diff --git a/internal/oauth/authorize.go b/internal/oauth/authorize.go index a2fe10e..9896cfd 100644 --- a/internal/oauth/authorize.go +++ b/internal/oauth/authorize.go @@ -3,8 +3,6 @@ package oauth import ( "fmt" "net/http" - "slices" - "strings" "gitea.local/admin/hspguard/internal/web" ) @@ -29,43 +27,11 @@ func (h *OAuthHandler) AuthorizeClient(w http.ResponseWriter, r *http.Request) { return } - client, err := h.repo.GetApiServiceCID(r.Context(), clientId) - if err != nil { - uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", redirectUri) - if state != "" { - uri += "&state=" + state - } - http.Redirect(w, r, uri, http.StatusFound) - return - } - - if !client.IsActive { - uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", redirectUri) - if state != "" { - uri += "&state=" + state - } - http.Redirect(w, r, uri, http.StatusFound) - return - } - - scopes := strings.SplitSeq(strings.TrimSpace(r.URL.Query().Get("scope")), " ") - - for scope := range scopes { - if !slices.Contains(client.Scopes, scope) { - uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", redirectUri, strings.ReplaceAll(scope, " ", "+")) - if state != "" { - uri += "&state=" + state - } - http.Redirect(w, r, uri, http.StatusFound) - return - } - } - - if !slices.Contains(client.RedirectUris, redirectUri) { - uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", redirectUri) - if state != "" { - uri += "&state=" + state - } + if uri, err := h.verifyOAuthClient(w, r, &VerifyOAuthClientParams{ + ClientID: clientId, + RedirectURI: redirectUri, + State: state, + }); err != nil { http.Redirect(w, r, uri, http.StatusFound) return } diff --git a/internal/oauth/client.go b/internal/oauth/client.go new file mode 100644 index 0000000..80227c8 --- /dev/null +++ b/internal/oauth/client.go @@ -0,0 +1,56 @@ +package oauth + +import ( + "fmt" + "net/http" + "slices" + "strings" +) + +type VerifyOAuthClientParams struct { + ClientID string `json:"client_id"` + RedirectURI string `json:"redirect_uri"` + State string `json:"state"` +} + +func (h *OAuthHandler) verifyOAuthClient(w http.ResponseWriter, r *http.Request, params *VerifyOAuthClientParams) (string, error) { + client, err := h.repo.GetApiServiceCID(r.Context(), params.ClientID) + if err != nil { + uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", params.RedirectURI) + if params.State != "" { + uri += "&state=" + params.State + } + return uri, fmt.Errorf("target oauth service with client id '%s' is not registered", params.ClientID) + } + + if !client.IsActive { + uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", params.RedirectURI) + if params.State != "" { + uri += "&state=" + params.State + } + return uri, fmt.Errorf("target oauth service with client id '%s' is not available", client.ClientID) + } + + scopes := strings.SplitSeq(strings.TrimSpace(r.URL.Query().Get("scope")), " ") + + for scope := range scopes { + if !slices.Contains(client.Scopes, scope) { + uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", params.RedirectURI, strings.ReplaceAll(scope, " ", "+")) + if params.State != "" { + uri += "&state=" + params.State + } + return uri, fmt.Errorf("unallowed scope '%s' requested", scope) + } + } + + if !slices.Contains(client.RedirectUris, params.RedirectURI) { + uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", params.RedirectURI) + if params.State != "" { + uri += "&state=" + params.State + } + http.Redirect(w, r, uri, http.StatusFound) + return uri, fmt.Errorf("redirect uri '%s' is unallowed", params.RedirectURI) + } + + return "", nil +} diff --git a/internal/oauth/code.go b/internal/oauth/code.go index 7645e62..4d47a74 100644 --- a/internal/oauth/code.go +++ b/internal/oauth/code.go @@ -39,6 +39,15 @@ func (h *OAuthHandler) getAuthCode(w http.ResponseWriter, r *http.Request) { return } + if _, err := h.verifyOAuthClient(w, r, &VerifyOAuthClientParams{ + ClientID: "", + RedirectURI: "", + State: "", + }); err != nil { + web.Error(w, err.Error(), http.StatusInternalServerError) + return + } + buf := make([]byte, 32) _, err = rand.Read(buf) if err != nil {