feat: enhance security and dynamic redirection

Author: Aldiwildan77

.env.example

@@ -23,7 +23,7 @@ DB_DIALECT
 
 DISCORD_CLIENT_ID
 DISCORD_CLIENT_SECRET
-DISCORD_REDIRECT_URI
+DISCORD_BASE_URL
 DISCORD_OAUTH2_REDIRECT_DOMAIN
 DISCORD_LATEST_VERSION
 

config/discord.go

@@ -2,15 +2,10 @@ package config
 
 import "fmt"
 
-const (
-	DiscordBaseURL  = "https://discord.com/api"
-	DiscordOAuthURL = DiscordBaseURL + "/oauth2/authorize"
-)
-
 type DiscordConfig struct {
 	ClientID       string `env:"DISCORD_CLIENT_ID" envDefault:""`
 	ClientSecret   string `env:"DISCORD_CLIENT_SECRET" envDefault:""`
-	RedirectURI    string `env:"DISCORD_REDIRECT_URI" envDefault:""`
+	BaseURL        string `env:"DISCORD_BASE_URL" envDefault:"https://discord.com/api"`
 	RedirectDomain string `env:"DISCORD_REDIRECT_DOMAIN" envDefault:".mocha-bot.xyz"`
 	LatestVersion  string `env:"DISCORD_LATEST_VERSION" envDefault:"v10"`
 }
@@ -20,9 +15,5 @@ func (d DiscordConfig) GetBaseURL(version string) string {
 		version = d.LatestVersion
 	}
 
-	return fmt.Sprintf("%s/%s", DiscordBaseURL, version)
-}
-
-func (d DiscordConfig) GetRedirectURI() string {
-	return d.RedirectURI
+	return fmt.Sprintf("%s/%s", d.BaseURL, version)
 }

core/entity/discord.go

@@ -14,7 +14,20 @@ const (
 )
 
 type OauthCallbackRequest struct {
-	Code string `query:"code"`
+	Code        string `query:"code"`
+	RequestURL  string `query:"request_url"`
+	RedirectURL string `query:"redirect_url"`
+}
+
+func (ocr *OauthCallbackRequest) Validate() error {
+	err := validator.New().Struct(ocr)
+	if err != nil {
+		for _, e := range err.(validator.ValidationErrors) {
+			return fmt.Errorf("field %s is invalid", e.Field())
+		}
+	}
+
+	return nil
 }
 
 type AccessToken struct {

core/entity/user.go

@@ -3,7 +3,16 @@ package entity
 type User struct {
 	ID            string
 	Username      string
-	Discriminator string
 	Avatar        string
+	Discriminator string
+	PublicFlags   int
+	Flags         int
+	Banner        string
+	AccentColor   string
+	GlobalName    string
+	MFAEnabled    bool
+	Locale        string
+	PremiumType   int
 	Email         string
+	Verified      bool
 }

core/module/discord.go

@@ -9,7 +9,7 @@ import (
 )
 
 type DiscordUsecase interface {
-	ExchangeCodeForToken(ctx context.Context, code string) (*entity.AccessToken, error)
+	ExchangeCodeForToken(ctx context.Context, req *entity.OauthCallbackRequest) (*entity.AccessToken, error)
 	ExchangeRefreshForToken(ctx context.Context, req *entity.RefreshTokenRequest) (*entity.AccessToken, error)
 	RevokeToken(ctx context.Context, req *entity.RevokeTokenRequest) error
 
@@ -26,30 +26,20 @@ func NewDiscordUsecase(repo repository.DiscordRepository) DiscordUsecase {
 	}
 }
 
-func (d *discordUsecase) ExchangeCodeForToken(ctx context.Context, code string) (*entity.AccessToken, error) {
-	if code == "" {
-		return nil, fmt.Errorf("%w, invalid code", entity.ErrorUnauthorized)
-	}
-
-	accessToken, err := d.DiscordRepository.GetToken(ctx, code)
-	if err != nil {
-		return nil, err
+func (d *discordUsecase) ExchangeCodeForToken(ctx context.Context, req *entity.OauthCallbackRequest) (*entity.AccessToken, error) {
+	if err := req.Validate(); err != nil {
+		return nil, fmt.Errorf("%w, %w", entity.ErrorUnauthorized, err)
 	}
 
-	return accessToken, nil
+	return d.DiscordRepository.GetToken(ctx, req.Code, req.RequestURL)
 }
 
 func (d *discordUsecase) ExchangeRefreshForToken(ctx context.Context, req *entity.RefreshTokenRequest) (*entity.AccessToken, error) {
 	if err := req.Validate(); err != nil {
 		return nil, fmt.Errorf("%w, %w", entity.ErrorUnauthorized, err)
 	}
 
-	accessToken, err := d.DiscordRepository.GetTokenByRefresh(ctx, req.RefreshToken)
-	if err != nil {
-		return nil, err
-	}
-
-	return accessToken, nil
+	return d.DiscordRepository.GetTokenByRefresh(ctx, req.RefreshToken)
 }
 
 func (d *discordUsecase) RevokeToken(ctx context.Context, req *entity.RevokeTokenRequest) error {

core/repository/discord/discord.go

@@ -7,7 +7,7 @@ import (
 )
 
 type DiscordRepository interface {
-	GetToken(ctx context.Context, code string) (*entity.AccessToken, error)
+	GetToken(ctx context.Context, code, redirectURL string) (*entity.AccessToken, error)
 	GetTokenByRefresh(ctx context.Context, refreshToken string) (*entity.AccessToken, error)
 	RevokeToken(ctx context.Context, req *entity.RevokeTokenRequest) error
 

handler/http/discord.go

@@ -31,14 +31,20 @@ func NewDiscordHandler(cfg config.Config, discordUsecase module.DiscordUsecase)
 func (d *discordHandler) OauthCallback(c echo.Context) error {
 	ctx := c.Request().Context()
 
+	// If the error occurs, the discord will still got redirected to the desired URL
+	// with the error message in the query params and the URI fragment will also be appended
+	// e.g. /redirect?error=error_message#access_token=token&token_type=type&expires_in=3600&refresh_token=refresh&scope=identify
+
 	req, err := parseOauthCallbackRequest(c)
 	if err != nil {
-		return c.JSON(parseOauthCallbackError(err))
+		code, resp := parseOauthCallbackError(err)
+		return c.Redirect(http.StatusTemporaryRedirect, parseOauthCallbackRedirectError(req.RedirectURL, code, resp))
 	}
 
-	exchanged, err := d.discordUsecase.ExchangeCodeForToken(ctx, req.Code)
+	exchanged, err := d.discordUsecase.ExchangeCodeForToken(ctx, req)
 	if err != nil {
-		return c.JSON(parseOauthCallbackError(err))
+		code, resp := parseOauthCallbackError(err)
+		return c.Redirect(http.StatusTemporaryRedirect, parseOauthCallbackRedirectError(req.RedirectURL, code, resp))
 	}
 
 	isLocalhost := d.cfg.App.IsLocalhost()
@@ -52,7 +58,7 @@ func (d *discordHandler) OauthCallback(c echo.Context) error {
 		c.SetCookie(cookie)
 	}
 
-	return c.Redirect(http.StatusFound, d.cfg.App.Gateway)
+	return c.Redirect(http.StatusFound, req.RedirectURL)
 }
 
 func (d *discordHandler) RefreshToken(c echo.Context) error {

handler/http/parser.discord.go

@@ -4,10 +4,12 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
 
 	"github.com/labstack/echo/v4"
 	"github.com/mocha-bot/mochus/core/entity"
 	cookiey "github.com/mocha-bot/mochus/pkg/cookie"
+	"github.com/mocha-bot/mochus/pkg/echoy"
 	zLog "github.com/rs/zerolog/log"
 )
 
@@ -18,19 +20,56 @@ func parseOauthCallbackRequest(c echo.Context) (*entity.OauthCallbackRequest, er
 		return nil, fmt.Errorf("%w: %s", entity.ErrorBind, err)
 	}
 
+	parsedURL, err := url.ParseRequestURI(c.Request().RequestURI)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %s", entity.ErrorBind, err)
+	}
+
+	redirectURL := parsedURL.Query().Get(RedirectURLKey)
+	if redirectURL == "" {
+		return nil, fmt.Errorf("%w: %s", entity.ErrorBind, "redirect_url is required")
+	}
+
+	finalURL := url.URL{
+		Scheme:   echoy.GetScheme(c),
+		Host:     c.Request().Host,
+		Path:     c.Request().URL.Path,
+		RawQuery: url.Values{RedirectURLKey: {redirectURL}}.Encode(),
+	}
+
+	req.RequestURL, err = url.QueryUnescape(finalURL.String())
+	if err != nil {
+		return nil, fmt.Errorf("%w: %s", entity.ErrorBind, err)
+	}
+
 	return req, nil
 }
 
 func parseOauthCallbackError(err error) (code int, i any) {
 	switch {
 	case errors.Is(err, entity.ErrorBind):
 		return http.StatusBadRequest, Response{Message: err.Error()}
+	case errors.Is(err, entity.ErrorUnauthorized):
+		return http.StatusUnauthorized, Response{Message: err.Error()}
+	case errors.Is(err, entity.ErrorBadRequest):
+		return http.StatusBadRequest, Response{Message: err.Error()}
 	default:
 		zLog.Error().Err(err).Msg("Internal server error")
 		return http.StatusInternalServerError, Response{Message: "Internal server error"}
 	}
 }
 
+func parseOauthCallbackRedirectError(redirectURL string, code int, i any) (newRedirectURL string) {
+	redirectURLParsed, _ := url.Parse(redirectURL)
+
+	if i == nil {
+		return redirectURLParsed.String()
+	}
+
+	redirectURLParsed.RawQuery = url.Values{"error": {i.(Response).Message}}.Encode()
+	return redirectURLParsed.String()
+}
+
 func parseRefreshTokenRequest(c echo.Context) (*entity.RefreshTokenRequest, error) {
 	req := new(entity.RefreshTokenRequest)
 
@@ -48,6 +87,8 @@ func parseRefreshTokenError(err error) (code int, i any) {
 	switch {
 	case errors.Is(err, entity.ErrorUnauthorized):
 		return http.StatusUnauthorized, Response{Message: err.Error()}
+	case errors.Is(err, entity.ErrorBadRequest):
+		return http.StatusBadRequest, Response{Message: err.Error()}
 	default:
 		zLog.Error().Err(err).Msg("Internal server error")
 		return http.StatusInternalServerError, Response{Message: "Internal server error"}
@@ -76,6 +117,8 @@ func parseRevokeTokenError(err error) (code int, i any) {
 	switch {
 	case errors.Is(err, entity.ErrorUnauthorized):
 		return http.StatusUnauthorized, Response{Message: err.Error()}
+	case errors.Is(err, entity.ErrorBadRequest):
+		return http.StatusBadRequest, Response{Message: err.Error()}
 	default:
 		zLog.Error().Err(err).Msg("Internal server error")
 		return http.StatusInternalServerError, Response{Message: "Internal server error"}
@@ -106,6 +149,8 @@ func parseGetUserByTokenError(err error) (code int, i any) {
 	switch {
 	case errors.Is(err, entity.ErrorUnauthorized):
 		return http.StatusUnauthorized, Response{Message: err.Error()}
+	case errors.Is(err, entity.ErrorBadRequest):
+		return http.StatusBadRequest, Response{Message: err.Error()}
 	default:
 		zLog.Error().Err(err).Msg("Internal server error")
 		return http.StatusInternalServerError, Response{Message: "Internal server error"}

handler/http/request.go

@@ -0,0 +1,5 @@
+package http_handler
+
+const (
+	RedirectURLKey = "redirect_url"
+)

pkg/echoy/scheme.go

@@ -0,0 +1,15 @@
+package echoy
+
+import "github.com/labstack/echo/v4"
+
+const (
+	HTTP  = "http"
+	HTTPS = "https"
+)
+
+func GetScheme(c echo.Context) string {
+	if c.Request().TLS != nil {
+		return HTTPS
+	}
+	return HTTP
+}

repository/discord/api.go

@@ -0,0 +1,9 @@
+package discord_repository
+
+const (
+	Oauth2Authorize   = "/oauth2/authorize"
+	Oauth2GetToken    = "/oauth2/token"
+	Oauth2RevokeToken = "/oauth2/token/revoke"
+
+	GetUser = "/users/@me"
+)