Skip to content

Commit

Permalink
fix: return 401 if password is invalid (dexidp#2796)
Browse files Browse the repository at this point in the history
Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com>
  • Loading branch information
nabokihms authored and Alex Palesandro committed Sep 11, 2023
1 parent a66fbbb commit 816d57c
Show file tree
Hide file tree
Showing 2 changed files with 39 additions and 23 deletions.
59 changes: 36 additions & 23 deletions server/handlers_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -265,7 +265,7 @@ func mockConnectorDataTestStorage(t *testing.T, s storage.Storage) {
require.NoError(t, err)
}

func TestPasswordConnectorDataNotEmpty(t *testing.T) {
func TestHandlePassword(t *testing.T) {
t0 := time.Now()

ctx, cancel := context.WithCancel(context.Background())
Expand All @@ -280,33 +280,46 @@ func TestPasswordConnectorDataNotEmpty(t *testing.T) {

mockConnectorDataTestStorage(t, s.storage)

u, err := url.Parse(s.issuerURL.String())
require.NoError(t, err)
makeReq := func(username, password string) *httptest.ResponseRecorder {
u, err := url.Parse(s.issuerURL.String())
require.NoError(t, err)

u.Path = path.Join(u.Path, "/token")
v := url.Values{}
v.Add("scope", "openid offline_access email")
v.Add("grant_type", "password")
v.Add("username", "test")
v.Add("password", "test")
u.Path = path.Join(u.Path, "/token")
v := url.Values{}
v.Add("scope", "openid offline_access email")
v.Add("grant_type", "password")
v.Add("username", username)
v.Add("password", password)

req, _ := http.NewRequest("POST", u.String(), bytes.NewBufferString(v.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
req.SetBasicAuth("test", "barfoo")
req, _ := http.NewRequest("POST", u.String(), bytes.NewBufferString(v.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded; param=value")
req.SetBasicAuth("test", "barfoo")

rr := httptest.NewRecorder()
s.ServeHTTP(rr, req)
rr := httptest.NewRecorder()
s.ServeHTTP(rr, req)

require.Equal(t, 200, rr.Code)
return rr
}

// Check that we received expected refresh token
var ref struct {
Token string `json:"refresh_token"`
// Check unauthorized error
{
rr := makeReq("test", "invalid")
require.Equal(t, 401, rr.Code)
}
err = json.Unmarshal(rr.Body.Bytes(), &ref)
require.NoError(t, err)

newSess, err := s.storage.GetOfflineSessions("0-385-28089-0", "test")
require.NoError(t, err)
require.Equal(t, `{"test": "true"}`, string(newSess.ConnectorData))
// Check that we received expected refresh token
{
rr := makeReq("test", "test")
require.Equal(t, 200, rr.Code)

var ref struct {
Token string `json:"refresh_token"`
}
err := json.Unmarshal(rr.Body.Bytes(), &ref)
require.NoError(t, err)

newSess, err := s.storage.GetOfflineSessions("0-385-28089-0", "test")
require.NoError(t, err)
require.Equal(t, `{"test": "true"}`, string(newSess.ConnectorData))
}
}
3 changes: 3 additions & 0 deletions server/templates.go
Original file line number Diff line number Diff line change
Expand Up @@ -286,6 +286,9 @@ func (t *templates) login(r *http.Request, w http.ResponseWriter, connectors []c
}

func (t *templates) password(r *http.Request, w http.ResponseWriter, postURL, lastUsername, usernamePrompt string, lastWasInvalid bool, backLink string) error {
if lastWasInvalid {
w.WriteHeader(http.StatusUnauthorized)
}
data := struct {
PostURL string
BackLink string
Expand Down

0 comments on commit 816d57c

Please sign in to comment.