diff --git a/app/controllers/oidc_controller.rb b/app/controllers/oidc_controller.rb
index 340afd3..3ed9393 100644
--- a/app/controllers/oidc_controller.rb
+++ b/app/controllers/oidc_controller.rb
@@ -257,7 +257,12 @@ class OidcController < ApplicationController
 end
 # Validate PKCE if code challenge is present
- unless validate_pkce(auth_code, code_verifier)
+ pkce_result = validate_pkce(auth_code, code_verifier)
+ unless pkce_result[:valid]
+ render json: {
+ error: pkce_result[:error],
+ error_description: pkce_result[:error_description]
+ }, status: pkce_result[:status]
 return
 end
@@ -376,24 +381,26 @@ class OidcController < ApplicationController
 def validate_pkce(auth_code, code_verifier)
 # Skip PKCE validation if no code challenge was stored (legacy clients)
- return true unless auth_code.code_challenge.present?
+ return { valid: true } unless auth_code.code_challenge.present?
 # PKCE is required but no verifier provided
 unless code_verifier.present?
- render json: {
+ return {
+ valid: false,
 error: "invalid_request",
- error_description: "code_verifier is required when code_challenge was provided"
- }, status: :bad_request
- return false
+ error_description: "code_verifier is required when code_challenge was provided",
+ status: :bad_request
+ }
 end
 # Validate code verifier format (base64url-encoded, 43-128 characters)
 unless code_verifier.match?(/\A[A-Za-z0-9\-_]{43,128}\z/)
- render json: {
+ return {
+ valid: false,
 error: "invalid_request",
- error_description: "Invalid code_verifier format. Must be 43-128 characters of base64url encoding"
- }, status: :bad_request
- return false
+ error_description: "Invalid code_verifier format. Must be 43-128 characters of base64url encoding",
+ status: :bad_request
+ }
 end
 # Recreate code challenge based on method 
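Review bot: The four-line `render json: { ... }` block in the token path only copies two keys out of `pkce_result` by hand; `render json: pkce_result.slice(:error, :error_description), status: pkce_result[:status]` says the same in one line and cannot drift from the hash that `validate_pkce` builds. The surrounding `unless ... return end` could likewise collapse to `return render(...)`, though that is taste. The enclosing action starts and ends outside this hunk.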
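Review bot: `validate_pkce` now returns a result hash instead of rendering, but nothing documents the new contract, and its two shapes (`{ valid: true }` versus `{ valid: false, error:, error_description:, status: }`) are only discoverable by reading every branch; I would add a YARD block above `def validate_pkce` with `# @return [Hash] { valid: true } when PKCE passes or is not required; otherwise { valid: false, error:, error_description:, status: }, ready for the token endpoint to render`. While here, the unchanged format check `/\A[A-Za-z0-9\-_]{43,128}\z/` is stricter than the RFC 7636 unreserved set, which also allows `.` and `~`, so conforming clients that use those characters are turned away with `invalid_request`; `/\A[A-Za-z0-9\-._~]{43,128}\z/` would match the spec. The same return shape is used by the `@@ -405` hunk below. `validate_pkce` continues past the end of this hunk.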
@@ -405,23 +412,25 @@ class OidcController < ApplicationController
 .tr("+/", "-_")
 .tr("=", "")
 else
- render json: {
+ return {
+ valid: false,
 error: "server_error",
- error_description: "Unsupported code challenge method"
- }, status: :internal_server_error
- return false
+ error_description: "Unsupported code challenge method",
+ status: :internal_server_error
+ }
 end
 # Validate the code challenge
 unless auth_code.code_challenge == expected_challenge
- render json: {
+ return {
+ valid: false,
 error: "invalid_grant",
- error_description: "Invalid code verifier"
- }, status: :bad_request
- return false
+ error_description: "Invalid code verifier",
+ status: :bad_request
+ }
 end
- true
+ { valid: true }
 end
 def extract_client_credentials
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 87ad2f6..12c82c4 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -19,4 +19,14 @@ module ApplicationHelper
 :smtp
 end
 end
+
+ def border_class_for(type)
+ case type.to_s
+ when 'notice' then 'border-green-200'
+ when 'alert', 'error' then 'border-red-200'
+ when 'warning' then 'border-yellow-200'
+ when 'info' then 'border-blue-200'
+ else 'border-gray-200'
+ end
+ end
 end
diff --git a/app/views/shared/_flash.html.erb b/app/views/shared/_flash.html.erb
index 3efdd34..7ef4da8 100644
--- a/app/views/shared/_flash.html.erb
+++ b/app/views/shared/_flash.html.erb
@@ -71,16 +71,3 @@
 <% end %>
-
-<%# Helper method for border colors %>
-<%
-def border_class_for(type)
- case type.to_s
- when 'notice' then 'border-green-200'
- when 'alert', 'error' then 'border-red-200'
- when 'warning' then 'border-yellow-200'
- when 'info' then 'border-blue-200'
- else 'border-gray-200'
- end
-end
-%>
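Review bot: The challenge check `unless auth_code.code_challenge == expected_challenge`, whose failure branch this hunk rewrites, still compares with `==`, which stops at the first differing byte; for a verifier-derived value the usual form in a Rails controller is `unless ActiveSupport::SecurityUtils.secure_compare(auth_code.code_challenge.to_s, expected_challenge.to_s)` (assuming ActiveSupport is loaded, as `ApplicationController` suggests). The practical timing exposure is presumably small because `expected_challenge` appears to be a transformed digest of the verifier (the digest step sits above the hunk), but the constant-time form costs nothing. `validate_pkce` begins before this hunk.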
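Review bot: `border_class_for` moves out of the partial (where a `def` inside the ERB re-ran the definition on every render) but arrives in a module shared by every view with no comment on its contract; I would add above it `# Tailwind border class for a flash message type (symbol or string); unknown or nil types fall back to 'border-gray-200'.` A frozen lookup hash read with `fetch(type.to_s, 'border-gray-200')` would also make the mapping read as the table it is, but the `case` form is acceptable.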