admin/hspguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix+feat: use verify oauth client helper in token as well

Browse Source
This commit is contained in:
Amir Adal
2025-06-09 15:55:36 +02:00
parent 299e7eddc4
commit dc41521a99
4 changed files with 48 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
internal/oauth/authorize.go
View File

@ -3,6 +3,7 @@ package oauth
import ( import (
"fmt" "fmt"
"net/http" "net/http"
"strings"
"gitea.local/admin/hspguard/internal/web" "gitea.local/admin/hspguard/internal/web"
) )
@ -27,10 +28,13 @@ func (h *OAuthHandler) AuthorizeClient(w http.ResponseWriter, r *http.Request) {
return return
} }
if uri, err := h.verifyOAuthClient(w, r, &VerifyOAuthClientParams{ scopes := strings.Split(strings.TrimSpace(r.URL.Query().Get("scope")), " ")
if uri, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
ClientID: clientId, ClientID: clientId,
RedirectURI: redirectUri, RedirectURI: &redirectUri,
State: state, State: state,
Scopes: &scopes,
}); err != nil { }); err != nil {
http.Redirect(w, r, uri, http.StatusFound) http.Redirect(w, r, uri, http.StatusFound)
return return

46
internal/oauth/client.go
View File

@ -1,22 +1,23 @@
package oauth package oauth
import ( import (
"context"
"fmt" "fmt"
"net/http"
"slices" "slices"
"strings" "strings"
) )
type VerifyOAuthClientParams struct { type VerifyOAuthClientParams struct {
ClientID string `json:"client_id"` ClientID string `json:"client_id"`
RedirectURI string `json:"redirect_uri"` RedirectURI *string `json:"redirect_uri"`
State string `json:"state"` State string `json:"state"`
Scopes *[]string `json:"scopes"`
} }
func (h *OAuthHandler) verifyOAuthClient(w http.ResponseWriter, r *http.Request, params *VerifyOAuthClientParams) (string, error) { func (h *OAuthHandler) verifyOAuthClient(ctx context.Context, params *VerifyOAuthClientParams) (string, error) {
client, err := h.repo.GetApiServiceCID(r.Context(), params.ClientID) client, err := h.repo.GetApiServiceCID(ctx, params.ClientID)
if err != nil { if err != nil {
uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", params.RedirectURI) uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", *params.RedirectURI)
if params.State != "" { if params.State != "" {
uri += "&state=" + params.State uri += "&state=" + params.State
} }
@ -24,32 +25,33 @@ func (h *OAuthHandler) verifyOAuthClient(w http.ResponseWriter, r *http.Request,
} }
if !client.IsActive { if !client.IsActive {
uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", params.RedirectURI) uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", *params.RedirectURI)
if params.State != "" { if params.State != "" {
uri += "&state=" + params.State uri += "&state=" + params.State
} }
return uri, fmt.Errorf("target oauth service with client id '%s' is not available", client.ClientID) return uri, fmt.Errorf("target oauth service with client id '%s' is not available", client.ClientID)
} }
scopes := strings.SplitSeq(strings.TrimSpace(r.URL.Query().Get("scope")), " ") if params.Scopes != nil {
for _, scope := range *params.Scopes {
for scope := range scopes { if !slices.Contains(client.Scopes, scope) {
if !slices.Contains(client.Scopes, scope) { uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", *params.RedirectURI, strings.ReplaceAll(scope, " ", "+"))
uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", params.RedirectURI, strings.ReplaceAll(scope, " ", "+")) if params.State != "" {
if params.State != "" { uri += "&state=" + params.State
uri += "&state=" + params.State }
return uri, fmt.Errorf("unallowed scope '%s' requested", scope)
} }
return uri, fmt.Errorf("unallowed scope '%s' requested", scope)
} }
} }
if !slices.Contains(client.RedirectUris, params.RedirectURI) { if params.RedirectURI != nil {
uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", params.RedirectURI) if !slices.Contains(client.RedirectUris, *params.RedirectURI) {
if params.State != "" { uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", *params.RedirectURI)
uri += "&state=" + params.State if params.State != "" {
uri += "&state=" + params.State
}
return uri, fmt.Errorf("redirect uri '%s' is unallowed", *params.RedirectURI)
} }
http.Redirect(w, r, uri, http.StatusFound)
return uri, fmt.Errorf("redirect uri '%s' is unallowed", params.RedirectURI)
} }
return "", nil return "", nil

7
internal/oauth/code.go
View File

@ -39,10 +39,11 @@ func (h *OAuthHandler) getAuthCode(w http.ResponseWriter, r *http.Request) {
return return
} }
if _, err := h.verifyOAuthClient(w, r, &VerifyOAuthClientParams{ if _, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
ClientID: "", ClientID: req.ClientID,
RedirectURI: "", RedirectURI: nil,
State: "", State: "",
Scopes: nil,
}); err != nil { }); err != nil {
web.Error(w, err.Error(), http.StatusInternalServerError) web.Error(w, err.Error(), http.StatusInternalServerError)
return return

16
internal/oauth/token.go
View File

@ -152,12 +152,24 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
} }
grantType := r.FormValue("grant_type") grantType := r.FormValue("grant_type")
redirectUri := r.FormValue("redirect_uri")
log.Printf("Redirect URI is %s\n", redirectUri) log.Println("DEBUG: Verifying target oauth client before proceeding...")
if _, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
ClientID: clientId,
RedirectURI: nil,
State: "",
Scopes: nil,
}); err != nil {
web.Error(w, err.Error(), http.StatusInternalServerError)
return
}
switch grantType { switch grantType {
case "authorization_code": case "authorization_code":
redirectUri := r.FormValue("redirect_uri")
log.Printf("Redirect URI is %s\n", redirectUri)
code := r.FormValue("code") code := r.FormValue("code")
fmt.Printf("Code received: %s\n", code) fmt.Printf("Code received: %s\n", code)