fix(server): creepy @@ string split logic for auth_token
This commit is contained in:
parent
9320f1cb07
commit
579899c397
|
@ -16,7 +16,7 @@ jargons
|
||||||
login resolver has optional param state
|
login resolver has optional param state
|
||||||
-if state found in store, split with @@
|
-if state found in store, split with @@
|
||||||
- if len > 1 -> response type is code and has code + challenge
|
- if len > 1 -> response type is code and has code + challenge
|
||||||
- set `nonce@@code` for createAuthToken request so that `c_hash` can be generated
|
- set `nonce, code` for createAuthToken request so that `c_hash` can be generated
|
||||||
- do not add `nonce` to id_token in code flow, instead set `c_hash` and `at_hash`
|
- do not add `nonce` to id_token in code flow, instead set `c_hash` and `at_hash`
|
||||||
|
|
||||||
|
|
||||||
|
@ -26,8 +26,8 @@ jargons
|
||||||
- add &nonce to login redirect url
|
- add &nonce to login redirect url
|
||||||
login resolver has optional param state
|
login resolver has optional param state
|
||||||
- if state found in store, split with @@
|
- if state found in store, split with @@
|
||||||
- if len < 1 -> response type is token / id_token and has nonce
|
- if len < 1 -> response type is token / id_token and value is nonce
|
||||||
- send received nonce for createAuthToken
|
- send received nonce for createAuthToken with empty code value
|
||||||
- set `nonce` and `at_hash` in `id_token`
|
- set `nonce` and `at_hash` in `id_token`
|
||||||
**/
|
**/
|
||||||
|
|
||||||
|
@ -277,7 +277,7 @@ func AuthorizeHandler() gin.HandlerFunc {
|
||||||
if responseType == constants.ResponseTypeToken || responseType == constants.ResponseTypeIDToken {
|
if responseType == constants.ResponseTypeToken || responseType == constants.ResponseTypeIDToken {
|
||||||
hostname := parsers.GetHost(gc)
|
hostname := parsers.GetHost(gc)
|
||||||
// rollover the session for security
|
// rollover the session for security
|
||||||
authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod, nonce)
|
authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod, nonce, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("CreateAuthToken failed: ", err)
|
log.Debug("CreateAuthToken failed: ", err)
|
||||||
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
|
||||||
|
|
|
@ -197,8 +197,11 @@ func OAuthCallbackHandler() gin.HandlerFunc {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO
|
||||||
|
// use stateValue to get code / nonce
|
||||||
|
// add code / nonce to id_token
|
||||||
nonce := uuid.New().String()
|
nonce := uuid.New().String()
|
||||||
authToken, err := token.CreateAuthToken(ctx, user, inputRoles, scopes, provider, nonce)
|
authToken, err := token.CreateAuthToken(ctx, user, inputRoles, scopes, provider, nonce, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("Failed to create auth token: ", err)
|
log.Debug("Failed to create auth token: ", err)
|
||||||
ctx.JSON(500, gin.H{"error": err.Error()})
|
ctx.JSON(500, gin.H{"error": err.Error()})
|
||||||
|
|
|
@ -246,7 +246,7 @@ func TokenHandler() gin.HandlerFunc {
|
||||||
fmt.Println("=> code", code)
|
fmt.Println("=> code", code)
|
||||||
fmt.Println("=> nonce", nonce)
|
fmt.Println("=> nonce", nonce)
|
||||||
|
|
||||||
authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce)
|
authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, code)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("Error creating auth token: ", err)
|
log.Debug("Error creating auth token: ", err)
|
||||||
gc.JSON(http.StatusUnauthorized, gin.H{
|
gc.JSON(http.StatusUnauthorized, gin.H{
|
||||||
|
|
|
@ -101,7 +101,7 @@ func VerifyEmailHandler() gin.HandlerFunc {
|
||||||
}
|
}
|
||||||
|
|
||||||
nonce := uuid.New().String()
|
nonce := uuid.New().String()
|
||||||
authToken, err := token.CreateAuthToken(c, user, roles, scope, loginMethod, nonce)
|
authToken, err := token.CreateAuthToken(c, user, roles, scope, loginMethod, nonce, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("Error creating auth token: ", err)
|
log.Debug("Error creating auth token: ", err)
|
||||||
errorRes["error_description"] = err.Error()
|
errorRes["error_description"] = err.Error()
|
||||||
|
|
|
@ -155,7 +155,6 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
|
||||||
codeChallenge = authorizeStateSplit[1]
|
codeChallenge = authorizeStateSplit[1]
|
||||||
|
|
||||||
fmt.Println("=> code info", authorizeStateSplit)
|
fmt.Println("=> code info", authorizeStateSplit)
|
||||||
nonce = nonce + "@@" + code
|
|
||||||
} else {
|
} else {
|
||||||
nonce = authorizeState
|
nonce = authorizeState
|
||||||
}
|
}
|
||||||
|
@ -163,7 +162,7 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce)
|
authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, code)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("Failed to create auth token", err)
|
log.Debug("Failed to create auth token", err)
|
||||||
return res, err
|
return res, err
|
||||||
|
@ -186,8 +185,8 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
|
||||||
sessionStoreKey := constants.AuthRecipeMethodBasicAuth + ":" + user.ID
|
sessionStoreKey := constants.AuthRecipeMethodBasicAuth + ":" + user.ID
|
||||||
memorystore.Provider.SetUserSession(sessionStoreKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
memorystore.Provider.SetUserSession(sessionStoreKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
||||||
memorystore.Provider.SetUserSession(sessionStoreKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
memorystore.Provider.SetUserSession(sessionStoreKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
||||||
|
// TODO add to other login options as well
|
||||||
// Code challenge could be optional if PKCE flow is not used
|
// Code challenge could be optional if PKCE flow is not used
|
||||||
|
|
||||||
if code != "" {
|
if code != "" {
|
||||||
fmt.Println("=> setting the state here....")
|
fmt.Println("=> setting the state here....")
|
||||||
if err := memorystore.Provider.SetState(code, codeChallenge+"@@"+authToken.FingerPrintHash); err != nil {
|
if err := memorystore.Provider.SetState(code, codeChallenge+"@@"+authToken.FingerPrintHash); err != nil {
|
||||||
|
|
|
@ -15,6 +15,7 @@ import (
|
||||||
"github.com/authorizerdev/authorizer/server/graph/model"
|
"github.com/authorizerdev/authorizer/server/graph/model"
|
||||||
"github.com/authorizerdev/authorizer/server/memorystore"
|
"github.com/authorizerdev/authorizer/server/memorystore"
|
||||||
"github.com/authorizerdev/authorizer/server/parsers"
|
"github.com/authorizerdev/authorizer/server/parsers"
|
||||||
|
"github.com/authorizerdev/authorizer/server/refs"
|
||||||
"github.com/authorizerdev/authorizer/server/token"
|
"github.com/authorizerdev/authorizer/server/token"
|
||||||
"github.com/authorizerdev/authorizer/server/utils"
|
"github.com/authorizerdev/authorizer/server/utils"
|
||||||
"github.com/authorizerdev/authorizer/server/validators"
|
"github.com/authorizerdev/authorizer/server/validators"
|
||||||
|
@ -185,7 +186,7 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
|
||||||
}
|
}
|
||||||
redirectURLParams := "&roles=" + strings.Join(inputRoles, ",")
|
redirectURLParams := "&roles=" + strings.Join(inputRoles, ",")
|
||||||
if params.State != nil {
|
if params.State != nil {
|
||||||
redirectURLParams = redirectURLParams + "&state=" + *params.State
|
redirectURLParams = redirectURLParams + "&state=" + refs.StringValue(params.State)
|
||||||
}
|
}
|
||||||
if params.Scope != nil && len(params.Scope) > 0 {
|
if params.Scope != nil && len(params.Scope) > 0 {
|
||||||
redirectURLParams = redirectURLParams + "&scope=" + strings.Join(params.Scope, " ")
|
redirectURLParams = redirectURLParams + "&scope=" + strings.Join(params.Scope, " ")
|
||||||
|
|
|
@ -72,7 +72,7 @@ func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*mod
|
||||||
}
|
}
|
||||||
|
|
||||||
nonce := uuid.New().String()
|
nonce := uuid.New().String()
|
||||||
authToken, err := token.CreateAuthToken(gc, user, claimRoles, scope, claims.LoginMethod, nonce)
|
authToken, err := token.CreateAuthToken(gc, user, claimRoles, scope, claims.LoginMethod, nonce, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("Failed to create auth token: ", err)
|
log.Debug("Failed to create auth token: ", err)
|
||||||
return res, err
|
return res, err
|
||||||
|
|
|
@ -258,7 +258,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
|
||||||
nonce = nonce + "@@" + code
|
nonce = nonce + "@@" + code
|
||||||
}
|
}
|
||||||
|
|
||||||
authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce)
|
authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, code)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("Failed to create auth token: ", err)
|
log.Debug("Failed to create auth token: ", err)
|
||||||
return res, err
|
return res, err
|
||||||
|
|
|
@ -86,7 +86,7 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
|
||||||
roles := strings.Split(user.Roles, ",")
|
roles := strings.Split(user.Roles, ",")
|
||||||
scope := []string{"openid", "email", "profile"}
|
scope := []string{"openid", "email", "profile"}
|
||||||
nonce := uuid.New().String()
|
nonce := uuid.New().String()
|
||||||
authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce)
|
authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("Failed to create auth token: ", err)
|
log.Debug("Failed to create auth token: ", err)
|
||||||
return res, err
|
return res, err
|
||||||
|
|
|
@ -59,7 +59,7 @@ func VerifyOtpResolver(ctx context.Context, params model.VerifyOTPRequest) (*mod
|
||||||
roles := strings.Split(user.Roles, ",")
|
roles := strings.Split(user.Roles, ",")
|
||||||
scope := []string{"openid", "email", "profile"}
|
scope := []string{"openid", "email", "profile"}
|
||||||
nonce := uuid.New().String()
|
nonce := uuid.New().String()
|
||||||
authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce)
|
authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, "")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
log.Debug("Failed to create auth token: ", err)
|
log.Debug("Failed to create auth token: ", err)
|
||||||
return res, err
|
return res, err
|
||||||
|
|
|
@ -52,7 +52,7 @@ func validateJwtTokenTest(t *testing.T, s TestSetup) {
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
sessionKey := constants.AuthRecipeMethodBasicAuth + ":" + user.ID
|
sessionKey := constants.AuthRecipeMethodBasicAuth + ":" + user.ID
|
||||||
nonce := uuid.New().String()
|
nonce := uuid.New().String()
|
||||||
authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce)
|
authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, "")
|
||||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
|
||||||
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
|
||||||
|
|
||||||
|
|
|
@ -49,18 +49,7 @@ type SessionData struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
// CreateAuthToken creates a new auth token when userlogs in
|
// CreateAuthToken creates a new auth token when userlogs in
|
||||||
func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string, loginMethod, nonce string) (*Token, error) {
|
func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string, loginMethod, nonce string, code string) (*Token, error) {
|
||||||
|
|
||||||
code := ""
|
|
||||||
nonceSplit := strings.Split(nonce, "@@")
|
|
||||||
fingerPrint := nonce
|
|
||||||
fmt.Println("=> nonce split", nonceSplit)
|
|
||||||
if len(nonceSplit) > 1 {
|
|
||||||
code = nonceSplit[1]
|
|
||||||
// use original nonce for session token and access token
|
|
||||||
nonce = nonceSplit[0]
|
|
||||||
fingerPrint = nonce
|
|
||||||
}
|
|
||||||
|
|
||||||
fmt.Println("=> original nonce:", nonce)
|
fmt.Println("=> original nonce:", nonce)
|
||||||
|
|
||||||
|
@ -98,7 +87,7 @@ func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string, l
|
||||||
}
|
}
|
||||||
|
|
||||||
res := &Token{
|
res := &Token{
|
||||||
FingerPrint: fingerPrint,
|
FingerPrint: nonce,
|
||||||
FingerPrintHash: fingerPrintHash,
|
FingerPrintHash: fingerPrintHash,
|
||||||
AccessToken: &JWTToken{Token: accessToken, ExpiresAt: accessTokenExpiresAt},
|
AccessToken: &JWTToken{Token: accessToken, ExpiresAt: accessTokenExpiresAt},
|
||||||
IDToken: &JWTToken{Token: idToken, ExpiresAt: idTokenExpiresAt},
|
IDToken: &JWTToken{Token: idToken, ExpiresAt: idTokenExpiresAt},
|
||||||
|
|
Loading…
Reference in New Issue
Block a user