Add code verifier to direct post requests

apps/boruta_admin/lib/boruta_admin_web/controllers/configuration_controller.ex

@@ -62,8 +62,7 @@ defmodule BorutaAdminWeb.ConfigurationController do
         "{{PREAUTHORIZED_CODE_REDIRECT_URI}}",
         issuer() <>
           # credo:disable-for-next-line
-          BorutaIdentityWeb.Router.Helpers.wallet_path(BorutaIdentityWeb.Endpoint, :index) <>
-          "/preauthorized-code"
+          BorutaIdentityWeb.Router.Helpers.wallet_path(BorutaIdentityWeb.Endpoint, :index, ["preauthorized-code"])
       )
 
     content =
@@ -72,8 +71,7 @@ defmodule BorutaAdminWeb.ConfigurationController do
         "{{PRESENTATION_REDIRECT_URI}}",
         issuer() <>
           # credo:disable-for-next-line
-          BorutaIdentityWeb.Router.Helpers.wallet_path(BorutaIdentityWeb.Endpoint, :index) <>
-          "/verifiable-presentation"
+          BorutaIdentityWeb.Router.Helpers.wallet_path(BorutaIdentityWeb.Endpoint, :index, ["verifiable-presentation"])
       )
 
     configurations = [

apps/boruta_admin/lib/boruta_admin_web/templates/page/admin.html.eex

@@ -12,7 +12,7 @@
         BORUTA_ADMIN_OAUTH_CLIENT_ID: '<%= System.get_env("BORUTA_ADMIN_OAUTH_CLIENT_ID", "6a2f41a3-c54c-fce8-32d2-0324e1c32e20") %>',
         BORUTA_ADMIN_OAUTH_BASE_URL: '<%= System.get_env("BORUTA_ADMIN_OAUTH_BASE_URL", "http://localhost:4000") %>',
         BORUTA_ADMIN_BASE_URL: '<%= System.get_env("BORUTA_ADMIN_BASE_URL", "http://localhost:4001") %>',
-        BORUTA_OAUTH_BASE_URL: '<%= System.get_env("BORUTA_OAUTH_BASE_URL", "http://localhost:4000") %>',
+        BORUTA_OAUTH_BASE_URL: '<%= System.get_env("BORUTA_OAUTH_BASE_URL", "http://localhost:4000") %>'
       }
     </script>
     <link rel="stylesheet" type="text/css" href="<%= Routes.static_path(@conn, "/assets/boruta-admin.css") %>" media="all"/>

apps/boruta_auth/mix.exs

@@ -24,7 +24,7 @@ defmodule BorutaAuth.MixProject do
 
   defp deps do
     [
-      {:boruta, git: "https://github.com/malach-it/boruta_auth"},
+      {:boruta, git: "https://github.com/malach-it/boruta_auth", branch: "direct-post-code-verifier"},
       {:logger_file_backend, "~> 0.0.13"},
       {:quantum, "~> 3.0"}
     ]

apps/boruta_identity/assets/wallet/src/views/VerifiablePresentationsView.vue

@@ -35,6 +35,7 @@
       <Credentials :credentials="credentials" delete-label="Unselect" @deleteCredential="deleteCredential" />
       <div class="ui segment">
         <form :action="redirect_uri" method="POST">
+          <input type="hidden" name="code_verifier" :value="codeVerifier" />
           <input type="hidden" name="vp_token" :value="vp_token" />
           <input type="hidden" name="presentation_submission" :value="presentation_submission" />
           <button class="ui violet large fluid button" type="submit">Present your credential to {{ host }}</button>
@@ -75,7 +76,8 @@ export default defineComponent({
       redirect_uri: null,
       vp_token: null,
       presentation_submission: null,
-      keyConsentEventKey: null
+      keyConsentEventKey: null,
+      codeVerifier: window.env.BORUTA_WALLET_CODE_VERIFIER
     }
   },
   async mounted () {
@@ -114,8 +116,6 @@ export default defineComponent({
       }
     })
   },
-  computed: {
-  },
   methods: {
     deleteCredential (credential) {
       this.credentials.splice(this.credentials.indexOf(credential), 1)

apps/boruta_identity/lib/boruta_identity/accounts/schemas/user.ex

@@ -33,6 +33,7 @@ defmodule BorutaIdentity.Accounts.User do
           federated_metadata: map(),
           totp_secret: String.t() | nil,
           webauthn_challenge: String.t() | nil,
+          code_verifier: String.t(),
           confirmed_at: DateTime.t() | nil,
           authorized_scopes: Ecto.Association.NotLoaded.t() | list(UserAuthorizedScope.t()),
           consents: Ecto.Association.NotLoaded.t() | list(Consent.t()),
@@ -79,6 +80,7 @@ defmodule BorutaIdentity.Accounts.User do
     field(:webauthn_public_key, CoseKey)
     field(:webauthn_registered_at, :utc_datetime_usec)
     field(:account_type, :string)
+    field(:code_verifier, :string)
 
     has_many(:authorized_scopes, UserAuthorizedScope)
     has_many(:roles, UserRole)

apps/boruta_identity/lib/boruta_identity_web/concerns/authenticable.ex

@@ -3,6 +3,7 @@ defmodule BorutaIdentityWeb.Authenticable do
 
   use BorutaIdentityWeb, :controller
 
+  alias Boruta.ClientsAdapter
   alias Boruta.Oauth
   alias BorutaIdentity.Accounts
 
@@ -61,6 +62,27 @@ defmodule BorutaIdentityWeb.Authenticable do
     Routes.user_session_path(conn, :new, query_params)
   end
 
+  @spec public_client_request_param(conn :: Plug.Conn.t()) :: request_param :: String.t()
+  def public_client_request_param(conn) do
+    client = ClientsAdapter.public!()
+
+    user_return_to =
+      current_path(conn)
+      |> String.replace(~r/prompt=(login|none)/, "")
+      |> String.replace(~r/max_age=(\d+)/, "")
+
+    {:ok, jwt, _payload} =
+      Joken.encode_and_sign(
+        %{
+          "client_id" => client.id,
+          "user_return_to" => user_return_to
+        },
+        BorutaIdentityWeb.Token.application_signer()
+      )
+
+    jwt
+  end
+
   @spec request_param(conn :: Plug.Conn.t()) :: request_param :: String.t()
   def request_param(conn) do
     case Oauth.Request.authorize_request(conn, %Oauth.ResourceOwner{sub: ""}) do

apps/boruta_identity/lib/boruta_identity_web/controllers/wallet_controller.ex

@@ -2,8 +2,10 @@ defmodule BorutaIdentityWeb.WalletController do
   use BorutaIdentityWeb, :controller
 
   def index(conn, _params) do
+    current_user = conn.assigns[:current_user]
+
     conn
     |> put_layout(false)
-    |> render("index.html")
+    |> render("index.html", code_verifier: current_user.code_verifier)
   end
 end

apps/boruta_identity/lib/boruta_identity_web/plugs/sessions.ex

@@ -3,7 +3,11 @@ defmodule BorutaIdentityWeb.Sessions do
 
   use BorutaIdentityWeb, :controller
 
-  import BorutaIdentityWeb.Authenticable, only: [remember_me_cookie: 0, after_sign_in_path: 1]
+  import BorutaIdentityWeb.Authenticable, only: [
+    remember_me_cookie: 0,
+    after_sign_in_path: 1,
+    public_client_request_param: 1
+  ]
 
   alias BorutaIdentity.Accounts
 
@@ -63,4 +67,18 @@ defmodule BorutaIdentityWeb.Sessions do
       |> halt()
     end
   end
+
+  @spec redirect_to_public_if_not_authenticated(conn :: Plug.Conn.t(), list()) :: conn :: Plug.Conn.t()
+  def redirect_to_public_if_not_authenticated(conn, _opts) do
+    if conn.assigns[:current_user] do
+      conn
+    else
+      conn
+      |> put_flash(:error, "You must log in to access this page.")
+      |> redirect(
+        to: Routes.user_session_path(conn, :new, %{request: public_client_request_param(conn)})
+      )
+      |> halt()
+    end
+  end
 end

apps/boruta_identity/lib/boruta_identity_web/router.ex

@@ -6,7 +6,8 @@ defmodule BorutaIdentityWeb.Router do
     only: [
       fetch_current_user: 2,
       redirect_if_user_is_authenticated: 2,
-      require_authenticated_user: 2
+      require_authenticated_user: 2,
+      redirect_to_public_if_not_authenticated: 2
     ]
   require Logger
 
@@ -75,11 +76,10 @@ defmodule BorutaIdentityWeb.Router do
     get("/users/confirm/:token", UserConfirmationController, :confirm)
     get("/users/reset_password/:token", UserResetPasswordController, :edit)
     put("/users/reset_password/:token", UserResetPasswordController, :update)
-    get("/wallet", WalletController, :index)
   end
 
   scope "/wallet", BorutaIdentityWeb do
-    pipe_through(:browser)
+    pipe_through([:browser, :redirect_to_public_if_not_authenticated])
 
     match(:get, "/*path", WalletController, :index)
   end

apps/boruta_identity/lib/boruta_identity_web/templates/wallet/index.html.eex

@@ -12,6 +12,7 @@
         BORUTA_ADMIN_OAUTH_BASE_URL: '<%= System.get_env("BORUTA_ADMIN_OAUTH_BASE_URL", "http://localhost:4000") %>',
         BORUTA_ADMIN_BASE_URL: '<%= System.get_env("BORUTA_ADMIN_BASE_URL", "http://localhost:4001") %>',
         BORUTA_OAUTH_BASE_URL: '<%= System.get_env("BORUTA_OAUTH_BASE_URL", "http://localhost:4000") %>',
+        BORUTA_WALLET_CODE_VERIFIER: '<%= @code_verifier %>'
       }
     </script>
     <link rel="manifest" type="text/css" href="<%= Routes.static_path(@conn, "/wallet/manifest.webmanifest") %>" media="all"/>

apps/boruta_identity/priv/repo/migrations/20250405213511_add_code_verifier_to_users.exs

@@ -0,0 +1,9 @@
+defmodule BorutaIdentity.Repo.Migrations.AddCodeVerifierToUsers do
+  use Ecto.Migration
+
+  def change do
+    alter table(:users) do
+      add :code_verifier, :string, null: false, default: fragment("gen_random_uuid()")
+    end
+  end
+end

apps/boruta_identity/test/boruta_identity/admin_test.exs

@@ -55,15 +55,15 @@ defmodule BorutaIdentity.AdminTest do
     end
 
     test "returns paginated users" do
-      user = insert(:user) |> Repo.preload([:authorized_scopes, :roles, :organizations])
+      insert(:user) |> Repo.preload([:authorized_scopes, :roles, :organizations])
 
-      assert Admin.list_users() == %Scrivener.Page{
-               entries: [user],
+      assert %Scrivener.Page{
+               entries: [_user],
                page_number: 1,
                page_size: 12,
                total_entries: 1,
                total_pages: 1
-             }
+             } = Admin.list_users()
     end
   end
 
@@ -79,19 +79,19 @@ defmodule BorutaIdentity.AdminTest do
     end
 
     test "returns user search" do
-      _other = insert(:user) |> Repo.preload(:authorized_scopes)
+      insert(:user) |> Repo.preload(:authorized_scopes)
 
-      user =
-        insert(:user, username: "match")
-        |> Repo.preload([:authorized_scopes, :roles, :organizations])
+      insert(:user, username: "match")
+      |> Repo.reload()
+      |> Repo.preload([:authorized_scopes, :roles, :organizations])
 
-      assert Admin.search_users("match") == %Scrivener.Page{
-               entries: [user],
+      assert %Scrivener.Page{
+               entries: [_user],
                page_number: 1,
                page_size: 12,
                total_entries: 1,
                total_pages: 1
-             }
+             } = Admin.search_users("match")
     end
   end
 
@@ -201,6 +201,7 @@ defmodule BorutaIdentity.AdminTest do
       }
 
       assert Enum.empty?(Repo.all(Internal.User))
+
       assert_raise Ecto.InvalidChangesetError, fn ->
         Admin.create_user(backend, params) == {:error, %Ecto.Changeset{}}
       end

apps/boruta_web/lib/boruta_web/controllers/oauth/authorize_controller.ex

@@ -658,6 +658,7 @@ defmodule BorutaWeb.Oauth.AuthorizeController do
     %ResourceOwner{
       sub: current_user.id || anonymous_sub,
       username: current_user.username,
+      code_verifier: current_user.code_verifier,
       last_login_at: current_user.last_login_at,
       extra_claims:
         Map.merge(ResourceOwners.metadata(current_user, scope), current_user.federated_metadata),

apps/boruta_web/lib/boruta_web/controllers/oauth/token_controller.ex

@@ -59,7 +59,8 @@ defmodule BorutaWeb.Oauth.TokenController do
 
   def direct_post(conn, %{"code_id" => code_id} = params) do
     direct_post_params = %{
-      code_id: code_id
+      code_id: code_id,
+      code_verifier: params["code_verifier"]
     }
 
     direct_post_params =