matrix/authentication-service
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-authentication-service.git synced 2025-11-21 23:00:50 +03:00
Code Activity

Only allow using the refresh token grant if it was asked during the client registration

Browse Source
This commit is contained in:
Quentin Gliech
2023-09-05 12:07:11 +02:00
parent aeb379eee9
commit c85f5f2768
2 changed files with 12 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crates/handlers/src/oauth2/revoke.rs
View File

@@ -265,7 +265,7 @@ mod tests {
"contacts": ["contact@example.com"], "contacts": ["contact@example.com"],
"token_endpoint_auth_method": "client_secret_post", "token_endpoint_auth_method": "client_secret_post",
"response_types": ["code"], "response_types": ["code"],
"grant_types": ["authorization_code"], "grant_types": ["authorization_code", "refresh_token"],
})); }));
let response = state.request(request).await; let response = state.request(request).await;

15
crates/handlers/src/oauth2/token.rs
View File

@@ -257,6 +257,11 @@ async fn authorization_code_grant(
site_config: &SiteConfig, site_config: &SiteConfig,
mut repo: BoxRepository, mut repo: BoxRepository,
) -> Result<(AccessTokenResponse, BoxRepository), RouteError> { ) -> Result<(AccessTokenResponse, BoxRepository), RouteError> {
// Check that the client is allowed to use this grant type
if !client.grant_types.contains(&GrantType::AuthorizationCode) {
return Err(RouteError::UnauthorizedClient);
}
let authz_grant = repo let authz_grant = repo
.oauth2_authorization_grant() .oauth2_authorization_grant()
.find_by_code(&grant.code) .find_by_code(&grant.code)
@@ -405,6 +410,11 @@ async fn refresh_token_grant(
site_config: &SiteConfig, site_config: &SiteConfig,
mut repo: BoxRepository, mut repo: BoxRepository,
) -> Result<(AccessTokenResponse, BoxRepository), RouteError> { ) -> Result<(AccessTokenResponse, BoxRepository), RouteError> {
// Check that the client is allowed to use this grant type
if !client.grant_types.contains(&GrantType::RefreshToken) {
return Err(RouteError::UnauthorizedClient);
}
let refresh_token = repo let refresh_token = repo
.oauth2_refresh_token() .oauth2_refresh_token()
.find_by_token(&grant.refresh_token) .find_by_token(&grant.refresh_token)
@@ -740,7 +750,7 @@ mod tests {
"contacts": ["contact@example.com"], "contacts": ["contact@example.com"],
"token_endpoint_auth_method": "none", "token_endpoint_auth_method": "none",
"response_types": ["code"], "response_types": ["code"],
"grant_types": ["authorization_code"], "grant_types": ["authorization_code", "refresh_token"],
})); }));
let response = state.request(request).await; let response = state.request(request).await;
@@ -859,12 +869,9 @@ mod tests {
let request = let request =
Request::post(mas_router::OAuth2RegistrationEndpoint::PATH).json(serde_json::json!({ Request::post(mas_router::OAuth2RegistrationEndpoint::PATH).json(serde_json::json!({
"client_uri": "https://example.com/", "client_uri": "https://example.com/",
// XXX: we shouldn't have to specify the redirect URI here, but the policy denies it for now
"redirect_uris": ["https://example.com/callback"],
"contacts": ["contact@example.com"], "contacts": ["contact@example.com"],
"token_endpoint_auth_method": "client_secret_post", "token_endpoint_auth_method": "client_secret_post",
"grant_types": ["client_credentials"], "grant_types": ["client_credentials"],
"response_types": [],
})); }));
let response = state.request(request).await; let response = state.request(request).await;