ezidam, openid: refactor check app in method, verifying and send POST as well

2023-03-16 21:38:32 +01:00 · 2023-03-16 21:38:32 +01:00 · eb93cbd7ec
commit eb93cbd7ec
parent 8ae0c59a25
7 changed files with 76 additions and 22 deletions
--- a/crates/apps/Cargo.toml
+++ b/crates/apps/Cargo.toml
@ -12,3 +12,4 @@ url = { workspace = true }
 id = { path = "../id" }
 database = { path = "../database" }
 hash = { path = "../hash" }
+openid = { path = "../openid" }
--- a/crates/apps/src/database.rs
+++ b/crates/apps/src/database.rs
@ -42,11 +42,11 @@ impl App {
    }

    /// App needs to be not archived
-    pub async fn get_one(
+    pub(crate) async fn get_one(
        conn: impl SqliteExecutor<'_>,
        id: &str,
        redirect: &str,
-    ) -> Result<Option<Self>, Error> {
+    ) -> Result<Option<Self>, database::Error> {
        Ok(DatabaseApps::get_one(conn, id, redirect)
            .await?
            .map(Self::from))
--- a/crates/apps/src/get_valid.rs
+++ b/crates/apps/src/get_valid.rs
@ -0,0 +1,42 @@
+// error
+#[derive(thiserror::Error)]
+// the rest
+#[derive(Debug)]
+pub enum Error {
+    #[error("Database: {0}")]
+    Database(#[from] database::Error),
+
+    #[error("Bad response types")]
+    ResponseTypes,
+
+    #[error("Invalid scopes")]
+    Scopes,
+
+    #[error("Invalid application")]
+    Application,
+}
+
+use super::App;
+use database::sqlx::SqliteExecutor;
+
+impl App {
+    pub async fn get_valid_app(
+        conn: impl SqliteExecutor<'_>,
+        response_type: &str,
+        scope: &str,
+        client_id: &str,
+        redirect_uri: &str,
+    ) -> Result<App, Error> {
+        // Check for valid response types
+        openid::parse_response_types(response_type).ok_or_else(|| Error::ResponseTypes)?;
+
+        // Check for supported scopes
+        if !openid::SupportedScopes::check_supported_scopes(scope) {
+            return Err(Error::Scopes);
+        }
+
+        Self::get_one(conn, client_id, redirect_uri)
+            .await?
+            .ok_or_else(|| Error::Application)
+    }
+}
--- a/crates/apps/src/lib.rs
+++ b/crates/apps/src/lib.rs
@ -1,10 +1,12 @@
 mod database;
 mod error;
+mod get_valid;

 use chrono::{DateTime, Utc};
 use id::AppID;

 pub use crate::error::Error;
+pub use get_valid::Error as GetValidError;

 #[derive(Debug)]
 pub struct App {
--- a/crates/ezidam/src/error/conversion.rs
+++ b/crates/ezidam/src/error/conversion.rs
@ -57,3 +57,14 @@ impl From<apps::Error> for Error {
        Error::internal_server_error(e)
    }
 }
+
+impl From<apps::GetValidError> for Error {
+    fn from(e: apps::GetValidError) -> Self {
+        match e {
+            apps::GetValidError::Database(e) => Error::internal_server_error(e),
+            apps::GetValidError::ResponseTypes
+            | apps::GetValidError::Scopes
+            | apps::GetValidError::Application => Error::bad_request(e),
+        }
+    }
+}
--- a/crates/ezidam/src/routes/oauth.rs
+++ b/crates/ezidam/src/routes/oauth.rs
@ -28,25 +28,17 @@ async fn authorize_page(
    flash: Option<FlashMessage<'_>>,
    auth_request: AuthenticationRequest<'_>,
 ) -> Result<Template> {
-    // Check for valid response types
-    openid::parse_response_types(auth_request.response_type)
-        .ok_or_else(|| Error::bad_request("Bad response types"))?;
-
-    // Check for supported scopes
-    if !openid::SupportedScopes::check_supported_scopes(auth_request.scope) {
-        return Err(Error::bad_request("Invalid scopes"));
-    }
-
    let mut transaction = db.begin().await?;
-    // TODO: wrap checking in function?

-    let app = App::get_one(
+    // Get app info
+    let app = App::get_valid_app(
        &mut transaction,
+        auth_request.response_type,
+        auth_request.scope,
        auth_request.client_id,
        auth_request.redirect_uri,
    )
-    .await?
-    .ok_or_else(|| Error::bad_request("Invalid application"))?;
+    .await?;

    let settings = Settings::get(&mut transaction).await?;

@ -118,16 +110,23 @@ async fn authorize(
    mut db: Connection<Database>,
    auth_request: AuthenticationRequest<'_>,
 ) -> Result<Either<Redirect, Flash<Redirect>>> {
-    // TODO: check app and stuff before doing anything AGAIN, this is important
-    // TODO: check if request uri matches
+    let mut transaction = db.begin().await?;
+
+    // Get app info
+    let app = App::get_valid_app(
+        &mut transaction,
+        auth_request.response_type,
+        auth_request.scope,
+        auth_request.client_id,
+        auth_request.redirect_uri,
+    )
+    .await?;

    if form.login.is_empty() {
        return Ok(Either::Right(invalid_form(auth_request)));
    }
    let form = form.into_inner();

-    let mut transaction = db.begin().await?;
-
    // Get user
    let Some(user) = User::get_by_login(&mut transaction, form.login).await? else {
        return Ok(Either::Right(invalid_credentials(form.login, auth_request)));
@ -154,9 +153,7 @@ async fn authorize(
    // TODO: refresh token + jwt

    // TODO: put more data
-    Ok(Either::Left(Redirect::to(
-        auth_request.redirect_uri.to_string(),
-    )))
+    Ok(Either::Left(Redirect::to(app.redirect_uri().to_string())))
 }

 // TODO: oauth redirect route for ezidam