oauth.go 16.4 KB
Newer Older
1 2 3 4 5 6 7 8
// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved.
// See License.txt for license information.

package api4

import (
	"net/http"
	"net/url"
9
	"path/filepath"
10 11
	"strings"

Christopher Speller's avatar
Christopher Speller committed
12
	"github.com/mattermost/mattermost-server/app"
13
	"github.com/mattermost/mattermost-server/mlog"
Christopher Speller's avatar
Christopher Speller committed
14 15
	"github.com/mattermost/mattermost-server/model"
	"github.com/mattermost/mattermost-server/utils"
16 17
)

18 19 20 21 22 23 24 25
func (api *API) InitOAuth() {
	api.BaseRoutes.OAuthApps.Handle("", api.ApiSessionRequired(createOAuthApp)).Methods("POST")
	api.BaseRoutes.OAuthApp.Handle("", api.ApiSessionRequired(updateOAuthApp)).Methods("PUT")
	api.BaseRoutes.OAuthApps.Handle("", api.ApiSessionRequired(getOAuthApps)).Methods("GET")
	api.BaseRoutes.OAuthApp.Handle("", api.ApiSessionRequired(getOAuthApp)).Methods("GET")
	api.BaseRoutes.OAuthApp.Handle("/info", api.ApiSessionRequired(getOAuthAppInfo)).Methods("GET")
	api.BaseRoutes.OAuthApp.Handle("", api.ApiSessionRequired(deleteOAuthApp)).Methods("DELETE")
	api.BaseRoutes.OAuthApp.Handle("/regen_secret", api.ApiSessionRequired(regenerateOAuthAppSecret)).Methods("POST")
26

27
	api.BaseRoutes.User.Handle("/oauth/apps/authorized", api.ApiSessionRequired(getAuthorizedOAuthApps)).Methods("GET")
28 29

	// API version independent OAuth 2.0 as a service provider endpoints
30 31 32 33
	api.BaseRoutes.Root.Handle("/oauth/authorize", api.ApiHandlerTrustRequester(authorizeOAuthPage)).Methods("GET")
	api.BaseRoutes.Root.Handle("/oauth/authorize", api.ApiSessionRequired(authorizeOAuthApp)).Methods("POST")
	api.BaseRoutes.Root.Handle("/oauth/deauthorize", api.ApiSessionRequired(deauthorizeOAuthApp)).Methods("POST")
	api.BaseRoutes.Root.Handle("/oauth/access_token", api.ApiHandlerTrustRequester(getAccessToken)).Methods("POST")
34 35

	// API version independent OAuth as a client endpoints
36 37 38 39
	api.BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/complete", api.ApiHandler(completeOAuth)).Methods("GET")
	api.BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/login", api.ApiHandler(loginWithOAuth)).Methods("GET")
	api.BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/mobile_login", api.ApiHandler(mobileLoginWithOAuth)).Methods("GET")
	api.BaseRoutes.Root.Handle("/oauth/{service:[A-Za-z0-9]+}/signup", api.ApiHandler(signupWithOAuth)).Methods("GET")
40 41

	// Old endpoints for backwards compatibility, needed to not break SSO for any old setups
42 43 44
	api.BaseRoutes.Root.Handle("/api/v3/oauth/{service:[A-Za-z0-9]+}/complete", api.ApiHandler(completeOAuth)).Methods("GET")
	api.BaseRoutes.Root.Handle("/signup/{service:[A-Za-z0-9]+}/complete", api.ApiHandler(completeOAuth)).Methods("GET")
	api.BaseRoutes.Root.Handle("/login/{service:[A-Za-z0-9]+}/complete", api.ApiHandler(completeOAuth)).Methods("GET")
45 46 47 48 49 50 51 52 53 54
}

func createOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	oauthApp := model.OAuthAppFromJson(r.Body)

	if oauthApp == nil {
		c.SetInvalidParam("oauth_app")
		return
	}

55
	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
56 57 58 59
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

60
	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
JoramWilander's avatar
JoramWilander committed
61 62 63
		oauthApp.IsTrusted = false
	}

64 65
	oauthApp.CreatorId = c.Session.UserId

Chris's avatar
Chris committed
66
	rapp, err := c.App.CreateOAuthApp(oauthApp)
67 68 69 70 71 72 73 74 75 76
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("client_id=" + rapp.Id)
	w.WriteHeader(http.StatusCreated)
	w.Write([]byte(rapp.ToJson()))
}

77 78 79 80 81 82
func updateOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireAppId()
	if c.Err != nil {
		return
	}

83
	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

	oauthApp := model.OAuthAppFromJson(r.Body)
	if oauthApp == nil {
		c.SetInvalidParam("oauth_app")
		return
	}

	c.LogAudit("attempt")

	oldOauthApp, err := c.App.GetOAuthApp(c.Params.AppId)
	if err != nil {
		c.Err = err
		return
	}

Joram Wilander's avatar
Joram Wilander committed
102
	if c.Session.UserId != oldOauthApp.CreatorId && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
103 104 105 106 107 108 109 110 111 112 113 114 115 116 117
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
		return
	}

	updatedOauthApp, err := c.App.UpdateOauthApp(oldOauthApp, oauthApp)
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("success")

	w.Write([]byte(updatedOauthApp.ToJson()))
}

118
func getOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) {
119
	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
120 121 122 123 124 125
		c.Err = model.NewAppError("getOAuthApps", "api.command.admin_only.app_error", nil, "", http.StatusForbidden)
		return
	}

	var apps []*model.OAuthApp
	var err *model.AppError
126
	if c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
Chris's avatar
Chris committed
127
		apps, err = c.App.GetOAuthApps(c.Params.Page, c.Params.PerPage)
128
	} else if c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
Chris's avatar
Chris committed
129
		apps, err = c.App.GetOAuthAppsByCreator(c.Session.UserId, c.Params.Page, c.Params.PerPage)
130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148
	} else {
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

	if err != nil {
		c.Err = err
		return
	}

	w.Write([]byte(model.OAuthAppListToJson(apps)))
}

func getOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireAppId()
	if c.Err != nil {
		return
	}

149
	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
150 151 152 153
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

Chris's avatar
Chris committed
154
	oauthApp, err := c.App.GetOAuthApp(c.Params.AppId)
155 156 157 158 159
	if err != nil {
		c.Err = err
		return
	}

160
	if oauthApp.CreatorId != c.Session.UserId && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
161 162 163 164 165 166 167 168 169 170 171 172 173
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
		return
	}

	w.Write([]byte(oauthApp.ToJson()))
}

func getOAuthAppInfo(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireAppId()
	if c.Err != nil {
		return
	}

Chris's avatar
Chris committed
174
	oauthApp, err := c.App.GetOAuthApp(c.Params.AppId)
175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191
	if err != nil {
		c.Err = err
		return
	}

	oauthApp.Sanitize()
	w.Write([]byte(oauthApp.ToJson()))
}

func deleteOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireAppId()
	if c.Err != nil {
		return
	}

	c.LogAudit("attempt")

192
	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
193 194 195 196
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

Chris's avatar
Chris committed
197
	oauthApp, err := c.App.GetOAuthApp(c.Params.AppId)
198 199 200 201 202
	if err != nil {
		c.Err = err
		return
	}

203
	if c.Session.UserId != oauthApp.CreatorId && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
204 205 206 207
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
		return
	}

Chris's avatar
Chris committed
208
	err = c.App.DeleteOAuthApp(oauthApp.Id)
209 210 211 212 213 214 215 216 217 218 219 220 221 222 223
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("success")
	ReturnStatusOK(w)
}

func regenerateOAuthAppSecret(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireAppId()
	if c.Err != nil {
		return
	}

224
	if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_OAUTH) {
225 226 227 228
		c.SetPermissionError(model.PERMISSION_MANAGE_OAUTH)
		return
	}

Chris's avatar
Chris committed
229
	oauthApp, err := c.App.GetOAuthApp(c.Params.AppId)
230 231 232 233 234
	if err != nil {
		c.Err = err
		return
	}

235
	if oauthApp.CreatorId != c.Session.UserId && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH) {
236 237 238 239
		c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM_WIDE_OAUTH)
		return
	}

Chris's avatar
Chris committed
240
	oauthApp, err = c.App.RegenerateOAuthAppSecret(oauthApp)
241 242 243 244 245 246 247 248 249 250 251 252 253 254 255
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("success")
	w.Write([]byte(oauthApp.ToJson()))
}

func getAuthorizedOAuthApps(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireUserId()
	if c.Err != nil {
		return
	}

256
	if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) {
257 258 259 260
		c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
		return
	}

Chris's avatar
Chris committed
261
	apps, err := c.App.GetAuthorizedAppsForUser(c.Params.UserId, c.Params.Page, c.Params.PerPage)
262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280
	if err != nil {
		c.Err = err
		return
	}

	w.Write([]byte(model.OAuthAppListToJson(apps)))
}

func authorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	authRequest := model.AuthorizeRequestFromJson(r.Body)
	if authRequest == nil {
		c.SetInvalidParam("authorize_request")
	}

	if err := authRequest.IsValid(); err != nil {
		c.Err = err
		return
	}

281 282 283 284 285 286
	if c.Session.IsOAuth {
		c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
		c.Err.DetailedError += ", attempted access by oauth app"
		return
	}

287 288
	c.LogAudit("attempt")

Chris's avatar
Chris committed
289
	redirectUrl, err := c.App.AllowOAuthAppAccessToUser(c.Session.UserId, authRequest)
290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309

	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("")

	w.Write([]byte(model.MapToJson(map[string]string{"redirect": redirectUrl})))
}

func deauthorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
	requestData := model.MapFromJson(r.Body)
	clientId := requestData["client_id"]

	if len(clientId) != 26 {
		c.SetInvalidParam("client_id")
		return
	}

Chris's avatar
Chris committed
310
	err := c.App.DeauthorizeOAuthAppForUser(c.Session.UserId, clientId)
311 312 313 314 315 316 317 318 319 320
	if err != nil {
		c.Err = err
		return
	}

	c.LogAudit("success")
	ReturnStatusOK(w)
}

func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) {
Chris's avatar
Chris committed
321
	if !c.App.Config().ServiceSettings.EnableOAuthServiceProvider {
322
		err := model.NewAppError("authorizeOAuth", "api.oauth.authorize_oauth.disabled.app_error", nil, "", http.StatusNotImplemented)
Jesse Hallam's avatar
Jesse Hallam committed
323
		utils.RenderWebAppError(c.App.Config(), w, r, err, c.App.AsymmetricSigningKey())
324 325 326 327 328 329 330 331 332 333 334 335
		return
	}

	authRequest := &model.AuthorizeRequest{
		ResponseType: r.URL.Query().Get("response_type"),
		ClientId:     r.URL.Query().Get("client_id"),
		RedirectUri:  r.URL.Query().Get("redirect_uri"),
		Scope:        r.URL.Query().Get("scope"),
		State:        r.URL.Query().Get("state"),
	}

	if err := authRequest.IsValid(); err != nil {
Jesse Hallam's avatar
Jesse Hallam committed
336
		utils.RenderWebAppError(c.App.Config(), w, r, err, c.App.AsymmetricSigningKey())
337 338 339
		return
	}

Chris's avatar
Chris committed
340
	oauthApp, err := c.App.GetOAuthApp(authRequest.ClientId)
341
	if err != nil {
Jesse Hallam's avatar
Jesse Hallam committed
342
		utils.RenderWebAppError(c.App.Config(), w, r, err, c.App.AsymmetricSigningKey())
343 344 345 346 347 348 349 350 351
		return
	}

	// here we should check if the user is logged in
	if len(c.Session.UserId) == 0 {
		http.Redirect(w, r, c.GetSiteURLHeader()+"/login?redirect_to="+url.QueryEscape(r.RequestURI), http.StatusFound)
		return
	}

JoramWilander's avatar
JoramWilander committed
352
	if !oauthApp.IsValidRedirectURL(authRequest.RedirectUri) {
353
		err := model.NewAppError("authorizeOAuthPage", "api.oauth.allow_oauth.redirect_callback.app_error", nil, "", http.StatusBadRequest)
Jesse Hallam's avatar
Jesse Hallam committed
354
		utils.RenderWebAppError(c.App.Config(), w, r, err, c.App.AsymmetricSigningKey())
JoramWilander's avatar
JoramWilander committed
355 356 357
		return
	}

358 359
	isAuthorized := false

Chris's avatar
Chris committed
360
	if _, err := c.App.GetPreferenceByCategoryAndNameForUser(c.Session.UserId, model.PREFERENCE_CATEGORY_AUTHORIZED_OAUTH_APP, authRequest.ClientId); err == nil {
361 362 363 364 365 366
		// when we support scopes we should check if the scopes match
		isAuthorized = true
	}

	// Automatically allow if the app is trusted
	if oauthApp.IsTrusted || isAuthorized {
Chris's avatar
Chris committed
367
		redirectUrl, err := c.App.AllowOAuthAppAccessToUser(c.Session.UserId, authRequest)
368 369

		if err != nil {
Jesse Hallam's avatar
Jesse Hallam committed
370
			utils.RenderWebAppError(c.App.Config(), w, r, err, c.App.AsymmetricSigningKey())
371 372 373 374 375 376 377 378 379
			return
		}

		http.Redirect(w, r, redirectUrl, http.StatusFound)
		return
	}

	w.Header().Set("X-Frame-Options", "SAMEORIGIN")
	w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'")
380
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
381
	w.Header().Set("Cache-Control", "no-cache, max-age=31556926, public")
382 383

	staticDir, _ := utils.FindDir(model.CLIENT_DIR)
384
	http.ServeFile(w, r, filepath.Join(staticDir, "root.html"))
385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425
}

func getAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
	r.ParseForm()

	code := r.FormValue("code")
	refreshToken := r.FormValue("refresh_token")

	grantType := r.FormValue("grant_type")
	switch grantType {
	case model.ACCESS_TOKEN_GRANT_TYPE:
		if len(code) == 0 {
			c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.missing_code.app_error", nil, "", http.StatusBadRequest)
			return
		}
	case model.REFRESH_TOKEN_GRANT_TYPE:
		if len(refreshToken) == 0 {
			c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.missing_refresh_token.app_error", nil, "", http.StatusBadRequest)
			return
		}
	default:
		c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.bad_grant.app_error", nil, "", http.StatusBadRequest)
		return
	}

	clientId := r.FormValue("client_id")
	if len(clientId) != 26 {
		c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.bad_client_id.app_error", nil, "", http.StatusBadRequest)
		return
	}

	secret := r.FormValue("client_secret")
	if len(secret) == 0 {
		c.Err = model.NewAppError("getAccessToken", "api.oauth.get_access_token.bad_client_secret.app_error", nil, "", http.StatusBadRequest)
		return
	}

	redirectUri := r.FormValue("redirect_uri")

	c.LogAudit("attempt")

426
	accessRsp, err := c.App.GetOAuthAccessTokenForCodeFlow(clientId, grantType, redirectUri, code, secret, refreshToken)
427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450
	if err != nil {
		c.Err = err
		return
	}

	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("Cache-Control", "no-store")
	w.Header().Set("Pragma", "no-cache")

	c.LogAudit("success")

	w.Write([]byte(accessRsp.ToJson()))
}

func completeOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireService()
	if c.Err != nil {
		return
	}

	service := c.Params.Service

	code := r.URL.Query().Get("code")
	if len(code) == 0 {
Jesse Hallam's avatar
Jesse Hallam committed
451
		utils.RenderWebError(c.App.Config(), w, r, http.StatusTemporaryRedirect, url.Values{
452 453 454
			"type":    []string{"oauth_missing_code"},
			"service": []string{strings.Title(service)},
		}, c.App.AsymmetricSigningKey())
455 456 457 458 459 460 461
		return
	}

	state := r.URL.Query().Get("state")

	uri := c.GetSiteURLHeader() + "/signup/" + service + "/complete"

Chris's avatar
Chris committed
462
	body, teamId, props, err := c.App.AuthorizeOAuthUser(w, r, service, code, state, uri)
463 464 465 466 467 468

	action := ""
	if props != nil {
		action = props["action"]
	}

469
	if err != nil {
470
		err.Translate(c.T)
471
		mlog.Error(err.Error())
472 473 474
		if action == model.OAUTH_ACTION_MOBILE {
			w.Write([]byte(err.ToJson()))
		} else {
Jesse Hallam's avatar
Jesse Hallam committed
475
			utils.RenderWebAppError(c.App.Config(), w, r, err, c.App.AsymmetricSigningKey())
476
		}
477 478 479
		return
	}

Chris's avatar
Chris committed
480
	user, err := c.App.CompleteOAuth(service, body, teamId, props)
481
	if err != nil {
482
		err.Translate(c.T)
483
		mlog.Error(err.Error())
484 485 486
		if action == model.OAUTH_ACTION_MOBILE {
			w.Write([]byte(err.ToJson()))
		} else {
Jesse Hallam's avatar
Jesse Hallam committed
487
			utils.RenderWebAppError(c.App.Config(), w, r, err, c.App.AsymmetricSigningKey())
488
		}
489 490 491 492 493 494 495 496 497 498
		return
	}

	var redirectUrl string
	if action == model.OAUTH_ACTION_EMAIL_TO_SSO {
		redirectUrl = c.GetSiteURLHeader() + "/login?extra=signin_change"
	} else if action == model.OAUTH_ACTION_SSO_TO_EMAIL {

		redirectUrl = app.GetProtocol(r) + "://" + r.Host + "/claim?email=" + url.QueryEscape(props["email"])
	} else {
Chris's avatar
Chris committed
499
		session, err := c.App.DoLogin(w, r, user, "")
500
		if err != nil {
501
			err.Translate(c.T)
502
			c.Err = err
503 504 505
			if action == model.OAUTH_ACTION_MOBILE {
				w.Write([]byte(err.ToJson()))
			}
506 507 508 509 510 511 512 513
			return
		}

		c.Session = *session

		redirectUrl = c.GetSiteURLHeader()
	}

514 515 516 517 518 519
	if action == model.OAUTH_ACTION_MOBILE {
		ReturnStatusOK(w)
		return
	} else {
		http.Redirect(w, r, redirectUrl, http.StatusTemporaryRedirect)
	}
520 521 522 523 524 525 526 527 528 529 530
}

func loginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireService()
	if c.Err != nil {
		return
	}

	loginHint := r.URL.Query().Get("login_hint")
	redirectTo := r.URL.Query().Get("redirect_to")

Chris's avatar
Chris committed
531
	teamId, err := c.App.GetTeamIdFromQuery(r.URL.Query())
532 533 534 535 536
	if err != nil {
		c.Err = err
		return
	}

Chris's avatar
Chris committed
537
	if authUrl, err := c.App.GetOAuthLoginEndpoint(w, r, c.Params.Service, teamId, model.OAUTH_ACTION_LOGIN, redirectTo, loginHint); err != nil {
538 539 540 541 542 543 544 545 546 547 548 549 550
		c.Err = err
		return
	} else {
		http.Redirect(w, r, authUrl, http.StatusFound)
	}
}

func mobileLoginWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireService()
	if c.Err != nil {
		return
	}

Chris's avatar
Chris committed
551
	teamId, err := c.App.GetTeamIdFromQuery(r.URL.Query())
552 553 554 555 556
	if err != nil {
		c.Err = err
		return
	}

Chris's avatar
Chris committed
557
	if authUrl, err := c.App.GetOAuthLoginEndpoint(w, r, c.Params.Service, teamId, model.OAUTH_ACTION_MOBILE, "", ""); err != nil {
558 559 560 561 562 563 564 565 566 567 568 569 570
		c.Err = err
		return
	} else {
		http.Redirect(w, r, authUrl, http.StatusFound)
	}
}

func signupWithOAuth(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireService()
	if c.Err != nil {
		return
	}

571
	if !*c.App.Config().TeamSettings.EnableUserCreation {
Jesse Hallam's avatar
Jesse Hallam committed
572
		utils.RenderWebError(c.App.Config(), w, r, http.StatusBadRequest, url.Values{
573 574
			"message": []string{utils.T("api.oauth.singup_with_oauth.disabled.app_error")},
		}, c.App.AsymmetricSigningKey())
575 576 577
		return
	}

Chris's avatar
Chris committed
578
	teamId, err := c.App.GetTeamIdFromQuery(r.URL.Query())
579 580 581 582 583
	if err != nil {
		c.Err = err
		return
	}

Chris's avatar
Chris committed
584
	if authUrl, err := c.App.GetOAuthSignupEndpoint(w, r, c.Params.Service, teamId); err != nil {
585 586 587 588 589 590
		c.Err = err
		return
	} else {
		http.Redirect(w, r, authUrl, http.StatusFound)
	}
}