IndieAuth #25

Merged
h4kor merged 19 commits from auth into master 2022-11-07 19:38:21 +00:00
2 changed files with 28 additions and 14 deletions
Showing only changes of commit 1d793c325b - Show all commits

View File

@ -107,6 +107,19 @@ func userAuthHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Reque
return return
} }
client_id_url, err := url.Parse(clientId)
if err != nil {
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("Invalid client_id."))
return
}
redirect_uri_url, err := url.Parse(redirectUri)
if err != nil {
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("Invalid redirect_uri."))
return
}
if client_id_url.Host != redirect_uri_url.Host || client_id_url.Scheme != redirect_uri_url.Scheme {
// check if redirect_uri is registered // check if redirect_uri is registered
resp, _ := repo.HttpClient.Get(clientId) resp, _ := repo.HttpClient.Get(clientId)
registered_redirects, _ := repo.Parser.GetRedirctUris(resp) registered_redirects, _ := repo.Parser.GetRedirctUris(resp)
@ -123,6 +136,7 @@ func userAuthHandler(repo *owl.Repository) func(http.ResponseWriter, *http.Reque
w.Write([]byte("Invalid redirect_uri. Must be registered with client_id.")) w.Write([]byte("Invalid redirect_uri. Must be registered with client_id."))
return return
} }
}
// Double Submit Cookie Pattern // Double Submit Cookie Pattern
// https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie // https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie

View File

@ -90,7 +90,7 @@ func (user User) ConfigFile() string {
} }
func (user User) AuthCodesFile() string { func (user User) AuthCodesFile() string {
return path.Join(user.MetaDir(), "access_tokens.yml") return path.Join(user.MetaDir(), "auth_codes.yml")
} }
func (user User) Name() string { func (user User) Name() string {