscordUser{
+			ID:       "discord_abcde",
+			Email:    "[email protected]",
+			Verified: true,
+		})
+
+	cfg := s.setUpConfig([]string{"discord"}, []string{"https://example.com"})
+
+	state, err := thirdparty.GenerateState(cfg, "discord", "https://example.com")
+	s.NoError(err)
+
+	req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/thirdparty/callback?code=abcde&state=%s", state), nil)
+	req.AddCookie(&http.Cookie{
+		Name:  utils.HankoThirdpartyStateCookie,
+		Value: string(state),
+	})
+
+	c, rec := s.setUpContext(req)
+	handler := s.setUpHandler(cfg)
+
+	if s.NoError(handler.Callback(c)) {
+		s.Equal(http.StatusTemporaryRedirect, rec.Code)
+
+		s.assertLocationHeaderHasToken(rec)
+		s.assertStateCookieRemoved(rec)
+
+		email, err := s.Storage.GetEmailPersister().FindByAddress("[email protected]")
+		s.NoError(err)
+		s.NotNil(email)
+		s.True(email.IsPrimary())
+
+		user, err := s.Storage.GetUserPersister().Get(*email.UserID)
+		s.NoError(err)
+		s.NotNil(user)
+
+		identity := email.Identity
+		s.NotNil(identity)
+		s.Equal("discord", identity.ProviderName)
+		s.Equal("discord_abcde", identity.ProviderID)
+
+		logs, lerr := s.Storage.GetAuditLogPersister().List(0, 0, nil, nil, []string{"thirdparty_signin_succeeded"}, user.ID.String(), "", "", "")
+		s.NoError(lerr)
+		s.Len(logs, 1)
+	}
+}
+
 func (s *thirdPartySuite) TestThirdPartyHandler_Callback_SignUp_WithUnclaimedEmail() {
 	defer gock.Off()
 	if testing.Short() {

backend/handler/thirdparty_test.go

@@ -1,6 +1,13 @@
 package handler
 
 import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strconv"
+	"testing"
+	"time"
+
 	"github.com/labstack/echo/v4"
 	"github.com/lestrrat-go/jwx/v2/jwa"
 	jwk2 "github.com/lestrrat-go/jwx/v2/jwk"
@@ -13,12 +20,6 @@ import (
 	"github.com/teamhanko/hanko/backend/session"
 	"github.com/teamhanko/hanko/backend/test"
 	"github.com/teamhanko/hanko/backend/utils"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"strconv"
-	"testing"
-	"time"
 )
 
 func TestThirdPartySuite(t *testing.T) {
@@ -64,11 +65,18 @@ func (s *thirdPartySuite) setUpConfig(enabledProviders []string, allowedRedirect
 					Enabled:  false,
 					ClientID: "fakeClientID",
 					Secret:   "fakeClientSecret",
-				}, GitHub: config.ThirdPartyProvider{
+				},
+				GitHub: config.ThirdPartyProvider{
 					Enabled:  false,
 					ClientID: "fakeClientID",
 					Secret:   "fakeClientSecret",
-				}},
+				},
+				Discord: config.ThirdPartyProvider{
+					Enabled:  false,
+					ClientID: "fakeClientID",
+					Secret:   "fakeClientSecret",
+				},
+			},
 			ErrorRedirectURL:    "https://error.test.example",
 			RedirectURL:         "https://api.test.example/callback",
 			AllowedRedirectURLS: allowedRedirectURLs,
@@ -92,6 +100,8 @@ func (s *thirdPartySuite) setUpConfig(enabledProviders []string, allowedRedirect
 			cfg.ThirdParty.Providers.Google.Enabled = true
 		case "github":
 			cfg.ThirdParty.Providers.GitHub.Enabled = true
+		case "discord":
+			cfg.ThirdParty.Providers.Discord.Enabled = true
 		}
 	}
 

backend/json_schema/hanko.config.json

@@ -695,6 +695,9 @@
         },
         "apple": {
           "$ref": "#/$defs/ThirdPartyProvider"
+        },
+        "discord": {
+          "$ref": "#/$defs/ThirdPartyProvider"
         }
       },
       "additionalProperties": false,

backend/thirdparty/provider.go

@@ -6,13 +6,14 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"github.com/fatih/structs"
-	"github.com/teamhanko/hanko/backend/config"
-	"golang.org/x/oauth2"
 	"io"
 	"net/http"
 	"strings"
 	"time"
+
+	"github.com/fatih/structs"
+	"github.com/teamhanko/hanko/backend/config"
+	"golang.org/x/oauth2"
 )
 
 type UserData struct {
@@ -85,6 +86,8 @@ func GetProvider(config config.ThirdParty, name string) (OAuthProvider, error) {
 		return NewGithubProvider(config.Providers.GitHub, config.RedirectURL)
 	case "apple":
 		return NewAppleProvider(config.Providers.Apple, config.RedirectURL)
+	case "discord":
+		return NewDiscordProvider(config.Providers.Discord, config.RedirectURL)
 	default:
 		return nil, fmt.Errorf("provider '%s' is not supported", name)
 	}