Redirect settings action to consent and update settings action respon…

…se type #3813
authgear · Feb 28, 2024 · 70da13b · 70da13b
1 parent 8a6c22a
commit 70da13b
Show file tree

Hide file tree

Showing 10 changed files with 2,047 additions and 3,549 deletions.
diff --git a/pkg/auth/handler/webapp/settings_change_password.go b/pkg/auth/handler/webapp/settings_change_password.go
@@ -30,11 +30,10 @@ func ConfigureSettingsChangePasswordRoute(route httproute.Route) httproute.Route
 }
 
 type SettingsChangePasswordHandler struct {
-	ControllerFactory   ControllerFactory
-	BaseViewModel       *viewmodels.BaseViewModeler
-	Renderer            Renderer
-	PasswordPolicy      PasswordPolicy
-	OAuthClientResolver WebappOAuthClientResolver
+	ControllerFactory ControllerFactory
+	BaseViewModel     *viewmodels.BaseViewModeler
+	Renderer          Renderer
+	PasswordPolicy    PasswordPolicy
 }
 
 func (h *SettingsChangePasswordHandler) GetData(r *http.Request, rw http.ResponseWriter) (map[string]interface{}, error) {
@@ -76,7 +75,7 @@ func (h *SettingsChangePasswordHandler) ServeHTTP(w http.ResponseWriter, r *http
 	ctrl.PostAction("", func() error {
 		userID := ctrl.RequireUserID()
 		opts := webapp.SessionOptions{
-			RedirectURI: webapp.DeriveSettingsRedirectURIFromRequest(r, h.OAuthClientResolver, "/settings"),
+			RedirectURI: ctrl.RedirectURI(),
 		}
 		intent := intents.NewIntentChangePrimaryPassword(userID)
 		result, err := ctrl.EntryPointPost(opts, intent, func() (input interface{}, err error) {

diff --git a/pkg/auth/webapp/redirect.go b/pkg/auth/webapp/redirect.go
@@ -19,43 +19,6 @@ type OAuthClientResolver interface {
 	ResolveClient(clientID string) *config.OAuthClientConfig
 }
 
-func DeriveSettingsRedirectURIFromRequest(r *http.Request, clientResolver OAuthClientResolver, defaultURI string) string {
-	// 1. Redirect URL in query param (must be whitelisted)
-	// 2. Default redirect URL
-	// 3. `/settings`
-	redirectURIFromQuery := func() string {
-		clientID := r.URL.Query().Get("client_id")
-		redirectURI := r.URL.Query().Get("redirect_uri")
-		if clientID == "" {
-			return ""
-		}
-		client := clientResolver.ResolveClient(clientID)
-		if client == nil {
-			return ""
-		}
-
-		allowed := true
-		// 1. Redirect URL in query param (must be whitelisted)
-		if allowed && redirectURI != "" {
-			return redirectURI
-		}
-
-		return ""
-	}()
-
-	if redirectURIFromQuery != "" {
-		return redirectURIFromQuery
-	}
-
-	// 2. Default redirect URL
-	if defaultURI != "" {
-		return defaultURI
-	}
-
-	// 3. `/settings`
-	return "/settings"
-}
-
 func DerivePostLoginRedirectURIFromRequest(r *http.Request, clientResolver OAuthClientResolver, uiConfig *config.UIConfig) string {
 	// 1. Redirect URL in query param (must be whitelisted)
 	// 2. Default redirect URL of the client
@@ -72,8 +35,10 @@ func DerivePostLoginRedirectURIFromRequest(r *http.Request, clientResolver OAuth
 			return ""
 		}
 
+		allowedURIs := client.RedirectURIs
 		allowed := false
-		for _, u := range client.RedirectURIs {
+
+		for _, u := range allowedURIs {
 			if u == redirectURI {
 				allowed = true
 				break

diff --git a/pkg/auth/webapp/service2.go b/pkg/auth/webapp/service2.go
@@ -15,22 +15,12 @@ import (
 	"github.com/authgear/authgear-server/pkg/lib/interaction"
 	"github.com/authgear/authgear-server/pkg/lib/interaction/intents"
 	"github.com/authgear/authgear-server/pkg/lib/interaction/nodes"
-	"github.com/authgear/authgear-server/pkg/lib/oauth"
-	"github.com/authgear/authgear-server/pkg/lib/oauth/handler"
-	"github.com/authgear/authgear-server/pkg/lib/oauth/oauthsession"
-	"github.com/authgear/authgear-server/pkg/lib/oauth/oidc"
-	"github.com/authgear/authgear-server/pkg/lib/oauth/protocol"
-	"github.com/authgear/authgear-server/pkg/lib/session"
 	"github.com/authgear/authgear-server/pkg/util/log"
 	"github.com/authgear/authgear-server/pkg/util/setutil"
 )
 
 type UIInfoResolver interface {
 	SetAuthenticationInfoInQuery(redirectURI string, e *authenticationinfo.Entry) string
-	ResolveForAuthorizationEndpoint(
-		client *config.OAuthClientConfig,
-		req protocol.AuthorizationRequest,
-	) (*oidc.UIInfo, *oidc.UIInfoByProduct, error)
 }
 
 type SessionStore interface {
@@ -59,22 +49,19 @@ func NewServiceLogger(lf *log.Factory) ServiceLogger {
 }
 
 type Service2 struct {
-	Logger                     ServiceLogger
-	Request                    *http.Request
-	Sessions                   SessionStore
-	SessionCookie              SessionCookieDef
-	SignedUpCookie             SignedUpCookieDef
-	MFADeviceTokenCookie       mfa.CookieDef
-	ErrorCookie                *ErrorCookie
-	Cookies                    CookieManager
-	OAuthConfig                *config.OAuthConfig
-	UIConfig                   *config.UIConfig
-	TrustProxy                 config.TrustProxy
-	UIInfoResolver             UIInfoResolver
-	OAuthClientResolver        OAuthClientResolver
-	OAuthSessions              oauthsession.StoreRedis
-	SettingsActionGrantService handler.SettingsActionGrantService
-	Authorizations             handler.AuthorizationService
+	Logger               ServiceLogger
+	Request              *http.Request
+	Sessions             SessionStore
+	SessionCookie        SessionCookieDef
+	SignedUpCookie       SignedUpCookieDef
+	MFADeviceTokenCookie mfa.CookieDef
+	ErrorCookie          *ErrorCookie
+	Cookies              CookieManager
+	OAuthConfig          *config.OAuthConfig
+	UIConfig             *config.UIConfig
+	TrustProxy           config.TrustProxy
+	UIInfoResolver       UIInfoResolver
+	OAuthClientResolver  OAuthClientResolver
 
 	Graph GraphService
 }
@@ -551,16 +538,6 @@ func (s *Service2) afterPost(
 func (s *Service2) deriveFinishRedirectURI(session *Session, graph *interaction.Graph) (redirectURI string) {
 	defer func() {
 		if e, ok := graph.GetAuthenticationInfoEntry(); ok {
-			code, err := s.generateSettingsActionGrant(redirectURI, e)
-			if err != nil {
-				panic(err)
-			}
-
-			if code != "" {
-				e = &authenticationinfo.Entry{
-					ID: code,
-				}
-			}
 			redirectURI = s.UIInfoResolver.SetAuthenticationInfoInQuery(redirectURI, e)
 		}
 	}()
@@ -587,68 +564,6 @@ func (s *Service2) deriveFinishRedirectURI(session *Session, graph *interaction.
 	return
 }
 
-func (s *Service2) generateSettingsActionGrant(redirectURI string, e *authenticationinfo.Entry) (string, error) {
-	entry, err := s.OAuthSessions.Get(e.OAuthSessionID)
-	if err != nil {
-		return "", err
-	}
-
-	req := entry.T.AuthorizationRequest
-	if req.ResponseType() != "settings_action" {
-		return "", nil
-	}
-
-	result := entry.T.SettingsActionResult
-	if result == nil {
-		return "", nil
-	}
-
-	client := s.OAuthClientResolver.ResolveClient(entry.T.AuthorizationRequest.ClientID())
-
-	// Assume prompt=none for settings action
-	_, uiInfoByProduct, err := s.UIInfoResolver.ResolveForAuthorizationEndpoint(client, req)
-	if err != nil {
-		return "", err
-	}
-	idTokenHintSID := uiInfoByProduct.IDTokenHintSID
-
-	authenticationInfo := e.T
-	autoGrantAuthz := client.IsFirstParty()
-	var authz *oauth.Authorization
-	r := entry.T.AuthorizationRequest
-	if autoGrantAuthz {
-		authz, err = s.Authorizations.CheckAndGrant(
-			r.ClientID(),
-			authenticationInfo.UserID,
-			r.Scope(),
-		)
-	} else {
-		authz, err = s.Authorizations.Check(
-			r.ClientID(),
-			authenticationInfo.UserID,
-			r.Scope(),
-		)
-	}
-	if err != nil {
-		return "", err
-	}
-
-	ss := session.GetSession(s.Request.Context())
-	code, _, err := s.SettingsActionGrantService.CreateSettingsActionGrant(&handler.CreateSettingsActionGrantOptions{
-		Authorization:        authz,
-		IDPSessionID:         ss.SessionID(),
-		AuthenticationInfo:   authenticationInfo,
-		IDTokenHintSID:       idTokenHintSID,
-		RedirectURI:          req.RedirectURI(),
-		AuthorizationRequest: req,
-	})
-	if err != nil {
-		return "", err
-	}
-
-	return code, nil
-}
-
 func deriveSessionStepKind(graph *interaction.Graph) SessionStepKind {
 	switch currentNode := graph.CurrentNode().(type) {
 	case *nodes.NodeUseIdentityOAuthProvider: