summaryrefslogtreecommitdiff
path: root/internal/api/client/auth/authorize.go
diff options
context:
space:
mode:
Diffstat (limited to 'internal/api/client/auth/authorize.go')
-rw-r--r--internal/api/client/auth/authorize.go45
1 files changed, 25 insertions, 20 deletions
diff --git a/internal/api/client/auth/authorize.go b/internal/api/client/auth/authorize.go
index fb16b00fc..a10408723 100644
--- a/internal/api/client/auth/authorize.go
+++ b/internal/api/client/auth/authorize.go
@@ -23,9 +23,11 @@ import (
"fmt"
"net/http"
"net/url"
+ "strings"
"github.com/gin-contrib/sessions"
"github.com/gin-gonic/gin"
+ "github.com/google/uuid"
"github.com/superseriousbusiness/gotosocial/internal/api/model"
"github.com/superseriousbusiness/gotosocial/internal/db"
"github.com/superseriousbusiness/gotosocial/internal/gtsmodel"
@@ -46,16 +48,19 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
form := &model.OAuthAuthorize{}
if err := c.Bind(form); err != nil {
l.Debugf("invalid auth form: %s", err)
+ m.clearSession(s)
+ c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
- l.Tracef("parsed auth form: %+v", form)
+ l.Debugf("parsed auth form: %+v", form)
if err := extractAuthForm(s, form); err != nil {
l.Debugf(fmt.Sprintf("error parsing form at /oauth/authorize: %s", err))
+ m.clearSession(s)
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
- c.Redirect(http.StatusFound, AuthSignInPath)
+ c.Redirect(http.StatusSeeOther, AuthSignInPath)
return
}
@@ -69,6 +74,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
ClientID: clientID,
}
if err := m.db.GetWhere([]db.Where{{Key: sessionClientID, Value: app.ClientID}}, app); err != nil {
+ m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": fmt.Sprintf("no application found for client id %s", clientID)})
return
}
@@ -78,6 +84,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
ID: userID,
}
if err := m.db.GetByID(user.ID, user); err != nil {
+ m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
@@ -87,6 +94,7 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
}
if err := m.db.GetByID(acct.ID, acct); err != nil {
+ m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
return
}
@@ -94,11 +102,13 @@ func (m *Module) AuthorizeGETHandler(c *gin.Context) {
// Finally we should also get the redirect and scope of this particular request, as stored in the session.
redirect, ok := s.Get(sessionRedirectURI).(string)
if !ok || redirect == "" {
+ m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": "no redirect_uri found in session"})
return
}
scope, ok := s.Get(sessionScope).(string)
if !ok || scope == "" {
+ m.clearSession(s)
c.JSON(http.StatusInternalServerError, gin.H{"error": "no scope found in session"})
return
}
@@ -128,48 +138,42 @@ func (m *Module) AuthorizePOSTHandler(c *gin.Context) {
// recreate it on the request so that it can be used further by the oauth2 library.
// So first fetch all the values from the session.
+ errs := []string{}
+
forceLogin, ok := s.Get(sessionForceLogin).(string)
if !ok {
- c.JSON(http.StatusBadRequest, gin.H{"error": "session missing force_login"})
- return
+ forceLogin = "false"
}
responseType, ok := s.Get(sessionResponseType).(string)
if !ok || responseType == "" {
- c.JSON(http.StatusBadRequest, gin.H{"error": "session missing response_type"})
- return
+ errs = append(errs, "session missing response_type")
}
clientID, ok := s.Get(sessionClientID).(string)
if !ok || clientID == "" {
- c.JSON(http.StatusBadRequest, gin.H{"error": "session missing client_id"})
- return
+ errs = append(errs, "session missing client_id")
}
redirectURI, ok := s.Get(sessionRedirectURI).(string)
if !ok || redirectURI == "" {
- c.JSON(http.StatusBadRequest, gin.H{"error": "session missing redirect_uri"})
- return
+ errs = append(errs, "session missing redirect_uri")
}
scope, ok := s.Get(sessionScope).(string)
if !ok {
- c.JSON(http.StatusBadRequest, gin.H{"error": "session missing scope"})
- return
+ errs = append(errs, "session missing scope")
}
userID, ok := s.Get(sessionUserID).(string)
if !ok {
- c.JSON(http.StatusBadRequest, gin.H{"error": "session missing userid"})
- return
+ errs = append(errs, "session missing userid")
}
- // we're done with the session so we can clear it now
- for _, key := range sessionKeys {
- s.Delete(key)
- }
- if err := s.Save(); err != nil {
- c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+ m.clearSession(s)
+
+ if len(errs) != 0 {
+ c.JSON(http.StatusBadRequest, gin.H{"error": strings.Join(errs, ": ")})
return
}
@@ -209,5 +213,6 @@ func extractAuthForm(s sessions.Session, form *model.OAuthAuthorize) error {
s.Set(sessionClientID, form.ClientID)
s.Set(sessionRedirectURI, form.RedirectURI)
s.Set(sessionScope, form.Scope)
+ s.Set(sessionState, uuid.NewString())
return s.Save()
}
generated by cgit v1.2.3 (git 2.46.0) at 2025-07-13 16:04:16 +0000