fix(auth): remove JWT cookie when it's invalid

feat(authorize): add implicit authorize flow
2024-11-16 13:04:42 +01:00 · 2024-11-16 13:03:19 +01:00
6 changed files with 74 additions and 6 deletions
--- a/TODO.md
+++ b/TODO.md
@ -28,8 +28,13 @@

 - [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1

- [ ] Redirect to login when JWT expire
+- [ ] UserWebGUI: Redirect to login when JWT expire
+- [ ] UserWebGUI: Show user authorizations.
+- [ ] UserWebGUI: Show available apps
+- [ ] UserWebGUI: Direct user grant flow, User can login to the target app/client, event if it did
+not started here.
 - [ ] Add admin panel via API
+- [ ] AdminWebGUI: Ability to create invitation links
 - [ ] Add admin CLI

 - [ ] add TOTP
--- a/config.example.toml
+++ b/config.example.toml
@ -0,0 +1,28 @@
+[instance]
+base_uri = "http://localhost:8085"
+name = "Example org"
+logo_uri = "https://example.org/logo.png"
+
+[[applications]]
+slug = "demo_app"
+name = "Demo app"
+description = "A super application where you can do everything you want."
+client_id = "a1785786-8be1-443c-9a6f-35feed703609"
+client_secret = "49c6c16a-0a8a-4981-a60d-5cb96582cc1a"
+allowed_redirect_uris = [
+    "http://localhost:9090/authorize",
+    "http://localhost:9876/callback"
+]
+authorize_flow = "implicit"
+
+[[roles]]
+slug = "basic"
+name = "Basic"
+description = "Basic user"
+default = true
+
+[[roles]]
+slug = "admin"
+name = "Administrator"
+description = "Full power on organization instance"
+
--- a/config.toml
+++ b/config.toml
@ -13,6 +13,7 @@ allowed_redirect_uris = [
    "http://localhost:9090/authorize",
    "http://localhost:9876/callback"
 ]
+authorize_flow = "Implicit"

 [[roles]]
 slug = "basic"
--- a/src/controllers/ui/authorize.rs
+++ b/src/controllers/ui/authorize.rs
@ -8,7 +8,7 @@ use url::Url;
 use uuid::Uuid;

 use crate::{
-    models::{authorization::Authorization, token_claims::UserTokenClaims},
+    models::{authorization::Authorization, config::AppAuthorizeFlow, token_claims::UserTokenClaims},
    renderer::TemplateRenderer, server::AppState,
    services::oauth2::{parse_scope, verify_redirect_uri},
    utils::get_random_alphanumerical
@ -97,6 +97,7 @@ pub async fn authorize_form(
            ).into_response();
        }
    };
+
    // 2. Check if the app is already authorized
    let authorizations_res = sqlx::query_as::<_, Authorization>(
        "SELECT * FROM authorizations WHERE user_id = $1 AND client_id = $2 AND scopes = $3"
@ -139,7 +140,19 @@ pub async fn authorize_form(
        }
    }

+    // 3. Check for implicit/explicit flow
+    if app.authorize_flow == AppAuthorizeFlow::Implicit {
+        debug!("Performing Implicit authorization flow.");
+        // Authorization already given, just redirect to the app
+        return perform_authorize(
+            State(app_state),
+            Extension(token_claims),
+            Form(authorization_params)
+        ).await.into_response()
+    }
+
    // 4. Show form that POST to authorize
+    debug!("Performing explicit authorization flow.");
    renderer
        .render(
            "pages/authorize",
--- a/src/middlewares/user_auth.rs
+++ b/src/middlewares/user_auth.rs
@ -1,5 +1,10 @@
-
-use axum::{extract::{OriginalUri, Request, State}, http::StatusCode, middleware::Next, response::{Html, IntoResponse, Redirect, Response}, Extension};
+use axum::{
+    extract::{OriginalUri, Request, State},
+    http::{HeaderMap, HeaderValue, StatusCode},
+    middleware::Next,
+    response::{Html, IntoResponse, Redirect, Response},
+    Extension
+};
 use axum_extra::extract::CookieJar;

 use crate::{
@ -12,6 +17,7 @@ use crate::{
 /// add optional auth to the extension data
 pub async fn auth_middleware(
    State(app_state): State<AppState>,
+    OriginalUri(original_uri): OriginalUri,
    cookies: CookieJar,
    mut req: Request,
    next: Next,
@ -26,8 +32,13 @@ pub async fn auth_middleware(
    let token_claims: UserTokenClaims = match verify_token(&app_state.secrets, jwt) {
        Ok(val) => val,
        Err(_e) => {
+            // UserWebGUI: delete invalid JWT cookie
+            let mut headers = HeaderMap::new();
+            let jwt_cookie = "minauth_jwt=deleted; SameSite=Lax; Max-Age=0".to_string();
+            headers.insert("Set-Cookie", HeaderValue::from_str(&jwt_cookie).unwrap());
+            headers.insert("Location", HeaderValue::from_str(&original_uri.to_string()).unwrap());
            return Err(
-                (StatusCode::UNAUTHORIZED, Html("Unauthorized: The provided JWT is invalid."))
+                (StatusCode::SEE_OTHER, headers, Html("Unauthorized: Invalid JWT cookie."))
            );
        }
    };
--- a/src/models/config.rs
+++ b/src/models/config.rs
@ -12,6 +12,15 @@ struct InstanceConfig {
    logo_uri: Option<String>
 }

+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
+#[fully_pub]
+enum AppAuthorizeFlow {
+    /// user must grant the app
+    Explicit,
+    /// authorized by default for all scopes
+    Implicit
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[fully_pub]
 struct Application {
@ -20,7 +29,8 @@ struct Application {
    description: String,
    client_id: String,
    client_secret: String,
-    allowed_redirect_uris: Vec<String>
+    allowed_redirect_uris: Vec<String>,
+    authorize_flow: AppAuthorizeFlow
 }

 #[derive(Debug, Clone, Serialize, Deserialize)]
Author	SHA1	Message	Date
Matthieu Bessat	d70d622e04	fix(auth): remove JWT cookie when it's invalid	2024-11-16 13:04:42 +01:00
Matthieu Bessat	f0fad9a90a	feat(authorize): add implicit authorize flow	2024-11-16 13:03:19 +01:00