✨ Normalize external-session-id parsing from request

2025-01-08 07:50:43 -05:00 · 2024-07-12 10:20:24 +02:00 · 2024-07-12 10:20:24 +02:00 · f4b59cc5a0
commit f4b59cc5a0
parent d52f2b18a5
2 changed files with 37 additions and 11 deletions
--- a/backend/src/app/auth/oidc.clj
+++ b/backend/src/app/auth/oidc.clj
@ -22,6 +22,7 @@
   [app.http.errors :as errors]
   [app.http.session :as session]
   [app.loggers.audit :as audit]
+   [app.rpc :as rpc]
   [app.rpc.commands.profile :as profile]
   [app.setup :as-alias setup]
   [app.tokens :as tokens]
@ -589,17 +590,28 @@
        (redirect-to-register cfg info request)
        (redirect-with-error "registration-disabled")))))

+(defn- get-external-session-id
+  [request]
+  (let [session-id (rreq/get-header request "x-external-session-id")]
+    (when (string? session-id)
+      (if (or (> (count session-id) 256)
+              (= session-id "null")
+              (str/blank? session-id))
+        nil
+        session-id))))
+
 (defn- auth-handler
  [cfg {:keys [params] :as request}]
-  (let [props (audit/extract-utm-params params)
-        esid  (rreq/get-header request "x-external-session-id")
-        state (tokens/generate (::setup/props cfg)
-                               {:iss :oauth
-                                :invitation-token (:invitation-token params)
-                                :external-session-id esid
-                                :props props
-                                :exp (dt/in-future "4h")})
-        uri   (build-auth-uri cfg state)]
+  (let [props  (audit/extract-utm-params params)
+        esid   (rpc/get-external-session-id request)
+        params {:iss :oauth
+                :invitation-token (:invitation-token params)
+                :external-session-id esid
+                :props props
+                :exp (dt/in-future "4h")}
+        state  (tokens/generate (::setup/props cfg)
+                                (d/without-nils params))
+        uri    (build-auth-uri cfg state)]
    {::rres/status 200
     ::rres/body {:redirect-uri uri}}))

--- a/backend/src/app/rpc.clj
+++ b/backend/src/app/rpc.clj
@ -70,6 +70,20 @@
        (handle-response-transformation request mdata)
        (handle-before-comple-hook mdata))))

+(defn get-external-session-id
+  [request]
+  (when-let [session-id (rreq/get-header request "x-external-session-id")]
+    (when-not (or (> (count session-id) 256)
+                  (= session-id "null")
+                  (str/blank? session-id))
+      session-id)))
+
+(defn- get-external-event-origin
+  [request]
+  (when-let [origin (rreq/get-header request "x-event-origin")]
+    (when-not (> (count origin) 256)
+      origin)))
+
 (defn- rpc-handler
  "Ring handler that dispatches cmd requests and convert between
  internal async flow into ring async flow."
@ -79,8 +93,8 @@
        profile-id   (or (::session/profile-id request)
                         (::actoken/profile-id request))

-        session-id   (rreq/get-header request "x-external-session-id")
-        event-origin (rreq/get-header request "x-event-origin")
+        session-id   (get-external-session-id request)
+        event-origin (get-external-event-origin request)

        data         (-> params
                         (assoc ::handler-name handler-name)