(ctx context.Context, _ http.ResponseWriter, r *http.Request, verifier string)
| 617 | } |
| 618 | |
// verifyConsent resolves the consent verifier for the current authorize
// request and returns the flow it belongs to once every check has passed.
//
// The checks run in this order: the verifier is decoded (and, per the helper's
// name, invalidated) so it cannot be presented twice; the flow's client must
// match the client_id query parameter of r; a consent error recorded on the
// flow is surfaced as its RFC error; the consent session is persisted; and
// finally the client-specific consent CSRF cookie is validated against the
// flow's ConsentCSRF value. Each failure returns an explicit error; the
// http.ResponseWriter is accepted for signature compatibility and never used.
// The named err result lets otelx.End record the outcome on the span.
//
// NOTE(review): CreateConsentSession runs before the CSRF cookie is checked, so
// a CSRF failure leaves a persisted consent session behind. The verifier has
// already been consumed at that point, so it cannot be replayed — confirm this
// ordering is intended.
func (s *defaultStrategy) verifyConsent(ctx context.Context, _ http.ResponseWriter, r *http.Request, verifier string) (_ *flow.Flow, err error) {
	ctx, span := trace.SpanFromContext(ctx).TracerProvider().Tracer("").Start(ctx, "DefaultStrategy.verifyConsent")
	defer otelx.End(span, &err)

	// Lookup is one-shot: a verifier that is unknown, unused or already
	// consumed is reported as a generic access-denied error.
	f, err := flow.DecodeAndInvalidateConsentVerifier(ctx, s.r, verifier)
	switch {
	case errors.Is(err, sqlcon.ErrNoRows):
		return nil, errors.WithStack(fosite.ErrAccessDenied.WithHint("The consent verifier has already been used, has not been granted, or is invalid."))
	case err != nil:
		return nil, err
	}

	// The flow must have been started by the client named in this request.
	if requestedClientID := r.URL.Query().Get("client_id"); requestedClientID != f.Client.GetID() {
		return nil, errors.WithStack(fosite.ErrInvalidClient.WithHint("The flow client id does not match the authorize request client id."))
	}

	// A rejected consent request carries its error on the flow itself.
	if f.ConsentError.IsError() {
		f.ConsentError.SetDefaults(flow.ConsentRequestDeniedErrorName)
		return nil, errors.WithStack(f.ConsentError.ToRFCError())
	}

	createErr := s.r.ConsentManager().CreateConsentSession(ctx, f)
	switch {
	case errors.Is(createErr, sqlcon.ErrUniqueViolation):
		return nil, errors.WithStack(fosite.ErrAccessDenied.WithHint("The consent verifier has already been used."))
	case errors.Is(createErr, sqlcon.ErrNoRows):
		return nil, errors.WithStack(fosite.ErrAccessDenied.WithHint("The consent verifier has already been used, has not been granted, or is invalid."))
	case createErr != nil:
		return nil, createErr
	}

	store, err := s.r.CookieStore(ctx)
	if err != nil {
		return nil, err
	}

	// The CSRF cookie name is the configured consent-CSRF cookie name with the
	// client's cookie suffix appended.
	csrfCookieName := fmt.Sprintf("%s_%s", s.r.Config().CookieNameConsentCSRF(ctx), f.Client.CookieSuffix())
	if err := validateCSRFCookie(ctx, r, s.r.Config(), store, csrfCookieName, f.ConsentCSRF.String()); err != nil {
		return nil, err
	}

	// Normalize nil session maps to empty ones (a nil map cannot be written to).
	if f.SessionAccessToken == nil {
		f.SessionAccessToken = map[string]interface{}{}
	}
	if f.SessionIDToken == nil {
		f.SessionIDToken = map[string]interface{}{}
	}

	return f, nil
}
| 665 | |
| 666 | func (s *defaultStrategy) generateFrontChannelLogoutURLs(ctx context.Context, subject, sid string) ([]string, error) { |
| 667 | clients, err := s.r.ConsentManager().ListUserAuthenticatedClientsWithFrontChannelLogout(ctx, subject, sid) |