fix(oidc): use client secret from query params

This commit is contained in:
Ivan R. 2024-09-21 12:47:07 +05:00
parent 489c39e16c
commit 08f94ad16b
Signed by: lumin
GPG key ID: E0937DC7CD6D3817


@ -77,20 +77,21 @@ defmodule ComfycampWeb.OauthController do
end
end
def token(conn, %{"code" => code_value, "redirect_uri" => redirect_uri}) do
def token(conn, %{
"code" => code_value,
"redirect_uri" => redirect_uri,
"client_id" => client_id,
"client_secret" => client_secret
}) do
# Check that code is still valid and redirect uri has not been altered.
%OIDCCode{redirect_uri: ^redirect_uri} = code = SSO.get_oidc_code!(code_value)
# Get client secret.
[auth_header] = Plug.Conn.get_req_header(conn, "authorization")
"Basic " <> client_secret = auth_header
# Check that client provided a valid secret for an active OIDC app.
%OIDCApp{enabled: true} = oidc_app = SSO.get_oidc_app_by_secret!(client_secret)
%OIDCApp{enabled: true, client_id: ^client_id} =
oidc_app = SSO.get_oidc_app_by_secret!(client_secret)
# Check that OIDC app is referenced by provided code.
app_client_id = oidc_app.client_id
^app_client_id = code.oidc_app.client_id
^client_id = code.oidc_app.client_id
# Delete the code.
SSO.delete_oidc_code(code)