Merge pull request #1678 from dedis/work-be1-nazianze-popcha-nonce-jwt

nonce format fixed for JWT and internal server address changed
dedis · Jun 21, 2023 · 308b636 · 308b636
2 parents f594af4 + 55fabb6
commit 308b636
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 10 deletions.
diff --git a/be1-go/channel/authentication/mod.go b/be1-go/channel/authentication/mod.go
@@ -182,8 +182,12 @@ func (c *Channel) auhenticateUser(msg message.Message, msgData interface{},
 	if !c.latestRollCallMembers.isPresent(msg.Sender) {
 		return xerrors.Errorf("Error while validating the authentication message: pop token is not part of the latest roll call")
 	}
+	nonce, err := base64.URLEncoding.DecodeString(data.Nonce)
+	if err != nil {
+		return xerrors.Errorf("Nonce should be base64 encoded")
+	}
 
-	encodedClientParams, err := constructRedirectURIParams(c, data)
+	encodedClientParams, err := constructRedirectURIParams(c, data, string(nonce))
 	if err != nil {
 		return xerrors.Errorf("Error while constructing the redirect URI parameters: %v", err)
 	}
@@ -192,10 +196,6 @@ func (c *Channel) auhenticateUser(msg message.Message, msgData interface{},
 
 	laoID := strings.TrimPrefix(c.channelID, "/root/")
 
-	nonce, err := base64.URLEncoding.DecodeString(data.Nonce)
-	if err != nil {
-		return xerrors.Errorf("Nonce should be base64 encoded")
-	}
 	popChaPath := strings.Join([]string{"/response", laoID, data.ClientID, string(nonce)}, "/")
 
 	popchaAddress := data.PopchaAddress
@@ -259,7 +259,7 @@ func loadRSAKeys(privateKeyPath string, publicKeyPath string) (*rsa.PrivateKey,
 }
 
 // constructRedirectURIParams computes the redirect URI given the authentication message
-func constructRedirectURIParams(c *Channel, data *messagedata.AuthenticateUser) (string, error) {
+func constructRedirectURIParams(c *Channel, data *messagedata.AuthenticateUser, nonceDec string) (string, error) {
 
 	c.log.Info().Msg("Constructing the URI Parameters")
 
@@ -275,7 +275,7 @@ func constructRedirectURIParams(c *Channel, data *messagedata.AuthenticateUser)
 	c.addPPIDEntry(identifier(data.Identifier), identifier(ppid))
 
 	c.log.Info().Msg("Signing the JWT Token")
-	idTokenString, err := createJWTString(data.PopchaAddress, ppid, data.ClientID, data.Nonce, sk)
+	idTokenString, err := createJWTString(data.PopchaAddress, ppid, data.ClientID, nonceDec, sk)
 	if err != nil {
 		c.log.Err(err).Msg("Error while creating the JWT token")
 		return "", xerrors.Errorf("Error while creating JWT token: %v", err)

diff --git a/be1-go/channel/authentication/mod_test.go b/be1-go/channel/authentication/mod_test.go
@@ -89,7 +89,7 @@ func TestURIParamsConstruction(t *testing.T) {
 	}
 	// creating a fake channel, we will not use it in this test
 	c := NewChannel("", nil, zerolog.New(io.Discard), secPathTest, pubPathtest)
-	_, err := constructRedirectURIParams(c, authMsg)
+	_, err := constructRedirectURIParams(c, authMsg, authMsg.Nonce)
 	require.NoError(t, err)
 }
 

diff --git a/be1-go/cli/mod.go b/be1-go/cli/mod.go
@@ -107,8 +107,9 @@ func Serve(cliCtx *cli.Context) error {
 		log.With().Str("role", "server websocket").Logger())
 	serverSrv.Start()
 
-	// Start the PoPCHA Authorization Server
-	authorizationSrv := popcha.NewAuthServer(h, serverConfig.AuthAddress, serverConfig.AuthPort, popchaHTMLPath,
+	// Start the PoPCHA Authorization Server. It will run internally on localhost, the address of the server given in
+	// the config file will be the one used externally.
+	authorizationSrv := popcha.NewAuthServer(h, "localhost", serverConfig.AuthPort, popchaHTMLPath,
 		log.With().Str("role", "authorization server").Logger())
 	authorizationSrv.Start()
 	<-authorizationSrv.Started