hailey.at / cocoon
this repo has no description
fork atom
cocoon / server / handle_oauth_par.go
at 0d9fcc5a3825db9b681594efc1af38ea6032f03b 3.2 kB view raw
1package server 2 3import ( 4 "errors" 5 "time" 6 7 "github.com/Azure/go-autorest/autorest/to" 8 "github.com/haileyok/cocoon/internal/helpers" 9 "github.com/haileyok/cocoon/oauth" 10 "github.com/haileyok/cocoon/oauth/constants" 11 "github.com/haileyok/cocoon/oauth/dpop" 12 "github.com/haileyok/cocoon/oauth/provider" 13 "github.com/labstack/echo/v4" 14) 15 16type OauthParResponse struct { 17 ExpiresIn int64 `json:"expires_in"` 18 RequestURI string `json:"request_uri"` 19} 20 21func (s *Server) handleOauthPar(e echo.Context) error { 22 ctx := e.Request().Context() 23 24 var parRequest provider.ParRequest 25 if err := e.Bind(&parRequest); err != nil { 26 s.logger.Error("error binding for par request", "error", err) 27 return helpers.ServerError(e, nil) 28 } 29 30 if err := e.Validate(parRequest); err != nil { 31 s.logger.Error("missing parameters for par request", "error", err) 32 return helpers.InputError(e, nil) 33 } 34 35 // TODO: this seems wrong. should be a way to get the entire request url i believe, but this will work for now 36 dpopProof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, nil) 37 if err != nil { 38 if errors.Is(err, dpop.ErrUseDpopNonce) { 39 nonce := s.oauthProvider.NextNonce() 40 if nonce != "" { 41 e.Response().Header().Set("DPoP-Nonce", nonce) 42 e.Response().Header().Add("access-control-expose-headers", "DPoP-Nonce") 43 } 44 return e.JSON(400, map[string]string{ 45 "error": "use_dpop_nonce", 46 }) 47 } 48 s.logger.Error("error getting dpop proof", "error", err) 49 return helpers.InputError(e, nil) 50 } 51 52 client, clientAuth, err := s.oauthProvider.AuthenticateClient(e.Request().Context(), parRequest.AuthenticateClientRequestBase, dpopProof, &provider.AuthenticateClientOptions{ 53 // rfc9449 54 // https://github.com/bluesky-social/atproto/blob/main/packages/oauth/oauth-provider/src/oauth-provider.ts#L473 55 AllowMissingDpopProof: true, 56 }) 57 if err != nil { 58 s.logger.Error("error authenticating client", "client_id", parRequest.ClientID, "error", err) 59 return helpers.InputError(e, to.StringPtr(err.Error())) 60 } 61 62 if parRequest.DpopJkt == nil { 63 if client.Metadata.DpopBoundAccessTokens { 64 parRequest.DpopJkt = to.StringPtr(dpopProof.JKT) 65 } 66 } else { 67 if !client.Metadata.DpopBoundAccessTokens { 68 msg := "dpop bound access tokens are not enabled for this client" 69 s.logger.Error(msg) 70 return helpers.InputError(e, &msg) 71 } 72 73 if dpopProof.JKT != *parRequest.DpopJkt { 74 msg := "supplied dpop jkt does not match header dpop jkt" 75 s.logger.Error(msg) 76 return helpers.InputError(e, &msg) 77 } 78 } 79 80 eat := time.Now().Add(constants.ParExpiresIn) 81 id := oauth.GenerateRequestId() 82 83 authRequest := &provider.OauthAuthorizationRequest{ 84 RequestId: id, 85 ClientId: client.Metadata.ClientID, 86 ClientAuth: *clientAuth, 87 Parameters: parRequest, 88 ExpiresAt: eat, 89 } 90 91 if err := s.db.Create(ctx, authRequest, nil).Error; err != nil { 92 s.logger.Error("error creating auth request in db", "error", err) 93 return helpers.ServerError(e, nil) 94 } 95 96 uri := oauth.EncodeRequestUri(id) 97 98 return e.JSON(201, OauthParResponse{ 99 ExpiresIn: int64(constants.ParExpiresIn.Seconds()), 100 RequestURI: uri, 101 }) 102}