Merge pull request #13 from devtron-labs/auth-fix

prkhrkat · web-flow · commit 87207db6607c · 2024-10-14T19:27:51.000+05:30
fix: error handling in verifyAppState (/auth/callback API)
diff --git a/authenticator/client/oidcClient.go b/authenticator/client/oidcClient.go
@@ -26,6 +26,7 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"sync"
 	"time"
 )
 
@@ -65,8 +66,8 @@ func getOidcClient(dexServerAddress string, settings *oidc.Settings, userVerifie
 		},
 	}
 	dexProxy := oidc.NewDexHTTPReverseProxy(dexServerAddress, dexClient.Transport)
-	cahecStore := &oidc.Cache{OidcState: map[string]*oidc.OIDCState{}}
-	oidcClient, err := oidc.NewClientApp(settings, cahecStore, "/", userVerifier, RedirectUrlSanitiser)
+	cacheStore := &oidc.Cache{OidcState: sync.Map{}}
+	oidcClient, err := oidc.NewClientApp(settings, cacheStore, "/", userVerifier, RedirectUrlSanitiser)
 	if err != nil {
 		return nil, nil, err
 	}
diff --git a/authenticator/oidc/oidc.go b/authenticator/oidc/oidc.go
@@ -32,6 +32,7 @@ import (
 	"path"
 	"regexp"
 	"strings"
+	"sync"
 	"time"
 
 	gooidc "github.com/coreos/go-oidc/v3/oidc"
@@ -69,16 +70,23 @@ type OIDCStateStorage interface {
 }
 
 type Cache struct {
-	OidcState map[string]*OIDCState
+	OidcState sync.Map
 }
 
 func (c *Cache) GetOIDCState(key string) (*OIDCState, error) {
-	state := c.OidcState[key]
+	value, exists := c.OidcState.Load(key)
+	if !exists {
+		return nil, ErrCacheMiss
+	}
+	state, ok := value.(*OIDCState)
+	if !ok || state == nil {
+		return nil, ErrInvalidState
+	}
 	return state, nil
 }
 
 func (c *Cache) SetOIDCState(key string, state *OIDCState) error {
-	c.OidcState[key] = state
+	c.OidcState.Store(key, state)
 	return nil
 }
 
@@ -287,12 +295,15 @@ func (a *ClientApp) generateAppState(returnURL string) string {
 }
 
 var ErrCacheMiss = errors.New("cache: key is missing")
+var ErrInvalidState = errors.New("invalid app state")
 
 func (a *ClientApp) verifyAppState(state string) (*OIDCState, error) {
 	res, err := a.cache.GetOIDCState(state)
 	if err != nil {
-		if err == ErrCacheMiss {
+		if errors.Is(err, ErrCacheMiss) {
 			return nil, fmt.Errorf("unknown app state %s", state)
+		} else if errors.Is(err, ErrInvalidState) {
+			return nil, fmt.Errorf("invalid app state %s", state)
 		} else {
 			return nil, fmt.Errorf("failed to verify app state %s: %v", state, err)
 		}

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ import (`
`26`	`26`	`"net/http"`
`27`	`27`	`"net/url"`
`28`	`28`	`"path"`
	`29`	`+ "sync"`
`29`	`30`	`"time"`
`30`	`31`	`)`
`31`	`32`
`@@ -65,8 +66,8 @@ func getOidcClient(dexServerAddress string, settings *oidc.Settings, userVerifie`
`65`	`66`	`},`
`66`	`67`	`}`
`67`	`68`	`dexProxy := oidc.NewDexHTTPReverseProxy(dexServerAddress, dexClient.Transport)`
`68`		`- cahecStore := &oidc.Cache{OidcState: map[string]*oidc.OIDCState{}}`
`69`		`- oidcClient, err := oidc.NewClientApp(settings, cahecStore, "/", userVerifier, RedirectUrlSanitiser)`
	`69`	`+ cacheStore := &oidc.Cache{OidcState: sync.Map{}}`
	`70`	`+ oidcClient, err := oidc.NewClientApp(settings, cacheStore, "/", userVerifier, RedirectUrlSanitiser)`
`70`	`71`	`if err != nil {`
`71`	`72`	`return nil, nil, err`
`72`	`73`	`}`