
Ensure DPoP-Nonce header is exposed in use_dpop_nonce response

futur.blue 9544dc54 1286590e

+14 -8
+1 -1
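--- a/pegasus/lib/errors.ml
+++ b/pegasus/lib/errors.ml
@@ -70,7 +70,7 @@
         Dream.json ~status:`Bad_Request
           ~headers:
             [ ("WWW-Authenticate", {|DPoP error="use_dpop_nonce"|})
-            ; ("Access-Control-Expose-Headers", "WWW-Authenticate") ]
+            ; ("Access-Control-Expose-Headers", "DPoP-Nonce, WWW-Authenticate") ]
           {|{ "error": "use_dpop_nonce" }|}
     | e ->
         Dream.warning (fun log ->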
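Review bot: After this change the use_dpop_nonce response will carry `Access-Control-Expose-Headers: DPoP-Nonce, WWW-Authenticate` twice, because dpop_middleware in pegasus/lib/xrpc.ml (same commit) now matches the `DPoP` challenge in WWW-Authenticate and calls `Dream.add_header` with the identical list. Browsers merge repeated list-valued headers, so exposure still works, but two copies of the same list are easy to let drift apart. Consider making one side authoritative: either drop the header from this response and let the middleware expose it, or have the middleware call `Dream.set_header` so the value is replaced rather than appended. The match arm this hunk sits in starts and ends outside the hunk.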
+13 -7
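--- a/pegasus/lib/xrpc.ml
+++ b/pegasus/lib/xrpc.ml
@@ -309,13 +309,19 @@
 
 let dpop_middleware inner_handler req =
   let%lwt res = inner_handler req in
-  match Dream.header req "DPoP" with
-  | Some _ ->
-      Dream.set_header res "DPoP-Nonce" (Oauth.Dpop.next_nonce ()) ;
-      Dream.add_header res "Access-Control-Expose-Headers" "DPoP-Nonce" ;
-      Lwt.return res
-  | None ->
-      Lwt.return res
+  let dpop, www_auth =
+    (Dream.header req "DPoP", Dream.header res "WWW-Authenticate")
+  in
+  if
+    Option.is_some dpop
+    || Option.is_some www_auth
+       && Option.get www_auth |> Util.str_contains ~affix:"DPoP"
+  then begin
+    Dream.set_header res "DPoP-Nonce" (Oauth.Dpop.next_nonce ()) ;
+    Dream.add_header res "Access-Control-Expose-Headers"
+      "DPoP-Nonce, WWW-Authenticate"
+  end ;
+  Lwt.return res
 
 let cors_middleware inner_handler req =
   let%lwt res = inner_handler req in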
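Review bot: The condition at new lines 315-318 mixes `||` and `&&` without parentheses and depends on `&&` short-circuiting to keep `Option.get www_auth` from raising Invalid_argument; that is correct under OCaml precedence (`&&` binds tighter than `||`, `|>` tighter than both) but reads as if it might not be, and a later reordering of the operands would turn a missing header into an exception. Folding over the option removes the partial `Option.get` entirely: `if Option.is_some dpop || Option.fold ~none:false ~some:(Util.str_contains ~affix:"DPoP") www_auth then begin`. The substring test on the response's WWW-Authenticate is also the non-obvious part of this change and deserves a comment above the `if`, e.g. `(* Issue a nonce when the client sent a DPoP proof, or when the handler answered with a DPoP challenge (use_dpop_nonce), so the client can retry with it. *)`. Whether `Util.str_contains` is case-sensitive is not visible here; since the challenge string is produced by this server's own errors.ml that should not matter in practice.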