hailey.at / cocoon
An atproto PDS written in Go
fork atom
cocoon / server / handle_oauth_par.go
at v0.5.1 3.0 kB view raw
1package server 2 3import ( 4 "errors" 5 "time" 6 7 "github.com/Azure/go-autorest/autorest/to" 8 "github.com/haileyok/cocoon/internal/helpers" 9 "github.com/haileyok/cocoon/oauth" 10 "github.com/haileyok/cocoon/oauth/constants" 11 "github.com/haileyok/cocoon/oauth/dpop" 12 "github.com/haileyok/cocoon/oauth/provider" 13 "github.com/labstack/echo/v4" 14) 15 16type OauthParResponse struct { 17 ExpiresIn int64 `json:"expires_in"` 18 RequestURI string `json:"request_uri"` 19} 20 21func (s *Server) handleOauthPar(e echo.Context) error { 22 var parRequest provider.ParRequest 23 if err := e.Bind(&parRequest); err != nil { 24 s.logger.Error("error binding for par request", "error", err) 25 return helpers.ServerError(e, nil) 26 } 27 28 if err := e.Validate(parRequest); err != nil { 29 s.logger.Error("missing parameters for par request", "error", err) 30 return helpers.InputError(e, nil) 31 } 32 33 // TODO: this seems wrong. should be a way to get the entire request url i believe, but this will work for now 34 dpopProof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, nil) 35 if err != nil { 36 if errors.Is(err, dpop.ErrUseDpopNonce) { 37 return e.JSON(400, map[string]string{ 38 "error": "use_dpop_nonce", 39 }) 40 } 41 s.logger.Error("error getting dpop proof", "error", err) 42 return helpers.InputError(e, nil) 43 } 44 45 client, clientAuth, err := s.oauthProvider.AuthenticateClient(e.Request().Context(), parRequest.AuthenticateClientRequestBase, dpopProof, &provider.AuthenticateClientOptions{ 46 // rfc9449 47 // https://github.com/bluesky-social/atproto/blob/main/packages/oauth/oauth-provider/src/oauth-provider.ts#L473 48 AllowMissingDpopProof: true, 49 }) 50 if err != nil { 51 s.logger.Error("error authenticating client", "client_id", parRequest.ClientID, "error", err) 52 return helpers.InputError(e, to.StringPtr(err.Error())) 53 } 54 55 if parRequest.DpopJkt == nil { 56 if client.Metadata.DpopBoundAccessTokens { 57 parRequest.DpopJkt = to.StringPtr(dpopProof.JKT) 58 } 59 } else { 60 if !client.Metadata.DpopBoundAccessTokens { 61 msg := "dpop bound access tokens are not enabled for this client" 62 s.logger.Error(msg) 63 return helpers.InputError(e, &msg) 64 } 65 66 if dpopProof.JKT != *parRequest.DpopJkt { 67 msg := "supplied dpop jkt does not match header dpop jkt" 68 s.logger.Error(msg) 69 return helpers.InputError(e, &msg) 70 } 71 } 72 73 eat := time.Now().Add(constants.ParExpiresIn) 74 id := oauth.GenerateRequestId() 75 76 authRequest := &provider.OauthAuthorizationRequest{ 77 RequestId: id, 78 ClientId: client.Metadata.ClientID, 79 ClientAuth: *clientAuth, 80 Parameters: parRequest, 81 ExpiresAt: eat, 82 } 83 84 if err := s.db.Create(authRequest, nil).Error; err != nil { 85 s.logger.Error("error creating auth request in db", "error", err) 86 return helpers.ServerError(e, nil) 87 } 88 89 uri := oauth.EncodeRequestUri(id) 90 91 return e.JSON(201, OauthParResponse{ 92 ExpiresIn: int64(constants.ParExpiresIn.Seconds()), 93 RequestURI: uri, 94 }) 95}