Extract client_id from HTTP referer #55

nelsonic · 2020-04-28T06:59:09Z

auth_plug sends the client_id to the auth_url when no valid JWT is found: lib/auth_plug.ex#L167
We need to verify the client_id (decode_decrypt/1 followed by lookup in apikeys)
and if the client_id is valid, use the client_secret to sign the JWT on successful authentication.

Todo

Extract the client_id from the HTTP referer
- Check if the client_id is valid before displaying the "login buttons" page
  - If client_id not valid, return a friendly Error: 401: AUTH_API_KEY not valid
Include the client_id in the state prop that gets sent to GitHub/Google
I checked and it's RFC3986 compliant to have multiple question marks in a URL Query:
https://stackoverflow.com/questions/2924160/is-it-valid-more-than-one-question-mark-in-a-url
Extract the the client_id from the state (returned by Auth Provider)
Confirm that it's still valid (not altered by the Auth Provider > decode_decrypt/1)
Lookup the client_id in apikeys
Use corresponding client_secret to sign JWT
Redirect back to original HTTP referer with JWT

With the completion of this issue Auth dwyl/app#268 will be fully functional!
Let's get it done!

The text was updated successfully, but these errors were encountered:

nelsonic · 2020-04-28T10:38:59Z

nelsonic · 2020-04-28T21:42:51Z

Extracting the client_id from the URL query params works:

… in apikeys #55

nelsonic · 2020-04-29T17:24:17Z

This is working. ✅
See: #43

nelsonic self-assigned this Apr 28, 2020

nelsonic added this to To do in dwyl app Apr 28, 2020

nelsonic moved this from To do to In progress in dwyl app Apr 28, 2020

nelsonic mentioned this issue Apr 28, 2020

EPIC: AUTH_API_KEY How to Run the App with a Single Environment Variable #42

Closed

4 tasks

nelsonic added a commit that referenced this issue Apr 28, 2020

use auth_plug 0.12.0 with client_id in referer #55

52b4f36

nelsonic added a commit that referenced this issue Apr 28, 2020

create_apikey_for_admin/1 in seeds.exs for #55

3cdd44c

nelsonic added a commit that referenced this issue Apr 28, 2020

use client_id to sign JWT #55

144a3cf

nelsonic added a commit that referenced this issue Apr 28, 2020

extract client_id from query params #55 (comment)

3cd0d63

nelsonic added a commit that referenced this issue Apr 28, 2020

extract client_id from state (returned by successful auth) and lookup…

fa73f37

… in apikeys #55

nelsonic added a commit that referenced this issue Apr 29, 2020

create get_client_secret_from_state/1 function for #55

0a181cc

nelsonic added a commit that referenced this issue Apr 29, 2020

add client_id to state in all auth_controller tests #55

d379fb6

nelsonic added a commit that referenced this issue Apr 29, 2020

add test for invalid client_id for #55

254e7a5

nelsonic mentioned this issue Apr 29, 2020

Add auth_client_id to state in 3rd party auth urls #57

Closed

1 task

nelsonic closed this as completed Apr 29, 2020

dwyl app automation moved this from In progress to Done Apr 29, 2020

nelsonic mentioned this issue Apr 29, 2020

PR: AUTH_API_KEY issue #42 #43

Merged

12 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Extract client_id from HTTP referer #55

Extract client_id from HTTP referer #55

nelsonic commented Apr 28, 2020 •

edited

nelsonic commented Apr 28, 2020

nelsonic commented Apr 28, 2020

nelsonic commented Apr 29, 2020

Extract client_id from HTTP referer #55

Extract client_id from HTTP referer #55

Comments

nelsonic commented Apr 28, 2020 • edited

Todo

nelsonic commented Apr 28, 2020

nelsonic commented Apr 28, 2020

nelsonic commented Apr 29, 2020

nelsonic commented Apr 28, 2020 •

edited