SolarNetwork/Swarm
2
3
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

♻️ Clean up OIDC provider

Browse Source
This commit is contained in:
LittleSheep
2025-08-25 23:53:04 +08:00
parent 344007af66
commit d299c32e35
2 changed files with 22 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
DysonNetwork.Pass/Auth/OidcProvider/Controllers/OidcProviderController.cs
View File

@@ -126,7 +126,6 @@ public class OidcProviderController(
[FromForm(Name = "redirect_uri")] string? redirectUri = null, [FromForm(Name = "redirect_uri")] string? redirectUri = null,
[FromForm] string? scope = null, [FromForm] string? scope = null,
[FromForm] string? state = null, [FromForm] string? state = null,
[FromForm(Name = "response_type")] string? responseType = null,
[FromForm] string? nonce = null, [FromForm] string? nonce = null,
[FromForm(Name = "code_challenge")] string? codeChallenge = null, [FromForm(Name = "code_challenge")] string? codeChallenge = null,
[FromForm(Name = "code_challenge_method")] [FromForm(Name = "code_challenge_method")]
@@ -191,7 +190,8 @@ public class OidcProviderController(
scope?.Split(' ') ?? [], scope?.Split(' ') ?? [],
codeChallenge, codeChallenge,
codeChallengeMethod, codeChallengeMethod,
nonce); nonce
);
// Build the redirect URI with the authorization code // Build the redirect URI with the authorization code
var redirectBuilder = new UriBuilder(redirectUri); var redirectBuilder = new UriBuilder(redirectUri);
@@ -307,7 +307,7 @@ public class OidcProviderController(
HttpContext.Items["CurrentSession"] is not AuthSession currentSession) return Unauthorized(); HttpContext.Items["CurrentSession"] is not AuthSession currentSession) return Unauthorized();
// Get requested scopes from the token // Get requested scopes from the token
var scopes = currentSession.Challenge.Scopes; var scopes = currentSession.Challenge?.Scopes ?? [];
var userInfo = new Dictionary<string, object> var userInfo = new Dictionary<string, object>
{ {

69
DysonNetwork.Pass/Auth/OidcProvider/Services/OidcProviderService.cs
View File

@@ -242,8 +242,23 @@ public class OidcProviderService(
throw new InvalidOperationException("Invalid authorization code"); throw new InvalidOperationException("Invalid authorization code");
// Load the session for the user // Load the session for the user
session = await FindValidSessionAsync(authCode.AccountId, clientId, withAccount: true) ?? var existingSession = await FindValidSessionAsync(authCode.AccountId, clientId, withAccount: true);
throw new InvalidOperationException("No valid session found for user");
if (existingSession is null)
{
var account = await db.Accounts
.Where(a => a.Id == authCode.AccountId)
.Include(a => a.Profile)
.Include(a => a.Contacts)
.FirstOrDefaultAsync();
if (account is null) throw new InvalidOperationException("Account not found");
session = await auth.CreateSessionForOidcAsync(account, clock.GetCurrentInstant(), clientId);
session.Account = account;
}
else
{
session = existingSession;
}
scopes = authCode.Scopes; scopes = authCode.Scopes;
nonce = authCode.Nonce; nonce = authCode.Nonce;
@@ -369,52 +384,6 @@ public class OidcProviderService(
return Convert.ToBase64String(session.Id.ToByteArray()); return Convert.ToBase64String(session.Id.ToByteArray());
} }
private static bool VerifyHashedSecret(string secret, string hashedSecret)
{
// In a real implementation, you'd use a proper password hashing algorithm like PBKDF2, bcrypt, or Argon2
// For now, we'll do a simple comparison, but you should replace this with proper hashing
return string.Equals(secret, hashedSecret, StringComparison.Ordinal);
}
public async Task<string> GenerateAuthorizationCodeForReuseSessionAsync(
AuthSession session,
Guid clientId,
string redirectUri,
IEnumerable<string> scopes,
string? codeChallenge = null,
string? codeChallengeMethod = null,
string? nonce = null)
{
var clock = SystemClock.Instance;
var now = clock.GetCurrentInstant();
var code = Guid.NewGuid().ToString("N");
// Update the session's last activity time
await db.AuthSessions.Where(s => s.Id == session.Id)
.ExecuteUpdateAsync(s => s.SetProperty(s => s.LastGrantedAt, now));
// Create the authorization code info
var authCodeInfo = new AuthorizationCodeInfo
{
ClientId = clientId,
AccountId = session.AccountId,
RedirectUri = redirectUri,
Scopes = scopes.ToList(),
CodeChallenge = codeChallenge,
CodeChallengeMethod = codeChallengeMethod,
Nonce = nonce,
CreatedAt = now
};
// Store the code with its metadata in the cache
var cacheKey = $"auth:code:{code}";
await cache.SetAsync(cacheKey, authCodeInfo, _options.AuthorizationCodeLifetime);
logger.LogInformation("Generated authorization code for client {ClientId} and user {UserId}", clientId,
session.AccountId);
return code;
}
public async Task<string> GenerateAuthorizationCodeAsync( public async Task<string> GenerateAuthorizationCodeAsync(
Guid clientId, Guid clientId,
Guid userId, Guid userId,
@@ -444,7 +413,7 @@ public class OidcProviderService(
}; };
// Store the code with its metadata in the cache // Store the code with its metadata in the cache
var cacheKey = $"auth:code:{code}"; var cacheKey = $"auth:oidc-code:{code}";
await cache.SetAsync(cacheKey, authCodeInfo, _options.AuthorizationCodeLifetime); await cache.SetAsync(cacheKey, authCodeInfo, _options.AuthorizationCodeLifetime);
logger.LogInformation("Generated authorization code for client {ClientId} and user {UserId}", clientId, userId); logger.LogInformation("Generated authorization code for client {ClientId} and user {UserId}", clientId, userId);
@@ -458,7 +427,7 @@ public class OidcProviderService(
string? codeVerifier = null string? codeVerifier = null
) )
{ {
var cacheKey = $"auth:code:{code}"; var cacheKey = $"auth:oidc-code:{code}";
var (found, authCode) = await cache.GetAsyncWithStatus<AuthorizationCodeInfo>(cacheKey); var (found, authCode) = await cache.GetAsyncWithStatus<AuthorizationCodeInfo>(cacheKey);
if (!found || authCode == null) if (!found || authCode == null)