taler/exchange
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix kyc-proof handle

Browse Source 
1.- redirect_uri has an extra slash
2.- response_type=code is required https://www.rfc-editor.org/rfc/rfc6749#section-3.1.1
3.- add more info to "Unexpected response from KYC gateway"
4.- relax the requirements on the login response, marked as optional
5.- redirect_uri should be the same when exchanging the code for the access_token,
6.- remove legi and payto from kyc-proof path
7.- use state to transport h_payto https://www.rfc-editor.org/rfc/rfc6749#section-4.1.1
This commit is contained in:
Sebastian 2023-01-13 12:15:45 -03:00
parent 4374b1868e
commit f8ddd0b685
No known key found for this signature in database
GPG Key ID: BE4FF68352439FC1
2 changed files with 70 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
src/exchange/taler-exchange-httpd_kyc-proof.c
View File

@ -259,27 +259,39 @@ TEH_handler_kyc_proof (
const char *const args[3])
{
struct KycProofContext *kpc = rc->rh_ctx;
const char *h_payto;
if (NULL == kpc)
{
/* first time */
if ( (NULL == args[0]) ||
(NULL == args[1]) )
if ( (NULL == args[0]))
{
GNUNET_break_op (0);
return TALER_MHD_reply_with_error (rc->connection,
MHD_HTTP_NOT_FOUND,
TALER_EC_GENERIC_ENDPOINT_UNKNOWN,
"'/kyc-proof/$H_PATYO/$LOGIC' required");
"'/kyc-proof/$LOGIC?state=$H_PAYTO' required");
}
h_payto = MHD_lookup_connection_value (rc->connection,
MHD_GET_ARGUMENT_KIND,
"state");
if ( (NULL == h_payto) )
{
GNUNET_break_op (0);
return TALER_MHD_reply_with_error (rc->connection,
MHD_HTTP_BAD_REQUEST,
TALER_EC_GENERIC_PARAMETER_MALFORMED,
"h_payto");
}
kpc = GNUNET_new (struct KycProofContext);
kpc->rc = rc;
rc->rh_ctx = kpc;
rc->rh_cleaner = &clean_kpc;
if (GNUNET_OK !=
GNUNET_STRINGS_string_to_data (args[0],
strlen (args[0]),
GNUNET_STRINGS_string_to_data (h_payto,
strlen (h_payto),
&kpc->h_payto,
sizeof (kpc->h_payto)))
{
@ -290,7 +302,7 @@ TEH_handler_kyc_proof (
"h_payto");
}
if (GNUNET_OK !=
TALER_KYCLOGIC_lookup_logic (args[1],
TALER_KYCLOGIC_lookup_logic (args[0],
&kpc->logic,
&kpc->pd,
&kpc->provider_section))
@ -299,14 +311,14 @@ TEH_handler_kyc_proof (
return TALER_MHD_reply_with_error (rc->connection,
MHD_HTTP_NOT_FOUND,
TALER_EC_EXCHANGE_KYC_GENERIC_LOGIC_UNKNOWN,
args[1]);
args[0]);
}
if (NULL != kpc->provider_section)
{
enum GNUNET_DB_QueryStatus qs;
struct GNUNET_TIME_Absolute expiration;
if (0 != strcmp (args[1],
if (0 != strcmp (args[0],
kpc->provider_section))
{
GNUNET_break_op (0);
@ -352,7 +364,7 @@ TEH_handler_kyc_proof (
}
kpc->ph = kpc->logic->proof (kpc->logic->cls,
kpc->pd,
&args[2],
&args[1],
rc->connection,
&kpc->h_payto,
kpc->process_row,

87
src/kyclogic/plugin_kyclogic_oauth2.c
View File

@ -474,18 +474,17 @@ initiate_task (void *cls)
hps = GNUNET_STRINGS_data_to_string_alloc (&ih->h_payto,
sizeof (ih->h_payto));
GNUNET_asprintf (&redirect_uri,
"%s/kyc-proof/%s/%s/%s",
"%skyc-proof/%s",
ps->exchange_base_url,
hps,
pd->section,
legi_s);
pd->section);
redirect_uri_encoded = TALER_urlencode (redirect_uri);
GNUNET_free (redirect_uri);
GNUNET_asprintf (&url,
"%s?client_id=%s&redirect_uri=%s",
"%s?response_type=code&client_id=%s&redirect_uri=%s&state=%s",
pd->login_url,
pd->client_id,
redirect_uri_encoded);
redirect_uri_encoded,
hps);
GNUNET_free (redirect_uri_encoded);
ih->cb (ih->cb_cls,
TALER_EC_NONE,
@ -610,8 +609,8 @@ handle_proof_error (struct TALER_KYCLOGIC_ProofHandle *ph,
ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED;
ph->response
= TALER_MHD_make_error (
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected response from KYC gateway");
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected response from KYC gateway: proof error");
ph->http_status
= MHD_HTTP_BAD_GATEWAY;
return;
@ -678,8 +677,8 @@ parse_proof_success_reply (struct TALER_KYCLOGIC_ProofHandle *ph,
ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED;
ph->response
= TALER_MHD_make_error (
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected response from KYC gateway");
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected response from KYC gateway: proof success must contain data and status");
ph->http_status
= MHD_HTTP_BAD_GATEWAY;
return;
@ -713,8 +712,8 @@ parse_proof_success_reply (struct TALER_KYCLOGIC_ProofHandle *ph,
ph->status = TALER_KYCLOGIC_STATUS_PROVIDER_FAILED;
ph->response
= TALER_MHD_make_error (
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected response from KYC gateway");
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected response from KYC gateway: data must contain id");
ph->http_status
= MHD_HTTP_BAD_GATEWAY;
return;
@ -797,15 +796,23 @@ handle_curl_login_finished (void *cls,
const char *token_type;
uint64_t expires_in_s;
const char *refresh_token;
bool no_expires;
bool no_refresh;
struct GNUNET_JSON_Specification spec[] = {
GNUNET_JSON_spec_string ("access_token",
&access_token),
GNUNET_JSON_spec_string ("token_type",
&token_type),
GNUNET_JSON_spec_uint64 ("expires_in",
&expires_in_s),
GNUNET_JSON_spec_string ("refresh_token",
&refresh_token),
GNUNET_JSON_spec_mark_optional (
GNUNET_JSON_spec_uint64 ("expires_in",
&expires_in_s),
&no_expires
),
GNUNET_JSON_spec_mark_optional (
GNUNET_JSON_spec_string ("refresh_token",
&refresh_token),
&no_refresh
),
GNUNET_JSON_spec_end ()
};
CURL *eh;
@ -824,8 +831,8 @@ handle_curl_login_finished (void *cls,
GNUNET_break_op (0);
ph->response
= TALER_MHD_make_error (
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected response from KYC gateway");
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected response from KYC gateway: login finished");
ph->http_status
= MHD_HTTP_BAD_GATEWAY;
break;
@ -837,8 +844,8 @@ handle_curl_login_finished (void *cls,
GNUNET_break_op (0);
ph->response
= TALER_MHD_make_error (
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected token type in response from KYC gateway");
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Unexpected token type in response from KYC gateway");
ph->http_status
= MHD_HTTP_BAD_GATEWAY;
break;
@ -858,8 +865,8 @@ handle_curl_login_finished (void *cls,
GNUNET_break_op (0);
ph->response
= TALER_MHD_make_error (
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Illegal character in access token");
TALER_EC_EXCHANGE_KYC_PROOF_BACKEND_INVALID_RESPONSE,
"Illegal character in access token");
ph->http_status
= MHD_HTTP_BAD_GATEWAY;
break;
@ -871,8 +878,8 @@ handle_curl_login_finished (void *cls,
GNUNET_break_op (0);
ph->response
= TALER_MHD_make_error (
TALER_EC_GENERIC_ALLOCATION_FAILURE,
"curl_easy_init");
TALER_EC_GENERIC_ALLOCATION_FAILURE,
"curl_easy_init");
ph->http_status
= MHD_HTTP_INTERNAL_SERVER_ERROR;
break;
@ -1008,23 +1015,24 @@ oauth2_proof (void *cls,
char *client_secret;
char *authorization_code;
char *redirect_uri_encoded;
char *hps;
hps = GNUNET_STRINGS_data_to_string_alloc (&ph->h_payto,
sizeof (ph->h_payto));
GNUNET_asprintf (&redirect_uri,
"%skyc-proof/%s",
ps->exchange_base_url,
pd->section);
redirect_uri_encoded = TALER_urlencode (redirect_uri);
GNUNET_free (redirect_uri);
GNUNET_assert (NULL != redirect_uri_encoded);
client_id = curl_easy_escape (ph->eh,
pd->client_id,
0);
GNUNET_assert (NULL != client_id);
{
char *request_uri;
GNUNET_asprintf (&request_uri,
"%s?client_id=%s",
pd->login_url,
pd->client_id);
redirect_uri = curl_easy_escape (ph->eh,
request_uri,
0);
GNUNET_free (request_uri);
}
GNUNET_assert (NULL != redirect_uri);
client_secret = curl_easy_escape (ph->eh,
pd->client_secret,
0);
@ -1036,12 +1044,13 @@ oauth2_proof (void *cls,
GNUNET_asprintf (&ph->post_body,
"client_id=%s&redirect_uri=%s&client_secret=%s&code=%s&grant_type=authorization_code",
client_id,
redirect_uri,
redirect_uri_encoded,
client_secret,
authorization_code);
curl_free (authorization_code);
curl_free (client_secret);
curl_free (redirect_uri);
curl_free (redirect_uri_encoded);
curl_free (hps);
curl_free (client_id);
}
GNUNET_assert (CURLE_OK ==