fix tmpauth passthrough

tmpim · Aug 4, 2024 · bb1e0af · bb1e0af
1 parent 7010df9
commit bb1e0af
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 8 deletions.
diff --git a/cmd/mini-server/main.go b/cmd/mini-server/main.go
@@ -198,14 +198,28 @@ func main() {
 			return
 		}
 
+		token := r.Header.Get(tmpauth.TokenHeader)
+		if token == "" {
+			log.Println("missing tmpauth token")
+			http.Error(w, "missing tmpauth token", http.StatusBadRequest)
+			return
+		}
+
 		ta, ok := tmpauthInstances[configID]
 		if !ok {
 			log.Println("invalid config ID:", configID)
 			http.Error(w, "invalid config ID", http.StatusPreconditionFailed)
 			return
 		}
 
-		whomstData, err := ta.Whomst()
+		cachedToken, err := ta.ParseWrappedAuthJWT(token)
+		if err != nil {
+			log.Println("error parsing token:", err)
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		}
+
+		whomstData, err := ta.Whomst(cachedToken)
 		if err != nil {
 			log.Println("error getting whomst:", err)
 			http.Error(w, err.Error(), http.StatusInternalServerError)

diff --git a/handler.go b/handler.go
@@ -411,7 +411,7 @@ func (t *Tmpauth) serveWhomst(w http.ResponseWriter, token *CachedToken) (int, e
 		return http.StatusUnauthorized, fmt.Errorf("tmpauth: must be logged in to retrieve whomst database")
 	}
 
-	whomstData, err := t.Whomst()
+	whomstData, err := t.Whomst(token)
 	if err != nil {
 		return http.StatusInternalServerError, fmt.Errorf("tmpauth: failed to retrieve whomst data: %w", err)
 	}
@@ -423,7 +423,7 @@ func (t *Tmpauth) serveWhomst(w http.ResponseWriter, token *CachedToken) (int, e
 	return 0, nil
 }
 
-func (t *Tmpauth) Whomst() (map[string]json.RawMessage, error) {
+func (t *Tmpauth) Whomst(token *CachedToken) (map[string]json.RawMessage, error) {
 	var resp *http.Response
 	var respErr error
 
@@ -433,11 +433,12 @@ func (t *Tmpauth) Whomst() (map[string]json.RawMessage, error) {
 			return nil, fmt.Errorf("invalid mini server request: %w", err)
 		}
 
-		req.Header.Set(ConfigIDHeader, t.miniConfigID)
+		req.Header.Set(TokenHeader, token.RawToken)
 
 		resp, respErr = t.miniClient(req, 0)
 	} else {
-		resp, respErr = t.HttpClient.Get("https://" + TmpAuthHost + "/whomst")
+		resp, respErr = t.HttpClient.Get("https://" + TmpAuthHost + "/whomst/tmpauth/db?token=" +
+			url.QueryEscape(token.RawToken))
 	}
 	if respErr != nil {
 		return nil, respErr

diff --git a/token.go b/token.go
@@ -27,6 +27,7 @@ type CachedToken struct {
 	ValidatedAt    time.Time
 	IssuedAt       time.Time
 	UserIDs        []string // IDs that can be used in Config.AllowedUsers from IDFormats
+	RawToken       string
 	headersMutex   *sync.RWMutex
 }
 
@@ -48,9 +49,12 @@ func (w *wrappedToken) Valid() error {
 	return nil
 }
 
-const ConfigIDHeader = "X-Tmpauth-Config-Id"
-const RequestURIHeader = "X-Tmpauth-Request-URI"
-const HostHeader = "X-Tmpauth-Host"
+const (
+	ConfigIDHeader   = "X-Tmpauth-Config-Id"
+	RequestURIHeader = "X-Tmpauth-Request-URI"
+	HostHeader       = "X-Tmpauth-Host"
+	TokenHeader      = "X-Tmpauth-Token"
+)
 
 func (t *Tmpauth) ParseWrappedMicrotoken(tokenStr string) (*CachedToken, error) {
 	codec := &microtoken.Codec{
@@ -252,6 +256,7 @@ func (t *Tmpauth) ParseAuthJWT(tokenStr string, minValidationTime time.Time) (*C
 		IssuedAt:       iat,
 		StateID:        stateID,
 		ValidatedAt:    minValidationTime,
+		RawToken:       tokenStr,
 		headersMutex:   new(sync.RWMutex),
 	}