mirror of
https://github.com/zerotier/ZeroTierOne.git
synced 2025-06-05 03:53:44 +02:00
Fix hash verification on refresh
This commit is contained in:
Grant Limberg
parent
8fccf3136c
commit
a69e91c541
1 changed files with 115 additions and 85 deletions
|
|
@ -159,6 +159,10 @@ impl ZeroIDC {
|
|||
(*inner_local.lock().unwrap()).running = true;
|
||||
let mut running = true;
|
||||
|
||||
// Keep a copy of the initial nonce used to get the tokens
|
||||
// Will be needed later when verifying the responses from refresh tokens
|
||||
let nonce = (*inner_local.lock().unwrap()).nonce.clone();
|
||||
|
||||
while running {
|
||||
let exp = UNIX_EPOCH + Duration::from_secs((*inner_local.lock().unwrap()).exp_time);
|
||||
let now = SystemTime::now();
|
||||
|
|
@ -169,38 +173,47 @@ impl ZeroIDC {
|
|||
let refresh_token = (*inner_local.lock().unwrap()).refresh_token.clone();
|
||||
if let Some(refresh_token) = refresh_token {
|
||||
if now >= (exp - Duration::from_secs(30)) {
|
||||
let nonce = (*inner_local.lock().unwrap()).nonce.clone();
|
||||
let token_response = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
|
||||
let res = c.exchange_refresh_token(&refresh_token)
|
||||
.request(http_client);
|
||||
|
||||
res
|
||||
});
|
||||
|
||||
if let Some(res) = token_response {
|
||||
match res {
|
||||
Ok(res) => {
|
||||
let n = match nonce {
|
||||
|
||||
let n = match nonce.clone() {
|
||||
Some(n) => n,
|
||||
None => {
|
||||
return None;
|
||||
println!("err: no nonce");
|
||||
continue;
|
||||
}
|
||||
};
|
||||
|
||||
let id = match res.id_token() {
|
||||
Some(t) => t,
|
||||
None => {
|
||||
return None;
|
||||
println!("err: no id_token");
|
||||
continue;
|
||||
}
|
||||
};
|
||||
|
||||
let verified = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
|
||||
let claims = match id.claims(&c.id_token_verifier(), &n) {
|
||||
Ok(c) => c,
|
||||
Err(_e) => {
|
||||
return None;
|
||||
Err(e) => {
|
||||
println!("claims err: {}", e);
|
||||
return false;
|
||||
}
|
||||
};
|
||||
|
||||
let signing_algo = match id.signing_alg() {
|
||||
Ok(s) => s,
|
||||
Err(_) => {
|
||||
return None;
|
||||
Err(e) => {
|
||||
println!("alg err: {}", e);
|
||||
return false;
|
||||
}
|
||||
};
|
||||
|
||||
|
|
@ -209,24 +222,34 @@ impl ZeroIDC {
|
|||
Ok(h) => h,
|
||||
Err(e) => {
|
||||
println!("Error hashing access token: {}", e);
|
||||
return None;
|
||||
return false;
|
||||
}
|
||||
};
|
||||
|
||||
if actual_hash != *expected_hash {
|
||||
println!("token hash error");
|
||||
return None;
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return Some(res);
|
||||
},
|
||||
Err(_e) => {
|
||||
return None;
|
||||
}
|
||||
};
|
||||
return true;
|
||||
});
|
||||
|
||||
if let Some(Some(res)) = token_response{
|
||||
match verified {
|
||||
Some(verified) => {
|
||||
if !verified {
|
||||
println!("not verified.");
|
||||
(*inner_local.lock().unwrap()).running = false;
|
||||
break;
|
||||
}
|
||||
},
|
||||
None => {
|
||||
println!("no verification performed?");
|
||||
(*inner_local.lock().unwrap()).running = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
match res.id_token() {
|
||||
Some(id_token) => {
|
||||
let params = [("id_token", id_token.to_string()),("state", "refresh".to_string())];
|
||||
|
|
@ -284,6 +307,13 @@ impl ZeroIDC {
|
|||
println!("no id token?!?");
|
||||
}
|
||||
}
|
||||
},
|
||||
Err(e) => {
|
||||
println!("token error: {}", e);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
println!("token response??");
|
||||
}
|
||||
} else {
|
||||
println!("waiting to refresh");
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue