From 9d0e11ac861ba55fabd1b9bbce15e7b6814673e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phan=20Kochen?= Date: Thu, 30 Nov 2023 19:12:01 +0100 Subject: [PATCH] Reject request objects --- src/handlers/auth.rs | 38 ++++++++++++++++++++++++++------------ src/web.rs | 2 +- 2 files changed, 27 insertions(+), 13 deletions(-) diff --git a/src/handlers/auth.rs b/src/handlers/auth.rs index b8b452b5..62e8159a 100644 --- a/src/handlers/auth.rs +++ b/src/handlers/auth.rs @@ -91,19 +91,8 @@ pub async fn auth(ctx: &mut Context) -> HandlerResult { let state = try_get_input_param!(params, "state", String::new()); let prompt = try_get_input_param!(params, "prompt", String::new()); - let nonce = try_get_input_param!(params, "nonce", String::new()); - let nonce = if nonce.is_empty() { None } else { Some(nonce) }; - let response_type = match try_get_input_param!(params, "response_type").as_str() { - "id_token" => { - if nonce.is_none() { - return Err(BrokerError::Input( - "missing request parameter nonce, required with response_type=id_token" - .to_owned(), - )); - } - ResponseType::IdToken - } + "id_token" => ResponseType::IdToken, "code" => ResponseType::Code, _ => { return Err(BrokerError::Input( 
@@ -149,6 +138,31 @@ pub async fn auth(ctx: &mut Context) -> HandlerResult { state, }); + if params.contains_key("request") { + return Err(BrokerError::SpecificInput { + error: "request_not_supported".to_owned(), + error_description: "passing request parameters as JWTs is not supported".to_owned(), + }); + } + if params.contains_key("request_uri") { + return Err(BrokerError::SpecificInput { + error: "request_uri_not_supported".to_owned(), + error_description: "passing request parameters as JWTs is not supported".to_owned(), + }); + } + + let nonce = try_get_input_param!(params, "nonce", String::new()); + let nonce = if nonce.is_empty() { + if response_type == ResponseType::IdToken { + return Err(BrokerError::Input( + "missing request parameter nonce, required with response_type=id_token".to_owned(), + )); + } + None + } else { + Some(nonce) + }; + if let Some(ref whitelist) = ctx.app.allowed_origins { if !whitelist.contains(&client_id) { return Err(BrokerError::Input( diff --git a/src/web.rs b/src/web.rs index 8829357a..7111eaca 100644 --- a/src/web.rs +++ b/src/web.rs @@ -40,7 +40,7 @@ pub struct Session { } /// Response types we support. -#[derive(Clone, Copy, Serialize, Deserialize)] +#[derive(Clone, Copy, PartialEq, Eq, Serialize, Deserialize)] pub enum ResponseType { IdToken, // NOTE: This type is outside the Portier spec, but we support it in this implementation for
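Review bot: The two new guards on `request` and `request_uri` carry no comment saying why these parameters are rejected rather than ignored, and the reason is security-relevant: a broker that silently dropped a request object would act on the plain query parameters while the relying party assumes the values inside its JWT were honoured. I would add above the first guard `// We do not parse request objects (OIDC Core section 6); fail with the spec's error codes instead of silently ignoring them.` The guards and the relocated nonce check now sit after the `state, });` assignment, which presumably determines whether an error is redirected back to the relying party; if so, the missing-nonce error for `response_type=id_token` is delivered differently than before, and that ordering deserves a one-line comment as well. The diffstat lists only `src/handlers/auth.rs` and `src/web.rs`, so a regression test asserting `request_not_supported` and `request_uri_not_supported` would pin the new behaviour. The body of `auth` starts and ends outside this hunk.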