allow redirect_uris from same host and scheme

This commit is contained in:
Niko Abeler 2022-11-06 16:40:26 +01:00
parent 4d5af131c2
commit 1d793c325b
2 changed files with 28 additions and 14 deletions

View File

@ -107,6 +107,19 @@ func userAuthHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Reque
return
}
client_id_url, err := url.Parse(clientId)
if err != nil {
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("Invalid client_id."))
return
}
redirect_uri_url, err := url.Parse(redirectUri)
if err != nil {
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("Invalid redirect_uri."))
return
}
if client_id_url.Host != redirect_uri_url.Host || client_id_url.Scheme != redirect_uri_url.Scheme {
// check if redirect_uri is registered
resp, _ := repo.HttpClient.Get(clientId)
registered_redirects, _ := repo.Parser.GetRedirctUris(resp)
@ -123,6 +136,7 @@ func userAuthHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Reque
w.Write([]byte("Invalid redirect_uri. Must be registered with client_id."))
return
}
}
// Double Submit Cookie Pattern
// https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie

View File

@ -90,7 +90,7 @@ func (user User) ConfigFile() string {
}
func (user User) AuthCodesFile() string {
return path.Join(user.MetaDir(), "access_tokens.yml")
return path.Join(user.MetaDir(), "auth_codes.yml")
}
func (user User) Name() string {