Properly handle cb errors

2023-04-25 18:28:45 +02:00 · 2023-04-25 18:28:45 +02:00 · 38e7c96d20
commit 38e7c96d20
parent 2cca64f9b8
2 changed files with 33 additions and 7 deletions
--- a/src/controllers/providers_controller.rs
+++ b/src/controllers/providers_controller.rs
@ -23,8 +23,8 @@ struct ProviderLoginError<'a> {
 }

 impl<'a> ProviderLoginError<'a> {
-    pub fn get(message: &'a str, redirect_uri: &'a LoginRedirect) -> String {
-        Self {
+    pub fn get(message: &'a str, redirect_uri: &'a LoginRedirect) -> HttpResponse {
+        let body = Self {
            _p: BaseLoginPage {
                danger: None,
                success: None,
@ -35,7 +35,11 @@ impl<'a> ProviderLoginError<'a> {
            message,
        }
        .render()
-        .unwrap()
+        .unwrap();
+
+        HttpResponse::Unauthorized()
+            .content_type("text/html")
+            .body(body)
    }
 }

@ -135,10 +139,11 @@ pub async fn finish_login(
                .map(|e| e.error_description.unwrap_or(e.error))
                .unwrap_or("Authentication failed (unspecified error)!".to_string());

-            return HttpResponse::Unauthorized().body(ProviderLoginError::get(
-                &error_message,
-                &LoginRedirect::default(),
-            ));
+            logger.log(Action::ProviderError {
+                message: error_message.as_str(),
+            });
+
+            return ProviderLoginError::get(&error_message, &LoginRedirect::default());
        }
    };

@ -151,6 +156,17 @@ pub async fn finish_login(
        .await
        .unwrap();

+    let state = match state {
+        Some(s) => s,
+        None => {
+            logger.log(Action::ProviderCBInvalidState {
+                state: query.state.as_str(),
+            });
+            log::warn!("User returned invalid state!");
+            return ProviderLoginError::get("Invalid state!", &LoginRedirect::default());
+        }
+    };
+
    // TODO : rate limiting
    // TODO : finish login, get user information
    // TODO : check token signature
--- a/src/data/action_logger.rs
+++ b/src/data/action_logger.rs
@ -32,6 +32,12 @@ pub enum Action<'a> {
        provider_id: &'a ProviderID,
        state: &'a str,
    },
+    ProviderError {
+        message: &'a str,
+    },
+    ProviderCBInvalidState {
+        state: &'a str,
+    },
    Signout,
    UserNeed2FAOnLogin(&'a User),
    UserSuccessfullyAuthenticated(&'a User),
@ -98,6 +104,10 @@ impl<'a> Action<'a> {
            Action::StartLoginAttemptWithOpenIDProvider { provider_id, state } => format!(
                "started new authentication attempt through an OpenID provider (prov={} / state={state})", provider_id.0
            ),
+            Action::ProviderError { message } =>
+                format!("failed provider authentication with message '{message}'"),
+            Action::ProviderCBInvalidState { state } =>
+                format!("provided invalid callback state after provider authentication: '{state}'"),
            Action::Signout => "signed out".to_string(),
            Action::UserNeed2FAOnLogin(user) => {
                format!(