h4kor/owl-blogs
h4kor
/
owl-blogs
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

allow redirect_uris from same host and scheme

This commit is contained in:
Niko Abeler 2022-11-06 16:40:26 +01:00
parent 4d5af131c2
commit 1d793c325b
2 changed files with 28 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
cmd/owl/web/handler.go
View File

@ -107,22 +107,36 @@ func userAuthHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Reque
return return
} }
// check if redirect_uri is registered client_id_url, err := url.Parse(clientId)
resp, _ := repo.HttpClient.Get(clientId) if err != nil {
registered_redirects, _ := repo.Parser.GetRedirctUris(resp)
is_registered := false
for _, registered_redirect := range registered_redirects {
if registered_redirect == redirectUri {
// redirect_uri is registered
is_registered = true
break
}
}
if !is_registered {
w.WriteHeader(http.StatusBadRequest) w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("Invalid redirect_uri. Must be registered with client_id.")) w.Write([]byte("Invalid client_id."))
return return
} }
redirect_uri_url, err := url.Parse(redirectUri)
if err != nil {
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("Invalid redirect_uri."))
return
}
if client_id_url.Host != redirect_uri_url.Host || client_id_url.Scheme != redirect_uri_url.Scheme {
// check if redirect_uri is registered
resp, _ := repo.HttpClient.Get(clientId)
registered_redirects, _ := repo.Parser.GetRedirctUris(resp)
is_registered := false
for _, registered_redirect := range registered_redirects {
if registered_redirect == redirectUri {
// redirect_uri is registered
is_registered = true
break
}
}
if !is_registered {
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("Invalid redirect_uri. Must be registered with client_id."))
return
}
}
// Double Submit Cookie Pattern // Double Submit Cookie Pattern
// https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie // https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie

2
user.go
View File

@ -90,7 +90,7 @@ func (user User) ConfigFile() string {
} }
func (user User) AuthCodesFile() string { func (user User) AuthCodesFile() string {
return path.Join(user.MetaDir(), "access_tokens.yml") return path.Join(user.MetaDir(), "auth_codes.yml")
} }
func (user User) Name() string { func (user User) Name() string {