blob: b73b17bcda5d6cecf86171424dfdc411df0bd1e2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
|
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using VPNAuth.Server.Database;
using VPNAuth.Server.Responses;
namespace VPNAuth.Server.Api;
public static class OAuth2
{
public static async Task AcceptAuthHandler(HttpContext context, int id)
{
using var db = new Database.Database();
var authRequest = db.AuthRequests.Find(id);
if (authRequest == null || authRequest.Accepted)
{
context.Response.StatusCode = StatusCodes.Status404NotFound;
return;
}
if (authRequest.Username != context.GetUser()?.Username)
{
context.Response.StatusCode = StatusCodes.Status403Forbidden;
return;
}
authRequest.Accepted = true;
db.SaveChanges();
var config = Config.Read();
context.Response.StatusCode = StatusCodes.Status302Found;
context.Response.Headers["Location"] = config.FindApp(authRequest.ClientId)!.RedirectUri!
+ "?code=" + authRequest.Code
+ "&state=" + authRequest.State;
}
// -> https://datatracker.ietf.org/doc/html/rfc7636#section-4.2
private static string HashCodeVerifier(string codeVerifier)
{
using var sha256 = SHA256.Create();
var removeCodeChallengeEnd = new Regex("=$");
var verifierBytes = Encoding.ASCII.GetBytes(codeVerifier);
var hashedVerifierBytes = sha256.ComputeHash(verifierBytes);
return removeCodeChallengeEnd.Replace(Convert.ToBase64String(hashedVerifierBytes), "")
.Replace("+", "-")
.Replace("/", "_");
}
public static async Task AccessTokenHandler(HttpContext context)
{
var config = Config.Read();
if (context.Request.Form["grant_type"] != "authorization_code")
{
context.Response.StatusCode = StatusCodes.Status400BadRequest;
return;
}
var clientSecret = config.FindApp(context.Request.Form["client_id"]!)!.Secret; // FIXME: null pointer
if (clientSecret != null && clientSecret != context.Request.Form["client_secret"])
{
context.Response.StatusCode = StatusCodes.Status403Forbidden;
return;
}
using var db = new Database.Database();
var authRequest = db.AuthRequests
.Where(request => request.Code == context.Request.Form["code"])
.ToList()
.FirstOrDefault();
if (authRequest == null)
{
context.Response.StatusCode = StatusCodes.Status404NotFound;
return;
}
if (!context.Request.Form.ContainsKey("code_verifier"))
{
context.Response.StatusCode = StatusCodes.Status400BadRequest;
return;
}
var expectedCodeChallenge = HashCodeVerifier(context.Request.Form["code_verifier"].ToString());
if (expectedCodeChallenge != authRequest.CodeChallenge)
{
context.Response.StatusCode = StatusCodes.Status403Forbidden;
return;
}
var accessTokenEntry = db.AccessTokens.Add(new AccessToken
{
ClientId = authRequest.ClientId,
Scopes = authRequest.Scopes,
CreationTime = DateTime.Now,
Token = PkceUtils.GenerateToken(),
Username = authRequest.Username
});
db.AuthRequests.Remove(authRequest);
db.SaveChanges();
await context.Response.WriteAsJsonAsync(new Token
{
AccessToken = accessTokenEntry.Entity.Token,
TokenType = "Bearer",
ExpiresIn = 604800 // 7 days
});
}
}
|
