fix(server): creepy @@ string split logic for auth_token

lakhansamani · lakhansamani · commit 579899c39761 · 2022-11-13T01:22:21.000+05:30
diff --git a/server/handlers/authorize.go b/server/handlers/authorize.go
@@ -16,7 +16,7 @@ jargons
 	login resolver has optional param state
 		-if state found in store, split with @@
 		- if len > 1 -> response type is code and has code + challenge
-		- set `nonce@@code` for createAuthToken request so that `c_hash` can be generated
+		- set `nonce, code` for createAuthToken request so that `c_hash` can be generated
 		- do not add `nonce` to id_token in code flow, instead set `c_hash` and `at_hash`
 
 
@@ -26,8 +26,8 @@ jargons
 		- add &nonce to login redirect url
 	login resolver has optional param state
 		- if state found in store, split with @@
-		- if len < 1 -> response type is token / id_token and has nonce
-		- send received nonce for createAuthToken
+		- if len < 1 -> response type is token / id_token and value is nonce
+		- send received nonce for createAuthToken with empty code value
 		- set `nonce` and `at_hash` in `id_token`
 **/
 
@@ -277,7 +277,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 		if responseType == constants.ResponseTypeToken || responseType == constants.ResponseTypeIDToken {
 			hostname := parsers.GetHost(gc)
 			// rollover the session for security
-			authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod, nonce)
+			authToken, err := token.CreateAuthToken(gc, user, claims.Roles, scope, claims.LoginMethod, nonce, "")
 			if err != nil {
 				log.Debug("CreateAuthToken failed: ", err)
 				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
diff --git a/server/handlers/oauth_callback.go b/server/handlers/oauth_callback.go
@@ -197,8 +197,11 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			}
 		}
 
+		// TODO
+		// use stateValue to get code / nonce
+		// add code / nonce to id_token
 		nonce := uuid.New().String()
-		authToken, err := token.CreateAuthToken(ctx, user, inputRoles, scopes, provider, nonce)
+		authToken, err := token.CreateAuthToken(ctx, user, inputRoles, scopes, provider, nonce, "")
 		if err != nil {
 			log.Debug("Failed to create auth token: ", err)
 			ctx.JSON(500, gin.H{"error": err.Error()})
diff --git a/server/handlers/token.go b/server/handlers/token.go
@@ -246,7 +246,7 @@ func TokenHandler() gin.HandlerFunc {
 		fmt.Println("=> code", code)
 		fmt.Println("=> nonce", nonce)
 
-		authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce)
+		authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, code)
 		if err != nil {
 			log.Debug("Error creating auth token: ", err)
 			gc.JSON(http.StatusUnauthorized, gin.H{
diff --git a/server/handlers/verify_email.go b/server/handlers/verify_email.go
@@ -101,7 +101,7 @@ func VerifyEmailHandler() gin.HandlerFunc {
 		}
 
 		nonce := uuid.New().String()
-		authToken, err := token.CreateAuthToken(c, user, roles, scope, loginMethod, nonce)
+		authToken, err := token.CreateAuthToken(c, user, roles, scope, loginMethod, nonce, "")
 		if err != nil {
 			log.Debug("Error creating auth token: ", err)
 			errorRes["error_description"] = err.Error()
diff --git a/server/resolvers/login.go b/server/resolvers/login.go
@@ -155,15 +155,14 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 				codeChallenge = authorizeStateSplit[1]
 
 				fmt.Println("=> code info", authorizeStateSplit)
-				nonce = nonce + "@@" + code
 			} else {
 				nonce = authorizeState
 			}
 			go memorystore.Provider.RemoveState(refs.StringValue(params.State))
 		}
 	}
 
-	authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce)
+	authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, code)
 	if err != nil {
 		log.Debug("Failed to create auth token", err)
 		return res, err
@@ -186,8 +185,8 @@ func LoginResolver(ctx context.Context, params model.LoginInput) (*model.AuthRes
 	sessionStoreKey := constants.AuthRecipeMethodBasicAuth + ":" + user.ID
 	memorystore.Provider.SetUserSession(sessionStoreKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
 	memorystore.Provider.SetUserSession(sessionStoreKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
+	// TODO add to other login options as well
 	// Code challenge could be optional if PKCE flow is not used
-
 	if code != "" {
 		fmt.Println("=> setting the state here....")
 		if err := memorystore.Provider.SetState(code, codeChallenge+"@@"+authToken.FingerPrintHash); err != nil {
diff --git a/server/resolvers/magic_link_login.go b/server/resolvers/magic_link_login.go
@@ -15,6 +15,7 @@ import (
 	"github.com/authorizerdev/authorizer/server/graph/model"
 	"github.com/authorizerdev/authorizer/server/memorystore"
 	"github.com/authorizerdev/authorizer/server/parsers"
+	"github.com/authorizerdev/authorizer/server/refs"
 	"github.com/authorizerdev/authorizer/server/token"
 	"github.com/authorizerdev/authorizer/server/utils"
 	"github.com/authorizerdev/authorizer/server/validators"
@@ -185,7 +186,7 @@ func MagicLinkLoginResolver(ctx context.Context, params model.MagicLinkLoginInpu
 		}
 		redirectURLParams := "&roles=" + strings.Join(inputRoles, ",")
 		if params.State != nil {
-			redirectURLParams = redirectURLParams + "&state=" + *params.State
+			redirectURLParams = redirectURLParams + "&state=" + refs.StringValue(params.State)
 		}
 		if params.Scope != nil && len(params.Scope) > 0 {
 			redirectURLParams = redirectURLParams + "&scope=" + strings.Join(params.Scope, " ")
diff --git a/server/resolvers/session.go b/server/resolvers/session.go
@@ -72,7 +72,7 @@ func SessionResolver(ctx context.Context, params *model.SessionQueryInput) (*mod
 	}
 
 	nonce := uuid.New().String()
-	authToken, err := token.CreateAuthToken(gc, user, claimRoles, scope, claims.LoginMethod, nonce)
+	authToken, err := token.CreateAuthToken(gc, user, claimRoles, scope, claims.LoginMethod, nonce, "")
 	if err != nil {
 		log.Debug("Failed to create auth token: ", err)
 		return res, err
diff --git a/server/resolvers/signup.go b/server/resolvers/signup.go
@@ -258,7 +258,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR
 			nonce = nonce + "@@" + code
 		}
 
-		authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce)
+		authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, code)
 		if err != nil {
 			log.Debug("Failed to create auth token: ", err)
 			return res, err
diff --git a/server/resolvers/verify_email.go b/server/resolvers/verify_email.go
@@ -86,7 +86,7 @@ func VerifyEmailResolver(ctx context.Context, params model.VerifyEmailInput) (*m
 	roles := strings.Split(user.Roles, ",")
 	scope := []string{"openid", "email", "profile"}
 	nonce := uuid.New().String()
-	authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce)
+	authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, "")
 	if err != nil {
 		log.Debug("Failed to create auth token: ", err)
 		return res, err
diff --git a/server/resolvers/verify_otp.go b/server/resolvers/verify_otp.go
@@ -59,7 +59,7 @@ func VerifyOtpResolver(ctx context.Context, params model.VerifyOTPRequest) (*mod
 	roles := strings.Split(user.Roles, ",")
 	scope := []string{"openid", "email", "profile"}
 	nonce := uuid.New().String()
-	authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce)
+	authToken, err := token.CreateAuthToken(gc, user, roles, scope, loginMethod, nonce, "")
 	if err != nil {
 		log.Debug("Failed to create auth token: ", err)
 		return res, err
diff --git a/server/test/validate_jwt_token_test.go b/server/test/validate_jwt_token_test.go
@@ -52,7 +52,7 @@ func validateJwtTokenTest(t *testing.T, s TestSetup) {
 	assert.NoError(t, err)
 	sessionKey := constants.AuthRecipeMethodBasicAuth + ":" + user.ID
 	nonce := uuid.New().String()
-	authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce)
+	authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, "")
 	memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+authToken.FingerPrint, authToken.FingerPrintHash)
 	memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeAccessToken+"_"+authToken.FingerPrint, authToken.AccessToken.Token)
 
diff --git a/server/token/auth_token.go b/server/token/auth_token.go
@@ -49,18 +49,7 @@ type SessionData struct {
 }
 
 // CreateAuthToken creates a new auth token when userlogs in
-func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string, loginMethod, nonce string) (*Token, error) {
-
-	code := ""
-	nonceSplit := strings.Split(nonce, "@@")
-	fingerPrint := nonce
-	fmt.Println("=> nonce split", nonceSplit)
-	if len(nonceSplit) > 1 {
-		code = nonceSplit[1]
-		// use original nonce for session token and access token
-		nonce = nonceSplit[0]
-		fingerPrint = nonce
-	}
+func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string, loginMethod, nonce string, code string) (*Token, error) {
 
 	fmt.Println("=> original nonce:", nonce)
 
@@ -98,7 +87,7 @@ func CreateAuthToken(gc *gin.Context, user models.User, roles, scope []string, l
 	}
 
 	res := &Token{
-		FingerPrint:     fingerPrint,
+		FingerPrint:     nonce,
 		FingerPrintHash: fingerPrintHash,
 		AccessToken:     &JWTToken{Token: accessToken, ExpiresAt: accessTokenExpiresAt},
 		IDToken:         &JWTToken{Token: idToken, ExpiresAt: idTokenExpiresAt},

Original file line number	Diff line number	Diff line change
`@@ -197,8 +197,11 @@ func OAuthCallbackHandler() gin.HandlerFunc {`
`197`	`197`	`}`
`198`	`198`	`}`
`199`	`199`
	`200`	`+ // TODO`
	`201`	`+ // use stateValue to get code / nonce`
	`202`	`+ // add code / nonce to id_token`
`200`	`203`	`nonce := uuid.New().String()`
`201`		`- authToken, err := token.CreateAuthToken(ctx, user, inputRoles, scopes, provider, nonce)`
	`204`	`+ authToken, err := token.CreateAuthToken(ctx, user, inputRoles, scopes, provider, nonce, "")`
`202`	`205`	`if err != nil {`
`203`	`206`	`log.Debug("Failed to create auth token: ", err)`
`204`	`207`	`ctx.JSON(500, gin.H{"error": err.Error()})`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ func VerifyEmailHandler() gin.HandlerFunc {`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`nonce := uuid.New().String()`
`104`		`- authToken, err := token.CreateAuthToken(c, user, roles, scope, loginMethod, nonce)`
	`104`	`+ authToken, err := token.CreateAuthToken(c, user, roles, scope, loginMethod, nonce, "")`
`105`	`105`	`if err != nil {`
`106`	`106`	`log.Debug("Error creating auth token: ", err)`
`107`	`107`	`errorRes["error_description"] = err.Error()`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ func SessionResolver(ctx context.Context, params model.SessionQueryInput) (mod`
`72`	`72`	`}`
`73`	`73`
`74`	`74`	`nonce := uuid.New().String()`
`75`		`- authToken, err := token.CreateAuthToken(gc, user, claimRoles, scope, claims.LoginMethod, nonce)`
	`75`	`+ authToken, err := token.CreateAuthToken(gc, user, claimRoles, scope, claims.LoginMethod, nonce, "")`
`76`	`76`	`if err != nil {`
`77`	`77`	`log.Debug("Failed to create auth token: ", err)`
`78`	`78`	`return res, err`
Original file line number	Diff line number	Diff line change
`@@ -258,7 +258,7 @@ func SignupResolver(ctx context.Context, params model.SignUpInput) (*model.AuthR`
`258`	`258`	`nonce = nonce + "@@" + code`
`259`	`259`	`}`
`260`	`260`
`261`		`- authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce)`
	`261`	`+ authToken, err := token.CreateAuthToken(gc, user, roles, scope, constants.AuthRecipeMethodBasicAuth, nonce, code)`
`262`	`262`	`if err != nil {`
`263`	`263`	`log.Debug("Failed to create auth token: ", err)`
`264`	`264`	`return res, err`