Proper error when submitting invalid authorization code

2025-11-23 11:02:35 +03:00 · 2021-09-23 14:48:12 +02:00
parent a9f1f8bb71
commit 4a927861b0
2 changed files with 29 additions and 6 deletions
--- a/crates/core/src/handlers/oauth2/token.rs
+++ b/crates/core/src/handlers/oauth2/token.rs
@@ -153,8 +153,15 @@ async fn authorization_code_grant(
    conn: &mut PoolConnection<Postgres>,
 ) -> Result<AccessTokenResponse, Rejection> {
    let mut txn = conn.begin().await.wrap_error()?;
-    // TODO: recover from failed code lookup with invalid_grant instead
-    let code = lookup_code(&mut txn, &grant.code).await.wrap_error()?;
+
+    // TODO: we should invalidate the existing session if a code is used twice after
+    // some period of time. See the `oidcc-codereuse-30seconds` test from the
+    // conformance suite
+    let code = match lookup_code(&mut txn, &grant.code).await {
+        Err(e) if e.not_found() => return error(InvalidGrant),
+        x => x,
+    }?;
+
    if client.client_id != code.client_id {
        return error(UnauthorizedClient);
    }
--- a/crates/core/src/storage/oauth2/authorization_code.rs
+++ b/crates/core/src/storage/oauth2/authorization_code.rs
@@ -16,6 +16,8 @@ use anyhow::Context;
 use oauth2_types::pkce;
 use serde::Serialize;
 use sqlx::{Executor, FromRow, Postgres};
+use thiserror::Error;
+use warp::reject::Reject;

 #[derive(FromRow, Serialize)]
 pub struct OAuth2Code {
@@ -65,11 +67,24 @@ pub struct OAuth2CodeLookup {
    pub nonce: Option<String>,
 }

+#[derive(Debug, Error)]
+#[error("failed to lookup oauth2 code")]
+pub struct CodeLookupError(#[from] sqlx::Error);
+
+impl Reject for CodeLookupError {}
+
+impl CodeLookupError {
+    #[must_use]
+    pub fn not_found(&self) -> bool {
+        matches!(self.0, sqlx::Error::RowNotFound)
+    }
+}
+
 pub async fn lookup_code(
    executor: impl Executor<'_, Database = Postgres>,
    code: &str,
-) -> anyhow::Result<OAuth2CodeLookup> {
-    sqlx::query_as!(
+) -> Result<OAuth2CodeLookup, CodeLookupError> {
+    let res = sqlx::query_as!(
        OAuth2CodeLookup,
        r#"
            SELECT
@@ -87,8 +102,9 @@ pub async fn lookup_code(
        code,
    )
    .fetch_one(executor)
-    .await
-    .context("could not lookup oauth2 code")
+    .await?;
+
+    Ok(res)
 }

 pub async fn consume_code(