From d6e4b578aaf8a7a1fc392ea3eb40628c9ae804ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Ja=C5=82ocha?=
Date: Fri, 23 Feb 2024 13:57:16 +0100
Subject: [PATCH 1/3] Fix invalid numerics exponential notation
---
 consent/handler.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/consent/handler.go b/consent/handler.go
index 3ae98aa23c2..da63b64773c 100644
--- a/consent/handler.go
+++ b/consent/handler.go
@@ -745,6 +745,7 @@ func (h *Handler) acceptOAuth2ConsentRequest(w http.ResponseWriter, r *http.Requ
 var p flow.AcceptOAuth2ConsentRequest
 d := json.NewDecoder(r.Body)
+ d.UseNumber()
 d.DisallowUnknownFields()
 if err := d.Decode(&p); err != nil {
 h.r.Writer().WriteErrorCode(w, r, http.StatusBadRequest, errorsx.WithStack(err))
From 02bfaa4d189c4edbf1b4e71b267246c688518732 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Ja=C5=82ocha?=
Date: Tue, 7 May 2024 12:00:22 +0200
Subject: [PATCH 2/3] Add helper to avoid repeated code in handlers
---
 consent/handler.go | 26 ++++++++++++--------------
 consent/helper.go | 10 ++++++++++
 2 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/consent/handler.go b/consent/handler.go
index da63b64773c..3694f7d66c8 100644
--- a/consent/handler.go
+++ b/consent/handler.go
@@ -4,7 +4,6 @@ package consent
 import (
- "encoding/json"
 "net/http"
 "net/url"
 "time"
@@ -432,9 +431,9 @@ func (h *Handler) acceptOAuth2LoginRequest(w http.ResponseWriter, r *http.Reques
 }
 var handledLoginRequest flow.HandledLoginRequest
- d := json.NewDecoder(r.Body)
- d.DisallowUnknownFields()
- if err := d.Decode(&handledLoginRequest); err != nil {
+
+ err := decodeRequestBody(r, &handledLoginRequest)
+ if err != nil {
 h.r.Writer().WriteError(w, r, errorsx.WithStack(fosite.ErrInvalidRequest.WithWrap(err).WithHintf("Unable to decode body because: %s", err)))
 return
 }
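Review bot: The added `d.UseNumber()` changes the dynamic type that ends up in the request's `map[string]interface{}` session maps (AccessToken/IDToken, per patch 3 in this series) from `float64` to `json.Number`, and nothing on the new line says why; any later `value.(float64)` assertion on those maps — none is visible from here — would now silently fall through. A one-line comment would carry the intent: `// Keep numbers as json.Number: decoding to float64 would re-encode large integers such as 1000000000 as 1e+09 when the session is persisted.` The commit also adds no test; posting `{"session":{"access_token":{"n":1000000000}}}` and asserting the stored bytes would pin the fix against regressions. acceptOAuth2ConsentRequest starts and ends outside the hunk.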
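Review bot: The replacement in acceptOAuth2LoginRequest spreads `err := decodeRequestBody(r, &handledLoginRequest)` and `if err != nil {` over two statements plus an added blank line, where the removed code (and the Go convention) used the if-initializer form; `if err := decodeRequestBody(r, &handledLoginRequest); err != nil {` keeps `err` scoped to the check and sidesteps the question of whether an `err` is already declared in the enclosing scope, which cannot be seen here because the function starts and ends outside the hunk. The same shape is repeated in the three sibling hunks of this patch, so it is worth changing uniformly.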
@@ -560,9 +559,9 @@ func (h *Handler) rejectOAuth2LoginRequest(w http.ResponseWriter, r *http.Reques
 }
 var p flow.RequestDeniedError
- d := json.NewDecoder(r.Body)
- d.DisallowUnknownFields()
- if err := d.Decode(&p); err != nil {
+
+ err := decodeRequestBody(r, &p)
+ if err != nil {
 h.r.Writer().WriteError(w, r, errorsx.WithStack(fosite.ErrInvalidRequest.WithWrap(err).WithHintf("Unable to decode body because: %s", err)))
 return
 }
@@ -744,10 +743,9 @@ func (h *Handler) acceptOAuth2ConsentRequest(w http.ResponseWriter, r *http.Requ
 }
 var p flow.AcceptOAuth2ConsentRequest
- d := json.NewDecoder(r.Body)
- d.UseNumber()
- d.DisallowUnknownFields()
- if err := d.Decode(&p); err != nil {
+
+ err := decodeRequestBody(r, &p)
+ if err != nil {
 h.r.Writer().WriteErrorCode(w, r, http.StatusBadRequest, errorsx.WithStack(err))
 return
 }
@@ -854,9 +852,9 @@ func (h *Handler) rejectOAuth2ConsentRequest(w http.ResponseWriter, r *http.Requ
 }
 var p flow.RequestDeniedError
- d := json.NewDecoder(r.Body)
- d.DisallowUnknownFields()
- if err := d.Decode(&p); err != nil {
+
+ err := decodeRequestBody(r, &p)
+ if err != nil {
 h.r.Writer().WriteErrorCode(w, r, http.StatusBadRequest, errorsx.WithStack(err))
 return
 }
diff --git a/consent/helper.go b/consent/helper.go
index 362f2952284..53be915f80f 100644
--- a/consent/helper.go
+++ b/consent/helper.go
@@ -4,6 +4,9 @@ package consent
 import (
+ "encoding/json"
+ "net/http"
+
 "github.com/ory/fosite"
 "github.com/ory/hydra/v2/client"
 "github.com/ory/hydra/v2/flow"
@@ -38,3 +41,10 @@ func matchScopes(scopeStrategy fosite.ScopeStrategy, previousConsent []flow.Acce
 return nil
 }
+
+func decodeRequestBody(r *http.Request, v interface{}) error {
+ decoder := json.NewDecoder(r.Body)
+ decoder.DisallowUnknownFields()
+ decoder.UseNumber()
+ return decoder.Decode(v)
+}
From fa2ed97934c95571d38cd94940c1314058550773 Mon Sep 17 00:00:00 2001
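Review bot: Now that body decoding is centralised, the consent handlers in this hunk still answer a malformed body with a bare `h.r.Writer().WriteErrorCode(w, r, http.StatusBadRequest, errorsx.WithStack(err))` while the login handlers in the same patch wrap the identical error as `fosite.ErrInvalidRequest.WithWrap(err).WithHintf("Unable to decode body because: %s", err)`, so the same bad request gets two different response shapes depending on the endpoint; the shared helper (or a shared error mapping next to it) is the natural place to make that one shape. If the difference is deliberate, a one-line comment above the call, such as `// Consent endpoints report decode failures as plain 400s, not fosite errors, because ...`, would stop the next refactor from "fixing" it. acceptOAuth2ConsentRequest starts and ends outside the hunk.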
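Review bot: `decodeRequestBody` has no doc comment and accepts a body that continues after the first JSON value, because `Decode` stops at the end of that value; given the helper already opts into strict parsing with `DisallowUnknownFields`, rejecting trailing data is the consistent choice. It also reads `r.Body` without a size bound — if the router does not already wrap bodies with `http.MaxBytesReader` (not visible from this patch), these admin endpoints accept arbitrarily large JSON. The rewrite below adds the contract comment (the `UseNumber` rationale is the only reason this helper differs from a plain `json.NewDecoder`) and the trailing-data check; it needs `errors` and `io` imported in helper.go.
```go
// decodeRequestBody decodes exactly one JSON value from r.Body into v.
// Unknown fields are rejected, and numbers are kept as json.Number so that
// large integers are not rewritten in exponent form (e.g. 1e+09) when the
// decoded session data is encoded again.
func decodeRequestBody(r *http.Request, v interface{}) error {
	decoder := json.NewDecoder(r.Body)
	decoder.DisallowUnknownFields()
	decoder.UseNumber()
	if err := decoder.Decode(v); err != nil {
		return err
	}
	// Decode stops after the first value; anything left over is a malformed request.
	if _, err := decoder.Token(); err != io.EOF {
		return errors.New("request body must contain a single JSON value")
	}
	return nil
}
```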
From: =?UTF-8?q?Marcin=20Ja=C5=82ocha?=
Date: Fri, 14 Jun 2024 14:35:19 +0200
Subject: [PATCH 3/3] Ensure proper number format in AcceptOAuth2ConsentRequestSession
---
 flow/consent_types.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/flow/consent_types.go b/flow/consent_types.go
index 793538bf6ad..060af351f60 100644
--- a/flow/consent_types.go
+++ b/flow/consent_types.go
@@ -8,7 +8,9 @@ import (
 "database/sql/driver"
 "encoding/json"
 "fmt"
+ "math"
 "net/http"
+ "strconv"
 "time"
 "github.com/gobuffalo/pop/v6"
@@ -742,8 +744,22 @@ func NewConsentRequestSessionData() *AcceptOAuth2ConsentRequestSession {
 func (r *AcceptOAuth2ConsentRequestSession) MarshalJSON() ([]byte, error) {
 type Alias AcceptOAuth2ConsentRequestSession
 alias := Alias(*r)
+
 if alias.AccessToken == nil {
 alias.AccessToken = map[string]interface{}{}
+ } else {
+ // ensure numbers are properly converted to their respective types instead of forcing float64
+ for key, value := range alias.AccessToken {
+ switch v := value.(type) {
+ case float64:
+ _, frac := math.Modf(v)
+ if frac == 0.0 {
+ alias.AccessToken[key] = json.Number(strconv.FormatInt(int64(v), 10))
+ } else {
+ alias.AccessToken[key] = json.Number(strconv.FormatFloat(v, 'f', -1, 64))
+ }
+ }
+ }
 }
 if alias.IDToken == nil {
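Review bot: The `int64(v)` in the FormatInt branch is not range-checked — for an integral float64 outside int64 range (e.g. `1e19`) the conversion is implementation-defined in Go and yields `-9223372036854775808` on amd64, so a large integral claim would be serialised as a wrong number rather than rejected. `strconv.FormatFloat(v, 'f', -1, 64)` already prints integral values without a fraction or exponent (`3` for `3.0`, `10000000000000000000` for `1e19`), so the `math.Modf` split and the `math` import are unnecessary and the whole case collapses to `alias.AccessToken[key] = json.Number(strconv.FormatFloat(v, 'f', -1, 64))`. Separately, `alias := Alias(*r)` copies the struct but shares the map, so the in-place `alias.AccessToken[key] = ...` writes mutate the receiver during marshalling — a surprising side effect and a data race if the same session is marshalled concurrently — which a fresh map avoids, as in the rewrite below. Only top-level values are converted (nested maps keep float64) and, from the visible lines, `IDToken` gets no such treatment; the hunk's trailing context and the rest of MarshalJSON lie outside this excerpt.
```go
	alias := Alias(*r)
	if alias.AccessToken == nil {
		alias.AccessToken = map[string]interface{}{}
	} else {
		// Build a new map so marshalling never mutates r. float64 claims are
		// emitted as json.Number so integral values do not come out in
		// exponent form; 'f' with -1 precision prints 3 for 3.0 and 1e19 in
		// full, so no int64 cast (and no overflow) is needed.
		converted := make(map[string]interface{}, len(alias.AccessToken))
		for key, value := range alias.AccessToken {
			if v, ok := value.(float64); ok {
				value = json.Number(strconv.FormatFloat(v, 'f', -1, 64))
			}
			converted[key] = value
		}
		alias.AccessToken = converted
	}
	// … unchanged: IDToken handling …
```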