Add access token validation

author: Kjetil Orbekk <kj@orbekk.com> 2022-10-08 10:30:15 -0400
committer: Kjetil Orbekk <kj@orbekk.com> 2022-10-08 10:30:15 -0400
commit: 1cbf881835fc33859a31645f886c5d3787ed48f8 (patch)
tree: eb7a8ac803e33283ea0efffa015c8bd96ca40c29 /server
parent: b727db0d64f4250742b0ebaac0149c1224a0d040 (diff)
4 files changed, 94 insertions, 13 deletions
diff --git a/server/Cargo.toml b/server/Cargo.toml
index e7824a2..0651fef 100644
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@@ -21,4 +21,8 @@ uuid = { version = "1.1.2", features = ["serde", "fast-rng", "v4"] }
 tower-cookies = "0.7.0"
 tower = { version = "0.4.13", features = ["full"] }
 urlencoding = "2.1.2"
-sqlx = { version = "0.6", features = [ "runtime-tokio-native-tls" , "postgres" ] }
-\ No newline at end of file
+sqlx = { version = "0.6", features = [ "runtime-tokio-native-tls" , "postgres" ] }
+anyhow = "1.0.65"
+chrono = { version = "0.4.22", features = ["serde"] }
+thiserror = "1.0.37"
+reqwest = "0.11.12"
diff --git a/server/src/auth.rs b/server/src/auth.rs
index c5f9e64..01ee467 100644
--- a/server/src/auth.rs
+++ b/server/src/auth.rs
@@ -1,9 +1,12 @@
 use std::{
+    collections::HashMap,
     env,
     num::NonZeroUsize,
-    sync::{Arc, Mutex}, collections::HashMap,
+    sync::{Arc, Mutex},
 };
 
+use crate::error::BridgeError;
+use chrono::Utc;
 use lru::LruCache;
 use openidconnect::{
     core::{CoreClient, CoreProviderMetadata, CoreResponseType},
@@ -12,9 +15,9 @@ use openidconnect::{
     AccessTokenHash, AuthenticationFlow, AuthorizationCode, ClientId, ClientSecret, CsrfToken,
     IssuerUrl, Nonce, OAuth2TokenResponse, PkceCodeChallenge, RedirectUrl, Scope, TokenResponse,
 };
+use serde::{Deserialize, Serialize};
 use tracing::info;
 use uuid::Uuid;
-use serde::{Deserialize, Serialize};
 
 pub struct LoginState {
     csrf_token: CsrfToken,
@@ -91,15 +94,58 @@ impl Authenticator {
             .url();
         let user_id = EndUserId::new();
         self.login_cache
-            .lock().unwrap()
+            .lock()
+            .unwrap()
             .put(user_id.clone(), LoginState { csrf_token, nonce });
         (user_id, auth_url)
     }
 
-    pub async fn authenticate(&self, user_id: EndUserId, auth_params: HashMap<String, String>) {
-	let state = self.login_cache.lock().unwrap().pop(&user_id).unwrap();
-	info!("state: {:?}, {:?}", state.csrf_token.secret(), state.nonce.secret());
+    pub async fn authenticate(
+        &self,
+        user_id: EndUserId,
+        auth_params: HashMap<String, String>,
+    ) -> Result<(), BridgeError> {
+        // TODO: If the token is missing from the cache, client should retry logging in.
+        let state = self
+            .login_cache
+            .lock()
+            .unwrap()
+            .pop(&user_id)
+            .ok_or(BridgeError::InvalidRequest("token missing".to_string()))?;
+        info!(
+            "state: {:?}, {:?}",
+            state.csrf_token.secret(),
+            state.nonce.secret()
+        );
+        if Some(state.csrf_token.secret()) != auth_params.get("state") {
+            return Err(BridgeError::InvalidRequest(
+                "token validation failed".to_string(),
+            ));
+        }
+        let authorization_code = AuthorizationCode::new(
+            auth_params
+                .get("code")
+                .ok_or(BridgeError::InvalidRequest(
+                    "missing 'code' param".to_string(),
+                ))?
+                .to_string(),
+        );
+
+        let token = self
+            .client
+            .exchange_code(authorization_code)
+            .request_async(async_http_client)
+            .await?;
+        info!("Got token {token:#?}");
+
+        let id_token = token
+            .id_token()
+            .ok_or(BridgeError::InvalidRequest("Server did not return an IdToken".to_string()))?;
+        let claims = id_token.claims(&self.client.id_token_verifier(), &state.nonce)?;
+	
+        info!("Got claims {claims:#?}");
 
-	// params: {"session_state": "909b9959-041b-4a98-84d0-5f978bc8a679", "code": "2b4e95d1-0000-4b28-b49d-7a9de731e82b.909b9959-041b-4a98-84d0-5f978bc8a679.a382d869-4e34-42f1-a64d-24a224b9d338", "state": "a7Hff_hF_FOCqPCxmA1ZXg
+        // params: {"session_state": "909b9959-041b-4a98-84d0-5f978bc8a679", "code": "2b4e95d1-0000-4b28-b49d-7a9de731e82b.909b9959-041b-4a98-84d0-5f978bc8a679.a382d869-4e34-42f1-a64d-24a224b9d338", "state": "a7Hff_hF_FOCqPCxmA1ZXg
+        Err(BridgeError::Internal("todo".to_string()))
     }
 }
diff --git a/server/src/error.rs b/server/src/error.rs
new file mode 100644
index 0000000..439e81b
--- /dev/null
+++ b/server/src/error.rs
@@ -0,0 +1,28 @@
+use axum::{http::StatusCode, response::IntoResponse};
+use openidconnect::{core::CoreErrorResponseType, StandardErrorResponse, ClaimsVerificationError};
+
+type RequestTokenError = openidconnect::RequestTokenError<
+    openidconnect::reqwest::Error<reqwest::Error>,
+    StandardErrorResponse<CoreErrorResponseType>,
+>;
+
+#[derive(thiserror::Error, Debug)]
+pub enum BridgeError {
+    #[error("Invalid request: {0}")]
+    InvalidRequest(String),
+
+    #[error("Backend request failed")]
+    Backend(#[from] RequestTokenError),
+
+    #[error("Unexpected authorization error")]
+    UnexpectedInvalidAuthorization(#[from] ClaimsVerificationError),
+    
+    #[error("Internal server error: {0}")]
+    Internal(String),
+}
+
+impl IntoResponse for BridgeError {
+    fn into_response(self) -> axum::response::Response {
+        (StatusCode::INTERNAL_SERVER_ERROR, format!("Error: {self}")).into_response()
+    }
+}
diff --git a/server/src/main.rs b/server/src/main.rs
index e3a84d9..4183abb 100644
--- a/server/src/main.rs
+++ b/server/src/main.rs
@@ -2,9 +2,9 @@ use std::{collections::HashMap, env, sync::Arc};
 
 use axum::{
     extract::{Extension, Query},
-    response::Redirect,
+    response::{Redirect, IntoResponse},
     routing::get,
-    Json, Router,
+    Json, Router, http::StatusCode,
 };
 use protocol::UserInfo;
 use tower_cookies::{Cookie, CookieManagerLayer, Cookies};
@@ -12,8 +12,10 @@ use tower_http::trace::TraceLayer;
 use tracing::info;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
 mod auth;
+mod error;
 use crate::auth::{Authenticator, EndUserId};
 use sqlx::{postgres::PgPoolOptions, PgPool};
+use crate::error::BridgeError;
 
 pub struct ServerContext {
     pub app_url: String,
@@ -75,14 +77,14 @@ async fn login_callback(
     cookies: Cookies,
     Query(params): Query<HashMap<String, String>>,
     extension: ContextExtension,
-) -> () {
+) -> Result<(), BridgeError> {
     let cookie = cookies.get("user-id").unwrap();
     let user_id: EndUserId =
         serde_json::from_str(&urlencoding::decode(cookie.value()).unwrap()).unwrap();
     info!("cookie: {cookie:?}");
     info!("params: {params:?}");
-    extension.authenticator.authenticate(user_id, params).await;
-    ()
+    extension.authenticator.authenticate(user_id, params).await?;
+    Ok(())
 }
 
 async fn login(cookies: Cookies, extension: ContextExtension) -> Redirect {
@@ -95,3 +97,4 @@ async fn login(cookies: Cookies, extension: ContextExtension) -> Redirect {
     ));
     Redirect::temporary(auth_url.as_str())
 }
+
author	Kjetil Orbekk <kj@orbekk.com>	2022-10-08 10:30:15 -0400
committer	Kjetil Orbekk <kj@orbekk.com>	2022-10-08 10:30:15 -0400
commit	1cbf881835fc33859a31645f886c5d3787ed48f8 (patch)
tree	eb7a8ac803e33283ea0efffa015c8bd96ca40c29 /server
parent	b727db0d64f4250742b0ebaac0149c1224a0d040 (diff)