
Extract client_id from HTTP referer #55

Closed · 9 tasks done
nelsonic opened this issue Apr 28, 2020 · 3 comments

Labels: enhancement (New feature or enhancement of existing functionality), priority-2 (Second highest priority, should be worked on as soon as the Priority-1 issues are finished), T4h (Time Estimate 4 Hours), technical (A technical issue that requires understanding of the code, infrastructure or dependencies)

Comments

nelsonic (Member) commented Apr 28, 2020

auth_plug sends the client_id to the auth_url when no valid JWT is found: lib/auth_plug.ex#L167
We need to verify the client_id (decode_decrypt/1 followed by lookup in apikeys)
and if the client_id is valid, use the client_secret to sign the JWT on successful authentication.

Todo

  • Extract the client_id from the HTTP referer
    • Check if the client_id is valid before displaying the "login buttons" page
      • If client_id not valid, return a friendly Error: 401: AUTH_API_KEY not valid
  • Include the client_id in the state prop that gets sent to GitHub/Google
    I checked and it's RFC3986 compliant to have multiple question marks in a URL Query:
    https://stackoverflow.com/questions/2924160/is-it-valid-more-than-one-question-mark-in-a-url
  • Extract the client_id from the state (returned by Auth Provider)
  • Confirm that it's still valid (not altered by the Auth Provider > decode_decrypt/1)
  • Lookup the client_id in apikeys
  • Use corresponding client_secret to sign JWT
  • Redirect back to original HTTP referer with JWT

With the completion of this issue Auth dwyl/app#268 will be fully functional!
Let's get it done!
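The flow in the todo list above, as one added, self-contained Elixir illustration (not auth_plug's own code). The apikeys map, the 32-byte key, the AES-GCM stand-ins for decode_decrypt/1 and its encrypting counterpart, and the minimal HS256 signer are constructed for the example; it also assumes the original referer is kept server-side between the login request and the provider callback.

```elixir
defmodule ClientIdFlow do
  # Constructed apikeys table (client_id => client_secret) and constructed server-side key.
  @apikeys %{"acme-app" => "acme-client-secret"}
  @key :crypto.strong_rand_bytes(32)
  @unauthorized {:error, "401: AUTH_API_KEY not valid"}
  # Encrypt side, AES-256-GCM: a token altered anywhere (e.g. by the Auth Provider) fails to decrypt.
  def encode_encrypt(plain) do
    iv = :crypto.strong_rand_bytes(12)
    {ct, tag} = :crypto.crypto_one_time_aead(:aes_256_gcm, @key, iv, plain, "", true)
    Base.url_encode64(iv <> tag <> ct, padding: false)
  end
  # Stand-in for decode_decrypt/1: {:ok, client_id}, or :error if the token was altered.
  def decode_decrypt(token) do
    with {:ok, <<iv::binary-size(12), tag::binary-size(16), ct::binary>>} <- Base.url_decode64(token, padding: false),
         plain when is_binary(plain) <- :crypto.crypto_one_time_aead(:aes_256_gcm, @key, iv, ct, "", tag, false),
         do: {:ok, plain},
         else: (_ -> :error)
  end
  # Decrypt, then look the id up in apikeys; anything else gets the friendly 401.
  def validate(token) do
    with {:ok, id} <- decode_decrypt(token),
         {:ok, secret} <- Map.fetch(@apikeys, id),
         do: {:ok, id, secret},
         else: (_ -> @unauthorized)
  end
  # Steps 1 to 3: read client_id from the referer's query, validate it before showing the
  # login buttons, and forward the still-encrypted token to the provider as the OAuth state.
  def login_url(referer, provider_url) do
    with %URI{query: q} when is_binary(q) <- URI.parse(referer),
         {:ok, token} <- Map.fetch(URI.decode_query(q), "client_id"),
         {:ok, _id, _secret} <- validate(token),
         do: {:ok, provider_url <> "?" <> URI.encode_query(%{"state" => token})},
         else: (_ -> @unauthorized)
  end
  # Steps 4 to 8: re-validate the echoed state, sign a JWT with the matching client_secret,
  # and append it to the referer, which already carries its own "?client_id=..." query.
  def callback(state, referer) do
    with {:ok, id, secret} <- validate(state) do
      sep = if URI.parse(referer).query, do: "&", else: "?"
      {:ok, referer <> sep <> URI.encode_query(%{"jwt" => sign(~s({"client_id":"#{id}"}), secret)})}
    end
  end
  # Minimal HS256 JWT, standing in for the project's JWT library.
  defp sign(payload, secret) do
    b64 = &Base.url_encode64(&1, padding: false)
    data = b64.(~s({"alg":"HS256","typ":"JWT"})) <> "." <> b64.(payload)
    data <> "." <> b64.(:crypto.mac(:hmac, :sha256, secret, data))
  end
end
```

To walk the flow in iex: build a referer with `"https://app.example?client_id=" <> ClientIdFlow.encode_encrypt("acme-app")`, pass it to `login_url/2`, then feed the resulting state and the same referer to `callback/2`; flipping one character of the state yields the 401 instead of a JWT.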

nelsonic added the enhancement, priority-2, T4h and technical labels Apr 28, 2020
nelsonic self-assigned this Apr 28, 2020

nelsonic (Member, Author) commented

true

nelsonic (Member, Author) commented

Extracting the client_id from the URL query params works:
[screenshot]

nelsonic (Member, Author) commented

This is working. ✅
See: #43
