From 7b82361a2099ab9cbc7c9b3d5b32e9b599ea24eb Mon Sep 17 00:00:00 2001
From: hackerman <3372410+aeneasr@users.noreply.github.com>
Date: Tue, 5 Nov 2024 12:38:22 +0100
Subject: [PATCH] revert: reduce size of verifiers (#3875)
feat: store client in challenge/verified and reduce DB load.
---
consent/handler.go | 5 -----
consent/strategy_default.go | 11 -----------
flow/flow.go | 6 +-----
persistence/sql/persister_consent.go | 16 ----------------
4 files changed, 1 insertion(+), 37 deletions(-)
diff --git a/consent/handler.go b/consent/handler.go
index 89e521058b..48167e7380 100644
--- a/consent/handler.go
+++ b/consent/handler.go
@@ -1053,10 +1053,5 @@ func (h *Handler) decodeFlowWithClient(ctx context.Context, challenge string, op
return nil, err
}
- f.Client, err = h.r.ClientManager().GetConcreteClient(ctx, f.ClientID)
- if err != nil {
- return nil, err
- }
-
return f, nil
}
diff --git a/consent/strategy_default.go b/consent/strategy_default.go
index 241a52a8b2..6d7f8c67e9 100644
--- a/consent/strategy_default.go
+++ b/consent/strategy_default.go
@@ -348,11 +348,6 @@ func (s *DefaultStrategy) verifyAuthentication(
return nil, errorsx.WithStack(fosite.ErrAccessDenied.WithHint("The login verifier is invalid."))
}
- f.Client, err = s.r.ClientManager().GetConcreteClient(ctx, f.ClientID)
- if err != nil {
- return nil, err
- }
-
session, err := s.r.ConsentManager().VerifyAndInvalidateLoginRequest(ctx, verifier)
if errors.Is(err, sqlcon.ErrNoRows) {
return nil, errorsx.WithStack(fosite.ErrAccessDenied.WithHint("The login verifier has already been used, has not been granted, or is invalid."))
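Review bot: After this removal `decodeFlowWithClient` returns `f` with whatever `Client` the decrypted challenge happened to carry, so the name's promise only holds for challenges minted by this build; a challenge issued by the previous build (which set `f.Client = nil` before encoding, and the field is tagged `omitempty`) decodes with `f.Client == nil`, and a caller that dereferences it — `verifyConsent` does via `f.Client.GetID()` — panics during a rolling upgrade rather than failing closed. A fallback to the client manager taken only when the field is absent preserves the DB-load reduction for new challenges while remaining compatible with in-flight ones. The beginning of decodeFlowWithClient lies outside the hunk.

```go
	// Challenges minted before the client was embedded in the encrypted payload carry
	// no client; fall back to the store so callers can rely on f.Client being non-nil.
	if f.Client == nil {
		f.Client, err = h.r.ClientManager().GetConcreteClient(ctx, f.ClientID)
		if err != nil {
			return nil, err
		}
	}

	return f, nil
```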
@@ -657,12 +652,6 @@ func (s *DefaultStrategy) verifyConsent(ctx context.Context, _ http.ResponseWrit
if err != nil {
return nil, nil, errorsx.WithStack(fosite.ErrAccessDenied.WithHint("The consent verifier has already been used, has not been granted, or is invalid."))
}
-
- f.Client, err = s.r.ClientManager().GetConcreteClient(ctx, f.ClientID)
- if err != nil {
- return nil, nil, err
- }
-
if f.Client.GetID() != r.URL.Query().Get("client_id") {
return nil, nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHint("The flow client id does not match the authorize request client id."))
}
diff --git a/flow/flow.go b/flow/flow.go
index d81816b325..0502bc544b 100644
--- a/flow/flow.go
+++ b/flow/flow.go
@@ -119,7 +119,7 @@ type Flow struct {
// Client is the OAuth 2.0 Client that initiated the request.
//
// required: true
- Client *client.Client `db:"-" json:"client,omitempty"`
+ Client *client.Client `db:"-" json:"c,omitempty"`
ClientID string `db:"client_id" json:"ci,omitempty"`
// RequestURL is the original OAuth 2.0 Authorization URL requested by the OAuth 2.0 client. It is the URL which
@@ -514,7 +514,6 @@ func (f Flow) ToLoginChallenge(ctx context.Context, cipherProvider CipherProvide
if f.Client != nil {
f.ClientID = f.Client.GetID()
}
- f.Client = nil
return flowctx.Encode(ctx, cipherProvider.FlowCipher(), f, flowctx.AsLoginChallenge)
}
@@ -523,7 +522,6 @@ func (f Flow) ToLoginVerifier(ctx context.Context, cipherProvider CipherProvider
if f.Client != nil {
f.ClientID = f.Client.GetID()
}
- f.Client = nil
return flowctx.Encode(ctx, cipherProvider.FlowCipher(), f, flowctx.AsLoginVerifier)
}
@@ -532,7 +530,6 @@ func (f Flow) ToConsentChallenge(ctx context.Context, cipherProvider CipherProvi
if f.Client != nil {
f.ClientID = f.Client.GetID()
}
- f.Client = nil
return flowctx.Encode(ctx, cipherProvider.FlowCipher(), f, flowctx.AsConsentChallenge)
}
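Review bot: The client_id comparison `f.Client.GetID() != r.URL.Query().Get("client_id")` now dereferences the client decoded from the consent verifier instead of one freshly loaded from the store, and nothing in the hunk guards against that field being nil; a verifier issued by the previous build, which set `f.Client = nil` before encoding, decodes with the field absent (it is `omitempty`) and this line panics instead of returning an error. A guard such as `if f.Client == nil { return nil, nil, errorsx.WithStack(fosite.ErrInvalidClient.WithHint("The consent verifier carries no client.")) }` placed before the comparison keeps the failure an ordinary error response. Note also that the client this check and whatever follows it sees is now a snapshot taken when the challenge was created, so a client deleted or reconfigured since then is no longer noticed at this point; the exposure window is presumably bounded by the flow's max age, which is worth stating in a comment. verifyConsent begins and ends outside the hunk.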
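Review bot: The `Client` field is now marshalled into the encrypted challenge and verifier under key `c`, but its doc comment still describes it only as the initiating client and says nothing about the new contract: the embedded value is a point-in-time copy that this patch never re-reads from the store, and every JSON-visible field of `client.Client` (whatever that type exposes — not visible here) now travels inside the login/consent redirect parameters, protected solely by FlowCipher. I would extend the comment to `// Client is the OAuth 2.0 Client that initiated the request. It is embedded in the encrypted challenge/verifier (key "c") as a snapshot taken at challenge creation; it is not re-read from the store later in the flow, and its confidentiality rests on FlowCipher.` Given the commit title, a further line noting that the marshalled size of this struct directly grows the challenge/verifier would help the next person who has to shrink them again.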
@@ -541,6 +538,5 @@ func (f Flow) ToConsentVerifier(ctx context.Context, cipherProvider CipherProvid
if f.Client != nil {
f.ClientID = f.Client.GetID()
}
- f.Client = nil
return flowctx.Encode(ctx, cipherProvider.FlowCipher(), f, flowctx.AsConsentVerifier)
}
diff --git a/persistence/sql/persister_consent.go b/persistence/sql/persister_consent.go
index e68929b428..5bd9713938 100644
--- a/persistence/sql/persister_consent.go
+++ b/persistence/sql/persister_consent.go
@@ -198,10 +198,6 @@ func (p *Persister) GetFlowByConsentChallenge(ctx context.Context, challenge str
if f.RequestedAt.Add(p.config.ConsentRequestMaxAge(ctx)).Before(time.Now()) {
return nil, errorsx.WithStack(fosite.ErrRequestUnauthorized.WithHint("The consent request has expired, please try again."))
}
- f.Client, err = p.GetConcreteClient(ctx, f.ClientID)
- if err != nil {
- return nil, err
- }
return f, nil
}
@@ -266,10 +262,6 @@ func (p *Persister) GetLoginRequest(ctx context.Context, loginChallenge string)
if f.RequestedAt.Add(p.config.ConsentRequestMaxAge(ctx)).Before(time.Now()) {
return nil, errorsx.WithStack(fosite.ErrRequestUnauthorized.WithHint("The login request has expired, please try again."))
}
- f.Client, err = p.GetConcreteClient(ctx, f.ClientID)
- if err != nil {
- return nil, err
- }
lr := f.GetLoginRequest()
// Restore the short challenge ID, which was previously sent to the encoded flow,
// to make sure that the challenge ID in the returned flow matches the param.
@@ -309,10 +301,6 @@ func (p *Persister) VerifyAndInvalidateConsentRequest(ctx context.Context, verif
if f.NID != p.NetworkID(ctx) {
return nil, errorsx.WithStack(sqlcon.ErrNoRows)
}
- f.Client, err = p.GetConcreteClient(ctx, f.ClientID)
- if err != nil {
- return nil, err
- }
if err = f.InvalidateConsentRequest(); err != nil {
return nil, errorsx.WithStack(fosite.ErrInvalidRequest.WithDebug(err.Error()))
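Review bot: Dropping the `GetConcreteClient` call in `GetLoginRequest` also drops the only step that confirmed the client still exists before `lr := f.GetLoginRequest()` builds the request that is presumably handed to the login UI; any challenge that passes the expiry check is now served with the client embedded at challenge time, so a client deleted or disabled mid-flow keeps a working login request until `ConsentRequestMaxAge` elapses. If that trade-off is intended it should be recorded at the removal point, e.g. `// The client is taken from the encrypted challenge and is not re-validated against the store; a client removed after the challenge was issued remains usable until the request expires.`, otherwise a cheap existence check on `f.ClientID` should replace the full load. The same consideration applies to `GetFlowByConsentChallenge` in the hunk above. The head of GetLoginRequest lies outside the hunk.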
@@ -359,10 +347,6 @@ func (p *Persister) VerifyAndInvalidateLoginRequest(ctx context.Context, verifie
if f.NID != p.NetworkID(ctx) {
return nil, errorsx.WithStack(sqlcon.ErrNoRows)
}
- f.Client, err = p.GetConcreteClient(ctx, f.ClientID)
- if err != nil {
- return nil, err
- }
if err := f.InvalidateLoginRequest(); err != nil {
return nil, errorsx.WithStack(fosite.ErrInvalidRequest.WithDebug(err.Error()))