From 2dd9b7ab412a6e4e2cfba103ba0f4c32c44f038f Mon Sep 17 00:00:00 2001
From: Denis Arh
Date: Sat, 27 Mar 2021 17:08:47 +0100
Subject: [PATCH] More flexible auth client redirect URI checking

---
 auth/auth.go | 6 ++----
 auth/oauth2/oauth2.go | 37 ++++++++++++++++++-------------------
 2 files changed, 20 insertions(+), 23 deletions(-)

diff --git a/auth/auth.go b/auth/auth.go
index f369a7d89..7009f549b 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -58,10 +58,7 @@ func New(ctx context.Context, log *zap.Logger, s store.Storer, opt options.AuthO
 		settings: &settings.Settings{ /* all disabled by default. */ },
 	}
 
-	// use modified logger for the rest
-	if opt.LogEnabled {
-		log = log.WithOptions(zap.AddStacktrace(zap.PanicLevel))
-	} else {
+	if !opt.LogEnabled {
 		log = zap.NewNop()
 	}
 
@@ -69,6 +66,7 @@ func New(ctx context.Context, log *zap.Logger, s store.Storer, opt options.AuthO
 
 	oauth2Manager := oauth2.NewManager(
 		opt,
+		log,
 		&oauth2.ContextClientStore{},
 		&oauth2.CortezaTokenStore{Store: s},
 	)
diff --git a/auth/oauth2/oauth2.go b/auth/oauth2/oauth2.go
index a9677c1b8..8b9ce0f2e 100644
--- a/auth/oauth2/oauth2.go
+++ b/auth/oauth2/oauth2.go
@@ -9,7 +9,6 @@ import (
 	"github.com/go-oauth2/oauth2/v4/manage"
 	"github.com/go-oauth2/oauth2/v4/server"
 	"go.uber.org/zap"
-	"net/url"
 	"strings"
 )
 
@@ -17,7 +16,7 @@ const (
 	RedirectUriSeparator = " "
 )
 
-func NewManager(opt options.AuthOpt, cs oauth2.ClientStore, ts oauth2.TokenStore) *manage.Manager {
+func NewManager(opt options.AuthOpt, log *zap.Logger, cs oauth2.ClientStore, ts oauth2.TokenStore) *manage.Manager {
 	manager := manage.NewDefaultManager()
 	manager.SetAuthorizeCodeTokenCfg(manage.DefaultAuthorizeCodeTokenCfg)
 
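Review bot: The removal of `zap.AddStacktrace(zap.PanicLevel)` in the first auth.go hunk is a logging behaviour change — stack traces now follow whatever the caller's logger was built with instead of being limited to panics — that neither the subject line nor the remaining code explains. If that is intended, a short comment on the new branch, `// keep the caller's logger as-is; only silence it entirely when auth logging is disabled`, would record it; otherwise the option should stay on the enabled path. The enclosing `New` continues outside the hunk.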
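Review bot: The new `log *zap.Logger` parameter of `NewManager` is used unguarded by the validate-URI handler registered later in this function (next hunk), so a nil logger from another caller would panic at the first validation; `if log == nil { log = zap.NewNop() }` at the top of the function would keep the exported constructor safe. `NewManager` is exported and still has no doc comment — `// NewManager builds the oauth2 manage.Manager for the given options, logger and client/token stores.` above the signature would fix that. The function body continues outside the hunk.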
@@ -29,27 +28,27 @@ func NewManager(opt options.AuthOpt, cs oauth2.ClientStore, ts oauth2.TokenStore
 	manager.MapClientStorage(cs)
 
 	manager.SetValidateURIHandler(func(baseURI, redirectURI string) (err error) {
+		if baseURI == "" {
+			log.Debug(
+				"redirect URI check for client is disabled (empty validation list)",
+				zap.String("sent", redirectURI),
+			)
+
+			return nil
+		}
+
 		var (
-			base, redirect *url.URL
+			valid = strings.Split(baseURI, RedirectUriSeparator)
 		)
 
-		redirect, err = url.Parse(redirectURI)
-		if err != nil {
-			return err
-		}
+		log.Debug(
+			"matching redirectURI",
+			zap.String("sent", redirectURI),
+			zap.Strings("valid", valid),
+		)
 
-		// allow port only when using localhost as redirect
-		if redirect.Port() != "" && redirect.Hostname() != "localhost" {
-			return errors.ErrInvalidRedirectURI
-		}
-
-		for _, baseURI = range strings.Split(baseURI, RedirectUriSeparator) {
-			base, err = url.Parse(baseURI)
-			if err != nil {
-				return err
-			}
-
-			if strings.HasPrefix(redirect.String(), base.String()) {
+		for _, baseURI = range valid {
+			if strings.HasPrefix(redirectURI, baseURI) {
 				return nil
 			}
 		}
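Review bot: The new early `return nil` for an empty `baseURI` at the top of the validate-URI handler turns a client with no registered redirect URIs into one that accepts any redirect target, and records that only at Debug level; an OAuth redirect check should fail closed here (`return errors.ErrInvalidRedirectURI`), or at the very least log at Warn so an unvalidated redirect is visible to operators. The `strings.Split` on `RedirectUriSeparator` has a related fail-open edge: a doubled or trailing separator in the stored list yields an empty entry in `valid`, and `strings.HasPrefix(redirectURI, "")` is true for every input — `valid = strings.Fields(baseURI)` (or `continue` on empty entries) closes it. Replacing the parsed comparison with a raw `strings.HasPrefix(redirectURI, baseURI)` also drops the old localhost-only port rule and any URL normalisation, so a registered URI with a different port now passes and host-level prefix matches remain possible; the OAuth 2.0 Security BCP recommends exact string matching of registered redirect URIs, or at minimum comparing parsed scheme, host and port and prefix-matching only the path. The handler body, including the rejection after the loop, continues outside the hunk.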