diff mbox series

[RFC] imap-send: support oauth2

Message ID ca1da892-f8ad-d878-a516-de5b08a99698@suse.com (mailing list archive)
State New, archived
Headers show
Series [RFC] imap-send: support oauth2 | expand

Commit Message

Nicolas Morey-Chaisemartin June 4, 2021, 7:23 a.m. UTC 
2FA/OAuth2 becoming a more and more regular thing these days (and a lot of SUSE devs being recently impacted by it), I've thrown together a quick patch
to allow imap-send to support it.
This uses https://github.com/jeffmahoney/oauth2-clientd. It can be used with Outlook365 or Gmail. It creates a file with a token to be used to authenticate.
As libcurl supports this type of authentication, it is quite easy from there.

With this patch you still get prompted for you password even though it is not used but it overall works.

Before going any further on this, I wanted some feedback on the approach itself.

---
 imap-send.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

Comments

Felipe Contreras June 4, 2021, 1:51 p.m. UTC | #1 
Nicolas Morey-Chaisemartin wrote:
> 2FA/OAuth2 becoming a more and more regular thing these days (and a lot of SUSE devs being recently impacted by it), I've thrown together a quick patch
> to allow imap-send to support it.
> This uses https://github.com/jeffmahoney/oauth2-clientd. It can be used with Outlook365 or Gmail. It creates a file with a token to be used to authenticate.
> As libcurl supports this type of authentication, it is quite easy from there.

While trying to implement this is nice, it takes way more effort just to
get a client id and secret than it takes to setup an app password.

Plus I think this is abusing Google Cloud Platform. The point is to
register an application once, and that application can have thousands of
users, not thousands of users registering thousands of applications each
used by a single user.

If you have an email service with OAuth2 authentication that doesn't
require a client secret, then yeah; OAuth2 makes sense. I am not aware
of any popular one though.

Cheers.
diff mbox series

Patch

diff --git a/imap-send.c b/imap-send.c
index bb085d66d105..951d6bca696a 100644
--- a/imap-send.c
+++ b/imap-send.c
@@ -91,6 +91,7 @@  struct imap_server_conf {
 	const char *folder;
 	const char *user;
 	const char *pass;
+	const char *oauth;
 	int use_ssl;
 	int ssl_verify;
 	int use_html;
@@ -105,6 +106,7 @@  static struct imap_server_conf server = {
 	NULL,	/* folder */
 	NULL,	/* user */
 	NULL,	/* pass */
+	NULL,   /* oauth */
 	0,   	/* use_ssl */
 	1,   	/* ssl_verify */
 	0,   	/* use_html */
@@ -1355,6 +1357,8 @@  static int git_imap_config(const char *var, const char *val, void *cb)
 		return git_config_string(&server.tunnel, var, val);
 	else if (!strcmp("imap.authmethod", var))
 		return git_config_string(&server.auth_method, var, val);
+	else if (!strcmp("imap.oauth", var))
+		return git_config_string(&server.oauth, var, val);
 	else if (!strcmp("imap.port", var))
 		server.port = git_config_int(var, val);
 	else if (!strcmp("imap.host", var)) {
@@ -1432,7 +1436,23 @@  static CURL *setup_curl(struct imap_server_conf *srvc, struct credential *cred)
 
 	server_fill_credential(&server, cred);
 	curl_easy_setopt(curl, CURLOPT_USERNAME, server.user);
-	curl_easy_setopt(curl, CURLOPT_PASSWORD, server.pass);
+
+	if (server.oauth) {
+		struct strbuf sb = STRBUF_INIT;
+		size_t sz;
+		char *token;
+
+		sz = strbuf_read_file(&sb, server.oauth, 0);
+		if (sz < 0)
+			die("failed to read oauth token file");
+
+		strbuf_trim_trailing_newline(&sb);
+		token = strbuf_detach(&sb, &sz);
+		curl_easy_setopt(curl, CURLOPT_XOAUTH2_BEARER, token);
+		free(token);
+	} else {
+		curl_easy_setopt(curl, CURLOPT_PASSWORD, server.pass);
+	}
 
 	strbuf_addstr(&path, server.use_ssl ? "imaps://" : "imap://");
 	strbuf_addstr(&path, server.host);