Prevent open redirects from being possible

main.go

@@ -801,6 +801,42 @@ func main() {
 		redirect_uri := c.Request.URL.Query().Get("redirect_uri")
 		state := c.Request.URL.Query().Get("state")
 		nonce := c.Request.URL.Query().Get("nonce")
+		deny := c.Request.URL.Query().Get("deny")
+
+		conn := get_db_connection()
+
+		var appidcheck, rdiruricheck string
+
+		if !(rdiruricheck == redirect_uri) {
+			c.String(401, "Redirect URI does not match")
+			return
+		}
+
+		if deny == "true" {
+			c.Redirect(302, redirect_uri+"?error=access_denied&state="+state)
+			return
+		}
+
+		err := conn.QueryRow("SELECT appId, rdiruri FROM oauth WHERE appId = ? LIMIT 1", appId).Scan(&appidcheck, &rdiruricheck)
+		if err != nil {
+			if errors.Is(err, sql.ErrNoRows) {
+				fmt.Println(appId)
+				c.String(401, "OAuth screening failed")
+			} else {
+				log.Println("[ERROR] Unknown in /api/auth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
+			}
+			return
+		}
+
+		if !(appidcheck == appId) {
+			fmt.Println(appidcheck, appId)
+			c.String(401, "OAuth screening failed")
+			return
+		}
+
+		if nonce == "none" {
+			nonce = genSalt(512)
+		}
 
 		userid, norows := get_user_from_session(secretKey)
 
@@ -816,36 +852,6 @@ func main() {
 			return
 		}
 
-		conn := get_db_connection()
-
-		var appidcheck, rdiruricheck string
-
-		err := conn.QueryRow("SELECT appId, rdiruri FROM oauth WHERE appId = ? LIMIT 1", appId).Scan(&appidcheck, &rdiruricheck)
-		if err != nil {
-			if errors.Is(err, sql.ErrNoRows) {
-				fmt.Println(appId)
-				c.String(401, "OAuth screening failed")
-			} else {
-				log.Println("[ERROR] Unknown in /api/auth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
-			}
-			return
-		}
-
-		if !(rdiruricheck == redirect_uri) {
-			c.String(401, "Redirect URI does not match")
-			return
-		}
-
-		if !(appidcheck == appId) {
-			fmt.Println(appidcheck, appId)
-			c.String(401, "OAuth screening failed")
-			return
-		}
-
-		if nonce == "none" {
-			nonce = genSalt(512)
-		}
-
 		datatemplate := jwt.MapClaims{
 			"sub":       uniqueid[:255],
 			"iss":       "https://auth.hectabit.org",

templates/main.html

@@ -56,11 +56,15 @@
             expires = new Date(expireTime).toUTCString();
         });
 
+        function deny() {
+            document.cookie = "key=" + secret_key + "; expires=" + expires + "; path=/; SameSite=Strict";
+            // Redirect to the redirect_uri so that an open redirect is not possible
+            window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce + "&deny=true");
+        }
+
         function oauth() {
             document.cookie = "key=" + secret_key + "; expires=" + expires + "; path=/; SameSite=Strict";
-
+            window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce + "&deny=false");
-            // Send data to example.org using POST request
-            window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce);
         }
     </script>
 </head>
@@ -76,7 +80,7 @@
         <br>
         <div style="display: flex;justify-content: center;">
             <button onclick="oauth();" style="width: 100%;margin: 0 3px 0 0;">Allow</button>
-            <button onclick="window.location.replace('https://www.hectabit.org');" style="width: 100%;margin: 0 0 0 3px;">Deny</button>
+            <button onclick="deny();" style="width: 100%;margin: 0 0 0 3px;">Deny</button>
         </div>
     </div>
 </body>