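package controllers

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"strconv"
	"time"

	"code.crute.us/mcrute/ssh-proxy/app"
	"code.crute.us/mcrute/ssh-proxy/app/models"

	"github.com/labstack/echo/v4"
)

// badRequest answers with HTTP 400 and an OAuth2 error body. e selects
// the error code and d is the optional human-readable description
// (callers pass "" when they have nothing to add).
func badRequest(c echo.Context, e models.AuthorizationError, d string) error {
	return c.JSON(http.StatusBadRequest, models.Oauth2Error{
		Type:        e,
		Description: d,
	})
}

// scopeAllowed reports whether s is one of the scopes this controller
// is willing to grant; anything else is rejected with invalid_scope.
func scopeAllowed(s string) bool {
	switch s {
	case "ssh:proxy", "ca:issue":
		return true
	}
	return false
}

// OAuth2DeviceController implements the server side of the OAuth 2.0
// device authorization flow: HandleStart issues a device/user code pair
// and HandleToken exchanges the device code for an access token once
// the user has approved the session.
type OAuth2DeviceController[T app.AppSession] struct {
	Logger       echo.Logger
	OauthClients models.OauthClientStore
	AuthSessions models.AuthSessionStore
	// Hostname is used verbatim as the prefix of the "/login"
	// verification URIs returned to the device, so it should carry no
	// trailing slash.
	Hostname string
	// PollSeconds is returned to the device as the polling interval.
	PollSeconds int
	// SessionExpiration bounds how long a started flow stays valid.
	SessionExpiration time.Duration
}

// HandleStart implements the device authorization request, the first
// step of the device flow. It validates the client, the PKCE challenge
// and the requested scopes, persists a new auth session and returns
// the device/user code pair the device shows to the user.
//
// Validation failures are answered with a 400 and an OAuth2 error
// body; a storage failure while persisting the session yields an empty
// 500.
func (a *OAuth2DeviceController[T]) HandleStart(c echo.Context) error {
	ctx := c.Request().Context()

	var form models.AuthorizationRequest
	if err := (&echo.DefaultBinder{}).BindBody(c, &form); err != nil {
		a.Logger.Errorf("Unable to parse form data: %s", err)
		return badRequest(c, models.ErrInvalidRequest, "")
	}

	client, err := a.OauthClients.Get(ctx, form.ClientId)
	if err != nil {
		a.Logger.Errorf("Unable to find client ID '%s': %s", form.ClientId, err)
		return badRequest(c, models.ErrUnauthorizedClient, "")
	}

	// A challenge of exactly 16 bytes is rejected as well (the length
	// must exceed 16); the description now says so instead of claiming
	// 16 is the minimum. NOTE(review): RFC 7636 fixes an S256
	// code_challenge at 43 base64url characters, so this bound is
	// looser than the spec; tightening it is a behaviour change left to
	// the maintainers.
	if len(form.Challenge) <= 16 {
		return badRequest(c, models.ErrInvalidRequest, "code_challenge is too short, must be longer than 16 bytes")
	}
	if form.ChallengeMethod != models.ChallengeS256 {
		return badRequest(c, models.ErrInvalidRequest, "code_challenge_method invalid, only S256 supported")
	}

	session := models.NewAuthSession(client.Id, time.Now().Add(a.SessionExpiration))
	session.SetChallenge(form.Challenge, form.ChallengeMethod)
	session.SetScopeString(form.Scope)

	if !session.HasAnyScopes() {
		return badRequest(c, models.ErrInvalidRequest, "one or more scopes required")
	}
	for _, s := range session.Scope {
		if !scopeAllowed(s) {
			return badRequest(c, models.ErrInvalidScope, fmt.Sprintf("scope %s is not recognized", s))
		}
	}

	if err := a.AuthSessions.Insert(ctx, session); err != nil {
		// The previous format string had no verb for err, so the cause
		// never reached the log (and go vet flagged the call).
		a.Logger.Errorf("Error inserting auth session: %s", err)
		return c.NoContent(http.StatusInternalServerError)
	}

	// UserCode is generated server-side by NewAuthSession and is
	// interpolated unescaped into the query string — assumes it is
	// URL-safe; confirm against models.
	return c.JSON(http.StatusOK, models.DeviceAuthorizationResponse{
		DeviceCode:              session.DeviceCode,
		UserCode:                session.UserCode,
		VerificationUri:         fmt.Sprintf("%s/login", a.Hostname),
		VerificationUriComplete: fmt.Sprintf("%s/login?code=%s", a.Hostname, session.UserCode),
		ExpiresIn:               int(time.Until(session.Expires).Seconds()),
		Interval:                a.PollSeconds,
	})
}

// HandleToken implements the device access token request, the polling
// step of the device flow. It looks up the auth session by device code,
// checks the grant type, client, expiry and PKCE verifier, and returns
// the access token once the user has approved the session.
//
// Rejections are 400 responses with an OAuth2 error code; a device
// code with no session yields an empty 404.
func (a *OAuth2DeviceController[T]) HandleToken(c echo.Context) error {
	ctx := c.Request().Context()

	var form models.DeviceAccessTokenRequest
	if err := (&echo.DefaultBinder{}).BindBody(c, &form); err != nil {
		a.Logger.Errorf("Unable to parse form data: %s", err)
		return badRequest(c, models.ErrInvalidRequest, "")
	}

	// NOTE(review): the lookup error is discarded, so a storage outage
	// is indistinguishable from an unknown code here. RFC 8628 §3.5
	// also expects an unknown device_code to be reported as a 400
	// invalid_grant like the other rejections below rather than a 404;
	// kept as-is because clients may depend on the status.
	session, err := a.AuthSessions.Get(ctx, form.DeviceCode)
	if err != nil {
		return c.NoContent(http.StatusNotFound)
	}

	if form.GrantType != models.DEVICE_CODE_GRANT_TYPE {
		return badRequest(c, models.ErrUnsupportedGrantType, "")
	}
	// Constant-time compare so the client id check does not leak
	// through timing.
	if subtle.ConstantTimeCompare([]byte(session.ClientId), []byte(form.ClientId)) != 1 {
		return badRequest(c, models.ErrUnauthorizedClient, "")
	}
	if time.Now().After(session.Expires) {
		return badRequest(c, models.ErrExpiredToken, "")
	}

	// RFC 7636 §4.6: reject with invalid_grant when the verifier does
	// not match the stored challenge. NOTE(review): this branch rejects
	// when EqualString returns true, which is only correct if
	// EqualString reports a mismatch. Confirm its polarity against
	// models.PKCEChallenge — if it reports equality this check is
	// inverted. Left unchanged pending that confirmation.
	verifier := &models.PKCEChallenge{Verifier: form.CodeVerifier}
	if verifier.EqualString(session.Challenge) {
		return badRequest(c, models.ErrInvalidGrant, "") // Per RFC7636 4.6
	}

	// Registration sessions are never exchanged for tokens here.
	if session.IsRegistration {
		return badRequest(c, models.ErrInvalidGrant, "")
	}
	// An empty access code means the user has not approved yet.
	if session.AccessCode == "" {
		return badRequest(c, models.ErrAuthorizationPending, "")
	}

	return c.JSON(http.StatusOK, models.AccessTokenResponse{
		AccessToken: session.AccessCode,
		TokenType:   "Bearer",
		ExpiresIn:   strconv.FormatInt(int64(time.Until(session.Expires).Seconds()), 10),
	})
}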