Move public base URL from oauth2 config to http config

2025-07-31 09:24:31 +03:00 · 2022-02-01 09:34:17 +01:00
parent f96c5b0cec
commit c0e5b66ea4
15 changed files with 166 additions and 74 deletions
--- a/crates/handlers/src/lib.rs
+++ b/crates/handlers/src/lib.rs
@ -47,12 +47,19 @@ pub fn root(
    config: &RootConfig,
 ) -> BoxedFilter<(impl Reply,)> {
    let health = health(pool);
-    let oauth2 = oauth2(pool, templates, key_store, &config.oauth2, &config.cookies);
+    let oauth2 = oauth2(
+        pool,
+        templates,
+        key_store,
+        &config.oauth2,
+        &config.http,
+        &config.cookies,
+    );
    let views = views(
        pool,
        templates,
        mailer,
-        &config.oauth2,
+        &config.http,
        &config.csrf,
        &config.cookies,
    );
--- a/crates/handlers/src/oauth2/discovery.rs
+++ b/crates/handlers/src/oauth2/discovery.rs
@ -14,7 +14,7 @@

 use std::collections::HashSet;

-use mas_config::OAuth2Config;
+use mas_config::HttpConfig;
 use mas_iana::{
    jose::JsonWebSignatureAlg,
    oauth::{
@ -23,6 +23,7 @@ use mas_iana::{
    },
 };
 use mas_jose::SigningKeystore;
+use mas_warp_utils::filters::url_builder::UrlBuilder;
 use oauth2_types::{
    oidc::{ClaimType, Metadata, SubjectType},
    requests::{Display, GrantType, ResponseMode},
@ -32,9 +33,9 @@ use warp::{filters::BoxedFilter, Filter, Reply};
 #[allow(clippy::too_many_lines)]
 pub(super) fn filter(
    key_store: impl SigningKeystore,
-    config: &OAuth2Config,
+    http_config: &HttpConfig,
 ) -> BoxedFilter<(Box<dyn Reply>,)> {
-    let base = config.issuer.clone();
+    let builder = UrlBuilder::from(http_config);

    // This is how clients can authenticate
    let client_auth_methods_supported = Some({
@ -62,12 +63,12 @@ pub(super) fn filter(
    let jwt_signing_alg_values_supported = Some(key_store.supported_algorithms());

    // Prepare all the endpoints
-    let issuer = Some(base.clone());
-    let authorization_endpoint = base.join("oauth2/authorize").ok();
-    let token_endpoint = base.join("oauth2/token").ok();
-    let jwks_uri = base.join("oauth2/keys.json").ok();
-    let introspection_endpoint = base.join("oauth2/introspect").ok();
-    let userinfo_endpoint = base.join("oauth2/userinfo").ok();
+    let issuer = Some(builder.oidc_issuer());
+    let authorization_endpoint = Some(builder.oauth_authorization_endpoint());
+    let token_endpoint = Some(builder.oauth_token_endpoint());
+    let jwks_uri = Some(builder.jwks_uri());
+    let introspection_endpoint = Some(builder.oauth_introspection_endpoint());
+    let userinfo_endpoint = Some(builder.oidc_userinfo_endpoint());

    let scopes_supported = Some({
        let mut s = HashSet::new();
--- a/crates/handlers/src/oauth2/introspection.rs
+++ b/crates/handlers/src/oauth2/introspection.rs
@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-use mas_config::{OAuth2ClientConfig, OAuth2Config};
+use mas_config::{HttpConfig, OAuth2ClientConfig, OAuth2Config};
 use mas_data_model::TokenType;
 use mas_iana::oauth::{OAuthClientAuthenticationMethod, OAuthTokenTypeHint};
 use mas_storage::oauth2::{
@ -20,18 +20,20 @@ use mas_storage::oauth2::{
 };
 use mas_warp_utils::{
    errors::WrapError,
-    filters::{client::client_authentication, database::connection},
+    filters::{client::client_authentication, database::connection, url_builder::UrlBuilder},
 };
 use oauth2_types::requests::{IntrospectionRequest, IntrospectionResponse};
 use sqlx::{pool::PoolConnection, PgPool, Postgres};
 use tracing::{info, warn};
 use warp::{filters::BoxedFilter, Filter, Rejection, Reply};

-pub fn filter(pool: &PgPool, oauth2_config: &OAuth2Config) -> BoxedFilter<(Box<dyn Reply>,)> {
-    let audience = oauth2_config
-        .issuer
-        .join("/oauth2/introspect")
-        .unwrap()
+pub fn filter(
+    pool: &PgPool,
+    oauth2_config: &OAuth2Config,
+    http_config: &HttpConfig,
+) -> BoxedFilter<(Box<dyn Reply>,)> {
+    let audience = UrlBuilder::from(http_config)
+        .oauth_introspection_endpoint()
        .to_string();

    warp::path!("oauth2" / "introspect")
--- a/crates/handlers/src/oauth2/mod.rs
+++ b/crates/handlers/src/oauth2/mod.rs
@ -15,7 +15,7 @@
 use std::sync::Arc;

 use hyper::Method;
-use mas_config::{CookiesConfig, OAuth2Config};
+use mas_config::{CookiesConfig, HttpConfig, OAuth2Config};
 use mas_jose::StaticKeystore;
 use mas_templates::Templates;
 use mas_warp_utils::filters::cors::cors;
@ -41,14 +41,15 @@ pub fn filter(
    templates: &Templates,
    key_store: &Arc<StaticKeystore>,
    oauth2_config: &OAuth2Config,
+    http_config: &HttpConfig,
    cookies_config: &CookiesConfig,
 ) -> BoxedFilter<(impl Reply,)> {
-    let discovery = discovery(key_store.as_ref(), oauth2_config);
+    let discovery = discovery(key_store.as_ref(), http_config);
    let keys = keys(key_store);
    let authorization = authorization(pool, templates, oauth2_config, cookies_config);
    let userinfo = userinfo(pool, oauth2_config);
-    let introspection = introspection(pool, oauth2_config);
-    let token = token(pool, key_store, oauth2_config);
+    let introspection = introspection(pool, oauth2_config, http_config);
+    let token = token(pool, key_store, oauth2_config, http_config);

    let filter = discovery
        .or(keys)
--- a/crates/handlers/src/oauth2/token.rs
+++ b/crates/handlers/src/oauth2/token.rs
@ -19,7 +19,7 @@ use chrono::{DateTime, Duration, Utc};
 use data_encoding::BASE64URL_NOPAD;
 use headers::{CacheControl, Pragma};
 use hyper::StatusCode;
-use mas_config::{OAuth2ClientConfig, OAuth2Config};
+use mas_config::{HttpConfig, OAuth2ClientConfig, OAuth2Config};
 use mas_data_model::{AuthorizationGrantStage, TokenType};
 use mas_iana::{jose::JsonWebSignatureAlg, oauth::OAuthClientAuthenticationMethod};
 use mas_jose::{
@ -37,7 +37,7 @@ use mas_storage::{
 };
 use mas_warp_utils::{
    errors::WrapError,
-    filters::{client::client_authentication, database::connection},
+    filters::{client::client_authentication, database::connection, url_builder::UrlBuilder},
    reply::with_typed_header,
 };
 use oauth2_types::{
@ -99,14 +99,13 @@ pub fn filter(
    pool: &PgPool,
    key_store: &Arc<StaticKeystore>,
    oauth2_config: &OAuth2Config,
+    http_config: &HttpConfig,
 ) -> BoxedFilter<(Box<dyn Reply>,)> {
    let key_store = key_store.clone();
-    let audience = oauth2_config
-        .issuer
-        .join("/oauth2/token")
-        .unwrap()
-        .to_string();
-    let issuer = oauth2_config.issuer.clone();
+    let builder = UrlBuilder::from(http_config);
+    let audience = builder.oauth_token_endpoint().to_string();
+
+    let issuer = builder.oidc_issuer();

    warp::path!("oauth2" / "token")
        .and(
--- a/crates/handlers/src/views/account/emails.rs
+++ b/crates/handlers/src/views/account/emails.rs
@ -13,7 +13,7 @@
 // limitations under the License.

 use lettre::{message::Mailbox, Address};
-use mas_config::{CookiesConfig, CsrfConfig, OAuth2Config};
+use mas_config::{CookiesConfig, CsrfConfig, HttpConfig};
 use mas_data_model::{BrowserSession, User, UserEmail};
 use mas_email::Mailer;
 use mas_storage::{
@ -31,6 +31,7 @@ use mas_warp_utils::{
        csrf::{protected_form, updated_csrf_token},
        database::{connection, transaction},
        session::session,
+        url_builder::{url_builder, UrlBuilder},
        with_templates, CsrfToken,
    },
 };
@ -38,21 +39,18 @@ use rand::{distributions::Alphanumeric, thread_rng, Rng};
 use serde::Deserialize;
 use sqlx::{pool::PoolConnection, PgExecutor, PgPool, Postgres, Transaction};
 use tracing::info;
-use url::Url;
 use warp::{filters::BoxedFilter, reply::html, Filter, Rejection, Reply};

 pub(super) fn filter(
    pool: &PgPool,
    templates: &Templates,
    mailer: &Mailer,
-    oauth2_config: &OAuth2Config,
+    http_config: &HttpConfig,
    csrf_config: &CsrfConfig,
    cookies_config: &CookiesConfig,
 ) -> BoxedFilter<(Box<dyn Reply>,)> {
    let mailer = mailer.clone();

-    let base = oauth2_config.issuer.clone();
-
    let get = with_templates(templates)
        .and(encrypted_cookie_saver(cookies_config))
        .and(updated_csrf_token(cookies_config, csrf_config))
@ -62,7 +60,7 @@ pub(super) fn filter(

    let post = with_templates(templates)
        .and(warp::any().map(move || mailer.clone()))
-        .and(warp::any().map(move || base.clone()))
+        .and(url_builder(http_config))
        .and(encrypted_cookie_saver(cookies_config))
        .and(updated_csrf_token(cookies_config, csrf_config))
        .and(session(pool, cookies_config))
@ -120,7 +118,7 @@ async fn render(

 async fn start_email_verification(
    mailer: &Mailer,
-    base: &Url,
+    url_builder: &UrlBuilder,
    executor: impl PgExecutor<'_>,
    user: &User<PostgresqlBackend>,
    user_email: &UserEmail<PostgresqlBackend>,
@ -139,8 +137,7 @@ async fn start_email_verification(

    let mailbox = Mailbox::new(Some(user.username.clone()), address);

-    let link = base.join("./verify/")?;
-    let link = link.join(&code)?;
+    let link = url_builder.email_verification(&code);

    let context = EmailVerificationContext::new(user.clone().into(), link);

@ -154,7 +151,7 @@ async fn start_email_verification(
 async fn post(
    templates: Templates,
    mailer: Mailer,
-    base: Url,
+    url_builder: UrlBuilder,
    cookie_saver: EncryptedCookieSaver,
    csrf_token: CsrfToken,
    mut session: BrowserSession<PostgresqlBackend>,
@ -166,7 +163,7 @@ async fn post(
            let user_email = add_user_email(&mut txn, &session.user, email)
                .await
                .wrap_error()?;
-            start_email_verification(&mailer, &base, &mut txn, &session.user, &user_email)
+            start_email_verification(&mailer, &url_builder, &mut txn, &session.user, &user_email)
                .await
                .wrap_error()?;
        }
@ -184,7 +181,7 @@ async fn post(
                .await
                .wrap_error()?;

-            start_email_verification(&mailer, &base, &mut txn, &session.user, &user_email)
+            start_email_verification(&mailer, &url_builder, &mut txn, &session.user, &user_email)
                .await
                .wrap_error()?;
        }
--- a/crates/handlers/src/views/account/mod.rs
+++ b/crates/handlers/src/views/account/mod.rs
@ -15,7 +15,7 @@
 mod emails;
 mod password;

-use mas_config::{CookiesConfig, CsrfConfig, OAuth2Config};
+use mas_config::{CookiesConfig, CsrfConfig, HttpConfig};
 use mas_data_model::BrowserSession;
 use mas_email::Mailer;
 use mas_storage::{
@ -42,7 +42,7 @@ pub(super) fn filter(
    pool: &PgPool,
    templates: &Templates,
    mailer: &Mailer,
-    oauth2_config: &OAuth2Config,
+    http_config: &HttpConfig,
    csrf_config: &CsrfConfig,
    cookies_config: &CookiesConfig,
 ) -> BoxedFilter<(Box<dyn Reply>,)> {
@ -60,7 +60,7 @@ pub(super) fn filter(
        pool,
        templates,
        mailer,
-        oauth2_config,
+        http_config,
        csrf_config,
        cookies_config,
    );
--- a/crates/handlers/src/views/index.rs
+++ b/crates/handlers/src/views/index.rs
@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-use mas_config::{CookiesConfig, CsrfConfig, OAuth2Config};
+use mas_config::{CookiesConfig, CsrfConfig, HttpConfig};
 use mas_data_model::BrowserSession;
 use mas_storage::PostgresqlBackend;
 use mas_templates::{IndexContext, TemplateContext, Templates};
@ -20,23 +20,22 @@ use mas_warp_utils::filters::{
    cookies::{encrypted_cookie_saver, EncryptedCookieSaver},
    csrf::updated_csrf_token,
    session::optional_session,
+    url_builder::{url_builder, UrlBuilder},
    with_templates, CsrfToken,
 };
 use sqlx::PgPool;
-use url::Url;
 use warp::{filters::BoxedFilter, reply::html, Filter, Rejection, Reply};

 pub(super) fn filter(
    pool: &PgPool,
    templates: &Templates,
-    oauth2_config: &OAuth2Config,
+    http_config: &HttpConfig,
    csrf_config: &CsrfConfig,
    cookies_config: &CookiesConfig,
 ) -> BoxedFilter<(Box<dyn Reply>,)> {
-    let discovery_url = oauth2_config.discovery_url();
    warp::path::end()
        .and(warp::get())
-        .map(move || discovery_url.clone())
+        .and(url_builder(http_config))
        .and(with_templates(templates))
        .and(encrypted_cookie_saver(cookies_config))
        .and(updated_csrf_token(cookies_config, csrf_config))
@ -46,13 +45,13 @@ pub(super) fn filter(
 }

 async fn get(
-    discovery_url: Url,
+    url_builder: UrlBuilder,
    templates: Templates,
    cookie_saver: EncryptedCookieSaver,
    csrf_token: CsrfToken,
    maybe_session: Option<BrowserSession<PostgresqlBackend>>,
 ) -> Result<Box<dyn Reply>, Rejection> {
-    let ctx = IndexContext::new(discovery_url)
+    let ctx = IndexContext::new(url_builder.oidc_discovery())
        .maybe_with_session(maybe_session)
        .with_csrf(csrf_token.form_value());

--- a/crates/handlers/src/views/mod.rs
+++ b/crates/handlers/src/views/mod.rs
@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-use mas_config::{CookiesConfig, CsrfConfig, OAuth2Config};
+use mas_config::{CookiesConfig, CsrfConfig, HttpConfig};
 use mas_email::Mailer;
 use mas_templates::Templates;
 use sqlx::PgPool;
@ -40,16 +40,16 @@ pub(super) fn filter(
    pool: &PgPool,
    templates: &Templates,
    mailer: &Mailer,
-    oauth2_config: &OAuth2Config,
+    http_config: &HttpConfig,
    csrf_config: &CsrfConfig,
    cookies_config: &CookiesConfig,
 ) -> BoxedFilter<(Box<dyn Reply>,)> {
-    let index = index(pool, templates, oauth2_config, csrf_config, cookies_config);
+    let index = index(pool, templates, http_config, csrf_config, cookies_config);
    let account = account(
        pool,
        templates,
        mailer,
-        oauth2_config,
+        http_config,
        csrf_config,
        cookies_config,
    );