From 1efb89a75af31d7580fdb06e3b4535bcde08e966 Mon Sep 17 00:00:00 2001 From: Vika Date: Tue, 19 Jul 2022 05:00:40 +0300 Subject: indieauth: improve security checks Client ID and the redirect URI must match those that were used to create the grant. --- kittybox-rs/src/indieauth/mod.rs | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/kittybox-rs/src/indieauth/mod.rs b/kittybox-rs/src/indieauth/mod.rs index b22f3ba..a059211 100644 --- a/kittybox-rs/src/indieauth/mod.rs +++ b/kittybox-rs/src/indieauth/mod.rs @@ -58,6 +58,7 @@ async fn authorization_endpoint_get( ) -> Html { // TODO fetch h-app from client_id // TODO verify redirect_uri registration + // TODO fetch user profile to display it in a pretty page Html(kittybox_templates::Template { title: "Confirm sign-in via IndieAuth", @@ -119,6 +120,20 @@ async fn authorization_endpoint_post( return StatusCode::INTERNAL_SERVER_ERROR.into_response(); } }; + if client_id != request.client_id { + return Json(Error { + kind: ErrorKind::InvalidGrant, + msg: Some("This authorization code isn't yours.".to_string()), + error_uri: None + }).into_response() + } + if redirect_uri != request.redirect_uri { + return Json(Error { + kind: ErrorKind::InvalidGrant, + msg: Some("This redirect_uri doesn't match the one the code has been sent to.".to_string()), + error_uri: None + }).into_response() + } if !request.code_challenge.verify(code_verifier) { return Json(Error { kind: ErrorKind::InvalidGrant, @@ -192,7 +207,6 @@ async fn token_endpoint_post( match grant { GrantRequest::AuthorizationCode { code, client_id, redirect_uri, code_verifier } => { // TODO load the information corresponding to the code - // TODO verify PKCE challenge using grant.code_verifier let request: AuthorizationRequest = match backend.get_code(&code).await { Ok(Some(request)) => request, Ok(None) => return Json(Error { @@ -215,7 +229,20 @@ async fn token_endpoint_post( error_uri: "https://indieauth.spec.indieweb.org/#access-token-response".parse().ok() }).into_response(); }; - + if client_id != request.client_id { + return Error { + kind: ErrorKind::InvalidGrant, + msg: Some("This authorization code isn't yours.".to_string()), + error_uri: None + }.into_response() + } + if redirect_uri != request.redirect_uri { + return Error { + kind: ErrorKind::InvalidGrant, + msg: Some("This redirect_uri doesn't match the one the code has been sent to.".to_string()), + error_uri: None + }.into_response() + } if !request.code_challenge.verify(code_verifier) { return Json(Error { kind: ErrorKind::InvalidGrant, -- cgit 1.4.1