admin/hspguard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: admin:b4699e987cc8769fba0c854ac3381e24e842f8a5
Branches Tags
admin:main admin:group-role-permission
...
compare: admin:dc41521a99442c1ce3f6e40439cfca6811ba21e0
Branches Tags
admin:group-role-permission admin:main

2 Commits
b4699e987c ... dc41521a99

Author SHA1 Message Date
LandaMm
dc41521a99 fix+feat: use verify oauth client helper in token as well 2025-06-09 15:55:36 +02:00
LandaMm
299e7eddc4 feat: verify api service in code generation 2025-06-09 15:39:56 +02:00
4 changed files with 89 additions and 39 deletions
Expand all files Collapse all files

44
internal/oauth/authorize.go
View File

@ -3,7 +3,6 @@ package oauth
import ( import (
"fmt" "fmt"
"net/http" "net/http"
"slices"
"strings" "strings"
"gitea.local/admin/hspguard/internal/web" "gitea.local/admin/hspguard/internal/web"
@ -29,43 +28,14 @@ func (h *OAuthHandler) AuthorizeClient(w http.ResponseWriter, r *http.Request) {
return return
} }
client, err := h.repo.GetApiServiceCID(r.Context(), clientId) scopes := strings.Split(strings.TrimSpace(r.URL.Query().Get("scope")), " ")
if err != nil {
uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", redirectUri)
if state != "" {
uri += "&state=" + state
}
http.Redirect(w, r, uri, http.StatusFound)
return
}
if !client.IsActive { if uri, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", redirectUri) ClientID: clientId,
if state != "" { RedirectURI: &redirectUri,
uri += "&state=" + state State: state,
} Scopes: &scopes,
http.Redirect(w, r, uri, http.StatusFound) }); err != nil {
return
}
scopes := strings.SplitSeq(strings.TrimSpace(r.URL.Query().Get("scope")), " ")
for scope := range scopes {
if !slices.Contains(client.Scopes, scope) {
uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", redirectUri, strings.ReplaceAll(scope, " ", "+"))
if state != "" {
uri += "&state=" + state
}
http.Redirect(w, r, uri, http.StatusFound)
return
}
}
if !slices.Contains(client.RedirectUris, redirectUri) {
uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", redirectUri)
if state != "" {
uri += "&state=" + state
}
http.Redirect(w, r, uri, http.StatusFound) http.Redirect(w, r, uri, http.StatusFound)
return return
} }

58
internal/oauth/client.go Normal file
View File

@ -0,0 +1,58 @@
package oauth
import (
"context"
"fmt"
"slices"
"strings"
)
type VerifyOAuthClientParams struct {
ClientID string `json:"client_id"`
RedirectURI *string `json:"redirect_uri"`
State string `json:"state"`
Scopes *[]string `json:"scopes"`
}
func (h *OAuthHandler) verifyOAuthClient(ctx context.Context, params *VerifyOAuthClientParams) (string, error) {
client, err := h.repo.GetApiServiceCID(ctx, params.ClientID)
if err != nil {
uri := fmt.Sprintf("%s?error=access_denied&error_description=Service+not+authorized", *params.RedirectURI)
if params.State != "" {
uri += "&state=" + params.State
}
return uri, fmt.Errorf("target oauth service with client id '%s' is not registered", params.ClientID)
}
if !client.IsActive {
uri := fmt.Sprintf("%s?error=temporarily_unavailable&error_description=Service+not+active", *params.RedirectURI)
if params.State != "" {
uri += "&state=" + params.State
}
return uri, fmt.Errorf("target oauth service with client id '%s' is not available", client.ClientID)
}
if params.Scopes != nil {
for _, scope := range *params.Scopes {
if !slices.Contains(client.Scopes, scope) {
uri := fmt.Sprintf("%s?error=invalid_scope&error_description=Scope+%s+is+not+allowed", *params.RedirectURI, strings.ReplaceAll(scope, " ", "+"))
if params.State != "" {
uri += "&state=" + params.State
}
return uri, fmt.Errorf("unallowed scope '%s' requested", scope)
}
}
}
if params.RedirectURI != nil {
if !slices.Contains(client.RedirectUris, *params.RedirectURI) {
uri := fmt.Sprintf("%s?error=invalid_request&error_description=Redirect+URI+is+not+allowed", *params.RedirectURI)
if params.State != "" {
uri += "&state=" + params.State
}
return uri, fmt.Errorf("redirect uri '%s' is unallowed", *params.RedirectURI)
}
}
return "", nil
}

10
internal/oauth/code.go
View File

@ -39,6 +39,16 @@ func (h *OAuthHandler) getAuthCode(w http.ResponseWriter, r *http.Request) {
return return
} }
if _, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
ClientID: req.ClientID,
RedirectURI: nil,
State: "",
Scopes: nil,
}); err != nil {
web.Error(w, err.Error(), http.StatusInternalServerError)
return
}
buf := make([]byte, 32) buf := make([]byte, 32)
_, err = rand.Read(buf) _, err = rand.Read(buf)
if err != nil { if err != nil {

16
internal/oauth/token.go
View File

@ -152,12 +152,24 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
} }
grantType := r.FormValue("grant_type") grantType := r.FormValue("grant_type")
redirectUri := r.FormValue("redirect_uri")
log.Printf("Redirect URI is %s\n", redirectUri) log.Println("DEBUG: Verifying target oauth client before proceeding...")
if _, err := h.verifyOAuthClient(r.Context(), &VerifyOAuthClientParams{
ClientID: clientId,
RedirectURI: nil,
State: "",
Scopes: nil,
}); err != nil {
web.Error(w, err.Error(), http.StatusInternalServerError)
return
}
switch grantType { switch grantType {
case "authorization_code": case "authorization_code":
redirectUri := r.FormValue("redirect_uri")
log.Printf("Redirect URI is %s\n", redirectUri)
code := r.FormValue("code") code := r.FormValue("code")
fmt.Printf("Code received: %s\n", code) fmt.Printf("Code received: %s\n", code)