back round 0 view raw

add option to disable some URL checks #2

merged
opened by winter.bsky.social targeting main from winter.bsky.social/atproto-oauth: push-uqplmsuzttpn

This is useful for local development.

options
unified split
Changed files
+18 -13
helpers
generic.go
oauth.go
types.go
+3 -3
helpers/generic.go 
···

       
36

       
36

       
 

       
	return key, nil


     

       
37

       
37

       
 

       
}


     

       
38

       
38

       
 

       



     

       
39

       

       
-

       
func IsUrlSafeAndParsed(ustr string) (*url.URL, error) {


     

       

       
39

       
+

       
func IsUrlSafeAndParsed(ustr string, insecure bool) (*url.URL, error) {


     

       
40

       
40

       
 

       
	u, err := url.Parse(ustr)


     

       
41

       
41

       
 

       
	if err != nil {


     

       
42

       
42

       
 

       
		return nil, err


     

       
43

       
43

       
 

       
	}


     

       
44

       
44

       
 

       



     

       
45

       

       
-

       
	if u.Scheme != "https" {


     

       

       
45

       
+

       
	if u.Scheme != "https" && !insecure {


     

       
46

       
46

       
 

       
		return nil, fmt.Errorf("input url is not https")


     

       
47

       
47

       
 

       
	}


     

       
48

       
48

       
 

       



     
···

       
54

       
54

       
 

       
		return nil, fmt.Errorf("url user was not empty")


     

       
55

       
55

       
 

       
	}


     

       
56

       
56

       
 

       



     

       
57

       

       
-

       
	if u.Port() != "" {


     

       

       
57

       
+

       
	if u.Port() != "" && !insecure {


     

       
58

       
58

       
 

       
		return nil, fmt.Errorf("url port was not empty")


     

       
59

       
59

       
 

       
	}


     

       
60

       
60
+7 -4
oauth.go 
···

       
24

       
24

       
 

       
	clientKid        string


     

       
25

       
25

       
 

       
	clientId         string


     

       
26

       
26

       
 

       
	redirectUri      string


     

       

       
27

       
+

       
	insecure         bool


     

       
27

       
28

       
 

       
}


     

       
28

       
29

       
 

       



     

       
29

       
30

       
 

       
type ClientArgs struct {


     
···

       
31

       
32

       
 

       
	ClientJwk   jwk.Key


     

       
32

       
33

       
 

       
	ClientId    string


     

       
33

       
34

       
 

       
	RedirectUri string


     

       

       
35

       
+

       
	Insecure    bool


     

       
34

       
36

       
 

       
}


     

       
35

       
37

       
 

       



     

       
36

       
38

       
 

       
func NewClient(args ClientArgs) (*Client, error) {


     
···

       
61

       
63

       
 

       
		clientPrivateKey: clientPkey,


     

       
62

       
64

       
 

       
		clientId:         args.ClientId,


     

       
63

       
65

       
 

       
		redirectUri:      args.RedirectUri,


     

       

       
66

       
+

       
		insecure:         args.Insecure,


     

       
64

       
67

       
 

       
	}, nil


     

       
65

       
68

       
 

       
}


     

       
66

       
69

       
 

       



     

       
67

       
70

       
 

       
func (c *Client) ResolvePdsAuthServer(ctx context.Context, ustr string) (string, error) {


     

       
68

       

       
-

       
	u, err := helpers.IsUrlSafeAndParsed(ustr)


     

       

       
71

       
+

       
	u, err := helpers.IsUrlSafeAndParsed(ustr, c.insecure)


     

       
69

       
72

       
 

       
	if err != nil {


     

       
70

       
73

       
 

       
		return "", err


     

       
71

       
74

       
 

       
	}


     
···

       
106

       
109

       
 

       
}


     

       
107

       
110

       
 

       



     

       
108

       
111

       
 

       
func (c *Client) FetchAuthServerMetadata(ctx context.Context, ustr string) (*OauthAuthorizationMetadata, error) {


     

       
109

       

       
-

       
	u, err := helpers.IsUrlSafeAndParsed(ustr)


     

       

       
112

       
+

       
	u, err := helpers.IsUrlSafeAndParsed(ustr, c.insecure)


     

       
110

       
113

       
 

       
	if err != nil {


     

       
111

       
114

       
 

       
		return nil, err


     

       
112

       
115

       
 

       
	}


     
···

       
139

       
142

       
 

       
		return nil, fmt.Errorf("could not unmarshal authserver metadata: %w", err)


     

       
140

       
143

       
 

       
	}


     

       
141

       
144

       
 

       



     

       
142

       

       
-

       
	if err := metadata.Validate(u); err != nil {


     

       

       
145

       
+

       
	if err := metadata.Validate(u, c.insecure); err != nil {


     

       
143

       
146

       
 

       
		return nil, fmt.Errorf("could not validate authserver metadata: %w", err)


     

       
144

       
147

       
 

       
	}


     

       
145

       
148

       
 

       



     
···

       
261

       
264

       
 

       
		params.Set("login_hint", loginHint)


     

       
262

       
265

       
 

       
	}


     

       
263

       
266

       
 

       



     

       
264

       

       
-

       
	_, err = helpers.IsUrlSafeAndParsed(parUrl)


     

       

       
267

       
+

       
	_, err = helpers.IsUrlSafeAndParsed(parUrl, c.insecure)


     

       
265

       
268

       
 

       
	if err != nil {


     

       
266

       
269

       
 

       
		return nil, err


     

       
267

       
270

       
 

       
	}
+8 -6
types.go 
···

       
97

       
97

       
 

       
	return nil


     

       
98

       
98

       
 

       
}


     

       
99

       
99

       
 

       



     

       
100

       

       
-

       
func (oam *OauthAuthorizationMetadata) Validate(fetch_url *url.URL) error {


     

       

       
100

       
+

       
func (oam *OauthAuthorizationMetadata) Validate(fetch_url *url.URL, insecure bool) error {


     

       
101

       
101

       
 

       
	if fetch_url == nil {


     

       
102

       
102

       
 

       
		return fmt.Errorf("fetch_url was nil")


     

       
103

       
103

       
 

       
	}


     
···

       
111

       
111

       
 

       
		return fmt.Errorf("issuer hostname does not match fetch url hostname")


     

       
112

       
112

       
 

       
	}


     

       
113

       
113

       
 

       



     

       
114

       

       
-

       
	if iu.Scheme != "https" {


     

       
115

       

       
-

       
		return fmt.Errorf("issuer url is not https")


     

       
116

       

       
-

       
	}


     

       

       
114

       
+

       
	if !insecure {


     

       

       
115

       
+

       
		if iu.Scheme != "https" {


     

       

       
116

       
+

       
			return fmt.Errorf("issuer url is not https")


     

       

       
117

       
+

       
		}


     

       
117

       
118

       
 

       



     

       
118

       

       
-

       
	if iu.Port() != "" {


     

       
119

       

       
-

       
		return fmt.Errorf("issuer port is not empty")


     

       

       
119

       
+

       
		if iu.Port() != "" {


     

       

       
120

       
+

       
			return fmt.Errorf("issuer port is not empty")


     

       

       
121

       
+

       
		}


     

       
120

       
122

       
 

       
	}


     

       
121

       
123

       
 

       



     

       
122

       
124

       
 

       
	if iu.Path != "" && iu.Path != "/" {