From 0a83016b4bcb5ea577ac65bb6e8ed759050e95d4 Mon Sep 17 00:00:00 2001
From: Peter Sanchez
Date: Tue, 19 Dec 2023 13:35:45 -0600
Subject: [PATCH] Cleaning up revoke auth verification for unescaping data, etc.
---
 routes.go | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/routes.go b/routes.go
index 215ae70..70e3347 100644
--- a/routes.go
+++ b/routes.go
@@ -751,26 +751,33 @@ func (s *Service) RevokeTokenPOST(c echo.Context) error {
 return s.accessTokenError(c, "invalid_request",
 "Invalid Authorization header", 400)
 }
- z := strings.SplitN(header, " ", 2)
- if len(z) != 2 {
- return s.accessTokenError(c, "invalid_request",
+ parts := strings.SplitN(header, " ", 2)
+ if len(parts) != 2 || parts[0] != "Basic" {
+ return s.accessTokenError(c, "invalid_client",
 "Invalid Authorization header", 400)
 }
- if strings.ToLower(z[0]) != "basic" {
- return s.accessTokenError(c, "invalid_request",
+ bytes, err := base64.StdEncoding.DecodeString(parts[1])
+ if err != nil {
+ return s.accessTokenError(c, "invalid_client",
+ "Invalid Authorization header contents", 400)
+ }
+ auth := string(bytes)
+ if !strings.Contains(auth, ":") {
+ return s.accessTokenError(c, "invalid_client",
 "Invalid Authorization header", 400)
 }
- idsec, err := base64.StdEncoding.DecodeString(z[1])
+ parts = strings.SplitN(auth, ":", 2)
+ clientID, err := url.PathUnescape(parts[0])
 if err != nil {
- return s.accessTokenError(c, "invalid_request",
- "Invalid Authorization header", 400)
+ return s.accessTokenError(c, "invalid_client",
+ "Invalid Authorization header contents", 400)
 }
- z = strings.SplitN(string(idsec), ":", 2)
- if len(z) != 2 {
- return s.accessTokenError(c, "invalid_request",
- "Invalid Authorization header", 400)
+ clientSecret, err := url.PathUnescape(parts[1])
+ if err != nil {
+ return s.accessTokenError(c, "invalid_client",
+ "Invalid Authorization header contents", 400)
 }
- clientID, clientSecret := z[0], z[1]
+
 client, err := GetClientByID(c.Request().Context(), clientID)
 if err != nil {
 c.Response().Header().Set("WWW-Authenticate", "Basic")
-- 
2.45.2
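Review bot: The two `url.PathUnescape` calls decode the credentials with the wrong escaping rules: RFC 6749 §2.3.1 has the client_id and client_secret application/x-www-form-urlencoded before they are placed in the Basic header, so a `+` must decode to a space, which `PathUnescape` leaves literal and `QueryUnescape` handles; use `clientID, err := url.QueryUnescape(parts[0])` and `clientSecret, err := url.QueryUnescape(parts[1])`, otherwise a secret containing a space never matches. The new `parts[0] != "Basic"` check also makes the scheme match case-sensitive, whereas the removed `strings.ToLower` compare accepted any case and RFC 7235 defines the auth-scheme as case-insensitive; `if len(parts) != 2 || !strings.EqualFold(parts[0], "Basic") {` keeps the previous behaviour. The local named `bytes` shadows the standard `bytes` package wherever that is imported in this file; a name such as `raw` avoids the confusion. The header-parse failures answer 400 `invalid_client` without a `WWW-Authenticate` header while the client lookup failure just below sets one, so the same error code is reported two different ways; worth unifying, though that handling continues past the hunk. RevokeTokenPOST begins and ends outside this hunk.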