barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2026-03-01 04:11:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: more rabbit nitpicks

Browse Source
This commit is contained in:
Stavros
2026-02-01 00:16:58 +02:00
parent 01e491c3be
commit 673f556fb3
6 changed files with 27 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
frontend/src/pages/authorize-page.tsx
View File

@@ -10,7 +10,7 @@ import {
CardFooter, CardFooter,
CardContent, CardContent,
} from "@/components/ui/card"; } from "@/components/ui/card";
import { getOidcClientInfoScehma } from "@/schemas/oidc-schemas"; import { getOidcClientInfoSchema } from "@/schemas/oidc-schemas";
import { Button } from "@/components/ui/button"; import { Button } from "@/components/ui/button";
import axios from "axios"; import axios from "axios";
import { toast } from "sonner"; import { toast } from "sonner";
@@ -73,13 +73,13 @@ export const AuthorizePage = () => {
isOidc, isOidc,
compiled: compiledOIDCParams, compiled: compiledOIDCParams,
} = useOIDCParams(searchParams); } = useOIDCParams(searchParams);
const scopes = props.scope.split(" "); const scopes = props.scope ? props.scope.split(" ").filter(Boolean) : [];
const getClientInfo = useQuery({ const getClientInfo = useQuery({
queryKey: ["client", props.client_id], queryKey: ["client", props.client_id],
queryFn: async () => { queryFn: async () => {
const res = await fetch(`/api/oidc/clients/${props.client_id}`); const res = await fetch(`/api/oidc/clients/${props.client_id}`);
const data = await getOidcClientInfoScehma.parseAsync(await res.json()); const data = await getOidcClientInfoSchema.parseAsync(await res.json());
return data; return data;
}, },
enabled: isOidc, enabled: isOidc,

4
frontend/src/pages/login-page.tsx
View File

@@ -149,6 +149,10 @@ export const LoginPage = () => {
[], [],
); );
if (isLoggedIn && isOidc) {
return <Navigate to={`/authorize?${compiledOIDCParams}`} replace />;
}
if (isLoggedIn && props.redirect_uri !== "") { if (isLoggedIn && props.redirect_uri !== "") {
return ( return (
<Navigate <Navigate

2
frontend/src/schemas/oidc-schemas.ts
View File

@@ -1,5 +1,5 @@
import { z } from "zod"; import { z } from "zod";
export const getOidcClientInfoScehma = z.object({ export const getOidcClientInfoSchema = z.object({
name: z.string(), name: z.string(),
}); });

10
internal/controller/oidc_controller.go
View File

@@ -273,7 +273,7 @@ func (controller *OIDCController) Token(c *gin.Context) {
tokenResponse = tokenRes tokenResponse = tokenRes
case "refresh_token": case "refresh_token":
tokenRes, err := controller.oidc.RefreshAccessToken(c, req.RefreshToken) tokenRes, err := controller.oidc.RefreshAccessToken(c, req.RefreshToken, rclientId)
if err != nil { if err != nil {
if errors.Is(err, service.ErrTokenExpired) { if errors.Is(err, service.ErrTokenExpired) {
@@ -284,6 +284,14 @@ func (controller *OIDCController) Token(c *gin.Context) {
return return
} }
if errors.Is(err, service.ErrInvalidClient) {
tlog.App.Error().Err(err).Msg("Invalid client")
c.JSON(401, gin.H{
"error": "invalid_grant",
})
return
}
tlog.App.Error().Err(err).Msg("Failed to refresh access token") tlog.App.Error().Err(err).Msg("Failed to refresh access token")
c.JSON(400, gin.H{ c.JSON(400, gin.H{
"error": "server_error", "error": "server_error",

2
internal/controller/oidc_controller_test.go
View File

@@ -176,6 +176,8 @@ func TestOIDCController(t *testing.T) {
req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode())) req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))
assert.NilError(t, err)
req.Header.Set("content-type", "application/x-www-form-urlencoded") req.Header.Set("content-type", "application/x-www-form-urlencoded")
req.SetBasicAuth("some-client-id", "some-client-secret") req.SetBasicAuth("some-client-id", "some-client-secret")

10
internal/service/oidc_service.go
View File

@@ -37,6 +37,7 @@ var (
ErrCodeNotFound = errors.New("code_not_found") ErrCodeNotFound = errors.New("code_not_found")
ErrTokenNotFound = errors.New("token_not_found") ErrTokenNotFound = errors.New("token_not_found")
ErrTokenExpired = errors.New("token_expired") ErrTokenExpired = errors.New("token_expired")
ErrInvalidClient = errors.New("invalid_client")
) )
type ClaimSet struct { type ClaimSet struct {
@@ -212,7 +213,7 @@ func (service *OIDCService) Init() error {
} }
func (service *OIDCService) GetIssuer() string { func (service *OIDCService) GetIssuer() string {
return service.config.Issuer return service.issuer
} }
func (service *OIDCService) GetClient(id string) (config.OIDCClientConfig, bool) { func (service *OIDCService) GetClient(id string) (config.OIDCClientConfig, bool) {
@@ -424,7 +425,7 @@ func (service *OIDCService) GenerateAccessToken(c *gin.Context, client config.OI
return tokenResponse, nil return tokenResponse, nil
} }
func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken string) (TokenResponse, error) { func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken string, reqClientId string) (TokenResponse, error) {
entry, err := service.queries.GetOidcTokenByRefreshToken(c, service.Hash(refreshToken)) entry, err := service.queries.GetOidcTokenByRefreshToken(c, service.Hash(refreshToken))
if err != nil { if err != nil {
@@ -438,6 +439,11 @@ func (service *OIDCService) RefreshAccessToken(c *gin.Context, refreshToken stri
return TokenResponse{}, ErrTokenExpired return TokenResponse{}, ErrTokenExpired
} }
// Ensure the client ID in the request matches the client ID in the token
if entry.ClientID != reqClientId {
return TokenResponse{}, ErrInvalidClient
}
idToken, err := service.generateIDToken(config.OIDCClientConfig{ idToken, err := service.generateIDToken(config.OIDCClientConfig{
ClientID: entry.ClientID, ClientID: entry.ClientID,
}, entry.Sub) }, entry.Sub)