chore: resolve comments

canonical · Mar 12, 2024 · e2aff7a · e2aff7a
1 parent bd62680
commit e2aff7a
Show file tree

Hide file tree

Showing 11 changed files with 366 additions and 144 deletions.
diff --git a/compose/compose_oauth2.go b/compose/compose_oauth2.go
@@ -24,9 +24,12 @@ func OAuth2AuthorizeExplicitAuthFactory(config fosite.Configurator, storage inte
 func Oauth2AuthorizeExplicitTokenFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
 	return &oauth2.AuthorizeExplicitTokenEndpointHandler{
 		GenericCodeTokenEndpointHandler: oauth2.GenericCodeTokenEndpointHandler{
-			CodeTokenEndpointHandler: &oauth2.AuthorizeExplicitGrantTokenHandler{
+			AccessRequestValidator: &oauth2.AuthorizeExplicitGrantAccessRequestValidator{},
+			CodeHandler: &oauth2.AuthorizeCodeHandler{
 				AuthorizeCodeStrategy: strategy.(oauth2.AuthorizeCodeStrategy),
-				AuthorizeCodeStorage:  storage.(oauth2.AuthorizeCodeStorage),
+			},
+			SessionHandler: &oauth2.AuthorizeExplicitGrantSessionHandler{
+				AuthorizeCodeStorage: storage.(oauth2.AuthorizeCodeStorage),
 			},
 
 			AccessTokenStrategy:    strategy.(oauth2.AccessTokenStrategy),

diff --git a/compose/compose_rfc8628.go b/compose/compose_rfc8628.go
@@ -26,10 +26,13 @@ func RFC8628DeviceFactory(config fosite.Configurator, storage interface{}, strat
 func RFC8628DeviceAuthorizationTokenFactory(config fosite.Configurator, storage interface{}, strategy interface{}) interface{} {
 	return &rfc8628.DeviceCodeTokenEndpointHandler{
 		GenericCodeTokenEndpointHandler: oauth2.GenericCodeTokenEndpointHandler{
-			CodeTokenEndpointHandler: &rfc8628.DeviceTokenHandler{
+			AccessRequestValidator: &rfc8628.DeviceAccessRequestValidator{},
+			CodeHandler: &rfc8628.DeviceCodeHandler{
 				DeviceRateLimitStrategy: strategy.(rfc8628.DeviceRateLimitStrategy),
 				DeviceCodeStrategy:      strategy.(rfc8628.DeviceCodeStrategy),
-				DeviceCodeStorage:       storage.(rfc8628.DeviceCodeStorage),
+			},
+			SessionHandler: &rfc8628.DeviceSessionHandler{
+				DeviceCodeStorage: storage.(rfc8628.DeviceCodeStorage),
 			},
 
 			AccessTokenStrategy:    strategy.(oauth2.AccessTokenStrategy),

diff --git a/fosite_test.go b/fosite_test.go
@@ -26,7 +26,6 @@ func TestAuthorizeEndpointHandlers(t *testing.T) {
 }
 
 func TestTokenEndpointHandlers(t *testing.T) {
-	// h := &oauth2.AuthorizeExplicitGrantHandler{}
 	h := &oauth2.GenericCodeTokenEndpointHandler{}
 	hs := TokenEndpointHandlers{}
 	hs.Append(h)

diff --git a/handler.go b/handler.go
@@ -8,7 +8,7 @@ import (
 )
 
 type AuthorizeEndpointHandler interface {
-	// HandleAuthorizeEndpointRequest handles an authorize endpoint request. To extend the handler's capabilities, the http request
+	// HandleAuthorizeRequest handles an authorize endpoint request. To extend the handler's capabilities, the http request
 	// is passed along, if further information retrieval is required. If the handler feels that he is not responsible for
 	// the authorize request, he must return nil and NOT modify session nor responder neither requester.
 	//
@@ -31,12 +31,12 @@ type TokenEndpointHandler interface {
 	// the request, this method should return ErrUnknownRequest and otherwise handle the request.
 	HandleTokenEndpointRequest(ctx context.Context, requester AccessRequester) error
 
-	// CanSkipClientAuth indicates if client authentication can be skipped. By default, it MUST be false, unless you are
+	// CanSkipClientAuth indicates if client authentication can be skipped. By default it MUST be false, unless you are
 	// implementing extension grant type, which allows unauthenticated client. CanSkipClientAuth must be called
 	// before HandleTokenEndpointRequest to decide, if AccessRequester will contain authenticated client.
 	CanSkipClientAuth(ctx context.Context, requester AccessRequester) bool
 
-	// CanHandleTokenEndpointRequest indicates, if TokenEndpointHandler can handle this request or not. If true,
+	// CanHandleRequest indicates, if TokenEndpointHandler can handle this request or not. If true,
 	// HandleTokenEndpointRequest can be called.
 	CanHandleTokenEndpointRequest(ctx context.Context, requester AccessRequester) bool
 }
@@ -61,7 +61,7 @@ type RevocationHandler interface {
 
 // PushedAuthorizeEndpointHandler is the interface that handles PAR (https://datatracker.ietf.org/doc/html/rfc9126)
 type PushedAuthorizeEndpointHandler interface {
-	// HandlePushedAuthorizeEndpointRequest handles a pushed authorize endpoint request. To extend the handler's capabilities, the http request
+	// HandlePushedAuthorizeRequest handles a pushed authorize endpoint request. To extend the handler's capabilities, the http request
 	// is passed along, if further information retrieval is required. If the handler feels that he is not responsible for
 	// the pushed authorize request, he must return nil and NOT modify session nor responder neither requester.
 	HandlePushedAuthorizeEndpointRequest(ctx context.Context, requester AuthorizeRequester, responder PushedAuthorizeResponder) error

diff --git a/handler/oauth2/flow_authorize_code_token.go b/handler/oauth2/flow_authorize_code_token.go
@@ -6,54 +6,94 @@ package oauth2
 import (
 	"context"
 
+	"github.com/pkg/errors"
+
 	"github.com/ory/x/errorsx"
 
 	"github.com/ory/fosite"
 )
 
-// AuthorizeExplicitGrantTokenHandler is a response handler for the Authorize Code grant using the explicit grant type
-// as defined in https://tools.ietf.org/html/rfc6749#section-4.1
-type AuthorizeExplicitGrantTokenHandler struct {
+type AuthorizeCodeHandler struct {
 	AuthorizeCodeStrategy AuthorizeCodeStrategy
-	AuthorizeCodeStorage  AuthorizeCodeStorage
 }
 
-func (c AuthorizeExplicitGrantTokenHandler) ValidateGrantTypes(ctx context.Context, requester fosite.AccessRequester) error {
-	if !requester.GetClient().GetGrantTypes().Has("authorization_code") {
-		return errorsx.WithStack(fosite.ErrUnauthorizedClient.WithHint("The OAuth 2.0 Client is not allowed to use authorization grant \"authorization_code\"."))
-	}
-
-	return nil
+func (c AuthorizeCodeHandler) Code(ctx context.Context, requester fosite.AccessRequester) (code string, signature string, err error) {
+	code = requester.GetRequestForm().Get("code")
+	signature = c.AuthorizeCodeStrategy.AuthorizeCodeSignature(ctx, code)
+	return code, signature, nil
 }
 
-func (c AuthorizeExplicitGrantTokenHandler) ValidateCode(ctx context.Context, requester fosite.AccessRequester, code string) error {
+func (c AuthorizeCodeHandler) ValidateCode(ctx context.Context, requester fosite.AccessRequester, code string) error {
 	return c.AuthorizeCodeStrategy.ValidateAuthorizeCode(ctx, requester, code)
 }
 
-func (c AuthorizeExplicitGrantTokenHandler) GetCodeAndSession(ctx context.Context, requester fosite.AccessRequester) (code string, signature string, authorizeRequest fosite.Requester, err error) {
-	code = requester.GetRequestForm().Get("code")
-	signature = c.AuthorizeCodeStrategy.AuthorizeCodeSignature(ctx, code)
-	req, err := c.AuthorizeCodeStorage.GetAuthorizeCodeSession(ctx, signature, requester.GetSession())
-	return code, signature, req, err
+type AuthorizeExplicitGrantSessionHandler struct {
+	AuthorizeCodeStorage AuthorizeCodeStorage
 }
 
-func (c AuthorizeExplicitGrantTokenHandler) InvalidateSession(ctx context.Context, signature string) error {
-	return c.AuthorizeCodeStorage.InvalidateAuthorizeCodeSession(ctx, signature)
+func (s AuthorizeExplicitGrantSessionHandler) Session(ctx context.Context, requester fosite.AccessRequester, codeSignature string) (fosite.Requester, error) {
+	req, err := s.AuthorizeCodeStorage.GetAuthorizeCodeSession(ctx, codeSignature, requester.GetSession())
+
+	if err != nil && errors.Is(err, fosite.ErrInvalidatedAuthorizeCode) {
+		if req == nil {
+			return req, fosite.ErrServerError.
+				WithHint("Misconfigured code lead to an error that prohibited the OAuth 2.0 Framework from processing this request.").
+				WithDebug("\"GetAuthorizeCodeSession\" must return a value for \"fosite.Requester\" when returning \"ErrInvalidatedAuthorizeCode\".")
+		}
+
+		return req, err
+	}
+
+	if err != nil && errors.Is(err, fosite.ErrNotFound) {
+		return nil, errorsx.WithStack(fosite.ErrInvalidGrant.WithWrap(err).WithDebug(err.Error()))
+	}
+
+	if err != nil {
+		return nil, errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
+	}
+
+	return req, err
 }
 
-func (c AuthorizeExplicitGrantTokenHandler) CanSkipClientAuth(ctx context.Context, requester fosite.AccessRequester) bool {
-	return false
+func (s AuthorizeExplicitGrantSessionHandler) InvalidateSession(ctx context.Context, codeSignature string) error {
+	return s.AuthorizeCodeStorage.InvalidateAuthorizeCodeSession(ctx, codeSignature)
 }
 
-func (c AuthorizeExplicitGrantTokenHandler) CanHandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) bool {
+type AuthorizeExplicitGrantAccessRequestValidator struct{}
+
+func (v AuthorizeExplicitGrantAccessRequestValidator) ValidateRequest(requester fosite.AccessRequester) bool {
 	return requester.GetGrantTypes().ExactOne("authorization_code")
 }
 
+func (v AuthorizeExplicitGrantAccessRequestValidator) ValidateClientAuth(requester fosite.AccessRequester) bool {
+	return false
+}
+
+func (v AuthorizeExplicitGrantAccessRequestValidator) ValidateGrantTypes(requester fosite.AccessRequester) error {
+	if !requester.GetClient().GetGrantTypes().Has("authorization_code") {
+		return errorsx.WithStack(fosite.ErrUnauthorizedClient.WithHint("The OAuth 2.0 Client is not allowed to use authorization grant \"authorization_code\"."))
+	}
+
+	return nil
+}
+
+func (v AuthorizeExplicitGrantAccessRequestValidator) ValidateRedirectURI(accessRequester fosite.AccessRequester, authorizeRequester fosite.Requester) error {
+	forcedRedirectURI := authorizeRequester.GetRequestForm().Get("redirect_uri")
+	requestedRedirectURI := accessRequester.GetRequestForm().Get("redirect_uri")
+	if forcedRedirectURI != "" && forcedRedirectURI != requestedRedirectURI {
+		return errorsx.WithStack(fosite.ErrInvalidGrant.WithHint("The \"redirect_uri\" from this request does not match the one from the authorize request."))
+	}
+
+	return nil
+}
+
 type AuthorizeExplicitTokenEndpointHandler struct {
 	GenericCodeTokenEndpointHandler
 }
 
 var (
-	_ CodeTokenEndpointHandler    = (*AuthorizeExplicitGrantTokenHandler)(nil)
+	_ AccessRequestValidator      = (*AuthorizeExplicitGrantAccessRequestValidator)(nil)
+	_ CodeHandler                 = (*AuthorizeCodeHandler)(nil)
+	_ SessionHandler              = (*AuthorizeExplicitGrantSessionHandler)(nil)
 	_ fosite.TokenEndpointHandler = (*AuthorizeExplicitTokenEndpointHandler)(nil)
 )
diff --git a/handler/oauth2/flow_authorize_code_token_test.go b/handler/oauth2/flow_authorize_code_token_test.go
@@ -208,9 +208,12 @@ func TestAuthorizeCode_PopulateTokenEndpointResponse(t *testing.T) {
 						RefreshTokenScopes:       []string{"offline"},
 					}
 					h = GenericCodeTokenEndpointHandler{
-						CodeTokenEndpointHandler: &AuthorizeExplicitGrantTokenHandler{
+						AccessRequestValidator: &AuthorizeExplicitGrantAccessRequestValidator{},
+						CodeHandler: &AuthorizeCodeHandler{
 							AuthorizeCodeStrategy: strategy,
-							AuthorizeCodeStorage:  store,
+						},
+						SessionHandler: &AuthorizeExplicitGrantSessionHandler{
+							AuthorizeCodeStorage: store,
 						},
 						AccessTokenStrategy:  strategy,
 						RefreshTokenStrategy: strategy,
@@ -252,9 +255,12 @@ func TestAuthorizeCode_HandleTokenEndpointRequest(t *testing.T) {
 				AuthorizeCodeLifespan:    time.Minute,
 			}
 			h := GenericCodeTokenEndpointHandler{
-				CodeTokenEndpointHandler: &AuthorizeExplicitGrantTokenHandler{
+				AccessRequestValidator: &AuthorizeExplicitGrantAccessRequestValidator{},
+				CodeHandler: &AuthorizeCodeHandler{
 					AuthorizeCodeStrategy: strategy,
-					AuthorizeCodeStorage:  store,
+				},
+				SessionHandler: &AuthorizeExplicitGrantSessionHandler{
+					AuthorizeCodeStorage: store,
 				},
 				TokenRevocationStorage: store,
 				Config:                 config,
@@ -668,8 +674,11 @@ func TestAuthorizeCodeTransactional_HandleTokenEndpointRequest(t *testing.T) {
 				AuthorizeCodeLifespan:    time.Minute,
 			}
 			handler := GenericCodeTokenEndpointHandler{
-				CodeTokenEndpointHandler: &AuthorizeExplicitGrantTokenHandler{
+				AccessRequestValidator: &AuthorizeExplicitGrantAccessRequestValidator{},
+				CodeHandler: &AuthorizeCodeHandler{
 					AuthorizeCodeStrategy: &strategy,
+				},
+				SessionHandler: &AuthorizeExplicitGrantSessionHandler{
 					AuthorizeCodeStorage: authorizeTransactionalStore{
 						mockTransactional,
 						mockAuthorizeStore,

diff --git a/handler/oauth2/flow_generic_code_token.go b/handler/oauth2/flow_generic_code_token.go
@@ -18,31 +18,46 @@ import (
 	"github.com/ory/fosite"
 )
 
-// CodeTokenEndpointHandler handles the differences between Authorize code grant and extended grant types.
-type CodeTokenEndpointHandler interface {
-	// ValidateGrantTypes validates the authorization grant type.
-	ValidateGrantTypes(ctx context.Context, requester fosite.AccessRequester) error
+// AccessRequestValidator handles various validations in the access request handling.
+type AccessRequestValidator interface {
+	// ValidateRequest validates if the access request should be handled.
+	ValidateRequest(requester fosite.AccessRequester) bool
 
-	// ValidateCode validates the code used in the authorization flow.
-	ValidateCode(ctx context.Context, requester fosite.AccessRequester, code string) error
+	// ValidateClientAuth validates if the client authentication is required.
+	ValidateClientAuth(requester fosite.AccessRequester) bool
+
+	// ValidateGrantTypes validates the grant types in the access request.
+	ValidateGrantTypes(requester fosite.AccessRequester) error
 
-	// GetCodeAndSession retrieves the code, the code signature, and the request session.
-	GetCodeAndSession(ctx context.Context, requester fosite.AccessRequester) (code string, signature string, authorizeRequest fosite.Requester, err error)
+	// ValidateRedirectURI validates the redirect uri in the access request.
+	ValidateRedirectURI(accessRequester fosite.AccessRequester, authorizeRequester fosite.Requester) error
+}
 
-	// InvalidateSession invalidates the code once the code is used.
-	InvalidateSession(ctx context.Context, signature string) error
+// CodeHandler handles authorization/device code related operations.
+type CodeHandler interface {
+	// Code fetches the code and code signature.
+	Code(ctx context.Context, requester fosite.AccessRequester) (code string, signature string, err error)
+
+	// ValidateCode validates the code.
+	ValidateCode(ctx context.Context, requester fosite.AccessRequester, code string) error
+}
 
-	// CanSkipClientAuth indicates if client authentication can be skipped. By default, it MUST be false, unless you are
-	// implementing extension grant type, which allows unauthenticated client. CanSkipClientAuth must be called
-	// before HandleTokenEndpointRequest to decide, if AccessRequester will contain authenticated client.
-	CanSkipClientAuth(ctx context.Context, requester fosite.AccessRequester) bool
+// SessionHandler handles session-related operations.
+type SessionHandler interface {
+	// Session fetches the authorized request.
+	Session(ctx context.Context, requester fosite.AccessRequester, codeSignature string) (fosite.Requester, error)
 
-	// CanHandleTokenEndpointRequest indicates if GenericCodeTokenEndpointHandler can handle this request or not.
-	CanHandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) bool
+	// InvalidateSession invalidates the code and session.
+	InvalidateSession(ctx context.Context, codeSignature string) error
 }
 
+// GenericCodeTokenEndpointHandler is a token response handler for
+// - the Authorize Code grant using the explicit grant type as defined in https://tools.ietf.org/html/rfc6749#section-4.1
+// - the Device Authorization Grant as defined in https://www.rfc-editor.org/rfc/rfc8628
 type GenericCodeTokenEndpointHandler struct {
-	CodeTokenEndpointHandler
+	AccessRequestValidator
+	CodeHandler
+	SessionHandler
 
 	AccessTokenStrategy    AccessTokenStrategy
 	RefreshTokenStrategy   RefreshTokenStrategy
@@ -60,7 +75,12 @@ func (c *GenericCodeTokenEndpointHandler) PopulateTokenEndpointResponse(ctx cont
 		return errorsx.WithStack(fosite.ErrUnknownRequest)
 	}
 
-	code, signature, ar, err := c.GetCodeAndSession(ctx, requester)
+	code, signature, err := c.Code(ctx, requester)
+	if err != nil {
+		return err
+	}
+
+	ar, err := c.Session(ctx, requester, signature)
 	if err != nil {
 		return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
 	}
@@ -137,30 +157,21 @@ func (c *GenericCodeTokenEndpointHandler) HandleTokenEndpointRequest(ctx context
 		return errorsx.WithStack(errorsx.WithStack(fosite.ErrUnknownRequest))
 	}
 
-	if err := c.ValidateGrantTypes(ctx, requester); err != nil {
+	if err := c.ValidateGrantTypes(requester); err != nil {
 		return err
 	}
 
-	code, _, ar, err := c.GetCodeAndSession(ctx, requester)
+	code, signature, err := c.Code(ctx, requester)
 	if err != nil {
-		switch {
-		case errors.Is(err, fosite.ErrInvalidatedAuthorizeCode), errors.Is(err, fosite.ErrInvalidatedDeviceCode):
-			if ar == nil {
-				return fosite.ErrServerError.
-					WithHint("Misconfigured code lead to an error that prohibited the OAuth 2.0 Framework from processing this request.").
-					WithDebug("getCodeSession must return a value for \"fosite.Requester\" when returning \"ErrInvalidatedAuthorizeCode\" or \"ErrInvalidatedDeviceCode\".")
-			}
+		return err
+	}
 
-			return c.revokeTokens(ctx, requester.GetID())
-		case errors.Is(err, fosite.ErrAuthorizationPending):
-			return err
-		case errors.Is(err, fosite.ErrPollingRateLimited):
-			return errorsx.WithStack(err)
-		case errors.Is(err, fosite.ErrNotFound):
-			return errorsx.WithStack(fosite.ErrInvalidGrant.WithWrap(err).WithDebug(err.Error()))
-		default:
-			return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
-		}
+	ar, err := c.Session(ctx, requester, signature)
+	if ar != nil && err != nil && (errors.Is(err, fosite.ErrInvalidatedAuthorizeCode) || errors.Is(err, fosite.ErrInvalidatedDeviceCode)) {
+		return c.revokeTokens(ctx, requester.GetID())
+	}
+	if err != nil {
+		return err
 	}
 
 	if err = c.ValidateCode(ctx, requester, code); err != nil {
@@ -180,10 +191,8 @@ func (c *GenericCodeTokenEndpointHandler) HandleTokenEndpointRequest(ctx context
 		return errorsx.WithStack(fosite.ErrInvalidGrant.WithHint("The OAuth 2.0 Client ID from this request does not match the one from the authorize request."))
 	}
 
-	forcedRedirectURI := ar.GetRequestForm().Get("redirect_uri")
-	requestedRedirectURI := requester.GetRequestForm().Get("redirect_uri")
-	if forcedRedirectURI != "" && forcedRedirectURI != requestedRedirectURI {
-		return errorsx.WithStack(fosite.ErrInvalidGrant.WithHint("The \"redirect_uri\" from this request does not match the one from the authorize request."))
+	if err = c.ValidateRedirectURI(requester, ar); err != nil {
+		return err
 	}
 
 	// Checking of POST client_id skipped, because
@@ -204,11 +213,11 @@ func (c *GenericCodeTokenEndpointHandler) HandleTokenEndpointRequest(ctx context
 }
 
 func (c *GenericCodeTokenEndpointHandler) CanSkipClientAuth(ctx context.Context, requester fosite.AccessRequester) bool {
-	return c.CodeTokenEndpointHandler.CanSkipClientAuth(ctx, requester)
+	return c.ValidateClientAuth(requester)
 }
 
 func (c *GenericCodeTokenEndpointHandler) CanHandleTokenEndpointRequest(ctx context.Context, requester fosite.AccessRequester) bool {
-	return c.CodeTokenEndpointHandler.CanHandleTokenEndpointRequest(ctx, requester)
+	return c.ValidateRequest(requester)
 }
 
 func (c *GenericCodeTokenEndpointHandler) canIssueRefreshToken(ctx context.Context, requester fosite.Requester) bool {