taler/exchange
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix kyc-proof handle

Browse Source 
1.- redirect_uri has an extra slash
2.- response_type=code is required https://www.rfc-editor.org/rfc/rfc6749#section-3.1.1
3.- add more info to "Unexpected response from KYC gateway"
4.- relax the requirements on the login response, marked as optional
5.- redirect_uri should be the same when exchanging the code for the access_token,
6.- remove legi and payto from kyc-proof path
7.- use state to transport h_payto https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
This commit is contained in:
Sebastian 2023-01-13 12:15:45 -03:00
parent 4374b1868e
commit f8ddd0b685
No known key found for this signature in database
GPG Key ID: BE4FF68352439FC1
2 changed files with 70 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
src/exchange/taler-exchange-httpd_kyc-proof.c
View File

@ -259,27 +259,39 @@ TEH_handler_kyc_proof (
const char *const args[3]) const char *const args[3])
{ {
struct KycProofContext *kpc = rc->rh_ctx; struct KycProofContext *kpc = rc->rh_ctx;
const char *h_payto;
if (NULL == kpc) if (NULL == kpc)
{ {
/* first time */ /* first time */
if ( (NULL == args[0]) || if ( (NULL == args[0]))
(NULL == args[1]) )
{ {
GNUNET_break_op (0); GNUNET_break_op (0);
return TALER_MHD_reply_with_error (rc->connection, return TALER_MHD_reply_with_error (rc->connection,
MHD_HTTP_NOT_FOUND, MHD_HTTP_NOT_FOUND,
TALER_EC_GENERIC_ENDPOINT_UNKNOWN, TALER_EC_GENERIC_ENDPOINT_UNKNOWN,
"'/kyc-proof/$H_PATYO/$LOGIC' required"); "'/kyc-proof/$LOGIC?state=$H_PAYTO' required");
} }
h_payto = MHD_lookup_connection_value (rc->connection,
MHD_GET_ARGUMENT_KIND,
"state");
if ( (NULL == h_payto) )
{
GNUNET_break_op (0);
return TALER_MHD_reply_with_error (rc->connection,
MHD_HTTP_BAD_REQUEST,
TALER_EC_GENERIC_PARAMETER_MALFORMED,
"h_payto");
}
kpc = GNUNET_new (struct KycProofContext); kpc = GNUNET_new (struct KycProofContext);
kpc->rc = rc; kpc->rc = rc;
rc->rh_ctx = kpc; rc->rh_ctx = kpc;
rc->rh_cleaner = &clean_kpc; rc->rh_cleaner = &clean_kpc;
if (GNUNET_OK != if (GNUNET_OK !=
GNUNET_STRINGS_string_to_data (args[0], GNUNET_STRINGS_string_to_data (h_payto,
strlen (args[0]), strlen (h_payto),
&kpc->h_payto, &kpc->h_payto,
sizeof (kpc->h_payto))) sizeof (kpc->h_payto)))
{ {
@ -290,7 +302,7 @@ TEH_handler_kyc_proof (
"h_payto"); "h_payto");
} }
if (GNUNET_OK != if (GNUNET_OK !=
TALER_KYCLOGIC_lookup_logic (args[1], TALER_KYCLOGIC_lookup_logic (args[0],
&kpc->logic, &kpc->logic,
&kpc->pd, &kpc->pd,
&kpc->provider_section)) &kpc->provider_section))
@ -299,14 +311,14 @@ TEH_handler_kyc_proof (
return TALER_MHD_reply_with_error (rc->connection, return TALER_MHD_reply_with_error (rc->connection,
MHD_HTTP_NOT_FOUND, MHD_HTTP_NOT_FOUND,
TALER_EC_EXCHANGE_KYC_GENERIC_LOGIC_UNKNOWN, TALER_EC_EXCHANGE_KYC_GENERIC_LOGIC_UNKNOWN,
args[1]); args[0]);
} }
if (NULL != kpc->provider_section) if (NULL != kpc->provider_section)
{ {
enum GNUNET_DB_QueryStatus qs; enum GNUNET_DB_QueryStatus qs;
struct GNUNET_TIME_Absolute expiration; struct GNUNET_TIME_Absolute expiration;
if (0 != strcmp (args[1], if (0 != strcmp (args[0],
kpc->provider_section)) kpc->provider_section))
{ {
GNUNET_break_op (0); GNUNET_break_op (0);
@ -352,7 +364,7 @@ TEH_handler_kyc_proof (
} }
kpc->ph = kpc->logic->proof (kpc->logic->cls, kpc->ph = kpc->logic->proof (kpc->logic->cls,
kpc->pd, kpc->pd,
&args[2], &args[1],
rc->connection, rc->connection,
&kpc->h_payto, &kpc->h_payto,
kpc->process_row, kpc->process_row,

87
src/kyclogic/plugin_kyclogic_oauth2.c
View File

@ -474,18 +474,17 @@ initiate_task (void *cls)
hps = GNUNET_STRINGS_data_to_string_alloc (&ih->h_payto, hps = GNUNET_STRINGS_data_to_string_alloc (&ih->h_payto,
sizeof (ih->h_payto)); sizeof (ih->h_payto));
GNUNET_asprintf (&redirect_uri, GNUNET_asprintf (&redirect_uri,
"%s/kyc-proof/%s/%s/%s", "%skyc-proof/%s",
ps->exchange_base_url, ps->exchange_base_url,
hps, pd->section);
pd->section,
legi_s);
redirect_uri_encoded = TALER_urlencode (redirect_uri); redirect_uri_encoded = TALER_urlencode (redirect_uri);
GNUNET_free (redirect_uri); GNUNET_free (redirect_uri);
GNUNET_asprintf (&url, GNUNET_asprintf (&url,
"%s?client_id=%s&redirect_uri=%s", "%s?response_type=code&client_id=%s&redirect_uri=%s&state=%s",
pd->login_url, pd->login_url,
pd->client_id, pd->client_id,
redirect_uri_encoded); redirect_uri_encoded,
hps);
GNUNET_free (redirect_uri_encoded); GNUNET_free (redirect_uri_encoded);
ih->cb (ih->cb_cls, ih->cb (ih->cb_cls,
TALER_EC_NONE, TALER_EC_NONE,
@ -610,8 +609,8 @@ handle_proof_error (struct TALER_KYCLOGIC_ProofHandle *ph,
ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED; ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED;
ph->response ph->response
= TALER_MHD_make_error ( = TALER_MHD_make_error (
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected response from KYC gateway"); "Unexpected response from KYC gateway: proof error");
ph->http_status ph->http_status
= MHD_HTTP_BAD_GATEWAY; = MHD_HTTP_BAD_GATEWAY;
return; return;
@ -678,8 +677,8 @@ parse_proof_success_reply (struct TALER_KYCLOGIC_ProofHandle *ph,
ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED; ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED;
ph->response ph->response
= TALER_MHD_make_error ( = TALER_MHD_make_error (
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected response from KYC gateway"); "Unexpected response from KYC gateway: proof success must contain data and status");
ph->http_status ph->http_status
= MHD_HTTP_BAD_GATEWAY; = MHD_HTTP_BAD_GATEWAY;
return; return;
@ -713,8 +712,8 @@ parse_proof_success_reply (struct TALER_KYCLOGIC_ProofHandle *ph,
ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED; ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED;
ph->response ph->response
= TALER_MHD_make_error ( = TALER_MHD_make_error (
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected response from KYC gateway"); "Unexpected response from KYC gateway: data must contain id");
ph->http_status ph->http_status
= MHD_HTTP_BAD_GATEWAY; = MHD_HTTP_BAD_GATEWAY;
return; return;
@ -797,15 +796,23 @@ handle_curl_login_finished (void *cls,
const char *token_type; const char *token_type;
uint64_t expires_in_s; uint64_t expires_in_s;
const char *refresh_token; const char *refresh_token;
bool no_expires;
bool no_refresh;
struct GNUNET_JSON_Specification spec[] = { struct GNUNET_JSON_Specification spec[] = {
GNUNET_JSON_spec_string ("access_token", GNUNET_JSON_spec_string ("access_token",
&access_token), &access_token),
GNUNET_JSON_spec_string ("token_type", GNUNET_JSON_spec_string ("token_type",
&token_type), &token_type),
GNUNET_JSON_spec_uint64 ("expires_in", GNUNET_JSON_spec_mark_optional (
&expires_in_s), GNUNET_JSON_spec_uint64 ("expires_in",
GNUNET_JSON_spec_string ("refresh_token", &expires_in_s),
&refresh_token), &no_expires
),
GNUNET_JSON_spec_mark_optional (
GNUNET_JSON_spec_string ("refresh_token",
&refresh_token),
&no_refresh
),
GNUNET_JSON_spec_end () GNUNET_JSON_spec_end ()
}; };
CURL *eh; CURL *eh;
@ -824,8 +831,8 @@ handle_curl_login_finished (void *cls,
GNUNET_break_op (0); GNUNET_break_op (0);
ph->response ph->response
= TALER_MHD_make_error ( = TALER_MHD_make_error (
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected response from KYC gateway"); "Unexpected response from KYC gateway: login finished");
ph->http_status ph->http_status
= MHD_HTTP_BAD_GATEWAY; = MHD_HTTP_BAD_GATEWAY;
break; break;
@ -837,8 +844,8 @@ handle_curl_login_finished (void *cls,
GNUNET_break_op (0); GNUNET_break_op (0);
ph->response ph->response
= TALER_MHD_make_error ( = TALER_MHD_make_error (
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected token type in response from KYC gateway"); "Unexpected token type in response from KYC gateway");
ph->http_status ph->http_status
= MHD_HTTP_BAD_GATEWAY; = MHD_HTTP_BAD_GATEWAY;
break; break;
@ -858,8 +865,8 @@ handle_curl_login_finished (void *cls,
GNUNET_break_op (0); GNUNET_break_op (0);
ph->response ph->response
= TALER_MHD_make_error ( = TALER_MHD_make_error (
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE, TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Illegal character in access token"); "Illegal character in access token");
ph->http_status ph->http_status
= MHD_HTTP_BAD_GATEWAY; = MHD_HTTP_BAD_GATEWAY;
break; break;
@ -871,8 +878,8 @@ handle_curl_login_finished (void *cls,
GNUNET_break_op (0); GNUNET_break_op (0);
ph->response ph->response
= TALER_MHD_make_error ( = TALER_MHD_make_error (
TALER_EC_GENERIC_ALLOCATION_FAILURE, TALER_EC_GENERIC_ALLOCATION_FAILURE,
"curl_easy_init"); "curl_easy_init");
ph->http_status ph->http_status
= MHD_HTTP_INTERNAL_SERVER_ERROR; = MHD_HTTP_INTERNAL_SERVER_ERROR;
break; break;
@ -1008,23 +1015,24 @@ oauth2_proof (void *cls,
char *client_secret; char *client_secret;
char *authorization_code; char *authorization_code;
char *redirect_uri_encoded;
char *hps;
hps = GNUNET_STRINGS_data_to_string_alloc (&ph->h_payto,
sizeof (ph->h_payto));
GNUNET_asprintf (&redirect_uri,
"%skyc-proof/%s",
ps->exchange_base_url,
pd->section);
redirect_uri_encoded = TALER_urlencode (redirect_uri);
GNUNET_free (redirect_uri);
GNUNET_assert (NULL != redirect_uri_encoded);
client_id = curl_easy_escape (ph->eh, client_id = curl_easy_escape (ph->eh,
pd->client_id, pd->client_id,
0); 0);
GNUNET_assert (NULL != client_id); GNUNET_assert (NULL != client_id);
{
char *request_uri;
GNUNET_asprintf (&request_uri,
"%s?client_id=%s",
pd->login_url,
pd->client_id);
redirect_uri = curl_easy_escape (ph->eh,
request_uri,
0);
GNUNET_free (request_uri);
}
GNUNET_assert (NULL != redirect_uri);
client_secret = curl_easy_escape (ph->eh, client_secret = curl_easy_escape (ph->eh,
pd->client_secret, pd->client_secret,
0); 0);
@ -1036,12 +1044,13 @@ oauth2_proof (void *cls,
GNUNET_asprintf (&ph->post_body, GNUNET_asprintf (&ph->post_body,
"client_id=%s&redirect_uri=%s&client_secret=%s&code=%s&grant_type=authorization_code", "client_id=%s&redirect_uri=%s&client_secret=%s&code=%s&grant_type=authorization_code",
client_id, client_id,
redirect_uri, redirect_uri_encoded,
client_secret, client_secret,
authorization_code); authorization_code);
curl_free (authorization_code); curl_free (authorization_code);
curl_free (client_secret); curl_free (client_secret);
curl_free (redirect_uri); curl_free (redirect_uri_encoded);
curl_free (hps);
curl_free (client_id); curl_free (client_id);
} }
GNUNET_assert (CURLE_OK == GNUNET_assert (CURLE_OK ==