author | Vika <vika@fireburn.ru> | 2022-07-19 05:00:40 +0300 |
---|---|---|
committer | Vika <vika@fireburn.ru> | 2022-07-19 05:31:51 +0300 |
commit | 1efb89a75af31d7580fdb06e3b4535bcde08e966 (patch) | |
tree | c6947265cc1fb913568655e2ca92d9bdee7a45f2 | |
parent | fb1f322f188f53e03201eeede479496fd9d0302b (diff) | |
download | kittybox-1efb89a75af31d7580fdb06e3b4535bcde08e966.tar.zst |
indieauth: improve security checks
Client ID and the redirect URI must match those that were used to create the grant.
-rw-r--r-- | kittybox-rs/src/indieauth/mod.rs | 31 |
1 files changed, 29 insertions, 2 deletions
diff --git a/kittybox-rs/src/indieauth/mod.rs b/kittybox-rs/src/indieauth/mod.rs
index b22f3ba..a059211 100644
--- a/kittybox-rs/src/indieauth/mod.rs
+++ b/kittybox-rs/src/indieauth/mod.rs
@@ -58,6 +58,7 @@ async fn authorization_endpoint_get(
 ) -> Html<String> {
 // TODO fetch h-app from client_id
 // TODO verify redirect_uri registration
+ // TODO fetch user profile to display it in a pretty page
 Html(kittybox_templates::Template {
 title: "Confirm sign-in via IndieAuth",
@@ -119,6 +120,20 @@ async fn authorization_endpoint_post<A: AuthBackend>(
 return StatusCode::INTERNAL_SERVER_ERROR.into_response();
 }
 };
+ if client_id != request.client_id {
+ return Json(Error {
+ kind: ErrorKind::InvalidGrant,
+ msg: Some("This authorization code isn't yours.".to_string()),
+ error_uri: None
+ }).into_response()
+ }
+ if redirect_uri != request.redirect_uri {
+ return Json(Error {
+ kind: ErrorKind::InvalidGrant,
+ msg: Some("This redirect_uri doesn't match the one the code has been sent to.".to_string()),
+ error_uri: None
+ }).into_response()
+ }
 if !request.code_challenge.verify(code_verifier) {
 return Json(Error {
 kind: ErrorKind::InvalidGrant,
@@ -192,7 +207,6 @@ async fn token_endpoint_post<A: AuthBackend>(
 match grant {
 GrantRequest::AuthorizationCode { code, client_id, redirect_uri, code_verifier } => {
 // TODO load the information corresponding to the code
- // TODO verify PKCE challenge using grant.code_verifier
 let request: AuthorizationRequest = match backend.get_code(&code).await {
 Ok(Some(request)) => request,
 Ok(None) => return Json(Error {
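Review bot: The two new error messages in authorization_endpoint_post tell the caller that the code is real but bound to a different client_id, or to a different redirect_uri, which distinguishes three outcomes (unknown code, wrong client, wrong redirect) that a caller presenting someone else's code has no need to tell apart; the same messages are added to token_endpoint_post in the next hunk. Returning the same `ErrorKind::InvalidGrant` with one generic message such as `msg: Some("Invalid authorization code.".to_string())` for all three cases keeps the endpoint from acting as an oracle, and logging the mismatch server-side preserves the detail for operators. The hunk does not show whether `backend.get_code` consumes the code, so it is not visible here whether a code that fails these checks stays redeemable for a later attempt; if it does, it should be invalidated on this path as well as on success. Both functions start and end outside the hunk.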
@@ -215,7 +229,20 @@ async fn token_endpoint_post<A: AuthBackend>(
 error_uri: "https://indieauth.spec.indieweb.org/#access-token-response".parse().ok()
 }).into_response();
 };
-
+ if client_id != request.client_id {
+ return Error {
+ kind: ErrorKind::InvalidGrant,
+ msg: Some("This authorization code isn't yours.".to_string()),
+ error_uri: None
+ }.into_response()
+ }
+ if redirect_uri != request.redirect_uri {
+ return Error {
+ kind: ErrorKind::InvalidGrant,
+ msg: Some("This redirect_uri doesn't match the one the code has been sent to.".to_string()),
+ error_uri: None
+ }.into_response()
+ }
 if !request.code_challenge.verify(code_verifier) {
 return Json(Error {
 kind: ErrorKind::InvalidGrant,
|
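Review bot: The two new early returns in token_endpoint_post build `Error { … }.into_response()` directly, while every neighbouring error in the same match arm (the `Ok(None)` arm above and the PKCE check below) wraps it as `Json(Error { … }).into_response()`, and the parallel checks added to authorization_endpoint_post in the previous hunk use `Json(...)` too. Whether `Error` implements `IntoResponse` on its own is not visible here; if it does not, this does not compile, and if it does, the mismatched client may receive a response serialized differently (body encoding, content type, status) from the other invalid_grant responses of the same endpoint. Suggest `return Json(Error { … }).into_response()` in both new checks so all error paths of the token endpoint are shaped alike. The match arm and the enclosing function continue outside the hunk.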