fix: resolve nil pointer panic in Authorize (#358)

When ParseAuthorizeRequest received an invalid URL,
for example containing a semi-colon `;`,
AuthRequestError used to panic.
This was because a typed nil was passed as a interface argument.
The nil check inside AuthRequestError always resulted in false,
allowing access through the nil pointer.

Fixes #315

pkg/op/auth_request.go

@@ -68,7 +68,7 @@ func authorizeCallbackHandler(authorizer Authorizer) func(http.ResponseWriter, *
 func Authorize(w http.ResponseWriter, r *http.Request, authorizer Authorizer) {
 	authReq, err := ParseAuthorizeRequest(r, authorizer.Decoder())
 	if err != nil {
-		AuthRequestError(w, r, authReq, err, authorizer.Encoder())
+		AuthRequestError(w, r, nil, err, authorizer.Encoder())
 		return
 	}
 	ctx := r.Context()

pkg/op/auth_request_test.go

@@ -9,6 +9,7 @@ import (
 	"reflect"
 	"testing"
 
+	"github.com/golang/mock/gomock"
 	"github.com/gorilla/schema"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -19,60 +20,34 @@ import (
 	"github.com/zitadel/oidc/v2/pkg/op/mock"
 )
 
-//
+func TestAuthorize(t *testing.T) {
-// TOOD: tests will be implemented in branch for service accounts
+	tests := []struct {
-// func TestAuthorize(t *testing.T) {
+		name   string
-//	// testCallback := func(t *testing.T, clienID string) callbackHandler {
+		req    *http.Request
-//	// 	return func(authReq *oidc.AuthRequest, client oidc.Client, w http.ResponseWriter, r *http.Request) {
+		expect func(a *mock.MockAuthorizerMockRecorder)
-//	// 		// require.Equal(t, clientID, client.)
+	}{
-//	// 	}
+		{
-//	// }
+			name: "parse error", // used to panic, see issue #315
-//	// testErr := func(t *testing.T, expected error) errorHandler {
+			req:  httptest.NewRequest(http.MethodPost, "/?;", nil),
-//	// 	return func(w http.ResponseWriter, r *http.Request, authReq *oidc.AuthRequest, err error) {
+		},
-//	// 		require.Equal(t, expected, err)
+	}
-//	// 	}
+	for _, tt := range tests {
-//	// }
+		t.Run(tt.name, func(t *testing.T) {
-//	type args struct {
+			w := httptest.NewRecorder()
-//		w          http.ResponseWriter
+			authorizer := mock.NewMockAuthorizer(gomock.NewController(t))
-//		r          *http.Request
+
-//		authorizer op.Authorizer
+			expect := authorizer.EXPECT()
-//	}
+			expect.Decoder().Return(schema.NewDecoder())
-//	tests := []struct {
+			expect.Encoder().Return(schema.NewEncoder())
-//		name string
+
-//		args args
+			if tt.expect != nil {
-//	}{
+				tt.expect(expect)
-//		{
+			}
-//			"parsing fails",
+
-//			args{
+			op.Authorize(w, tt.req, authorizer)
-//				httptest.NewRecorder(),
+		})
-//				&http.Request{Method: "POST", Body: nil},
+	}
-//				mock.NewAuthorizerExpectValid(t, true),
+}
-//				// testCallback(t, ""),
-//				// testErr(t, ErrInvalidRequest("cannot parse form")),
-//			},
-//		},
-//		{
-//			"decoding fails",
-//			args{
-//				httptest.NewRecorder(),
-//				func() *http.Request {
-//					r := httptest.NewRequest("POST", "/authorize", strings.NewReader("client_id=foo"))
-//					r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-//					return r
-//				}(),
-//				mock.NewAuthorizerExpectValid(t, true),
-//				// testCallback(t, ""),
-//				// testErr(t, ErrInvalidRequest("cannot parse auth request")),
-//			},
-//		},
-//		// {"decoding fails", args{httptest.NewRecorder(), &http.Request{}, mock.NewAuthorizerExpectValid(t), nil, testErr(t, nil)}},
-//	}
-//	for _, tt := range tests {
-//		t.Run(tt.name, func(t *testing.T) {
-//			op.Authorize(tt.args.w, tt.args.r, tt.args.authorizer)
-//		})
-//	}
-//}
 
 func TestParseAuthorizeRequest(t *testing.T) {
 	type args struct {