From f8ddd0b685ad464f23009412584edfe4f3c5deea Mon Sep 17 00:00:00 2001 From: Sebastian Date: Fri, 13 Jan 2023 12:15:45 -0300 Subject: [PATCH] fix kyc-proof handle 1.- redirect_uri has an extra slash 2.- response_type=code is required https://www.rfc-editor.org/rfc/rfc6749#section-3.1.1 3.- add more info to "Unexpected response from KYC gateway" 4.- relax the requirements on the login response, marked as optional 5.- redirect_uri should be the same when exchanging the code for the access_token, 6.- remove legi and payto from kyc-proof path 7.- use state to transport h_payto https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1 --- src/exchange/taler-exchange-httpd_kyc-proof.c | 32 ++++--- src/kyclogic/plugin_kyclogic_oauth2.c | 87 ++++++++++--------- 2 files changed, 70 insertions(+), 49 deletions(-) diff --git a/src/exchange/taler-exchange-httpd_kyc-proof.c b/src/exchange/taler-exchange-httpd_kyc-proof.c index 5d89c4203..e550d28e2 100644 --- a/src/exchange/taler-exchange-httpd_kyc-proof.c +++ b/src/exchange/taler-exchange-httpd_kyc-proof.c @@ -259,27 +259,39 @@ TEH_handler_kyc_proof ( const char *const args[3]) { struct KycProofContext *kpc = rc->rh_ctx; - + const char *h_payto; if (NULL == kpc) { /* first time */ - if ( (NULL == args[0]) || - (NULL == args[1]) ) + if ( (NULL == args[0])) { GNUNET_break_op (0); return TALER_MHD_reply_with_error (rc->connection, MHD_HTTP_NOT_FOUND, TALER_EC_GENERIC_ENDPOINT_UNKNOWN, - "'/kyc-proof/$H_PATYO/$LOGIC' required"); + "'/kyc-proof/$LOGIC?state=$H_PAYTO' required"); } + h_payto = MHD_lookup_connection_value (rc->connection, + MHD_GET_ARGUMENT_KIND, + "state"); + if ( (NULL == h_payto) ) + { + GNUNET_break_op (0); + return TALER_MHD_reply_with_error (rc->connection, + MHD_HTTP_BAD_REQUEST, + TALER_EC_GENERIC_PARAMETER_MALFORMED, + "h_payto"); + } + + kpc = GNUNET_new (struct KycProofContext); kpc->rc = rc; rc->rh_ctx = kpc; rc->rh_cleaner = &clean_kpc; if (GNUNET_OK != - GNUNET_STRINGS_string_to_data (args[0], - strlen (args[0]), + GNUNET_STRINGS_string_to_data (h_payto, + strlen (h_payto), &kpc->h_payto, sizeof (kpc->h_payto))) { @@ -290,7 +302,7 @@ TEH_handler_kyc_proof ( "h_payto"); } if (GNUNET_OK != - TALER_KYCLOGIC_lookup_logic (args[1], + TALER_KYCLOGIC_lookup_logic (args[0], &kpc->logic, &kpc->pd, &kpc->provider_section)) @@ -299,14 +311,14 @@ TEH_handler_kyc_proof ( return TALER_MHD_reply_with_error (rc->connection, MHD_HTTP_NOT_FOUND, TALER_EC_EXCHANGE_KYC_GENERIC_LOGIC_UNKNOWN, - args[1]); + args[0]); } if (NULL != kpc->provider_section) { enum GNUNET_DB_QueryStatus qs; struct GNUNET_TIME_Absolute expiration; - if (0 != strcmp (args[1], + if (0 != strcmp (args[0], kpc->provider_section)) { GNUNET_break_op (0); @@ -352,7 +364,7 @@ TEH_handler_kyc_proof ( } kpc->ph = kpc->logic->proof (kpc->logic->cls, kpc->pd, - &args[2], + &args[1], rc->connection, &kpc->h_payto, kpc->process_row, diff --git a/src/kyclogic/plugin_kyclogic_oauth2.c b/src/kyclogic/plugin_kyclogic_oauth2.c index 91c936bbc..e97ca830d 100644 --- a/src/kyclogic/plugin_kyclogic_oauth2.c +++ b/src/kyclogic/plugin_kyclogic_oauth2.c @@ -474,18 +474,17 @@ initiate_task (void *cls) hps = GNUNET_STRINGS_data_to_string_alloc (&ih->h_payto, sizeof (ih->h_payto)); GNUNET_asprintf (&redirect_uri, - "%s/kyc-proof/%s/%s/%s", + "%skyc-proof/%s", ps->exchange_base_url, - hps, - pd->section, - legi_s); + pd->section); redirect_uri_encoded = TALER_urlencode (redirect_uri); GNUNET_free (redirect_uri); GNUNET_asprintf (&url, - "%s?client_id=%s&redirect_uri=%s", + "%s?response_type=code&client_id=%s&redirect_uri=%s&state=%s", pd->login_url, pd->client_id, - redirect_uri_encoded); + redirect_uri_encoded, + hps); GNUNET_free (redirect_uri_encoded); ih->cb (ih->cb_cls, TALER_EC_NONE, @@ -610,8 +609,8 @@ handle_proof_error (struct TALER_KYCLOGIC_ProofHandle *ph, ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED; ph->response = TALER_MHD_make_error ( - TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, - "Unexpected response from KYC gateway"); + TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, + "Unexpected response from KYC gateway: proof error"); ph->http_status = MHD_HTTP_BAD_GATEWAY; return; @@ -678,8 +677,8 @@ parse_proof_success_reply (struct TALER_KYCLOGIC_ProofHandle *ph, ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED; ph->response = TALER_MHD_make_error ( - TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, - "Unexpected response from KYC gateway"); + TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, + "Unexpected response from KYC gateway: proof success must contain data and status"); ph->http_status = MHD_HTTP_BAD_GATEWAY; return; @@ -713,8 +712,8 @@ parse_proof_success_reply (struct TALER_KYCLOGIC_ProofHandle *ph, ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED; ph->response = TALER_MHD_make_error ( - TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, - "Unexpected response from KYC gateway"); + TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, + "Unexpected response from KYC gateway: data must contain id"); ph->http_status = MHD_HTTP_BAD_GATEWAY; return; @@ -797,15 +796,23 @@ handle_curl_login_finished (void *cls, const char *token_type; uint64_t expires_in_s; const char *refresh_token; + bool no_expires; + bool no_refresh; struct GNUNET_JSON_Specification spec[] = { GNUNET_JSON_spec_string ("access_token", &access_token), GNUNET_JSON_spec_string ("token_type", &token_type), - GNUNET_JSON_spec_uint64 ("expires_in", - &expires_in_s), - GNUNET_JSON_spec_string ("refresh_token", - &refresh_token), + GNUNET_JSON_spec_mark_optional ( + GNUNET_JSON_spec_uint64 ("expires_in", + &expires_in_s), + &no_expires + ), + GNUNET_JSON_spec_mark_optional ( + GNUNET_JSON_spec_string ("refresh_token", + &refresh_token), + &no_refresh + ), GNUNET_JSON_spec_end () }; CURL *eh; @@ -824,8 +831,8 @@ handle_curl_login_finished (void *cls, GNUNET_break_op (0); ph->response = TALER_MHD_make_error ( - TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, - "Unexpected response from KYC gateway"); + TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, + "Unexpected response from KYC gateway: login finished"); ph->http_status = MHD_HTTP_BAD_GATEWAY; break; @@ -837,8 +844,8 @@ handle_curl_login_finished (void *cls, GNUNET_break_op (0); ph->response = TALER_MHD_make_error ( - TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, - "Unexpected token type in response from KYC gateway"); + TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, + "Unexpected token type in response from KYC gateway"); ph->http_status = MHD_HTTP_BAD_GATEWAY; break; @@ -858,8 +865,8 @@ handle_curl_login_finished (void *cls, GNUNET_break_op (0); ph->response = TALER_MHD_make_error ( - TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, - "Illegal character in access token"); + TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, + "Illegal character in access token"); ph->http_status = MHD_HTTP_BAD_GATEWAY; break; @@ -871,8 +878,8 @@ handle_curl_login_finished (void *cls, GNUNET_break_op (0); ph->response = TALER_MHD_make_error ( - TALER_EC_GENERIC_ALLOCATION_FAILURE, - "curl_easy_init"); + TALER_EC_GENERIC_ALLOCATION_FAILURE, + "curl_easy_init"); ph->http_status = MHD_HTTP_INTERNAL_SERVER_ERROR; break; @@ -1008,23 +1015,24 @@ oauth2_proof (void *cls, char *client_secret; char *authorization_code; + char *redirect_uri_encoded; + char *hps; + + hps = GNUNET_STRINGS_data_to_string_alloc (&ph->h_payto, + sizeof (ph->h_payto)); + + GNUNET_asprintf (&redirect_uri, + "%skyc-proof/%s", + ps->exchange_base_url, + pd->section); + redirect_uri_encoded = TALER_urlencode (redirect_uri); + GNUNET_free (redirect_uri); + GNUNET_assert (NULL != redirect_uri_encoded); + client_id = curl_easy_escape (ph->eh, pd->client_id, 0); GNUNET_assert (NULL != client_id); - { - char *request_uri; - - GNUNET_asprintf (&request_uri, - "%s?client_id=%s", - pd->login_url, - pd->client_id); - redirect_uri = curl_easy_escape (ph->eh, - request_uri, - 0); - GNUNET_free (request_uri); - } - GNUNET_assert (NULL != redirect_uri); client_secret = curl_easy_escape (ph->eh, pd->client_secret, 0); @@ -1036,12 +1044,13 @@ oauth2_proof (void *cls, GNUNET_asprintf (&ph->post_body, "client_id=%s&redirect_uri=%s&client_secret=%s&code=%s&grant_type=authorization_code", client_id, - redirect_uri, + redirect_uri_encoded, client_secret, authorization_code); curl_free (authorization_code); curl_free (client_secret); - curl_free (redirect_uri); + curl_free (redirect_uri_encoded); + curl_free (hps); curl_free (client_id); } GNUNET_assert (CURLE_OK ==