llvy.ltd/casdoor
1
0
Fork 0
mirror of https://github.com/casdoor/casdoor.git synced 2025-07-03 20:50:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat: add protection against attacks (#460)

Browse Source 
Signed-off-by: 0x2a <stevesough@gmail.com>
This commit is contained in:
Steve0x2a
2022-01-29 00:32:57 +08:00
committed by GitHub
parent fbc73de3bb
commit 3c2f7b7fc8
1 changed files with 36 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
object/token.go
View File

@ -19,6 +19,7 @@ import (
"encoding/base64"
"fmt"
"strings"
"time"
"github.com/casdoor/casdoor/util"
"xorm.io/core"
@ -45,6 +46,8 @@ type Token struct {
Scope string `xorm:"varchar(100)" json:"scope"`
TokenType string `xorm:"varchar(100)" json:"tokenType"`
CodeChallenge string `xorm:"varchar(100)" json:"codeChallenge"`
CodeIsUsed bool `json:"codeIsUsed"`
CodeExpireIn int64 `json:"codeExpireIn"`
}
type TokenWrapper struct {
@ -119,6 +122,15 @@ func getTokenByCode(code string) *Token {
return nil
}
func updateUsedByCode(token *Token) bool {
affected, err := adapter.Engine.Where("code=?", token.Code).Cols("code_is_used").Update(token)
if err != nil {
panic(err)
}
return affected != 0
}
func GetToken(id string) *Token {
owner, name := util.GetOwnerAndNameFromId(id)
return getToken(owner, name)
@ -238,6 +250,8 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU
Scope: scope,
TokenType: "Bearer",
CodeChallenge: challenge,
CodeIsUsed: false,
CodeExpireIn: time.Now().Add(time.Minute * 5).Unix(),
}
AddToken(token)
@ -311,7 +325,29 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code
Scope: "",
}
}
if token.CodeIsUsed {
//Resist replay attacks, if the code is reused, the token generated with this code will be deleted
DeleteToken(token)
return &TokenWrapper{
AccessToken: "error: code has been used.",
TokenType: "",
ExpiresIn: 0,
Scope: "",
}
}
if time.Now().Unix() > token.CodeExpireIn {
//can only use the code to generate a token within five minutes
DeleteToken(token)
return &TokenWrapper{
AccessToken: "error: code has expired",
TokenType: "",
ExpiresIn: 0,
Scope: "",
}
}
token.CodeIsUsed = true
updateUsedByCode(token)
tokenWrapper := &TokenWrapper{
AccessToken: token.AccessToken,
IdToken: token.AccessToken,