Improve validation for token exchange endpoint

This commit is contained in:
Ivan R. 2024-10-17 12:22:23 +05:00
parent fbb33369a8
commit 8129d916e3
Signed by: lumin
GPG key ID: E0937DC7CD6D3817
2 changed files with 34 additions and 19 deletions


@ -4,7 +4,6 @@ defmodule ComfycampWeb.OauthController do
alias Comfycamp.Accounts alias Comfycamp.Accounts
alias Comfycamp.SSO alias Comfycamp.SSO
alias Comfycamp.SSO.OIDCApp alias Comfycamp.SSO.OIDCApp
alias Comfycamp.SSO.OIDCCode
alias Comfycamp.SSO.IDToken alias Comfycamp.SSO.IDToken
alias Comfycamp.Token alias Comfycamp.Token
@ -78,19 +77,13 @@ defmodule ComfycampWeb.OauthController do
end end
def token(conn, params = %{"code" => code_value, "redirect_uri" => redirect_uri}) do def token(conn, params = %{"code" => code_value, "redirect_uri" => redirect_uri}) do
{:ok, client_id, client_secret} = get_client_info(conn, params) with {:client_info, {:ok, client_id, client_secret}} <-
{:client_info, get_client_info(conn, params)},
# Check that code is still valid and redirect uri has not been altered. {:code, code} <- {:code, SSO.get_oidc_code!(code_value)},
%OIDCCode{redirect_uri: ^redirect_uri} = code = SSO.get_oidc_code!(code_value) {:uri, ^redirect_uri} <- {:uri, code.redirect_uri},
{:app, oidc_app = %OIDCApp{enabled: true, client_id: ^client_id}} <-
# Check that client provided a valid secret for an active OIDC app. {:app, SSO.get_oidc_app_by_secret!(client_secret)},
%OIDCApp{enabled: true, client_id: ^client_id} = {:code_ref, ^client_id} <- {:code_ref, code.oidc_app.client_id} do
oidc_app = SSO.get_oidc_app_by_secret!(client_secret)
# Check that OIDC app is referenced by provided code.
^client_id = code.oidc_app.client_id
# Delete the code.
SSO.delete_oidc_code(code) SSO.delete_oidc_code(code)
{access_token, refresh_token} = Accounts.generate_oauth_tokens(code.user) {access_token, refresh_token} = Accounts.generate_oauth_tokens(code.user)
@ -103,6 +96,22 @@ defmodule ComfycampWeb.OauthController do
refresh_token: Base.url_encode64(refresh_token), refresh_token: Base.url_encode64(refresh_token),
id_token: signed_id_token id_token: signed_id_token
) )
else
{:client_info, _} ->
render(conn, :error, description: "Нет client id или client secret")
{:code, _} ->
render(conn, :error, description: "Не удалось найти временный код")
{:uri, _} ->
render(conn, :error, description: "Redirect URI не совпадает с изначальным значением")
{:app, _} ->
render(conn, :error, description: "Приложение не найдено или отключено")
{:code_ref, _} ->
render(conn, :error, description: "Временный код выдан для другого приложения")
end
end end
def openid_discovery(conn, _params) do def openid_discovery(conn, _params) do
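Review bot: The `{:code, _}` branch of the new `else` is unreachable: the pattern `{:code, code}` binds a fresh variable and therefore matches whatever `SSO.get_oidc_code!/1` returns, and that function, judging by its `!` suffix, presumably raises rather than returning `nil` for an unknown code, so a bad `code` surfaces as a crash instead of the "Не удалось найти временный код" response. To make the branch live, look the code up with a non-raising twin and constrain the pattern, e.g. `{:code, %Comfycamp.SSO.OIDCCode{} = code} <- {:code, SSO.get_oidc_code(code_value)}` (this commit drops the `OIDCCode` alias, hence the full name), assuming such a function exists; the same reasoning applies to `{:app, _}` and `SSO.get_oidc_app_by_secret!/1`, which can only fall through on a disabled app or a client_id mismatch, never on "not found". Separately, every `render(conn, :error, ...)` call is made without `put_status`, so unless the error view sets one these rejections go back with HTTP 200, whereas RFC 6749 §5.2 expects 400 (401 for a bad client) with a machine-readable `error` code such as `invalid_grant`; the per-check descriptions also tell a caller exactly which validation failed, which is more than a token endpoint needs to disclose. `token/2` is entirely within this section, but the success path between the two hunks is elided.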


@ -21,4 +21,10 @@ defmodule ComfycampWeb.OauthJSON do
claims_supported: ["sub", "email", "preferred_username"] claims_supported: ["sub", "email", "preferred_username"]
} }
end end
def error(assigns) do
%{
description: assigns["description"]
}
end
end end
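Review bot: `assigns["description"]` in the new `error/1` looks up a string key, but the controller passes `description:` as a keyword option to `render/3`, and Phoenix hands the view a map with atom keys, so this field will be `nil` in every error response. Use the atom key and assert its presence, `description: assigns.description`, so a missing assign fails loudly rather than emitting an empty error body. Consider also returning the RFC 6749 `error` member alongside `error_description` so OAuth clients can distinguish failures without parsing free text.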