Make sure the client does not reuse the content of the response

This commit is contained in:
Ayato 2024-03-03 16:16:19 +09:00
parent 938be2529a
commit 8045e4b919
No known key found for this signature in database
GPG key ID: 56E05AE09DBA012D
2 changed files with 18 additions and 14 deletions


@ -469,13 +469,12 @@ func AuthResponseCode(w http.ResponseWriter, r *http.Request, authReq AuthReques
}
if authReq.GetResponseMode() == oidc.ResponseModeFormPost {
res, err := AuthResponseFormPost(authReq.GetRedirectURI(), &codeResponse, authorizer.Encoder())
err := AuthResponseFormPost(w, authReq.GetRedirectURI(), &codeResponse, authorizer.Encoder())
if err != nil {
AuthRequestError(w, r, authReq, err, authorizer)
return
}
res.WriteTo(w)
return
}
@ -501,13 +500,12 @@ func AuthResponseToken(w http.ResponseWriter, r *http.Request, authReq AuthReque
}
if authReq.GetResponseMode() == oidc.ResponseModeFormPost {
res, err := AuthResponseFormPost(authReq.GetRedirectURI(), resp, authorizer.Encoder())
err := AuthResponseFormPost(w, authReq.GetRedirectURI(), resp, authorizer.Encoder())
if err != nil {
AuthRequestError(w, r, authReq, err, authorizer)
return
}
res.WriteTo(w)
return
}
@ -568,11 +566,11 @@ var formPostHtmlTemplate string
var formPostTmpl = template.Must(template.New("form_post").Parse(formPostHtmlTemplate))
// AuthResponseFormPost responds a html page that automatically submits the form which contains the auth response parameters
func AuthResponseFormPost(redirectURI string, response any, encoder httphelper.Encoder) (*bytes.Buffer, error) {
func AuthResponseFormPost(res http.ResponseWriter, redirectURI string, response any, encoder httphelper.Encoder) error {
values := make(map[string][]string)
err := encoder.Encode(response, values)
if err != nil {
return nil, oidc.ErrServerError().WithParent(err)
return oidc.ErrServerError().WithParent(err)
}
params := &struct {
@ -586,10 +584,14 @@ func AuthResponseFormPost(redirectURI string, response any, encoder httphelper.E
var buf bytes.Buffer
err = formPostTmpl.Execute(&buf, params)
if err != nil {
return nil, oidc.ErrServerError().WithParent(err)
return oidc.ErrServerError().WithParent(err)
}
return &buf, nil
res.Header().Set("Cache-Control", "no-store")
res.WriteHeader(http.StatusOK)
buf.WriteTo(res)
return nil
}
func setFragment(uri *url.URL, params url.Values) string {
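Review bot: The new write path at the end of AuthResponseFormPost sets Cache-Control but never sets Content-Type, so the browser depends on net/http's sniffing of the first body bytes to treat the auto-submitting form as HTML; set it explicitly before WriteHeader, `res.Header().Set("Content-Type", "text/html; charset=utf-8")`, and since the body carries the code or token, consider `res.Header().Set("Pragma", "no-cache")` next to the Cache-Control header so HTTP/1.0 caches are covered as well. The return value of `buf.WriteTo(res)` is discarded; once WriteHeader has run the status cannot be changed, so either log the error or mark the discard with a comment such as `_, _ = buf.WriteTo(res) // status already sent; nothing left to report to the client`. The doc comment above the function still reads "responds a html page" and should now state that the function writes the page to res itself, marks it no-store, and must not touch res before the template executes, because both callers (AuthResponseCode and AuthResponseToken in the hunks above) fall through to AuthRequestError on a non-nil error and write their own response.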