From 7a372cc0648cd4b2c6d5eb4ea67671ea1f8a9ed2 Mon Sep 17 00:00:00 2001 From: ritou Date: Fri, 27 Apr 2018 00:29:37 +0900 Subject: [PATCH 1/2] add state param to AuthZ request and verify it --- auth/web/controllers/auth_controller.ex | 29 +++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/auth/web/controllers/auth_controller.ex b/auth/web/controllers/auth_controller.ex index 3de8ad6..4be7c47 100644 --- a/auth/web/controllers/auth_controller.ex +++ b/auth/web/controllers/auth_controller.ex @@ -7,7 +7,11 @@ defmodule GoogleOAuth2Example.AuthController do be used to request an access token. The access token will then be used to access protected resources on behalf of the user. """ - def callback(conn, %{"code" => code}) do + def callback(conn, %{"code" => code, "state" => state}) when is_binary(state) do + if conn |> get_session(:state) != state do + raise "state parameter is invalid." + end + # Exchange an auth code for an access token client = Google.get_token!(code: code) @@ -36,9 +40,9 @@ defmodule GoogleOAuth2Example.AuthController do This action is reached via `/auth` and redirects to the Google OAuth2 provider. """ def index(conn, _params) do - redirect conn, external: Google.authorize_url!( - scope: "https://www.googleapis.com/auth/userinfo.email" - ) + conn + |> set_state() + |> redirect_to_authrization_url() end def delete(conn, _params) do @@ -47,4 +51,21 @@ defmodule GoogleOAuth2Example.AuthController do |> configure_session(drop: true) |> redirect(to: "/") end + + defp set_state(conn) do + case conn |> get_session(:state) do + nil -> + state = :crypto.strong_rand_bytes(32) |> Base.encode64 |> binary_part(0, 32) + conn |> put_session(:state, state) + _ -> conn + end + end + + defp redirect_to_authrization_url(conn) do + conn + |> redirect( external: Google.authorize_url!( + state: conn |> get_session(:state), + scope: "https://www.googleapis.com/auth/userinfo.email" + )) + end end From b6ef8637dc303a03054a0470a57e0430b0313842 Mon Sep 17 00:00:00 2001 From: ritou Date: Fri, 27 Apr 2018 00:34:05 +0900 Subject: [PATCH 2/2] use Base64 "URL" encode --- auth/web/controllers/auth_controller.ex | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/web/controllers/auth_controller.ex b/auth/web/controllers/auth_controller.ex index 4be7c47..a2e2313 100644 --- a/auth/web/controllers/auth_controller.ex +++ b/auth/web/controllers/auth_controller.ex @@ -55,7 +55,7 @@ defmodule GoogleOAuth2Example.AuthController do defp set_state(conn) do case conn |> get_session(:state) do nil -> - state = :crypto.strong_rand_bytes(32) |> Base.encode64 |> binary_part(0, 32) + state = :crypto.strong_rand_bytes(32) |> Base.url_encode64 |> binary_part(0, 32) conn |> put_session(:state, state) _ -> conn end