Merge pull request #412 from MadAppGang/feature/oidc-login-v2

OIDC login v2
MadAppGang · Jul 25, 2023 · e012b66 · e012b66
2 parents 563f8c0 + ae3bd49
commit e012b66
Show file tree

Hide file tree

Showing 8 changed files with 475 additions and 166 deletions.
diff --git a/localization/messages_const.go b/localization/messages_const.go
diff --git a/localization/translations/en.yaml b/localization/translations/en.yaml
@@ -96,6 +96,7 @@ error.federated.access_denied.error: "You are not allowed to login with error: %
 error.federated.login.error: "Federated login error: %v."
 error.federated.code.error: "No code returned for federated login"
 error.federated.state.error: "State mismatch code returned for federated login"
+error.federated.state.internal.error: "State processing error: %v."
 error.federated.exchange.error: "Federated exchange error: %v."
 error.federated.idtoken.missing: "No id_token returned for federated login"
 error.federated.idtoken.invalid: "Invalid id_token returned for federated login: %v"

diff --git a/web/api/appsecret.go b/web/api/appsecret.go
@@ -6,7 +6,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"errors"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"strings"
 
@@ -45,7 +45,7 @@ func (ar *Router) SignatureHandler() negroni.HandlerFunc {
 			ar.logger.Println("RequestURI to sign:", r.URL.RequestURI()+t, "(GET request)")
 		} else {
 			// Extract body.
-			b, err := ioutil.ReadAll(r.Body)
+			b, err := io.ReadAll(r.Body)
 			if err != nil {
 				ar.Error(rw, locale, http.StatusBadRequest, l.ErrorAPIRequestBodyInvalidError, err)
 				return
@@ -73,7 +73,7 @@ func (ar *Router) SignatureHandler() negroni.HandlerFunc {
 
 		if r.Method != "GET" && r.Body != http.NoBody {
 			// Return body as Reader to next handlers.
-			r.Body = ioutil.NopCloser(bytes.NewBuffer(body))
+			r.Body = io.NopCloser(bytes.NewBuffer(body))
 		}
 		// Call next handler.
 		next(rw, r)

diff --git a/web/api/federated_login.go b/web/api/federated_login.go
@@ -47,10 +47,12 @@ func init() {
 // If no state string is associated with the request, one will be generated.
 // This state is sent to the provider and can be retrieved during the
 // callback.
-var setState = func(req *http.Request) string {
+var setState = func(req *http.Request, stateRequired bool) (string, error) {
 	state := req.URL.Query().Get("state")
 	if len(state) > 0 {
-		return state
+		return state, nil
+	} else if stateRequired {
+		return "", errors.New("state is required")
 	}
 
 	// If a state query param is not passed in, generate a random
@@ -61,9 +63,11 @@ var setState = func(req *http.Request) string {
 	nonceBytes := make([]byte, 64)
 	_, err := io.ReadFull(rand.Reader, nonceBytes)
 	if err != nil {
-		panic("gothic: source of randomness unavailable: " + err.Error())
+		return "", fmt.Errorf("source of randomness unavailable: %v", err)
+		// panic("gothic: source of randomness unavailable: " + err.Error())
 	}
-	return base64.URLEncoding.EncodeToString(nonceBytes)
+
+	return base64.URLEncoding.EncodeToString(nonceBytes), nil
 }
 
 // GetState gets the state returned by the provider during the callback.
@@ -271,7 +275,12 @@ func (ar *Router) GetAuthURL(res http.ResponseWriter, req *http.Request) (string
 		return "", errors.New(ar.ls.SD(l.APIAPPFederatedProviderEmptyRedirect))
 	}
 
-	sess, err := provider.BeginAuth(setState(req))
+	state, err := setState(req, false)
+	if err != nil {
+		return "", err
+	}
+
+	sess, err := provider.BeginAuth(state)
 	if err != nil {
 		return "", err
 	}
@@ -421,7 +430,11 @@ func getCallbackUrl(req *http.Request) string {
 }
 
 func getScopes(req *http.Request) []string {
-	rs := strings.Split(req.URL.Query().Get("scopes"), ",")
+	return parseScopes(req.URL.Query().Get("scopes"), ",")
+}
+
+func parseScopes(scopes, sep string) []string {
+	rs := strings.Split(scopes, sep)
 
 	result := []string{}
 	for _, scope := range rs {