diff options
| author | Kjetil Orbekk <kj@orbekk.com> | 2022-10-08 10:30:15 -0400 |
|---|---|---|
| committer | Kjetil Orbekk <kj@orbekk.com> | 2022-10-08 10:30:15 -0400 |
| commit | 1cbf881835fc33859a31645f886c5d3787ed48f8 (patch) | |
| tree | eb7a8ac803e33283ea0efffa015c8bd96ca40c29 /server/src | |
| parent | b727db0d64f4250742b0ebaac0149c1224a0d040 (diff) | |
Add access token validation
Diffstat (limited to 'server/src')
| -rw-r--r-- | server/src/auth.rs | 60 | ||||
| -rw-r--r-- | server/src/error.rs | 28 | ||||
| -rw-r--r-- | server/src/main.rs | 13 |
3 files changed, 89 insertions, 12 deletions
diff --git a/server/src/auth.rs b/server/src/auth.rs index c5f9e64..01ee467 100644 --- a/server/src/auth.rs +++ b/server/src/auth.rs @@ -1,9 +1,12 @@ use std::{ + collections::HashMap, env, num::NonZeroUsize, - sync::{Arc, Mutex}, collections::HashMap, + sync::{Arc, Mutex}, }; +use crate::error::BridgeError; +use chrono::Utc; use lru::LruCache; use openidconnect::{ core::{CoreClient, CoreProviderMetadata, CoreResponseType}, @@ -12,9 +15,9 @@ use openidconnect::{ AccessTokenHash, AuthenticationFlow, AuthorizationCode, ClientId, ClientSecret, CsrfToken, IssuerUrl, Nonce, OAuth2TokenResponse, PkceCodeChallenge, RedirectUrl, Scope, TokenResponse, }; +use serde::{Deserialize, Serialize}; use tracing::info; use uuid::Uuid; -use serde::{Deserialize, Serialize}; pub struct LoginState { csrf_token: CsrfToken, @@ -91,15 +94,58 @@ impl Authenticator { .url(); let user_id = EndUserId::new(); self.login_cache - .lock().unwrap() + .lock() + .unwrap() .put(user_id.clone(), LoginState { csrf_token, nonce }); (user_id, auth_url) } - pub async fn authenticate(&self, user_id: EndUserId, auth_params: HashMap<String, String>) { - let state = self.login_cache.lock().unwrap().pop(&user_id).unwrap(); - info!("state: {:?}, {:?}", state.csrf_token.secret(), state.nonce.secret()); + pub async fn authenticate( + &self, + user_id: EndUserId, + auth_params: HashMap<String, String>, + ) -> Result<(), BridgeError> { + // TODO: If the token is missing from the cache, client should retry logging in. + let state = self + .login_cache + .lock() + .unwrap() + .pop(&user_id) + .ok_or(BridgeError::InvalidRequest("token missing".to_string()))?; + info!( + "state: {:?}, {:?}", + state.csrf_token.secret(), + state.nonce.secret() + ); + if Some(state.csrf_token.secret()) != auth_params.get("state") { + return Err(BridgeError::InvalidRequest( + "token validation failed".to_string(), + )); + } + let authorization_code = AuthorizationCode::new( + auth_params + .get("code") + .ok_or(BridgeError::InvalidRequest( + "missing 'code' param".to_string(), + ))? + .to_string(), + ); + + let token = self + .client + .exchange_code(authorization_code) + .request_async(async_http_client) + .await?; + info!("Got token {token:#?}"); + + let id_token = token + .id_token() + .ok_or(BridgeError::InvalidRequest("Server did not return an IdToken".to_string()))?; + let claims = id_token.claims(&self.client.id_token_verifier(), &state.nonce)?; + + info!("Got claims {claims:#?}"); - // params: {"session_state": "909b9959-041b-4a98-84d0-5f978bc8a679", "code": "2b4e95d1-0000-4b28-b49d-7a9de731e82b.909b9959-041b-4a98-84d0-5f978bc8a679.a382d869-4e34-42f1-a64d-24a224b9d338", "state": "a7Hff_hF_FOCqPCxmA1ZXg + // params: {"session_state": "909b9959-041b-4a98-84d0-5f978bc8a679", "code": "2b4e95d1-0000-4b28-b49d-7a9de731e82b.909b9959-041b-4a98-84d0-5f978bc8a679.a382d869-4e34-42f1-a64d-24a224b9d338", "state": "a7Hff_hF_FOCqPCxmA1ZXg + Err(BridgeError::Internal("todo".to_string())) } } diff --git a/server/src/error.rs b/server/src/error.rs new file mode 100644 index 0000000..439e81b --- /dev/null +++ b/server/src/error.rs @@ -0,0 +1,28 @@ +use axum::{http::StatusCode, response::IntoResponse}; +use openidconnect::{core::CoreErrorResponseType, StandardErrorResponse, ClaimsVerificationError}; + +type RequestTokenError = openidconnect::RequestTokenError< + openidconnect::reqwest::Error<reqwest::Error>, + StandardErrorResponse<CoreErrorResponseType>, +>; + +#[derive(thiserror::Error, Debug)] +pub enum BridgeError { + #[error("Invalid request: {0}")] + InvalidRequest(String), + + #[error("Backend request failed")] + Backend(#[from] RequestTokenError), + + #[error("Unexpected authorization error")] + UnexpectedInvalidAuthorization(#[from] ClaimsVerificationError), + + #[error("Internal server error: {0}")] + Internal(String), +} + +impl IntoResponse for BridgeError { + fn into_response(self) -> axum::response::Response { + (StatusCode::INTERNAL_SERVER_ERROR, format!("Error: {self}")).into_response() + } +} diff --git a/server/src/main.rs b/server/src/main.rs index e3a84d9..4183abb 100644 --- a/server/src/main.rs +++ b/server/src/main.rs @@ -2,9 +2,9 @@ use std::{collections::HashMap, env, sync::Arc}; use axum::{ extract::{Extension, Query}, - response::Redirect, + response::{Redirect, IntoResponse}, routing::get, - Json, Router, + Json, Router, http::StatusCode, }; use protocol::UserInfo; use tower_cookies::{Cookie, CookieManagerLayer, Cookies}; @@ -12,8 +12,10 @@ use tower_http::trace::TraceLayer; use tracing::info; use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt}; mod auth; +mod error; use crate::auth::{Authenticator, EndUserId}; use sqlx::{postgres::PgPoolOptions, PgPool}; +use crate::error::BridgeError; pub struct ServerContext { pub app_url: String, @@ -75,14 +77,14 @@ async fn login_callback( cookies: Cookies, Query(params): Query<HashMap<String, String>>, extension: ContextExtension, -) -> () { +) -> Result<(), BridgeError> { let cookie = cookies.get("user-id").unwrap(); let user_id: EndUserId = serde_json::from_str(&urlencoding::decode(cookie.value()).unwrap()).unwrap(); info!("cookie: {cookie:?}"); info!("params: {params:?}"); - extension.authenticator.authenticate(user_id, params).await; - () + extension.authenticator.authenticate(user_id, params).await?; + Ok(()) } async fn login(cookies: Cookies, extension: ContextExtension) -> Redirect { @@ -95,3 +97,4 @@ async fn login(cookies: Cookies, extension: ContextExtension) -> Redirect { )); Redirect::temporary(auth_url.as_str()) } + |