
Better CORS filter to allow OTEL propagator headers

This commit is contained in:
Quentin Gliech
2021-10-14 18:29:32 +02:00
parent e630279b54
commit 29f3edd833
11 changed files with 96 additions and 239 deletions


@@ -15,6 +15,7 @@
use std::collections::HashSet;
use hyper::Method;
use mas_config::OAuth2Config;
use oauth2_types::{
oidc::Metadata,
pkce::CodeChallengeMethod,
@@ -22,7 +23,7 @@ use oauth2_types::{
};
use warp::{Filter, Rejection, Reply};
use crate::config::OAuth2Config;
use crate::filters::cors::cors;
pub(super) fn filter(
config: &OAuth2Config,
@@ -87,15 +88,9 @@ pub(super) fn filter(
code_challenge_methods_supported,
};
// TODO: get the headers list from the global opentelemetry propagators
let cors = warp::cors()
.allow_method(Method::GET)
.allow_any_origin()
.allow_headers(["traceparent"]);
warp::path!(".well-known" / "openid-configuration").and(
warp::get()
.map(move || warp::reply::json(&metadata))
.with(cors),
.with(cors().allow_method(Method::GET)),
)
}
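Review bot: The new `.with(cors().allow_method(Method::GET))` at the end of this hunk drops the inline `allow_any_origin()` / `allow_headers(["traceparent"])` setup and its TODO without saying where that policy now lives, and the `cors()` helper itself is not part of this diff. A one-line comment would keep the intent visible to the next reader: `// Shared CORS policy (origins + OTEL propagator headers) lives in filters::cors; discovery must stay readable cross-origin for browser-based RPs.` If `cors()` builds the allowed-header list from the global propagator at the time the filter is constructed, it is worth confirming that the propagator is installed before `filter()` runs, otherwise the header list may be computed empty; I cannot verify that from this page.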


@@ -13,6 +13,7 @@
// limitations under the License.
use chrono::Utc;
use hyper::Method;
use oauth2_types::requests::{IntrospectionRequest, IntrospectionResponse, TokenTypeHint};
use sqlx::{pool::PoolConnection, PgPool, Postgres};
use tracing::{info, warn};
@@ -23,6 +24,7 @@ use crate::{
errors::WrapError,
filters::{
client::{client_authentication, ClientAuthentication},
cors::cors,
database::connection,
},
storage::oauth2::{access_token::lookup_access_token, refresh_token::lookup_refresh_token},
@@ -33,12 +35,14 @@ pub fn filter(
pool: &PgPool,
oauth2_config: &OAuth2Config,
) -> impl Filter<Extract = (impl Reply,), Error = Rejection> + Clone + Send + Sync + 'static {
warp::path!("oauth2" / "introspect")
.and(warp::post())
.and(connection(pool))
.and(client_authentication(oauth2_config))
.and_then(introspect)
.recover(recover)
warp::path!("oauth2" / "introspect").and(
warp::post()
.and(connection(pool))
.and(client_authentication(oauth2_config))
.and_then(introspect)
.recover(recover)
.with(cors().allow_method(Method::POST)),
)
}
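Review bot: Wrapping `/oauth2/introspect` in `cors().allow_method(Method::POST)` makes a client-authenticated, resource-server-facing endpoint callable from browser origins, which is unusual for RFC 7662 and effectively invites embedding client credentials in front-end code. If `cors()` still allows any origin, as the removed discovery code did, consider leaving this filter without the wrapper or limiting it to explicitly configured origins, and record the decision next to it: `// NOTE: introspection is for resource servers; do not expose cross-origin without an origin allow-list.` The `introspect` handler and `recover` are defined outside this hunk, so I cannot tell whether their error replies disclose anything a cross-origin caller should not see.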
const INACTIVE: IntrospectionResponse = IntrospectionResponse {


@@ -12,19 +12,20 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use hyper::Method;
use mas_config::OAuth2Config;
use warp::{Filter, Rejection, Reply};
use crate::config::OAuth2Config;
use crate::filters::cors::cors;
pub(super) fn filter(
config: &OAuth2Config,
) -> impl Filter<Extract = (impl Reply,), Error = Rejection> + Clone + Send + Sync + 'static {
let jwks = config.keys.to_public_jwks();
let cors = warp::cors().allow_any_origin();
warp::path!("oauth2" / "keys.json")
.and(warp::get())
.map(move || warp::reply::json(&jwks))
.with(cors)
warp::path!("oauth2" / "keys.json").and(
warp::get()
.map(move || warp::reply::json(&jwks))
.with(cors().allow_method(Method::GET)),
)
}


@@ -16,7 +16,7 @@ use anyhow::Context;
use chrono::Duration;
use data_encoding::BASE64URL_NOPAD;
use headers::{CacheControl, Pragma};
use hyper::StatusCode;
use hyper::{Method, StatusCode};
use jwt_compact::{Claims, Header, TimeOptions};
use oauth2_types::{
errors::{
@@ -44,6 +44,7 @@ use crate::{
errors::WrapError,
filters::{
client::{client_authentication, ClientAuthentication},
cors::cors,
database::connection,
with_keys,
},
@@ -92,14 +93,16 @@ pub fn filter(
oauth2_config: &OAuth2Config,
) -> impl Filter<Extract = (impl Reply,), Error = Rejection> + Clone + Send + Sync + 'static {
let issuer = oauth2_config.issuer.clone();
warp::path!("oauth2" / "token")
.and(warp::post())
.and(client_authentication(oauth2_config))
.and(with_keys(oauth2_config))
.and(warp::any().map(move || issuer.clone()))
.and(connection(pool))
.and_then(token)
.recover(recover)
warp::path!("oauth2" / "token").and(
warp::post()
.and(client_authentication(oauth2_config))
.and(with_keys(oauth2_config))
.and(warp::any().map(move || issuer.clone()))
.and(connection(pool))
.and_then(token)
.recover(recover)
.with(cors().allow_method(Method::POST)),
)
}
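Review bot: `.recover(recover)` sits inside the CORS wrapper, so recovered errors get CORS headers, but any rejection that `recover` passes through (for example a failed `client_authentication`, which runs before `token`) leaves the wrapper as `Err`, and as far as I recall warp's CORS wrap only decorates `Ok` replies, so a browser-based public client would see an opaque network error instead of the OAuth error body. Consider making sure every rejection this chain can produce is turned into a JSON error reply before `.with(cors(...))`, or confirm that `recover` already covers them. Separately, browser clients send `Authorization` (client authentication) and `Content-Type` on this POST, so the preflight only succeeds if `cors()` lists those in `Access-Control-Allow-Headers`; the helper is not in this diff, so please verify. `recover` and `token` are outside the hunk.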
async fn recover(rejection: Rejection) -> Result<impl Reply, Rejection> {


@@ -12,13 +12,17 @@
// See the License for the specific language governing permissions and
// limitations under the License.
use hyper::Method;
use serde::Serialize;
use sqlx::PgPool;
use warp::{Filter, Rejection, Reply};
use crate::{
config::OAuth2Config,
filters::authenticate::{authentication, recover_unauthorized},
filters::{
authenticate::{authentication, recover_unauthorized},
cors::cors,
},
storage::oauth2::access_token::OAuth2AccessTokenLookup,
};
@@ -31,11 +35,15 @@ pub(super) fn filter(
pool: &PgPool,
_config: &OAuth2Config,
) -> impl Filter<Extract = (impl Reply,), Error = Rejection> + Clone + Send + Sync + 'static {
warp::path!("oauth2" / "userinfo")
.and(warp::get().or(warp::post()).unify())
.and(authentication(pool))
.and_then(userinfo)
.recover(recover_unauthorized)
warp::path!("oauth2" / "userinfo").and(
warp::get()
.or(warp::post())
.unify()
.and(authentication(pool))
.and_then(userinfo)
.recover(recover_unauthorized)
.with(cors().allow_methods([Method::GET, Method::POST])),
)
}
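Review bot: The `userinfo` filter now advertises GET and POST cross-origin, but `authentication(pool)` consumes a bearer `Authorization` header, which browsers only send after a preflight that names `authorization` in `Access-Control-Allow-Headers`; `cors()` is not visible here, so please confirm it allows that header (and `content-type` for the POST form variant). `recover_unauthorized` is correctly placed inside the wrapper so 401 replies also carry CORS headers; a short comment would make that ordering deliberate rather than accidental: `// recover before .with(cors) so error replies also get CORS headers`. `userinfo` and `recover_unauthorized` are defined outside this hunk.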
async fn userinfo(token: OAuth2AccessTokenLookup) -> Result<impl Reply, Rejection> {