Merge pull request #97 from sebadob/improve-failed-login-timeout-hanling

Improve failed login timeout hanling
sebadob · Oct 25, 2023 · 7f7a675 · 7f7a675
2 parents 09d1d3a + 9d19d1b
commit 7f7a675
Show file tree

Hide file tree

Showing 7 changed files with 194 additions and 206 deletions.
diff --git a/rauthy-handlers/src/lib.rs b/rauthy-handlers/src/lib.rs
@@ -45,7 +45,8 @@ pub fn map_auth_step(
     data: &web::Data<AppState>,
     auth_step: AuthStep,
     req: &HttpRequest,
-) -> Result<HttpResponse, ErrorResponse> {
+    // Ok => HttpResponse + has_password_been_hashed
+) -> Result<(HttpResponse, bool), ErrorResponse> {
     match auth_step {
         AuthStep::LoggedIn(res) => {
             let mut resp = HttpResponse::Accepted()
@@ -55,7 +56,7 @@ pub fn map_auth_step(
             if let Some((name, value)) = res.header_origen {
                 resp.headers_mut().insert(name, value);
             }
-            Ok(resp)
+            Ok((resp, res.has_password_been_hashed))
         }
 
         AuthStep::AwaitWebauthn(res) => {
@@ -83,7 +84,7 @@ pub fn map_auth_step(
                 add_req_mfa_cookie(data, &mut resp, res.email.clone())?;
             }
 
-            Ok(resp)
+            Ok((resp, res.has_password_been_hashed))
         }
     }
 }

diff --git a/rauthy-handlers/src/oidc.rs b/rauthy-handlers/src/oidc.rs
@@ -19,8 +19,8 @@ use rauthy_models::entity::users::User;
 use rauthy_models::entity::webauthn::WebauthnCookie;
 use rauthy_models::language::Language;
 use rauthy_models::request::{
-    AuthRequest, LoginRefreshRequest, LoginRequest, LogoutRequest, RefreshTokenRequest,
-    TokenRequest, TokenValidationRequest,
+    AuthRequest, LoginRequest, LogoutRequest, RefreshTokenRequest, TokenRequest,
+    TokenValidationRequest,
 };
 use rauthy_models::response::{JWKSCerts, JWKSPublicKeyCerts, SessionInfoResponse};
 use rauthy_models::templates::{AuthorizeHtml, CallbackHtml, ErrorHtml, FrontendAction};
@@ -172,11 +172,13 @@ pub async fn post_authorize(
     let start = SystemTime::now().duration_since(UNIX_EPOCH).unwrap();
 
     let session = Session::extract_validate_csrf(session_req, &req)?;
-    let res = auth::authorize(&data, &req, req_data.into_inner(), session)
-        .await
-        .map(|auth_step| map_auth_step(&data, auth_step, &req))?;
 
-    auth::handle_login_delay(start, &data.caches.ha_cache_config, res, true).await
+    let res = match auth::authorize(&data, &req, req_data.into_inner(), session).await {
+        Ok(auth_step) => map_auth_step(&data, auth_step, &req),
+        Err(err) => Err(err),
+    };
+
+    auth::handle_login_delay(start, &data.caches.ha_cache_config, res).await
 }
 
 #[get("/oidc/callback")]
@@ -191,46 +193,6 @@ pub async fn get_callback_html(data: web::Data<AppState>) -> Result<HttpResponse
         .body(body))
 }
 
-// TODO clean up?
-//github.com/ DEPRECATED
-//github.com/
-//github.com/ This is an older refresh token endpoint, which is not being used anymore in favor of the
-//github.com/ *refresh_token* grant on the [POST /token](post_token) endpoint.
-#[utoipa::path(
-    post,
-    path = "/oidc/authorize/refresh",
-    tag = "deprecated",
-    request_body = LoginRefreshRequest,
-    responses(
-        (status = 202, description = "Accepted"),
-        (status = 400, description = "BadRequest", body = ErrorResponse),
-        (status = 401, description = "Unauthorized", body = ErrorResponse),
-    ),
-)]
-#[post("/oidc/authorize/refresh")]
-#[has_permissions("session-auth")]
-pub async fn post_authorize_refresh(
-    data: web::Data<AppState>,
-    req: HttpRequest,
-    req_data: web::Json<LoginRefreshRequest>,
-    session_req: web::ReqData<Option<Session>>,
-) -> Result<HttpResponse, ErrorResponse> {
-    let (client, header_origen) = auth::validate_auth_req_param(
-        &data,
-        &req,
-        &req_data.client_id,
-        &req_data.redirect_uri,
-        &req_data.code_challenge,
-        &req_data.code_challenge_method,
-    )
-    .await?;
-
-    let session = Session::extract_validate_csrf(session_req, &req)?;
-    auth::authorize_refresh(&data, session, client, header_origen, req_data.into_inner())
-        .await
-        .map(|auth_step| map_auth_step(&data, auth_step, &req))?
-}
-
 //github.com/ JWT Token public JWKS
 //github.com/
 //github.com/ Returns the Json Web Key Set (JWKS) for independent validation of the signed JWT Tokens.
@@ -527,21 +489,40 @@ pub async fn post_token(
         Session::get_csrf_header("none")
     };
 
-    let res = auth::get_token_set(req_data.into_inner(), &data, req)
-        .await
-        .map(|(token_set, header_origen)| {
-            if let Some(o) = header_origen {
-                return HttpResponse::Ok()
+    let res = match auth::get_token_set(req_data.into_inner(), &data, req).await {
+        Ok((token_set, header_origen)) => {
+            let http_resp = if let Some(o) = header_origen {
+                HttpResponse::Ok()
                     .insert_header(o)
                     .insert_header(csrf_header)
-                    .json(token_set);
-            }
-            HttpResponse::Ok()
-                .insert_header(csrf_header)
-                .json(token_set)
-        });
+                    .json(token_set)
+            } else {
+                HttpResponse::Ok()
+                    .insert_header(csrf_header)
+                    .json(token_set)
+            };
+            Ok((http_resp, save_timer))
+        }
+        Err(err) => Err(err),
+    };
 
-    auth::handle_login_delay(start, &data.caches.ha_cache_config, res, save_timer).await
+    // let res = auth::get_token_set(req_data.into_inner(), &data, req)
+    //     .await
+    //     .map(|(token_set, header_origen)| {
+    //         let http_resp = if let Some(o) = header_origen {
+    //             HttpResponse::Ok()
+    //                 .insert_header(o)
+    //                 .insert_header(csrf_header)
+    //                 .json(token_set)
+    //         } else {
+    //             HttpResponse::Ok()
+    //                 .insert_header(csrf_header)
+    //                 .json(token_set)
+    //         };
+    //         (http_resp, save_timer)
+    //     });
+
+    auth::handle_login_delay(start, &data.caches.ha_cache_config, res).await
 }
 
 //github.com/ The tokenInfo endpoint for the OIDC standard.

diff --git a/rauthy-handlers/src/openapi.rs b/rauthy-handlers/src/openapi.rs
@@ -51,7 +51,6 @@ use utoipa::{openapi, OpenApi};
 
         oidc::get_authorize,
         oidc::post_authorize,
-        oidc::post_authorize_refresh,
         oidc::get_certs,
         oidc::get_cert_by_kid,
         oidc::get_logout,
@@ -129,7 +128,6 @@ use utoipa::{openapi, OpenApi};
             request::ColorsRequest,
             request::EncKeyMigrateRequest,
             request::LoginRequest,
-            request::LoginRefreshRequest,
             request::LogoutRequest,
             request::MfaAwaitRequest,
             request::MfaPurpose,

diff --git a/rauthy-main/src/main.rs b/rauthy-main/src/main.rs
@@ -445,7 +445,7 @@ async fn actix_main(app_state: web::Data<AppState>) -> std::io::Result<()> {
                         .service(oidc::get_authorize)
                         .service(oidc::post_authorize)
                         .service(oidc::get_callback_html)
-                        .service(oidc::post_authorize_refresh)
+                        // .service(oidc::post_authorize_refresh)
                         .service(oidc::get_certs)
                         .service(oidc::get_cert_by_kid)
                         .service(oidc::get_logout)

diff --git a/rauthy-models/src/lib.rs b/rauthy-models/src/lib.rs
@@ -39,12 +39,14 @@ pub enum AuthStep {
 }
 
 pub struct AuthStepLoggedIn {
+    pub has_password_been_hashed: bool,
     pub header_loc: (HeaderName, HeaderValue),
     pub header_csrf: (HeaderName, HeaderValue),
     pub header_origen: Option<(HeaderName, HeaderValue)>,
 }
 
 pub struct AuthStepAwaitWebauthn {
+    pub has_password_been_hashed: bool,
     pub code: String,
     pub header_csrf: (HeaderName, HeaderValue),
     pub header_origen: Option<(HeaderName, HeaderValue)>,

diff --git a/rauthy-models/src/request.rs b/rauthy-models/src/request.rs
@@ -174,30 +174,30 @@ pub struct LoginRequest {
     pub code_challenge_method: Option<String>,
 }
 
-#[derive(Debug, Deserialize, Validate, ToSchema)]
-pub struct LoginRefreshRequest {
-    //github.com/ Validation: `^[a-z0-9-_/]{2,128}$`
-    #[validate(regex(path = "RE_LOWERCASE", code = "^[a-z0-9-_/]{2,128}$"))]
-    pub client_id: String,
-    //github.com/ Validation: `[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$`
-    #[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$"))]
-    pub redirect_uri: String,
-    //github.com/ Validation: `Vec<^[a-zA-Z0-9\\s]$>`
-    #[validate(custom(function = "validate_vec_scope"))]
-    pub scopes: Option<Vec<String>>,
-    //github.com/ Validation: `[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$`
-    #[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$"))]
-    pub state: Option<String>,
-    //github.com/ Validation: `[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$`
-    #[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$"))]
-    pub nonce: Option<String>,
-    //github.com/ Validation: `[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$`
-    #[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$"))]
-    pub code_challenge: Option<String>,
-    //github.com/ Validation: `[a-zA-Z0-9-._~]{43,128}`
-    #[validate(regex(path = "RE_CODE_CHALLENGE", code = "[a-zA-Z0-9-._~]{43,128}"))]
-    pub code_challenge_method: Option<String>,
-}
+// #[derive(Debug, Deserialize, Validate, ToSchema)]
+// pub struct LoginRefreshRequest {
+//     //github.com/ Validation: `^[a-z0-9-_/]{2,128}$`
+//     #[validate(regex(path = "RE_LOWERCASE", code = "^[a-z0-9-_/]{2,128}$"))]
+//     pub client_id: String,
+//     //github.com/ Validation: `[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$`
+//     #[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$"))]
+//     pub redirect_uri: String,
+//     //github.com/ Validation: `Vec<^[a-zA-Z0-9\\s]$>`
+//     #[validate(custom(function = "validate_vec_scope"))]
+//     pub scopes: Option<Vec<String>>,
+//     //github.com/ Validation: `[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$`
+//     #[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$"))]
+//     pub state: Option<String>,
+//     //github.com/ Validation: `[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$`
+//     #[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$"))]
+//     pub nonce: Option<String>,
+//     //github.com/ Validation: `[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$`
+//     #[validate(regex(path = "RE_URI", code = "[a-zA-Z0-9,.:/_-&?=~#!$'()*+%]+$"))]
+//     pub code_challenge: Option<String>,
+//     //github.com/ Validation: `[a-zA-Z0-9-._~]{43,128}`
+//     #[validate(regex(path = "RE_CODE_CHALLENGE", code = "[a-zA-Z0-9-._~]{43,128}"))]
+//     pub code_challenge_method: Option<String>,
+// }
 
 #[derive(Debug, Deserialize, Validate, ToSchema, IntoParams)]
 pub struct LogoutRequest {