From 1a40833e2c87c98541d053f7c54b38f791dbb448 Mon Sep 17 00:00:00 2001
From: Henning Perl <henning.perl@ory.sh>
Date: Mon, 18 Dec 2023 15:48:40 +0100
Subject: [PATCH] fix: handle token hook auth config (#3677)

* fix: handle token hook auth config

* fix: bump golangci-lint

---------

Co-authored-by: Arne Luenser <arne.luenser@ory.sh>
---
 .github/workflows/ci.yaml                |  2 +-
 Makefile                                 |  2 +-
 driver/config/provider.go                | 10 +++++++---
 driver/config/provider_test.go           | 23 +++++++++++++++--------
 go.mod                                   |  2 +-
 go.sum                                   |  2 ++
 oauth2/oauth2_auth_code_test.go          |  8 ++++++--
 oauth2/oauth2_client_credentials_test.go |  8 ++++++--
 oauth2/token_hook.go                     | 15 +++------------
 9 files changed, 42 insertions(+), 30 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 76c7b32da18..c85ba2aa558 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -94,7 +94,7 @@ jobs:
           GOGC: 100
         with:
           args: --timeout 10m0s
-          version: v1.53.2
+          version: v1.55.2
           skip-pkg-cache: true
       - name: Run go-acc (tests)
         run: |
diff --git a/Makefile b/Makefile
index e8b512af9bf..0d83b6ff9af 100644
--- a/Makefile
+++ b/Makefile
@@ -5,7 +5,7 @@ export PATH 					:= .bin:${PATH}
 export PWD 						:= $(shell pwd)
 export IMAGE_TAG 			:= $(if $(IMAGE_TAG),$(IMAGE_TAG),latest)
 
-GOLANGCI_LINT_VERSION = 1.53.3
+GOLANGCI_LINT_VERSION = 1.55.2
 
 GO_DEPENDENCIES = github.com/ory/go-acc \
 				  github.com/golang/mock/mockgen \
diff --git a/driver/config/provider.go b/driver/config/provider.go
index abacc3e4394..ba1869498fe 100644
--- a/driver/config/provider.go
+++ b/driver/config/provider.go
@@ -5,7 +5,6 @@ package config
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -482,8 +481,13 @@ func (p *DefaultProvider) AccessTokenStrategy(ctx context.Context, additionalSou
 
 type (
 	Auth struct {
-		Type   string          `json:"type"`
-		Config json.RawMessage `json:"config"`
+		Type   string     `json:"type"`
+		Config AuthConfig `json:"config"`
+	}
+	AuthConfig struct {
+		In    string `json:"in"`
+		Name  string `json:"name"`
+		Value string `json:"value"`
 	}
 	HookConfig struct {
 		URL  string `json:"url"`
diff --git a/driver/config/provider_test.go b/driver/config/provider_test.go
index 1b175aa919b..8e5c44a9e2e 100644
--- a/driver/config/provider_test.go
+++ b/driver/config/provider_test.go
@@ -443,18 +443,25 @@ func TestHookConfigs(t *testing.T) {
 		require.NotNil(t, hc)
 		assert.EqualValues(t, "http://localhost:8080/hook", hc.URL)
 
-		c.MustSet(ctx, key, map[string]any{
-			"url": "http://localhost:8080/hook2",
-			"auth": map[string]any{
-				"type":   "api_key",
-				"config": json.RawMessage(`{"in":"header","name":"my-header","value":"my-value"}`),
-			},
-		})
+		c.MustSet(ctx, key, `
+{
+	"url": "http://localhost:8080/hook2",
+	"auth": {
+		"type": "api_key",
+		"config": {
+			"in": "header",
+			"name": "my-header",
+			"value": "my-value"
+		}
+	}
+}`)
 		hc = getFunc(ctx)
 		require.NotNil(t, hc)
 		assert.EqualValues(t, "http://localhost:8080/hook2", hc.URL)
 		assert.EqualValues(t, "api_key", hc.Auth.Type)
-		assert.JSONEq(t, `{"in":"header","name":"my-header","value":"my-value"}`, string(hc.Auth.Config))
+		rawConfig, err := json.Marshal(hc.Auth.Config)
+		require.NoError(t, err)
+		assert.JSONEq(t, `{"in":"header","name":"my-header","value":"my-value"}`, string(rawConfig))
 	}
 }
 
diff --git a/go.mod b/go.mod
index a39bdcd2a0f..bcb1847b918 100644
--- a/go.mod
+++ b/go.mod
@@ -37,7 +37,7 @@ require (
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
 	github.com/oleiade/reflections v1.0.1
 	github.com/ory/analytics-go/v5 v5.0.1
-	github.com/ory/fosite v0.44.1-0.20231213153202-0d631f345034
+	github.com/ory/fosite v0.44.1-0.20231218095112-ac9ae4bd99d7
 	github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe
 	github.com/ory/graceful v0.1.3
 	github.com/ory/herodot v0.10.3-0.20230626083119-d7e5192f0d88
diff --git a/go.sum b/go.sum
index f72289a310d..33c1a3d331e 100644
--- a/go.sum
+++ b/go.sum
@@ -591,6 +591,8 @@ github.com/ory/fosite v0.44.1-0.20230807113540-d4605bb2b3a6 h1:pJLf9Gx4CfhE+M0lP
 github.com/ory/fosite v0.44.1-0.20230807113540-d4605bb2b3a6/go.mod h1:fkMPsnm/UjiefE9dE9CdZQGOH48TWJLIzUcdGIXg8Kk=
 github.com/ory/fosite v0.44.1-0.20231213153202-0d631f345034 h1:0afOTtuICtxga4Ni/PLQwsr45I0jAzsYXg/MaCoXFQs=
 github.com/ory/fosite v0.44.1-0.20231213153202-0d631f345034/go.mod h1:fkMPsnm/UjiefE9dE9CdZQGOH48TWJLIzUcdGIXg8Kk=
+github.com/ory/fosite v0.44.1-0.20231218095112-ac9ae4bd99d7 h1:EZEUk9sdC9cIKSqXipBz4eO84byOLLeVUnptgX7QFvM=
+github.com/ory/fosite v0.44.1-0.20231218095112-ac9ae4bd99d7/go.mod h1:fkMPsnm/UjiefE9dE9CdZQGOH48TWJLIzUcdGIXg8Kk=
 github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe h1:rvu4obdvqR0fkSIJ8IfgzKOWwZ5kOT2UNfLq81Qk7rc=
 github.com/ory/go-acc v0.2.9-0.20230103102148-6b1c9a70dbbe/go.mod h1:z4n3u6as84LbV4YmgjHhnwtccQqzf4cZlSk9f1FhygI=
 github.com/ory/go-convenience v0.1.0 h1:zouLKfF2GoSGnJwGq+PE/nJAE6dj2Zj5QlTgmMTsTS8=
diff --git a/oauth2/oauth2_auth_code_test.go b/oauth2/oauth2_auth_code_test.go
index f76712c8114..69e9d42e427 100644
--- a/oauth2/oauth2_auth_code_test.go
+++ b/oauth2/oauth2_auth_code_test.go
@@ -1006,8 +1006,12 @@ func TestAuthCodeWithDefaultStrategy(t *testing.T) {
 				reg.Config().MustSet(ctx, config.KeyTokenHook, &config.HookConfig{
 					URL: hs.URL,
 					Auth: &config.Auth{
-						Type:   "api_key",
-						Config: json.RawMessage(`{"in": "header", "name": "Authorization", "value": "Bearer secret value"}`),
+						Type: "api_key",
+						Config: config.AuthConfig{
+							In:    "header",
+							Name:  "Authorization",
+							Value: "Bearer secret value",
+						},
 					},
 				})
 
diff --git a/oauth2/oauth2_client_credentials_test.go b/oauth2/oauth2_client_credentials_test.go
index 34b260dc2b6..40696ac1238 100644
--- a/oauth2/oauth2_client_credentials_test.go
+++ b/oauth2/oauth2_client_credentials_test.go
@@ -290,8 +290,12 @@ func TestClientCredentials(t *testing.T) {
 				reg.Config().MustSet(ctx, config.KeyTokenHook, &config.HookConfig{
 					URL: hs.URL,
 					Auth: &config.Auth{
-						Type:   "api_key",
-						Config: json.RawMessage(`{"in": "header", "name": "Authorization", "value": "Bearer secret value"}`),
+						Type: "api_key",
+						Config: config.AuthConfig{
+							In:    "header",
+							Name:  "Authorization",
+							Value: "Bearer secret value",
+						},
 					},
 				})
 
diff --git a/oauth2/token_hook.go b/oauth2/token_hook.go
index 377d15d0004..d32cadd7e4d 100644
--- a/oauth2/token_hook.go
+++ b/oauth2/token_hook.go
@@ -71,20 +71,11 @@ func applyAuth(req *retryablehttp.Request, auth *config.Auth) error {
 
 	switch auth.Type {
 	case "api_key":
-		c := struct {
-			In    string `json:"in"`
-			Name  string `json:"name"`
-			Value string `json:"value"`
-		}{}
-		if err := json.Unmarshal(auth.Config, &c); err != nil {
-			return err
-		}
-
-		switch c.In {
+		switch auth.Config.In {
 		case "header":
-			req.Header.Set(c.Name, c.Value)
+			req.Header.Set(auth.Config.Name, auth.Config.Value)
 		case "cookie":
-			req.AddCookie(&http.Cookie{Name: c.Name, Value: c.Value})
+			req.AddCookie(&http.Cookie{Name: auth.Config.Name, Value: auth.Config.Value})
 		}
 	default:
 		return errors.Errorf("unsupported auth type %q", auth.Type)