chore: format using Make (ory#703)

.github/workflows/format.yml

@@ -0,0 +1,17 @@
+name: Format
+
+on:
+  pull_request:
+  push:
+
+jobs:
+  format:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+      - run: make format
+      - name: Indicate formatting issues
+        run: git diff HEAD --exit-code --color

.github/workflows/test.yml

@@ -0,0 +1,15 @@
+name: Unit tests
+
+on:
+  pull_request:
+  push:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: 1.19
+      - run: make test

.gitignore

@@ -1,3 +1,4 @@
+.bin
 .idea
 *.iml
 .cover

.prettierignore

@@ -0,0 +1,7 @@
+.github/ISSUE_TEMPLATE/BUG-REPORT.yml
+.github/ISSUE_TEMPLATE/DESIGN-DOC.yml
+.github/ISSUE_TEMPLATE/FEATURE-REQUEST.yml
+.github/ISSUE_TEMPLATE/config.yml
+.github/pull_request_template.md
+CHANGELOG.md
+CONTRIBUTING.md

.travis.yml

@@ -8,7 +8,9 @@ go:
 install:
   - go install github.com/mattn/goveralls
   - go install github.com/ory/go-acc
-  - curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.24.0
+  - curl -sSfL
+    https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh |
+    sh -s -- -b $(go env GOPATH)/bin v1.24.0
 
 script:
   - golangci-lint run

Makefile

@@ -1,6 +1,18 @@
-format:
-		goreturns -w -local github.com/ory $$(listx .)
+format: .bin/goimports node_modules  # formats the source code
+	.bin/goimports -w .
+	npm exec -- prettier --write .
 
-test:
-		go test ./...
+help:
+	@cat Makefile | grep '^[^ ]*:' | grep -v '^\.bin/' | grep -v '.SILENT:' | grep -v '^node_modules:' | grep -v help | sed 's/:.*#/#/' | column -s "#" -t
 
+test:  # runs all tests
+	go test ./...
+
+.bin/goimports: Makefile
+	GOBIN=$(shell pwd)/.bin go install golang.org/x/tools/cmd/goimports@latest
+
+node_modules: package-lock.json
+	npm ci
+	touch node_modules
+
+.DEFAULT_GOAL := help

README.md

@@ -246,29 +246,35 @@ looking at some examples:
 
 ### Globalization
 
-Fosite does not natively carry translations for error messages and hints, but offers an interface that allows the
-consumer to define catalog bundles and an implementation to translate. This is available through
-the [MessageCatalog](i18n/i18n.go) interface. The functions defined are self-explanatory. The `DefaultMessageCatalog`
-illustrates this. Compose config has been extended to take in an instance of the `MessageCatalog`.
+Fosite does not natively carry translations for error messages and hints, but
+offers an interface that allows the consumer to define catalog bundles and an
+implementation to translate. This is available through the
+[MessageCatalog](i18n/i18n.go) interface. The functions defined are
+self-explanatory. The `DefaultMessageCatalog` illustrates this. Compose config
+has been extended to take in an instance of the `MessageCatalog`.
 
 #### Building translated files
 
 There are three possible "message key" types:
 
-1. Value of `RFC6749Error.ErrorField`: This is a string like `invalid_request` and correlates to most errors produced by
-   Fosite.
-2. Hint identifier passed into `RFC6749Error.WithHintIDOrDefaultf`: This func is not used extensively in Fosite but, in
-   time, most `WithHint` and `WithHintf` will be replaced with this function.
-3. Free text string format passed into `RFC6749Error.WithHint` and `RFC6749Error.WithHintf`: This function is used in
-   Fosite and Hydra extensively and any message catalog implementation can use the format string parameter as the
-   message key.
+1. Value of `RFC6749Error.ErrorField`: This is a string like `invalid_request`
+   and correlates to most errors produced by Fosite.
+2. Hint identifier passed into `RFC6749Error.WithHintIDOrDefaultf`: This func is
+   not used extensively in Fosite but, in time, most `WithHint` and `WithHintf`
+   will be replaced with this function.
+3. Free text string format passed into `RFC6749Error.WithHint` and
+   `RFC6749Error.WithHintf`: This function is used in Fosite and Hydra
+   extensively and any message catalog implementation can use the format string
+   parameter as the message key.
 
-An example of a message catalog can be seen in the [i18n_test.go](i18n/i18n_test.go).
+An example of a message catalog can be seen in the
+[i18n_test.go](i18n/i18n_test.go).
 
 #### Generating the `en` messages file
 
-This is a WIP at the moment, but effectively any scripting language can be used to generate this. It would need to
-traverse all files in the source code and extract the possible message identifiers based on the different message key
+This is a WIP at the moment, but effectively any scripting language can be used
+to generate this. It would need to traverse all files in the source code and
+extract the possible message identifiers based on the different message key
 types.
 
 ### Quickstart

access_request_handler.go

@@ -33,30 +33,30 @@ import (
 )
 
 // Implements
-// * https://tools.ietf.org/html/rfc6749#section-2.3.1
-//   Clients in possession of a client password MAY use the HTTP Basic
-//   authentication scheme as defined in [RFC2617] to authenticate with
-//   the authorization server.  The client identifier is encoded using the
-//   "application/x-www-form-urlencoded" encoding algorithm per
-//   Appendix B, and the encoded value is used as the username; the client
-//   password is encoded using the same algorithm and used as the
-//   password.  The authorization server MUST support the HTTP Basic
-//   authentication scheme for authenticating clients that were issued a
-//   client password.
-//   Including the client credentials in the request-body using the two
-//   parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
-//   to directly utilize the HTTP Basic authentication scheme (or other
-//   password-based HTTP authentication schemes).  The parameters can only
-//   be transmitted in the request-body and MUST NOT be included in the
-//   request URI.
-//   * https://tools.ietf.org/html/rfc6749#section-3.2.1
+//   - https://tools.ietf.org/html/rfc6749#section-2.3.1
+//     Clients in possession of a client password MAY use the HTTP Basic
+//     authentication scheme as defined in [RFC2617] to authenticate with
+//     the authorization server.  The client identifier is encoded using the
+//     "application/x-www-form-urlencoded" encoding algorithm per
+//     Appendix B, and the encoded value is used as the username; the client
+//     password is encoded using the same algorithm and used as the
+//     password.  The authorization server MUST support the HTTP Basic
+//     authentication scheme for authenticating clients that were issued a
+//     client password.
+//     Including the client credentials in the request-body using the two
+//     parameters is NOT RECOMMENDED and SHOULD be limited to clients unable
+//     to directly utilize the HTTP Basic authentication scheme (or other
+//     password-based HTTP authentication schemes).  The parameters can only
+//     be transmitted in the request-body and MUST NOT be included in the
+//     request URI.
+//   - https://tools.ietf.org/html/rfc6749#section-3.2.1
 //   - Confidential clients or other clients issued client credentials MUST
-//   authenticate with the authorization server as described in
-//   Section 2.3 when making requests to the token endpoint.
+//     authenticate with the authorization server as described in
+//     Section 2.3 when making requests to the token endpoint.
 //   - If the client type is confidential or the client was issued client
-//   credentials (or assigned other authentication requirements), the
-//   client MUST authenticate with the authorization server as described
-//   in Section 3.2.1.
+//     credentials (or assigned other authentication requirements), the
+//     client MUST authenticate with the authorization server as described
+//     in Section 3.2.1.
 func (f *Fosite) NewAccessRequest(ctx context.Context, r *http.Request, session Session) (AccessRequester, error) {
 	accessRequest := NewAccessRequest(session)
 	accessRequest.Request.Lang = i18n.GetLangFromRequest(f.Config.GetMessageCatalog(ctx), r)

arguments.go

@@ -28,8 +28,8 @@ type Arguments []string
 // Matches performs an case-insensitive, out-of-order check that the items
 // provided exist and equal all of the args in arguments.
 // Note:
-// - Providing a list that includes duplicate string-case items will return not
-//   matched.
+//   - Providing a list that includes duplicate string-case items will return not
+//     matched.
 func (r Arguments) Matches(items ...string) bool {
 	if len(r) != len(items) {
 		return false

authorize_error_test.go

@@ -36,19 +36,19 @@ import (
 )
 
 // Test for
-// * https://tools.ietf.org/html/rfc6749#section-4.1.2.1
-//   If the request fails due to a missing, invalid, or mismatching
-//   redirection URI, or if the client identifier is missing or invalid,
-//   the authorization server SHOULD inform the resource owner of the
-//   error and MUST NOT automatically redirect the user-agent to the
-//   invalid redirection URI.
-// * https://tools.ietf.org/html/rfc6749#section-3.1.2
-//   The redirection endpoint URI MUST be an absolute URI as defined by
-//   [RFC3986] Section 4.3.  The endpoint URI MAY include an
-//   "application/x-www-form-urlencoded" formatted (per Appendix B) query
-//   component ([RFC3986] Section 3.4), which MUST be retained when adding
-//   additional query parameters.  The endpoint URI MUST NOT include a
-//   fragment component.
+//   - https://tools.ietf.org/html/rfc6749#section-4.1.2.1
+//     If the request fails due to a missing, invalid, or mismatching
+//     redirection URI, or if the client identifier is missing or invalid,
+//     the authorization server SHOULD inform the resource owner of the
+//     error and MUST NOT automatically redirect the user-agent to the
+//     invalid redirection URI.
+//   - https://tools.ietf.org/html/rfc6749#section-3.1.2
+//     The redirection endpoint URI MUST be an absolute URI as defined by
+//     [RFC3986] Section 4.3.  The endpoint URI MAY include an
+//     "application/x-www-form-urlencoded" formatted (per Appendix B) query
+//     component ([RFC3986] Section 3.4), which MUST be retained when adding
+//     additional query parameters.  The endpoint URI MUST NOT include a
+//     fragment component.
 func TestWriteAuthorizeError(t *testing.T) {
 	var urls = []string{
 		"https://foobar.com/",

authorize_helper.go

@@ -54,26 +54,27 @@ var DefaultFormPostTemplate = template.Must(template.New("form_post").Parse(`<ht
 // uri validation.
 //
 // Considered specifications
-// * https://tools.ietf.org/html/rfc6749#section-3.1.2.3
-//   If multiple redirection URIs have been registered, if only part of
-//   the redirection URI has been registered, or if no redirection URI has
-//   been registered, the client MUST include a redirection URI with the
-//   authorization request using the "redirect_uri" request parameter.
 //
-//   When a redirection URI is included in an authorization request, the
-//   authorization server MUST compare and match the value received
-//   against at least one of the registered redirection URIs (or URI
-//   components) as defined in [RFC3986] Section 6, if any redirection
-//   URIs were registered.  If the client registration included the full
-//   redirection URI, the authorization server MUST compare the two URIs
-//   using simple string comparison as defined in [RFC3986] Section 6.2.1.
+//   - https://tools.ietf.org/html/rfc6749#section-3.1.2.3
+//     If multiple redirection URIs have been registered, if only part of
+//     the redirection URI has been registered, or if no redirection URI has
+//     been registered, the client MUST include a redirection URI with the
+//     authorization request using the "redirect_uri" request parameter.
+//
+//     When a redirection URI is included in an authorization request, the
+//     authorization server MUST compare and match the value received
+//     against at least one of the registered redirection URIs (or URI
+//     components) as defined in [RFC3986] Section 6, if any redirection
+//     URIs were registered.  If the client registration included the full
+//     redirection URI, the authorization server MUST compare the two URIs
+//     using simple string comparison as defined in [RFC3986] Section 6.2.1.
 //
 // * https://tools.ietf.org/html/rfc6819#section-4.4.1.7
-//   * The authorization server may also enforce the usage and validation
+//   - The authorization server may also enforce the usage and validation
 //     of pre-registered redirect URIs (see Section 5.2.3.5).  This will
 //     allow for early recognition of authorization "code" disclosure to
 //     counterfeit clients.
-//   * The attacker will need to use another redirect URI for its
+//   - The attacker will need to use another redirect URI for its
 //     authorization process rather than the target web site because it
 //     needs to intercept the flow.  So, if the authorization server
 //     associates the authorization "code" with the redirect URI of a
@@ -168,11 +169,11 @@ func isLoopbackAddress(address string) bool {
 // IsValidRedirectURI validates a redirect_uri as specified in:
 //
 // * https://tools.ietf.org/html/rfc6749#section-3.1.2
-//   * The redirection endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3.
-//   * The endpoint URI MUST NOT include a fragment component.
-// * https://tools.ietf.org/html/rfc3986#section-4.3
-//   absolute-URI  = scheme ":" hier-part [ "?" query ]
-// * https://tools.ietf.org/html/rfc6819#section-5.1.1
+//   - The redirection endpoint URI MUST be an absolute URI as defined by [RFC3986] Section 4.3.
+//   - The endpoint URI MUST NOT include a fragment component.
+//   - https://tools.ietf.org/html/rfc3986#section-4.3
+//     absolute-URI  = scheme ":" hier-part [ "?" query ]
+//   - https://tools.ietf.org/html/rfc6819#section-5.1.1
 func IsValidRedirectURI(redirectURI *url.URL) bool {
 	// We need to explicitly check for a scheme
 	if !govalidator.IsRequestURL(redirectURI.String()) {

authorize_request_handler_test.go

@@ -39,10 +39,10 @@ import (
 
 // Should pass
 //
-// * https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Terminology
-//   The OAuth 2.0 specification allows for registration of space-separated response_type parameter values.
-//   If a Response Type contains one of more space characters (%20), it is compared as a space-delimited list of
-//   values in which the order of values does not matter.
+//   - https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Terminology
+//     The OAuth 2.0 specification allows for registration of space-separated response_type parameter values.
+//     If a Response Type contains one of more space characters (%20), it is compared as a space-delimited list of
+//     values in which the order of values does not matter.
 func TestNewAuthorizeRequest(t *testing.T) {
 	var store *MockStorage
 

client_authentication.go

@@ -42,7 +42,7 @@ import (
 // ClientAuthenticationStrategy provides a method signature for authenticating a client request
 type ClientAuthenticationStrategy func(context.Context, *http.Request, url.Values) (Client, error)
 
-//#nosec:gosec G101 - False Positive
+// #nosec:gosec G101 - False Positive
 const clientAssertionJWTBearerType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
 
 func (f *Fosite) findClientPublicJWK(ctx context.Context, oidcClient OpenIDConnectClient, t *jwt.Token, expectsRSAKey bool) (interface{}, error) {

compose/compose.go

@@ -32,24 +32,24 @@ type Factory func(config fosite.Configurator, storage interface{}, strategy inte
 
 // Compose takes a config, a storage, a strategy and handlers to instantiate an OAuth2Provider:
 //
-//  import "github.com/ory/fosite/compose"
+//	 import "github.com/ory/fosite/compose"
 //
-//  // var storage = new(MyFositeStorage)
-//  var config = Config {
-//  	AccessTokenLifespan: time.Minute * 30,
-// 		// check Config for further configuration options
-//  }
+//	 // var storage = new(MyFositeStorage)
+//	 var config = Config {
+//	 	AccessTokenLifespan: time.Minute * 30,
+//			// check Config for further configuration options
+//	 }
 //
-//  var strategy = NewOAuth2HMACStrategy(config)
+//	 var strategy = NewOAuth2HMACStrategy(config)
 //
-//  var oauth2Provider = Compose(
-//  	config,
-// 		storage,
-// 		strategy,
-//		NewOAuth2AuthorizeExplicitHandler,
-//		OAuth2ClientCredentialsGrantFactory,
-// 		// for a complete list refer to the docs of this package
-//  )
+//	 var oauth2Provider = Compose(
+//	 	config,
+//			storage,
+//			strategy,
+//			NewOAuth2AuthorizeExplicitHandler,
+//			OAuth2ClientCredentialsGrantFactory,
+//			// for a complete list refer to the docs of this package
+//	 )
 //
 // Compose makes use of interface{} types in order to be able to handle a all types of stores, strategies and handlers.
 func Compose(config *fosite.Config, storage interface{}, strategy interface{}, factories ...Factory) fosite.OAuth2Provider {

docs/how-tos/client_credentials_grant.md

@@ -1,13 +1,24 @@
 # Client Credentials Grant
 
-The following example configures a _fosite_ _OAuth2 Provider_ for issuing _JWT_ _access tokens_ using the _Client Credentials Grant_. This grant allows a client to request access tokens using only its client credentials at the _Token Endpoint_(see [rfc6749 Section 4.4](https://tools.ietf.org/html/rfc6749#section-4.4). For this aim, this _how-to_ configures:
+The following example configures a _fosite_ _OAuth2 Provider_ for issuing _JWT_
+_access tokens_ using the _Client Credentials Grant_. This grant allows a client
+to request access tokens using only its client credentials at the _Token
+Endpoint_(see
+[rfc6749 Section 4.4](https://tools.ietf.org/html/rfc6749#section-4.4). For this
+aim, this _how-to_ configures:
 
 - RSA _JWT Strategy_ to sign JWT _access tokens_
 - _Token Endpoint_ http handler
 - A `fosite.OAuth2Provider` that provides the following services:
-  - Create and validate [_OAuth2 Access Token Requests_](https://tools.ietf.org/html/rfc6749#section-4.1.3) with _Client Credentials Grant_
-  - Create an [_Access Token Response_](https://tools.ietf.org/html/rfc6749#section-4.1.4) and
-  - Sends a [successful](https://tools.ietf.org/html/rfc6749#section-5.1) or [error](https://tools.ietf.org/html/rfc6749#section-5.2) HTTP response to client
+  - Create and validate
+    [_OAuth2 Access Token Requests_](https://tools.ietf.org/html/rfc6749#section-4.1.3)
+    with _Client Credentials Grant_
+  - Create an
+    [_Access Token Response_](https://tools.ietf.org/html/rfc6749#section-4.1.4)
+    and
+  - Sends a [successful](https://tools.ietf.org/html/rfc6749#section-5.1) or
+    [error](https://tools.ietf.org/html/rfc6749#section-5.2) HTTP response to
+    client
 
 ## Code Example