Geo OAuth authentication refactor

app/controllers/oauth/geo_auth_controller.rb

 class Oauth::GeoAuthController < ActionController::Base
-  # skip_before_action :authenticate_user!
 
   def auth
     oauth = Geo::OauthSession.new(state: params[:state])
@@ -8,10 +7,7 @@ class Oauth::GeoAuthController < ActionController::Base
       return
     end
 
-    redirect_to client.auth_code.authorize_url({
-                                                 redirect_uri: oauth_geo_callback_url,
-                                                 state: params[:state]
-                                               })
+    redirect_to oauth.authorize_url(redirect_uri: oauth_geo_callback_url, state: params[:state])
   end
 
   def callback
@@ -21,15 +17,13 @@ class Oauth::GeoAuthController < ActionController::Base
       return
     end
 
-    token = client.auth_code.get_token(params[:code], redirect_uri: oauth_geo_callback_url).token
-
-    @user_session = Geo::OauthSession.new(state: params[:state])
-    remote_user = @user_session.authenticate(access_token: token)
+    token = oauth.get_token(params[:code], redirect_uri: oauth_geo_callback_url)
+    remote_user = oauth.authenticate(access_token: token)
 
     user = User.find(remote_user['id'])
 
     if user && sign_in(user)
-      return_to = @user_session.get_oauth_state_return_to
+      return_to = oauth.get_oauth_state_return_to
       redirect_to(return_to || root_path)
     else
       @error = 'Invalid credentials'
@@ -37,18 +31,4 @@ class Oauth::GeoAuthController < ActionController::Base
     end
   end
 
-  private
-
-  def client
-    app = Gitlab::Geo.oauth_authentication
-    @client ||= ::OAuth2::Client.new(
-      app.uid,
-      app.secret,
-      {
-        site: Gitlab::Geo.primary_node.url,
-        authorize_url: 'oauth/authorize',
-        token_url: 'oauth/token'
-      }
-    )
-  end
 end

app/controllers/sessions_controller.rb

@@ -112,7 +112,7 @@ class SessionsController < Devise::SessionsController
       oauth = Geo::OauthSession.new
 
       # share full url with primary node by shared session
-      user_return_to = URI.join(root_url, session[:user_return_to]).to_s
+      user_return_to = URI.join(root_url, session[:user_return_to].to_s).to_s
       oauth.return_to = @redirect_to || user_return_to
 
       redirect_to oauth_geo_auth_url(state: oauth.generate_oauth_state)

app/models/geo/oauth_session.rb

@@ -17,9 +17,8 @@ class Geo::OauthSession
 
   def generate_oauth_state
     return unless return_to
-    salt = generate_oauth_salt
-    hmac = generate_oauth_hmac(salt, return_to)
-    "#{salt}:#{hmac}:#{return_to}"
+    hmac = generate_oauth_hmac(oauth_salt, return_to)
+    "#{oauth_salt}:#{hmac}:#{return_to}"
   end
 
   def get_oauth_state_return_to
@@ -30,18 +29,21 @@ class Geo::OauthSession
     opts = {
       query: access_token
     }
-    endpoint = File.join(primary_node_url, API_PREFIX, 'user')
-    response = self.class.get(endpoint, default_opts.merge(opts))
+    response = self.class.get(authenticate_endpoint, default_opts.merge(opts))
 
     build_response(response)
   end
 
-  private
+  def authorize_url(params = {})
+    oauth_client.auth_code.authorize_url(params)
+  end
 
-  def generate_oauth_salt
-    SecureRandom.hex(16)
+  def get_token(code, params = {}, opts = {})
+    oauth_client.auth_code.get_token(code, params, opts).token
   end
 
+  private
+
   def generate_oauth_hmac(salt, return_to)
     return false unless return_to
     digest = OpenSSL::Digest.new('sha256')
@@ -49,6 +51,32 @@ class Geo::OauthSession
     OpenSSL::HMAC.hexdigest(digest, key, return_to)
   end
 
+  def oauth_salt
+    @salt ||= SecureRandom.hex(16)
+  end
+
+  def oauth_client
+    @client ||= begin
+      ::OAuth2::Client.new(
+        oauth_app.uid,
+        oauth_app.secret,
+        {
+          site: primary_node_url,
+          authorize_url: 'oauth/authorize',
+          token_url: 'oauth/token'
+        }
+      )
+    end
+  end
+
+  def oauth_app
+    Gitlab::Geo.oauth_authentication
+  end
+
+  def authenticate_endpoint
+    File.join(primary_node_url, API_PREFIX, 'user')
+  end
+
   def primary_node_url
     Gitlab::Geo.primary_node.url
   end

lib/gitlab/geo.rb

@@ -43,7 +43,7 @@ module Gitlab
     def self.oauth_authentication
       return false unless Gitlab::Geo.secondary?
 
-      Gitlab::Geo.current_node.oauth_application
+      RequestStore.store[:geo_oauth_application] ||= Gitlab::Geo.current_node.oauth_application
     end
   end
 end