Knossos Oauth 2 Flow Changes (#752)

* adjust type and response format * Replace Found with Ok for handled redirects * scope parse fix * change apps query from body to query * adjust tests for new response type * remove unused imports * Clippy fixes
2023-11-11 09:42:01 -08:00
parent a818199b5a
commit 97ccb7df94
7 changed files with 50 additions and 29 deletions
--- a/src/auth/oauth/errors.rs
+++ b/src/auth/oauth/errors.rs
@@ -2,7 +2,7 @@ use super::ValidatedRedirectUri;
 use crate::auth::AuthenticationError;
 use crate::models::error::ApiError;
 use crate::models::ids::DecodingError;
-use actix_web::http::StatusCode;
+use actix_web::http::{header::LOCATION, StatusCode};
 use actix_web::HttpResponse;

 #[derive(thiserror::Error, Debug)]
@@ -63,7 +63,7 @@ impl actix_web::ResponseError for OAuthError {
            | OAuthErrorType::ScopesTooBroad
            | OAuthErrorType::AccessDenied => {
                if self.valid_redirect_uri.is_some() {
-                    StatusCode::FOUND
+                    StatusCode::OK
                } else {
                    StatusCode::INTERNAL_SERVER_ERROR
                }
@@ -94,10 +94,9 @@ impl actix_web::ResponseError for OAuthError {
                redirect_uri = format!("{}&state={}", redirect_uri, state);
            }

-            redirect_uri = urlencoding::encode(&redirect_uri).to_string();
-            HttpResponse::Found()
-                .append_header(("Location".to_string(), redirect_uri))
-                .finish()
+            HttpResponse::Ok()
+                .append_header((LOCATION, redirect_uri.clone()))
+                .body(redirect_uri)
        } else {
            HttpResponse::build(self.status_code()).json(ApiError {
                error: &self.error_type.error_name(),
--- a/src/auth/oauth/mod.rs
+++ b/src/auth/oauth/mod.rs
@@ -7,19 +7,21 @@ use crate::database::models::oauth_client_item::OAuthClient as DBOAuthClient;
 use crate::database::models::oauth_token_item::OAuthAccessToken;
 use crate::database::models::{
    generate_oauth_access_token_id, generate_oauth_client_authorization_id,
-    OAuthClientAuthorizationId, OAuthClientId,
+    OAuthClientAuthorizationId,
 };
 use crate::database::redis::RedisPool;
 use crate::models;
+use crate::models::ids::OAuthClientId;
 use crate::models::pats::Scopes;
 use crate::queue::session::AuthQueue;
+use actix_web::http::header::LOCATION;
 use actix_web::web::{scope, Data, Query, ServiceConfig};
 use actix_web::{get, post, web, HttpRequest, HttpResponse};
 use chrono::Duration;
 use rand::distributions::Alphanumeric;
 use rand::{Rng, SeedableRng};
 use rand_chacha::ChaCha20Rng;
-use reqwest::header::{CACHE_CONTROL, LOCATION, PRAGMA};
+use reqwest::header::{CACHE_CONTROL, PRAGMA};
 use serde::{Deserialize, Serialize};
 use sqlx::postgres::PgPool;

@@ -75,7 +77,7 @@ pub async fn init_oauth(
    .await?
    .1;

-    let client_id = oauth_info.client_id;
+    let client_id = oauth_info.client_id.into();
    let client = DBOAuthClient::get(client_id, &**pool).await?;

    if let Some(client) = client {
@@ -118,7 +120,7 @@ pub async fn init_oauth(
            {
                init_oauth_code_flow(
                    user.id.into(),
-                    client.id,
+                    client.id.into(),
                    existing_authorization.id,
                    requested_scopes,
                    redirect_uris,
@@ -141,7 +143,7 @@ pub async fn init_oauth(
                .map_err(|e| OAuthError::redirect(e, &oauth_info.state, &redirect_uri))?;

                let access_request = OAuthClientAccessRequest {
-                    client_id: client.id,
+                    client_id: client.id.into(),
                    client_name: client.name,
                    client_icon: client.icon_url,
                    flow_id,
@@ -341,7 +343,7 @@ pub async fn accept_or_reject_client_scopes(

            init_oauth_code_flow(
                user_id,
-                client_id,
+                client_id.into(),
                auth_id,
                scopes,
                redirect_uris,
@@ -396,7 +398,7 @@ async fn init_oauth_code_flow(
 ) -> Result<HttpResponse, OAuthError> {
    let code = Flow::OAuthAuthorizationCodeSupplied {
        user_id,
-        client_id,
+        client_id: client_id.into(),
        authorization_id,
        scopes,
        original_redirect_uri: redirect_uris.original.clone(),
@@ -413,9 +415,9 @@ async fn init_oauth_code_flow(
    let redirect_uri = append_params_to_uri(&redirect_uris.validated.0, &redirect_params);

    // IETF RFC 6749 Section 4.1.2 (https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2)
-    Ok(HttpResponse::Found()
-        .append_header((LOCATION, redirect_uri))
-        .finish())
+    Ok(HttpResponse::Ok()
+        .append_header((LOCATION, redirect_uri.clone()))
+        .body(redirect_uri))
 }

 fn append_params_to_uri(uri: &str, params: &[impl AsRef<str>]) -> String {