matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-11-23 11:02:35 +03:00
Code Activity

Proper error when submitting invalid authorization code

Browse Source
This commit is contained in:
Quentin Gliech
2021-09-23 14:48:12 +02:00
parent a9f1f8bb71
commit 4a927861b0
2 changed files with 29 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
crates/core/src/handlers/oauth2/token.rs
View File

@@ -153,8 +153,15 @@ async fn authorization_code_grant(
conn: &mut PoolConnection<Postgres>, conn: &mut PoolConnection<Postgres>,
) -> Result<AccessTokenResponse, Rejection> { ) -> Result<AccessTokenResponse, Rejection> {
let mut txn = conn.begin().await.wrap_error()?; let mut txn = conn.begin().await.wrap_error()?;
// TODO: recover from failed code lookup with invalid_grant instead
let code = lookup_code(&mut txn, &grant.code).await.wrap_error()?; // TODO: we should invalidate the existing session if a code is used twice after
// some period of time. See the `oidcc-codereuse-30seconds` test from the
// conformance suite
let code = match lookup_code(&mut txn, &grant.code).await {
Err(e) if e.not_found() => return error(InvalidGrant),
x => x,
}?;
if client.client_id != code.client_id { if client.client_id != code.client_id {
return error(UnauthorizedClient); return error(UnauthorizedClient);
} }

24
crates/core/src/storage/oauth2/authorization_code.rs
View File

@@ -16,6 +16,8 @@ use anyhow::Context;
use oauth2_types::pkce; use oauth2_types::pkce;
use serde::Serialize; use serde::Serialize;
use sqlx::{Executor, FromRow, Postgres}; use sqlx::{Executor, FromRow, Postgres};
use thiserror::Error;
use warp::reject::Reject;
#[derive(FromRow, Serialize)] #[derive(FromRow, Serialize)]
pub struct OAuth2Code { pub struct OAuth2Code {
@@ -65,11 +67,24 @@ pub struct OAuth2CodeLookup {
pub nonce: Option<String>, pub nonce: Option<String>,
} }
#[derive(Debug, Error)]
#[error("failed to lookup oauth2 code")]
pub struct CodeLookupError(#[from] sqlx::Error);
impl Reject for CodeLookupError {}
impl CodeLookupError {
#[must_use]
pub fn not_found(&self) -> bool {
matches!(self.0, sqlx::Error::RowNotFound)
}
}
pub async fn lookup_code( pub async fn lookup_code(
executor: impl Executor<'_, Database = Postgres>, executor: impl Executor<'_, Database = Postgres>,
code: &str, code: &str,
) -> anyhow::Result<OAuth2CodeLookup> { ) -> Result<OAuth2CodeLookup, CodeLookupError> {
sqlx::query_as!( let res = sqlx::query_as!(
OAuth2CodeLookup, OAuth2CodeLookup,
r#" r#"
SELECT SELECT
@@ -87,8 +102,9 @@ pub async fn lookup_code(
code, code,
) )
.fetch_one(executor) .fetch_one(executor)
.await .await?;
.context("could not lookup oauth2 code")
Ok(res)
} }
pub async fn consume_code( pub async fn consume_code(