matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-11-20 12:02:22 +03:00
Code Activity

Have more granular errors on the refresh token grant

Browse Source
This commit is contained in:
Quentin Gliech
2023-09-08 15:03:50 +02:00
parent 0bb34ed3e0
commit 20cb5dda8c
1 changed files with 30 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
crates/handlers/src/oauth2/token.rs
View File

@@ -48,6 +48,7 @@ use serde::Serialize;
use serde_with::{serde_as, skip_serializing_none}; use serde_with::{serde_as, skip_serializing_none};
use thiserror::Error; use thiserror::Error;
use tracing::debug; use tracing::debug;
use ulid::Ulid;
use url::Url; use url::Url;
use super::{generate_id_token, generate_token_pair}; use super::{generate_id_token, generate_token_pair};
@@ -96,6 +97,18 @@ pub(crate) enum RouteError {
#[error("invalid grant")] #[error("invalid grant")]
InvalidGrant, InvalidGrant,
#[error("refresh token not found")]
RefreshTokenNotFound,
#[error("refresh token {0} is invalid")]
RefreshTokenInvalid(Ulid),
#[error("session {0} is invalid")]
SessionInvalid(Ulid),
#[error("client id mismatch: expected {expected}, got {actual}")]
ClientIDMismatch { expected: Ulid, actual: Ulid },
#[error("policy denied the request")] #[error("policy denied the request")]
DeniedByPolicy(Vec<mas_policy::Violation>), DeniedByPolicy(Vec<mas_policy::Violation>),
@@ -152,7 +165,12 @@ impl IntoResponse for RouteError {
), ),
), ),
), ),
Self::InvalidGrant | Self::GrantNotFound => ( Self::InvalidGrant
| Self::RefreshTokenNotFound
| Self::RefreshTokenInvalid(_)
| Self::SessionInvalid(_)
| Self::ClientIDMismatch { .. }
| Self::GrantNotFound => (
StatusCode::BAD_REQUEST, StatusCode::BAD_REQUEST,
Json(ClientError::from(ClientErrorCode::InvalidGrant)), Json(ClientError::from(ClientErrorCode::InvalidGrant)),
), ),
@@ -422,7 +440,7 @@ async fn refresh_token_grant(
.oauth2_refresh_token() .oauth2_refresh_token()
.find_by_token(&grant.refresh_token) .find_by_token(&grant.refresh_token)
.await? .await?
.ok_or(RouteError::InvalidGrant)?; .ok_or(RouteError::RefreshTokenNotFound)?;
let session = repo let session = repo
.oauth2_session() .oauth2_session()
@@ -430,13 +448,20 @@ async fn refresh_token_grant(
.await? .await?
.ok_or(RouteError::NoSuchOAuthSession)?; .ok_or(RouteError::NoSuchOAuthSession)?;
if !refresh_token.is_valid() || !session.is_valid() { if !refresh_token.is_valid() {
return Err(RouteError::InvalidGrant); return Err(RouteError::RefreshTokenInvalid(refresh_token.id));
}
if !session.is_valid() {
return Err(RouteError::SessionInvalid(session.id));
} }
if client.id != session.client_id { if client.id != session.client_id {
// As per https://datatracker.ietf.org/doc/html/rfc6749#section-5.2 // As per https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
return Err(RouteError::InvalidGrant); return Err(RouteError::ClientIDMismatch {
expected: session.client_id,
actual: client.id,
});
} }
let ttl = site_config.access_token_ttl; let ttl = site_config.access_token_ttl;