From 558e5e8c0edee945e85d94ea17982544534e9708 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Mon, 1 Oct 2018 11:59:11 -0700
Subject: [PATCH] Fixes #29: skip or log unexpected requests to the oauth server. Returns 404 for requests to invalid paths. Add error messages to unexpected requests to /.
---
 command/oauth/cmd.go | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/command/oauth/cmd.go b/command/oauth/cmd.go
index 802e8f14..b872d378 100644
--- a/command/oauth/cmd.go
+++ b/command/oauth/cmd.go
@@ -551,6 +551,11 @@ func (o *oauth) DoJWTAuthorization(issuer, aud string) (*token, error) {
 // ServeHTTP is the handler that performs the OAuth 2.0 dance and returns the
 // tokens using channels.
 func (o *oauth) ServeHTTP(w http.ResponseWriter, req *http.Request) {
+ if req.URL.Path != "/" {
+ http.NotFound(w, req)
+ return
+ }
+
 q := req.URL.Query()
 errStr := q.Get("error")
 if errStr != "" {
@@ -559,12 +564,11 @@ func (o *oauth) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 }
 code, state := q.Get("code"), q.Get("state")
-
 if code == "" || state == "" {
- fmt.Printf("Invalid request received from: %v%v\n\n", req.RemoteAddr, req.RequestURI)
- if req.RequestURI == "/robots.txt" {
- fmt.Printf("** You may have an app or browser plugin that needs to be turned off **\n\n")
- }
+ fmt.Fprintf(os.Stderr, "Invalid request received: http://%s%s\n", req.RemoteAddr, req.URL.String())
+ fmt.Fprintf(os.Stderr, "You may have an app or browser plugin that needs to be turned off\n")
+ http.Error(w, "400 bad request", http.StatusBadRequest)
+ return
 }
 if code == "" {
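Review bot: The guard added at the top of ServeHTTP in the first hunk (`@@ -551,6 +551,11 @@`) filters on the path only, so a request to `/` with any method still reaches the query parsing below it. The handler reads its parameters from `req.URL.Query()`, so only a GET is meaningful here, and a method check beside the path check would narrow what the listener accepts: `if req.Method != http.MethodGet { http.Error(w, "405 method not allowed", http.StatusMethodNotAllowed); return }`. A short comment on the path check, e.g. `// Stray requests (robots.txt, favicon) get a 404 and do not touch the OAuth flow.`, would record why it is there. The rest of ServeHTTP is outside the hunk.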
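Review bot: In the second hunk (`@@ -559,12 +564,11 @@`), the new `fmt.Fprintf(os.Stderr, "Invalid request received: http://%s%s\n", req.RemoteAddr, req.URL.String())` prints the full request URL, query string included, and this branch also runs when only one of `code` and `state` is missing, so a received authorization code or state value can end up on the terminal and in anything that captures stderr. The query is also request-controlled text written without quoting, and `req.RemoteAddr` is the client's address, so the `http://` prefix builds a URL that points at the wrong host. I would log only what is needed: `fmt.Fprintf(os.Stderr, "Invalid request received from %s: missing code or state\n", req.RemoteAddr)`. Because this block now returns, the `if code == "" {` that follows can no longer be reached with an empty code; its body is outside the hunk, so check whether it is still needed.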