
url-encode/decode the tokens

deiu 5 years ago
parent
commit
b028784848
4 changed files with 32 additions and 18 deletions
  1. 6 10
      auth.go
  2. 17 3
      auth_test.go
  3. 1 1
      server.go
  4. 8 4
      system.go

+ 6 - 10
auth.go

@@ -2,10 +2,10 @@ package gold
 
 import (
 	"crypto/sha256"
-	"encoding/base64"
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
 	"strconv"
 	"strings"
 	"time"
@@ -186,7 +186,7 @@ func ParseBearerAuthorizationHeader(header string) (string, error) {
 	if parts[0] != "Bearer" {
 		return "", errors.New("Not a Bearer header. Got: " + parts[0])
 	}
-	return base64decode(parts[1])
+	return decodeQuery(parts[1])
 }
 
 func NewTokenValues() map[string]string {
@@ -266,14 +266,10 @@ func saltedPassword(salt, pass string) string {
 	return toString
 }
 
-func base64encode(src string) string {
-	return base64.StdEncoding.EncodeToString([]byte(src))
+func encodeQuery(s string) string {
+	return url.QueryEscape(s)
 }
 
-func base64decode(src string) (string, error) {
-	dec, err := base64.StdEncoding.DecodeString(src)
-	if err != nil {
-		return "", err
-	}
-	return string(dec), nil
+func decodeQuery(s string) (string, error) {
+	return url.QueryUnescape(s)
 }
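Review bot: The Bearer path at `return decodeQuery(parts[1])` now runs url.QueryUnescape on an Authorization header value, which net/http does not percent-decode, so this is a contract change: clients must query-escape their token (as the test fixture does with `%3D%3D`), and a raw token containing `+` is decoded to a space. The previous base64 decode also rejected malformed input, whereas QueryUnescape accepts almost any string, so whatever consumes the returned token must now be the validation step. State the expected encoding on the exported function, e.g. `// ParseBearerAuthorizationHeader returns the query-unescaped token from a "Bearer <token>" header; the token is expected to have been escaped with encodeQuery.`, and give the two new helpers doc comments such as `// decodeQuery reverses encodeQuery (url.QueryUnescape; "+" decodes to a space).` ParseBearerAuthorizationHeader's signature and the start of its body lie outside the hunk.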

+ 17 - 3
auth_test.go

@@ -13,9 +13,9 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func TestBase64EncodeDecode(t *testing.T) {
-	str := "test"
-	dec, err := base64decode(base64encode(str))
+func TestUrlEncodeDecode(t *testing.T) {
+	str := "test#me="
+	dec, err := decodeQuery(encodeQuery(str))
 	assert.NoError(t, err)
 	assert.Equal(t, str, dec)
 }
@@ -30,6 +30,20 @@ func TestNewSecureToken(t *testing.T) {
 	assert.Equal(t, 184, len(token))
 }
 
+func TestParseBearerAuthorizationHeader(t *testing.T) {
+	decoded := "MTQ5MzMyMDM2NHx1YVUxT21EYUkxSXZKZ29VdC03NjFibDkzZGx1WEtyUEVpM21XUnVUSGh2LUQtN0ZUTTV0REVPcjNSWEIwUm1Ob2FHMm83LVkxd3d5UGZiYTZUb0pUSmRoZFBwM1BCVWxJN1drbjFMaTZ2bHloc3FtbVJnSkxfN2MzNkQ3eGFpS3FPS2JTOGdCN3NlZnNmb2lncG13ZUdDaUtWLTBmQ3BCMEhDNmVMRUNaWDdzSjlfVXxU5vqaGdhcpGEl9-qrIs-GBl2HJCXwC85bCDr_zrmbjA=="
+	encoded := "MTQ5MzMyMDM2NHx1YVUxT21EYUkxSXZKZ29VdC03NjFibDkzZGx1WEtyUEVpM21XUnVUSGh2LUQtN0ZUTTV0REVPcjNSWEIwUm1Ob2FHMm83LVkxd3d5UGZiYTZUb0pUSmRoZFBwM1BCVWxJN1drbjFMaTZ2bHloc3FtbVJnSkxfN2MzNkQ3eGFpS3FPS2JTOGdCN3NlZnNmb2lncG13ZUdDaUtWLTBmQ3BCMEhDNmVMRUNaWDdzSjlfVXxU5vqaGdhcpGEl9-qrIs-GBl2HJCXwC85bCDr_zrmbjA%3D%3D"
+	assert.Equal(t, encoded, encodeQuery(decoded))
+	dec, err := decodeQuery(encoded)
+	assert.NoError(t, err)
+	assert.Equal(t, decoded, dec)
+
+	h := "Bearer " + encoded
+	dec, err = ParseBearerAuthorizationHeader(h)
+	assert.NoError(t, err)
+	assert.Equal(t, decoded, dec)
+}
+
 func TestParseDigestAuthorizationHeader(t *testing.T) {
 	h := "WebID-RSA source=\"http://server.org/\", username=\"http://example.org/\", nonce=\"string1\", sig=\"string2\""
 	p, err := ParseDigestAuthorizationHeader(h)
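Review bot: TestParseBearerAuthorizationHeader only covers a well-formed, pre-escaped token; there is no case showing what the decode path does with a malformed escape, which is the one behaviour the switch away from base64 changed. Add a negative case such as `_, err = ParseBearerAuthorizationHeader("Bearer %zz"); assert.Error(t, err)` so a regression to a decoder that accepts anything is caught. As a point of style, Go's initialism convention would name the round-trip test `TestURLEncodeDecode` rather than `TestUrlEncodeDecode`.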

+ 1 - 1
server.go

@@ -256,7 +256,7 @@ func ProxyReq(w http.ResponseWriter, req *httpRequest, s *Server, reqUrl string)
 		}
 	}
 	if len(req.FormValue("key")) > 0 {
-		token, err := base64decode(req.FormValue("key"))
+		token, err := decodeQuery(req.FormValue("key"))
 		if err != nil {
 			s.debug.Println(err.Error())
 		}
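Review bot: `token, err := decodeQuery(req.FormValue("key"))` decodes the value a second time if httpRequest.FormValue delegates to net/http's FormValue, which already percent-decodes query parameters; the matching encodeQuery is applied when system.go builds `?key=`, so should a token ever contain `%` it would fail here and a `+` would become a space. The old base64decode undid a separate encoding layer, but with plain URL escaping that layer is the transport itself, and `token := req.FormValue("key")` is sufficient. The same double decode appears in validateRecoveryToken in system.go (`token, err := decodeQuery(req.FormValue("token"))`). Note that the existing branch below only logs a decode error and carries on, which would leave token empty; ProxyReq's body continues outside the hunk.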

+ 8 - 4
system.go

@@ -167,7 +167,7 @@ func loginRedirect(w http.ResponseWriter, req *httpRequest, s *Server, values ma
 		return SystemReturn{Status: 500, Body: "Could not generate auth token for " + values["webid"] + ", err: " + err.Error()}
 	}
 	s.debug.Println("Generated new token for", values["webid"], "->", key)
-	redirTo += "?key=" + base64encode(key)
+	redirTo += "?key=" + encodeQuery(key)
 	http.Redirect(w, req.Request, redirTo, 301)
 	return SystemReturn{Status: 200}
 }
@@ -224,7 +224,7 @@ func sendRecoveryToken(w http.ResponseWriter, req *httpRequest, s *Server) Syste
 	}
 	// create recovery URL
 	IP, _, _ := net.SplitHostPort(req.Request.RemoteAddr)
-	link := resource.Base + "/" + SystemPrefix + "/accountRecovery?token=" + token
+	link := resource.Base + "/" + SystemPrefix + "/recovery?token=" + encodeQuery(token)
 	// Setup message
 	params := make(map[string]string)
 	params["{{.To}}"] = email
@@ -237,9 +237,13 @@ func sendRecoveryToken(w http.ResponseWriter, req *httpRequest, s *Server) Syste
 }
 
 func validateRecoveryToken(w http.ResponseWriter, req *httpRequest, s *Server) SystemReturn {
-	token := req.FormValue("token")
+	token, err := decodeQuery(req.FormValue("token"))
+	if err != nil {
+		s.debug.Println("Decode query err: " + err.Error())
+		return SystemReturn{Status: 500, Body: err.Error()}
+	}
 	value := make(map[string]string)
-	err := s.cookie.Decode("Recovery", token, &value)
+	err = s.cookie.Decode("Recovery", token, &value)
 	if err != nil {
 		s.debug.Println("Decoding err: " + err.Error())
 		return SystemReturn{Status: 500, Body: err.Error()}
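Review bot: A decode failure of the client-supplied `token` form value is answered with `return SystemReturn{Status: 500, Body: err.Error()}`; a malformed token is a client error, so `Status: 400` with a fixed message such as `"invalid recovery token"` is the better response and keeps decoder internals out of the body (the pre-existing cookie.Decode branch below has the same shape). Separately, the emailed link in sendRecoveryToken changed from `/accountRecovery?token=` to `/recovery?token=`, which the commit title does not mention; confirm the route handler was updated to match, or the emailed links will no longer resolve. validateRecoveryToken continues past the end of this hunk.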