fix(server): creepy @@ string split logic for auth_token

2022-11-13 01:22:21 +05:30 · 2022-11-13 01:22:21 +05:30 · 579899c397
commit 579899c397
parent 9320f1cb07
12 changed files with 21 additions and 29 deletions
--- a/server/handlers/authorize.go
+++ b/server/handlers/authorize.go
@ -16,7 +16,7 @@ jargons
 	login resolver has optional param state
 		-if state found in store, split with @@
 		- if len > 1 -> response type is code and has code + challenge
-		- set `nonce@@code` for createAuthToken request so that `c_hash` can be generated
+		- set `nonce, code` for createAuthToken request so that `c_hash` can be generated
 		- do not add `nonce` to id_token in code flow, instead set `c_hash` and `at_hash`


@ -26,8 +26,8 @@ jargons
 		- add &nonce to login redirect url
 	login resolver has optional param state
 		- if state found in store, split with @@
-		- if len < 1 -> response type is token / id_token and has nonce
-		- send received nonce for createAuthToken
+		- if len < 1 -> response type is token / id_token and value is nonce
+		- send received nonce for createAuthToken with empty code value
 		- set `nonce` and `at_hash` in `id_token`
 **/

@ -277,7 +277,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 		if responseType == constants.ResponseTypeToken || responseType == constants.ResponseTypeIDToken {
 			hostname := parsers.GetHost(gc)
 			// rollover the session for security
-			authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod, nonce)
+			authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod, nonce, "")
 			if err != nil {
 				log.Debug("CreateAuthToken failed: ", err)
 				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
--- a/server/handlers/oauth_callback.go
+++ b/server/handlers/oauth_callback.go
@ -197,8 +197,11 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			}
 		}

+		// TODO
+		// use stateValue to get code / nonce
+		// add code / nonce to id_token
 		nonce := uuid.New().String()
-		authToken, err := token.CreateAuthToken(ctx, user, inputRoles, scopes, provider, nonce)
+		authToken, err := token.CreateAuthToken(ctx, user, inputRoles, scopes, provider, nonce, "")
 		if err != nil {
 			log.Debug("Failed to create auth token: ", err)
 			ctx.JSON(500, gin.H{"error": err.Error()})
--- a/server/handlers/token.go
+++ b/server/handlers/token.go
@ -246,7 +246,7 @@ func TokenHandler() gin.HandlerFunc {
 		fmt.Println("=> code", code)
 		fmt.Println("=> nonce", nonce)

-		authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce)
+		authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, code)
 		if err != nil {
 			log.Debug("Error creating auth token: ", err)
 			gc.JSON(http.StatusUnauthorized, gin.H{
--- a/server/handlers/verify_email.go
+++ b/server/handlers/verify_email.go
@ -101,7 +101,7 @@ func VerifyEmailHandler() gin.HandlerFunc {
 		}

 		nonce := uuid.New().String()
-		authToken, err := token.CreateAuthToken(c, user, roles, scope, loginMethod, nonce)
+		authToken, err := token.CreateAuthToken(c, user, roles, scope, loginMethod, nonce, "")
 		if err != nil {
 			log.Debug("Error creating auth token: ", err)
 			errorRes["error_description"] = err.Error()
--- a/server/resolvers/login.go
+++ b/server/resolvers/login.go
@ -155,7 +155,6 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 				codeChallenge = authorizeStateSplit[1]

 				fmt.Println("=> code info", authorizeStateSplit)
-				nonce = nonce + "@@" + code
 			} else {
 				nonce = authorizeState
 			}
@ -163,7 +162,7 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 		}
 	}

-	authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce)
+	authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, code)
 	if err != nil {
 		log.Debug("Failed to create auth token", err)
 		return res, err
@ -186,8 +185,8 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 	sessionStoreKey := constants.AuthRecipeMethodBasicAuth + ":" + user.ID
 	memorystore.Provider.SetUserSession(sessionStoreKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
 	memorystore.Provider.SetUserSession(sessionStoreKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
+	// TODO add to other login options as well
 	// Code challenge could be optional if PKCE flow is not used
-
 	if code != "" {
 		fmt.Println("=> setting the state here....")
 		if err := memorystore.Provider.SetState(code, codeChallenge+"@@"+authToken.FingerPrintHash); err != nil {
--- a/server/resolvers/magic_link_login.go
+++ b/server/resolvers/magic_link_login.go
@ -15,6 +15,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/parsers"
+	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/authorizerdev/authorizer/server/validators"
@ -185,7 +186,7 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 		}
 		redirectURLParams := "&roles=" + strings.Join(inputRoles, ",")
 		if params.State != nil {
-			redirectURLParams = redirectURLParams + "&state=" + *params.State
+			redirectURLParams = redirectURLParams + "&state=" + refs.StringValue(params.State)
 		}
 		if params.Scope != nil && len(params.Scope) > 0 {
 			redirectURLParams = redirectURLParams + "&scope=" + strings.Join(params.Scope, " ")
--- a/server/resolvers/session.go
+++ b/server/resolvers/session.go
@ -72,7 +72,7 @@ func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*mod
 	}

 	nonce := uuid.New().String()
-	authToken, err := token.CreateAuthToken(gc, user, claimRoles, scope, claims.LoginMethod, nonce)
+	authToken, err := token.CreateAuthToken(gc, user, claimRoles, scope, claims.LoginMethod, nonce, "")
 	if err != nil {
 		log.Debug("Failed to create auth token: ", err)
 		return res, err
--- a/server/resolvers/signup.go
+++ b/server/resolvers/signup.go
@ -258,7 +258,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 			nonce = nonce + "@@" + code
 		}

-		authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce)
+		authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, code)
 		if err != nil {
 			log.Debug("Failed to create auth token: ", err)
 			return res, err
--- a/server/resolvers/verify_email.go
+++ b/server/resolvers/verify_email.go
@ -86,7 +86,7 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
 	roles := strings.Split(user.Roles, ",")
 	scope := []string{"openid", "email", "profile"}
 	nonce := uuid.New().String()
-	authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce)
+	authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, "")
 	if err != nil {
 		log.Debug("Failed to create auth token: ", err)
 		return res, err
--- a/server/resolvers/verify_otp.go
+++ b/server/resolvers/verify_otp.go
@ -59,7 +59,7 @@ func VerifyOtpResolver(ctx context.Context, params model.VerifyOTPRequest) (*mod
 	roles := strings.Split(user.Roles, ",")
 	scope := []string{"openid", "email", "profile"}
 	nonce := uuid.New().String()
-	authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce)
+	authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, "")
 	if err != nil {
 		log.Debug("Failed to create auth token: ", err)
 		return res, err
--- a/server/test/validate_jwt_token_test.go
+++ b/server/test/validate_jwt_token_test.go
@ -52,7 +52,7 @@ func validateJwtTokenTest(t *testing.T, s TestSetup) {
 	assert.NoError(t, err)
 	sessionKey := constants.AuthRecipeMethodBasicAuth + ":" + user.ID
 	nonce := uuid.New().String()
-	authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce)
+	authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, "")
 	memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
 	memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)

--- a/server/token/auth_token.go
+++ b/server/token/auth_token.go
@ -49,18 +49,7 @@ type SessionData struct {
 }

 // CreateAuthToken creates a new auth token when userlogs in
-func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string, loginMethod, nonce string) (*Token, error) {
-
-	code := ""
-	nonceSplit := strings.Split(nonce, "@@")
-	fingerPrint := nonce
-	fmt.Println("=> nonce split", nonceSplit)
-	if len(nonceSplit) > 1 {
-		code = nonceSplit[1]
-		// use original nonce for session token and access token
-		nonce = nonceSplit[0]
-		fingerPrint = nonce
-	}
+func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string, loginMethod, nonce string, code string) (*Token, error) {

 	fmt.Println("=> original nonce:", nonce)

@ -98,7 +87,7 @@ func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string, l
 	}

 	res := &Token{
-		FingerPrint:     fingerPrint,
+		FingerPrint:     nonce,
 		FingerPrintHash: fingerPrintHash,
 		AccessToken:     &JWTToken{Token: accessToken, ExpiresAt: accessTokenExpiresAt},
 		IDToken:         &JWTToken{Token: idToken, ExpiresAt: idTokenExpiresAt},