Prevent open redirects from being possible

This commit is contained in:
Tracker-Friendly 2024-05-16 19:07:54 +01:00
parent 007941feda
commit 650bd4fad9
2 changed files with 44 additions and 34 deletions

66
main.go
View File

@ -801,6 +801,42 @@ func main() {
redirect_uri := c.Request.URL.Query().Get("redirect_uri")
state := c.Request.URL.Query().Get("state")
nonce := c.Request.URL.Query().Get("nonce")
deny := c.Request.URL.Query().Get("deny")
conn := get_db_connection()
var appidcheck, rdiruricheck string
if !(rdiruricheck == redirect_uri) {
c.String(401, "Redirect URI does not match")
return
}
if deny == "true" {
c.Redirect(302, redirect_uri+"?error=access_denied&state="+state)
return
}
err := conn.QueryRow("SELECT appId, rdiruri FROM oauth WHERE appId = ? LIMIT 1", appId).Scan(&appidcheck, &rdiruricheck)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
fmt.Println(appId)
c.String(401, "OAuth screening failed")
} else {
log.Println("[ERROR] Unknown in /api/auth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
}
return
}
if !(appidcheck == appId) {
fmt.Println(appidcheck, appId)
c.String(401, "OAuth screening failed")
return
}
if nonce == "none" {
nonce = genSalt(512)
}
userid, norows := get_user_from_session(secretKey)
@ -816,36 +852,6 @@ func main() {
return
}
conn := get_db_connection()
var appidcheck, rdiruricheck string
err := conn.QueryRow("SELECT appId, rdiruri FROM oauth WHERE appId = ? LIMIT 1", appId).Scan(&appidcheck, &rdiruricheck)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
fmt.Println(appId)
c.String(401, "OAuth screening failed")
} else {
log.Println("[ERROR] Unknown in /api/auth at", strconv.FormatInt(time.Now().Unix(), 10)+":", err)
}
return
}
if !(rdiruricheck == redirect_uri) {
c.String(401, "Redirect URI does not match")
return
}
if !(appidcheck == appId) {
fmt.Println(appidcheck, appId)
c.String(401, "OAuth screening failed")
return
}
if nonce == "none" {
nonce = genSalt(512)
}
datatemplate := jwt.MapClaims{
"sub": uniqueid[:255],
"iss": "https://auth.hectabit.org",

View File

@ -56,11 +56,15 @@
expires = new Date(expireTime).toUTCString();
});
function deny() {
document.cookie = "key=" + secret_key + "; expires=" + expires + "; path=/; SameSite=Strict";
// Redirect to the redirect_uri so that an open redirect is not possible
window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce + "&deny=true");
}
function oauth() {
document.cookie = "key=" + secret_key + "; expires=" + expires + "; path=/; SameSite=Strict";
// Send data to example.org using POST request
window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce);
window.location.replace("/api/auth?client_id=" + client_id + "&redirect_uri=" + redirect_uri + "&code_challenge_method=" + codemethod + "&code_challenge=" + code + "&state=" + state + "&nonce=" + nonce + "&deny=false");
}
</script>
</head>
@ -76,7 +80,7 @@
<br>
<div style="display: flex;justify-content: center;">
<button onclick="oauth();" style="width: 100%;margin: 0 3px 0 0;">Allow</button>
<button onclick="window.location.replace('https://www.hectabit.org');" style="width: 100%;margin: 0 0 0 3px;">Deny</button>
<button onclick="deny();" style="width: 100%;margin: 0 0 0 3px;">Deny</button>
</div>
</div>
</body>