summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSebastian <sebasjm@gmail.com>2023-01-13 12:15:45 -0300
committerSebastian <sebasjm@gmail.com>2023-01-13 12:16:44 -0300
commitf8ddd0b685ad464f23009412584edfe4f3c5deea (patch)
treedd005be483b98d18e400df9cac499a055eda43d0
parent4374b1868e2f1c74014c976d2d98d0c58b3ac561 (diff)
downloadexchange-f8ddd0b685ad464f23009412584edfe4f3c5deea.tar.gz
exchange-f8ddd0b685ad464f23009412584edfe4f3c5deea.tar.bz2
exchange-f8ddd0b685ad464f23009412584edfe4f3c5deea.zip
fix kyc-proof handle
1.- redirect_uri has an extra slash 2.- response_type=code is required https://www.rfc-editor.org/rfc/rfc6749#section-3.1.1 3.- add more info to "Unexpected response from KYC gateway" 4.- relax the requirements on the login response, marked as optional 5.- redirect_uri should be the same when exchanging the code for the access_token, 6.- remove legi and payto from kyc-proof path 7.- use state to transport h_payto https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
Diffstat
-rw-r--r--src/exchange/taler-exchange-httpd_kyc-proof.c32
-rw-r--r--src/kyclogic/plugin_kyclogic_oauth2.c87
2 files changed, 70 insertions, 49 deletions
diff --git a/src/exchange/taler-exchange-httpd_kyc-proof.c b/src/exchange/taler-exchange-httpd_kyc-proof.c
index 5d89c4203..e550d28e2 100644
--- a/src/exchange/taler-exchange-httpd_kyc-proof.c
+++ b/src/exchange/taler-exchange-httpd_kyc-proof.c
@@ -259,27 +259,39 @@ TEH_handler_kyc_proof (
const char *const args[3])
{
struct KycProofContext *kpc = rc->rh_ctx;
-
+ const char *h_payto;
if (NULL == kpc)
{
/* first time */
- if ( (NULL == args[0]) ||
- (NULL == args[1]) )
+ if ( (NULL == args[0]))
{
GNUNET_break_op (0);
return TALER_MHD_reply_with_error (rc->connection,
MHD_HTTP_NOT_FOUND,
TALER_EC_GENERIC_ENDPOINT_UNKNOWN,
- "'/kyc-proof/$H_PATYO/$LOGIC' required");
+ "'/kyc-proof/$LOGIC?state=$H_PAYTO' required");
+ }
+
+ h_payto = MHD_lookup_connection_value (rc->connection,
+ MHD_GET_ARGUMENT_KIND,
+ "state");
+ if ( (NULL == h_payto) )
+ {
+ GNUNET_break_op (0);
+ return TALER_MHD_reply_with_error (rc->connection,
+ MHD_HTTP_BAD_REQUEST,
+ TALER_EC_GENERIC_PARAMETER_MALFORMED,
+ "h_payto");
}
+
kpc = GNUNET_new (struct KycProofContext);
kpc->rc = rc;
rc->rh_ctx = kpc;
rc->rh_cleaner = &clean_kpc;
if (GNUNET_OK !=
- GNUNET_STRINGS_string_to_data (args[0],
- strlen (args[0]),
+ GNUNET_STRINGS_string_to_data (h_payto,
+ strlen (h_payto),
&kpc->h_payto,
sizeof (kpc->h_payto)))
{
@@ -290,7 +302,7 @@ TEH_handler_kyc_proof (
"h_payto");
}
if (GNUNET_OK !=
- TALER_KYCLOGIC_lookup_logic (args[1],
+ TALER_KYCLOGIC_lookup_logic (args[0],
&kpc->logic,
&kpc->pd,
&kpc->provider_section))
@@ -299,14 +311,14 @@ TEH_handler_kyc_proof (
return TALER_MHD_reply_with_error (rc->connection,
MHD_HTTP_NOT_FOUND,
TALER_EC_EXCHANGE_KYC_GENERIC_LOGIC_UNKNOWN,
- args[1]);
+ args[0]);
}
if (NULL != kpc->provider_section)
{
enum GNUNET_DB_QueryStatus qs;
struct GNUNET_TIME_Absolute expiration;
- if (0 != strcmp (args[1],
+ if (0 != strcmp (args[0],
kpc->provider_section))
{
GNUNET_break_op (0);
@@ -352,7 +364,7 @@ TEH_handler_kyc_proof (
}
kpc->ph = kpc->logic->proof (kpc->logic->cls,
kpc->pd,
- &args[2],
+ &args[1],
rc->connection,
&kpc->h_payto,
kpc->process_row,
diff --git a/src/kyclogic/plugin_kyclogic_oauth2.c b/src/kyclogic/plugin_kyclogic_oauth2.c
index 91c936bbc..e97ca830d 100644
--- a/src/kyclogic/plugin_kyclogic_oauth2.c
+++ b/src/kyclogic/plugin_kyclogic_oauth2.c
@@ -474,18 +474,17 @@ initiate_task (void *cls)
hps = GNUNET_STRINGS_data_to_string_alloc (&ih->h_payto,
sizeof (ih->h_payto));
GNUNET_asprintf (&redirect_uri,
- "%s/kyc-proof/%s/%s/%s",
+ "%skyc-proof/%s",
ps->exchange_base_url,
- hps,
- pd->section,
- legi_s);
+ pd->section);
redirect_uri_encoded = TALER_urlencode (redirect_uri);
GNUNET_free (redirect_uri);
GNUNET_asprintf (&url,
- "%s?client_id=%s&redirect_uri=%s",
+ "%s?response_type=code&client_id=%s&redirect_uri=%s&state=%s",
pd->login_url,
pd->client_id,
- redirect_uri_encoded);
+ redirect_uri_encoded,
+ hps);
GNUNET_free (redirect_uri_encoded);
ih->cb (ih->cb_cls,
TALER_EC_NONE,
@@ -610,8 +609,8 @@ handle_proof_error (struct TALER_KYCLOGIC_ProofHandle *ph,
ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED;
ph->response
= TALER_MHD_make_error (
- TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
- "Unexpected response from KYC gateway");
+ TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
+ "Unexpected response from KYC gateway: proof error");
ph->http_status
= MHD_HTTP_BAD_GATEWAY;
return;
@@ -678,8 +677,8 @@ parse_proof_success_reply (struct TALER_KYCLOGIC_ProofHandle *ph,
ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED;
ph->response
= TALER_MHD_make_error (
- TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
- "Unexpected response from KYC gateway");
+ TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
+ "Unexpected response from KYC gateway: proof success must contain data and status");
ph->http_status
= MHD_HTTP_BAD_GATEWAY;
return;
@@ -713,8 +712,8 @@ parse_proof_success_reply (struct TALER_KYCLOGIC_ProofHandle *ph,
ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED;
ph->response
= TALER_MHD_make_error (
- TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
- "Unexpected response from KYC gateway");
+ TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
+ "Unexpected response from KYC gateway: data must contain id");
ph->http_status
= MHD_HTTP_BAD_GATEWAY;
return;
@@ -797,15 +796,23 @@ handle_curl_login_finished (void *cls,
const char *token_type;
uint64_t expires_in_s;
const char *refresh_token;
+ bool no_expires;
+ bool no_refresh;
struct GNUNET_JSON_Specification spec[] = {
GNUNET_JSON_spec_string ("access_token",
&access_token),
GNUNET_JSON_spec_string ("token_type",
&token_type),
- GNUNET_JSON_spec_uint64 ("expires_in",
- &expires_in_s),
- GNUNET_JSON_spec_string ("refresh_token",
- &refresh_token),
+ GNUNET_JSON_spec_mark_optional (
+ GNUNET_JSON_spec_uint64 ("expires_in",
+ &expires_in_s),
+ &no_expires
+ ),
+ GNUNET_JSON_spec_mark_optional (
+ GNUNET_JSON_spec_string ("refresh_token",
+ &refresh_token),
+ &no_refresh
+ ),
GNUNET_JSON_spec_end ()
};
CURL *eh;
@@ -824,8 +831,8 @@ handle_curl_login_finished (void *cls,
GNUNET_break_op (0);
ph->response
= TALER_MHD_make_error (
- TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
- "Unexpected response from KYC gateway");
+ TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
+ "Unexpected response from KYC gateway: login finished");
ph->http_status
= MHD_HTTP_BAD_GATEWAY;
break;
@@ -837,8 +844,8 @@ handle_curl_login_finished (void *cls,
GNUNET_break_op (0);
ph->response
= TALER_MHD_make_error (
- TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
- "Unexpected token type in response from KYC gateway");
+ TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
+ "Unexpected token type in response from KYC gateway");
ph->http_status
= MHD_HTTP_BAD_GATEWAY;
break;
@@ -858,8 +865,8 @@ handle_curl_login_finished (void *cls,
GNUNET_break_op (0);
ph->response
= TALER_MHD_make_error (
- TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
- "Illegal character in access token");
+ TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
+ "Illegal character in access token");
ph->http_status
= MHD_HTTP_BAD_GATEWAY;
break;
@@ -871,8 +878,8 @@ handle_curl_login_finished (void *cls,
GNUNET_break_op (0);
ph->response
= TALER_MHD_make_error (
- TALER_EC_GENERIC_ALLOCATION_FAILURE,
- "curl_easy_init");
+ TALER_EC_GENERIC_ALLOCATION_FAILURE,
+ "curl_easy_init");
ph->http_status
= MHD_HTTP_INTERNAL_SERVER_ERROR;
break;
@@ -1008,23 +1015,24 @@ oauth2_proof (void *cls,
char *client_secret;
char *authorization_code;
+ char *redirect_uri_encoded;
+ char *hps;
+
+ hps = GNUNET_STRINGS_data_to_string_alloc (&ph->h_payto,
+ sizeof (ph->h_payto));
+
+ GNUNET_asprintf (&redirect_uri,
+ "%skyc-proof/%s",
+ ps->exchange_base_url,
+ pd->section);
+ redirect_uri_encoded = TALER_urlencode (redirect_uri);
+ GNUNET_free (redirect_uri);
+ GNUNET_assert (NULL != redirect_uri_encoded);
+
client_id = curl_easy_escape (ph->eh,
pd->client_id,
0);
GNUNET_assert (NULL != client_id);
- {
- char *request_uri;
-
- GNUNET_asprintf (&request_uri,
- "%s?client_id=%s",
- pd->login_url,
- pd->client_id);
- redirect_uri = curl_easy_escape (ph->eh,
- request_uri,
- 0);
- GNUNET_free (request_uri);
- }
- GNUNET_assert (NULL != redirect_uri);
client_secret = curl_easy_escape (ph->eh,
pd->client_secret,
0);
@@ -1036,12 +1044,13 @@ oauth2_proof (void *cls,
GNUNET_asprintf (&ph->post_body,
"client_id=%s&redirect_uri=%s&client_secret=%s&code=%s&grant_type=authorization_code",
client_id,
- redirect_uri,
+ redirect_uri_encoded,
client_secret,
authorization_code);
curl_free (authorization_code);
curl_free (client_secret);
- curl_free (redirect_uri);
+ curl_free (redirect_uri_encoded);
+ curl_free (hps);
curl_free (client_id);
}
GNUNET_assert (CURLE_OK ==
generated by cgit v1.2.3 (git 2.39.1) at 2024-05-11 09:45:23 +0000