validate redirect uri before issuing token as well

256dpi · Jan 6, 2020 · 7408f99 · 7408f99
1 parent 745cdeb
commit 7408f99
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 8 deletions.
diff --git a/flame/authenticator.go b/flame/authenticator.go
@@ -686,7 +686,15 @@ func (a *Authenticator) handleAuthorizationCodeGrant(env *environment, req *oaut
 		stack.Abort(oauth2.InvalidGrant("invalid authorization code ownership"))
 	}
 
-	// validate redirect uri
+	// validate redirect URI
+	req.RedirectURI, err = a.policy.RedirectURIValidator(client, req.RedirectURI)
+	if err == ErrInvalidRedirectURI {
+		stack.Abort(oauth2.InvalidRequest("invalid redirect uri"))
+	} else if err != nil {
+		stack.Abort(err)
+	}
+
+	// compare redirect URIs
 	if data.RedirectURI != req.RedirectURI {
 		stack.Abort(oauth2.InvalidGrant("redirect uri mismatch"))
 	}

diff --git a/flame/authenticator_test.go b/flame/authenticator_test.go
@@ -65,17 +65,19 @@ func TestIntegration(t *testing.T) {
 			t.Error(err)
 		})
 
+		redirectURIs := []string{"http://example.com/callback1", "http://example.com/callback2"}
+
 		app1 := tester.Save(&Application{
 			Name:         "Application 1",
 			Key:          "app1",
 			SecretHash:   mustHash(testPassword),
-			RedirectURIs: []string{"http://example.com/callback1"},
+			RedirectURIs: redirectURIs,
 		}).(*Application)
 
 		app2 := tester.Save(&Application{
 			Name:         "Application 2",
 			Key:          "app2",
-			RedirectURIs: []string{"http://example.com/callback2"},
+			RedirectURIs: redirectURIs,
 		}).(*Application)
 
 		user := tester.Save(&User{
@@ -132,8 +134,8 @@ func TestIntegration(t *testing.T) {
 		config.ExpiredToken = mustGenerateToken(policy, AccessToken, expiredToken.ID(), expiredToken.ExpiresAt)
 		config.InsufficientToken = mustGenerateToken(policy, AccessToken, insufficientToken.ID(), insufficientToken.ExpiresAt)
 
-		config.PrimaryRedirectURI = "http://example.com/callback1"
-		config.SecondaryRedirectURI = "http://example.com/callback2"
+		config.PrimaryRedirectURI = redirectURIs[0]
+		config.SecondaryRedirectURI = redirectURIs[1]
 
 		validRefreshToken := tester.Save(&Token{
 			Type:        RefreshToken,

diff --git a/flame/policy.go b/flame/policy.go
@@ -63,9 +63,11 @@ type Policy struct {
 	// authentication request.
 	ClientFilter func(Client, *http.Request) (bson.M, error)
 
-	// RedirectURIValidator may validate a redirect URI and return a valid or
-	// or corrected redirect URI for further use. It can return
-	// ErrInvalidRedirectURI to to cancel the authorization request.
+	// RedirectURIValidator should validate a redirect URI and return the valid
+	// or corrected redirect URI. It can return ErrInvalidRedirectURI to to
+	// cancel the authorization request. The validator is during the
+	// authorization and the token request. If the result differs, no token will
+	// be issue and the request aborted.
 	RedirectURIValidator func(Client, string) (string, error)
 
 	// ResourceOwners should return a list of resource owner models that are