Forbid URIs with fragments

This commit is contained in:
Simon Bihel 2022-01-19 22:28:38 +00:00
parent 5c0b748373
commit 452bd2d9fb
No known key found for this signature in database
GPG Key ID: B7013150BEAA28FD
3 changed files with 23 additions and 3 deletions

View File

@ -47,6 +47,9 @@ impl IntoResponse for CustomError {
CustomError::BadRequest(_) => { CustomError::BadRequest(_) => {
(StatusCode::BAD_REQUEST, self.to_string()).into_response() (StatusCode::BAD_REQUEST, self.to_string()).into_response()
} }
CustomError::BadRequestRegister(e) => {
(StatusCode::BAD_REQUEST, Json::from(e)).into_response()
}
CustomError::BadRequestToken(e) => { CustomError::BadRequestToken(e) => {
(StatusCode::BAD_REQUEST, Json::from(e)).into_response() (StatusCode::BAD_REQUEST, Json::from(e)).into_response()
} }

View File

@ -8,9 +8,9 @@ use openidconnect::{
CoreAuthErrorResponseType, CoreAuthPrompt, CoreClaimName, CoreClientAuthMethod, CoreAuthErrorResponseType, CoreAuthPrompt, CoreClaimName, CoreClientAuthMethod,
CoreClientMetadata, CoreClientRegistrationResponse, CoreErrorResponseType, CoreGrantType, CoreClientMetadata, CoreClientRegistrationResponse, CoreErrorResponseType, CoreGrantType,
CoreIdToken, CoreIdTokenClaims, CoreIdTokenFields, CoreJsonWebKeySet, CoreIdToken, CoreIdTokenClaims, CoreIdTokenFields, CoreJsonWebKeySet,
CoreJwsSigningAlgorithm, CoreProviderMetadata, CoreResponseType, CoreRsaPrivateSigningKey, CoreJwsSigningAlgorithm, CoreProviderMetadata, CoreRegisterErrorResponseType,
CoreSubjectIdentifierType, CoreTokenResponse, CoreTokenType, CoreUserInfoClaims, CoreResponseType, CoreRsaPrivateSigningKey, CoreSubjectIdentifierType, CoreTokenResponse,
CoreUserInfoJsonWebToken, CoreTokenType, CoreUserInfoClaims, CoreUserInfoJsonWebToken,
}, },
registration::{EmptyAdditionalClientMetadata, EmptyAdditionalClientRegistrationResponse}, registration::{EmptyAdditionalClientMetadata, EmptyAdditionalClientRegistrationResponse},
url::Url, url::Url,
@ -60,6 +60,8 @@ pub enum CustomError {
#[error("{0}")] #[error("{0}")]
BadRequest(String), BadRequest(String),
#[error("{0:?}")] #[error("{0:?}")]
BadRequestRegister(RegisterError),
#[error("{0:?}")]
BadRequestToken(TokenError), BadRequestToken(TokenError),
#[error("{0}")] #[error("{0}")]
Unauthorized(String), Unauthorized(String),
@ -479,6 +481,11 @@ pub async fn sign_in(
Ok(url) Ok(url)
} }
#[derive(Debug, Serialize)]
pub struct RegisterError {
error: CoreRegisterErrorResponseType,
}
pub async fn register( pub async fn register(
payload: CoreClientMetadata, payload: CoreClientMetadata,
db_client: &DBClientType, db_client: &DBClientType,
@ -487,6 +494,13 @@ pub async fn register(
let secret = Uuid::new_v4(); let secret = Uuid::new_v4();
let redirect_uris = payload.redirect_uris().to_vec(); let redirect_uris = payload.redirect_uris().to_vec();
for uri in redirect_uris.iter() {
if uri.url().fragment().is_some() {
return Err(CustomError::BadRequestRegister(RegisterError {
error: CoreRegisterErrorResponseType::InvalidRedirectUri,
}));
}
}
let entry = ClientEntry { let entry = ClientEntry {
secret: secret.to_string(), secret: secret.to_string(),

View File

@ -22,6 +22,9 @@ impl From<CustomError> for Result<Response> {
fn from(error: CustomError) -> Self { fn from(error: CustomError) -> Self {
match error { match error {
CustomError::BadRequest(_) => Response::error(&error.to_string(), 400), CustomError::BadRequest(_) => Response::error(&error.to_string(), 400),
CustomError::BadRequestRegister(e) => {
Response::from_json(&e).map(|r| r.with_status(400))
}
CustomError::BadRequestToken(e) => Response::from_json(&e).map(|r| r.with_status(400)), CustomError::BadRequestToken(e) => Response::from_json(&e).map(|r| r.with_status(400)),
CustomError::Unauthorized(_) => Response::error(&error.to_string(), 401), CustomError::Unauthorized(_) => Response::error(&error.to_string(), 401),
CustomError::Redirect(uri) => Response::redirect(uri.parse().unwrap()), CustomError::Redirect(uri) => Response::redirect(uri.parse().unwrap()),