fix: pkce flow for oauth login

2024-01-08 14:21:24 +05:30 · 2024-01-08 14:21:24 +05:30 · e5fbaa26e1
commit e5fbaa26e1
parent 3bd3a52d3b
4 changed files with 17 additions and 6 deletions
--- a/server/handlers/authorize.go
+++ b/server/handlers/authorize.go
@ -123,7 +123,7 @@ func AuthorizeHandler() gin.HandlerFunc {

 		// TODO add state with timeout
 		// used for response mode query or fragment
-		authState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI
+		authState := "state=" + state + "&scope=" + scopeString + "&redirect_uri=" + redirectURI
 		if responseType == constants.ResponseTypeCode {
 			authState += "&code=" + code
 			if err := memorystore.Provider.SetState(state, code+"@@"+codeChallenge); err != nil {
--- a/server/handlers/oauth_callback.go
+++ b/server/handlers/oauth_callback.go
@ -53,7 +53,16 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		stateValue := sessionSplit[0]
 		redirectURL := sessionSplit[1]
 		inputRoles := strings.Split(sessionSplit[2], ",")
-		scopes := strings.Split(sessionSplit[3], ",")
+		scopeString := sessionSplit[3]
+		scopes := []string{}
+		if scopeString != "" {
+			if strings.Contains(scopeString, ",") {
+				scopes = strings.Split(scopeString, ",")
+			}
+			if strings.Contains(scopeString, " ") {
+				scopes = strings.Split(scopeString, " ")
+			}
+		}
 		var user *models.User
 		oauthCode := ctx.Request.FormValue("code")
 		if oauthCode == "" {
--- a/server/handlers/token.go
+++ b/server/handlers/token.go
@ -3,6 +3,7 @@ package handlers
 import (
 	"crypto/sha256"
 	"encoding/base64"
+	"fmt"
 	"net/http"
 	"strings"
 	"time"
@ -105,7 +106,7 @@ func TokenHandler() gin.HandlerFunc {

 			if codeVerifier == "" && clientSecret == "" {
 				gc.JSON(http.StatusBadRequest, gin.H{
-					"error":             "invalid_dat",
+					"error":             "invalid_data",
 					"error_description": "The code verifier or client secret is required",
 				})
 				return
@ -263,12 +264,14 @@ func TokenHandler() gin.HandlerFunc {
 			"roles":        roles,
 			"expires_in":   expiresIn,
 		}
-
+		fmt.Println("=> scopes:", scope)
+		fmt.Println("=> refreshToken:", authToken.RefreshToken)
 		if authToken.RefreshToken != nil {
+			log.Debug("Refresh token is present: ", fmt.Sprintf("%s:%s", sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint))
 			res["refresh_token"] = authToken.RefreshToken.Token
 			memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeRefreshToken+"_"+authToken.FingerPrint, authToken.RefreshToken.Token, authToken.RefreshToken.ExpiresAt)
 		}
-
+		fmt.Printf("=> res %v", res)
 		gc.JSON(http.StatusOK, res)
 	}
 }
--- a/server/token/auth_token.go
+++ b/server/token/auth_token.go
@ -91,7 +91,6 @@ func CreateAuthToken(gc *gin.Context, user *models.User, roles, scope []string,
 		AccessToken:           &JWTToken{Token: accessToken, ExpiresAt: accessTokenExpiresAt},
 		IDToken:               &JWTToken{Token: idToken, ExpiresAt: idTokenExpiresAt},
 	}
-
 	if utils.StringSliceContains(scope, "offline_access") {
 		refreshToken, refreshTokenExpiresAt, err := CreateRefreshToken(user, roles, scope, hostname, nonce, loginMethod)
 		if err != nil {