From 1d793c325b1388495dd75a29a0f7d9c2e55cc205 Mon Sep 17 00:00:00 2001
From: Niko Abeler
Date: Sun, 6 Nov 2022 16:40:26 +0100
Subject: [PATCH] allow redirect_uris from same host and scheme
---
 cmd/owl/web/handler.go | 40 +++++++++++++++++++++++++++-------------
 user.go | 2 +-
 2 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/cmd/owl/web/handler.go b/cmd/owl/web/handler.go
index bad57c9..0a07aba 100644
--- a/cmd/owl/web/handler.go
+++ b/cmd/owl/web/handler.go
@@ -107,22 +107,36 @@ func userAuthHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Reque
 
 			return
 		}
-		// check if redirect_uri is registered
-		resp, _ := repo.HttpClient.Get(clientId)
-		registered_redirects, _ := repo.Parser.GetRedirctUris(resp)
-		is_registered := false
-		for _, registered_redirect := range registered_redirects {
-			if registered_redirect == redirectUri {
-				// redirect_uri is registered
-				is_registered = true
-				break
-			}
-		}
-		if !is_registered {
+		client_id_url, err := url.Parse(clientId)
+		if err != nil {
 			w.WriteHeader(http.StatusBadRequest)
-			w.Write([]byte("Invalid redirect_uri. Must be registered with client_id."))
+			w.Write([]byte("Invalid client_id."))
 			return
 		}
+		redirect_uri_url, err := url.Parse(redirectUri)
+		if err != nil {
+			w.WriteHeader(http.StatusBadRequest)
+			w.Write([]byte("Invalid redirect_uri."))
+			return
+		}
+		if client_id_url.Host != redirect_uri_url.Host || client_id_url.Scheme != redirect_uri_url.Scheme {
+			// check if redirect_uri is registered
+			resp, _ := repo.HttpClient.Get(clientId)
+			registered_redirects, _ := repo.Parser.GetRedirctUris(resp)
+			is_registered := false
+			for _, registered_redirect := range registered_redirects {
+				if registered_redirect == redirectUri {
+					// redirect_uri is registered
+					is_registered = true
+					break
+				}
+			}
+			if !is_registered {
+				w.WriteHeader(http.StatusBadRequest)
+				w.Write([]byte("Invalid redirect_uri. Must be registered with client_id."))
+				return
+			}
+		}
 
 		// Double Submit Cookie Pattern
 		// https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie
diff --git a/user.go b/user.go
index 8b042ef..178d0cc 100644
--- a/user.go
+++ b/user.go
@@ -90,7 +90,7 @@ func (user User) ConfigFile() string {
 }
 
 func (user User) AuthCodesFile() string {
-	return path.Join(user.MetaDir(), "access_tokens.yml")
+	return path.Join(user.MetaDir(), "auth_codes.yml")
 }
 
 func (user User) Name() string {
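Review bot: The same-origin shortcut on the new `if client_id_url.Host != redirect_uri_url.Host || client_id_url.Scheme != redirect_uri_url.Scheme` line is satisfied by two relative strings, because url.Parse accepts scheme-less, host-less input (`foo` and `bar` both parse with empty Scheme and Host), so such a pair skips the registration lookup entirely; unless an earlier check outside this hunk already rejects non-absolute values, both parsed URLs should be required to be absolute with a non-empty host before they are compared. The registration branch also still discards the error from `repo.HttpClient.Get(clientId)`, so a failed fetch hands a nil response to GetRedirctUris (whose nil handling is not visible here) and a successful one never has its body closed; since clientId is caller-supplied, that fetch is a server-side request to an arbitrary URL and deserves at least an http/https scheme restriction before it is made. Host comparison is case-sensitive, so `Example.com` against `example.com` falls through to the registered-URI path rather than being treated as the same host — harmless, but `strings.EqualFold` would match the intent if the package already imports strings. userAuthHandler begins and ends outside this hunk.
```go
client_id_url, err := url.Parse(clientId)
if err != nil || !client_id_url.IsAbs() || client_id_url.Host == "" ||
	(client_id_url.Scheme != "http" && client_id_url.Scheme != "https") {
	w.WriteHeader(http.StatusBadRequest)
	w.Write([]byte("Invalid client_id."))
	return
}
redirect_uri_url, err := url.Parse(redirectUri)
if err != nil || !redirect_uri_url.IsAbs() || redirect_uri_url.Host == "" {
	w.WriteHeader(http.StatusBadRequest)
	w.Write([]byte("Invalid redirect_uri."))
	return
}
if client_id_url.Host != redirect_uri_url.Host || client_id_url.Scheme != redirect_uri_url.Scheme {
	// redirect_uri is on a different origin: it must be published by client_id
	resp, err := repo.HttpClient.Get(clientId)
	if err != nil {
		w.WriteHeader(http.StatusBadRequest)
		w.Write([]byte("Invalid redirect_uri. Must be registered with client_id."))
		return
	}
	defer resp.Body.Close()
	// … unchanged: GetRedirctUris lookup and is_registered loop …
}
```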