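--- a/oauth/dpop/manager.go
+++ b/oauth/dpop/manager.go
@@ -36,6 +36,10 @@
 	Hostname string
 }
 
+var (
+	ErrUseDpopNonce = errors.New("use_dpop_nonce")
+)
+
 func NewManager(args ManagerArgs) *Manager {
 	if args.Logger == nil {
 		args.Logger = slog.Default()
@@ -194,12 +198,12 @@
 	nonce, _ := claims["nonce"].(string)
 	if nonce == "" {
 		// WARN: this _must_ be `use_dpop_nonce` for clients know they should make another request
-		return nil, errors.New("use_dpop_nonce")
+		return nil, ErrUseDpopNonce
 	}
 
 	if nonce != "" && !dm.nonce.Check(nonce) {
 		// WARN: this _must_ be `use_dpop_nonce` so that clients will fetch a new nonce
-		return nil, errors.New("use_dpop_nonce")
+		return nil, ErrUseDpopNonce
 	}
 
 	ath, _ := claims["ath"].(string)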
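Review bot: `ErrUseDpopNonce` is exported without a doc comment, and the `var ( … )` block wraps a single declaration; a plain `var ErrUseDpopNonce = errors.New("use_dpop_nonce")` preceded by `// ErrUseDpopNonce is returned when a proof carries no nonce or a nonce this manager does not accept; callers must answer with the use_dpop_nonce error code so the client fetches a fresh nonce.` would record the contract that the two WARN comments currently carry only as a reminder. Because callers test it with `errors.Is`, keep it a bare sentinel and never replace it with a freshly constructed error. The function holding the second hunk (presumably CheckProof, judging from the callers) starts and ends outside the hunk.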
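--- a/server/handle_oauth_par.go
+++ b/server/handle_oauth_par.go
@@ -1,12 +1,14 @@
 package server
 
 import (
+	"errors"
 	"time"
 
 	"github.com/Azure/go-autorest/autorest/to"
 	"github.com/haileyok/cocoon/internal/helpers"
 	"github.com/haileyok/cocoon/oauth"
 	"github.com/haileyok/cocoon/oauth/constants"
+	"github.com/haileyok/cocoon/oauth/dpop"
 	"github.com/haileyok/cocoon/oauth/provider"
 	"github.com/labstack/echo/v4"
 )
@@ -31,8 +33,13 @@
 	// TODO: this seems wrong. should be a way to get the entire request url i believe, but this will work for now
 	dpopProof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, nil)
 	if err != nil {
+		if errors.Is(err, dpop.ErrUseDpopNonce) {
+			return e.JSON(400, map[string]string{
+				"error": "use_dpop_nonce",
+			})
+		}
 		s.logger.Error("error getting dpop proof", "error", err)
-		return helpers.InputError(e, to.StringPtr(err.Error()))
+		return helpers.InputError(e, nil)
 	}
 
 	client, clientAuth, err := s.oauthProvider.AuthenticateClient(e.Request().Context(), parRequest.AuthenticateClientRequestBase, dpopProof, &provider.AuthenticateClientOptions{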
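Review bot: The new `use_dpop_nonce` response (new lines 36–40) sets no `DPoP-Nonce` header, so unless middleware not visible in this diff adds it to every response, a client receiving this error has no nonce to retry with; RFC 9449 expects the server to supply the nonce alongside the error code. Before the `return e.JSON(400, …)`, set it from the manager's nonce source, e.g. `e.Response().Header().Set("DPoP-Nonce", CURRENT_NONCE_PLACEHOLDER)` — the accessor is not visible here, so the value is a placeholder to be filled in from the dpop package. The same gap is present in server/handle_oauth_token.go and server/middleware.go. The enclosing handler starts and ends outside the hunk.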
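--- a/server/handle_oauth_token.go
+++ b/server/handle_oauth_token.go
@@ -4,6 +4,7 @@
 	"bytes"
 	"crypto/sha256"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"slices"
 	"time"
@@ -13,6 +14,7 @@
 	"github.com/haileyok/cocoon/internal/helpers"
 	"github.com/haileyok/cocoon/oauth"
 	"github.com/haileyok/cocoon/oauth/constants"
+	"github.com/haileyok/cocoon/oauth/dpop"
 	"github.com/haileyok/cocoon/oauth/provider"
 	"github.com/labstack/echo/v4"
 )
@@ -44,8 +46,13 @@
 
 	proof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, e.Request().URL.String(), e.Request().Header, nil)
 	if err != nil {
+		if errors.Is(err, dpop.ErrUseDpopNonce) {
+			return e.JSON(400, map[string]string{
+				"error": "use_dpop_nonce",
+			})
+		}
 		s.logger.Error("error getting dpop proof", "error", err)
-		return helpers.InputError(e, to.StringPtr(err.Error()))
+		return helpers.InputError(e, nil)
 	}
 
 	client, clientAuth, err := s.oauthProvider.AuthenticateClient(e.Request().Context(), req.AuthenticateClientRequestBase, proof, &provider.AuthenticateClientOptions{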
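Review bot: The five-line `use_dpop_nonce` branch at new lines 49–53 is the third verbatim copy of the same block (the others are in server/handle_oauth_par.go and server/middleware.go), so the status code, body and any header the response needs will drift apart as soon as one site is touched; a single helper in the server package keeps the three sites identical and gives the `DPoP-Nonce` header one home. Something like the sketch below, with each site reduced to `return respondUseDpopNonce(e)`. The enclosing handler starts and ends outside the hunk.
```go
// respondUseDpopNonce writes the use_dpop_nonce error the same way for every DPoP-protected endpoint.
func respondUseDpopNonce(e echo.Context) error {
	// NOTE(review): this is the place to set the DPoP-Nonce header from the manager's current nonce — confirm which accessor exposes it
	return e.JSON(400, map[string]string{
		"error": "use_dpop_nonce",
	})
}

// … unchanged: proof check …
	if err != nil {
		if errors.Is(err, dpop.ErrUseDpopNonce) {
			return respondUseDpopNonce(e)
		}
```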
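--- a/server/middleware.go
+++ b/server/middleware.go
@@ -3,6 +3,7 @@
 import (
 	"crypto/sha256"
 	"encoding/base64"
+	"errors"
 	"fmt"
 	"strings"
 	"time"
@@ -11,6 +12,7 @@
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/haileyok/cocoon/internal/helpers"
 	"github.com/haileyok/cocoon/models"
+	"github.com/haileyok/cocoon/oauth/dpop"
 	"github.com/haileyok/cocoon/oauth/provider"
 	"github.com/labstack/echo/v4"
 	"gitlab.com/yawning/secp256k1-voi"
@@ -229,8 +231,13 @@
 
 	proof, err := s.oauthProvider.DpopManager.CheckProof(e.Request().Method, "https://"+s.config.Hostname+e.Request().URL.String(), e.Request().Header, to.StringPtr(accessToken))
 	if err != nil {
+		if errors.Is(err, dpop.ErrUseDpopNonce) {
+			return e.JSON(400, map[string]string{
+				"error": "use_dpop_nonce",
+			})
+		}
 		s.logger.Error("invalid dpop proof", "error", err)
-		return helpers.InputError(e, to.StringPtr(err.Error()))
+		return helpers.InputError(e, nil)
 	}
 
 	var oauthToken provider.OauthToken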
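Review bot: This hunk binds the proof to an access token (`to.StringPtr(accessToken)` is passed as the ath argument), which suggests the middleware guards protected-resource requests rather than the authorization server's own endpoints; for a resource server RFC 9449 signals a nonce problem with a `401` carrying `WWW-Authenticate` set to `DPoP error="use_dpop_nonce"` (plus a `DPoP-Nonce` header), not the 400 JSON body the token and PAR endpoints use. If that reading is right, the new branch at lines 234–238 should set that header and return 401 so a conforming client recognises the retry signal; confirm against what the clients actually parse. The enclosing function starts and ends outside the hunk.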