From fd17adbd16a6820a4afe945ba1b4036e7b714dd2 Mon Sep 17 00:00:00 2001 From: Mihaly Lengyel Date: Tue, 22 Oct 2024 23:41:04 +0200 Subject: [PATCH] fix: fetch the clientId/secret from the auth header if present --- .../webserver/api/oauth/OAuthTokenAPI.java | 12 ++++++++++-- .../webserver/api/oauth/RevokeOAuthTokenAPI.java | 15 +++++++++++++-- 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthTokenAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthTokenAPI.java index 69e3ef317..923829e44 100644 --- a/src/main/java/io/supertokens/webserver/api/oauth/OAuthTokenAPI.java +++ b/src/main/java/io/supertokens/webserver/api/oauth/OAuthTokenAPI.java @@ -45,6 +45,7 @@ import io.supertokens.session.jwt.JWT.JWTException; import io.supertokens.storageLayer.StorageLayer; import io.supertokens.useridmapping.UserIdType; +import io.supertokens.utils.Utils; import io.supertokens.webserver.InputParser; import io.supertokens.webserver.WebserverAPI; import jakarta.servlet.ServletException; @@ -99,7 +100,14 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I formFields.put(entry.getKey(), entry.getValue().getAsString()); } - String clientId = formFields.get("client_id"); + String clientId; + + if (authorizationHeader != null) { + String[] parsedHeader = Utils.convertFromBase64(authorizationHeader.replaceFirst("^Basic ", "").trim()).split(":"); + clientId = parsedHeader[0]; + } else { + clientId = InputParser.parseStringOrThrowError(input, formFields.get("client_id"), false); + } try { AppIdentifier appIdentifier = getAppIdentifier(req); 
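Review bot: The fallback branch `clientId = InputParser.parseStringOrThrowError(input, formFields.get("client_id"), false);` passes the client_id value where the parser takes a field name (compare `parseStringOrThrowError(input, "client_id", false)` in RevokeOAuthTokenAPI in the same patch), so it looks up a key equal to the client's id in `input` and will presumably fail for every request that authenticates via the form field rather than the header. If the goal is to reject a missing client_id, keep `clientId = formFields.get("client_id");` and raise the API's bad-request error when it is null, or run the parser against the form-fields JSON object (not visible here) with `"client_id"` as the field name. The header branch is also unguarded: Java's `split(":")` drops trailing empty strings, so a decoded value such as `":"` yields an empty array and `parsedHeader[0]` throws ArrayIndexOutOfBoundsException, and a non-Basic scheme or malformed base64 reaches `Utils.convertFromBase64` unchecked; use `split(":", 2)`, check `parsedHeader.length` and a non-empty id, and verify the scheme is `Basic` (case-insensitively, per RFC 7617) before decoding so these become a 400 rather than an unhandled exception. doPost starts before and continues after this hunk.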
@@ -158,7 +166,7 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I main, req, resp, getAppIdentifier(req), enforcePublicTenantAndGetPublicTenantStorage(req), - formFields.get("client_id"), // clientIdToCheck + clientId, // clientIdToCheck "/oauth2/token", // proxyPath false, // proxyToAdmin false, // camelToSnakeCaseConversion diff --git a/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthTokenAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthTokenAPI.java index 1fb9fc884..322a4ce2d 100644 --- a/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthTokenAPI.java +++ b/src/main/java/io/supertokens/webserver/api/oauth/RevokeOAuthTokenAPI.java @@ -20,6 +20,7 @@ import io.supertokens.pluginInterface.exceptions.StorageTransactionLogicException; import io.supertokens.pluginInterface.multitenancy.AppIdentifier; import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException; +import io.supertokens.utils.Utils; import io.supertokens.webserver.InputParser; import io.supertokens.webserver.WebserverAPI; import jakarta.servlet.ServletException; 
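Review bot: `clientId` passed as `clientIdToCheck` now comes from the Authorization header when one is present, but `formFields` still carries whatever `client_id` the body supplied, and the hunk does not reconcile the two, so the tenant/app check can be done against the header's id while a different id is forwarded to `/oauth2/token` (what the proxied server does with the conflict is not visible here). RFC 6749 §2.3.1 forbids a client from using more than one authentication method in a request, so the safe behaviour is to reject the request when both are present and differ, e.g. `if (formFields.containsKey("client_id") && !clientId.equals(formFields.get("client_id"))) { /* respond 400 */ }` before the proxy call. The argument list begins before the hunk and doPost continues after it.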
@@ -84,11 +85,21 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I } // revoking refresh token - String clientId = InputParser.parseStringOrThrowError(input, "client_id", false); - String clientSecret = InputParser.parseStringOrThrowError(input, "client_secret", true); + + String clientId, clientSecret; String authorizationHeader = InputParser.parseStringOrThrowError(input, "authorizationHeader", true); + if (authorizationHeader != null) { + String[] parsedHeader = Utils.convertFromBase64(authorizationHeader.replaceFirst("^Basic ", "").trim()).split(":"); + clientId = parsedHeader[0]; + clientSecret = parsedHeader[1]; + } else { + clientId = InputParser.parseStringOrThrowError(input, "client_id", false); + clientSecret = InputParser.parseStringOrThrowError(input, "client_secret", true); + } + + Map headers = new HashMap<>(); if (authorizationHeader != null) { headers.put("Authorization", authorizationHeader);
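Review bot: `clientSecret = parsedHeader[1];` throws ArrayIndexOutOfBoundsException whenever the decoded header has no colon (a bare client id, an empty string, or a non-Basic scheme that `replaceFirst("^Basic ", "")` leaves untouched), which turns a malformed client request into an unhandled exception instead of a 400; `split(":")` also truncates any secret that itself contains a colon, so the limit-2 form is needed. RFC 6749 §2.3.1 additionally specifies that the id and secret in the Basic credentials are form-url-encoded, so both halves should be URL-decoded before use (this needs `java.net.URLDecoder` and `java.nio.charset.StandardCharsets` imported in the file). If `Utils.convertFromBase64` throws on invalid input, that case should be mapped to a 400 as well, without echoing the header value into the error. doPost starts before and continues after this hunk.
```java
        if (authorizationHeader != null) {
            if (!authorizationHeader.regionMatches(true, 0, "Basic ", 0, 6)) {
                // respond 400 with the bad-request exception this API uses elsewhere
            }
            String decoded = Utils.convertFromBase64(authorizationHeader.substring(6).trim());
            String[] parsedHeader = decoded.split(":", 2);
            if (parsedHeader.length != 2 || parsedHeader[0].isEmpty()) {
                // respond 400; do not include the header contents in the message
            }
            clientId = URLDecoder.decode(parsedHeader[0], StandardCharsets.UTF_8);
            clientSecret = URLDecoder.decode(parsedHeader[1], StandardCharsets.UTF_8);
        } else {
            // … unchanged: client_id / client_secret read from the JSON body …
        }
```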