Use form_post response mode for interactive authentication (#596)

* Form_post support in system browser auth

* Update server.go

Author: ashok672

apps/internal/base/base.go

@@ -302,13 +302,10 @@ func (b Client) AuthCodeURL(ctx context.Context, clientID, redirectURI string, s
 	if authParams.DomainHint != "" {
 		v.Add("domain_hint", authParams.DomainHint)
 	}
-	// There were left over from an implementation that didn't use any of these.  We may
-	// need to add them later, but as of now aren't needed.
-	/*
-		if p.ResponseMode != "" {
-			urlParams.Add("response_mode", p.ResponseMode)
-		}
-	*/
+	// Use form_post response mode for interactive auth to avoid exposing the auth code in the URL
+	if authParams.AuthorizationType == authority.ATInteractive {
+		v.Add("response_mode", "form_post")
+	}
 	baseURL.RawQuery = v.Encode()
 	return baseURL.String(), nil
 }

apps/internal/local/server.go

@@ -24,6 +24,7 @@ var okPage = []byte(`
 </head>
 <body>
     <p>Authentication complete. You can return to the application. Feel free to close this browser tab.</p>
+    <p><strong>For your security:</strong> Do not share the contents of this page, the address bar, or take screenshots.</p>
 </body>
 </html>
 `)
@@ -42,6 +43,20 @@ const failPage = `
 </html>
 `
 
+const unsupportedResponseModePage = `
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8" />
+    <title>Authentication Failed</title>
+</head>
+<body>
+    <p>Authentication failed. The response was received via a GET operation, which is not supported.</p>
+    <p>You can return to the application. Feel free to close this browser tab.</p>
+</body>
+</html>
+`
+
 // Result is the result from the redirect.
 type Result struct {
 	// Code is the code sent by the authority server.
@@ -138,11 +153,24 @@ func (s *Server) putResult(r Result) {
 }
 
 func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
-	q := r.URL.Query()
+	// Only accept POST requests (form_post response mode)
+	// GET requests with query parameters are not supported for security reasons
+	if r.Method != http.MethodPost {
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		_, _ = w.Write([]byte(unsupportedResponseModePage))
+		s.putResult(Result{Err: fmt.Errorf("response was received via a GET operation, which is not supported")})
+		return
+	}
+
+	// For form_post response mode, parameters come in the POST body
+	if err := r.ParseForm(); err != nil {
+		s.error(w, http.StatusBadRequest, "failed to parse form data: %v", err)
+		return
+	}
 
-	headerErr := q.Get("error")
+	headerErr := r.PostFormValue("error")
 	if headerErr != "" {
-		desc := html.EscapeString(q.Get("error_description"))
+		desc := html.EscapeString(r.PostFormValue("error_description"))
 		escapedHeaderErr := html.EscapeString(headerErr)
 		// Note: It is a little weird we handle some errors by not going to the failPage. If they all should,
 		// change this to s.error() and make s.error() write the failPage instead of an error code.
@@ -152,7 +180,7 @@ func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	respState := q.Get("state")
+	respState := r.PostFormValue("state")
 	switch respState {
 	case s.reqState:
 	case "":
@@ -163,9 +191,9 @@ func (s *Server) handler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	code := q.Get("code")
+	code := r.PostFormValue("code")
 	if code == "" {
-		s.error(w, http.StatusInternalServerError, "authorization code missing in query string")
+		s.error(w, http.StatusInternalServerError, "authorization code missing in response")
 		return
 	}
 

apps/internal/local/server_test.go

@@ -23,44 +23,44 @@ func TestServer(t *testing.T) {
 		desc       string
 		reqState   string
 		port       int
-		q          url.Values
+		formData   url.Values
 		failPage   bool
 		statusCode int
 	}{
 		{
-			desc:       "Error: Query Values has 'error' key",
+			desc:       "Error: Form data has 'error' key",
 			reqState:   "state",
 			port:       0,
-			q:          url.Values{"state": []string{"state"}, "error": []string{"error"}},
+			formData:   url.Values{"state": []string{"state"}, "error": []string{"error"}},
 			statusCode: 200,
 			failPage:   true,
 		},
 		{
-			desc:       "Error: Query Values missing 'state' key",
+			desc:       "Error: Form data missing 'state' key",
 			reqState:   "state",
 			port:       0,
-			q:          url.Values{"code": []string{"code"}},
+			formData:   url.Values{"code": []string{"code"}},
 			statusCode: http.StatusInternalServerError,
 		},
 		{
-			desc:       "Error: Query Values missing had 'state' key value that was different that requested",
+			desc:       "Error: Form data had 'state' key value that was different than requested",
 			reqState:   "state",
 			port:       0,
-			q:          url.Values{"state": []string{"etats"}, "code": []string{"code"}},
+			formData:   url.Values{"state": []string{"etats"}, "code": []string{"code"}},
 			statusCode: http.StatusInternalServerError,
 		},
 		{
-			desc:       "Error: Query Values missing 'code' key",
+			desc:       "Error: Form data missing 'code' key",
 			reqState:   "state",
 			port:       0,
-			q:          url.Values{"state": []string{"state"}},
+			formData:   url.Values{"state": []string{"state"}},
 			statusCode: http.StatusInternalServerError,
 		},
 		{
 			desc:       "Success",
 			reqState:   "state",
 			port:       0,
-			q:          url.Values{"state": []string{"state"}, "code": []string{"code"}},
+			formData:   url.Values{"state": []string{"state"}, "code": []string{"code"}},
 			statusCode: 200,
 		},
 	}
@@ -79,14 +79,9 @@ func TestServer(t *testing.T) {
 		if err != nil {
 			panic(err)
 		}
-		u.RawQuery = test.q.Encode()
 
-		resp, err := http.DefaultClient.Do(
-			&http.Request{
-				Method: "GET",
-				URL:    u,
-			},
-		)
+		// Send POST request with form data (form_post response mode)
+		resp, err := http.DefaultClient.PostForm(u.String(), test.formData)
 
 		if err != nil {
 			panic(err)
@@ -139,3 +134,36 @@ func TestServer(t *testing.T) {
 		}
 	}
 }
+
+func TestServerRejectsGET(t *testing.T) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	serv, err := New("state", 0)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer serv.Shutdown()
+
+	u, err := url.Parse(serv.Addr)
+	if err != nil {
+		t.Fatal(err)
+	}
+	u.RawQuery = url.Values{"state": []string{"state"}, "code": []string{"code"}}.Encode()
+
+	// Send GET request (should be rejected)
+	resp, err := http.DefaultClient.Get(u.String())
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusMethodNotAllowed {
+		t.Errorf("GET request: got StatusCode %d, want %d", resp.StatusCode, http.StatusMethodNotAllowed)
+	}
+
+	res := serv.Result(ctx)
+	if res.Err == nil {
+		t.Error("GET request: Result.Err == nil, want error about unexpected response mode")
+	}
+}

apps/public/public_test.go

@@ -56,8 +56,15 @@ func fakeBrowserOpenURL(authURL string) error {
 	if redirect == "" {
 		return errors.New("missing redirect param 'redirect_uri'")
 	}
-	// now send the info to our local redirect server
-	resp, err := http.DefaultClient.Get(redirect + fmt.Sprintf("/?state=%s&code=fake_auth_code", state))
+	// Verify response_mode=form_post is requested
+	if q.Get("response_mode") != "form_post" {
+		return errors.New("missing or incorrect response_mode, expected 'form_post'")
+	}
+	// Send POST request with form data (simulating form_post response mode)
+	resp, err := http.DefaultClient.PostForm(redirect, url.Values{
+		"state": []string{state},
+		"code":  []string{"fake_auth_code"},
+	})
 	if err != nil {
 		return err
 	}