From fafabc6e4a549393992dc93075e30d26d8c63731 Mon Sep 17 00:00:00 2001
From: William Carroll
Date: Wed, 5 Feb 2020 23:28:20 +0000
Subject: Support OAuth 2.0 login flow for Monzo API

After some toil and lots of learning, monzo_ynab is receiving access and refresh tokens from Monzo. I can now use these tokens to fetch my transactions from the past 24 hours and then forward them along to YNAB. If YNAB's API requires OAuth 2.0 login flow for authorization, I should be able to set that up in about an hour, which would be much faster than it took me to setup the login flow for Monzo. Learning can be a powerful thing. See the TODOs scattered around for a general idea of some (but not all) of the work that remains. TL;DR - Package monzo_ynab with buildGo - Move some utility functions to sibling packages - Add a README with a project overview, installation instructions, and a brief note about my ideas for deployment Note: I have some outstanding questions about how to manage state in Go. Should I use channels? Should I use a library? Are top-level variables enough? Answers to some or all of these questions and more coming soon...
---
monzo_ynab/main.go | 125 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 125 insertions(+)
create mode 100644 monzo_ynab/main.go
(limited to 'monzo_ynab/main.go')
diff --git a/monzo_ynab/main.go b/monzo_ynab/main.go
new file mode 100644
index 0000000000..5b6c654e28
--- /dev/null
+++ b/monzo_ynab/main.go
@@ -0,0 +1,125 @@
+// Exporting Monzo transactions to my YouNeedABudget.com (i.e. YNAB)
+// account. YNAB unfortunately doesn't currently offer an Monzo integration. As
+// a workaround and a practical excuse to learn Go, I decided to write one
+// myself.
+//
+// This job is going to run N times per 24 hours. Monzo offers webhooks for
+// reacting to certain types of events. I don't expect I'll need realtime data
+// for my YNAB integration. That may change, however, so it's worth noting.
+
+package main
+
+import (
+ "encoding/json"
+ "fmt"
+ "log"
+ "net/http"
+ "net/url"
+ "os"
+ "os/exec"
+)
+
+////////////////////////////////////////////////////////////////////////////////
+// Constants
+////////////////////////////////////////////////////////////////////////////////
+
+var (
+ clientId = os.Getenv("client_id")
+ clientSecret = os.Getenv("client_secret")
+)
+
+const (
+ redirectURI = "http://localhost:8080/authorization-code"
+ // TODO(wpcarro): Consider generating a random string for the state when the
+ // application starts instead of hardcoding it here.
+ state = "xyz123"
+)
+
+////////////////////////////////////////////////////////////////////////////////
+// Business Logic
+////////////////////////////////////////////////////////////////////////////////
+
+// This is the response returned from Monzo when we exchange our authorization
+// code for an access token. While Monzo returns additional fields, I'm only
+// interested in AccessToken and RefreshToken.
+type accessTokenResponse struct {
+ AccessToken string `json:"access_token"`
+ RefreshToken string `json:"refresh_token"`
+}
+
+// TODO(wpcarro): Replace http.PostForm and other similar calls with
+// client.postForm. The default http.Get and other methods doesn't timeout, so
+// it's better to create a configured client with a value for the timeout.
+
+func getAccessToken(code string) {
+ res, err := http.PostForm("https://api.monzo.com/oauth2/token", url.Values{
+ "grant_type": {"authorization_code"},
+ "client_id": {clientId},
+ "client_secret": {clientSecret},
+ "redirect_uri": {redirectURI},
+ "code": {code},
+ })
+ failOn(err)
+ defer res.Body.Close()
+
+ payload := accessTokenResponse{}
+ json.NewDecoder(res.Body).Decode(&payload)
+
+ log.Printf("Access token: %s\n", payload.AccessToken)
+ log.Printf("Refresh token: %s\n", payload.AccessToken)
+}
+
+func listenHttp(sigint chan os.Signal) {
+ // Use a go-routine to listen for interrupt signals to shutdown our HTTP
+ // server.
+ go func() {
+ <-sigint
+ // TODO(wpcarro): Do we need context here? I took this example from the
+ // example on golang.org.
+ log.Println("Warning: I should be shutting down and closing the connection here, but I'm not.")
+ close(sigint)
+ }()
+
+ log.Fatal(http.ListenAndServe(":8080", http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+ // 1. Get authorization code from Monzo.
+ if req.URL.Path == "/authorization-code" {
+ params := req.URL.Query()
+ reqState := params["state"][0]
+ code := params["code"][0]
+
+ if reqState != state {
+ log.Fatalf("Value for state returned by Monzo does not equal our state. %s != %s", reqState, state)
+ }
+
+ // TODO(wpcarro): Add a more interesting authorization confirmation
+ // screen -- or even nothing at all.
+ fmt.Fprintf(w, "Authorized!")
+
+ // Exchange the authorization code for an access token.
+ getAccessToken(code)
+ return
+ }
+
+ log.Printf("Unhandled request: %v\n", *req)
+ })))
+}
+
+// Open a web browser to allow the user to authorize this application.
+// TODO(wpcarro): Prefer using an environment variable for the web browser
+// instead of assuming it will be google-chrome.
+func authorizeClient() {
+ url := fmt.Sprintf("https://auth.monzo.com/?client_id=%s&redirect_uri=%s&response_type=code&state=%s", clientId, redirectURI, state)
+ exec.Command("google-chrome", url).Start()
+}
+
+func main() {
+ sigint := make(chan os.Signal, 1)
+ // TODO(wpcarro): Remove state here. I'm using as a hack to prevent my
+ // program from halting before I'd like it to. Once I'm more comfortable
+ // using channels, this should be a trivial change.
+ state := make(chan bool)
+
+ authorizeClient()
+ listenHttp(sigint)
+ <-state
+}
-- cgit 1.4.1
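Review bot: The `/authorization-code` handler in `listenHttp` indexes `params["state"][0]` and `params["code"][0]` without checking that either parameter is present, so a request to that path without them panics in the handler, and a wrong `state` reaches `log.Fatalf`, which exits the process and writes the expected state value to the log; with the listener bound to `:8080` on every interface, any peer that can reach the host can trigger both. I would read the parameters with `params.Get`, reject a missing code or mismatched state with `http.Error(w, "invalid state or code", http.StatusBadRequest)` and a `return`, and bind to `127.0.0.1:8080` so only the browser redirect on this machine reaches the listener. The check also relies on the hardcoded `state = "xyz123"`, which the TODO already flags; until it comes from `crypto/rand` the state does not protect against a forged redirect carrying an attacker's authorization code. Separately, the second log line in `getAccessToken` prints `payload.AccessToken` under the `Refresh token:` label, presumably meant to be `payload.RefreshToken`, though logging either bearer token at all is worth avoiding, and neither `res.StatusCode` nor the `Decode` error is checked, so a rejected token exchange logs two empty tokens and carries on.
```go
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		// 1. Get authorization code from Monzo.
		if req.URL.Path == "/authorization-code" {
			params := req.URL.Query()
			reqState, code := params.Get("state"), params.Get("code")
			// A bad or forged redirect is a client error, not a reason to exit;
			// keep the expected state value out of the log.
			if code == "" || reqState != state {
				log.Printf("Rejected /authorization-code request: missing code or state mismatch")
				http.Error(w, "invalid state or code", http.StatusBadRequest)
				return
			}
			// … unchanged: "Authorized!" response, getAccessToken(code), return …
		}
		// … unchanged: unhandled request log …
	})))
```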