authorVika <vika@fireburn.ru>2022-07-19 05:00:40 +0300
committerVika <vika@fireburn.ru>2022-07-19 05:31:51 +0300
commit1efb89a75af31d7580fdb06e3b4535bcde08e966 (patch)
treec6947265cc1fb913568655e2ca92d9bdee7a45f2 /kittybox-rs/src/indieauth
parentfb1f322f188f53e03201eeede479496fd9d0302b (diff)
indieauth: improve security checks
Client ID and the redirect URI must match those that were used to
create the grant.
Diffstat (limited to 'kittybox-rs/src/indieauth')
-rw-r--r--kittybox-rs/src/indieauth/mod.rs31
1 files changed, 29 insertions, 2 deletions
diff --git a/kittybox-rs/src/indieauth/mod.rs b/kittybox-rs/src/indieauth/mod.rs
index b22f3ba..a059211 100644
--- a/kittybox-rs/src/indieauth/mod.rs
+++ b/kittybox-rs/src/indieauth/mod.rs
@@ -58,6 +58,7 @@ async fn authorization_endpoint_get(
 ) -> Html<String> {
     // TODO fetch h-app from client_id
     // TODO verify redirect_uri registration
+    // TODO fetch user profile to display it in a pretty page
 
     Html(kittybox_templates::Template {
         title: "Confirm sign-in via IndieAuth",
@@ -119,6 +120,20 @@ async fn authorization_endpoint_post<A: AuthBackend>(
                         return StatusCode::INTERNAL_SERVER_ERROR.into_response();
                     }
                 };
+                if client_id != request.client_id {
+                    return Json(Error {
+                        kind: ErrorKind::InvalidGrant,
+                        msg: Some("This authorization code isn't yours.".to_string()),
+                        error_uri: None
+                    }).into_response()
+                }
+                if redirect_uri != request.redirect_uri {
+                    return Json(Error {
+                        kind: ErrorKind::InvalidGrant,
+                        msg: Some("This redirect_uri doesn't match the one the code has been sent to.".to_string()),
+                        error_uri: None
+                    }).into_response()
+                }
                 if !request.code_challenge.verify(code_verifier) {
                     return Json(Error {
                         kind: ErrorKind::InvalidGrant,
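Review bot: A code delivered to an attacker-chosen redirect_uri for a legitimate client_id still passes both new comparisons, because the redirect_uri stored in the grant was never validated against the client's registration (the `// TODO verify redirect_uri registration` earlier in this file still stands), so the new binding is only as strong as the check the authorization endpoint does not yet perform. The two distinct messages also tell a caller which of the two parameters was wrong; a single wording for both branches, e.g. `msg: Some("This authorization code was not issued to this client and redirect_uri.".to_string())`, gives away less. It is not visible here whether `backend.get_code` consumes the code, so a request that fails these checks may leave the code redeemable for another attempt; if it does not, the failing path should revoke it. authorization_endpoint_post's body starts and ends outside this hunk.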
@@ -192,7 +207,6 @@ async fn token_endpoint_post<A: AuthBackend>(
     match grant {
         GrantRequest::AuthorizationCode { code, client_id, redirect_uri, code_verifier } => {
             // TODO load the information corresponding to the code
-            // TODO verify PKCE challenge using grant.code_verifier
             let request: AuthorizationRequest = match backend.get_code(&code).await {
                 Ok(Some(request)) => request,
                 Ok(None) => return Json(Error {
@@ -215,7 +229,20 @@ async fn token_endpoint_post<A: AuthBackend>(
                     error_uri: "https://indieauth.spec.indieweb.org/#access-token-response".parse().ok()
                 }).into_response();
             };
-
+            if client_id != request.client_id {
+                return Error {
+                    kind: ErrorKind::InvalidGrant,
+                    msg: Some("This authorization code isn't yours.".to_string()),
+                    error_uri: None
+                }.into_response()
+            }
+            if redirect_uri != request.redirect_uri {
+                return Error {
+                    kind: ErrorKind::InvalidGrant,
+                    msg: Some("This redirect_uri doesn't match the one the code has been sent to.".to_string()),
+                    error_uri: None
+                }.into_response()
+            }
             if !request.code_challenge.verify(code_verifier) {
                 return Json(Error {
                     kind: ErrorKind::InvalidGrant,
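Review bot: The two added early returns build the response as `Error { … }.into_response()` while the PKCE failure directly below and the error earlier in this function wrap it in `Json(…)`; if `Error`'s own `IntoResponse` impl and the `Json` wrapper differ in status code or content type, three `invalid_grant` responses from the same function will come back inconsistently. Pick one form for all three — the token endpoint is expected to answer `invalid_grant` with HTTP 400 and a JSON body, so use whichever of the two sets that status. The new errors also carry `error_uri: None` where the neighbouring error points at the spec; a link to the spec's section on redeeming the authorization code would be consistent with that. token_endpoint_post's body starts and ends outside this hunk.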