From 1efb89a75af31d7580fdb06e3b4535bcde08e966 Mon Sep 17 00:00:00 2001
From: Vika <vika@fireburn.ru>
Date: Tue, 19 Jul 2022 05:00:40 +0300
Subject: indieauth: improve security checks

Client ID and the redirect URI must match those that were used to
create the grant.
---
 kittybox-rs/src/indieauth/mod.rs | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

(limited to 'kittybox-rs/src/indieauth/mod.rs')

diff --git a/kittybox-rs/src/indieauth/mod.rs b/kittybox-rs/src/indieauth/mod.rs
index b22f3ba..a059211 100644
--- a/kittybox-rs/src/indieauth/mod.rs
+++ b/kittybox-rs/src/indieauth/mod.rs
@@ -58,6 +58,7 @@ async fn authorization_endpoint_get(
 ) -> Html<String> {
     // TODO fetch h-app from client_id
     // TODO verify redirect_uri registration
+    // TODO fetch user profile to display it in a pretty page
 
     Html(kittybox_templates::Template {
         title: "Confirm sign-in via IndieAuth",
@@ -119,6 +120,20 @@ async fn authorization_endpoint_post<A: AuthBackend>(
                         return StatusCode::INTERNAL_SERVER_ERROR.into_response();
                     }
                 };
+                if client_id != request.client_id {
+                    return Json(Error {
+                        kind: ErrorKind::InvalidGrant,
+                        msg: Some("This authorization code isn't yours.".to_string()),
+                        error_uri: None
+                    }).into_response()
+                }
+                if redirect_uri != request.redirect_uri {
+                    return Json(Error {
+                        kind: ErrorKind::InvalidGrant,
+                        msg: Some("This redirect_uri doesn't match the one the code has been sent to.".to_string()),
+                        error_uri: None
+                    }).into_response()
+                }
                 if !request.code_challenge.verify(code_verifier) {
                     return Json(Error {
                         kind: ErrorKind::InvalidGrant,
@@ -192,7 +207,6 @@ async fn token_endpoint_post<A: AuthBackend>(
     match grant {
         GrantRequest::AuthorizationCode { code, client_id, redirect_uri, code_verifier } => {
             // TODO load the information corresponding to the code
-            // TODO verify PKCE challenge using grant.code_verifier
             let request: AuthorizationRequest = match backend.get_code(&code).await {
                 Ok(Some(request)) => request,
                 Ok(None) => return Json(Error {
@@ -215,7 +229,20 @@ async fn token_endpoint_post<A: AuthBackend>(
                     error_uri: "https://indieauth.spec.indieweb.org/#access-token-response".parse().ok()
                 }).into_response();
             };
-
+            if client_id != request.client_id {
+                return Error {
+                    kind: ErrorKind::InvalidGrant,
+                    msg: Some("This authorization code isn't yours.".to_string()),
+                    error_uri: None
+                }.into_response()
+            }
+            if redirect_uri != request.redirect_uri {
+                return Error {
+                    kind: ErrorKind::InvalidGrant,
+                    msg: Some("This redirect_uri doesn't match the one the code has been sent to.".to_string()),
+                    error_uri: None
+                }.into_response()
+            }
             if !request.code_challenge.verify(code_verifier) {
                 return Json(Error {
                     kind: ErrorKind::InvalidGrant,
-- 
cgit 1.4.1