chore: address review comments

Author: nsklikas

.schema/config.schema.json

@@ -1181,7 +1181,7 @@
                 }
               ],
               "default": "5s",
-              "description": "configure how often a non-interactive device should poll the device token endpoint",
+              "description": "Configures how often a non-interactive device should poll the device token endpoint, this is a purely informational configuration and does not enforce rate-limiting.",
               "examples": ["5s", "15s", "1m"]
             },
             "user_code_entropy": {

consent/handler_test.go

@@ -108,7 +108,7 @@ func TestGetLoginRequest(t *testing.T) {
 			if tc.exists {
 				cl := &client.Client{ID: "client" + key}
 				require.NoError(t, reg.ClientManager().CreateClient(context.Background(), cl))
-				f, err := reg.ConsentManager().CreateLoginRequest(context.Background(), nil, &flow.LoginRequest{
+				f, err := reg.ConsentManager().CreateLoginRequest(context.Background(), &flow.LoginRequest{
 					Client:      cl,
 					ID:          challenge,
 					RequestURL:  requestURL,
@@ -180,7 +180,7 @@ func TestGetConsentRequest(t *testing.T) {
 					RequestURL:  requestURL,
 					RequestedAt: time.Now(),
 				}
-				f, err := reg.ConsentManager().CreateLoginRequest(ctx, nil, lr)
+				f, err := reg.ConsentManager().CreateLoginRequest(ctx, lr)
 				require.NoError(t, err)
 				challenge, err = f.ToLoginChallenge(ctx, reg)
 				require.NoError(t, err)
@@ -247,7 +247,7 @@ func TestGetLoginRequestWithDuplicateAccept(t *testing.T) {
 
 		cl := &client.Client{ID: "client"}
 		require.NoError(t, reg.ClientManager().CreateClient(ctx, cl))
-		f, err := reg.ConsentManager().CreateLoginRequest(ctx, nil, &flow.LoginRequest{
+		f, err := reg.ConsentManager().CreateLoginRequest(ctx, &flow.LoginRequest{
 			Client:      cl,
 			ID:          challenge,
 			RequestURL:  requestURL,

consent/manager.go

@@ -45,7 +45,8 @@ type (
 		RevokeSubjectLoginSession(ctx context.Context, user string) error
 		ConfirmLoginSession(ctx context.Context, loginSession *flow.LoginSession) error
 
-		CreateLoginRequest(ctx context.Context, f *flow.Flow, req *flow.LoginRequest) (*flow.Flow, error)
+		CreateLoginRequest(ctx context.Context, req *flow.LoginRequest) (*flow.Flow, error)
+		CreateLoginRequestFromDeviceRequest(ctx context.Context, f *flow.Flow, req *flow.LoginRequest) (*flow.Flow, error)
 		GetLoginRequest(ctx context.Context, challenge string) (*flow.LoginRequest, error)
 		HandleLoginRequest(ctx context.Context, f *flow.Flow, challenge string, r *flow.HandledLoginRequest) (*flow.LoginRequest, error)
 		VerifyAndInvalidateLoginRequest(ctx context.Context, verifier string) (*flow.HandledLoginRequest, error)

consent/strategy_default.go

@@ -279,11 +279,12 @@ func (s *DefaultStrategy) forwardAuthenticationRequest(
 			LoginHint:         ar.GetRequestForm().Get("login_hint"),
 		},
 	}
-	f, err := s.r.ConsentManager().CreateLoginRequest(
-		ctx,
-		f,
-		loginRequest,
-	)
+	var err error
+	if f == nil {
+		f, err = s.r.ConsentManager().CreateLoginRequest(ctx, loginRequest)
+	} else {
+		f, err = s.r.ConsentManager().CreateLoginRequestFromDeviceRequest(ctx, f, loginRequest)
+	}
 	if err != nil {
 		return errorsx.WithStack(err)
 	}
@@ -1293,7 +1294,12 @@ func (s *DefaultStrategy) forwardDeviceRequest(ctx context.Context, w http.Respo
 
 	// Generate the request URL
 	iu := s.getDeviceVerificationPath(ctx)
-	iu.RawQuery = r.URL.RawQuery
+	// We don't want the user_code persisted in the database
+	q := r.URL.Query()
+	if q.Has("user_code") {
+		q.Set("user_code", "****")
+	}
+	iu.RawQuery = q.Encode()
 
 	f, err := s.r.ConsentManager().CreateDeviceUserAuthRequest(
 		r.Context(),

consent/test/manager_test_helpers.go

@@ -301,7 +301,7 @@ func SaneMockAuthRequest(t *testing.T, m consent.Manager, ls *flow.LoginSession,
 		ID:       uuid.New().String(),
 		Verifier: uuid.New().String(),
 	}
-	_, err := m.CreateLoginRequest(context.Background(), nil, c)
+	_, err := m.CreateLoginRequest(context.Background(), c)
 	require.NoError(t, err)
 	return c
 }
@@ -346,9 +346,9 @@ func TestHelperNID(r interface {
 		require.Error(t, t2InvalidNID.CreateLoginSession(ctx, &testLS))
 		require.NoError(t, t1ValidNID.CreateLoginSession(ctx, &testLS))
 
-		_, err := t2InvalidNID.CreateLoginRequest(ctx, nil, &testLR)
+		_, err := t2InvalidNID.CreateLoginRequest(ctx, &testLR)
 		require.Error(t, err)
-		f, err := t1ValidNID.CreateLoginRequest(ctx, nil, &testLR)
+		f, err := t1ValidNID.CreateLoginRequest(ctx, &testLR)
 		require.NoError(t, err)
 
 		testLR.ID = x.Must(f.ToLoginChallenge(ctx, r))
@@ -406,7 +406,7 @@ func ManagerTests(deps Deps, m consent.Manager, clientManager client.Manager, fo
 					RequestedAt:     time.Now(),
 				}
 
-				_, err := m.CreateLoginRequest(ctx, nil, lr[k])
+				_, err := m.CreateLoginRequest(ctx, lr[k])
 				require.NoError(t, err)
 			}
 		})
@@ -581,7 +581,7 @@ func ManagerTests(deps Deps, m consent.Manager, clientManager client.Manager, fo
 					_, err := m.GetLoginRequest(ctx, loginChallenge)
 					require.Error(t, err)
 
-					f, err = m.CreateLoginRequest(ctx, nil, c)
+					f, err = m.CreateLoginRequest(ctx, c)
 					require.NoError(t, err)
 
 					loginChallenge = x.Must(f.ToLoginChallenge(ctx, deps))
@@ -852,9 +852,9 @@ func ManagerTests(deps Deps, m consent.Manager, clientManager client.Manager, fo
 		})
 
 		t.Run("case=list-used-consent-requests", func(t *testing.T) {
-			f1, err := m.CreateLoginRequest(ctx, nil, lr["rv1"])
+			f1, err := m.CreateLoginRequest(ctx, lr["rv1"])
 			require.NoError(t, err)
-			f2, err := m.CreateLoginRequest(ctx, nil, lr["rv2"])
+			f2, err := m.CreateLoginRequest(ctx, lr["rv2"])
 			require.NoError(t, err)
 
 			cr1, hcr1, _ := MockConsentRequest("rv1", true, 0, false, false, false, "fk-login-challenge", network)
@@ -1174,7 +1174,7 @@ func ManagerTests(deps Deps, m consent.Manager, clientManager client.Manager, fo
 				SessionID:       sqlxx.NullString(s.ID),
 			}
 
-			f, err := m.CreateLoginRequest(ctx, nil, lr)
+			f, err := m.CreateLoginRequest(ctx, lr)
 			require.NoError(t, err)
 			expected := &flow.OAuth2ConsentRequest{
 				ID:                   uuid.NewString(),

flow/flow.go

@@ -230,8 +230,6 @@ type Flow struct {
 	DeviceVerifier sqlxx.NullString `db:"device_verifier" json:"dv,omitempty"`
 	// DeviceVerifier is the device request's CSRF
 	DeviceCSRF sqlxx.NullString `db:"device_csrf" json:"dc,omitempty"`
-	// DeviceUserCodeAcceptedAt is the time when device user_code was accepted
-	DeviceUserCodeAcceptedAt sqlxx.NullTime `db:"device_user_code_accepted_at" json:"da,omitempty"`
 	// DeviceWasUsed set to true means that the device request was already handled
 	DeviceWasUsed sqlxx.NullBool `db:"device_was_used" json:"du,omitempty"`
 	// DeviceHandledAt contains the timestamp the device user_code verification request was handled

internal/testhelpers/janitor_test_helper.go

@@ -192,7 +192,7 @@ func (j *JanitorConsentTestHelper) LoginRejectionSetup(ctx context.Context, reg
 		// Create login requests
 		for _, r := range j.flushLoginRequests {
 			require.NoError(t, cl.CreateClient(ctx, r.Client))
-			f, err := cm.CreateLoginRequest(ctx, nil, r)
+			f, err := cm.CreateLoginRequest(ctx, r)
 			require.NoError(t, err)
 
 			f.RequestedAt = time.Now() // we won't handle expired flows
@@ -246,7 +246,7 @@ func (j *JanitorConsentTestHelper) LimitSetup(ctx context.Context, reg interface
 		// Create login requests
 		for _, r := range j.flushLoginRequests {
 			require.NoError(t, cl.CreateClient(ctx, r.Client))
-			f, err = cm.CreateLoginRequest(ctx, nil, r)
+			f, err = cm.CreateLoginRequest(ctx, r)
 			require.NoError(t, err)
 
 			// Reject each request
@@ -290,7 +290,7 @@ func (j *JanitorConsentTestHelper) ConsentRejectionSetup(ctx context.Context, re
 		// Create login requests
 		for i, loginRequest := range j.flushLoginRequests {
 			require.NoError(t, cl.CreateClient(ctx, loginRequest.Client))
-			f, err = cm.CreateLoginRequest(ctx, nil, loginRequest)
+			f, err = cm.CreateLoginRequest(ctx, loginRequest)
 			require.NoError(t, err)
 
 			// Create consent requests
@@ -345,7 +345,7 @@ func (j *JanitorConsentTestHelper) LoginTimeoutSetup(ctx context.Context, reg in
 		// Create login requests
 		for i, loginRequest := range j.flushLoginRequests {
 			require.NoError(t, cl.CreateClient(ctx, loginRequest.Client))
-			f, err = cm.CreateLoginRequest(ctx, nil, loginRequest)
+			f, err = cm.CreateLoginRequest(ctx, loginRequest)
 			require.NoError(t, err)
 
 			if i == 0 {
@@ -386,7 +386,7 @@ func (j *JanitorConsentTestHelper) ConsentTimeoutSetup(ctx context.Context, reg
 		// Let's reset and accept all login requests to test the consent requests
 		for i, loginRequest := range j.flushLoginRequests {
 			require.NoError(t, cl.CreateClient(ctx, loginRequest.Client))
-			f, err := cm.CreateLoginRequest(ctx, nil, loginRequest)
+			f, err := cm.CreateLoginRequest(ctx, loginRequest)
 			require.NoError(t, err)
 			f.RequestedAt = time.Now() // we won't handle expired flows
 			challenge := x.Must(f.ToLoginChallenge(ctx, reg))
@@ -438,7 +438,7 @@ func (j *JanitorConsentTestHelper) LoginConsentNotAfterSetup(ctx context.Context
 		)
 		for _, r := range j.flushLoginRequests {
 			require.NoError(t, cl.CreateClient(ctx, r.Client))
-			f, err = cm.CreateLoginRequest(ctx, nil, r)
+			f, err = cm.CreateLoginRequest(ctx, r)
 			require.NoError(t, err)
 		}
 
@@ -470,7 +470,7 @@ func (j *JanitorConsentTestHelper) LoginConsentNotAfterValidate(
 			t.Logf("login flush check:\nNotAfter: %s\nLoginRequest: %s\nis expired: %v\n%+v\n",
 				notAfter.String(), consentRequestLifespan.String(), isExpired, r)
 
-			f = x.Must(reg.ConsentManager().CreateLoginRequest(ctx, nil, r))
+			f = x.Must(reg.ConsentManager().CreateLoginRequest(ctx, r))
 			loginChallenge := x.Must(f.ToLoginChallenge(ctx, reg))
 
 			_, err = reg.ConsentManager().GetLoginRequest(ctx, loginChallenge)

oauth2/fosite_store_helpers_test.go

@@ -126,7 +126,7 @@ func mockRequestForeignKey(t *testing.T, id string, x oauth2.InternalRegistry) {
 	}
 
 	f, err := x.ConsentManager().CreateLoginRequest(
-		ctx, nil, &flow.LoginRequest{
+		ctx, &flow.LoginRequest{
 			Client:               cl,
 			OpenIDConnectContext: new(flow.OAuth2ConsentRequestOpenIDConnectContext),
 			ID:                   id,

oauth2/handler.go

@@ -47,15 +47,16 @@ import (
 )
 
 const (
-	DefaultLoginPath      = "/oauth2/fallbacks/login"
-	DefaultConsentPath    = "/oauth2/fallbacks/consent"
-	DefaultPostLogoutPath = "/oauth2/fallbacks/logout/callback"
-	DefaultPostDevicePath = "/oauth2/fallbacks/device/done"
-	DefaultLogoutPath     = "/oauth2/fallbacks/logout"
-	DefaultErrorPath      = "/oauth2/fallbacks/error"
-	TokenPath             = "/oauth2/token" // #nosec G101
-	AuthPath              = "/oauth2/auth"
-	LogoutPath            = "/oauth2/sessions/logout"
+	DefaultLoginPath              = "/oauth2/fallbacks/login"
+	DefaultConsentPath            = "/oauth2/fallbacks/consent"
+	DefaultPostLogoutPath         = "/oauth2/fallbacks/logout/callback"
+	DefaultDeviceVerificationPath = "/oauth2/fallbacks/device"
+	DefaultPostDevicePath         = "/oauth2/fallbacks/device/done"
+	DefaultLogoutPath             = "/oauth2/fallbacks/logout"
+	DefaultErrorPath              = "/oauth2/fallbacks/error"
+	TokenPath                     = "/oauth2/token" // #nosec G101
+	AuthPath                      = "/oauth2/auth"
+	LogoutPath                    = "/oauth2/sessions/logout"
 
 	VerifiableCredentialsPath = "/credentials"
 	UserinfoPath              = "/userinfo"
@@ -111,6 +112,7 @@ func (h *Handler) SetRoutes(admin *httprouterx.RouterAdmin, public *httprouterx.
 		http.StatusOK,
 		config.KeyLogoutRedirectURL,
 	))
+	public.GET(DefaultDeviceVerificationPath, h.fallbackHandler("", "", http.StatusOK, config.KeyDeviceVerificationURL))
 	public.GET(DefaultPostDevicePath, h.fallbackHandler(
 		"You successfully authenticated on your device!",
 		"The Default Post Device URL is not set which is why you are seeing this fallback page. Your device login request however succeeded.",

oauth2/oauth2_device_code_test.go

@@ -323,7 +323,6 @@ func TestDeviceCodeWithDefaultStrategy(t *testing.T) {
 			assert.EqualValues(t, c.LogoURI, pointerx.Deref(rr.Client.LogoUri))
 			assert.EqualValues(t, subject, pointerx.Deref(rr.Subject))
 			assert.EqualValues(t, scopes, rr.RequestedScope)
-			assert.EqualValues(t, r.URL.Query().Get("consent_challenge"), rr.Challenge)
 			assert.Contains(t, *rr.RequestUrl, hydraoauth2.DeviceVerificationPath)
 			if checkRequestPayload != nil {
 				checkRequestPayload(rr)