[pull] master from supabase:master

CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [2.159.0](https://github.com/supabase/auth/compare/v2.158.1...v2.159.0) (2024-08-21)
+
+
+### Features
+
+* Vercel marketplace OIDC ([#1731](https://github.com/supabase/auth/issues/1731)) ([a9ff361](https://github.com/supabase/auth/commit/a9ff3612196af4a228b53a8bfb9c11785bcfba8d))
+
+
+### Bug Fixes
+
+* add error codes to password login flow ([#1721](https://github.com/supabase/auth/issues/1721)) ([4351226](https://github.com/supabase/auth/commit/435122627a0784f1c5cb76d7e08caa1f6259423b))
+* change phone constraint to per user ([#1713](https://github.com/supabase/auth/issues/1713)) ([b9bc769](https://github.com/supabase/auth/commit/b9bc769b93b6e700925fcbc1ebf8bf9678034205))
+* custom SMS does not work with Twilio Verify ([#1733](https://github.com/supabase/auth/issues/1733)) ([dc2391d](https://github.com/supabase/auth/commit/dc2391d15f2c0725710aa388cd32a18797e6769c))
+* ignore errors if transaction has closed already ([#1726](https://github.com/supabase/auth/issues/1726)) ([53c11d1](https://github.com/supabase/auth/commit/53c11d173a79ae5c004871b1b5840c6f9425a080))
+* redirect invalid state errors to site url ([#1722](https://github.com/supabase/auth/issues/1722)) ([b2b1123](https://github.com/supabase/auth/commit/b2b11239dc9f9bd3c85d76f6c23ee94beb3330bb))
+* remove TOTP field for phone enroll response ([#1717](https://github.com/supabase/auth/issues/1717)) ([4b04327](https://github.com/supabase/auth/commit/4b043275dd2d94600a8138d4ebf4638754ed926b))
+* use signing jwk to sign oauth state ([#1728](https://github.com/supabase/auth/issues/1728)) ([66fd0c8](https://github.com/supabase/auth/commit/66fd0c8434388bbff1e1bf02f40517aca0e9d339))
+
 ## [2.158.1](https://github.com/supabase/auth/compare/v2.158.0...v2.158.1) (2024-08-05)
 
 

internal/api/api.go

@@ -274,7 +274,7 @@ func NewAPIWithVersion(globalConfig *conf.GlobalConfiguration, db *storage.Conne
 					tollbooth.NewLimiter(api.config.SAML.RateLimitAssertion/(60*5), &limiter.ExpirableOptions{
 						DefaultExpirationTTL: time.Hour,
 					}).SetBurst(30),
-				)).Post("/acs", api.SAMLACS)
+				)).Post("/acs", api.SamlAcs)
 			})
 		})
 

internal/api/errorcodes.go

@@ -81,5 +81,7 @@ const (
 	ErrorCodeMFAPhoneVerifyDisabled            ErrorCode = "mfa_phone_verify_not_enabled"
 	ErrorCodeMFATOTPEnrollDisabled             ErrorCode = "mfa_totp_enroll_not_enabled"
 	ErrorCodeMFATOTPVerifyDisabled             ErrorCode = "mfa_totp_verify_not_enabled"
-	ErrorCodeVerifiedFactorExists              ErrorCode = "mfa_verified_factor_exists"
+	ErrorCodeMFAVerifiedFactorExists           ErrorCode = "mfa_verified_factor_exists"
+	//#nosec G101 -- Not a secret value.
+	ErrorCodeInvalidCredentials ErrorCode = "invalid_credentials"
 )

internal/api/external.go

@@ -15,6 +15,7 @@ import (
 	jwt "github.com/golang-jwt/jwt/v5"
 	"github.com/sirupsen/logrus"
 	"github.com/supabase/auth/internal/api/provider"
+	"github.com/supabase/auth/internal/conf"
 	"github.com/supabase/auth/internal/models"
 	"github.com/supabase/auth/internal/observability"
 	"github.com/supabase/auth/internal/storage"
@@ -106,8 +107,7 @@ func (a *API) GetExternalProviderRedirectURL(w http.ResponseWriter, r *http.Requ
 		claims.LinkingTargetID = linkingTargetUser.ID.String()
 	}
 
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	tokenString, err := token.SignedString([]byte(config.JWT.Secret))
+	tokenString, err := signJwt(&config.JWT, claims)
 	if err != nil {
 		return "", internalServerError("Error creating state").WithInternalError(err)
 	}
@@ -138,7 +138,7 @@ func (a *API) ExternalProviderCallback(w http.ResponseWriter, r *http.Request) e
 	if err != nil {
 		return err
 	}
-	a.redirectErrors(a.internalExternalProviderCallback, w, r, u)
+	redirectErrors(a.internalExternalProviderCallback, w, r, u)
 	return nil
 }
 
@@ -338,7 +338,7 @@ func (a *API) createAccountFromExternalIdentity(tx *storage.Connection, r *http.
 		if identity, terr = a.createNewIdentity(tx, user, providerType, identityData); terr != nil {
 			return nil, terr
 		}
-
+		user.Identities = append(user.Identities, *identity)
 	case models.AccountExists:
 		user = decision.User
 		identity = decision.Identities[0]
@@ -478,18 +478,39 @@ func (a *API) processInvite(r *http.Request, tx *storage.Connection, userData *p
 	return user, nil
 }
 
-func (a *API) loadExternalState(ctx context.Context, state string) (context.Context, error) {
+func (a *API) loadExternalState(ctx context.Context, r *http.Request) (context.Context, error) {
+	var state string
+	switch r.Method {
+	case http.MethodPost:
+		state = r.FormValue("state")
+	default:
+		state = r.URL.Query().Get("state")
+	}
+	if state == "" {
+		return ctx, badRequestError(ErrorCodeBadOAuthCallback, "OAuth state parameter missing")
+	}
 	config := a.config
 	claims := ExternalProviderClaims{}
-	p := jwt.NewParser(jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Name}))
+	p := jwt.NewParser(jwt.WithValidMethods(config.JWT.ValidMethods))
 	_, err := p.ParseWithClaims(state, &claims, func(token *jwt.Token) (interface{}, error) {
-		return []byte(config.JWT.Secret), nil
+		if kid, ok := token.Header["kid"]; ok {
+			if kidStr, ok := kid.(string); ok {
+				return conf.FindPublicKeyByKid(kidStr, &config.JWT)
+			}
+		}
+		if alg, ok := token.Header["alg"]; ok {
+			if alg == jwt.SigningMethodHS256.Name {
+				// preserve backward compatibility for cases where the kid is not set
+				return []byte(config.JWT.Secret), nil
+			}
+		}
+		return nil, fmt.Errorf("missing kid")
 	})
 	if err != nil {
-		return nil, badRequestError(ErrorCodeBadOAuthState, "OAuth callback with invalid state").WithInternalError(err)
+		return ctx, badRequestError(ErrorCodeBadOAuthState, "OAuth callback with invalid state").WithInternalError(err)
 	}
 	if claims.Provider == "" {
-		return nil, badRequestError(ErrorCodeBadOAuthState, "OAuth callback with invalid state (missing provider)")
+		return ctx, badRequestError(ErrorCodeBadOAuthState, "OAuth callback with invalid state (missing provider)")
 	}
 	if claims.InviteToken != "" {
 		ctx = withInviteToken(ctx, claims.InviteToken)
@@ -564,6 +585,8 @@ func (a *API) Provider(ctx context.Context, name string, scopes string) (provide
 		return provider.NewTwitchProvider(config.External.Twitch, scopes)
 	case "twitter":
 		return provider.NewTwitterProvider(config.External.Twitter, scopes)
+	case "vercel_marketplace":
+		return provider.NewVercelMarketplaceProvider(config.External.VercelMarketplace, scopes)
 	case "workos":
 		return provider.NewWorkOSProvider(config.External.WorkOS)
 	case "zoom":
@@ -573,7 +596,7 @@ func (a *API) Provider(ctx context.Context, name string, scopes string) (provide
 	}
 }
 
-func (a *API) redirectErrors(handler apiHandler, w http.ResponseWriter, r *http.Request, u *url.URL) {
+func redirectErrors(handler apiHandler, w http.ResponseWriter, r *http.Request, u *url.URL) {
 	ctx := r.Context()
 	log := observability.GetLogEntry(r).Entry
 	errorID := utilities.GetRequestID(ctx)

internal/api/external_oauth.go

@@ -10,6 +10,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/supabase/auth/internal/api/provider"
 	"github.com/supabase/auth/internal/observability"
+	"github.com/supabase/auth/internal/utilities"
 )
 
 // OAuthProviderData contains the userData and token returned by the oauth provider
@@ -23,17 +24,6 @@ type OAuthProviderData struct {
 // loadFlowState parses the `state` query parameter as a JWS payload,
 // extracting the provider requested
 func (a *API) loadFlowState(w http.ResponseWriter, r *http.Request) (context.Context, error) {
-	var state string
-	if r.Method == http.MethodPost {
-		state = r.FormValue("state")
-	} else {
-		state = r.URL.Query().Get("state")
-	}
-
-	if state == "" {
-		return nil, badRequestError(ErrorCodeBadOAuthCallback, "OAuth state parameter missing")
-	}
-
 	ctx := r.Context()
 	oauthToken := r.URL.Query().Get("oauth_token")
 	if oauthToken != "" {
@@ -43,7 +33,21 @@ func (a *API) loadFlowState(w http.ResponseWriter, r *http.Request) (context.Con
 	if oauthVerifier != "" {
 		ctx = withOAuthVerifier(ctx, oauthVerifier)
 	}
-	return a.loadExternalState(ctx, state)
+
+	var err error
+	ctx, err = a.loadExternalState(ctx, r)
+	if err != nil {
+		u, uerr := url.ParseRequestURI(a.config.SiteURL)
+		if uerr != nil {
+			return ctx, internalServerError("site url is improperly formatted").WithInternalError(uerr)
+		}
+
+		q := getErrorQueryString(err, utilities.GetRequestID(ctx), observability.GetLogEntry(r).Entry, u.Query())
+		u.RawQuery = q.Encode()
+
+		http.Redirect(w, r, u.String(), http.StatusSeeOther)
+	}
+	return ctx, err
 }
 
 func (a *API) oAuthCallback(ctx context.Context, r *http.Request, providerType string) (*OAuthProviderData, error) {

internal/api/external_test.go

@@ -235,7 +235,7 @@ func (ts *ExternalTestSuite) TestRedirectErrorsShouldPreserveParams() {
 		parsedURL, err := url.Parse(c.RedirectURL)
 		require.Equal(ts.T(), err, nil)
 
-		ts.API.redirectErrors(ts.API.internalExternalProviderCallback, w, req, parsedURL)
+		redirectErrors(ts.API.internalExternalProviderCallback, w, req, parsedURL)
 
 		parsedParams, err := url.ParseQuery(parsedURL.RawQuery)
 		require.Equal(ts.T(), err, nil)

internal/api/jwks.go

@@ -3,8 +3,10 @@ package api
 import (
 	"net/http"
 
+	jwt "github.com/golang-jwt/jwt/v5"
 	"github.com/lestrrat-go/jwx/v2/jwa"
 	jwk "github.com/lestrrat-go/jwx/v2/jwk"
+	"github.com/supabase/auth/internal/conf"
 )
 
 type JwksResponse struct {
@@ -28,3 +30,32 @@ func (a *API) Jwks(w http.ResponseWriter, r *http.Request) error {
 	w.Header().Set("Cache-Control", "public, max-age=600")
 	return sendJSON(w, http.StatusOK, resp)
 }
+
+func signJwt(config *conf.JWTConfiguration, claims jwt.Claims) (string, error) {
+	signingJwk, err := conf.GetSigningJwk(config)
+	if err != nil {
+		return "", err
+	}
+	signingMethod := conf.GetSigningAlg(signingJwk)
+	token := jwt.NewWithClaims(signingMethod, claims)
+	if token.Header == nil {
+		token.Header = make(map[string]interface{})
+	}
+
+	if _, ok := token.Header["kid"]; !ok {
+		if kid := signingJwk.KeyID(); kid != "" {
+			token.Header["kid"] = kid
+		}
+	}
+	// this serializes the aud claim to a string
+	jwt.MarshalSingleStringAsArray = false
+	signingKey, err := conf.GetSigningKey(signingJwk)
+	if err != nil {
+		return "", err
+	}
+	signed, err := token.SignedString(signingKey)
+	if err != nil {
+		return "", err
+	}
+	return signed, nil
+}

internal/api/mfa.go

@@ -103,7 +103,7 @@ func (a *API) enrollPhoneFactor(w http.ResponseWriter, r *http.Request, params *
 			if factor.Phone.String() == phone {
 				if factor.IsVerified() {
 					return unprocessableEntityError(
-						ErrorCodeVerifiedFactorExists,
+						ErrorCodeMFAVerifiedFactorExists,
 						"A verified phone factor already exists, unenroll the existing factor to continue",
 					)
 				} else if factor.IsUnverified() {

internal/api/provider/oidc.go

@@ -61,6 +61,8 @@ func ParseIDToken(ctx context.Context, provider *oidc.Provider, config *oidc.Con
 		token, data, err = parseLinkedinIDToken(token)
 	case IssuerKakao:
 		token, data, err = parseKakaoIDToken(token)
+	case IssuerVercelMarketplace:
+		token, data, err = parseVercelMarketplaceIDToken(token)
 	default:
 		if IsAzureIssuer(token.Issuer) {
 			token, data, err = parseAzureIDToken(token)
@@ -351,6 +353,40 @@ func parseKakaoIDToken(token *oidc.IDToken) (*oidc.IDToken, *UserProvidedData, e
 	return token, &data, nil
 }
 
+type VercelMarketplaceIDTokenClaims struct {
+	jwt.RegisteredClaims
+
+	UserEmail     string `json:"user_email"`
+	UserName      string `json:"user_name"`
+	UserAvatarUrl string `json:"user_avatar_url"`
+}
+
+func parseVercelMarketplaceIDToken(token *oidc.IDToken) (*oidc.IDToken, *UserProvidedData, error) {
+	var claims VercelMarketplaceIDTokenClaims
+
+	if err := token.Claims(&claims); err != nil {
+		return nil, nil, err
+	}
+
+	var data UserProvidedData
+
+	data.Emails = append(data.Emails, Email{
+		Email:    claims.UserEmail,
+		Verified: true,
+		Primary:  true,
+	})
+
+	data.Metadata = &Claims{
+		Issuer:     token.Issuer,
+		Subject:    token.Subject,
+		ProviderId: token.Subject,
+		Name:       claims.UserName,
+		Picture:    claims.UserAvatarUrl,
+	}
+
+	return token, &data, nil
+}
+
 func parseGenericIDToken(token *oidc.IDToken) (*oidc.IDToken, *UserProvidedData, error) {
 	var data UserProvidedData
 

internal/api/provider/vercel_marketplace.go

@@ -0,0 +1,78 @@
+package provider
+
+import (
+	"context"
+	"errors"
+	"strings"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/supabase/auth/internal/conf"
+	"golang.org/x/oauth2"
+)
+
+const (
+	defaultVercelMarketplaceAPIBase = "api.vercel.com"
+	IssuerVercelMarketplace         = "https://marketplace.vercel.com"
+)
+
+type vercelMarketplaceProvider struct {
+	*oauth2.Config
+	oidc    *oidc.Provider
+	APIPath string
+}
+
+// NewVercelMarketplaceProvider creates a VercelMarketplace account provider via OIDC.
+func NewVercelMarketplaceProvider(ext conf.OAuthProviderConfiguration, scopes string) (OAuthProvider, error) {
+	if err := ext.ValidateOAuth(); err != nil {
+		return nil, err
+	}
+
+	apiPath := chooseHost(ext.URL, defaultVercelMarketplaceAPIBase)
+
+	oauthScopes := []string{}
+
+	if scopes != "" {
+		oauthScopes = append(oauthScopes, strings.Split(scopes, ",")...)
+	}
+
+	oidcProvider, err := oidc.NewProvider(context.Background(), IssuerVercelMarketplace)
+	if err != nil {
+		return nil, err
+	}
+
+	return &vercelMarketplaceProvider{
+		oidc: oidcProvider,
+		Config: &oauth2.Config{
+			ClientID:     ext.ClientID[0],
+			ClientSecret: ext.Secret,
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  apiPath + "/oauth/v2/authorization",
+				TokenURL: apiPath + "/oauth/v2/accessToken",
+			},
+			Scopes:      oauthScopes,
+			RedirectURL: ext.RedirectURI,
+		},
+		APIPath: apiPath,
+	}, nil
+}
+
+func (g vercelMarketplaceProvider) GetOAuthToken(code string) (*oauth2.Token, error) {
+	return g.Exchange(context.Background(), code)
+}
+
+func (g vercelMarketplaceProvider) GetUserData(ctx context.Context, tok *oauth2.Token) (*UserProvidedData, error) {
+	idToken := tok.Extra("id_token")
+	if tok.AccessToken == "" || idToken == nil {
+		return nil, errors.New("vercel_marketplace: no OIDC ID token present in response")
+	}
+
+	_, data, err := ParseIDToken(ctx, g.oidc, &oidc.Config{
+		ClientID: g.ClientID,
+	}, idToken.(string), ParseIDTokenOptions{
+		AccessToken: tok.AccessToken,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return data, nil
+}