deepcrayon
/
lila
1
0
Fork 0
Code Releases Activity

add bc for basic auth in legacy oauth flow

pull/9350/head
Niklas Fiekas 2021-07-05 11:29:22 +02:00
parent 5a1b3b0661
commit 0c66ed94d5
3 changed files with 31 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/OAuth.scala
View File

@ -97,7 +97,7 @@ final class OAuth(env: Env) extends LilaController(env) {
def legacyTokenApply =
Action.async(parse.form(accessTokenRequestForm)) { implicit req =>
req.body.prepareLegacy match {
req.body.prepareLegacy(AccessTokenRequest.BasicAuth from req) match {
case Validated.Valid(prepared) =>
env.oAuth.authorizationApi.consume(prepared) flatMap {
case Validated.Valid(granted) =>

33
modules/oauth/src/main/AccessTokenRequest.scala
View File

@ -1,6 +1,11 @@
package lila.oauth
import cats.data.Validated
import play.api.http.HeaderNames
import play.api.mvc.RequestHeader
import lila.common.String.base64
import lila.user.User
object AccessTokenRequest {
@ -23,24 +28,27 @@ object AccessTokenRequest {
.andThen(Protocol.CodeVerifier.from)
clientId <- clientId.map(ClientId.apply).toValid(Error.ClientIdRequired)
redirectUri <- redirectUri.map(UncheckedRedirectUri.apply).toValid(Error.RedirectUriRequired)
} yield Prepared(grantType, code, codeVerifier.some, clientId.some, redirectUri.some, None)
} yield Prepared(grantType, code, codeVerifier.some, clientId, redirectUri, None)
def prepareLegacy: Validated[Error, Prepared] =
def prepareLegacy(auth: Option[BasicAuth]): Validated[Error, Prepared] =
for {
grantType <- grantType.toValid(Error.GrantTypeRequired).andThen(GrantType.from)
code <- code.map(AuthorizationCode.apply).toValid(Error.CodeRequired)
clientId <- clientId.map(ClientId.apply).orElse(auth.map(_.clientId)).toValid(Error.ClientIdRequired)
clientSecret <- clientSecret
.map(LegacyClientApi.ClientSecret)
.orElse(auth.map(_.clientSecret))
.toValid(LegacyClientApi.ClientSecretRequired)
} yield Prepared(grantType, code, None, clientId.map(ClientId.apply), None, clientSecret.some)
redirectUri <- redirectUri.map(UncheckedRedirectUri.apply).toValid(Error.RedirectUriRequired)
} yield Prepared(grantType, code, None, clientId, redirectUri, clientSecret.some)
}
case class Prepared(
grantType: GrantType,
code: AuthorizationCode,
codeVerifier: Option[CodeVerifier],
clientId: Option[ClientId],
redirectUri: Option[UncheckedRedirectUri],
clientId: ClientId,
redirectUri: UncheckedRedirectUri,
clientSecret: Option[LegacyClientApi.ClientSecret]
)
@ -49,4 +57,19 @@ object AccessTokenRequest {
scopes: List[OAuthScope],
redirectUri: RedirectUri
)
case class BasicAuth(clientId: ClientId, clientSecret: LegacyClientApi.ClientSecret)
object BasicAuth {
def from(req: RequestHeader): Option[BasicAuth] =
req.headers.get(HeaderNames.AUTHORIZATION).flatMap { authorization =>
val prefix = "Basic "
authorization.startsWith(prefix) option authorization.stripPrefix(prefix)
} flatMap base64.decode flatMap {
_.split(":", 2) match {
case Array(clientId, clientSecret) =>
Some(BasicAuth(ClientId(clientId), LegacyClientApi.ClientSecret(clientSecret)))
case _ => None
}
}
}
}

6
modules/oauth/src/main/AuthorizationApi.scala
View File

@ -33,10 +33,8 @@ final class AuthorizationApi(val coll: Coll)(implicit ec: scala.concurrent.Execu
.result[PendingAuthorization]
.toValid(Protocol.Error.AuthorizationCodeInvalid)
.ensure(Protocol.Error.AuthorizationCodeExpired)(_.expires.isAfter(DateTime.now()))
.ensure(Protocol.Error.MismatchingRedirectUri)(p =>
request.redirectUri.forall(p.redirectUri.matches)
)
.ensure(Protocol.Error.MismatchingClient)(p => request.clientId.forall(_ == p.clientId))
.ensure(Protocol.Error.MismatchingRedirectUri)(_.redirectUri.matches(request.redirectUri))
.ensure(Protocol.Error.MismatchingClient)(_.clientId == request.clientId)
_ <- pending.challenge match {
case Left(hashedClientSecret) =>
request.clientSecret