Merge pull request #10 from zedtux/patch-3

Adds client multiple redirect_uri (Closes #8)
brandnewbox · Jul 28, 2023 · ef6a62b · ef6a62b
2 parents 0f9e409 + e7508de
commit ef6a62b
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 28 deletions.
diff --git a/app/controllers/oidc_provider/authorizations_controller.rb b/app/controllers/oidc_provider/authorizations_controller.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module OIDCProvider
   class AuthorizationsController < ApplicationController
     include Concerns::ConnectEndpoint
@@ -8,13 +10,9 @@ class AuthorizationsController < ApplicationController
     before_action :require_authentication
 
     def create
-      puts "scopes: #{requested_scopes}"
-      authorization = Authorization.create(
-        client_id: @client.identifier,
-        nonce: oauth_request.nonce,
-        scopes: requested_scopes,
-        account: oidc_current_account
-      )
+      Rails.logger.info "scopes: #{requested_scopes}"
+
+      authorization = build_authorization_with(requested_scopes)
 
       oauth_response.code = authorization.code
       oauth_response.redirect_uri = @redirect_uri
@@ -27,21 +25,29 @@ def create
 
     private
 
+    def build_authorization_with(scopes)
+      Authorization.create(
+        client_id: @client.identifier,
+        nonce: oauth_request.nonce,
+        scopes: scopes,
+        account: oidc_current_account
+      )
+    end
+
     def require_client
       @client = ClientStore.new.find_by(identifier: oauth_request.client_id) or oauth_request.invalid_request! 'not a valid client'
-      @redirect_uri = oauth_request.verify_redirect_uri! [oauth_request.redirect_uri, @client.redirect_uri]
+      @redirect_uri = oauth_request.verify_redirect_uri! @client.redirect_uri
     end
 
     def requested_scopes
-      @requested_scopes ||= (["openid"] + OIDCProvider.supported_scopes.map(&:name)) & oauth_request.scope
+      @requested_scopes ||= (['openid'] + OIDCProvider.supported_scopes.map(&:name)) & oauth_request.scope
     end
     helper_method :requested_scopes
 
     def require_response_type_code
-      unless oauth_request.response_type == :code
-        oauth_request.unsupported_response_type!
-      end
+      return if oauth_request.response_type == :code
+
+      oauth_request.unsupported_response_type!
     end
   end
-
-end
+end
diff --git a/lib/oidc_provider/client.rb b/lib/oidc_provider/client.rb
@@ -1,14 +1,16 @@
+# frozen_string_literal: true
+
 module OIDCProvider
   class Client
     attr_accessor :identifier, :secret, :redirect_uri, :name
 
     def initialize(options = {})
       @identifier = options[:identifier]
       @secret = options[:secret]
-      @redirect_uri = options[:redirect_uri]
+      @redirect_uri = Array(options[:redirect_uri])
       @name = options[:name]
     end
   end
 end
 
-require 'oidc_provider/client/builder'
+require 'oidc_provider/client/builder'
diff --git a/lib/oidc_provider/token_endpoint.rb b/lib/oidc_provider/token_endpoint.rb
@@ -1,33 +1,46 @@
+# frozen_string_literal: true
+
 module OIDCProvider
   class TokenEndpoint
     attr_accessor :app
+
     delegate :call, to: :app
 
     def initialize
       @app = Rack::OAuth2::Server::Token.new do |req, res|
         Rails.logger.info "Client ID: #{req.client_id}"
         Rails.logger.info "Client secret: #{req.client_secret}"
         Rails.logger.info "Redirect URI: #{req.redirect_uri}"
-        client = ClientStore.new.find_by(
-          identifier: req.client_id,
-          secret: req.client_secret,
-          redirect_uri: req.redirect_uri
-        ) || req.invalid_client!
-
-        Rails.logger.info "Found a client!"
+
+        client = find_valid_client_from(req) || req.invalid_client!
+
+        Rails.logger.info 'Found a client!'
 
         case req.grant_type
         when :authorization_code
-          Rails.logger.info "Grant type was an authorization code. Correct!"
+          Rails.logger.info 'Grant type was an authorization code. Correct!'
           authorization = Authorization.valid.where(client_id: client.identifier, code: req.code).first || req.invalid_grant!
-          Rails.logger.info "We found an authorization matching this code!"
+          Rails.logger.info 'We found an authorization matching this code!'
           res.access_token = authorization.access_token.to_bearer_token
-          res.id_token = authorization.id_token.to_jwt if authorization.scopes.include?("openid")
+          res.id_token = authorization.id_token.to_jwt if authorization.scopes.include?('openid')
         else
-          Rails.logger.info "Unsupported grant type"
+          Rails.logger.info "Unsupported grant type: #{req.grant_type.inspect}"
           req.unsupported_grant_type!
         end
       end
     end
+
+    private
+
+    def find_valid_client_from(req)
+      client = ClientStore.new.find_by(
+        identifier: req.client_id,
+        secret: req.client_secret
+      )
+
+      return nil unless client
+
+      client.redirect_uri.include?(req.redirect_uri) ? client : nil
+    end
   end
-end
+end