devstack/authorizer
4
0
Fork 0
Code Pull Requests Actions Activity

feat: add form_post method

Browse Source
This commit is contained in:
Lakhan Samani 2022-10-16 20:46:54 +05:30
parent ff805e3ef2
commit 2bd92d6028
4 changed files with 118 additions and 77 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

180
server/handlers/authorize.go
View File

@ -27,6 +27,12 @@ import (
// code_challenge_method = to prevent CSRF attack [only sh256 is supported] // code_challenge_method = to prevent CSRF attack [only sh256 is supported]
// check the flow for generating and verifying codes: https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#:~:text=PKCE%20works%20by%20having%20the,is%20called%20the%20Code%20Challenge. // check the flow for generating and verifying codes: https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#:~:text=PKCE%20works%20by%20having%20the,is%20called%20the%20Code%20Challenge.
const (
authorizeWebMessageTemplate = "authorize_web_message.tmpl"
authorizeFormPostTemplate = "authorize_form_post.tmpl"
)
func AuthorizeHandler() gin.HandlerFunc { func AuthorizeHandler() gin.HandlerFunc {
return func(gc *gin.Context) { return func(gc *gin.Context) {
redirectURI := strings.TrimSpace(gc.Query("redirect_uri")) redirectURI := strings.TrimSpace(gc.Query("redirect_uri"))
@ -35,7 +41,6 @@ func AuthorizeHandler() gin.HandlerFunc {
codeChallenge := strings.TrimSpace(gc.Query("code_challenge")) codeChallenge := strings.TrimSpace(gc.Query("code_challenge"))
scopeString := strings.TrimSpace(gc.Query("scope")) scopeString := strings.TrimSpace(gc.Query("scope"))
clientID := strings.TrimSpace(gc.Query("client_id")) clientID := strings.TrimSpace(gc.Query("client_id"))
template := "authorize.tmpl"
responseMode := strings.TrimSpace(gc.Query("response_mode")) responseMode := strings.TrimSpace(gc.Query("response_mode"))
var scope []string var scope []string
@ -63,10 +68,22 @@ func AuthorizeHandler() gin.HandlerFunc {
return return
} }
// used for response mode query or fragment
loginState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI
loginURL := "/app?" + loginState
if responseMode == constants.ResponseModeFragment {
loginURL = "/app#" + loginState
}
loginError := map[string]interface{}{
"error": "login_required",
"error_description": "Login is required",
}
sessionToken, err := cookie.GetSession(gc) sessionToken, err := cookie.GetSession(gc)
if err != nil { if err != nil {
log.Debug("GetSession failed: ", err) log.Debug("GetSession failed: ", err)
gc.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("login required. %v", err)}) handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
return return
} }
@ -74,14 +91,17 @@ func AuthorizeHandler() gin.HandlerFunc {
claims, err := token.ValidateBrowserSession(gc, sessionToken) claims, err := token.ValidateBrowserSession(gc, sessionToken)
if err != nil { if err != nil {
log.Debug("ValidateBrowserSession failed: ", err) log.Debug("ValidateBrowserSession failed: ", err)
gc.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("login required. %v", err)}) handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
return return
} }
userID := claims.Subject userID := claims.Subject
user, err := db.Provider.GetUserByID(gc, userID) user, err := db.Provider.GetUserByID(gc, userID)
if err != nil { if err != nil {
log.Debug("GetUserByID failed: ", err) log.Debug("GetUserByID failed: ", err)
gc.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("sign up required. %v", err)}) handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
"error": "signup_required",
"error_description": "Sign up required",
}, http.StatusOK)
return return
} }
@ -90,44 +110,34 @@ func AuthorizeHandler() gin.HandlerFunc {
sessionKey = claims.LoginMethod + ":" + user.ID sessionKey = claims.LoginMethod + ":" + user.ID
} }
// used for response mode query or fragment
loginState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI
loginURL := "/app?" + loginState
if responseMode == constants.ResponseModeFragment {
loginURL = "/app#" + loginState
}
// rollover the session for security // rollover the session for security
go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce) go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
if responseType == constants.ResponseTypeCode {
// if user is logged in
// based on the response type code, generate the response
if isResponseTypeCode {
nonce := uuid.New().String() nonce := uuid.New().String()
newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod) newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
if err != nil { if err != nil {
if isQuery { log.Debug("CreateSessionToken failed: ", err)
gc.Redirect(http.StatusFound, loginURL) handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
} else { return
gc.HTML(http.StatusOK, template, gin.H{ }
"target_origin": redirectURI,
"authorization_response": map[string]interface{}{ if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken); err != nil {
"type": "authorization_response", log.Debug("SetUserSession failed: ", err)
"response": map[string]string{ handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
"error": "login_required",
"error_description": "Login is required",
},
},
})
}
return return
} }
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken)
cookie.SetSession(gc, newSessionToken) cookie.SetSession(gc, newSessionToken)
code := uuid.New().String() code := uuid.New().String()
memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken) if err := memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken); err != nil {
gc.HTML(http.StatusOK, template, gin.H{ log.Debug("SetState failed: ", err)
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
return
}
// in case, response type is code and user is already logged in send the code and state
// and cookie session will already be rolled over and set
gc.HTML(http.StatusOK, authorizeWebMessageTemplate, gin.H{
"target_origin": redirectURI, "target_origin": redirectURI,
"authorization_response": map[string]interface{}{ "authorization_response": map[string]interface{}{
"type": "authorization_response", "type": "authorization_response",
@ -140,29 +150,27 @@ func AuthorizeHandler() gin.HandlerFunc {
return return
} }
if isResponseTypeToken { if responseType == constants.ResponseTypeToken {
// rollover the session for security // rollover the session for security
authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod) authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod)
if err != nil { if err != nil {
if isQuery { log.Debug("CreateAuthToken failed: ", err)
gc.Redirect(http.StatusFound, loginURL) handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
} else { return
gc.HTML(http.StatusOK, template, gin.H{ }
"target_origin": redirectURI,
"authorization_response": map[string]interface{}{ if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash); err != nil {
"type": "authorization_response", log.Debug("SetUserSession failed: ", err)
"response": map[string]string{ handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
"error": "login_required", return
"error_description": "Login is required", }
},
}, if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token); err != nil {
}) log.Debug("SetUserSession failed: ", err)
} handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
return return
} }
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
cookie.SetSession(gc, authToken.FingerPrintHash) cookie.SetSession(gc, authToken.FingerPrintHash)
expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix() expiresIn := authToken.AccessToken.ExpiresAt - time.Now().Unix()
@ -188,39 +196,28 @@ func AuthorizeHandler() gin.HandlerFunc {
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token) memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token)
} }
if isQuery { if responseMode == constants.ResponseModeQuery {
if strings.Contains(redirectURI, "?") { if strings.Contains(redirectURI, "?") {
gc.Redirect(http.StatusFound, redirectURI+"&"+params) redirectURI = redirectURI + "&" + params
} else { } else {
gc.Redirect(http.StatusFound, redirectURI+"?"+params) redirectURI = redirectURI + "?" + params
}
} else if responseMode == constants.ResponseModeFragment {
if strings.Contains(redirectURI, "#") {
redirectURI = redirectURI + "&" + params
} else {
redirectURI = redirectURI + "#" + params
} }
} else {
gc.HTML(http.StatusOK, template, gin.H{
"target_origin": redirectURI,
"authorization_response": map[string]interface{}{
"type": "authorization_response",
"response": res,
},
})
} }
handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
"type": "authorization_response",
"response": res,
}, http.StatusOK)
return return
} }
if isQuery { handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
gc.Redirect(http.StatusFound, loginURL)
} else {
// by default return with error
gc.HTML(http.StatusOK, template, gin.H{
"target_origin": redirectURI,
"authorization_response": map[string]interface{}{
"type": "authorization_response",
"response": map[string]string{
"error": "login_required",
"error_description": "Login is required",
},
},
})
}
} }
} }
@ -230,7 +227,7 @@ func validateAuthorizeRequest(responseType, responseMode, clientID, state, codeC
} }
if responseMode != constants.ResponseModeQuery && responseMode != constants.ResponseModeWebMessage && responseMode != constants.ResponseModeFragment && responseMode != constants.ResponseModeFormPost { if responseMode != constants.ResponseModeQuery && responseMode != constants.ResponseModeWebMessage && responseMode != constants.ResponseModeFragment && responseMode != constants.ResponseModeFormPost {
return fmt.Errorf("invalid response mode %s. 'query', 'fragment', 'form_post' and 'web_message' are valid response_mode") return fmt.Errorf("invalid response mode %s. 'query', 'fragment', 'form_post' and 'web_message' are valid response_mode", responseMode)
} }
if responseType == constants.ResponseTypeCode && strings.TrimSpace(codeChallenge) == "" { if responseType == constants.ResponseTypeCode && strings.TrimSpace(codeChallenge) == "" {
@ -247,3 +244,34 @@ func validateAuthorizeRequest(responseType, responseMode, clientID, state, codeC
return nil return nil
} }
func handleResponse(gc *gin.Context, responseMode, loginURI, redirectURI string, data map[string]interface{}, httpStatusCode int) {
isAuthenticationRequired := false
if val, ok := data["error"]; ok {
if val == "login_required" || val == "signup_required" {
isAuthenticationRequired = true
}
}
switch responseMode {
case constants.ResponseModeQuery, constants.ResponseModeFragment:
if isAuthenticationRequired {
gc.Redirect(http.StatusFound, loginURI)
} else {
gc.Redirect(http.StatusFound, redirectURI)
}
return
case constants.ResponseModeWebMessage:
gc.HTML(httpStatusCode, authorizeWebMessageTemplate, gin.H{
"target_origin": redirectURI,
"authorization_response": data,
})
return
case constants.ResponseModeFormPost:
gc.HTML(httpStatusCode, authorizeFormPostTemplate, gin.H{
"target_origin": redirectURI,
"authorization_response": data,
})
return
}
}

2
server/resolvers/forgot_password.go
View File

@ -85,7 +85,7 @@ func ForgotPasswordResolver(ctx context.Context, params model.ForgotPasswordInpu
return res, err return res, err
} }
// exec it as go routine so that we can reduce the api latency // execute it as go routine so that we can reduce the api latency
go email.SendEmail([]string{params.Email}, constants.VerificationTypeForgotPassword, map[string]interface{}{ go email.SendEmail([]string{params.Email}, constants.VerificationTypeForgotPassword, map[string]interface{}{
"user": user.ToMap(), "user": user.ToMap(),
"organization": utils.GetOrganization(), "organization": utils.GetOrganization(),

13
templates/authorize_form_post.tmpl Normal file
View File

@ -0,0 +1,13 @@
<!DOCTYPE html>
<html>
<head>
<title>Authorization Response</title>
</head>
<body onload="document.forms['authorize_form_post'].submit()">
<form action={{.target_origin}} name="authorize_form_post">
{{ range $key, $val := .authorization_response }}
<input type="hidden" key={{$key}} value={{$val}} name={{$key}} id={{$key}} />
{{ end }}
</form>
</body>
</html>

0
templates/authorize.tmpl → templates/authorize_web_message.tmpl
View File