malach-it · patatoid · Apr 12, 2025 · Apr 19, 2025
diff --git a/apps/boruta_admin/assets/src/views/Home.vue b/apps/boruta_admin/assets/src/views/Home.vue
@@ -69,7 +69,16 @@
           </div>
           <div class="ui segment">
             <h3>Verifiable credential presentation</h3>
-            <a class="ui fluid blue button" target="_blank" :href="presentationUrl">Trigger example presentation with associated boruta wallet (issue example credential first)</a>
+            <form :action="presentationUrl" method="POST">
+              <input type="hidden" name="_csrf_token" :value="csrf_token" />
+              <input type="hidden" name="client_id" value="00000000-0000-0000-0000-000000000001" />
+              <input type="hidden" name="redirect_uri" :value="presentationRedirectUri" />
+              <input type="hidden" name="scope" value="BorutaCredentialJwtVc" />
+              <input type="hidden" name="response_type" value="vp_token" />
+              <input type="hidden" name="client_metadata" value="{}" />
+              <input type="hidden" name="prompt" value="login" />
+              <button class="ui fluid blue button" type="submit">Trigger example presentation with associated boruta wallet (issue example credential first)</button>
+            </form>
           </div>
         </div>
       </div>
@@ -81,13 +90,19 @@
 export default {
   name: 'home',
   computed: {
+    csrf_token () {
+      return window.env.CSRF_TOKEN
+    },
     walletUrl () {
      return window.env.BORUTA_OAUTH_BASE_URL +
       '/accounts/wallet'
     },
     presentationUrl () {
      return window.env.BORUTA_OAUTH_BASE_URL +
-      `/oauth/authorize?client_id=00000000-0000-0000-0000-000000000001&redirect_uri=${window.env.BORUTA_OAUTH_BASE_URL}/accounts/wallet/verifiable-presentation&scope=BorutaCredentialJwtVc&response_type=vp_token&client_metadata={}&state=qrm0c4xm&prompt=login`
+      `/oauth/authorize`
+    },
+    presentationRedirectUri () {
+      return `${window.env.BORUTA_OAUTH_BASE_URL}/accounts/wallet/verifiable-presentation`
     },
     preauthorizeUrl () {
      return window.env.BORUTA_OAUTH_BASE_URL +

diff --git a/apps/boruta_admin/lib/boruta_admin_web/templates/page/admin.html.eex b/apps/boruta_admin/lib/boruta_admin_web/templates/page/admin.html.eex
@@ -13,11 +13,17 @@
         BORUTA_ADMIN_OAUTH_BASE_URL: '<%= System.get_env("BORUTA_ADMIN_OAUTH_BASE_URL", "http://localhost:4000") %>',
         BORUTA_ADMIN_BASE_URL: '<%= System.get_env("BORUTA_ADMIN_BASE_URL", "http://localhost:4001") %>',
         BORUTA_OAUTH_BASE_URL: '<%= System.get_env("BORUTA_OAUTH_BASE_URL", "http://localhost:4000") %>',
+        CSRF_TOKEN: '<%= Phoenix.Controller.get_csrf_token() %>'
       }
     </script>
     <link rel="stylesheet" type="text/css" href="<%= Routes.static_path(@conn, "/assets/boruta-admin.css") %>" media="all"/>
   </head>
   <body>
+    <%= if get_flash(@conn, :error) do %>
+    <div class="ui error message" style="position: absolute; top: 100px; right: 1em; left: 214px; text-align: center; z-index: 1000">
+      <%= get_flash(@conn, :error) %>
+    </div>
+    <% end %>
     <noscript>
       <strong>We're sorry but boruta-admin doesn't work properly without JavaScript enabled. Please enable it to continue.</strong>
     </noscript>

diff --git a/apps/boruta_identity/lib/boruta_identity_web/router.ex b/apps/boruta_identity/lib/boruta_identity_web/router.ex
@@ -86,17 +86,14 @@ defmodule BorutaIdentityWeb.Router do
 
   @impl Plug.ErrorHandler
   def handle_errors(conn, %{reason: %Plug.CSRFProtection.InvalidCSRFTokenError{message: message}}) do
-    with [referer] <- Plug.Conn.get_req_header(conn, "referer"),
-         %URI{path: path, query: query} <- URI.parse(referer) do
-      uri = %URI{path: path, query: query}
-
-      conn
-      |> Plug.Conn.fetch_session()
-      |> Phoenix.Controller.fetch_flash()
-      |> Phoenix.Controller.put_flash(:error, message)
-      |> Plug.Conn.put_status(:found)
-      |> Phoenix.Controller.redirect(to: URI.to_string(uri))
-    else
+    case Plug.Conn.get_req_header(conn, "referer") do
+      [referer] ->
+        conn
+        |> Plug.Conn.fetch_session()
+        |> Phoenix.Controller.fetch_flash()
+        |> Phoenix.Controller.put_flash(:error, message)
+        |> Plug.Conn.put_status(:found)
+        |> Phoenix.Controller.redirect(external: referer)
       _ ->
         render_error(conn, message)
     end

diff --git a/apps/boruta_web/lib/boruta_web/controllers/oauth/authorize_controller.ex b/apps/boruta_web/lib/boruta_web/controllers/oauth/authorize_controller.ex
@@ -31,12 +31,13 @@ defmodule BorutaWeb.Oauth.AuthorizeController do
   alias BorutaIdentityWeb.Router.Helpers, as: IdentityRoutes
   alias BorutaIdentityWeb.TemplateView
 
-  def authorize(%Plug.Conn{} = conn, _params) do
+  def authorize(%Plug.Conn{} = conn, params) do
     current_user = conn.assigns[:current_user]
 
     conn = put_unsigned_request(conn)
 
-    with {:unchanged, conn} <- prompt_redirection(conn, current_user),
+    with {:unchanged, conn} <- check_method(conn, params),
+         {:unchanged, conn} <- prompt_redirection(conn, current_user),
          {:unchanged, conn} <- public_client?(conn),
          {:unchanged, conn} <- verifiable_presentation?(conn),
          {:unchanged, conn} <- max_age_redirection(conn, current_user),
@@ -59,11 +60,36 @@ defmodule BorutaWeb.Oauth.AuthorizeController do
       {:authorize, conn} ->
         conn
 
+      {:error, conn} ->
+        conn
+
       {:redirected, conn} ->
         conn
     end
   end
 
+  def check_method(%Plug.Conn{method: "POST"} = conn, %{"response_type" => "vp_token"}) do
+    {:unchanged, %{conn | query_params: Map.merge(conn.query_params, conn.body_params)}}
+  end
+
+  def check_method(%Plug.Conn{method: "GET"} = conn, %{"response_type" => "vp_token"}) do
+    {:error, authorize_error(conn, %Error{
+      status: :bad_request,
+      error: :invalid_request,
+      error_description: "Presentation requests requires POST method"
+    })}
+  end
+
+  def check_method(%Plug.Conn{method: "GET"} = conn, _params), do: {:unchanged, conn}
+
+  def check_method(%Plug.Conn{method: "POST"} = conn, %{"response_type" => response_type}) do
+    {:error, authorize_error(conn, %Error{
+      status: :bad_request,
+      error: :invalid_request,
+      error_description: "#{response_type} requests require GET method"
+    })}
+  end
+
   def public_client?(conn) do
     case conn.query_params["client_id"] do
       "did:" <> _key ->

diff --git a/apps/boruta_web/lib/boruta_web/router.ex b/apps/boruta_web/lib/boruta_web/router.ex
@@ -77,6 +77,7 @@ defmodule BorutaWeb.Router do
     pipe_through([:browser, :fetch_current_user])
 
     get("/authorize", AuthorizeController, :authorize)
+    post("/authorize", AuthorizeController, :authorize)
   end
 
   scope "/did", BorutaWeb do

diff --git a/apps/boruta_web/test/boruta_web/controllers/oauth/openid_connect_test.exs b/apps/boruta_web/test/boruta_web/controllers/oauth/openid_connect_test.exs
@@ -70,7 +70,7 @@ defmodule BorutaWeb.Integration.OpenidConnectTest do
       redirect_uri: redirect_uri
     } do
       conn =
-        get(
+        post(
           conn,
           Routes.authorize_path(conn, :authorize, %{
             response_type: "vp_token",
-Original file line number
+Diff line change
@@ Expand Up / @@ -70,7 +70,7 @@ defmodule BorutaWeb.Integration.OpenidConnectTest do @@
           redirect_uri: redirect_uri
         } do
           conn =
-            get(
+            post(
               conn,
               Routes.authorize_path(conn, :authorize, %{
                 response_type: "vp_token",
@@ Expand Down @@