From 6a08afbf52a5f1f0965d086072b928b71cf6cb7b Mon Sep 17 00:00:00 2001
From: grngxd <36968271+grngxd@users.noreply.github.com>
Date: Wed, 30 Jul 2025 11:12:22 +0100
Subject: [PATCH] add state validation to oauth flow

---
 internal/api/routes/auth.go | 68 +++++++++++++++++++++++++++----------
 1 file changed, 51 insertions(+), 17 deletions(-)

diff --git a/internal/api/routes/auth.go b/internal/api/routes/auth.go
index 2c98b6c..4ed3f2c 100644
--- a/internal/api/routes/auth.go
+++ b/internal/api/routes/auth.go
@@ -1,26 +1,28 @@
 /*
 	Copyright (C) 2025  hexlocation (hex@iwakura.rip) & grngxd (grng@iwakura.rip)
 
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
 
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU General Public License for more details.
 
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+	You should have received a copy of the GNU General Public License
+	along with this program.  If not, see <https://www.gnu.org/licenses/>.
 */
 
 package routes
 
 import (
-	"errors"
+	"crypto/rand"
+	"encoding/base64"
 	"fmt"
 	"net/http"
+	"net/url"
 	"time"
 
 	"github.com/gin-gonic/gin"
@@ -31,30 +33,62 @@ import (
 	"stereo.cat/backend/internal/types"
 )
 
+func generateState(length int) (string, error) {
+	b := make([]byte, length)
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", err
+	}
+	return base64.URLEncoding.EncodeToString(b), nil
+}
+
 func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
+	api.GET("/auth/login", func(c *gin.Context) {
+		state, err := generateState(32)
+		if err != nil {
+			c.AbortWithStatus(http.StatusInternalServerError)
+			return
+		}
+
+		c.SetCookie("oauth_state", state, 300, "", cfg.Domain, true, true)
+
+		discordURL := fmt.Sprintf(
+			"https://discord.com/oauth2/authorize?client_id=%s&response_type=code&redirect_uri=%s&scope=identify%%20email&state=%s",
+			cfg.Client.ClientId,
+			url.QueryEscape(cfg.Client.RedirectUri),
+			state,
+		)
+
+		c.Redirect(http.StatusTemporaryRedirect, discordURL)
+	})
+
 	api.GET("/auth/callback", func(c *gin.Context) {
 		code := c.Query("code")
+		state := c.Query("state")
+
+		cookieState, err := c.Cookie("oauth_state")
+		if err != nil || state != cookieState {
+			c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"error": "Invalid state"})
+			return
+		}
+		c.SetCookie("oauth_state", "", -1, "", cfg.Domain, true, true)
 
 		t, err := cfg.Client.ExchangeCode(code)
-
 		if err != nil {
 			panic(err)
 		}
 
 		user, err := cfg.Client.GetUser(t)
-
 		if err != nil {
 			panic(err)
 		}
 
 		jwt, err := session.GenerateSessionJWT(cfg.JWTSecret, user, uint64(time.Now().Add(time.Second*time.Duration(t.ExpiresIn)).Unix()))
-
 		if err != nil {
 			panic(err)
 		}
 
 		res := cfg.Database.FirstOrCreate(&user)
-
 		if res.Error != nil {
 			panic(res.Error)
 		}
@@ -66,7 +100,7 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
 		})
 		*/
 		c.SetCookie("jwt", jwt, int(t.ExpiresIn), "", cfg.Domain, true, true)
-		c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri+"?jwt_set=true")
+		c.Redirect(http.StatusTemporaryRedirect, cfg.FrontendUri+"/dashboard?jwt_set=true")
 	})
 
 	api.GET("/auth/me", session.SessionMiddleware(cfg.JWTSecret), func(c *gin.Context) {
@@ -80,7 +114,7 @@ func RegisterAuthRoutes(cfg *types.StereoConfig, api *gin.RouterGroup) {
 
 		user, ok := claims["user"].(auth.User)
 		if !ok {
-			types.ErrorUserNotFound.Throw(c, errors.New(fmt.Sprintf("got data with type %T but wanted claims.User", claims["user"])))
+			types.ErrorUserNotFound.Throw(c, fmt.Errorf("got data with type %T but wanted claims.User", claims["user"]))
 			return
 		}