From f94b807f3973d824d8512c94e2a49b510005e56f Mon Sep 17 00:00:00 2001
From: Joram Wilander
Date: Wed, 4 Oct 2017 11:05:36 -0400
Subject: PLT-7782 Fix for OAuth (#7566)

* Fix for oauth

* Fix test
---
 api/oauth_test.go | 8 --------
 app/oauth.go | 7 +------
 2 files changed, 1 insertion(+), 14 deletions(-)

diff --git a/api/oauth_test.go b/api/oauth_test.go
index 0e952768e..0f809dfe6 100644
--- a/api/oauth_test.go
+++ b/api/oauth_test.go
@@ -765,14 +765,6 @@ func TestOAuthAccessToken(t *testing.T) {
 t.Fatal("Should have failed - code is expired")
 }
- authData = &model.AuthData{ClientId: oauthApp.Id, RedirectUri: oauthApp.CallbackUrls[0], UserId: th.BasicUser.Id, Code: model.NewId(), ExpiresIn: model.AUTHCODE_EXPIRE_TIME}
- <-th.App.Srv.Store.OAuth().SaveAuthData(authData)
-
- data.Set("code", authData.Code)
- if _, err := Client.GetAccessToken(data); err == nil {
- t.Fatal("Should have failed - code with invalid hash comparission")
- }
-
 Client.ClearOAuthToken()
 }
diff --git a/app/oauth.go b/app/oauth.go
index be0535f35..6e411138b 100644
--- a/app/oauth.go
+++ b/app/oauth.go
@@ -6,7 +6,6 @@ package app
 import (
 "bytes"
 b64 "encoding/base64"
- "fmt"
 "io"
 "io/ioutil"
 "net/http"
@@ -133,7 +132,7 @@ func (a *App) AllowOAuthAppAccessToUser(userId string, authRequest *model.Author
 }
 authData := &model.AuthData{UserId: userId, ClientId: authRequest.ClientId, CreateAt: model.GetMillis(), RedirectUri: authRequest.RedirectUri, State: authRequest.State, Scope: authRequest.Scope}
- authData.Code = utils.HashSha256(fmt.Sprintf("%v:%v:%v:%v", authRequest.ClientId, authRequest.RedirectUri, authData.CreateAt, userId))
+ authData.Code = model.NewId() + model.NewId()
 // this saves the OAuth2 app as authorized
 authorizedApp := model.Preference{
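Review bot: The authorization code assigned on the `+` line of the @@ -133 hunk now derives its unguessability entirely from `model.NewId()`, whose entropy source is not visible in this patch; a comment stating that requirement would keep a later change to NewId from silently weakening the code, e.g. `// the auth code is a bearer credential: it must be unpredictable (CSPRNG-backed) and unique per grant`. The old value was a SHA-256 over clientId, redirectUri, CreateAt and userId — all values a client already knows or can bound — so a random code is the right replacement, but the corresponding comparison dropped in the @@ -191 hunk of the same file means the lookup of `authData` by code (presumably done before those lines, outside the hunk) plus the redirect_uri check shown in context are now the only binding between a presented code and the requesting client. That is adequate only if the code is random and consumed on first use, which the visible lines do not establish. Both AllowOAuthAppAccessToUser and GetOAuthAccessToken begin and end outside their hunks.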
@@ -191,10 +190,6 @@ func (a *App) GetOAuthAccessToken(clientId, grantType, redirectUri, code, secret
 return nil, model.NewAppError("GetOAuthAccessToken", "api.oauth.get_access_token.redirect_uri.app_error", nil, "", http.StatusBadRequest)
 }
- if code != utils.HashSha256(fmt.Sprintf("%v:%v:%v:%v", clientId, redirectUri, authData.CreateAt, authData.UserId)) {
- return nil, model.NewAppError("GetOAuthAccessToken", "api.oauth.get_access_token.expired_code.app_error", nil, "", http.StatusBadRequest)
- }
-
 if result := <-a.Srv.Store.User().Get(authData.UserId); result.Err != nil {
 return nil, model.NewAppError("GetOAuthAccessToken", "api.oauth.get_access_token.internal_user.app_error", nil, "", http.StatusNotFound)
 } else {
-- 
cgit v1.2.3-1-g7c22