
Commit 0f5a932

committed
revert httpmw/oauth2.go changes
1 parent 0490fa1 commit 0f5a932


1 file changed

+59
-90
lines changed


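--- a/coderd/httpmw/oauth2.go
+++ b/coderd/httpmw/oauth2.go
@@ -2,8 +2,6 @@ package httpmw
 
 import (
 "context"
-"encoding/base64"
-"encoding/json"
 "fmt"
 "net/http"
 "net/url"
@@ -17,6 +15,7 @@ import (
 "github.com/coder/coder/v2/coderd/httpapi"
 "github.com/coder/coder/v2/coderd/promoauth"
 "github.com/coder/coder/v2/codersdk"
+"github.com/coder/coder/v2/cryptorand"
 )
 
 type oauth2StateKey struct{}
@@ -85,8 +84,7 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, authURLOp
 return
 }
 
-// code := r.URL.Query().Get("code")
-deviceCode := r.URL.Query().Get("device_code")
+code := r.URL.Query().Get("code")
 state := r.URL.Query().Get("state")
 redirect := r.URL.Query().Get("redirect")
 if redirect != "" {
@@ -98,105 +96,76 @@ func ExtractOAuth2(config promoauth.OAuth2Config, client *http.Client, authURLOp
 redirect = uriFromURL(redirect)
 }
 
-var da *oauth2.DeviceAuthResponse
-if deviceCode != "" {
-// Decode base64-encoded device code
-decodedBytes, err := base64.StdEncoding.DecodeString(deviceCode)
-if err != nil {
-httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-Message: "Invalid device code format",
-Detail: err.Error(),
-})
-return
+if code == "" {
+// If the code isn't provided, we'll redirect!
+var state string
+// If this url param is provided, then a user is trying to merge
+// their account with an OIDC account. Their password would have
+// been required to get to this point, so we do not need to verify
+// their password again.
+oidcMergeState := r.URL.Query().Get("oidc_merge_state")
+if oidcMergeState != "" {
+state = oidcMergeState
+} else {
+var err error
+state, err = cryptorand.String(32)
+if err != nil {
+httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
+Message: "Internal error generating state string.",
+Detail: err.Error(),
+})
+return
+}
 }
 
-// Unmarshal JSON into DeviceAuthResponse
-da = &oauth2.DeviceAuthResponse{}
-if err := json.Unmarshal(decodedBytes, da); err != nil {
-httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-Message: "Invalid device code data",
-Detail: err.Error(),
-})
-return
-}
-} else {
-httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-Message: "Invalid device code data",
-Detail: "Device code is required for device flow.",
+http.SetCookie(rw, &http.Cookie{
+Name: codersdk.OAuth2StateCookie,
+Value: state,
+Path: "/",
+HttpOnly: true,
+SameSite: http.SameSiteLaxMode,
+})
+// Redirect must always be specified, otherwise
+// an old redirect could apply!
+http.SetCookie(rw, &http.Cookie{
+Name: codersdk.OAuth2RedirectCookie,
+Value: redirect,
+Path: "/",
+HttpOnly: true,
+SameSite: http.SameSiteLaxMode,
 })
+
+http.Redirect(rw, r, config.AuthCodeURL(state, opts...), http.StatusTemporaryRedirect)
 return
 }
 
-// if code == "" {
-// // If the code isn't provided, we'll redirect!
-// var state string
-// // If this url param is provided, then a user is trying to merge
-// // their account with an OIDC account. Their password would have
-// // been required to get to this point, so we do not need to verify
-// // their password again.
-// oidcMergeState := r.URL.Query().Get("oidc_merge_state")
-// if oidcMergeState != "" {
-// state = oidcMergeState
-// } else {
-// var err error
-// state, err = cryptorand.String(32)
-// if err != nil {
-// httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
-// Message: "Internal error generating state string.",
-// Detail: err.Error(),
-// })
-// return
-// }
-// }
-
-http.SetCookie(rw, &http.Cookie{
-Name: codersdk.OAuth2StateCookie,
-Value: "hello",
-Path: "/",
-HttpOnly: true,
-SameSite: http.SameSiteLaxMode,
-})
-// // Redirect must always be specified, otherwise
-// // an old redirect could apply!
-// http.SetCookie(rw, &http.Cookie{
-// Name: codersdk.OAuth2RedirectCookie,
-// Value: redirect,
-// Path: "/",
-// HttpOnly: true,
-// SameSite: http.SameSiteLaxMode,
-// })
-
-// http.Redirect(rw, r, config.AuthCodeURL(state, opts...), http.StatusTemporaryRedirect)
-// return
-// }
-
-// if state == "" {
-// httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
-// Message: "State must be provided.",
-// })
-// return
-// }
+if state == "" {
+httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{
+Message: "State must be provided.",
+})
+return
+}
 
-// stateCookie, err := r.Cookie(codersdk.OAuth2StateCookie)
-// if err != nil {
-// httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-// Message: fmt.Sprintf("Cookie %q must be provided.", codersdk.OAuth2StateCookie),
-// })
-// return
-// }
-// if stateCookie.Value != state {
-// httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
-// Message: "State mismatched.",
-// })
-// return
-// }
+stateCookie, err := r.Cookie(codersdk.OAuth2StateCookie)
+if err != nil {
+httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
+Message: fmt.Sprintf("Cookie %q must be provided.", codersdk.OAuth2StateCookie),
+})
+return
+}
+if stateCookie.Value != state {
+httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
+Message: "State mismatched.",
+})
+return
+}
 
 stateRedirect, err := r.Cookie(codersdk.OAuth2RedirectCookie)
 if err == nil {
 redirect = stateRedirect.Value
 }
 
-oauthToken, err := config.DeviceAccessToken(ctx, da)
+oauthToken, err := config.Exchange(ctx, code)
 if err != nil {
 httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{
 Message: "Internal error exchanging Oauth code.",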
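Review bot: `var state string` at new line 101 shadows the `state` read from the query string at new line 88, so inside the `if code == ""` branch two different values share one name and the `shadow` analyzer would flag it; renaming the inner one (for example `var authState string`, used in the first `SetCookie` and in `config.AuthCodeURL`) or assigning to the outer variable instead of redeclaring it removes the ambiguity. The two cookies written at new lines 121–136 carry `HttpOnly` and `SameSite=Lax` but no `Secure` attribute; unless the deployment's secure-cookie setting is applied to these cookies elsewhere, `Secure: true` would keep the state and redirect values off plaintext connections. After the comparison at new lines 156–161 the state cookie is left in place, so the same value stays valid for further callbacks for the rest of the browser session; clearing it once consumed, `http.SetCookie(rw, &http.Cookie{Name: codersdk.OAuth2StateCookie, Value: "", Path: "/", MaxAge: -1, HttpOnly: true, SameSite: http.SameSiteLaxMode})`, makes each state single-use. ExtractOAuth2 begins before and continues past this hunk.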
