Merge branch 'authorizerdev/authorizer:main' into main

2022-03-25 16:13:46 +03:00
parent 044b025ba2 41b5f00b83
commit 819dd57377
66 changed files with 3244 additions and 158 deletions
--- a/server/handlers/authorize.go
+++ b/server/handlers/authorize.go
@@ -1,6 +1,7 @@
 package handlers

 import (
+	"fmt"
 	"net/http"
 	"strconv"
 	"strings"
@@ -51,6 +52,8 @@ func AuthorizeHandler() gin.HandlerFunc {
 			gc.JSON(400, gin.H{"error": "invalid response mode"})
 		}

+		fmt.Println("=> redirect URI:", redirectURI)
+		fmt.Println("=> state:", state)
 		if redirectURI == "" {
 			redirectURI = "/app"
 		}
--- a/server/handlers/oauth_callback.go
+++ b/server/handlers/oauth_callback.go
@@ -71,6 +71,10 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 		existingUser, err := db.Provider.GetUserByEmail(user.Email)

 		if err != nil {
+			if envstore.EnvStoreObj.GetBoolStoreEnvVariable(constants.EnvKeyDisableSignUp) {
+				c.JSON(400, gin.H{"error": "signup is disabled for this instance"})
+				return
+			}
 			// user not registered, register user and generate session token
 			user.SignupMethods = provider
 			// make sure inputRoles don't include protected roles
@@ -91,9 +95,12 @@ func OAuthCallbackHandler() gin.HandlerFunc {
 			user.EmailVerifiedAt = &now
 			user, _ = db.Provider.AddUser(user)
 		} else {
+			if user.RevokedTimestamp != nil {
+				c.JSON(400, gin.H{"error": "user access has been revoked"})
+			}
+
 			// user exists in db, check if method was google
 			// if not append google to existing signup method and save it
-
 			signupMethod := existingUser.SignupMethods
 			if !strings.Contains(signupMethod, provider) {
 				signupMethod = signupMethod + "," + provider
--- a/server/handlers/oauth_login.go
+++ b/server/handlers/oauth_login.go
@@ -16,7 +16,11 @@ import (
 func OAuthLoginHandler() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		hostname := utils.GetHost(c)
+		// deprecating redirectURL instead use redirect_uri
 		redirectURI := strings.TrimSpace(c.Query("redirectURL"))
+		if redirectURI == "" {
+			redirectURI = strings.TrimSpace(c.Query("redirect_uri"))
+		}
 		roles := strings.TrimSpace(c.Query("roles"))
 		state := strings.TrimSpace(c.Query("state"))
 		scopeString := strings.TrimSpace(c.Query("scope"))
--- a/server/handlers/token.go
+++ b/server/handlers/token.go
@@ -111,8 +111,6 @@ func TokenHandler() gin.HandlerFunc {
 				return
 			}

-			// rollover the session for security
-			sessionstore.RemoveState(sessionDataSplit[1])
 			// validate session
 			claims, err := token.ValidateBrowserSession(gc, sessionDataSplit[1])
 			if err != nil {
@@ -122,6 +120,8 @@ func TokenHandler() gin.HandlerFunc {
 				})
 				return
 			}
+			// rollover the session for security
+			sessionstore.RemoveState(sessionDataSplit[1])
 			userID = claims.Subject
 			roles = claims.Roles
 			scope = claims.Scope