commit 762d95e49107ee2b910e653c08ca4be84f9cce0a · hailey.at/cocoon

+6 -2

oauth/dpop/manager.go

···

       36
       36
        
       	Hostname              string

     

       37
       37
        
       }

     

       38
       38
        
       

     

       39
       39
       +
       var (

     

       40
       40
       +
       	ErrUseDpopNonce = errors.New("use_dpop_nonce")

     

       41
       41
       +
       )

     

       42
       42
       +
       

     

       39
       43
        
       func NewManager(args ManagerArgs) *Manager {

     

       40
       44
        
       	if args.Logger == nil {

     

       41
       45
        
       		args.Logger = slog.Default()

     
···

       194
       198
        
       	nonce, _ := claims["nonce"].(string)

     

       195
       199
        
       	if nonce == "" {

     

       196
       200
        
       		// WARN: this _must_ be `use_dpop_nonce` for clients know they should make another request

     

       197
       197
       -
       		return nil, errors.New("use_dpop_nonce")

     

       201
       201
       +
       		return nil, ErrUseDpopNonce

     

       198
       202
        
       	}

     

       199
       203
        
       

     

       200
       204
        
       	if nonce != "" && !dm.nonce.Check(nonce) {

     

       201
       205
        
       		// WARN: this _must_ be `use_dpop_nonce` so that clients will fetch a new nonce

     

       202
       202
       -
       		return nil, errors.New("use_dpop_nonce")

     

       206
       206
       +
       		return nil, ErrUseDpopNonce

     

       203
       207
        
       	}

     

       204
       208
        
       

     

       205
       209
        
       	ath, _ := claims["ath"].(string)

+8 -1

server/handle_oauth_par.go

···

       1
       1
        
       package server

     

       2
       2
        
       

     

       3
       3
        
       import (

     

       4
       4
       +
       	"errors"

     

       4
       5
        
       	"time"

     

       5
       6
        
       

     

       6
       7
        
       	"github.com/Azure/go-autorest/autorest/to"

     

       7
       8
        
       	"github.com/haileyok/cocoon/internal/helpers"

     

       8
       9
        
       	"github.com/haileyok/cocoon/oauth"

     

       9
       10
        
       	"github.com/haileyok/cocoon/oauth/constants"

     

       11
       11
       +
       	"github.com/haileyok/cocoon/oauth/dpop"

     

       10
       12
        
       	"github.com/haileyok/cocoon/oauth/provider"

     

       11
       13
        
       	"github.com/labstack/echo/v4"

     

       12
       14
        
       )

     
···

       31
       33
        
       	// TODO: this seems wrong. should be a way to get the entire request url i believe, but this will work for now

     

       32
       34
        
       	dpopProof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, nil)

     

       33
       35
        
       	if err != nil {

     

       36
       36
       +
       		if errors.Is(err, dpop.ErrUseDpopNonce) {

     

       37
       37
       +
       			return e.JSON(400, map[string]string{

     

       38
       38
       +
       				"error": "use_dpop_nonce",

     

       39
       39
       +
       			})

     

       40
       40
       +
       		}

     

       34
       41
        
       		s.logger.Error("error getting dpop proof", "error", err)

     

       35
       35
       -
       		return helpers.InputError(e, to.StringPtr(err.Error()))

     

       42
       42
       +
       		return helpers.InputError(e, nil)

     

       36
       43
        
       	}

     

       37
       44
        
       

     

       38
       45
        
       	client, clientAuth, err := s.oauthProvider.AuthenticateClient(e.Request().Context(), parRequest.AuthenticateClientRequestBase, dpopProof, &provider.AuthenticateClientOptions{

+8 -1

server/handle_oauth_token.go

···

       4
       4
        
       	"bytes"

     

       5
       5
        
       	"crypto/sha256"

     

       6
       6
        
       	"encoding/base64"

     

       7
       7
       +
       	"errors"

     

       7
       8
        
       	"fmt"

     

       8
       9
        
       	"slices"

     

       9
       10
        
       	"time"

     
···

       13
       14
        
       	"github.com/haileyok/cocoon/internal/helpers"

     

       14
       15
        
       	"github.com/haileyok/cocoon/oauth"

     

       15
       16
        
       	"github.com/haileyok/cocoon/oauth/constants"

     

       17
       17
       +
       	"github.com/haileyok/cocoon/oauth/dpop"

     

       16
       18
        
       	"github.com/haileyok/cocoon/oauth/provider"

     

       17
       19
        
       	"github.com/labstack/echo/v4"

     

       18
       20
        
       )

     
···

       44
       46
        
       

     

       45
       47
        
       	proof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, e.Request().URL.String(), e.Request().Header, nil)

     

       46
       48
        
       	if err != nil {

     

       49
       49
       +
       		if errors.Is(err, dpop.ErrUseDpopNonce) {

     

       50
       50
       +
       			return e.JSON(400, map[string]string{

     

       51
       51
       +
       				"error": "use_dpop_nonce",

     

       52
       52
       +
       			})

     

       53
       53
       +
       		}

     

       47
       54
        
       		s.logger.Error("error getting dpop proof", "error", err)

     

       48
       48
       -
       		return helpers.InputError(e, to.StringPtr(err.Error()))

     

       55
       55
       +
       		return helpers.InputError(e, nil)

     

       49
       56
        
       	}

     

       50
       57
        
       

     

       51
       58
        
       	client, clientAuth, err := s.oauthProvider.AuthenticateClient(e.Request().Context(), req.AuthenticateClientRequestBase, proof, &provider.AuthenticateClientOptions{

+8 -1

server/middleware.go

···

       3
       3
        
       import (

     

       4
       4
        
       	"crypto/sha256"

     

       5
       5
        
       	"encoding/base64"

     

       6
       6
       +
       	"errors"

     

       6
       7
        
       	"fmt"

     

       7
       8
        
       	"strings"

     

       8
       9
        
       	"time"

     
···

       11
       12
        
       	"github.com/golang-jwt/jwt/v4"

     

       12
       13
        
       	"github.com/haileyok/cocoon/internal/helpers"

     

       13
       14
        
       	"github.com/haileyok/cocoon/models"

     

       15
       15
       +
       	"github.com/haileyok/cocoon/oauth/dpop"

     

       14
       16
        
       	"github.com/haileyok/cocoon/oauth/provider"

     

       15
       17
        
       	"github.com/labstack/echo/v4"

     

       16
       18
        
       	"gitlab.com/yawning/secp256k1-voi"

     
···

       229
       231
        
       

     

       230
       232
        
       		proof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, to.StringPtr(accessToken))

     

       231
       233
        
       		if err != nil {

     

       234
       234
       +
       			if errors.Is(err, dpop.ErrUseDpopNonce) {

     

       235
       235
       +
       				return e.JSON(400, map[string]string{

     

       236
       236
       +
       					"error": "use_dpop_nonce",

     

       237
       237
       +
       				})

     

       238
       238
       +
       			}

     

       232
       239
        
       			s.logger.Error("invalid dpop proof", "error", err)

     

       233
       233
       -
       			return helpers.InputError(e, to.StringPtr(err.Error()))

     

       240
       240
       +
       			return helpers.InputError(e, nil)

     

       234
       241
        
       		}

     

       235
       242
        
       

     

       236
       243
        
       		var oauthToken provider.OauthToken