admin/hspguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: verify api service in code generation

Browse Source
This commit is contained in:
Amir Adal
2025-06-09 15:39:56 +02:00
parent b4699e987c
commit 299e7eddc4
3 changed files with 70 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
internal/oauth/authorize.go
View File

@ -3,8 +3,6 @@ package oauth
import ( import (
"fmt" "fmt"
"net/http" "net/http"
"slices"
"strings"
"gitea.local/admin/hspguard/internal/web" "gitea.local/admin/hspguard/internal/web"
) )
@ -29,43 +27,11 @@ func (h *OAuthHandler) AuthorizeClient(w http.ResponseWriter, r *http.Request) {
return return
} }
client, err := h.repo.GetApiServiceCID(r.Context(), clientId) if uri, err := h.verifyOAuthClient(w, r, &VerifyOAuthClientParams{
if err != nil { ClientID: clientId,
uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", redirectUri) RedirectURI: redirectUri,
if state != "" { State: state,
uri += "&state=" + state }); err != nil {
}
http.Redirect(w, r, uri, http.StatusFound)
return
}
if !client.IsActive {
uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", redirectUri)
if state != "" {
uri += "&state=" + state
}
http.Redirect(w, r, uri, http.StatusFound)
return
}
scopes := strings.SplitSeq(strings.TrimSpace(r.URL.Query().Get("scope")), " ")
for scope := range scopes {
if !slices.Contains(client.Scopes, scope) {
uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", redirectUri, strings.ReplaceAll(scope, " ", "+"))
if state != "" {
uri += "&state=" + state
}
http.Redirect(w, r, uri, http.StatusFound)
return
}
}
if !slices.Contains(client.RedirectUris, redirectUri) {
uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", redirectUri)
if state != "" {
uri += "&state=" + state
}
http.Redirect(w, r, uri, http.StatusFound) http.Redirect(w, r, uri, http.StatusFound)
return return
} }

56
internal/oauth/client.go Normal file
View File

@ -0,0 +1,56 @@
package oauth
import (
"fmt"
"net/http"
"slices"
"strings"
)
type VerifyOAuthClientParams struct {
ClientID string `json:"client_id"`
RedirectURI string `json:"redirect_uri"`
State string `json:"state"`
}
func (h *OAuthHandler) verifyOAuthClient(w http.ResponseWriter, r *http.Request, params *VerifyOAuthClientParams) (string, error) {
client, err := h.repo.GetApiServiceCID(r.Context(), params.ClientID)
if err != nil {
uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", params.RedirectURI)
if params.State != "" {
uri += "&state=" + params.State
}
return uri, fmt.Errorf("target oauth service with client id '%s' is not registered", params.ClientID)
}
if !client.IsActive {
uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", params.RedirectURI)
if params.State != "" {
uri += "&state=" + params.State
}
return uri, fmt.Errorf("target oauth service with client id '%s' is not available", client.ClientID)
}
scopes := strings.SplitSeq(strings.TrimSpace(r.URL.Query().Get("scope")), " ")
for scope := range scopes {
if !slices.Contains(client.Scopes, scope) {
uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", params.RedirectURI, strings.ReplaceAll(scope, " ", "+"))
if params.State != "" {
uri += "&state=" + params.State
}
return uri, fmt.Errorf("unallowed scope '%s' requested", scope)
}
}
if !slices.Contains(client.RedirectUris, params.RedirectURI) {
uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", params.RedirectURI)
if params.State != "" {
uri += "&state=" + params.State
}
http.Redirect(w, r, uri, http.StatusFound)
return uri, fmt.Errorf("redirect uri '%s' is unallowed", params.RedirectURI)
}
return "", nil
}

9
internal/oauth/code.go
View File

@ -39,6 +39,15 @@ func (h *OAuthHandler) getAuthCode(w http.ResponseWriter, r *http.Request) {
return return
} }
if _, err := h.verifyOAuthClient(w, r, &VerifyOAuthClientParams{
ClientID: "",
RedirectURI: "",
State: "",
}); err != nil {
web.Error(w, err.Error(), http.StatusInternalServerError)
return
}
buf := make([]byte, 32) buf := make([]byte, 32)
_, err = rand.Read(buf) _, err = rand.Read(buf)
if err != nil { if err != nil {