From b4f04a2cd7162b3c88f9ac28d5a19d56bbe626aa Mon Sep 17 00:00:00 2001
From: jwijenbergh
Date: Wed, 27 Sep 2023 16:36:51 +0200
Subject: OAuth: Check for error parameter in authorization response

---
 internal/oauth/oauth.go | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/internal/oauth/oauth.go b/internal/oauth/oauth.go
index 3d5930b..f1cc9fe 100644
--- a/internal/oauth/oauth.go
+++ b/internal/oauth/oauth.go
@@ -366,11 +366,12 @@ func writeResponseHTML(w http.ResponseWriter, title string, message string) erro
 func (s *exchangeSession) Authcode(url *url.URL) (string, error) {
 // ISS: https://www.rfc-editor.org/rfc/rfc9207.html
 q := url.Query()
+
+ // first check ISS
 iss := q.Get("iss")
 if s.ISS != iss {
 return "", errors.Errorf("failed matching ISS; expected '%s' got '%s'", s.ISS, iss)
 }
-
 // Make sure the state is present and matches to protect against cross-site request forgeries
 // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-04#section-7.15
 state := q.Get("state")
@@ -382,6 +383,16 @@ func (s *exchangeSession) Authcode(url *url.URL) (string, error) {
 return "", errors.Errorf("failed matching state; expected '%s' got '%s'", s.State, state)
 }
+
+ // check if an error is present
+ // https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-09#name-authorization-response (error response)
+ errc := q.Get("error")
+ if errc != "" {
+ // these are optional but let's include them
+ errdesc := q.Get("error_description")
+ erruri := q.Get("error_uri")
+ return "", errors.Errorf("failed obtaining oauthorization code, error code '%s', error description '%s', error uri '%s'", errc, errdesc, erruri)
+ }
+
 // No authorization code
 code := q.Get("code")
 if code == "" {
-- 
cgit v1.2.3
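Review bot: The new error branch in the second hunk interpolates `error`, `error_description` and `error_uri` with `'%s'`, so whatever the redirect's query string carries — including newlines or control characters, which RFC 6749 forbids in these fields but a client cannot rely on — lands verbatim in the error returned to the caller and whatever logs or UI it reaches. Since these values come from the redirect URL rather than from an authenticated token response, `%q` would keep them escaped and visible, e.g. `return "", errors.Errorf("failed obtaining authorization code, error code %q, error description %q, error uri %q", errc, errdesc, erruri)`, which also fixes the "oauthorization" typo; the `'%s'` quoting in the ISS and state messages in the first hunk has the same shape. Checking `error` only after ISS and state have been verified appears to be the right order, since both specs cited in the hunk place those parameters in error responses as well, and a one-line comment such as `// an error response still carries iss and state, so those checks run first` would stop the next reader from moving this block earlier. Authcode's body continues outside the hunk.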