comparison mod_http_oauth2/mod_http_oauth2.lua @ 5629:ef0a283507c9

mod_http_oauth2: Make storage of various code more consistent. I'm not sure how any of this worked at all.
author Kim Alvefur <zash@zash.se>
date Sun, 06 Aug 2023 12:07:05 +0200
parents 9aace51c3637
children dd2079b3dec6
5628:9aace51c3637 5629:ef0a283507c9
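--- a/mod_http_oauth2/mod_http_oauth2.lua
+++ b/mod_http_oauth2/mod_http_oauth2.lua
@@ -392,21 +392,23 @@
 
 if pkce_required and not params.code_challenge then
 return oauth_error("invalid_request", "PKCE required");
 end
 
+local prefix = "authorization_code:";
 local code = id.medium();
 if params.redirect_uri == device_uri then
 local is_device, device_state = verify_device_token(params.state);
 if is_device then
 -- reconstruct the device_code
+prefix = "device_code:";
 code = b64url(hashes.hmac_sha256(verification_key, device_state.user_code));
 else
 return oauth_error("invalid_request");
 end
 end
-local ok = codes:set("authorization_code:" .. params.client_id .. "#" .. code, {
+local ok = codes:set(prefix.. params.client_id .. "#" .. code, {
 expires = os.time() + 600;
 granted_jid = granted_jid;
 granted_scopes = granted_scopes;
 granted_role = granted_role;
 challenge = params.code_challenge;
@@ -578,19 +580,19 @@
 if not verify_client_secret(params.client_id, params.client_secret) then
 module:log("debug", "client_secret mismatch");
 return oauth_error("invalid_client", "incorrect credentials");
 end
 
-local code = codes:get("device_code:" .. params.device_code);
+local code = codes:get("device_code:" .. params.client_id .. "#" .. params.device_code);
 if type(code) ~= "table" or code_expired(code) then
 return oauth_error("expired_token");
 elseif code.error then
 return code.error;
 elseif not code.granted_jid then
 return oauth_error("authorization_pending");
 end
-codes:set("device_code:" .. params.device_code, nil);
+codes:set("device_code:" .. params.client_id .. "#" .. params.device_code, nil);
 
 return json.encode(new_access_token(code.granted_jid, code.granted_role, code.granted_scopes, client, code.id_token));
 end
 
 -- RFC 7636 Proof Key for Code Exchange by OAuth Public Clients
@@ -991,13 +993,14 @@
 -- device code should be derivable after consent but not guessable by the user
 local device_code = b64url(hashes.hmac_sha256(verification_key, user_code));
 local verification_uri = module:http_url() .. "/device";
 local verification_uri_complete = verification_uri .. "?" .. http.formencode({ user_code = user_code });
 
-local dc_ok = codes:set("device_code:" .. params.client_id .. "#" .. device_code, { expires = os.time() + 1200 });
+local expires = os.time() + 600;
+local dc_ok = codes:set("device_code:" .. params.client_id .. "#" .. device_code, { expires = expires });
 local uc_ok = codes:set("user_code:" .. user_code,
-{ user_code = user_code; expires = os.time() + 600; client_id = params.client_id;
+{ user_code = user_code; expires = expires; client_id = params.client_id;
 scope = requested_scopes:concat(" ") });
 if not dc_ok or not uc_ok then
 return oauth_error("temporarily_unavailable");
 end
 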
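Review bot: The new lookup key on line 585 concatenates `params.device_code` straight into the storage key, so a token-endpoint poll that omits the `device_code` parameter raises "attempt to concatenate a nil value" rather than returning an OAuth error, unless that parameter is validated above this hunk (the function's start is outside it). A one-line guard before the lookup keeps it an RFC 8628 `invalid_request`: `if type(params.device_code) ~= "string" then return oauth_error("invalid_request", "missing device_code"); end`. Because the key is now namespaced by `params.client_id`, a device_code presented by a different client than the one it was issued to also lands in the `expired_token` branch on line 586; RFC 8628 reserves `expired_token` for codes that have actually expired and uses `invalid_grant` for an unknown or mismatched code, so splitting the `type(code) ~= "table"` case from `code_expired(code)` would make the polling client's error handling correct, though that combined check predates this change.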