authorJoram Wilander <jwawilander@gmail.com>2018-07-27 17:35:43 -0400
committerElias Nahum <nahumhbl@gmail.com>2018-07-27 17:35:43 -0400
commit6ac82d5171769bf8d543cb6c017d29c0a4c81621 (patch)
tree945a5d1511b1eb4048bfaa4ea59777886713d797 /api4
parent441c8741c1738e93258b861d92e4f7293203918a (diff)
downloadchat-6ac82d5171769bf8d543cb6c017d29c0a4c81621.tar.gz
chat-6ac82d5171769bf8d543cb6c017d29c0a4c81621.tar.bz2
chat-6ac82d5171769bf8d543cb6c017d29c0a4c81621.zip
Implement OAuth2 implicit grant flow (#9178)
Diffstat (limited to 'api4')
-rw-r--r--api4/oauth.go9
-rw-r--r--api4/oauth_test.go22
2 files changed, 29 insertions, 2 deletions
diff --git a/api4/oauth.go b/api4/oauth.go
index b858267ee..ab4b1bfcf 100644
--- a/api4/oauth.go
+++ b/api4/oauth.go
@@ -278,6 +278,12 @@ func authorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
+ if c.Session.IsOAuth {
+ c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+ c.Err.DetailedError += ", attempted access by oauth app"
+ return
+ }
+
c.LogAudit("attempt")
redirectUrl, err := c.App.AllowOAuthAppAccessToUser(c.Session.UserId, authRequest)
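Review bot: The new `if c.Session.IsOAuth` guard has no comment saying why an OAuth-issued session is refused here, and reusing PERMISSION_EDIT_OTHER_USERS for it reads as arbitrary without one; add above the `if` a line such as `// A session created from an OAuth token must not authorize further apps on the user's behalf; reuse the edit-other-users permission error so the caller gets a 403.` The following line `c.Err.DetailedError += ", attempted access by oauth app"` presumably relies on SetPermissionError always populating c.Err — that helper is not in the hunk, so confirm it never leaves c.Err nil before dereferencing it. authorizeOAuthApp begins and ends outside the hunk.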
@@ -358,7 +364,6 @@ func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) {
// Automatically allow if the app is trusted
if oauthApp.IsTrusted || isAuthorized {
- authRequest.ResponseType = model.AUTHCODE_RESPONSE_TYPE
redirectUrl, err := c.App.AllowOAuthAppAccessToUser(c.Session.UserId, authRequest)
if err != nil {
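Review bot: With the `authRequest.ResponseType = model.AUTHCODE_RESPONSE_TYPE` assignment removed, the trusted/auto-allow branch now forwards whatever response type the request carried straight into AllowOAuthAppAccessToUser, and nothing in this hunk checks it is one of the supported values. If that validation happens in the app layer this is fine, but the hunk does not show it; if it is absent, reject anything other than AUTHCODE_RESPONSE_TYPE or IMPLICIT_RESPONSE_TYPE with the Context's invalid-parameter error before this branch, and add a comment on the `if oauthApp.IsTrusted || isAuthorized` line noting that the response type is taken from the (already validated) request. authorizeOAuthPage begins and ends outside the hunk.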
@@ -418,7 +423,7 @@ func getAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
c.LogAudit("attempt")
- accessRsp, err := c.App.GetOAuthAccessToken(clientId, grantType, redirectUri, code, secret, refreshToken)
+ accessRsp, err := c.App.GetOAuthAccessTokenForCodeFlow(clientId, grantType, redirectUri, code, secret, refreshToken)
if err != nil {
c.Err = err
return
diff --git a/api4/oauth_test.go b/api4/oauth_test.go
index 5415e485e..cac40e442 100644
--- a/api4/oauth_test.go
+++ b/api4/oauth_test.go
@@ -13,6 +13,7 @@ import (
"testing"
"github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
"github.com/mattermost/mattermost-server/einterfaces"
"github.com/mattermost/mattermost-server/model"
@@ -665,6 +666,7 @@ func TestAuthorizeOAuthApp(t *testing.T) {
State: "123",
}
+ // Test auth code flow
ruri, resp := Client.AuthorizeOAuthApp(authRequest)
CheckNoError(t, resp)
@@ -684,6 +686,26 @@ func TestAuthorizeOAuthApp(t *testing.T) {
}
}
+ // Test implicit flow
+ authRequest.ResponseType = model.IMPLICIT_RESPONSE_TYPE
+ ruri, resp = Client.AuthorizeOAuthApp(authRequest)
+ CheckNoError(t, resp)
+ require.False(t, len(ruri) == 0, "redirect url should be set")
+
+ ru, _ = url.Parse(ruri)
+ require.NotNil(t, ru, "redirect url unparseable")
+ values, err := url.ParseQuery(ru.Fragment)
+ require.Nil(t, err)
+ assert.False(t, len(values.Get("access_token")) == 0, "access_token not returned")
+ assert.Equal(t, authRequest.State, values.Get("state"), "returned state doesn't match")
+
+ oldToken := Client.AuthToken
+ Client.AuthToken = values.Get("access_token")
+ _, resp = Client.AuthorizeOAuthApp(authRequest)
+ CheckForbiddenStatus(t, resp)
+
+ Client.AuthToken = oldToken
+
authRequest.RedirectUri = ""
_, resp = Client.AuthorizeOAuthApp(authRequest)
CheckBadRequestStatus(t, resp)