gowebmail/internal/auth/oauth.go

// Package auth handles OAuth2 flows for Gmail and Outlook.
package auth

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"time"

	"golang.org/x/oauth2"
	"golang.org/x/oauth2/google"
	"golang.org/x/oauth2/microsoft"
)

// ---- Gmail OAuth2 ----

// GmailScopes are the OAuth2 scopes required for full Gmail access.
var GmailScopes = []string{
	"https://mail.google.com/",       // Full IMAP+SMTP access
	"https://www.googleapis.com/auth/userinfo.email",
	"https://www.googleapis.com/auth/userinfo.profile",
}

// NewGmailConfig creates an OAuth2 config for Gmail.
func NewGmailConfig(clientID, clientSecret, redirectURL string) *oauth2.Config {
	return &oauth2.Config{
		ClientID:     clientID,
		ClientSecret: clientSecret,
		RedirectURL:  redirectURL,
		Scopes:       GmailScopes,
		Endpoint:     google.Endpoint,
	}
}

// GoogleUserInfo holds the data returned by Google's userinfo endpoint.
type GoogleUserInfo struct {
	ID    string `json:"id"`
	Email string `json:"email"`
	Name  string `json:"name"`
}

// GetGoogleUserInfo fetches the authenticated user's email and name.
func GetGoogleUserInfo(ctx context.Context, token *oauth2.Token, cfg *oauth2.Config) (*GoogleUserInfo, error) {
	client := cfg.Client(ctx, token)
	resp, err := client.Get("https://www.googleapis.com/oauth2/v2/userinfo")
	if err != nil {
		return nil, fmt.Errorf("userinfo request: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("userinfo returned %d", resp.StatusCode)
	}
	var info GoogleUserInfo
	if err := json.NewDecoder(resp.Body).Decode(&info); err != nil {
		return nil, err
	}
	return &info, nil
}

// ---- Microsoft / Outlook OAuth2 ----

// OutlookScopes are required for Outlook/Microsoft 365 mail access.
var OutlookScopes = []string{
	"https://outlook.office.com/IMAP.AccessAsUser.All",
	"https://outlook.office.com/SMTP.Send",
	"offline_access",
	"openid",
	"profile",
	"email",
}

// NewOutlookConfig creates an OAuth2 config for Microsoft/Outlook.
func NewOutlookConfig(clientID, clientSecret, tenantID, redirectURL string) *oauth2.Config {
	return &oauth2.Config{
		ClientID:     clientID,
		ClientSecret: clientSecret,
		RedirectURL:  redirectURL,
		Scopes:       OutlookScopes,
		Endpoint:     microsoft.AzureADEndpoint(tenantID),
	}
}

// MicrosoftUserInfo holds data from Microsoft Graph /me endpoint.
type MicrosoftUserInfo struct {
	ID                string `json:"id"`
	DisplayName       string `json:"displayName"`
	Mail              string `json:"mail"`
	UserPrincipalName string `json:"userPrincipalName"`
}

// Email returns the best available email address.
func (m *MicrosoftUserInfo) Email() string {
	if m.Mail != "" {
		return m.Mail
	}
	return m.UserPrincipalName
}

// GetMicrosoftUserInfo fetches user info from Microsoft Graph.
func GetMicrosoftUserInfo(ctx context.Context, token *oauth2.Token, cfg *oauth2.Config) (*MicrosoftUserInfo, error) {
	client := cfg.Client(ctx, token)
	resp, err := client.Get("https://graph.microsoft.com/v1.0/me")
	if err != nil {
		return nil, fmt.Errorf("graph /me request: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("graph /me returned %d", resp.StatusCode)
	}
	var info MicrosoftUserInfo
	if err := json.NewDecoder(resp.Body).Decode(&info); err != nil {
		return nil, err
	}
	return &info, nil
}

// ---- Token refresh helpers ----

// IsTokenExpired reports whether the token expires within a 60-second buffer.
func IsTokenExpired(expiry time.Time) bool {
	if expiry.IsZero() {
		return false
	}
	return time.Now().Add(60 * time.Second).After(expiry)
}

// RefreshToken attempts to exchange a refresh token for a new access token.
func RefreshToken(ctx context.Context, cfg *oauth2.Config, refreshToken string) (*oauth2.Token, error) {
	ts := cfg.TokenSource(ctx, &oauth2.Token{RefreshToken: refreshToken})
	return ts.Token()
}