From 345d6e49e0b354c6ad6e3889fea3bfb5e7653fbf Mon Sep 17 00:00:00 2001 From: Vyrtsev Mikhail Date: Sun, 30 Dec 2018 00:15:30 +0300 Subject: [PATCH 1/2] fix dev auth broken by go interpolation
---
 provider/dev_provider.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/provider/dev_provider.go b/provider/dev_provider.go
index cca9549e..4b3f218f 100644
--- a/provider/dev_provider.go
+++ b/provider/dev_provider.go
@@ -56,7 +56,7 @@ func (d *DevAuthServer) Run() {
 // first time it will be called without username and will ask for one
 if !d.Automatic && (r.ParseForm() != nil || r.Form.Get("username") == "") {
- if _, err = w.Write([]byte(fmt.Sprintf(devUserForm, r.URL.RawQuery))); err != nil {
+ if _, err = w.Write([]byte(strings.Replace(devUserForm, "{urlparams}", r.URL.RawQuery, -1))); err != nil {
 log.Printf("[WARN] can't write, %s", err)
 }
 return
@@ -268,7 +268,7 @@ var devUserForm = `
-
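Review bot: `r.URL.RawQuery` is still written into the HTML response unescaped in the `w.Write` call of the first hunk. Replacing `fmt.Sprintf` with `strings.Replace` removes the `%` interpolation problem, but request-controlled text still lands verbatim in the form markup and can break out of the attribute it is placed in. Escape it before substitution, `strings.Replace(devUserForm, "{urlparams}", html.EscapeString(r.URL.RawQuery), -1)` (this needs the `html` import), or render the form with `html/template`. The browser decodes `&amp;` inside the attribute back to `&`, so the submitted action is unchanged, but the `require.Contains` in `TestDevProviderForm` that matches raw `client_id=cid&redirect_uri=` would then have to expect `&amp;`. The handler inside `Run` starts and ends outside this hunk.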
+

GO-PKGZ/AUTH

Dev Provider

From 4c984c178c9ebb7940bb7350850cf45172703b4a Mon Sep 17 00:00:00 2001 From: Vyrtsev Mikhail Date: Sun, 30 Dec 2018 01:23:43 +0300 Subject: [PATCH 2/2] dev auth form test
---
 provider/dev_provider_test.go | 37 +++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+)
diff --git a/provider/dev_provider_test.go b/provider/dev_provider_test.go
index 299e751a..09a46bf2 100644
--- a/provider/dev_provider_test.go
+++ b/provider/dev_provider_test.go
@@ -72,3 +72,40 @@ func TestDevProvider(t *testing.T) {
 assert.Equal(t, 985, len(body))
 t.Logf("headers: %+v", resp.Header)
 }
+
+func TestDevProviderForm(t *testing.T) {
+ params := Params{Cid: "cid", Csecret: "csecret", URL: "http://127.0.0.1:8080",
+ JwtService: token.NewService(token.Opts{
+ SecretReader: token.SecretFunc(func(id string) (string, error) { return "secret", nil }),
+ TokenDuration: time.Hour,
+ CookieDuration: time.Hour * 24 * 31,
+ }),
+ }
+ srv := DevAuthServer{Provider: NewDev(params), Automatic: false, username: "dev_user"}
+
+ router := http.NewServeMux()
+ router.Handle("/auth/dev/", http.HandlerFunc(srv.Provider.Handler))
+
+ ts := &http.Server{Addr: fmt.Sprintf("127.0.0.1:%d", 8080), Handler: router}
+ go srv.Run()
+ go ts.ListenAndServe()
+ defer func() {
+ srv.Shutdown()
+ _ = ts.Shutdown(context.TODO())
+ }()
+
+ time.Sleep(200 * time.Millisecond)
+
+ client := &http.Client{Timeout: 5 * time.Second}
+
+ resp, err := client.Get("http://127.0.0.1:8080/auth/dev/login?site=my-test-site")
+ require.Nil(t, err)
+ assert.Equal(t, 200, resp.StatusCode)
+ body, err := ioutil.ReadAll(resp.Body)
+ assert.Nil(t, err)
+ t.Logf("resp %s", string(body))
+
+ // check form contains proper form action
+ bodyString := string(body)
+ require.Contains(t, bodyString, "form action=\"/login/oauth/authorize?client_id=cid&redirect_uri=http%3A%2F%2F127.0.0.1%3A8080%2Fauth%2Fdev%2Fcallback&response_type=code&scope=user%3Aemail")
+}
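Review bot: `TestDevProviderForm` only exercises a query made of plain URL-encoded parameters, so nothing pins how the rendered form treats characters that are significant inside an HTML attribute. The `require.Contains` check shows the query string ending up inside `form action="…"`. A second request whose query carries a `"` or `<`, with an assertion that those characters do not appear verbatim in `bodyString`, would make the escaping behaviour a tested property. Separately, the response body is never closed; add `defer resp.Body.Close()` right after `require.Nil(t, err)`. The hard-coded port 8080 and the 200 ms `time.Sleep` also make the test depend on timing and on the port being free, and the error from `ts.ListenAndServe()` is dropped, so a bind failure would only surface as a confusing client error.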