oauth_state_only

Author: epompeii

lib/api_auth/src/oauth/github.rs

@@ -1,14 +1,10 @@
 use bencher_endpoint::{CorsResponse, Endpoint, Get, Post, ResponseAccepted, ResponseOk};
-use bencher_json::{
-    JsonOAuthUrl, JsonOAuthUser, Jwt, OrganizationUuid, PlanLevel, system::auth::JsonOAuth,
-};
+use bencher_json::{JsonOAuthUrl, JsonOAuthUser, system::auth::JsonOAuth};
 use bencher_schema::{
     context::ApiContext,
     error::{payment_required_error, unauthorized_error},
 };
 use dropshot::{HttpError, Query, RequestContext, TypedBody, endpoint};
-use schemars::JsonSchema;
-use serde::Deserialize;
 use slog::Logger;
 
 use crate::oauth::oauth_state::OAuthState;
@@ -28,24 +24,14 @@ pub async fn auth_github_options(
     Ok(Endpoint::cors(&[Get.into(), Post.into()]))
 }
 
-#[derive(Debug, Deserialize, JsonSchema)]
-pub struct AuthGitHubQuery {
-    /// Invitation JWT.
-    pub invite: Option<Jwt>,
-    /// Organization UUID to claim.
-    pub claim: Option<OrganizationUuid>,
-    /// Plan level.
-    pub plan: Option<PlanLevel>,
-}
-
 #[endpoint {
     method = GET,
     path =  "/v0/auth/github",
     tags = ["auth"]
 }]
 pub async fn auth_github_get(
     rqctx: RequestContext<ApiContext>,
-    query_params: Query<AuthGitHubQuery>,
+    query_params: Query<OAuthState>,
 ) -> Result<ResponseOk<JsonOAuthUrl>, HttpError> {
     let json = get_inner(&rqctx.log, rqctx.context(), query_params.into_inner()).await?;
     Ok(Get::pub_response_ok(json))
@@ -54,7 +40,7 @@ pub async fn auth_github_get(
 async fn get_inner(
     log: &Logger,
     context: &ApiContext,
-    query_params: AuthGitHubQuery,
+    oauth_state: OAuthState,
 ) -> Result<JsonOAuthUrl, HttpError> {
     let Some(github_client) = &context.github_client else {
         let err = "GitHub OAuth2 is not configured";
@@ -63,20 +49,7 @@ async fn get_inner(
     };
     is_allowed_oauth(context).await?;
 
-    // TODO: Currently, we do not protect against CSRF attacks,
-    // as we allow any client to use our authentication endpoints.
-    // So the `state` parameter is currently just used to pass callback information.
-    // In the future, we may want to restrict allowed clients,
-    // at which point we should generate and validate a CSRF token here
-    // along with the callback information.
-    // https://datatracker.ietf.org/doc/html/rfc6749#section-10.12
-    let AuthGitHubQuery {
-        invite,
-        claim,
-        plan,
-    } = query_params;
-    let state_struct = OAuthState::new(invite, claim, plan);
-    let state = state_struct.encode(log, &context.token_key)?;
+    let state = oauth_state.encode(log, &context.token_key)?;
     let url = github_client.auth_url(state);
 
     Ok(JsonOAuthUrl { url })

lib/api_auth/src/oauth/google.rs

@@ -1,14 +1,10 @@
 use bencher_endpoint::{CorsResponse, Endpoint, Get, Post, ResponseAccepted, ResponseOk};
-use bencher_json::{
-    JsonOAuthUrl, JsonOAuthUser, Jwt, OrganizationUuid, PlanLevel, system::auth::JsonOAuth,
-};
+use bencher_json::{JsonOAuthUrl, JsonOAuthUser, system::auth::JsonOAuth};
 use bencher_schema::{
     context::ApiContext,
     error::{payment_required_error, unauthorized_error},
 };
 use dropshot::{HttpError, Query, RequestContext, TypedBody, endpoint};
-use schemars::JsonSchema;
-use serde::Deserialize;
 use slog::Logger;
 
 use crate::oauth::oauth_state::OAuthState;
@@ -28,24 +24,14 @@ pub async fn auth_google_options(
     Ok(Endpoint::cors(&[Get.into(), Post.into()]))
 }
 
-#[derive(Debug, Deserialize, JsonSchema)]
-pub struct AuthGoogleQuery {
-    /// Invitation JWT.
-    pub invite: Option<Jwt>,
-    /// Organization UUID to claim.
-    pub claim: Option<OrganizationUuid>,
-    /// Plan level.
-    pub plan: Option<PlanLevel>,
-}
-
 #[endpoint {
     method = GET,
     path =  "/v0/auth/google",
     tags = ["auth"]
 }]
 pub async fn auth_google_get(
     rqctx: RequestContext<ApiContext>,
-    query_params: Query<AuthGoogleQuery>,
+    query_params: Query<OAuthState>,
 ) -> Result<ResponseOk<JsonOAuthUrl>, HttpError> {
     let json = get_inner(&rqctx.log, rqctx.context(), query_params.into_inner()).await?;
     Ok(Get::pub_response_ok(json))
@@ -54,7 +40,7 @@ pub async fn auth_google_get(
 async fn get_inner(
     log: &Logger,
     context: &ApiContext,
-    query_params: AuthGoogleQuery,
+    oauth_state: OAuthState,
 ) -> Result<JsonOAuthUrl, HttpError> {
     let Some(google_client) = &context.google_client else {
         let err = "Google OAuth2 is not configured";
@@ -63,23 +49,8 @@ async fn get_inner(
     };
     is_allowed_oauth(context).await?;
 
-    // TODO: Currently, we do not protect against CSRF attacks,
-    // as we allow any client to use our authentication endpoints.
-    // So the `state` parameter is currently just used to pass callback information.
-    // In the future, we may want to restrict allowed clients,
-    // at which point we should generate and validate a CSRF token here
-    // along with the callback information.
-    // https://datatracker.ietf.org/doc/html/rfc6749#section-10.12
-    let AuthGoogleQuery {
-        invite,
-        claim,
-        plan,
-    } = query_params;
-
-    let state_struct = OAuthState::new(invite, claim, plan);
-    let state = state_struct.encode(log, &context.token_key)?;
+    let state = oauth_state.encode(log, &context.token_key)?;
     let url = google_client.auth_url(state);
-
     Ok(JsonOAuthUrl { url })
 }
 

lib/api_auth/src/oauth/oauth_state.rs

@@ -4,6 +4,7 @@ use bencher_json::{Email, Jwt, OrganizationUuid, PlanLevel};
 use bencher_schema::error::unauthorized_error;
 use bencher_token::TokenKey;
 use dropshot::HttpError;
+use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 use slog::Logger;
 
@@ -13,11 +14,14 @@ const OAUTH_TTL: u32 = 600;
 static OAUTH_EMAIL: LazyLock<Email> =
     LazyLock::new(|| "[email protected]".parse().expect("Invalid OAuth email"));
 
-#[derive(Debug, Serialize, Deserialize)]
+#[derive(Debug, Serialize, Deserialize, JsonSchema)]
 pub struct OAuthState {
-    invite: Option<Jwt>,
-    claim: Option<OrganizationUuid>,
-    plan: Option<PlanLevel>,
+    /// Invitation JWT.
+    pub invite: Option<Jwt>,
+    /// Organization UUID to claim.
+    pub claim: Option<OrganizationUuid>,
+    /// Plan level.
+    pub plan: Option<PlanLevel>,
 }
 
 impl OAuthState {