From 401009bfdbec09374765837f7334eea9a653cfd0 Mon Sep 17 00:00:00 2001
From: Ivan Reshetnikov
Date: Thu, 17 Oct 2024 17:47:23 +0500
Subject: [PATCH] Add support for nonce parameter

---
 lib/comfycamp/sso/id_token.ex | 7 ++++---
 lib/comfycamp/sso/oidc_code.ex | 10 +++++++---
 lib/comfycamp_web/controllers/oauth_controller.ex | 5 +++--
 priv/repo/migrations/20241017124232_oidc_nonce.exs | 9 +++++++++
 4 files changed, 23 insertions(+), 8 deletions(-)
 create mode 100644 priv/repo/migrations/20241017124232_oidc_nonce.exs

diff --git a/lib/comfycamp/sso/id_token.ex b/lib/comfycamp/sso/id_token.ex
index 99b9553..582c18a 100644
--- a/lib/comfycamp/sso/id_token.ex
+++ b/lib/comfycamp/sso/id_token.ex
@@ -1,8 +1,8 @@
 defmodule Comfycamp.SSO.IDToken do
   @derive Jason.Encoder
-  defstruct [:iss, :sub, :aud, :exp, :iat, :email, :preferred_username]
+  defstruct [:iss, :sub, :aud, :exp, :iat, :email, :preferred_username, :nonce]
 
-  def build_id_token(user, client_id) do
+  def build_id_token(user, client_id, nonce) do
     {_, now} = DateTime.now("Etc/UTC")
     issued_at = DateTime.to_unix(now)
 
@@ -18,7 +18,8 @@ defmodule Comfycamp.SSO.IDToken do
       exp: expires_at,
       iat: issued_at,
       email: user.email,
-      preferred_username: user.username
+      preferred_username: user.username,
+      nonce: nonce
     }
   end
 end
diff --git a/lib/comfycamp/sso/oidc_code.ex b/lib/comfycamp/sso/oidc_code.ex
index 86e2af1..2e287a8 100644
--- a/lib/comfycamp/sso/oidc_code.ex
+++ b/lib/comfycamp/sso/oidc_code.ex
@@ -1,4 +1,8 @@
 defmodule Comfycamp.SSO.OIDCCode do
+  @moduledoc """
+  Temporary code that may be exchanged for an access token.
+  """
+
   use Ecto.Schema
   import Ecto.Changeset
 
@@ -10,6 +14,7 @@ defmodule Comfycamp.SSO.OIDCCode do
   @primary_key {:value, :string, autogenerate: false}
   schema "oidc_codes" do
     field :redirect_uri, :string
+    field :nonce, :string
     belongs_to :user, User
     belongs_to :oidc_app, OIDCApp,
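Review bot: `build_id_token/3` copies `nonce` into the struct unconditionally, so when the authorization request carried no nonce the `@derive Jason.Encoder` on the second line of this hunk serializes `"nonce": null` into the signed ID token; OIDC Core requires the `nonce` claim only when the client sent one and omits it otherwise, and a literal null can trip strict client-side validators. Because the encoder is derived for the whole struct, the least invasive fix is to drop nil claims before signing, e.g. `for {k, v} <- Map.from_struct(token), not is_nil(v), into: %{}, do: {k, v}` — provided `Token.sign/2` accepts a plain map — or to implement `Jason.Encoder` for the struct by hand; the same applies to the `nonce: nonce` line in the second hunk of this file. The new arity is also undocumented; a one-line `@doc "Builds the ID token claims for `user`; `nonce` is echoed from the authorization request and may be nil."` with `@spec build_id_token(map(), String.t(), String.t() | nil) :: %__MODULE__{}` would make the contract explicit. The body of `build_id_token/3` continues outside the hunk.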
@@ -23,9 +28,8 @@ defmodule Comfycamp.SSO.OIDCCode do
   @doc false
   def changeset(oidc_code, attrs) do
     oidc_code
-    |> cast(attrs, [:user_id, :oidc_app_id, :redirect_uri])
     |> change(value: Rand.get_random_string(12))
-    |> validate_required([:value, :user_id, :oidc_app_id, :redirect_uri])
-    |> validate_length(:value, min: 6, max: 255)
+    |> cast(attrs, [:user_id, :oidc_app_id, :redirect_uri, :nonce])
+    |> validate_required([:user_id, :oidc_app_id, :redirect_uri])
   end
 end
diff --git a/lib/comfycamp_web/controllers/oauth_controller.ex b/lib/comfycamp_web/controllers/oauth_controller.ex
index 4444370..9fbe525 100644
--- a/lib/comfycamp_web/controllers/oauth_controller.ex
+++ b/lib/comfycamp_web/controllers/oauth_controller.ex
@@ -56,7 +56,8 @@ defmodule ComfycampWeb.OauthController do
       SSO.create_oidc_code(%{
         oidc_app_id: client_id,
         user_id: conn.assigns.current_user.id,
-        redirect_uri: redirect_uri
+        redirect_uri: redirect_uri,
+        nonce: params["nonce"]
       })
 
     uri = build_redirect_uri(redirect_uri, code.value, params["state"])
@@ -88,7 +89,7 @@ defmodule ComfycampWeb.OauthController do
     {access_token, refresh_token} = Accounts.generate_oauth_tokens(code.user)
 
-    id_token = IDToken.build_id_token(code.user, oidc_app.client_id)
+    id_token = IDToken.build_id_token(code.user, oidc_app.client_id, code.nonce)
     {:ok, signed_id_token} = Token.sign(id_token, client_secret)
 
     render(conn, :token,
diff --git a/priv/repo/migrations/20241017124232_oidc_nonce.exs b/priv/repo/migrations/20241017124232_oidc_nonce.exs
new file mode 100644
index 0000000..048c1c5
--- /dev/null
+++ b/priv/repo/migrations/20241017124232_oidc_nonce.exs
@@ -0,0 +1,9 @@
+defmodule Comfycamp.Repo.Migrations.OidcNonce do
+  use Ecto.Migration
+
+  def change do
+    alter table(:oidc_codes) do
+      add :nonce, :string
+    end
+  end
+end
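Review bot: The new `cast/3` line takes `:nonce` straight from request params with no length bound, and the `validate_length/3` call that was removed is not re-targeted at the new field; the migration in this commit declares `:nonce` as `:string`, which Ecto's Postgres adapter creates as `varchar(255)`, so an over-long nonce would surface as a database error at insert time rather than as a changeset error. Add `|> validate_length(:nonce, max: 255)` directly after the `cast/3` line. Since the stored nonce is later echoed verbatim into the signed ID token, this is also the natural place to keep client-controlled input bounded.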
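Review bot: `nonce: params["nonce"]` forwards an untrusted query parameter to `SSO.create_oidc_code/1` without checking its type; Plug decodes bracketed or repeated params into lists and maps, `cast/3` then fails on the `:string` field, and if the call site binds `code` through a `{:ok, code} =` match (the binding sits above the hunk, since `code.value` is used below) the mismatch becomes a 500 instead of an OAuth `invalid_request` response. Check the value before creating the code, e.g. `case params["nonce"] do nonce when is_nil(nonce) or is_binary(nonce) -> …; _ -> redirect with error=invalid_request end`, or constrain it in the action's params pattern. The enclosing action starts outside the hunk.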