

oauth client: check callback state before checking errors

+18 -9
+18 -9
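--- a/atproto/auth/oauth/oauth.go
+++ b/atproto/auth/oauth/oauth.go
@@ -600,6 +600,20 @@
 // High-level helper for completing auth flow: verifies callback query parameters against persisted auth request info, makes initial token request to the auth server, validates account identifier, and persists session data.
 func (app *ClientApp) ProcessCallback(ctx context.Context, params url.Values) (*ClientSessionData, error) {
 
+	state := params.Get("state")
+	if state == "" {
+		return nil, fmt.Errorf("missing state query param")
+	}
+
+	info, err := app.Store.GetAuthRequestInfo(ctx, state)
+	if err != nil {
+		return nil, fmt.Errorf("loading auth request info: %w", err)
+	}
+	if info.State != state {
+		return nil, fmt.Errorf("callback state doesn't match request info")
+	}
+
+	// NOTE: A corresponding `state` is expected even under error conditions,
+	// hence we check error *after* checking state.
 	errorCode := params.Get("error")
 	if errorCode != "" {
 		var errorUri *syntax.URI
@@ -614,20 +629,14 @@
 		}
 	}
 
-	state := params.Get("state")
 	authserverURL := params.Get("iss")
 	authCode := params.Get("code")
-	if state == "" || authserverURL == "" || authCode == "" {
+	if authserverURL == "" || authCode == "" {
 		return nil, fmt.Errorf("missing required query param")
 	}
 
-	info, err := app.Store.GetAuthRequestInfo(ctx, state)
-	if err != nil {
-		return nil, fmt.Errorf("loading auth request info: %w", err)
-	}
-
-	if info.State != state || info.AuthServerURL != authserverURL {
-		return nil, fmt.Errorf("callback params don't match request info")
+	if info.AuthServerURL != authserverURL {
+		return nil, fmt.Errorf("callback iss doesn't match request info")
 	}
 
 	tokenResp, err := app.SendInitialTokenRequest(ctx, authCode, *info)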
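Review bot: Every failure path after the `GetAuthRequestInfo` lookup — the auth-server `error` branch, the missing `iss`/`code` check, and the new `iss` mismatch at line 638 — returns without consuming the persisted auth request, so the `state` it was looked up by remains usable for another callback attempt; the error branch body and the remainder of ProcessCallback lie outside the hunk, so this holds only if nothing there deletes the record. The `state` in this flow is a one-time value (the PKCE verifier and expected `iss` hang off it), and an `iss` mismatch in particular is the mix-up-attack signal, so the request should be invalidated, not left retryable. If the store has a delete counterpart to `GetAuthRequestInfo`, call it before each of those returns (or once, deferred, with the success path handled explicitly); otherwise a comment at line 612 noting that the record is only consumed on success would at least document the gap. Minor style point: `fmt.Errorf("missing state query param")` and the two other constant-string errors have no verbs, so `errors.New` is the idiomatic form and keeps `%w`-style wrapping reserved for lines like 610 that actually wrap.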