Add support for Authorization header during code exchange

2024-10-17 00:12:16 +05:00 · 2024-10-17 00:12:16 +05:00 · fbb33369a8
commit fbb33369a8
parent c9668ff1ef
1 changed files with 22 additions and 6 deletions
--- a/lib/comfycamp_web/controllers/oauth_controller.ex
+++ b/lib/comfycamp_web/controllers/oauth_controller.ex
@ -77,12 +77,9 @@ defmodule ComfycampWeb.OauthController do
    end
  end

-  def token(conn, %{
-        "code" => code_value,
-        "redirect_uri" => redirect_uri,
-        "client_id" => client_id,
-        "client_secret" => client_secret
-      }) do
+  def token(conn, params = %{"code" => code_value, "redirect_uri" => redirect_uri}) do
+    {:ok, client_id, client_secret} = get_client_info(conn, params)
+
    # Check that code is still valid and redirect uri has not been altered.
    %OIDCCode{redirect_uri: ^redirect_uri} = code = SSO.get_oidc_code!(code_value)

@ -112,6 +109,25 @@ defmodule ComfycampWeb.OauthController do
    render(conn, :openid_discovery)
  end

+  @doc """
+  Extract client id and client secret from request parameters or headers.
+  Returns {:ok, "client_id", "client_secret"} on success.
+  """
+  def get_client_info(_conn, %{"client_id" => client_id, "client_secret" => client_secret}) do
+    {:ok, client_id, client_secret}
+  end
+
+  def get_client_info(conn, _params) do
+    with [header] <- Plug.Conn.get_req_header(conn, "authorization"),
+         "Basic " <> b64 <- header,
+         {:ok, keys} <- Base.decode64(b64),
+         [client_id, client_secret] <- String.split(keys, ":") do
+      {:ok, client_id, client_secret}
+    else
+      _ -> {:error, "Invalid Authorization header"}
+    end
+  end
+
  defp build_redirect_uri(redirect_uri, code, state) do
    parsed_uri = URI.parse(redirect_uri)