From patchwork Tue Jul 28 14:33:41 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Fr=C3=A9d=C3=A9ric_Mangano-Tarumi?=
 <fmang@mg0.fr>
X-Patchwork-Id: 1734
Return-Path: <aur-dev-bounces@archlinux.org>
Delivered-To: patchwork@archlinux.org
Received: from apollo.archlinux.org (localhost [127.0.0.1])
	by apollo.archlinux.org (Postfix) with ESMTP id EE4211A336F50
	for <patchwork@archlinux.org>; Tue, 28 Jul 2020 14:33:52 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 apollo.archlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.4 required=5.0 tests=DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,MAILING_LIST_MULTI=-1,
	RCVD_IN_DNSWL_MED=-2.3,RCVD_IN_MSPIKE_H4=-0.01,RCVD_IN_MSPIKE_WL=-0.01,
	SPF_HELO_NONE=0.001,T_DMARC_POLICY_NONE=0.01 autolearn=ham
	autolearn_force=no version=3.4.4
X-Spam-BL-Results: <dns:70.91.198.88.list.dnswl.org> [127.0.9.2]
	<dns:70.91.198.88.wl.mailspike.net> [127.0.0.19]
Received: from orion.archlinux.org (orion.archlinux.org [88.198.91.70])
	by apollo.archlinux.org (Postfix) with ESMTPS
	for <patchwork@archlinux.org>; Tue, 28 Jul 2020 14:33:52 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
	by orion.archlinux.org (Postfix) with ESMTP id 8C57F1D362FD7D;
	Tue, 28 Jul 2020 14:33:51 +0000 (UTC)
Received: from luna.archlinux.org (luna.archlinux.org [5.9.250.164])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	(Authenticated sender: luna)
	by orion.archlinux.org (Postfix) with ESMTPSA id 529001D362FD77;
	Tue, 28 Jul 2020 14:33:51 +0000 (UTC)
Authentication-Results: orion.archlinux.org;
	dkim=pass (1024-bit key) header.d=mg0.fr header.i=@mg0.fr header.b=x+14ylbA
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
	by luna.archlinux.org (Postfix) with ESMTP id 46D9729CAD;
	Tue, 28 Jul 2020 14:33:51 +0000 (UTC)
Authentication-Results: luna.archlinux.org;
	dkim=pass (1024-bit key) header.d=mg0.fr header.i=@mg0.fr header.b=x+14ylbA
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
 by luna.archlinux.org (Postfix) with ESMTP id 5B2EA29CAC
 for <aur-dev@lists.archlinux.org>; Tue, 28 Jul 2020 14:33:46 +0000 (UTC)
Received: from orion.archlinux.org (orion.archlinux.org
 [IPv6:2a01:4f8:160:6087::1])
 by luna.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@lists.archlinux.org>; Tue, 28 Jul 2020 14:33:46 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
 by orion.archlinux.org (Postfix) with ESMTP id 570CE1D362FD6A
 for <aur-dev@archlinux.org>; Tue, 28 Jul 2020 14:33:43 +0000 (UTC)
Received: from tsubame.mg0.fr (tsubame.mg0.fr [IPv6:2001:41d0:401:3100::402b])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest
 SHA256) (No client certificate requested)
 by orion.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@archlinux.org>; Tue, 28 Jul 2020 14:33:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mg0.fr;
 s=tsubame; h=Message-ID:Subject:To:From:Date:cc;
 bh=GPdI8u3QS1uiIpxfs3Pt1DmrMftH/VSyxOlD8o7zWKo=; b=x+14ylbAfx9Ws4f0cpSjRD6JaQ
 XD6StcD2+SA6NDtrtKT1mJ2jyon+Lx11I7QKHNl/cTJ1gDA1GjvKoJKHaK7AIX3SnLC4ZkEHZajeY
 i1pgDWO6ScEDF4sY9HAbNpti7qvqRqwttBnKeTeOx4Aa7aSJbc+oTZ6UmDwsOFC02mDY=;
Received: from fmang by tsubame.mg0.fr with local (Exim 4.94)
 (envelope-from <fmang@mg0.fr>) id 1k0Qfl-002Msd-Ii
 for aur-dev@archlinux.org; Tue, 28 Jul 2020 16:33:41 +0200
Date: Tue, 28 Jul 2020 16:33:41 +0200
From: =?utf-8?b?RnLDqWTDqXJpYw==?= Mangano-Tarumi <fmang@mg0.fr>
To: aur-dev@archlinux.org
Subject: [PATCH 3/3] Guard OAuth exceptions to provide better messages
Message-ID: <20200728143341.GA564600@tsubame.mg0.fr>
MIME-Version: 1.0
Content-Disposition: inline
X-BeenThere: aur-dev@archlinux.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Arch User Repository \(AUR\) Development" <aur-dev.archlinux.org>
List-Unsubscribe: <https://lists.archlinux.org/options/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=unsubscribe>
List-Archive: <https://lists.archlinux.org/pipermail/aur-dev/>
List-Post: <mailto:aur-dev@archlinux.org>
List-Help: <mailto:aur-dev-request@archlinux.org?subject=help>
List-Subscribe: <https://lists.archlinux.org/listinfo/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=subscribe>
Errors-To: aur-dev-bounces@archlinux.org
Sender: "aur-dev" <aur-dev-bounces@archlinux.org>

---
 aurweb/routers/sso.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py
index 817adadb..2e4fbacc 100644
--- a/aurweb/routers/sso.py
+++ b/aurweb/routers/sso.py
@@ -5,7 +5,7 @@ from urllib.parse import urlencode
 
 import fastapi
 
-from authlib.integrations.starlette_client import OAuth
+from authlib.integrations.starlette_client import OAuth, OAuthError
 from fastapi import Depends, HTTPException
 from fastapi.responses import RedirectResponse
 from sqlalchemy.sql import select
@@ -95,8 +95,18 @@ async def authenticate(request: Request, conn=Depends(aurweb.db.connect)):
             detail=_('The login form is currently disabled for your IP address, '
                      'probably due to sustained spam attacks. Sorry for the '
                      'inconvenience.'))
-    token = await oauth.sso.authorize_access_token(request)
-    user = await oauth.sso.parse_id_token(request, token)
+
+    try:
+        token = await oauth.sso.authorize_access_token(request)
+        user = await oauth.sso.parse_id_token(request, token)
+    except OAuthError:
+        # Here, most OAuth errors should be caused by forged or expired tokens.
+        # Let’s give attackers as little information as possible.
+        _ = get_translator_for_request(request)
+        raise HTTPException(
+            status_code=400,
+            detail=_('Bad OAuth token. Please retry logging in from the start.'))
+
     sub = user.get("sub")  # this is the SSO account ID in JWT terminology
     if not sub:
         _ = get_translator_for_request(request)