mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2026-07-14 14:01:34 +00:00
fix: fix bugs in jwt parsing and redirect uri handling
This commit is contained in:
@@ -15,7 +15,7 @@ export const useRedirectUri = (
|
|||||||
let isAllowedProto = false;
|
let isAllowedProto = false;
|
||||||
let isHttpsDowngrade = false;
|
let isHttpsDowngrade = false;
|
||||||
|
|
||||||
if (redirect_uri === undefined) {
|
if (!redirect_uri) {
|
||||||
return {
|
return {
|
||||||
valid: isValid,
|
valid: isValid,
|
||||||
trusted: isTrusted,
|
trusted: isTrusted,
|
||||||
|
|||||||
@@ -110,11 +110,7 @@ export const AuthorizePage = () => {
|
|||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
||||||
if (
|
if (!isOidc || !screenParams.oidc_ticket || !screenParams.oidc_scope) {
|
||||||
!isOidc ||
|
|
||||||
screenParams.oidc_ticket === undefined ||
|
|
||||||
screenParams.oidc_scope === undefined
|
|
||||||
) {
|
|
||||||
return (
|
return (
|
||||||
<Navigate
|
<Navigate
|
||||||
to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`}
|
to={`/error?error=${encodeURIComponent(t("authorizeErrorInvalidParams"))}`}
|
||||||
|
|||||||
@@ -11,7 +11,7 @@ export const ErrorPage = () => {
|
|||||||
const { t } = useTranslation();
|
const { t } = useTranslation();
|
||||||
const { search } = useLocation();
|
const { search } = useLocation();
|
||||||
const searchParams = new URLSearchParams(search);
|
const searchParams = new URLSearchParams(search);
|
||||||
const error = searchParams.get("error") ?? "";
|
const error = searchParams.get("error") || "";
|
||||||
|
|
||||||
return (
|
return (
|
||||||
<Card>
|
<Card>
|
||||||
|
|||||||
@@ -168,7 +168,8 @@ export const LoginPage = () => {
|
|||||||
!auth.authenticated &&
|
!auth.authenticated &&
|
||||||
isOauthAutoRedirect &&
|
isOauthAutoRedirect &&
|
||||||
!hasAutoRedirectedRef.current &&
|
!hasAutoRedirectedRef.current &&
|
||||||
screenParams.login_for !== undefined
|
screenParams.redirect_uri &&
|
||||||
|
screenParams.login_for
|
||||||
) {
|
) {
|
||||||
hasAutoRedirectedRef.current = true;
|
hasAutoRedirectedRef.current = true;
|
||||||
oauthMutate(oauth.autoRedirect);
|
oauthMutate(oauth.autoRedirect);
|
||||||
@@ -180,6 +181,7 @@ export const LoginPage = () => {
|
|||||||
oauth.autoRedirect,
|
oauth.autoRedirect,
|
||||||
isOauthAutoRedirect,
|
isOauthAutoRedirect,
|
||||||
screenParams.login_for,
|
screenParams.login_for,
|
||||||
|
screenParams.redirect_uri,
|
||||||
]);
|
]);
|
||||||
|
|
||||||
useEffect(() => {
|
useEffect(() => {
|
||||||
|
|||||||
@@ -107,7 +107,6 @@ type TokenResponse struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
type AuthorizeRequest struct {
|
type AuthorizeRequest struct {
|
||||||
jwt.Claims
|
|
||||||
Scope string `form:"scope" json:"scope" url:"scope"`
|
Scope string `form:"scope" json:"scope" url:"scope"`
|
||||||
ResponseType string `form:"response_type" json:"response_type" url:"response_type"`
|
ResponseType string `form:"response_type" json:"response_type" url:"response_type"`
|
||||||
ClientID string `form:"client_id" json:"client_id" url:"client_id"`
|
ClientID string `form:"client_id" json:"client_id" url:"client_id"`
|
||||||
@@ -888,19 +887,32 @@ func (service *OIDCService) DeleteAuthorizeRequestTicket(ticket string) {
|
|||||||
|
|
||||||
// TODO: support signed request objects in the future
|
// TODO: support signed request objects in the future
|
||||||
func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
|
func (service *OIDCService) DecodeAuthorizeJWT(tokenString string) (*AuthorizeRequest, error) {
|
||||||
var req AuthorizeRequest
|
var claims jwt.MapClaims
|
||||||
|
|
||||||
token, _, err := jwt.NewParser().ParseUnverified(tokenString, &req)
|
|
||||||
|
|
||||||
|
token, _, err := jwt.NewParser().ParseUnverified(tokenString, &claims)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
|
return nil, fmt.Errorf("failed to parse authorize request jwt: %w", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
claims, ok := token.Claims.(*AuthorizeRequest)
|
alg, ok := token.Header["alg"].(string)
|
||||||
|
|
||||||
if !ok {
|
if !ok || alg != "none" || string(token.Signature) != "" {
|
||||||
return nil, errors.New("failed to parse claims from authorize request jwt")
|
return nil, fmt.Errorf("only unsigned jwts are supported for authorize requests")
|
||||||
}
|
}
|
||||||
|
|
||||||
return claims, nil
|
get := func(k string) string {
|
||||||
|
v, _ := claims[k].(string)
|
||||||
|
return v
|
||||||
|
}
|
||||||
|
|
||||||
|
return &AuthorizeRequest{
|
||||||
|
Scope: get("scope"),
|
||||||
|
ResponseType: get("response_type"),
|
||||||
|
ClientID: get("client_id"),
|
||||||
|
RedirectURI: get("redirect_uri"),
|
||||||
|
State: get("state"),
|
||||||
|
Nonce: get("nonce"),
|
||||||
|
CodeChallenge: get("code_challenge"),
|
||||||
|
CodeChallengeMethod: get("code_challenge_method"),
|
||||||
|
}, nil
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user