diff options
| author | Tim <contact@bytim.eu> | 2025-04-21 15:36:15 +0200 |
|---|---|---|
| committer | Tim <contact@bytim.eu> | 2025-04-21 15:36:15 +0200 |
| commit | a930e972917575c46ff9f59ab69d62be657ecac8 (patch) | |
| tree | 9f599d78ec8b89f5d09214d637f303340e68cf5a /VPNAuth.Server/Api/OAuth2.cs | |
| parent | 2d690226d9f86cc0fd50f8bfef87b883a7323355 (diff) | |
| download | VPNAuth-a930e972917575c46ff9f59ab69d62be657ecac8.tar.xz VPNAuth-a930e972917575c46ff9f59ab69d62be657ecac8.zip | |
Move api handler out of Program.cs
Diffstat (limited to 'VPNAuth.Server/Api/OAuth2.cs')
| -rw-r--r-- | VPNAuth.Server/Api/OAuth2.cs | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/VPNAuth.Server/Api/OAuth2.cs b/VPNAuth.Server/Api/OAuth2.cs new file mode 100644 index 0000000..63dc115 --- /dev/null +++ b/VPNAuth.Server/Api/OAuth2.cs @@ -0,0 +1,107 @@ +using System.Security.Cryptography; +using System.Text; +using System.Text.RegularExpressions; +using VPNAuth.Server.Database; +using VPNAuth.Server.Responses; + +namespace VPNAuth.Server.Api; + +public static class OAuth2 +{ + public static async Task AcceptAuthHandler(HttpContext context, int id) + { + using var db = new Database.Database(); + var authRequest = db.AuthRequests.Find(id); + if (authRequest == null || authRequest.Accepted) + { + context.Response.StatusCode = StatusCodes.Status404NotFound; + return; + } + + if (authRequest.Username != context.GetUser()?.Username) + { + context.Response.StatusCode = StatusCodes.Status403Forbidden; + return; + } + + authRequest.Accepted = true; + db.SaveChanges(); + + var config = Config.Read(); + context.Response.StatusCode = StatusCodes.Status302Found; + context.Response.Headers["Location"] = config.FindApp(authRequest.ClientId)!.RedirectUri! + + "?code=" + authRequest.Code + + "&state=" + authRequest.State; + } + + private static string HashCodeVerifier(string codeVerifier) + { + using var sha256 = SHA256.Create(); + var removeCodeChallengeEnd = new Regex("=$"); + + var verifierBytes = Encoding.ASCII.GetBytes(codeVerifier); + var hashedVerifierBytes = sha256.ComputeHash(verifierBytes); + return removeCodeChallengeEnd.Replace(Convert.ToBase64String(hashedVerifierBytes), "") + .Replace("+", "-") + .Replace("/", "_"); + } + + public static async Task AccessTokenHandler(HttpContext context) + { + var config = Config.Read(); + if (context.Request.Form["grant_type"] != "authorization_code") + { + context.Response.StatusCode = StatusCodes.Status400BadRequest; + return; + } + + var clientSecret = config.FindApp(context.Request.Form["client_id"]!)!.Secret; // FIXME: null pointer + if (clientSecret != null && clientSecret != context.Request.Form["client_secret"]) + { + context.Response.StatusCode = StatusCodes.Status403Forbidden; + return; + } + + using var db = new Database.Database(); + var authRequest = db.AuthRequests + .Where(request => request.Code == context.Request.Form["code"].ToString()) + .ToList() + .FirstOrDefault(); + if (authRequest == null) + { + context.Response.StatusCode = StatusCodes.Status404NotFound; + return; + } + + if (!context.Request.Form.ContainsKey("code_verifier")) + { + context.Response.StatusCode = StatusCodes.Status400BadRequest; + return; + } + + var expectedCodeChallenge = HashCodeVerifier(context.Request.Form["code_verifier"].ToString()); + + if (expectedCodeChallenge != authRequest.CodeChallenge) + { + context.Response.StatusCode = StatusCodes.Status403Forbidden; + return; + } + + var accessTokenEntry = db.AccessTokens.Add(new AccessToken + { + ClientId = authRequest.ClientId, + Scopes = authRequest.Scopes, + CreationTime = DateTime.Now, + Token = PkceUtils.GenerateToken(), + Username = authRequest.Username + }); + db.SaveChanges(); + + await context.Response.WriteAsJsonAsync(new Token + { + AccessToken = accessTokenEntry.Entity.Token, + TokenType = "Bearer", + Expires = 0 // TODO: change to actual value + }); + } +} |