Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix unknown pkce method error when configured #1747

Merged
merged 8 commits into from
Nov 6, 2024

Conversation

ransombriggs
Copy link
Contributor

Summary

I am upgrading to get the configuration update from #1735 but noticed that the error message is not correct when it is configured in that it makes it sound like we accept plain.

#1746

@@ -100,7 +100,7 @@ en:
unauthorized_client: 'The client is not authorized to perform this request using this method.'
access_denied: 'The resource owner or authorization server denied the request.'
invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
invalid_code_challenge_method: 'The code challenge method must be plain or S256.'
invalid_code_challenge_method: 'The code challenge method must be one of %{challenge_methods}.'
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This could probably use some tweaking, just let me know how you think this should read.

Copy link
Contributor

@ThisIsMissEm ThisIsMissEm Nov 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You'd probably want to use the one / other syntax here..

Suggested change
invalid_code_challenge_method: 'The code challenge method must be one of %{challenge_methods}.'
invalid_code_challenge_method:
one: 'The code challenge method must be %{challenge_methods}.'
other: 'The code challenge method must be one of %{challenge_methods}.'

Which would need a count on challenge_methods, iirc. count is magic in that it decides whether to pick one or other

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome suggestions, I went ahead and updated in ccc9773

@@ -12,6 +12,7 @@ def self.from_request(request, attributes = {})
attributes.merge(
name: error_name_for(request.error),
exception_class: exception_class_for(request.error),
translate_options: request.error.try(:translate_options),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was not completely confident what classes request.error are expected here. I can remove the try if we always expect to receive a DoorkeeperError here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe there's a default that can be set? grab :translate_options or fallback to {}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I default it here in error.rb because that caught all the usages of Error in one place.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

More thinking of if the Error somehow doesn't derive from Doorkeeper::OAuth::Error, e.g., it comes from activerecord or something

class InvalidCodeChallengeMethod < BaseResponseError
def self.translate_options
{
challenge_methods: Doorkeeper.config.pkce_code_challenge_methods_supported.join(", ")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Re: pluralisation in https://github.com/doorkeeper-gem/doorkeeper/pull/1747/files#r1825345954

Suggested change
challenge_methods: Doorkeeper.config.pkce_code_challenge_methods_supported.join(", ")
challenge_methods: Doorkeeper.config.pkce_code_challenge_methods_supported.join(", "),
count: Doorkeeper.config.pkce_code_challenge_methods_supported.length

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, used this in ccc9773

Comment on lines 22 to 36
context "when there are variables" do
subject(:error) do
described_class.new(
:invalid_code_challenge_method,
:some_state,
{
challenge_methods: "foo, bar"
}
)
end

it "is translated from translation messages with variables" do
expect(error.description).to eq("The code challenge method must be one of foo, bar.")
end
end
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should have a test case for the "one" option, i.e., just "foo" not "foo, bar"

(this likely more applies to pre_authorization_spec.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a test for %w(foo) and [] in ccc9773

@@ -100,7 +100,10 @@ en:
unauthorized_client: 'The client is not authorized to perform this request using this method.'
access_denied: 'The resource owner or authorization server denied the request.'
invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
invalid_code_challenge_method: 'The code challenge method must be plain or S256.'
invalid_code_challenge_method:
zero: 'There are no acceptable code_challenge methods'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should never be reachable, but if it is, say

Suggested change
zero: 'There are no acceptable code_challenge methods'
zero: 'This authorization server does not support PKCE as there a no accepted code_challenge methods'

Would be better?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is better, tweaked it just a little bit to align with other messages and updated in f042917

attributes[:code_challenge_method] = "plain"

expect(pre_auth).to_not be_authorizable
expect(pre_auth.error_response.description).to eq("There are no acceptable code_challenge methods")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, we should use code_challenge or code challenge consistently.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch, this comment made me realize that we should probably be calling it code_challenge_method since that is the actual param, so I made that change in d244e69

@@ -100,7 +100,10 @@ en:
unauthorized_client: 'The client is not authorized to perform this request using this method.'
access_denied: 'The resource owner or authorization server denied the request.'
invalid_scope: 'The requested scope is invalid, unknown, or malformed.'
invalid_code_challenge_method: 'The code challenge method must be plain or S256.'
invalid_code_challenge_method:
zero: 'The authorization server does not support PKCE as there is no accepted code_challenge_method'
Copy link
Contributor

@ThisIsMissEm ThisIsMissEm Nov 1, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
zero: 'The authorization server does not support PKCE as there is no accepted code_challenge_method'
zero: 'The authorization server does not support PKCE as there are no accepted code_challenge_method values.'

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated this message in 7e2bf4b

Copy link
Contributor

@ThisIsMissEm ThisIsMissEm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tiny comment, but LGTMO

Copy link
Contributor

@ThisIsMissEm ThisIsMissEm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

Copy link
Member

@nbulaj nbulaj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

Thanks!

@nbulaj nbulaj merged commit edceb80 into doorkeeper-gem:main Nov 6, 2024
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants