Add HMAC protection on /approval endpoint
Signed-off-by: Bob Callaway <bcallaway@google.com>
This commit is contained in:
Bob Callaway
@@ -131,10 +131,11 @@ func (c *conn) CreateAuthRequest(a storage.AuthRequest) error {
|
||||
claims_email, claims_email_verified, claims_groups,
|
||||
connector_id, connector_data,
|
||||
expiry,
|
||||
code_challenge, code_challenge_method
|
||||
code_challenge, code_challenge_method,
|
||||
hmac_key
|
||||
)
|
||||
values (
|
||||
$1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20
|
||||
$1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21
|
||||
);
|
||||
`,
|
||||
a.ID, a.ClientID, encoder(a.ResponseTypes), encoder(a.Scopes), a.RedirectURI, a.Nonce, a.State,
|
||||
@@ -143,7 +144,7 @@ func (c *conn) CreateAuthRequest(a storage.AuthRequest) error {
|
||||
a.Claims.Email, a.Claims.EmailVerified, encoder(a.Claims.Groups),
|
||||
a.ConnectorID, a.ConnectorData,
|
||||
a.Expiry,
|
||||
a.PKCE.CodeChallenge, a.PKCE.CodeChallengeMethod,
|
||||
a.PKCE.CodeChallenge, a.PKCE.CodeChallengeMethod, a.HMACKey,
|
||||
)
|
||||
if err != nil {
|
||||
if c.alreadyExistsCheck(err) {
|
||||
@@ -175,8 +176,9 @@ func (c *conn) UpdateAuthRequest(id string, updater func(a storage.AuthRequest)
|
||||
claims_groups = $14,
|
||||
connector_id = $15, connector_data = $16,
|
||||
expiry = $17,
|
||||
code_challenge = $18, code_challenge_method = $19
|
||||
where id = $20;
|
||||
code_challenge = $18, code_challenge_method = $19,
|
||||
hmac_key = $20
|
||||
where id = $21;
|
||||
`,
|
||||
a.ClientID, encoder(a.ResponseTypes), encoder(a.Scopes), a.RedirectURI, a.Nonce, a.State,
|
||||
a.ForceApprovalPrompt, a.LoggedIn,
|
||||
@@ -185,7 +187,7 @@ func (c *conn) UpdateAuthRequest(id string, updater func(a storage.AuthRequest)
|
||||
encoder(a.Claims.Groups),
|
||||
a.ConnectorID, a.ConnectorData,
|
||||
a.Expiry,
|
||||
a.PKCE.CodeChallenge, a.PKCE.CodeChallengeMethod,
|
||||
a.PKCE.CodeChallenge, a.PKCE.CodeChallengeMethod, a.HMACKey,
|
||||
r.ID,
|
||||
)
|
||||
if err != nil {
|
||||
@@ -207,7 +209,7 @@ func getAuthRequest(q querier, id string) (a storage.AuthRequest, err error) {
|
||||
claims_user_id, claims_username, claims_preferred_username,
|
||||
claims_email, claims_email_verified, claims_groups,
|
||||
connector_id, connector_data, expiry,
|
||||
code_challenge, code_challenge_method
|
||||
code_challenge, code_challenge_method, hmac_key
|
||||
from auth_request where id = $1;
|
||||
`, id).Scan(
|
||||
&a.ID, &a.ClientID, decoder(&a.ResponseTypes), decoder(&a.Scopes), &a.RedirectURI, &a.Nonce, &a.State,
|
||||
@@ -216,7 +218,7 @@ func getAuthRequest(q querier, id string) (a storage.AuthRequest, err error) {
|
||||
&a.Claims.Email, &a.Claims.EmailVerified,
|
||||
decoder(&a.Claims.Groups),
|
||||
&a.ConnectorID, &a.ConnectorData, &a.Expiry,
|
||||
&a.PKCE.CodeChallenge, &a.PKCE.CodeChallengeMethod,
|
||||
&a.PKCE.CodeChallenge, &a.PKCE.CodeChallengeMethod, &a.HMACKey,
|
||||
)
|
||||
if err != nil {
|
||||
if err == sql.ErrNoRows {
|
||||
|
||||
@@ -281,4 +281,11 @@ var migrations = []migration{
|
||||
add column obsolete_token text default '';`,
|
||||
},
|
||||
},
|
||||
{
|
||||
stmts: []string{
|
||||
`
|
||||
alter table auth_request
|
||||
add column hmac_key bytea;`,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user