matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-11-20 12:02:22 +03:00
Code Activity

data-model: don't embed the client in the auth grant

Browse Source
This commit is contained in:
Quentin Gliech
2023-01-09 10:49:51 +01:00
parent fb7c6f4dd1
commit 39cd9a2578
8 changed files with 104 additions and 81 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
crates/handlers/src/oauth2/authorization/complete.rs
View File

@@ -29,7 +29,7 @@ use mas_storage::{
oauth2::{
authorization_grant::{fulfill_grant, get_grant_by_id},
consent::fetch_client_consent,
OAuth2SessionRepository,
OAuth2ClientRepository, OAuth2SessionRepository,
},
Repository,
};
@@ -125,6 +125,7 @@ pub(crate) async fn get(
}
Err(GrantCompletionError::NotPending) => Err(RouteError::NotPending),
Err(GrantCompletionError::Internal(e)) => Err(RouteError::Internal(e)),
Err(e) => Err(RouteError::Internal(e.into())),
}
}
@@ -144,6 +145,9 @@ pub enum GrantCompletionError {
#[error("denied by the policy")]
PolicyViolation,
#[error("failed to load client")]
NoSuchClient,
}
impl_from_error_for_route!(GrantCompletionError: sqlx::Error);
@@ -182,8 +186,13 @@ pub(crate) async fn complete(
return Err(GrantCompletionError::PolicyViolation);
}
let current_consent =
fetch_client_consent(&mut txn, &browser_session.user, &grant.client).await?;
let client = txn
.oauth2_client()
.lookup(grant.client_id)
.await?
.ok_or(GrantCompletionError::NoSuchClient)?;
let current_consent = fetch_client_consent(&mut txn, &browser_session.user, &client).await?;
let lacks_consent = grant
.scope

10
crates/handlers/src/oauth2/authorization/mod.rs
View File

@@ -360,7 +360,10 @@ pub(crate) async fn get(
Err(GrantCompletionError::Internal(e)) => {
return Err(RouteError::Internal(e))
}
Err(e @ GrantCompletionError::NotPending) => {
Err(
e @ (GrantCompletionError::NotPending
| GrantCompletionError::NoSuchClient),
) => {
// This should never happen
return Err(RouteError::Internal(Box::new(e)));
}
@@ -390,7 +393,10 @@ pub(crate) async fn get(
Err(GrantCompletionError::Internal(e)) => {
return Err(RouteError::Internal(e))
}
Err(e @ GrantCompletionError::NotPending) => {
Err(
e @ (GrantCompletionError::NotPending
| GrantCompletionError::NoSuchClient),
) => {
// This should never happen
return Err(RouteError::Internal(Box::new(e)));
}

21
crates/handlers/src/oauth2/consent.rs
View File

@@ -28,9 +28,13 @@ use mas_data_model::AuthorizationGrantStage;
use mas_keystore::Encrypter;
use mas_policy::PolicyFactory;
use mas_router::{PostAuthAction, Route};
use mas_storage::oauth2::{
authorization_grant::{get_grant_by_id, give_consent_to_grant},
consent::insert_client_consent,
use mas_storage::{
oauth2::{
authorization_grant::{get_grant_by_id, give_consent_to_grant},
consent::insert_client_consent,
OAuth2ClientRepository,
},
Repository,
};
use mas_templates::{ConsentContext, PolicyViolationContext, TemplateContext, Templates};
use sqlx::PgPool;
@@ -55,6 +59,9 @@ pub enum RouteError {
#[error("Policy violation")]
PolicyViolation,
#[error("Failed to load client")]
NoSuchClient,
}
impl_from_error_for_route!(sqlx::Error);
@@ -160,6 +167,12 @@ pub(crate) async fn post(
return Err(RouteError::PolicyViolation);
}
let client = txn
.oauth2_client()
.lookup(grant.client_id)
.await?
.ok_or(RouteError::NoSuchClient)?;
// Do not consent for the "urn:matrix:org.matrix.msc2967.client:device:*" scope
let scope_without_device = grant
.scope
@@ -172,7 +185,7 @@ pub(crate) async fn post(
&mut rng,
&clock,
&session.user,
&grant.client,
&client,
&scope_without_device,
)
.await?;