MCPcopy Index your code
hub / github.com/PatchMon/PatchMon / Callback

Method Callback

server-source-code/internal/handler/oidc.go:149–302  ·  view source on GitHub ↗

Callback handles GET /api/v1/auth/oidc/callback.

(w http.ResponseWriter, r *http.Request)

Source from the content-addressed store, hash-verified

147
148// Callback handles GET /api/v1/auth/oidc/callback.
149func (h *OidcHandler) Callback(w http.ResponseWriter, r *http.Request) {
150 h.clientMu.RLock()
151 client := h.client
152 h.clientMu.RUnlock()
153
154 if client == nil {
155 http.Redirect(w, r, "/login?error=OIDC+not+enabled", http.StatusFound)
156 return
157 }
158 q := r.URL.Query()
159 code := q.Get("code")
160 state := q.Get("state")
161 errParam := q.Get("error")
162 if errParam != "" {
163 if h.log != nil {
164 h.log.Error("oidc idp error", "error", errParam, "description", q.Get("error_description"))
165 }
166 http.Redirect(w, r, "/login?error=Authentication+failed", http.StatusFound)
167 return
168 }
169 if state == "" {
170 if h.log != nil {
171 h.log.Error("oidc callback missing state")
172 }
173 http.Redirect(w, r, "/login?error=Invalid+authentication+response", http.StatusFound)
174 return
175 }
176 if code == "" {
177 if h.log != nil {
178 h.log.Error("oidc callback missing code")
179 }
180 http.Redirect(w, r, "/login?error=Invalid+authentication+response", http.StatusFound)
181 return
182 }
183 // Double-submit cookie check: the oidc_state cookie MUST be present and match.
184 // A missing cookie used to be accepted (only mismatches were rejected), which
185 // allowed a login-CSRF / forced-login attack where an attacker who captured a
186 // valid state+code pair could trick a victim (whose browser has no oidc_state
187 // cookie for this flow) into completing the callback and getting auth cookies
188 // for the attacker's account. We now require cookie presence AND a match, in
189 // addition to the server-side state store GetAndDelete below.
190 cookieState, _ := r.Cookie("oidc_state")
191 if cookieState == nil {
192 if h.log != nil {
193 h.log.Error("oidc state cookie missing", "state_present", state != "")
194 }
195 http.Redirect(w, r, "/login?error=Invalid+authentication+response", http.StatusFound)
196 return
197 }
198 if cookieState.Value != state {
199 if h.log != nil {
200 h.log.Error("oidc state mismatch")
201 }
202 http.Redirect(w, r, "/login?error=Invalid+authentication+response", http.StatusFound)
203 return
204 }
205 sessionData, err := h.oidcStore.GetAndDelete(r.Context(), state)
206 if err != nil || sessionData == nil {

Callers

nothing calls this directly

Calls 15

oidcAutoCreateUsersMethod · 0.95
createOidcUserMethod · 0.95
oidcIssuerURLMethod · 0.95
oidcSyncRolesMethod · 0.95
mapGroupsToRoleMethod · 0.95
oidcSuperadminGroupMethod · 0.95
isSecureRequestFunction · 0.85
extractHostFunction · 0.85
QueryMethod · 0.80
ErrorMethod · 0.80
ExchangeMethod · 0.80
GetByOidcSubOrEmailMethod · 0.80

Tested by

no test coverage detected