chore: switch to oauth2 package for token handling

Signed-off-by: Donnie Adams <donnie@acorn.io>

Author: thedadams

go.mod

@@ -24,6 +24,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rogpeppe/go-internal v1.8.0 // indirect
 	golang.org/x/crypto v0.41.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/text v0.28.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

go.sum

@@ -37,6 +37,8 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
 golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
 golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=

pkg/db/db.go

@@ -105,7 +105,7 @@ func (d *Store) StoreClient(client *types.ClientInfo) error {
 
 // StoreGrant stores a new grant
 func (d *Store) StoreGrant(grant *types.Grant) error {
-	// Convert []string to StringSlice and map[string]interface{} to JSON for GORM
+	// Convert []string to StringSlice and map[string]any to JSON for GORM
 	gormGrant := &types.Grant{
 		ID:                  grant.ID,
 		ClientID:            grant.ClientID,
@@ -157,8 +157,8 @@ func (d *Store) GetGrant(grantID, userID string) (*types.Grant, error) {
 		ClientID:            grant.ClientID,
 		UserID:              grant.UserID,
 		Scope:               []string(grant.Scope),
-		Metadata:            map[string]interface{}(grant.Metadata),
-		Props:               map[string]interface{}(grant.Props),
+		Metadata:            map[string]any(grant.Metadata),
+		Props:               map[string]any(grant.Props),
 		CreatedAt:           grant.CreatedAt,
 		ExpiresAt:           grant.ExpiresAt,
 		CodeChallenge:       grant.CodeChallenge,
@@ -275,7 +275,7 @@ func (d *Store) RevokeToken(token string) error {
 	now := time.Now()
 
 	// First try to revoke as access token
-	result := d.db.Model(&types.TokenData{}).Where("access_token = ?", hashedToken).Updates(map[string]interface{}{
+	result := d.db.Model(&types.TokenData{}).Where("access_token = ?", hashedToken).Updates(map[string]any{
 		"revoked":    true,
 		"revoked_at": &now,
 	})
@@ -288,7 +288,7 @@ func (d *Store) RevokeToken(token string) error {
 	}
 
 	// If not found as access token, try as refresh token
-	result = d.db.Model(&types.TokenData{}).Where("refresh_token = ?", hashedToken).Updates(map[string]interface{}{
+	result = d.db.Model(&types.TokenData{}).Where("refresh_token = ?", hashedToken).Updates(map[string]any{
 		"revoked":    true,
 		"revoked_at": &now,
 	})
@@ -344,7 +344,7 @@ func (d *Store) CleanupExpiredTokens() error {
 }
 
 // StoreAuthRequest stores an authorization request with a 15-minute TTL
-func (d *Store) StoreAuthRequest(key string, data map[string]interface{}) error {
+func (d *Store) StoreAuthRequest(key string, data map[string]any) error {
 	authRequest := &types.StoredAuthRequest{
 		Key:       key,
 		Data:      types.JSON(data),
@@ -354,15 +354,15 @@ func (d *Store) StoreAuthRequest(key string, data map[string]interface{}) error
 }
 
 // GetAuthRequest retrieves an authorization request by key and checks TTL
-func (d *Store) GetAuthRequest(key string) (map[string]interface{}, error) {
+func (d *Store) GetAuthRequest(key string) (map[string]any, error) {
 	var authRequest types.StoredAuthRequest
 	err := d.db.First(&authRequest, "key = ? AND expires_at > ?", key, time.Now()).Error
 	if err != nil {
 		return nil, err
 	}
 
 	// Convert JSON back to map
-	return map[string]interface{}(authRequest.Data), nil
+	return map[string]any(authRequest.Data), nil
 }
 
 // DeleteAuthRequest deletes an authorization request by key

pkg/db/db_test.go

@@ -128,8 +128,8 @@ func testGrantOperations(t *testing.T, db *Store) {
 		ClientID:            clientID,
 		UserID:              userID,
 		Scope:               []string{"read", "write", "admin"},
-		Metadata:            map[string]interface{}{"provider": "test", "ip": "127.0.0.1"},
-		Props:               map[string]interface{}{"email": "test@example.com", "name": "Test User"},
+		Metadata:            map[string]any{"provider": "test", "ip": "127.0.0.1"},
+		Props:               map[string]any{"email": "test@example.com", "name": "Test User"},
 		CreatedAt:           time.Now().Unix(),
 		ExpiresAt:           time.Now().Add(10 * time.Minute).Unix(),
 		CodeChallenge:       "test_challenge",
@@ -174,7 +174,7 @@ func testTokenOperations(t *testing.T, db *Store) {
 		ClientID: "test_client_db",
 		UserID:   "test_user_123",
 		Scope:    []string{"read", "write", "admin"},
-		Metadata: map[string]interface{}{"provider": "test", "ip": "127.0.0.1"},
+		Metadata: map[string]any{"provider": "test", "ip": "127.0.0.1"},
 	}
 
 	err = db.StoreGrant(grant)
@@ -262,7 +262,7 @@ func testAuthCodeOperations(t *testing.T, db *Store) {
 		ClientID: "test_client_db",
 		UserID:   userID,
 		Scope:    []string{"read", "write", "admin"},
-		Metadata: map[string]interface{}{"provider": "test", "ip": "127.0.0.1"},
+		Metadata: map[string]any{"provider": "test", "ip": "127.0.0.1"},
 	}
 
 	err = db.StoreGrant(grant)
@@ -298,7 +298,7 @@ func testCleanupOperations(t *testing.T, db *Store) {
 		ClientID: "test_client_db",
 		UserID:   userID,
 		Scope:    []string{"read", "write", "admin"},
-		Metadata: map[string]interface{}{"provider": "test", "ip": "127.0.0.1"},
+		Metadata: map[string]any{"provider": "test", "ip": "127.0.0.1"},
 	}
 
 	err = db.StoreGrant(grant)
@@ -382,7 +382,7 @@ func testRefreshTokenExpiration(t *testing.T, db *Store) {
 		ClientID:  clientID,
 		UserID:    "test_user_123",
 		Scope:     []string{"read", "write", "admin"},
-		Metadata:  map[string]interface{}{"provider": "test", "ip": "127.0.0.1"},
+		Metadata:  map[string]any{"provider": "test", "ip": "127.0.0.1"},
 		ExpiresAt: time.Now().Add(1 * time.Hour).Unix(),
 	}
 

pkg/db/sqlite_test.go

@@ -63,8 +63,8 @@ func TestSQLiteDatabase(t *testing.T) {
 			ClientID:  "test_client_sqlite",
 			UserID:    "test_user",
 			Scope:     []string{"openid", "profile"},
-			Metadata:  map[string]interface{}{"test": "value"},
-			Props:     map[string]interface{}{"prop": "value"},
+			Metadata:  map[string]any{"test": "value"},
+			Props:     map[string]any{"prop": "value"},
 			CreatedAt: time.Now().Unix(),
 			ExpiresAt: time.Now().Add(time.Hour).Unix(),
 		}

pkg/encryption/encryption.go

@@ -17,7 +17,7 @@ type EncryptedProps struct {
 }
 
 // EncryptData encrypts sensitive data using AES-256-GCM
-func EncryptData(data map[string]interface{}, encryptionKey []byte) (*EncryptedProps, error) {
+func EncryptData(data map[string]any, encryptionKey []byte) (*EncryptedProps, error) {
 	// Convert data to JSON
 	jsonData, err := json.Marshal(data)
 	if err != nil {
@@ -53,7 +53,7 @@ func EncryptData(data map[string]interface{}, encryptionKey []byte) (*EncryptedP
 }
 
 // DecryptData decrypts encrypted data using AES-256-GCM
-func DecryptData(encryptedProps *EncryptedProps, encryptionKey []byte) (map[string]interface{}, error) {
+func DecryptData(encryptedProps *EncryptedProps, encryptionKey []byte) (map[string]any, error) {
 	// Decode base64 data
 	ciphertext, err := base64.StdEncoding.DecodeString(encryptedProps.Data)
 	if err != nil {
@@ -84,7 +84,7 @@ func DecryptData(encryptedProps *EncryptedProps, encryptionKey []byte) (map[stri
 	}
 
 	// Unmarshal JSON data
-	var data map[string]interface{}
+	var data map[string]any
 	if err := json.Unmarshal(plaintext, &data); err != nil {
 		return nil, fmt.Errorf("failed to unmarshal decrypted data: %w", err)
 	}
@@ -93,7 +93,7 @@ func DecryptData(encryptedProps *EncryptedProps, encryptionKey []byte) (map[stri
 }
 
 // DecryptPropsIfNeeded decrypts props data if it's encrypted, otherwise returns the original data
-func DecryptPropsIfNeeded(encryptionKey []byte, props map[string]interface{}) (map[string]interface{}, error) {
+func DecryptPropsIfNeeded(encryptionKey []byte, props map[string]any) (map[string]any, error) {
 	// Check if data is encrypted
 	encrypted, ok := props["encrypted"].(bool)
 	if !ok || !encrypted {
@@ -131,7 +131,7 @@ func DecryptPropsIfNeeded(encryptionKey []byte, props map[string]interface{}) (m
 	}
 
 	// Merge decrypted data with non-sensitive props
-	result := make(map[string]interface{})
+	result := make(map[string]any)
 	for key, value := range props {
 		if key != "encrypted_data" && key != "iv" && key != "algorithm" && key != "encrypted" {
 			result[key] = value

pkg/handlerutils/handlerutils.go

@@ -8,7 +8,7 @@ import (
 	"strings"
 )
 
-func JSON(w http.ResponseWriter, statusCode int, obj interface{}) {
+func JSON(w http.ResponseWriter, statusCode int, obj any) {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(statusCode)
 	if obj != nil {

pkg/oauth/authorize/authorize.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"slices"
 	"strings"
 
 	"github.com/obot-platform/mcp-oauth-proxy/pkg/encryption"
@@ -14,7 +15,7 @@ import (
 
 type AuthorizationStore interface {
 	GetClient(clientID string) (*types.ClientInfo, error)
-	StoreAuthRequest(key string, data map[string]interface{}) error
+	StoreAuthRequest(key string, data map[string]any) error
 }
 
 type Handler struct {
@@ -94,15 +95,7 @@ func (p *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Validate redirect URI
-	validRedirect := false
-	for _, uri := range clientInfo.RedirectUris {
-		if uri == authReq.RedirectURI {
-			validRedirect = true
-			break
-		}
-	}
-	if !validRedirect {
+	if !slices.Contains(clientInfo.RedirectUris, authReq.RedirectURI) {
 		handlerutils.JSON(w, http.StatusBadRequest, types.OAuthError{
 			Error:            "invalid_request",
 			ErrorDescription: "Invalid redirect URI",
@@ -123,7 +116,7 @@ func (p *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	stateKey := encryption.GenerateRandomString(32)
 
 	// Store the auth request data in the database
-	authData := map[string]interface{}{
+	authData := map[string]any{
 		"response_type":         authReq.ResponseType,
 		"client_id":             authReq.ClientID,
 		"redirect_uri":          authReq.RedirectURI,

pkg/oauth/callback/callback.go

@@ -17,7 +17,7 @@ import (
 type Store interface {
 	StoreGrant(grant *types.Grant) error
 	StoreAuthCode(code, grantID, userID string) error
-	GetAuthRequest(key string) (map[string]interface{}, error)
+	GetAuthRequest(key string) (map[string]any, error)
 	DeleteAuthRequest(key string) error
 }
 
@@ -49,8 +49,8 @@ func (p *Handler) scopeContainsProfileOrEmail(scopes []string) bool {
 	return false
 }
 
-// getStringFromMap safely extracts a string value from a map[string]interface{}
-func getStringFromMap(data map[string]interface{}, key string) string {
+// getStringFromMap safely extracts a string value from a map[string]any
+func getStringFromMap(data map[string]any, key string) string {
 	if value, ok := data[key]; ok {
 		if str, ok := value.(string); ok {
 			return str
@@ -149,10 +149,10 @@ func (p *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	now := time.Now().Unix()
 
 	// Prepare sensitive props data
-	sensitiveProps := map[string]interface{}{
+	sensitiveProps := map[string]any{
 		"access_token":  tokenInfo.AccessToken,
 		"refresh_token": tokenInfo.RefreshToken,
-		"expires_at":    tokenInfo.ExpireAt,
+		"expires_at":    tokenInfo.Expiry.Unix(),
 	}
 
 	// Only add user info if we have it
@@ -162,7 +162,7 @@ func (p *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Initialize props map
-	props := make(map[string]interface{})
+	props := make(map[string]any)
 
 	// Encrypt the sensitive props data
 	encryptedProps, err := encryption.EncryptData(sensitiveProps, p.encryptionKey)
@@ -186,7 +186,7 @@ func (p *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		ClientID: authReq.ClientID,
 		UserID:   userInfo.ID,
 		Scope:    scopes,
-		Metadata: map[string]interface{}{
+		Metadata: map[string]any{
 			"provider": p.provider,
 		},
 		Props:               props,

pkg/oauth/register/register.go

@@ -49,7 +49,7 @@ func (p *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Parse request.JSON body
-	var clientMetadata map[string]interface{}
+	var clientMetadata map[string]any
 	if err := json.NewDecoder(io.LimitReader(r.Body, 1024*1024)).Decode(&clientMetadata); err != nil {
 		handlerutils.JSON(w, http.StatusBadRequest, types.OAuthError{
 			Error:            "invalid_request",
@@ -112,7 +112,7 @@ func (p *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	// Build response
 	baseURL := handlerutils.GetBaseURL(r)
-	response := map[string]interface{}{
+	response := map[string]any{
 		"client_id":                  clientInfo.ClientID,
 		"redirect_uris":              clientInfo.RedirectUris,
 		"client_name":                clientInfo.ClientName,
@@ -138,9 +138,9 @@ func (p *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	handlerutils.JSON(w, http.StatusCreated, response)
 }
 
-func (p *Handler) validateClientMetadata(metadata map[string]interface{}) (*types.ClientInfo, error) {
+func (p *Handler) validateClientMetadata(metadata map[string]any) (*types.ClientInfo, error) {
 	// Helper function to validate string fields
-	validateStringField := func(field interface{}, name string) (string, error) {
+	validateStringField := func(field any, name string) (string, error) {
 		if field == nil {
 			return "", nil
 		}
@@ -151,11 +151,11 @@ func (p *Handler) validateClientMetadata(metadata map[string]interface{}) (*type
 	}
 
 	// Helper function to validate string arrays
-	validateStringArray := func(arr interface{}, name string) ([]string, error) {
+	validateStringArray := func(arr any, name string) ([]string, error) {
 		if arr == nil {
 			return nil, nil
 		}
-		if array, ok := arr.([]interface{}); ok {
+		if array, ok := arr.([]any); ok {
 			result := make([]string, len(array))
 			for i, item := range array {
 				if str, ok := item.(string); ok {