Merge pull request #462 from sebadob/improved-origen-validation

UX: improved origen validation for configs
sebadob · Jun 10, 2024 · d993d42 · d993d42
2 parents 55704f3 + 13e6ff0
commit d993d42
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 6 deletions.
diff --git a/rauthy-common/src/constants.rs b/rauthy-common/src/constants.rs
@@ -126,6 +126,7 @@ lazy_static! {
     pub static ref RE_LOWERCASE: Regex = Regex::new(r"^[a-z0-9-_/]{2,128}$").unwrap();
     pub static ref RE_LOWERCASE_SPACE: Regex = Regex::new(r"^[a-z0-9-_/\s]{2,128}$").unwrap();
     pub static ref RE_MFA_CODE: Regex = Regex::new(r"^[a-zA-Z0-9]{48}$").unwrap();
+    pub static ref RE_ORIGIN: Regex = Regex::new(r"^(http|https)://[a-zA-Z0-9.:]+$").unwrap();
     pub static ref RE_PEM: Regex = Regex::new(r"^(-----BEGIN CERTIFICATE-----)[a-zA-Z0-9+/=\n]+(-----END CERTIFICATE-----)$").unwrap();
     pub static ref RE_PHONE: Regex = Regex::new(r"^\+[0-9]{0,32}$").unwrap();
     // we have a pretty high upper limit for characters here just to be sure that even if

diff --git a/rauthy-main/tests/handler_auth.rs b/rauthy-main/tests/handler_auth.rs
@@ -258,7 +258,7 @@ async fn test_authorization_code_flow() -> Result<(), Box<dyn Error>> {
         confidential: true,
         redirect_uris: vec!["http://localhost:3000/oidc/callback".to_string()],
         post_logout_redirect_uris: Some(vec!["http://localhost:8080".to_string()]),
-        allowed_origens: Some(vec!["http://localhost:8080/*".to_string()]),
+        allowed_origens: Some(vec!["http://localhost:8080".to_string()]),
         enabled: true,
         flows_enabled: vec![
             "authorization_code".to_string(),

diff --git a/rauthy-main/tests/zzc_handler_clients.rs b/rauthy-main/tests/zzc_handler_clients.rs
@@ -82,7 +82,7 @@ async fn test_clients() -> Result<(), Box<dyn Error>> {
     let mut redirect_uris = client.redirect_uris;
     redirect_uris.push("http://test.client.io/callback123".to_string());
 
-    let allowed_origens = Some(vec!["http://origen.test.cient.io/*".to_string()]);
+    let allowed_origens = Some(vec!["http://origen.test.cient.io".to_string()]);
 
     let mut flows_enabled = client.flows_enabled;
     flows_enabled.push("password".to_string());

diff --git a/rauthy-models/src/request.rs b/rauthy-models/src/request.rs
@@ -9,8 +9,8 @@ use css_color::Srgb;
 use rauthy_common::constants::{
     RE_ALNUM, RE_ALNUM_48, RE_ALNUM_64, RE_API_KEY, RE_APP_ID, RE_ATTR, RE_ATTR_DESC, RE_CHALLENGE,
     RE_CITY, RE_CLIENT_ID_EPHEMERAL, RE_CLIENT_NAME, RE_CODE_CHALLENGE, RE_CODE_VERIFIER,
-    RE_CONTACT, RE_DATE_STR, RE_GRANT_TYPES, RE_GROUPS, RE_LOWERCASE, RE_MFA_CODE, RE_PEM,
-    RE_PHONE, RE_SCOPE_SPACE, RE_SEARCH, RE_STREET, RE_TOKEN_ENDPOINT_AUTH_METHOD, RE_URI,
+    RE_CONTACT, RE_DATE_STR, RE_GRANT_TYPES, RE_GROUPS, RE_LOWERCASE, RE_MFA_CODE, RE_ORIGIN,
+    RE_PEM, RE_PHONE, RE_SCOPE_SPACE, RE_SEARCH, RE_STREET, RE_TOKEN_ENDPOINT_AUTH_METHOD, RE_URI,
     RE_USER_NAME,
 };
 use rauthy_common::error_response::{ErrorResponse, ErrorResponseType};
@@ -887,8 +887,8 @@ pub struct UpdateClientRequest {
     //github.com/ Validation: `Vec<^[a-zA-Z0-9,.:/_\\-&?=~#!$'()*+%]+$>`
     #[validate(custom(function = "validate_vec_uri"))]
     pub post_logout_redirect_uris: Option<Vec<String>>,
-    //github.com/ Validation: `Vec<^[a-zA-Z0-9,.:/_\\-&?=~#!$'()*+%]+$>`
-    #[validate(custom(function = "validate_vec_uri"))]
+    //github.com/ Validation: `Vec<^(http|https)://[a-zA-Z0-9.:]+$>`
+    #[validate(custom(function = "validate_vec_origen"))]
     pub allowed_origens: Option<Vec<String>>,
     pub enabled: bool,
     //github.com/ Validation: `Vec<^(authorization_code|client_credentials|password|refresh_token)$>`
@@ -1136,6 +1136,19 @@ fn validate_vec_grant_types(value: &[String]) -> Result<(), ValidationError> {
     Ok(())
 }
 
+fn validate_vec_origen(value: &[String]) -> Result<(), ValidationError> {
+    let mut err = None;
+    value.iter().for_each(|v| {
+        if !RE_ORIGIN.is_match(v) {
+            err = Some("^(http|https)://[a-zA-Z0-9.:]+$");
+        }
+    });
+    if let Some(e) = err {
+        return Err(ValidationError::new(e));
+    }
+    Ok(())
+}
+
 fn validate_vec_uri(value: &[String]) -> Result<(), ValidationError> {
     let mut err = None;
     value.iter().for_each(|v| {