commit 5577a922e3e699e3e74063f81388bd3e2a123009
parent 59024d4b5d6b7272edc49e0f7636df8213b2af17
Author: Martin Schanzenbach <schanzen@gnunet.org>
Date: Tue, 23 Dec 2025 22:57:55 +0900
improve/fix state handling
Diffstat:
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/pkg/taldir/oidc_validator.go b/pkg/taldir/oidc_validator.go
@@ -57,9 +57,6 @@ type OidcValidator struct {
// Client secret
clientSecret string
- // Shared (ID) token secret (HMAC signatures)
- sharedTokenSecret string
-
// Scope(s)
scope string
@@ -129,7 +126,7 @@ func (t OidcValidator) IsAliasValid(alias string) (err error) {
func (t OidcValidator) ValidateAliasSubject(tokenString string, expectedAlias string) error {
- var relevantClaims map[string]interface{}
+ var relevantClaims map[string]any
req, err := http.NewRequest("GET", t.userinfoEndpoint, nil)
if err != nil {
return fmt.Errorf("failed to create userinfo request")
@@ -156,14 +153,17 @@ func (t OidcValidator) ValidateAliasSubject(tokenString string, expectedAlias st
func (t OidcValidator) ProcessOidcCallback(r *http.Request) (string, string, error) {
// Process authorization code
- state := r.URL.Query().Get("state")
- if state == "" {
+ stateParam := r.URL.Query().Get("state")
+ if stateParam == "" {
return "", "", fmt.Errorf("no state query parameter provided")
}
- if t.authorizationsState[state] == nil {
+ state, ok := t.authorizationsState[stateParam]
+ if !ok {
return "", "", fmt.Errorf("state invalid")
}
- // TODO process authorization code
+ alias := state.alias
+ challenge := state.challenge
+ delete(t.authorizationsState, stateParam)
code := r.URL.Query().Get("code")
data := url.Values{}
data.Set("client_id", t.clientID)
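Review bot: The `delete(t.authorizationsState, stateParam)` added after the lookup writes to a map that is presumably shared by every concurrent callback request (the receiver is a value copy, but the map inside it is shared), and no lock is visible in the hunk; unless a mutex guards `authorizationsState` elsewhere, two callbacks arriving together will race on the map and the Go runtime can abort the process with a concurrent-map-write fault. Consuming the entry on first use is the right direction because it makes each state value single-use, so the fix is to take the lock around the lookup-and-delete pair rather than to drop the delete. The `code` value read on the following line is still not checked before it is sent to the token endpoint; a guard such as `if code == "" { return "", "", fmt.Errorf("no code query parameter provided") }` would fail fast with a clear error instead of an opaque token-endpoint rejection. ProcessOidcCallback's body continues outside the hunk.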
@@ -190,11 +190,11 @@ func (t OidcValidator) ProcessOidcCallback(r *http.Request) (string, string, err
if err != nil {
return "", "", fmt.Errorf("unable to parse token response: %v", err)
}
- err = t.ValidateAliasSubject(tokenResponse.AccessToken, t.authorizationsState[state].alias)
+ err = t.ValidateAliasSubject(tokenResponse.AccessToken, alias)
if err != nil {
return "", "", fmt.Errorf("unable to validate token: %v", err)
}
- return t.authorizationsState[state].alias, t.authorizationsState[state].challenge, nil
+ return alias, challenge, nil
}
func (t OidcValidator) RegistrationStart(topic string, link string, message string, alias string, challenge string) (string, error) {
@@ -218,7 +218,6 @@ func makeOidcValidator(cfg *TaldirConfig, name string, landingPageTpl *template.
clientSecret: sec.Key("client_secret").MustString(""),
scope: sec.Key("scope").MustString("profile"),
tokenEndpoint: sec.Key("token_endpoint").MustString(""),
- sharedTokenSecret: sec.Key("shared_token_secret").MustString("secret"),
userinfoEndpoint: sec.Key("userinfo_endpoint").MustString(""),
authorizationEndpoint: sec.Key("authorization_endpoint").MustString(""),
validAliasRegex: sec.Key("valid_alias_regex").MustString(""),