From 6ac82d5171769bf8d543cb6c017d29c0a4c81621 Mon Sep 17 00:00:00 2001
From: Joram Wilander
Date: Fri, 27 Jul 2018 17:35:43 -0400
Subject: Implement OAuth2 implicit grant flow (#9178)

---
 api4/oauth.go | 9 +++++++--
 api4/oauth_test.go | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)
(limited to 'api4')

diff --git a/api4/oauth.go b/api4/oauth.go
index b858267ee..ab4b1bfcf 100644
--- a/api4/oauth.go
+++ b/api4/oauth.go
@@ -278,6 +278,12 @@ func authorizeOAuthApp(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if c.Session.IsOAuth {
+		c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+		c.Err.DetailedError += ", attempted access by oauth app"
+		return
+	}
+
 	c.LogAudit("attempt")
 
 	redirectUrl, err := c.App.AllowOAuthAppAccessToUser(c.Session.UserId, authRequest)
@@ -358,7 +364,6 @@ func authorizeOAuthPage(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	// Automatically allow if the app is trusted
 	if oauthApp.IsTrusted || isAuthorized {
-		authRequest.ResponseType = model.AUTHCODE_RESPONSE_TYPE
 		redirectUrl, err := c.App.AllowOAuthAppAccessToUser(c.Session.UserId, authRequest)
 
 		if err != nil {
@@ -418,7 +423,7 @@ func getAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
 
 	c.LogAudit("attempt")
 
-	accessRsp, err := c.App.GetOAuthAccessToken(clientId, grantType, redirectUri, code, secret, refreshToken)
+	accessRsp, err := c.App.GetOAuthAccessTokenForCodeFlow(clientId, grantType, redirectUri, code, secret, refreshToken)
 	if err != nil {
 		c.Err = err
 		return
diff --git a/api4/oauth_test.go b/api4/oauth_test.go
index 5415e485e..cac40e442 100644
--- a/api4/oauth_test.go
+++ b/api4/oauth_test.go
@@ -13,6 +13,7 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 
 	"github.com/mattermost/mattermost-server/einterfaces"
 	"github.com/mattermost/mattermost-server/model"
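Review bot: The new `c.Session.IsOAuth` rejection in authorizeOAuthApp returns before `c.LogAudit("attempt")`, so an OAuth-issued token trying to authorize a second app — the token-chaining case this guard exists to stop — leaves no audit record, while ordinary attempts do. Add `c.LogAudit("fail - oauth session attempted to authorize an app")` before the `return`, or move the guard below the existing attempt audit. A why-comment on the guard would also help the next reader, since PERMISSION_EDIT_OTHER_USERS alone does not explain it: `// a token issued to an OAuth app must not be able to mint tokens for other apps (no token chaining)`. authorizeOAuthApp starts and ends outside this hunk.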
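Review bot: Dropping the forced `authRequest.ResponseType = model.AUTHCODE_RESPONSE_TYPE` means the trusted/already-authorized auto-approve branch in authorizeOAuthPage now honors whatever `response_type` the caller supplied, so a plain GET to the authorize URL with `response_type=token`, triggered from any page the user visits, redirects immediately with a bearer token in the URL fragment and no consent step. That is only safe if `AllowOAuthAppAccessToUser` (not visible here) matches `redirect_uri` exactly against the app's registered callback URLs; a prefix or host-only match would deliver a trusted app's token to an attacker-chosen path. The `IsOAuth` session guard this commit adds to authorizeOAuthApp is not visible on this path — authorizeOAuthPage begins and ends outside the hunk, so it may be applied earlier, but it is worth confirming that an OAuth-issued session cannot reach this auto-approve branch. I would document the intent above the call: `// response_type is honored as supplied (code or token); the implicit flow returns the token in the fragment, so redirect_uri must be an exact match to a registered callback`.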
@@ -665,6 +666,7 @@ func TestAuthorizeOAuthApp(t *testing.T) {
 		State: "123",
 	}
 
+	// Test auth code flow
 	ruri, resp := Client.AuthorizeOAuthApp(authRequest)
 	CheckNoError(t, resp)
 
@@ -684,6 +686,26 @@ func TestAuthorizeOAuthApp(t *testing.T) {
 		}
 	}
 
+	// Test implicit flow
+	authRequest.ResponseType = model.IMPLICIT_RESPONSE_TYPE
+	ruri, resp = Client.AuthorizeOAuthApp(authRequest)
+	CheckNoError(t, resp)
+	require.False(t, len(ruri) == 0, "redirect url should be set")
+
+	ru, _ = url.Parse(ruri)
+	require.NotNil(t, ru, "redirect url unparseable")
+	values, err := url.ParseQuery(ru.Fragment)
+	require.Nil(t, err)
+	assert.False(t, len(values.Get("access_token")) == 0, "access_token not returned")
+	assert.Equal(t, authRequest.State, values.Get("state"), "returned state doesn't match")
+
+	oldToken := Client.AuthToken
+	Client.AuthToken = values.Get("access_token")
+	_, resp = Client.AuthorizeOAuthApp(authRequest)
+	CheckForbiddenStatus(t, resp)
+
+	Client.AuthToken = oldToken
+
 	authRequest.RedirectUri = ""
 	_, resp = Client.AuthorizeOAuthApp(authRequest)
 	CheckBadRequestStatus(t, resp)
-- cgit v1.2.3-1-g7c22
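Review bot: The implicit-flow test checks that `access_token` and `state` appear in `ru.Fragment` but never checks that the token did not also land in the query string, which is the property that separates a correct implicit response from a leaky one (query strings reach access logs and Referer headers, fragments do not); add `assert.Empty(t, ru.Query().Get("access_token"), "token must only be in the fragment")` after the `assert.Equal` on state. The forbidden check with the freshly minted token is a good regression test for the token-chaining guard. Minor style: `require.False(t, len(ruri) == 0, ...)` and `assert.False(t, len(values.Get("access_token")) == 0, ...)` read better as `require.NotEmpty`/`assert.NotEmpty`. TestAuthorizeOAuthApp starts outside this hunk.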