# HG changeset patch
# User Peter Sanchez
# Date 1703014545 21600
# Tue Dec 19 13:35:45 2023 -0600
# Node ID 0a582a6d902932e31fe26bf98b947cef987f95ba
# Parent 5178eaa31f19e6d9f4ab06608fb34ce03d0ab829
Cleaning up revoke auth verification for unescaping data, etc.
diff --git a/routes.go b/routes.go
--- a/routes.go
+++ b/routes.go
@@ -751,26 +751,33 @@
 return s.accessTokenError(c, "invalid_request",
 "Invalid Authorization header", 400)
 }
- z := strings.SplitN(header, " ", 2)
- if len(z) != 2 {
- return s.accessTokenError(c, "invalid_request",
- "Invalid Authorization header", 400)
- }
- if strings.ToLower(z[0]) != "basic" {
- return s.accessTokenError(c, "invalid_request",
+ parts := strings.SplitN(header, " ", 2)
+ if len(parts) != 2 || parts[0] != "Basic" {
+ return s.accessTokenError(c, "invalid_client",
 "Invalid Authorization header", 400)
 }
- idsec, err := base64.StdEncoding.DecodeString(z[1])
+ bytes, err := base64.StdEncoding.DecodeString(parts[1])
 if err != nil {
- return s.accessTokenError(c, "invalid_request",
+ return s.accessTokenError(c, "invalid_client",
+ "Invalid Authorization header contents", 400)
+ }
+ auth := string(bytes)
+ if !strings.Contains(auth, ":") {
+ return s.accessTokenError(c, "invalid_client",
 "Invalid Authorization header", 400)
 }
- z = strings.SplitN(string(idsec), ":", 2)
- if len(z) != 2 {
- return s.accessTokenError(c, "invalid_request",
- "Invalid Authorization header", 400)
+ parts = strings.SplitN(auth, ":", 2)
+ clientID, err := url.PathUnescape(parts[0])
+ if err != nil {
+ return s.accessTokenError(c, "invalid_client",
+ "Invalid Authorization header contents", 400)
 }
- clientID, clientSecret := z[0], z[1]
+ clientSecret, err := url.PathUnescape(parts[1])
+ if err != nil {
+ return s.accessTokenError(c, "invalid_client",
+ "Invalid Authorization header contents", 400)
+ }
+
 client, err := GetClientByID(c.Request().Context(), clientID)
 if err != nil {
 c.Response().Header().Set("WWW-Authenticate", "Basic")
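Review bot: The scheme check in the new `if len(parts) != 2 || parts[0] != "Basic"` is now case-sensitive, whereas the removed `strings.ToLower(z[0]) != "basic"` accepted `basic`/`BASIC`; RFC 7235 defines auth-scheme as case-insensitive, so conforming clients get rejected — use `if len(parts) != 2 || !strings.EqualFold(parts[0], "Basic") {`. The new `invalid_client` responses are all sent as 400 without the `WWW-Authenticate: Basic` header that the later GetClientByID failure path sets, even though the client did attempt Authorization-header authentication; RFC 6749 §5.2 expects a 401 with that header in that case, so the error branches are inconsistent with each other. `url.PathUnescape` leaves `+` as a literal plus, while RFC 6749 §2.3.1 says the credentials are form-urlencoded before base64; if your clients really follow that, `url.QueryUnescape` is the matching decoder, but this depends on what they actually send and is worth confirming rather than assuming. The local named `bytes` shadows the standard `bytes` package if routes.go imports it; a name like `raw` avoids the confusion. The enclosing handler begins and ends outside this hunk.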