mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-07-18 15:37:48 +00:00
chore: do not pass the full signing key to template (#10967)
A template should not get (easy) access to a full signing key to prevent accidents. Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10967 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: Nils Goroll <nils.goroll@uplex.de> Co-committed-by: Nils Goroll <nils.goroll@uplex.de>
This commit is contained in:
parent
fb2f666535
commit
b4412c2206
3 changed files with 31 additions and 2 deletions
|
|
@ -674,7 +674,7 @@ func OIDCWellKnown(ctx *context.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
ctx.Data["SigningKey"] = oauth2.DefaultSigningKey
|
||||
ctx.Data["SigningAlg"] = oauth2.DefaultSigningKey.SigningMethod().Alg()
|
||||
ctx.Data["Issuer"] = strings.TrimSuffix(setting.AppURL, "/")
|
||||
ctx.JSONTemplate("user/auth/oidc_wellknown")
|
||||
}
|
||||
|
|
|
|||
|
|
@ -4,15 +4,22 @@
|
|||
package auth
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"forgejo.org/models/auth"
|
||||
"forgejo.org/models/db"
|
||||
"forgejo.org/models/unittest"
|
||||
user_model "forgejo.org/models/user"
|
||||
"forgejo.org/modules/json"
|
||||
"forgejo.org/modules/jwtx"
|
||||
"forgejo.org/modules/setting"
|
||||
"forgejo.org/modules/templates"
|
||||
"forgejo.org/modules/test"
|
||||
"forgejo.org/modules/timeutil"
|
||||
"forgejo.org/services/auth/source/oauth2"
|
||||
"forgejo.org/services/contexttest"
|
||||
|
||||
"github.com/golang-jwt/jwt/v5"
|
||||
"github.com/stretchr/testify/assert"
|
||||
|
|
@ -86,3 +93,25 @@ func TestEncodeCodeChallenge(t *testing.T) {
|
|||
require.NoError(t, err)
|
||||
assert.Equal(t, "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM", codeChallenge)
|
||||
}
|
||||
|
||||
func TestOIDCWellKnownDisabled(t *testing.T) {
|
||||
ctx, resp := contexttest.MockContext(t, "/openid-configuration")
|
||||
defer test.MockVariableValue(&setting.OAuth2.Enabled, false)()
|
||||
OIDCWellKnown(ctx)
|
||||
assert.Equal(t, http.StatusNotFound, resp.Code)
|
||||
}
|
||||
|
||||
func TestOIDCWellKnownEnabled(t *testing.T) {
|
||||
ctx, resp := contexttest.MockContext(t, "/openid-configuration", contexttest.MockContextOption{Render: templates.HTMLRenderer()})
|
||||
err := oauth2.Init(ctx)
|
||||
require.NoError(t, err)
|
||||
|
||||
OIDCWellKnown(ctx)
|
||||
assert.Equal(t, http.StatusOK, resp.Code)
|
||||
|
||||
oidcjson := make(map[string]any)
|
||||
require.NoError(t, json.Unmarshal([]byte(resp.Body.String()), &oidcjson))
|
||||
|
||||
assert.Equal(t, strings.TrimSuffix(setting.AppURL, "/"), oidcjson["issuer"])
|
||||
assert.Equal(t, []any{oauth2.DefaultSigningKey.SigningMethod().Alg()}, oidcjson["id_token_signing_alg_values_supported"])
|
||||
}
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@
|
|||
"id_token"
|
||||
],
|
||||
"id_token_signing_alg_values_supported": [
|
||||
"{{.SigningKey.SigningMethod.Alg | JSEscape}}"
|
||||
"{{.SigningAlg | JSEscape}}"
|
||||
],
|
||||
"subject_types_supported": [
|
||||
"public"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue