chore: fix typo

tests: add test for invalid challenge method
chore: remove simple logger from testing
2026-04-08 14:57:58 +00:00 · 2026-04-07 19:00:09 +03:00 · 2026-04-07 18:48:38 +03:00 · 2026-04-07 18:30:05 +03:00 · 2026-04-07 18:28:28 +03:00 · 2026-04-07 18:27:45 +03:00
6 changed files with 70 additions and 267 deletions
--- a/frontend/src/pages/login-page.tsx
+++ b/frontend/src/pages/login-page.tsx
@@ -76,14 +76,10 @@ export const LoginPage = () => {
    isPending: oauthIsPending,
    variables: oauthVariables,
  } = useMutation({
-    mutationFn: (provider: string) => {
-      const params = isOidc
-        ? `?${compiledOIDCParams}`
-        : props.redirect_uri
-          ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}`
-          : "";
-      return axios.get(`/api/oauth/url/${provider}${params}`);
-    },
+    mutationFn: (provider: string) =>
+      axios.get(
+        `/api/oauth/url/${provider}${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
+      ),
    mutationKey: ["oauth"],
    onSuccess: (data) => {
      toast.info(t("loginOauthSuccessTitle"), {
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -62,29 +62,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 		return
 	}

-	var reqParams service.OAuthURLParams
-
-	err = c.BindQuery(&reqParams)
-
-	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to bind query parameters")
-		c.JSON(400, gin.H{
-			"status":  400,
-			"message": "Bad Request",
-		})
-		return
-	}
-
-	if !controller.isOidcRequest(reqParams) {
-		isRedirectSafe := utils.IsRedirectSafe(reqParams.RedirectURI, controller.config.CookieDomain)
-
-		if !isRedirectSafe {
-			tlog.App.Warn().Str("redirect_uri", reqParams.RedirectURI).Msg("Unsafe redirect URI detected, ignoring")
-			reqParams.RedirectURI = ""
-		}
-	}
-
-	sessionId, _, err := controller.auth.NewOAuthSession(req.Provider, reqParams)
+	sessionId, session, err := controller.auth.NewOAuthSession(req.Provider)

 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to create OAuth session")
@@ -107,6 +85,20 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	}

 	c.SetCookie(controller.config.OAuthSessionCookieName, sessionId, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+	c.SetCookie(controller.config.CSRFCookieName, session.State, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+
+	redirectURI := c.Query("redirect_uri")
+	isRedirectSafe := utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain)
+
+	if !isRedirectSafe {
+		tlog.App.Warn().Str("redirect_uri", redirectURI).Msg("Unsafe redirect URI detected, ignoring")
+		redirectURI = ""
+	}
+
+	if redirectURI != "" && isRedirectSafe {
+		tlog.App.Debug().Msg("Setting redirect URI cookie")
+		c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+	}

 	c.JSON(200, gin.H{
 		"status":  200,
@@ -137,24 +129,20 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	}

 	c.SetCookie(controller.config.OAuthSessionCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
-
-	oauthPendingSession, err := controller.auth.GetOAuthPendingSession(sessionIdCookie)
-
-	if err != nil {
-		tlog.App.Error().Err(err).Msg("Failed to get OAuth pending session")
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
-		return
-	}
-
 	defer controller.auth.EndOAuthSession(sessionIdCookie)

 	state := c.Query("state")
-	if state != oauthPendingSession.State {
-		tlog.App.Warn().Err(err).Msg("CSRF token mismatch")
+	csrfCookie, err := c.Cookie(controller.config.CSRFCookieName)
+
+	if err != nil || state != csrfCookie {
+		tlog.App.Warn().Err(err).Msg("CSRF token mismatch or cookie missing")
+		c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}

+	c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
+
 	code := c.Query("code")
 	_, err = controller.auth.GetOAuthToken(sessionIdCookie, code)

@@ -210,7 +198,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		username = strings.Replace(user.Email, "@", "_", 1)
 	}

-	svc, err := controller.auth.GetOAuthService(sessionIdCookie)
+	service, err := controller.auth.GetOAuthService(sessionIdCookie)

 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to get OAuth service for session")
@@ -218,8 +206,8 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}

-	if svc.ID() != req.Provider {
-		tlog.App.Error().Msgf("OAuth service ID mismatch: expected %s, got %s", svc.ID(), req.Provider)
+	if service.ID() != req.Provider {
+		tlog.App.Error().Msgf("OAuth service ID mismatch: expected %s, got %s", service.ID(), req.Provider)
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
@@ -228,9 +216,9 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		Username:    username,
 		Name:        name,
 		Email:       user.Email,
-		Provider:    svc.ID(),
+		Provider:    service.ID(),
 		OAuthGroups: utils.CoalesceToString(user.Groups),
-		OAuthName:   svc.Name(),
+		OAuthName:   service.Name(),
 		OAuthSub:    user.Sub,
 	}

@@ -246,21 +234,16 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {

 	tlog.AuditLoginSuccess(c, sessionCookie.Username, sessionCookie.Provider)

-	if controller.isOidcRequest(oauthPendingSession.CallbackParams) {
-		tlog.App.Debug().Msg("OIDC request, redirecting to authorize page")
-		queries, err := query.Values(oauthPendingSession.CallbackParams)
-		if err != nil {
-			tlog.App.Error().Err(err).Msg("Failed to encode OIDC callback query")
-			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
-			return
-		}
-		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/authorize?%s", controller.config.AppURL, queries.Encode()))
+	redirectURI, err := c.Cookie(controller.config.RedirectCookieName)
+
+	if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
+		tlog.App.Debug().Msg("No redirect URI cookie found, redirecting to app root")
+		c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
 		return
 	}

-	if oauthPendingSession.CallbackParams.RedirectURI != "" {
 	queries, err := query.Values(config.RedirectQuery{
-			RedirectURI: oauthPendingSession.CallbackParams.RedirectURI,
+		RedirectURI: redirectURI,
 	})

 	if err != nil {
@@ -269,16 +252,6 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 		return
 	}

+	c.SetCookie(controller.config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
-		return
-	}
-
-	c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
-}
-
-func (controller *OAuthController) isOidcRequest(params service.OAuthURLParams) bool {
-	return params.Scope != "" &&
-		params.ResponseType != "" &&
-		params.ClientID != "" &&
-		params.RedirectURI != ""
 }
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -9,7 +9,6 @@ import (

 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
-
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
@@ -71,7 +70,6 @@ func (controller *OIDCController) SetupRoutes() {
 	oidcGroup.POST("/authorize", controller.Authorize)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
-	oidcGroup.POST("/userinfo", controller.Userinfo)
 }

 func (controller *OIDCController) GetClientInfo(c *gin.Context) {
@@ -377,15 +375,14 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 		return
 	}

-	var token string
-
 	authorization := c.GetHeader("Authorization")
-	if authorization != "" {
-		tokenType, bearerToken, ok := strings.Cut(authorization, " ")
+
+	tokenType, token, ok := strings.Cut(authorization, " ")
+
 	if !ok {
-			tlog.App.Warn().Msg("OIDC userinfo accessed with malformed authorization header")
+		tlog.App.Warn().Msg("OIDC userinfo accessed without authorization header")
 		c.JSON(401, gin.H{
-				"error": "invalid_request",
+			"error": "invalid_grant",
 		})
 		return
 	}
@@ -393,32 +390,7 @@ func (controller *OIDCController) Userinfo(c *gin.Context) {
 	if strings.ToLower(tokenType) != "bearer" {
 		tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token type")
 		c.JSON(401, gin.H{
-				"error": "invalid_request",
-			})
-			return
-		}
-
-		token = bearerToken
-	} else if c.Request.Method == http.MethodPost {
-		if c.ContentType() != "application/x-www-form-urlencoded" {
-			tlog.App.Warn().Msg("OIDC userinfo POST accessed with invalid content type")
-			c.JSON(400, gin.H{
-				"error": "invalid_request",
-			})
-			return
-		}
-		token = c.PostForm("access_token")
-		if token == "" {
-			tlog.App.Warn().Msg("OIDC userinfo POST accessed without access_token in body")
-			c.JSON(401, gin.H{
-				"error": "invalid_request",
-			})
-			return
-		}
-	} else {
-		tlog.App.Warn().Msg("OIDC userinfo accessed without authorization header")
-		c.JSON(401, gin.H{
-			"error": "invalid_request",
+			"error": "invalid_grant",
 		})
 		return
 	}
--- a/internal/controller/oidc_controller_test.go
+++ b/internal/controller/oidc_controller_test.go
@@ -435,128 +435,6 @@ func TestOIDCController(t *testing.T) {
 				assert.False(t, ok, "Did not expect email claim in userinfo response")
 			},
 		},
-		{
-			description: "Ensure userinfo forbids access with no authorization header",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 401, recorder.Code)
-
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
-				assert.Equal(t, "invalid_request", res["error"])
-			},
-		},
-		{
-			description: "Ensure userinfo forbids access with malformed authorization header",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
-				req.Header.Set("Authorization", "Bearer")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 401, recorder.Code)
-
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
-				assert.Equal(t, "invalid_request", res["error"])
-			},
-		},
-		{
-			description: "Ensure userinfo forbids access with invalid token type",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
-				req.Header.Set("Authorization", "Basic some-token")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 401, recorder.Code)
-
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
-				assert.Equal(t, "invalid_request", res["error"])
-			},
-		},
-		{
-			description: "Ensure userinfo forbids access with empty bearer token",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("GET", "/api/oidc/userinfo", nil)
-				req.Header.Set("Authorization", "Bearer ")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 401, recorder.Code)
-
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
-				assert.Equal(t, "invalid_grant", res["error"])
-			},
-		},
-		{
-			description: "Ensure userinfo POST rejects missing access token in body",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("POST", "/api/oidc/userinfo", strings.NewReader(""))
-				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 401, recorder.Code)
-
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
-				assert.Equal(t, "invalid_request", res["error"])
-			},
-		},
-		{
-			description: "Ensure userinfo POST rejects wrong content type",
-			middlewares: []gin.HandlerFunc{},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				req := httptest.NewRequest("POST", "/api/oidc/userinfo", strings.NewReader(`{"access_token":"some-token"}`))
-				req.Header.Set("Content-Type", "application/json")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 400, recorder.Code)
-
-				var res map[string]any
-				err := json.Unmarshal(recorder.Body.Bytes(), &res)
-				assert.NoError(t, err)
-				assert.Equal(t, "invalid_request", res["error"])
-			},
-		},
-		{
-			description: "Ensure userinfo accepts access token via POST body",
-			middlewares: []gin.HandlerFunc{
-				simpleCtx,
-			},
-			run: func(t *testing.T, router *gin.Engine, recorder *httptest.ResponseRecorder) {
-				tokenTest, found := getTestByDescription("Ensure we can get a token with a valid request")
-				assert.True(t, found, "Token test not found")
-				tokenRecorder := httptest.NewRecorder()
-				tokenTest(t, router, tokenRecorder)
-
-				var tokenRes map[string]any
-				err := json.Unmarshal(tokenRecorder.Body.Bytes(), &tokenRes)
-				assert.NoError(t, err)
-
-				accessToken := tokenRes["access_token"].(string)
-				assert.NotEmpty(t, accessToken)
-
-				body := url.Values{}
-				body.Set("access_token", accessToken)
-				req := httptest.NewRequest("POST", "/api/oidc/userinfo", strings.NewReader(body.Encode()))
-				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-				router.ServeHTTP(recorder, req)
-				assert.Equal(t, 200, recorder.Code)
-
-				var userInfoRes map[string]any
-				err = json.Unmarshal(recorder.Body.Bytes(), &userInfoRes)
-				assert.NoError(t, err)
-
-				_, ok := userInfoRes["sub"]
-				assert.True(t, ok, "Expected sub claim in userinfo response")
-			},
-		},
 		{
 			description: "Ensure plain PKCE succeeds",
 			middlewares: []gin.HandlerFunc{
--- a/internal/middleware/context_middleware.go
+++ b/internal/middleware/context_middleware.go
@@ -24,7 +24,6 @@ var (
 		"GET /api/oidc/clients",
 		"POST /api/oidc/token",
 		"GET /api/oidc/userinfo",
-		"POST /api/oidc/userinfo",
 		"GET /resources",
 		"POST /api/user/login",
 		"GET /.well-known/openid-configuration",
--- a/internal/service/auth_service.go
+++ b/internal/service/auth_service.go
@@ -28,26 +28,12 @@ const MaxOAuthPendingSessions = 256
 const OAuthCleanupCount = 16
 const MaxLoginAttemptRecords = 256

-// slightly modified version of the AuthorizeRequest from the OIDC service to basically accept all
-// parameters and pass them to the authorize page if needed
-type OAuthURLParams struct {
-	Scope               string `form:"scope" url:"scope"`
-	ResponseType        string `form:"response_type" url:"response_type"`
-	ClientID            string `form:"client_id" url:"client_id"`
-	RedirectURI         string `form:"redirect_uri" url:"redirect_uri"`
-	State               string `form:"state" url:"state"`
-	Nonce               string `form:"nonce" url:"nonce"`
-	CodeChallenge       string `form:"code_challenge" url:"code_challenge"`
-	CodeChallengeMethod string `form:"code_challenge_method" url:"code_challenge_method"`
-}
-
 type OAuthPendingSession struct {
 	State     string
 	Verifier  string
 	Token     *oauth2.Token
 	Service   *OAuthServiceImpl
 	ExpiresAt time.Time
-	CallbackParams OAuthURLParams
 }

 type LdapGroupsCache struct {
@@ -612,7 +598,7 @@ func (auth *AuthService) IsBypassedIP(acls config.AppIP, ip string) bool {
 	return false
 }

-func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLParams) (string, OAuthPendingSession, error) {
+func (auth *AuthService) NewOAuthSession(serviceName string) (string, OAuthPendingSession, error) {
 	auth.ensureOAuthSessionLimit()

 	service, ok := auth.oauthBroker.GetService(serviceName)
@@ -635,7 +621,6 @@ func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLPara
 		Verifier:  verifier,
 		Service:   &service,
 		ExpiresAt: time.Now().Add(1 * time.Hour),
-		CallbackParams: params,
 	}

 	auth.oauthMutex.Lock()
@@ -646,7 +631,7 @@ func (auth *AuthService) NewOAuthSession(serviceName string, params OAuthURLPara
 }

 func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) {
-	session, err := auth.GetOAuthPendingSession(sessionId)
+	session, err := auth.getOAuthPendingSession(sessionId)

 	if err != nil {
 		return "", err
@@ -656,7 +641,7 @@ func (auth *AuthService) GetOAuthURL(sessionId string) (string, error) {
 }

 func (auth *AuthService) GetOAuthToken(sessionId string, code string) (*oauth2.Token, error) {
-	session, err := auth.GetOAuthPendingSession(sessionId)
+	session, err := auth.getOAuthPendingSession(sessionId)

 	if err != nil {
 		return nil, err
@@ -676,7 +661,7 @@ func (auth *AuthService) GetOAuthToken(sessionId string, code string) (*oauth2.T
 }

 func (auth *AuthService) GetOAuthUserinfo(sessionId string) (config.Claims, error) {
-	session, err := auth.GetOAuthPendingSession(sessionId)
+	session, err := auth.getOAuthPendingSession(sessionId)

 	if err != nil {
 		return config.Claims{}, err
@@ -696,7 +681,7 @@ func (auth *AuthService) GetOAuthUserinfo(sessionId string) (config.Claims, erro
 }

 func (auth *AuthService) GetOAuthService(sessionId string) (OAuthServiceImpl, error) {
-	session, err := auth.GetOAuthPendingSession(sessionId)
+	session, err := auth.getOAuthPendingSession(sessionId)

 	if err != nil {
 		return nil, err
@@ -730,7 +715,7 @@ func (auth *AuthService) CleanupOAuthSessionsRoutine() {
 	}
 }

-func (auth *AuthService) GetOAuthPendingSession(sessionId string) (*OAuthPendingSession, error) {
+func (auth *AuthService) getOAuthPendingSession(sessionId string) (*OAuthPendingSession, error) {
 	auth.ensureOAuthSessionLimit()

 	auth.oauthMutex.RLock()
Author	SHA1	Message	Date
Stavros	def9e5aaaa	chore: fix typo	2026-04-07 19:00:09 +03:00
Stavros	6ffb52a5cd	tests: add test for invalid challenge method	2026-04-07 18:48:38 +03:00
Stavros	668348655f	chore: remove simple logger from testing	2026-04-07 18:30:05 +03:00
Stavros	482b3c6b57	chore: remove debug line	2026-04-07 18:28:28 +03:00
Stavros	e451b3d62f	fix: review comments	2026-04-07 18:27:45 +03:00
Stavros	5bada13919	tests: add test cases for pkce	2026-04-07 17:49:42 +03:00
Stavros	9a6676b054	feat: add pkce support to oidc server	2026-04-06 23:09:14 +03:00