feat: generate a nonce to validate the OAuth callback

author: mo khan <mo@mokhan.ca> 2025-04-28 16:23:19 -0600
committer: mo khan <mo@mokhan.ca> 2025-04-28 16:23:19 -0600
commit: 62fdf88cbdec6dbf248bea13611521667112f5e1 (patch)
tree: 2632236a73a674aa86f8efe46f3553f8d81e5328 /app/controllers/sessions/controller.go
parent: 3b942be3d49830b80689a5c7b9f0fda4b3deb44b (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/app/controllers/sessions/controller.go b/app/controllers/sessions/controller.go
index 7e706e7..7549dc7 100644
--- a/app/controllers/sessions/controller.go
+++ b/app/controllers/sessions/controller.go
@@ -3,9 +3,11 @@ package sessions
 import (
 	"context"
 	"net/http"
+	"time"
 
 	"github.com/xlgmokha/x/pkg/log"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/oidc"
+	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/web/cookie"
 	"golang.org/x/oauth2"
 )
@@ -29,8 +31,9 @@ func (c *Controller) MountTo(mux *http.ServeMux) {
 }
 
 func (c *Controller) New(w http.ResponseWriter, r *http.Request) {
-	// TODO:: Generate and store nonce and use as state param to compare as a CSRF token
-	url := c.cfg.Config.AuthCodeURL("todo-csrf-token", oauth2.SetAuthURLParam("audience", "todo"))
+	nonce := pls.GenerateNonce(32)
+	url := c.cfg.Config.AuthCodeURL(nonce, oauth2.SetAuthURLParam("audience", c.cfg.Config.ClientID))
+	http.SetCookie(w, cookie.New("oauth_state", nonce, time.Now().Add(10*time.Minute)))
 	http.Redirect(w, r, url, http.StatusFound)
 }
author	mo khan <mo@mokhan.ca>	2025-04-28 16:23:19 -0600
committer	mo khan <mo@mokhan.ca>	2025-04-28 16:23:19 -0600
commit	62fdf88cbdec6dbf248bea13611521667112f5e1 (patch)
tree	2632236a73a674aa86f8efe46f3553f8d81e5328 /app/controllers/sessions/controller.go
parent	3b942be3d49830b80689a5c7b9f0fda4b3deb44b (diff)