Forbid URIs with fragments

2022-01-19 22:28:38 +00:00 · 2022-01-19 22:28:38 +00:00 · 452bd2d9fb
commit 452bd2d9fb
parent 5c0b748373
3 changed files with 23 additions and 3 deletions
--- a/src/axum_lib.rs
+++ b/src/axum_lib.rs
@ -47,6 +47,9 @@ impl IntoResponse for CustomError {
            CustomError::BadRequest(_) => {
                (StatusCode::BAD_REQUEST, self.to_string()).into_response()
            }
+            CustomError::BadRequestRegister(e) => {
+                (StatusCode::BAD_REQUEST, Json::from(e)).into_response()
+            }
            CustomError::BadRequestToken(e) => {
                (StatusCode::BAD_REQUEST, Json::from(e)).into_response()
            }
--- a/src/oidc.rs
+++ b/src/oidc.rs
@ -8,9 +8,9 @@ use openidconnect::{
        CoreAuthErrorResponseType, CoreAuthPrompt, CoreClaimName, CoreClientAuthMethod,
        CoreClientMetadata, CoreClientRegistrationResponse, CoreErrorResponseType, CoreGrantType,
        CoreIdToken, CoreIdTokenClaims, CoreIdTokenFields, CoreJsonWebKeySet,
-        CoreJwsSigningAlgorithm, CoreProviderMetadata, CoreResponseType, CoreRsaPrivateSigningKey,
-        CoreSubjectIdentifierType, CoreTokenResponse, CoreTokenType, CoreUserInfoClaims,
-        CoreUserInfoJsonWebToken,
+        CoreJwsSigningAlgorithm, CoreProviderMetadata, CoreRegisterErrorResponseType,
+        CoreResponseType, CoreRsaPrivateSigningKey, CoreSubjectIdentifierType, CoreTokenResponse,
+        CoreTokenType, CoreUserInfoClaims, CoreUserInfoJsonWebToken,
    },
    registration::{EmptyAdditionalClientMetadata, EmptyAdditionalClientRegistrationResponse},
    url::Url,
@ -60,6 +60,8 @@ pub enum CustomError {
    #[error("{0}")]
    BadRequest(String),
    #[error("{0:?}")]
+    BadRequestRegister(RegisterError),
+    #[error("{0:?}")]
    BadRequestToken(TokenError),
    #[error("{0}")]
    Unauthorized(String),
@ -479,6 +481,11 @@ pub async fn sign_in(
    Ok(url)
 }

+#[derive(Debug, Serialize)]
+pub struct RegisterError {
+    error: CoreRegisterErrorResponseType,
+}
+
 pub async fn register(
    payload: CoreClientMetadata,
    db_client: &DBClientType,
@ -487,6 +494,13 @@ pub async fn register(
    let secret = Uuid::new_v4();

    let redirect_uris = payload.redirect_uris().to_vec();
+    for uri in redirect_uris.iter() {
+        if uri.url().fragment().is_some() {
+            return Err(CustomError::BadRequestRegister(RegisterError {
+                error: CoreRegisterErrorResponseType::InvalidRedirectUri,
+            }));
+        }
+    }

    let entry = ClientEntry {
        secret: secret.to_string(),
--- a/src/worker_lib.rs
+++ b/src/worker_lib.rs
@ -22,6 +22,9 @@ impl From<CustomError> for Result<Response> {
    fn from(error: CustomError) -> Self {
        match error {
            CustomError::BadRequest(_) => Response::error(&error.to_string(), 400),
+            CustomError::BadRequestRegister(e) => {
+                Response::from_json(&e).map(|r| r.with_status(400))
+            }
            CustomError::BadRequestToken(e) => Response::from_json(&e).map(|r| r.with_status(400)),
            CustomError::Unauthorized(_) => Response::error(&error.to_string(), 401),
            CustomError::Redirect(uri) => Response::redirect(uri.parse().unwrap()),