3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-06-05 12:23:03 +02:00
Code Issues Projects Releases Packages Wiki Activity

authenticate: add additional error details for hmac errors (#3878)

Browse source
This commit is contained in:
Caleb Doxsey 2023-01-11 07:53:11 -07:00 committed by GitHub
parent 92b50683ff
commit bfcd15435f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 29 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

16
authenticate/handlers.go
View file

@ -382,11 +382,6 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
return nil, httputil.NewError(http.StatusBadRequest, fmt.Errorf("state malformed, size: %d", len(statePayload)))
}
// verify that the returned timestamp is valid
if err := cryptutil.ValidTimestamp(statePayload[1]); err != nil {
return nil, httputil.NewError(http.StatusBadRequest, err)
}
// Use our AEAD construct to enforce secrecy and authenticity:
// mac: to validate the nonce again, and above timestamp
// decrypt: to prevent leaking 'redirect_uri' to IdP or logs
@ -401,6 +396,17 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
return nil, httputil.NewError(http.StatusBadRequest, err)
}
// verify that the returned timestamp is valid
if err := cryptutil.ValidTimestamp(statePayload[1]); err != nil {
return nil, httputil.NewError(http.StatusBadRequest, err).WithDescription(fmt.Sprintf(`
The request expired. This may be because a login attempt took too long, or because the server's clock is out of sync.
Try again by following this link: [%s](%s).
Or contact your administrator.
`, redirectURL.String(), redirectURL.String()))
}
idp, err := options.GetIdentityProviderForID(redirectURL.Query().Get(urlutil.QueryIdentityProviderID))
if err != nil {
return nil, err