nikdoof/rustical
1
1
Fork 0
mirror of https://github.com/lennart-k/rustical.git synced 2025-12-14 02:22:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

oidc: Add checking of state returned by IdP

Browse Source
This commit is contained in:
Lennart
2025-04-20 21:30:32 +02:00
parent 2c74d56f50
commit 5e4cdc6a12
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
crates/frontend/src/oidc/mod.rs
View File

@@ -131,6 +131,7 @@ pub async fn route_post_oidc(
pub struct AuthCallbackQuery { pub struct AuthCallbackQuery {
code: AuthorizationCode, code: AuthorizationCode,
iss: IssuerUrl, iss: IssuerUrl,
state: String,
} }
/// Handle callback from IdP page /// Handle callback from IdP page
@@ -139,7 +140,7 @@ pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(
oidc_config: Data<OidcConfig>, oidc_config: Data<OidcConfig>,
session: Session, session: Session,
auth_provider: Data<AP>, auth_provider: Data<AP>,
Query(AuthCallbackQuery { code, iss }): Query<AuthCallbackQuery>, Query(AuthCallbackQuery { code, iss, state }): Query<AuthCallbackQuery>,
default_redirect_name: Data<DefaultRedirectRouteName>, default_redirect_name: Data<DefaultRedirectRouteName>,
) -> Result<impl Responder, OidcError> { ) -> Result<impl Responder, OidcError> {
assert_eq!(iss, oidc_config.issuer); assert_eq!(iss, oidc_config.issuer);
@@ -148,6 +149,8 @@ pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(
.ok_or(OidcError::Other("No local OIDC state"))? .ok_or(OidcError::Other("No local OIDC state"))?
.map_err(|_| OidcError::Other("Error parsing OIDC state"))?; .map_err(|_| OidcError::Other("Error parsing OIDC state"))?;
assert_eq!(oidc_state.state.secret(), &state);
let http_client = get_http_client(); let http_client = get_http_client();
let oidc_client = get_oidc_client( let oidc_client = get_oidc_client(
oidc_config.get_ref().clone(), oidc_config.get_ref().clone(),