fix: add code to login query params

server/handlers/authorize.go

@@ -64,7 +64,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 
 		if err := validateAuthorizeRequest(responseType, responseMode, clientID, state, codeChallenge); err != nil {
 			log.Debug("invalid authorization request: ", err)
-			gc.JSON(http.StatusBadRequest, gin.H{"error": err})
+			gc.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 			return
 		}
 
@@ -77,21 +77,45 @@ func AuthorizeHandler() gin.HandlerFunc {
 			"redirect_uri":   redirectURI,
 		})
 
+		code := uuid.New().String()
+		memorystore.Provider.SetState(codeChallenge, code)
+
 		// used for response mode query or fragment
-		loginState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI
+		loginState := "state=" + state + "&scope=" + strings.Join(scope, " ") + "&redirect_uri=" + redirectURI + "&code=" + code
 		loginURL := "/app?" + loginState
+
 		if responseMode == constants.ResponseModeFragment {
 			loginURL = "/app#" + loginState
 		}
 
+		if state == "" {
+			handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
+				"type": "authorization_response",
+				"response": map[string]interface{}{
+					"error":             "state_required",
+					"error_description": "state is required",
+				},
+			}, http.StatusOK)
+			return
+		}
+
+		if responseType == constants.ResponseTypeCode && codeChallenge == "" {
+			handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
+				"type": "authorization_response",
+				"response": map[string]interface{}{
+					"error":             "code_challenge_required",
+					"error_description": "code challenge is required",
+				},
+			}, http.StatusOK)
+		}
+
 		loginError := map[string]interface{}{
 			"type": "authorization_response",
-			"response": map[string]string{
+			"response": map[string]interface{}{
 				"error":             "login_required",
 				"error_description": "Login is required",
 			},
 		}
-
 		sessionToken, err := cookie.GetSession(gc)
 		if err != nil {
 			log.Debug("GetSession failed: ", err)
@@ -106,13 +130,14 @@ func AuthorizeHandler() gin.HandlerFunc {
 			handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
 			return
 		}
+
 		userID := claims.Subject
 		user, err := db.Provider.GetUserByID(gc, userID)
 		if err != nil {
 			log.Debug("GetUserByID failed: ", err)
 			handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
 				"type": "authorization_response",
-				"response": map[string]string{
+				"response": map[string]interface{}{
 					"error":             "signup_required",
 					"error_description": "Sign up required",
 				},
@@ -125,17 +150,23 @@ func AuthorizeHandler() gin.HandlerFunc {
 			sessionKey = claims.LoginMethod + ":" + user.ID
 		}
 
+		nonce := uuid.New().String()
+		newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
+		if err != nil {
+			log.Debug("CreateSessionToken failed: ", err)
+			handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+			return
+		}
+
+		if err := memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken); err != nil {
+			log.Debug("SetState failed: ", err)
+			handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
+			return
+		}
+
 		// rollover the session for security
 		go memorystore.Provider.DeleteUserSession(sessionKey, claims.Nonce)
 		if responseType == constants.ResponseTypeCode {
-			nonce := uuid.New().String()
-			newSessionTokenData, newSessionToken, err := token.CreateSessionToken(user, nonce, claims.Roles, scope, claims.LoginMethod)
-			if err != nil {
-				log.Debug("CreateSessionToken failed: ", err)
-				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
-				return
-			}
-
 			if err := memorystore.Provider.SetUserSession(sessionKey, constants.TokenTypeSessionToken+"_"+newSessionTokenData.Nonce, newSessionToken); err != nil {
 				log.Debug("SetUserSession failed: ", err)
 				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
@@ -143,46 +174,42 @@ func AuthorizeHandler() gin.HandlerFunc {
 			}
 
 			cookie.SetSession(gc, newSessionToken)
-			code := uuid.New().String()
-			if err := memorystore.Provider.SetState(codeChallenge, code+"@"+newSessionToken); err != nil {
-				log.Debug("SetState failed: ", err)
-				handleResponse(gc, responseMode, loginURL, redirectURI, loginError, http.StatusOK)
-				return
-			}
 
 			// in case, response type is code and user is already logged in send the code and state
 			// and cookie session will already be rolled over and set
-			gc.HTML(http.StatusOK, authorizeWebMessageTemplate, gin.H{
-				"target_origin": redirectURI,
-				"authorization_response": map[string]interface{}{
-					"type": "authorization_response",
-					"response": map[string]string{
-						"code":  code,
-						"state": state,
-					},
+			// gc.HTML(http.StatusOK, authorizeWebMessageTemplate, gin.H{
+			// 	"target_origin": redirectURI,
+			// 	"authorization_response": map[string]interface{}{
+			// 		"type": "authorization_response",
+			// 		"response": map[string]string{
+			// 			"code":  code,
+			// 			"state": state,
+			// 		},
+			// 	},
+			// })
+
+			params := "code=" + code + "&state=" + state
+			if responseMode == constants.ResponseModeQuery {
+				if strings.Contains(redirectURI, "?") {
+					redirectURI = redirectURI + "&" + params
+				} else {
+					redirectURI = redirectURI + "?" + params
+				}
+			} else if responseMode == constants.ResponseModeFragment {
+				if strings.Contains(redirectURI, "#") {
+					redirectURI = redirectURI + "&" + params
+				} else {
+					redirectURI = redirectURI + "#" + params
+				}
+			}
+
+			handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
+				"type": "authorization_response",
+				"response": map[string]interface{}{
+					"code":  code,
+					"state": state,
 				},
-			})
-
-			// params := "code=" + code + "&state=" + state
-
-			// if responseMode == constants.ResponseModeQuery {
-			// 	if strings.Contains(redirectURI, "?") {
-			// 		redirectURI = redirectURI + "&" + params
-			// 	} else {
-			// 		redirectURI = redirectURI + "?" + params
-			// 	}
-			// } else if responseMode == constants.ResponseModeFragment {
-			// 	if strings.Contains(redirectURI, "#") {
-			// 		redirectURI = redirectURI + "&" + params
-			// 	} else {
-			// 		redirectURI = redirectURI + "#" + params
-			// 	}
-			// }
-
-			// handleResponse(gc, responseMode, loginURL, redirectURI, map[string]interface{}{
-			// 	"code":  code,
-			// 	"state": state,
-			// }, http.StatusOK)
+			}, http.StatusOK)
 
 			return
 		}
@@ -216,7 +243,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 			}
 
 			// used of query mode
-			params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token
+			params := "access_token=" + authToken.AccessToken.Token + "&token_type=bearer&expires_in=" + strconv.FormatInt(expiresIn, 10) + "&state=" + state + "&id_token=" + authToken.IDToken.Token + "&code=" + code
 
 			res := map[string]interface{}{
 				"access_token": authToken.AccessToken.Token,
@@ -225,6 +252,7 @@ func AuthorizeHandler() gin.HandlerFunc {
 				"scope":        scope,
 				"token_type":   "Bearer",
 				"expires_in":   expiresIn,
+				"code":         code,
 			}
 
 			if authToken.RefreshToken != nil {
@@ -267,24 +295,16 @@ func validateAuthorizeRequest(responseType, responseMode, clientID, state, codeC
 		return fmt.Errorf("invalid response mode %s. 'query', 'fragment', 'form_post' and 'web_message' are valid response_mode", responseMode)
 	}
 
-	if responseType == constants.ResponseTypeCode && strings.TrimSpace(codeChallenge) == "" {
-		return fmt.Errorf("code_challenge is required for %s '%s'", responseType, constants.ResponseTypeCode)
-	}
-
 	if client, err := memorystore.Provider.GetStringStoreEnvVariable(constants.EnvKeyClientID); client != clientID || err != nil {
 		return fmt.Errorf("invalid client_id %s", clientID)
 	}
 
-	if strings.TrimSpace(state) == "" {
-		return fmt.Errorf("state is required")
-	}
-
 	return nil
 }
 
 func handleResponse(gc *gin.Context, responseMode, loginURI, redirectURI string, data map[string]interface{}, httpStatusCode int) {
 	isAuthenticationRequired := false
-	if _, ok := data["error"]; ok {
+	if _, ok := data["response"].(map[string]interface{})["error"]; ok {
 		isAuthenticationRequired = true
 	}
 
@@ -305,7 +325,7 @@ func handleResponse(gc *gin.Context, responseMode, loginURI, redirectURI string,
 	case constants.ResponseModeFormPost:
 		gc.HTML(httpStatusCode, authorizeFormPostTemplate, gin.H{
 			"target_origin":          redirectURI,
-			"authorization_response": data,
+			"authorization_response": data["response"],
 		})
 		return
 	}

templates/authorize_form_post.tmpl

@@ -4,9 +4,9 @@
 		<title>Authorization Response</title>
 	</head>
 	<body onload="document.forms['authorize_form_post'].submit()">
-        <form action={{.target_origin}} name="authorize_form_post">
+        <form action="{{.target_origin}}" name="authorize_form_post" method="POST">
             {{ range $key, $val := .authorization_response }}
-                <input type="hidden" key={{$key}} value={{$val}} name={{$key}} id={{$key}} />
+                <input type="hidden" key="{{$key}}" value="{{$val}}" name="{{$key}}" id="{{$key}}" />
             {{ end }}
         </form>
 	</body>