User authentication and session management for web applications
Add exchange_code and refresh_token that POST over TLS
The library now depends on requests and performs the token endpoint
POST itself, enforcing TLS transport for client_secret. The old
exchange_form_body and refresh_form_body are kept as low-level
primitives but documented to prefer the new functions.
ocaml-auth's exchange_code now delegates to Oauth.exchange_code.
+3
-15
+3
-15
lib/auth.ml
+3
-15
lib/auth.ml
···
347
347
348
348
let exchange_code (cfg : config) ~code =
349
349
let redirect_uri = oauth_redirect_uri cfg in
350
-
let token_url = Oauth.token_url cfg.session.oauth_provider in
351
-
let headers =
352
-
Headers.of_list
353
-
[
354
-
("Content-Type", "application/x-www-form-urlencoded");
355
-
("Accept", "application/json");
356
-
]
357
-
in
358
-
let form_str =
359
-
Oauth.exchange_form_body ~client_id:cfg.client_id
360
-
~client_secret:cfg.client_secret ~code ~redirect_uri ()
361
-
in
362
-
let body = Requests.Body.text form_str in
363
-
let resp = Requests.post cfg.http token_url ~body ~headers in
364
-
Oauth.parse_token_response (Requests.Response.text resp)
350
+
Oauth.exchange_code cfg.http cfg.session.oauth_provider
351
+
~client_id:cfg.client_id ~client_secret:cfg.client_secret ~code
352
+
~redirect_uri ()
365
353
366
354
(* Find or create a user from OAuth userinfo, handling concurrent races.
367
355
Requires a verified email — returns Error if the provider did not supply