hailey.at / cocoon
An atproto PDS written in Go
fork atom
cocoon / server / handle_oauth_par.go
at main 3.2 kB view raw
1package server 2 3import ( 4 "errors" 5 "time" 6 7 "github.com/Azure/go-autorest/autorest/to" 8 "github.com/haileyok/cocoon/internal/helpers" 9 "github.com/haileyok/cocoon/oauth" 10 "github.com/haileyok/cocoon/oauth/constants" 11 "github.com/haileyok/cocoon/oauth/dpop" 12 "github.com/haileyok/cocoon/oauth/provider" 13 "github.com/labstack/echo/v4" 14) 15 16type OauthParResponse struct { 17 ExpiresIn int64 `json:"expires_in"` 18 RequestURI string `json:"request_uri"` 19} 20 21func (s *Server) handleOauthPar(e echo.Context) error { 22 var parRequest provider.ParRequest 23 if err := e.Bind(&parRequest); err != nil { 24 s.logger.Error("error binding for par request", "error", err) 25 return helpers.ServerError(e, nil) 26 } 27 28 if err := e.Validate(parRequest); err != nil { 29 s.logger.Error("missing parameters for par request", "error", err) 30 return helpers.InputError(e, nil) 31 } 32 33 // TODO: this seems wrong. should be a way to get the entire request url i believe, but this will work for now 34 dpopProof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, nil) 35 if err != nil { 36 if errors.Is(err, dpop.ErrUseDpopNonce) { 37 nonce := s.oauthProvider.NextNonce() 38 if nonce != "" { 39 e.Response().Header().Set("DPoP-Nonce", nonce) 40 e.Response().Header().Add("access-control-expose-headers", "DPoP-Nonce") 41 } 42 return e.JSON(400, map[string]string{ 43 "error": "use_dpop_nonce", 44 }) 45 } 46 s.logger.Error("error getting dpop proof", "error", err) 47 return helpers.InputError(e, nil) 48 } 49 50 client, clientAuth, err := s.oauthProvider.AuthenticateClient(e.Request().Context(), parRequest.AuthenticateClientRequestBase, dpopProof, &provider.AuthenticateClientOptions{ 51 // rfc9449 52 // https://github.com/bluesky-social/atproto/blob/main/packages/oauth/oauth-provider/src/oauth-provider.ts#L473 53 AllowMissingDpopProof: true, 54 }) 55 if err != nil { 56 s.logger.Error("error authenticating client", "client_id", parRequest.ClientID, "error", err) 57 return helpers.InputError(e, to.StringPtr(err.Error())) 58 } 59 60 if parRequest.DpopJkt == nil { 61 if client.Metadata.DpopBoundAccessTokens { 62 parRequest.DpopJkt = to.StringPtr(dpopProof.JKT) 63 } 64 } else { 65 if !client.Metadata.DpopBoundAccessTokens { 66 msg := "dpop bound access tokens are not enabled for this client" 67 s.logger.Error(msg) 68 return helpers.InputError(e, &msg) 69 } 70 71 if dpopProof.JKT != *parRequest.DpopJkt { 72 msg := "supplied dpop jkt does not match header dpop jkt" 73 s.logger.Error(msg) 74 return helpers.InputError(e, &msg) 75 } 76 } 77 78 eat := time.Now().Add(constants.ParExpiresIn) 79 id := oauth.GenerateRequestId() 80 81 authRequest := &provider.OauthAuthorizationRequest{ 82 RequestId: id, 83 ClientId: client.Metadata.ClientID, 84 ClientAuth: *clientAuth, 85 Parameters: parRequest, 86 ExpiresAt: eat, 87 } 88 89 if err := s.db.Create(authRequest, nil).Error; err != nil { 90 s.logger.Error("error creating auth request in db", "error", err) 91 return helpers.ServerError(e, nil) 92 } 93 94 uri := oauth.EncodeRequestUri(id) 95 96 return e.JSON(201, OauthParResponse{ 97 ExpiresIn: int64(constants.ParExpiresIn.Seconds()), 98 RequestURI: uri, 99 }) 100}