dkam/clinch
1
0
Fork 0
Code Issues 2 Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Improvements derived from rodauth-oauth

Browse Source
This commit is contained in:
Dan Milne
2025-11-12 22:17:55 +11:00
parent 67f28faaca
commit 1ee3302319
3 changed files with 107 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
app/controllers/oidc_controller.rb
View File

@@ -58,13 +58,13 @@ class OidcController < ApplicationController
# Validate PKCE parameters if present # Validate PKCE parameters if present
if code_challenge.present? if code_challenge.present?
unless %w[plain S256].include?(code_challenge_method) unless %w[plain S256].include?(code_challenge_method)
render plain: "Invalid request", status: :bad_request render plain: "Invalid code_challenge_method: must be 'plain' or 'S256'", status: :bad_request
return return
end end
# Validate code challenge format (base64url-encoded, 43-128 characters) # Validate code challenge format (base64url-encoded, 43-128 characters)
unless code_challenge.match?(/\A[A-Za-z0-9\-_]{43,128}\z/) unless code_challenge.match?(/\A[A-Za-z0-9\-_]{43,128}\z/)
render plain: "Invalid request", status: :bad_request render plain: "Invalid code_challenge format: must be 43-128 characters of base64url encoding", status: :bad_request
return return
end end
end end
@@ -170,9 +170,21 @@ class OidcController < ApplicationController
# Add the redirect URI to CSP form-action for this specific request # Add the redirect URI to CSP form-action for this specific request
# This allows the OAuth redirect to work while maintaining security # This allows the OAuth redirect to work while maintaining security
# CSP must allow the OAuth client's redirect_uri as a form submission target
if redirect_uri.present? if redirect_uri.present?
begin
redirect_host = URI.parse(redirect_uri).host redirect_host = URI.parse(redirect_uri).host
request.content_security_policy.form_action << "https://#{redirect_host}" if redirect_host csp = request.content_security_policy
if csp && redirect_host
# Only modify if form_action is available and mutable
if csp.respond_to?(:form_action) && csp.form_action.respond_to?(:<<)
csp.form_action << "https://#{redirect_host}"
end
end
rescue => e
# Log CSP modification errors but don't fail the request
Rails.logger.warn "OAuth: Could not modify CSP for redirect_uri #{redirect_uri}: #{e.message}"
end
end end
render :consent render :consent
@@ -268,8 +280,7 @@ class OidcController < ApplicationController
auth_code = OidcAuthorizationCode.find_by( auth_code = OidcAuthorizationCode.find_by(
application: application, application: application,
code: code, code: code
used: false
) )
unless auth_code unless auth_code
@@ -277,6 +288,31 @@ class OidcController < ApplicationController
return return
end end
# Use a transaction with pessimistic locking to prevent code reuse
begin
OidcAuthorizationCode.transaction do
# Lock the record to prevent concurrent access
auth_code.lock!
# Check if code has already been used (CRITICAL: check AFTER locking)
if auth_code.used?
# Per OAuth 2.0 spec, if an auth code is reused, revoke all tokens issued from it
Rails.logger.warn "OAuth Security: Authorization code reuse detected for code #{auth_code.id}"
# Revoke all access tokens issued from this authorization code
OidcAccessToken.where(
application: application,
user: auth_code.user,
created_at: auth_code.created_at..Time.current
).update_all(expires_at: Time.current)
render json: {
error: "invalid_grant",
error_description: "Authorization code has already been used"
}, status: :bad_request
return
end
# Check if code is expired # Check if code is expired
if auth_code.expires_at < Time.current if auth_code.expires_at < Time.current
render json: { error: "invalid_grant", error_description: "Authorization code expired" }, status: :bad_request render json: { error: "invalid_grant", error_description: "Authorization code expired" }, status: :bad_request
@@ -299,7 +335,7 @@ class OidcController < ApplicationController
return return
end end
# Mark code as used # Mark code as used BEFORE generating tokens (prevents reuse)
auth_code.update!(used: true) auth_code.update!(used: true)
# Get the user # Get the user
@@ -327,6 +363,10 @@ class OidcController < ApplicationController
scope: auth_code.scope scope: auth_code.scope
} }
end end
rescue ActiveRecord::RecordNotFound
render json: { error: "invalid_grant" }, status: :bad_request
end
end
# GET /oauth/userinfo # GET /oauth/userinfo
def userinfo def userinfo

4
app/services/oidc_jwt_service.rb
View File

@@ -63,7 +63,9 @@ class OidcJwtService
def issuer_url def issuer_url
# In production, this should come from ENV or config # In production, this should come from ENV or config
# For now, we'll use a placeholder that can be overridden # For now, we'll use a placeholder that can be overridden
"https://#{ENV.fetch("CLINCH_HOST", "localhost:3000")}" host = ENV.fetch("CLINCH_HOST", "localhost:3000")
# Ensure URL has https:// protocol
host.match?(/^https?:\/\//) ? host : "https://#{host}"
end end
private private

18
test/controllers/oidc_pkce_controller_test.rb
View File

@@ -11,13 +11,14 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
active: true active: true
) )
# Sign in the user by creating a session directly # Sign in the user using the test helper
@session = Session.create!(user: @user) sign_in_as(@user)
cookies[:session_id] = @session.id
end end
def teardown def teardown
Current.session&.destroy
OidcAuthorizationCode.where(application: @application).destroy_all OidcAuthorizationCode.where(application: @application).destroy_all
OidcAccessToken.where(application: @application).destroy_all
@user.destroy @user.destroy
@application.destroy @application.destroy
end end
@@ -50,9 +51,9 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
get "/oauth/authorize", params: auth_params get "/oauth/authorize", params: auth_params
# Should redirect to consent page (user is already authenticated) # Should show consent page (user is already authenticated)
assert_response :success assert_response :success
assert_template "consent" assert_match /consent/, @response.body.downcase
end end
test "authorization endpoint accepts PKCE parameters (plain)" do test "authorization endpoint accepts PKCE parameters (plain)" do
@@ -71,9 +72,9 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
get "/oauth/authorize", params: auth_params get "/oauth/authorize", params: auth_params
# Should redirect to consent page (user is already authenticated) # Should show consent page (user is already authenticated)
assert_response :success assert_response :success
assert_template "consent" assert_match /consent/, @response.body.downcase
end end
test "authorization endpoint rejects invalid code_challenge_method" do test "authorization endpoint rejects invalid code_challenge_method" do
@@ -184,7 +185,8 @@ class OidcPkceControllerTest < ActionDispatch::IntegrationTest
grant_type: "authorization_code", grant_type: "authorization_code",
code: auth_code.code, code: auth_code.code,
redirect_uri: "http://localhost:4000/callback", redirect_uri: "http://localhost:4000/callback",
code_verifier: "invalid_verifier" # Use a properly formatted but wrong verifier (43+ chars, base64url)
code_verifier: "wrongverifier_with_enough_characters_base64url"
} }
post "/oauth/token", params: token_params, headers: { post "/oauth/token", params: token_params, headers: {