include request data in password form

2022-11-04 21:53:14 +01:00 · 2022-11-04 21:53:14 +01:00 · da9111c186
parent 1072f48e9f
commit da9111c186
4 changed files with 91 additions and 5 deletions
--- a/cmd/owl/web/handler.go
+++ b/cmd/owl/web/handler.go
@ -67,7 +67,48 @@ func userAuthHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Reque
 			notFoundHandler(repo)(w, r)
 			return
 		}
-		html, err := owl.RenderUserAuthPage(user)
+		// get me, cleint_id, redirect_uri, state and response_type from query
+		me := r.URL.Query().Get("me")
+		clientId := r.URL.Query().Get("client_id")
+		redirectUri := r.URL.Query().Get("redirect_uri")
+		state := r.URL.Query().Get("state")
+		responseType := r.URL.Query().Get("response_type")
+
+		// check if request is valid
+		missing_params := []string{}
+		if clientId == "" {
+			missing_params = append(missing_params, "client_id")
+		}
+		if redirectUri == "" {
+			missing_params = append(missing_params, "redirect_uri")
+		}
+		if responseType == "" {
+			missing_params = append(missing_params, "response_type")
+		}
+		if len(missing_params) > 0 {
+			w.WriteHeader(http.StatusBadRequest)
+			w.Write([]byte(fmt.Sprintf("Missing parameters: %s", strings.Join(missing_params, ", "))))
+			return
+		}
+		if responseType != "id" {
+			responseType = "code"
+		}
+		if responseType != "code" {
+			w.WriteHeader(http.StatusBadRequest)
+			w.Write([]byte("Invalid response_type. Must be 'code' ('id' converted to 'code' for legacy support)."))
+			return
+		}
+
+		reqData := owl.AuthRequestData{
+			Me:           me,
+			ClientId:     clientId,
+			RedirectUri:  redirectUri,
+			State:        state,
+			ResponseType: responseType,
+			User:         user,
+		}
+
+		html, err := owl.RenderUserAuthPage(reqData)
 		if err != nil {
 			println("Error rendering auth page: ", err.Error())
 			w.WriteHeader(http.StatusInternalServerError)
--- a/embed/auth.html
+++ b/embed/auth.html
@ -1,5 +1,11 @@
+<h2>Authorization for {{.ClientId}}</h2>
+
 <form action="" method="post">
    <label for="password">Password</label>
    <input type="password" name="password" placeholder="Password">
+    <input type="hidden" name="client_id" value="{{.ClientId}}">
+    <input type="hidden" name="redirect_uri" value="{{.RedirectUri}}">
+    <input type="hidden" name="response_type" value="{{.ResponseType}}">
+    <input type="hidden" name="state" value="{{.State}}">
    <input type="submit" value="Login">
 </form>
--- a/renderer.go
+++ b/renderer.go
@ -20,6 +20,15 @@ type PostRenderData struct {
 	Content template.HTML
 }

+type AuthRequestData struct {
+	Me           string
+	ClientId     string
+	RedirectUri  string
+	State        string
+	ResponseType string
+	User         User
+}
+
 func renderEmbedTemplate(templateFile string, data interface{}) (string, error) {
 	templateStr, err := embed_files.ReadFile(templateFile)
 	if err != nil {
@ -109,13 +118,13 @@ func RenderIndexPage(user User) (string, error) {
 	})
 }

-func RenderUserAuthPage(user User) (string, error) {
-	authHtml, err := renderEmbedTemplate("embed/auth.html", user)
+func RenderUserAuthPage(reqData AuthRequestData) (string, error) {
+	authHtml, err := renderEmbedTemplate("embed/auth.html", reqData)
 	if err != nil {
 		return "", err
 	}

-	return renderIntoBaseTemplate(user, PageContent{
+	return renderIntoBaseTemplate(reqData.User, PageContent{
 		Title:   "Auth",
 		Content: template.HTML(authHtml),
 	})
--- a/renderer_test.go
+++ b/renderer_test.go
@ -289,7 +289,37 @@ func TestAddFaviconIfExist(t *testing.T) {
 func TestRenderUserAuth(t *testing.T) {
 	user := getTestUser()
 	user.ResetPassword("test")
-	result, err := owl.RenderUserAuthPage(user)
+	result, err := owl.RenderUserAuthPage(owl.AuthRequestData{
+		User: user,
+	})
 	assertions.AssertNoError(t, err, "Error rendering user auth page")
 	assertions.AssertContains(t, result, "<form")
 }
+
+func TestRenderUserAuthIncludesClientId(t *testing.T) {
+	user := getTestUser()
+	user.ResetPassword("test")
+	result, err := owl.RenderUserAuthPage(owl.AuthRequestData{
+		User:     user,
+		ClientId: "https://example.com/",
+	})
+	assertions.AssertNoError(t, err, "Error rendering user auth page")
+	assertions.AssertContains(t, result, "https://example.com/")
+}
+
+func TestRenderUserAuthHiddenFields(t *testing.T) {
+	user := getTestUser()
+	user.ResetPassword("test")
+	result, err := owl.RenderUserAuthPage(owl.AuthRequestData{
+		User:         user,
+		ClientId:     "https://example.com/",
+		RedirectUri:  "https://example.com/redirect",
+		ResponseType: "code",
+		State:        "teststate",
+	})
+	assertions.AssertNoError(t, err, "Error rendering user auth page")
+	assertions.AssertContains(t, result, "name=\"client_id\" value=\"https://example.com/\"")
+	assertions.AssertContains(t, result, "name=\"redirect_uri\" value=\"https://example.com/redirect\"")
+	assertions.AssertContains(t, result, "name=\"response_type\" value=\"code\"")
+	assertions.AssertContains(t, result, "name=\"state\" value=\"teststate\"")
+}