fix: address OAuth review findings (redirect_uri, binding, timeout, CRLF, DRY)
This commit is contained in:
@@ -4,6 +4,8 @@ import android.content.Context
|
||||
import android.content.Intent
|
||||
import android.net.Uri
|
||||
import kotlinx.coroutines.CompletableDeferred
|
||||
import kotlinx.coroutines.TimeoutCancellationException
|
||||
import kotlinx.coroutines.withTimeout
|
||||
|
||||
class AndroidOAuthClient(private val context: Context) : OAuthClient {
|
||||
|
||||
@@ -17,15 +19,20 @@ class AndroidOAuthClient(private val context: Context) : OAuthClient {
|
||||
}
|
||||
context.startActivity(intent)
|
||||
|
||||
val callbackUri = OAuthCallbackHolder.deferred?.await() ?: return null
|
||||
|
||||
val fragment = callbackUri.fragment ?: return null
|
||||
val params = fragment.split("&").associate { pair ->
|
||||
val idx = pair.indexOf("=")
|
||||
if (idx >= 0) pair.substring(0, idx) to pair.substring(idx + 1)
|
||||
else pair to ""
|
||||
return try {
|
||||
withTimeout(TIMEOUT_MS) {
|
||||
val callbackUri = OAuthCallbackHolder.deferred?.await() ?: return@withTimeout null
|
||||
parseAccessTokenFromFragment(callbackUri.fragment ?: "")
|
||||
}
|
||||
return params["access_token"]
|
||||
} catch (e: TimeoutCancellationException) {
|
||||
null
|
||||
} finally {
|
||||
OAuthCallbackHolder.deferred = null
|
||||
}
|
||||
}
|
||||
|
||||
companion object {
|
||||
private const val TIMEOUT_MS = 5L * 60 * 1000
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,10 @@
|
||||
package ch.parano.myice.auth
|
||||
|
||||
internal fun parseAccessTokenFromFragment(fragment: String): String? {
|
||||
val params = fragment.split("&").associate { pair ->
|
||||
val idx = pair.indexOf("=")
|
||||
if (idx >= 0) pair.substring(0, idx) to pair.substring(idx + 1)
|
||||
else pair to ""
|
||||
}
|
||||
return params["access_token"]
|
||||
}
|
||||
@@ -8,23 +8,23 @@ import java.io.PrintWriter
|
||||
import java.net.InetSocketAddress
|
||||
import java.net.ServerSocket
|
||||
import java.net.URI
|
||||
import java.net.URLDecoder
|
||||
import java.net.URLEncoder
|
||||
import kotlin.concurrent.thread
|
||||
|
||||
class DesktopOAuthClient : OAuthClient {
|
||||
|
||||
private var serverPort: Int = 0
|
||||
|
||||
override fun redirectUri(): String = "http://localhost:$serverPort/callback"
|
||||
override fun redirectUri(): String = "myice://callback"
|
||||
|
||||
override suspend fun authenticate(loginUrl: String): String? {
|
||||
val server = ServerSocket()
|
||||
server.bind(InetSocketAddress(0))
|
||||
serverPort = server.localPort
|
||||
server.bind(InetSocketAddress("127.0.0.1", 0))
|
||||
val serverPort = server.localPort
|
||||
|
||||
val redirectUri = "http://localhost:$serverPort/callback"
|
||||
val fullLoginUrl = loginUrl + "&redirect_uri=" + URLEncoder.encode(redirectUri, "UTF-8")
|
||||
val realRedirectUri = "http://localhost:$serverPort/callback"
|
||||
val fullLoginUrl = loginUrl.replace(
|
||||
"redirect_uri=myice://callback",
|
||||
"redirect_uri=" + URLEncoder.encode(realRedirectUri, "UTF-8")
|
||||
)
|
||||
|
||||
val deferred = CompletableDeferred<String?>()
|
||||
|
||||
@@ -47,28 +47,22 @@ class DesktopOAuthClient : OAuthClient {
|
||||
</script>
|
||||
</body></html>
|
||||
""".trimIndent()
|
||||
writer.println("HTTP/1.1 200 OK")
|
||||
writer.println("Content-Type: text/html")
|
||||
writer.println("Connection: close")
|
||||
writer.println()
|
||||
writer.println(html)
|
||||
writer.print("HTTP/1.1 200 OK\r\n")
|
||||
writer.print("Content-Type: text/html\r\n")
|
||||
writer.print("Connection: close\r\n")
|
||||
writer.print("\r\n")
|
||||
writer.print(html)
|
||||
writer.flush()
|
||||
} else if (path.startsWith("/token")) {
|
||||
val query = path.substringAfter("?")
|
||||
val params = query.split("&").associate { pair ->
|
||||
val idx = pair.indexOf("=")
|
||||
if (idx >= 0) {
|
||||
pair.substring(0, idx) to URLDecoder.decode(pair.substring(idx + 1), "UTF-8")
|
||||
} else pair to ""
|
||||
}
|
||||
val token = params["access_token"]
|
||||
val token = parseAccessTokenFromFragment(query)
|
||||
deferred.complete(token)
|
||||
|
||||
writer.println("HTTP/1.1 200 OK")
|
||||
writer.println("Content-Type: text/html")
|
||||
writer.println("Connection: close")
|
||||
writer.println()
|
||||
writer.println("<html><body><h1>Authentication complete. You can close this window.</h1></body></html>")
|
||||
writer.print("HTTP/1.1 200 OK\r\n")
|
||||
writer.print("Content-Type: text/html\r\n")
|
||||
writer.print("Connection: close\r\n")
|
||||
writer.print("\r\n")
|
||||
writer.print("<html><body><h1>Authentication complete. You can close this window.</h1></body></html>")
|
||||
writer.flush()
|
||||
socket.close()
|
||||
break
|
||||
@@ -82,8 +76,17 @@ class DesktopOAuthClient : OAuthClient {
|
||||
}
|
||||
}
|
||||
|
||||
try {
|
||||
Desktop.getDesktop().browse(URI(fullLoginUrl))
|
||||
} catch (e: Exception) {
|
||||
server.close()
|
||||
return null
|
||||
}
|
||||
|
||||
return deferred.await()
|
||||
return try {
|
||||
deferred.await()
|
||||
} finally {
|
||||
server.close()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,9 @@
|
||||
package ch.parano.myice.auth
|
||||
|
||||
import kotlinx.cinterop.ExperimentalForeignApi
|
||||
import kotlinx.coroutines.TimeoutCancellationException
|
||||
import kotlinx.coroutines.suspendCancellableCoroutine
|
||||
import kotlinx.coroutines.withTimeout
|
||||
import platform.AuthenticationServices.ASWebAuthenticationPresentationContextProvidingProtocol
|
||||
import platform.AuthenticationServices.ASWebAuthenticationSession
|
||||
import platform.Foundation.NSError
|
||||
@@ -10,17 +13,18 @@ import platform.UIKit.UIWindow
|
||||
import platform.UIKit.UIWindowScene
|
||||
import platform.darwin.NSObject
|
||||
import kotlin.coroutines.resume
|
||||
import kotlin.coroutines.suspendCoroutine
|
||||
|
||||
@OptIn(ExperimentalForeignApi::class)
|
||||
class IosOAuthClient : OAuthClient {
|
||||
|
||||
override fun redirectUri(): String = "myice://callback"
|
||||
|
||||
override suspend fun authenticate(loginUrl: String): String? = suspendCoroutine { continuation ->
|
||||
override suspend fun authenticate(loginUrl: String): String? = try {
|
||||
withTimeout(TIMEOUT_MS) {
|
||||
suspendCancellableCoroutine { continuation ->
|
||||
val nsUrl = NSURL.URLWithString(loginUrl) ?: run {
|
||||
continuation.resume(null)
|
||||
return@suspendCoroutine
|
||||
return@suspendCancellableCoroutine
|
||||
}
|
||||
|
||||
val session = ASWebAuthenticationSession(
|
||||
@@ -36,12 +40,7 @@ class IosOAuthClient : OAuthClient {
|
||||
continuation.resume(null)
|
||||
} else {
|
||||
val fragment = urlStr.substring(fragmentIndex + 1)
|
||||
val params = fragment.split("&").associate { pair ->
|
||||
val idx = pair.indexOf("=")
|
||||
if (idx >= 0) pair.substring(0, idx) to pair.substring(idx + 1)
|
||||
else pair to ""
|
||||
}
|
||||
continuation.resume(params["access_token"])
|
||||
continuation.resume(parseAccessTokenFromFragment(fragment))
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -56,12 +55,21 @@ class IosOAuthClient : OAuthClient {
|
||||
}
|
||||
}
|
||||
|
||||
continuation.invokeOnCancellation { session.cancel() }
|
||||
session.start()
|
||||
}
|
||||
}
|
||||
} catch (e: TimeoutCancellationException) {
|
||||
null
|
||||
}
|
||||
|
||||
private fun keyWindow(): UIWindow {
|
||||
val scenes = UIApplication.sharedApplication.connectedScenes
|
||||
val windowScene = scenes.firstOrNull { it is UIWindowScene } as? UIWindowScene
|
||||
return (windowScene?.windows?.firstOrNull() as? UIWindow) ?: UIWindow()
|
||||
}
|
||||
|
||||
companion object {
|
||||
private const val TIMEOUT_MS = 5L * 60 * 1000
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user