ExtractOAuth2ProviderAppSecret grabs an OAuth2 app secret from the "app" and "secret" URL parameters. This middleware requires the ExtractOAuth2ProviderApp middleware higher in the stack
(db database.Store)
| 381 | // "secret" URL parameters. This middleware requires the ExtractOAuth2ProviderApp |
| 382 | // middleware higher in the stack |
| 383 | func ExtractOAuth2ProviderAppSecret(db database.Store) func(http.Handler) http.Handler { |
| 384 | return func(next http.Handler) http.Handler { |
| 385 | return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { |
| 386 | ctx := r.Context() |
| 387 | secretID, ok := ParseUUIDParam(rw, r, "secretID") |
| 388 | if !ok { |
| 389 | return |
| 390 | } |
| 391 | app := OAuth2ProviderApp(r) |
| 392 | secret, err := db.GetOAuth2ProviderAppSecretByID(ctx, secretID) |
| 393 | if httpapi.Is404Error(err) { |
| 394 | httpapi.ResourceNotFound(rw) |
| 395 | return |
| 396 | } |
| 397 | if err != nil { |
| 398 | httpapi.Write(ctx, rw, http.StatusInternalServerError, codersdk.Response{ |
| 399 | Message: "Internal error fetching OAuth2 app secret.", |
| 400 | Detail: err.Error(), |
| 401 | }) |
| 402 | return |
| 403 | } |
| 404 | // If the user can read the secret they can probably also read the app it |
| 405 | // belongs to and they can read this app as well, so it seems safe to give |
| 406 | // them a more helpful message than a 404 on mismatches. |
| 407 | if app.ID != secret.AppID { |
| 408 | httpapi.Write(ctx, rw, http.StatusBadRequest, codersdk.Response{ |
| 409 | Message: "App ID does not match secret app ID.", |
| 410 | }) |
| 411 | return |
| 412 | } |
| 413 | ctx = context.WithValue(ctx, oauth2ProviderAppSecretParamContextKey{}, secret) |
| 414 | next.ServeHTTP(rw, r.WithContext(ctx)) |
| 415 | }) |
| 416 | } |
| 417 | } |
| 418 | |
| 419 | func uriFromURL(u string) string { |
| 420 | uri, err := url.Parse(u) |
nothing calls this directly
no test coverage detected