fix+feat: use verify oauth client helper in token as well
This commit is contained in:
@ -3,6 +3,7 @@ package oauth
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"gitea.local/admin/hspguard/internal/web"
|
||||
)
|
||||
@ -27,10 +28,13 @@ func (h *OAuthHandler) AuthorizeClient(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if uri, err := h.verifyOAuthClient(w, r, &VerifyOAuthClientParams{
|
||||
scopes := strings.Split(strings.TrimSpace(r.URL.Query().Get("scope")), " ")
|
||||
|
||||
if uri, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
|
||||
ClientID: clientId,
|
||||
RedirectURI: redirectUri,
|
||||
RedirectURI: &redirectUri,
|
||||
State: state,
|
||||
Scopes: &scopes,
|
||||
}); err != nil {
|
||||
http.Redirect(w, r, uri, http.StatusFound)
|
||||
return
|
||||
|
||||
@ -1,22 +1,23 @@
|
||||
package oauth
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"slices"
|
||||
"strings"
|
||||
)
|
||||
|
||||
type VerifyOAuthClientParams struct {
|
||||
ClientID string `json:"client_id"`
|
||||
RedirectURI string `json:"redirect_uri"`
|
||||
State string `json:"state"`
|
||||
ClientID string `json:"client_id"`
|
||||
RedirectURI *string `json:"redirect_uri"`
|
||||
State string `json:"state"`
|
||||
Scopes *[]string `json:"scopes"`
|
||||
}
|
||||
|
||||
func (h *OAuthHandler) verifyOAuthClient(w http.ResponseWriter, r *http.Request, params *VerifyOAuthClientParams) (string, error) {
|
||||
client, err := h.repo.GetApiServiceCID(r.Context(), params.ClientID)
|
||||
func (h *OAuthHandler) verifyOAuthClient(ctx context.Context, params *VerifyOAuthClientParams) (string, error) {
|
||||
client, err := h.repo.GetApiServiceCID(ctx, params.ClientID)
|
||||
if err != nil {
|
||||
uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", params.RedirectURI)
|
||||
uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", *params.RedirectURI)
|
||||
if params.State != "" {
|
||||
uri += "&state=" + params.State
|
||||
}
|
||||
@ -24,32 +25,33 @@ func (h *OAuthHandler) verifyOAuthClient(w http.ResponseWriter, r *http.Request,
|
||||
}
|
||||
|
||||
if !client.IsActive {
|
||||
uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", params.RedirectURI)
|
||||
uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", *params.RedirectURI)
|
||||
if params.State != "" {
|
||||
uri += "&state=" + params.State
|
||||
}
|
||||
return uri, fmt.Errorf("target oauth service with client id '%s' is not available", client.ClientID)
|
||||
}
|
||||
|
||||
scopes := strings.SplitSeq(strings.TrimSpace(r.URL.Query().Get("scope")), " ")
|
||||
|
||||
for scope := range scopes {
|
||||
if !slices.Contains(client.Scopes, scope) {
|
||||
uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", params.RedirectURI, strings.ReplaceAll(scope, " ", "+"))
|
||||
if params.State != "" {
|
||||
uri += "&state=" + params.State
|
||||
if params.Scopes != nil {
|
||||
for _, scope := range *params.Scopes {
|
||||
if !slices.Contains(client.Scopes, scope) {
|
||||
uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", *params.RedirectURI, strings.ReplaceAll(scope, " ", "+"))
|
||||
if params.State != "" {
|
||||
uri += "&state=" + params.State
|
||||
}
|
||||
return uri, fmt.Errorf("unallowed scope '%s' requested", scope)
|
||||
}
|
||||
return uri, fmt.Errorf("unallowed scope '%s' requested", scope)
|
||||
}
|
||||
}
|
||||
|
||||
if !slices.Contains(client.RedirectUris, params.RedirectURI) {
|
||||
uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", params.RedirectURI)
|
||||
if params.State != "" {
|
||||
uri += "&state=" + params.State
|
||||
if params.RedirectURI != nil {
|
||||
if !slices.Contains(client.RedirectUris, *params.RedirectURI) {
|
||||
uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", *params.RedirectURI)
|
||||
if params.State != "" {
|
||||
uri += "&state=" + params.State
|
||||
}
|
||||
return uri, fmt.Errorf("redirect uri '%s' is unallowed", *params.RedirectURI)
|
||||
}
|
||||
http.Redirect(w, r, uri, http.StatusFound)
|
||||
return uri, fmt.Errorf("redirect uri '%s' is unallowed", params.RedirectURI)
|
||||
}
|
||||
|
||||
return "", nil
|
||||
|
||||
@ -39,10 +39,11 @@ func (h *OAuthHandler) getAuthCode(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
|
||||
if _, err := h.verifyOAuthClient(w, r, &VerifyOAuthClientParams{
|
||||
ClientID: "",
|
||||
RedirectURI: "",
|
||||
if _, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
|
||||
ClientID: req.ClientID,
|
||||
RedirectURI: nil,
|
||||
State: "",
|
||||
Scopes: nil,
|
||||
}); err != nil {
|
||||
web.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
|
||||
@ -152,12 +152,24 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
grantType := r.FormValue("grant_type")
|
||||
redirectUri := r.FormValue("redirect_uri")
|
||||
|
||||
log.Printf("Redirect URI is %s\n", redirectUri)
|
||||
log.Println("DEBUG: Verifying target oauth client before proceeding...")
|
||||
|
||||
if _, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
|
||||
ClientID: clientId,
|
||||
RedirectURI: nil,
|
||||
State: "",
|
||||
Scopes: nil,
|
||||
}); err != nil {
|
||||
web.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
switch grantType {
|
||||
case "authorization_code":
|
||||
redirectUri := r.FormValue("redirect_uri")
|
||||
log.Printf("Redirect URI is %s\n", redirectUri)
|
||||
|
||||
code := r.FormValue("code")
|
||||
|
||||
fmt.Printf("Code received: %s\n", code)
|
||||
|
||||
Reference in New Issue
Block a user