refactor(security): fix info disclosure, TOCTOU race, and reduce parameter sprawl (#146)

- Replace err.Error() with generic messages in device code and auth code
  exchange error responses to prevent internal detail leakage
- Add atomic AuthorizeDeviceCode store method using WHERE authorized=false
  to prevent TOCTOU race condition in concurrent device code authorization
- Introduce CreateAuthorizationCodeParams struct to replace 9 positional
  parameters in CreateAuthorizationCode
- Simplify issueCodeAndRedirect from 8 parameters to 4 by fully populating
  AuthorizationRequest with CodeChallenge in ValidateAuthorizationRequest
- Add explicit error mapping for all authorization code exchange sentinel
  errors in token handler

Author: appleboy

internal/core/store.go

@@ -62,6 +62,7 @@ type DeviceCodeStore interface {
 	GetDeviceCodesByID(deviceCodeID string) ([]*models.DeviceCode, error)
 	GetDeviceCodeByUserCode(userCode string) (*models.DeviceCode, error)
 	UpdateDeviceCode(dc *models.DeviceCode) error
+	AuthorizeDeviceCode(id int64, userID string) error
 	DeleteDeviceCodeByID(id int64) error
 }
 

internal/handlers/authorization.go

@@ -56,7 +56,7 @@ func (h *AuthorizationHandler) ShowAuthorizePage(c *gin.Context) {
 
 	// Validate the authorization request parameters
 	req, err := h.authorizationService.ValidateAuthorizationRequest(
-		clientID, redirectURI, responseType, scope, codeChallengeMethod, nonce,
+		clientID, redirectURI, responseType, scope, codeChallenge, codeChallengeMethod, nonce,
 	)
 	if err != nil {
 		h.redirectWithError(c, redirectURI, state, oauthErrorCode(err), err.Error())
@@ -77,16 +77,7 @@ func (h *AuthorizationHandler) ShowAuthorizePage(c *gin.Context) {
 	if h.config.ConsentRemember {
 		existing, _ := h.authorizationService.GetUserAuthorization(userIDStr, req.Client.ID)
 		if existing != nil && util.IsScopeSubset(existing.Scopes, req.Scopes) {
-			h.issueCodeAndRedirect(
-				c,
-				req,
-				userIDStr,
-				redirectURI,
-				state,
-				nonce,
-				codeChallenge,
-				codeChallengeMethod,
-			)
+			h.issueCodeAndRedirect(c, req, userIDStr, state)
 			return
 		}
 	}
@@ -99,13 +90,13 @@ func (h *AuthorizationHandler) ShowAuthorizePage(c *gin.Context) {
 		ClientID:            req.Client.ClientID,
 		ClientName:          req.Client.ClientName,
 		ClientDescription:   req.Client.Description,
-		RedirectURI:         redirectURI,
+		RedirectURI:         req.RedirectURI,
 		Scopes:              req.Scopes,
 		ScopeList:           strings.Fields(req.Scopes),
 		State:               state,
-		Nonce:               nonce,
-		CodeChallenge:       codeChallenge,
-		CodeChallengeMethod: codeChallengeMethod,
+		Nonce:               req.Nonce,
+		CodeChallenge:       req.CodeChallenge,
+		CodeChallengeMethod: req.CodeChallengeMethod,
 	}))
 }
 
@@ -139,7 +130,7 @@ func (h *AuthorizationHandler) HandleAuthorize(c *gin.Context) {
 
 	// Re-validate request on POST to prevent parameter tampering
 	req, err := h.authorizationService.ValidateAuthorizationRequest(
-		clientID, redirectURI, "code", scope, codeChallengeMethod, nonce,
+		clientID, redirectURI, "code", scope, codeChallenge, codeChallengeMethod, nonce,
 	)
 	if err != nil {
 		h.redirectWithError(c, redirectURI, state, oauthErrorCode(err), err.Error())
@@ -160,40 +151,40 @@ func (h *AuthorizationHandler) HandleAuthorize(c *gin.Context) {
 		return
 	}
 
-	h.issueCodeAndRedirect(
-		c, req, userIDStr, redirectURI, state, nonce, codeChallenge, codeChallengeMethod,
-	)
+	h.issueCodeAndRedirect(c, req, userIDStr, state)
 }
 
 // issueCodeAndRedirect generates an authorization code and redirects to the client's redirect_uri.
 func (h *AuthorizationHandler) issueCodeAndRedirect(
 	c *gin.Context,
 	req *services.AuthorizationRequest,
-	userID, redirectURI, state, nonce, codeChallenge, codeChallengeMethod string,
+	userID, state string,
 ) {
 	plainCode, _, err := h.authorizationService.CreateAuthorizationCode(
 		c.Request.Context(),
-		req.Client.ID,
-		req.Client.ClientID,
-		userID,
-		redirectURI,
-		req.Scopes,
-		codeChallenge,
-		codeChallengeMethod,
-		nonce,
+		services.CreateAuthorizationCodeParams{
+			ApplicationID:       req.Client.ID,
+			ClientID:            req.Client.ClientID,
+			UserID:              userID,
+			RedirectURI:         req.RedirectURI,
+			Scopes:              req.Scopes,
+			CodeChallenge:       req.CodeChallenge,
+			CodeChallengeMethod: req.CodeChallengeMethod,
+			Nonce:               req.Nonce,
+		},
 	)
 	if err != nil {
 		h.redirectWithError(
 			c,
-			redirectURI,
+			req.RedirectURI,
 			state,
 			errServerError,
 			"Failed to generate authorization code",
 		)
 		return
 	}
 
-	u, err := url.Parse(redirectURI)
+	u, err := url.Parse(req.RedirectURI)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": "invalid redirect_uri"})
 		return

internal/handlers/device.go

@@ -2,6 +2,7 @@ package handlers
 
 import (
 	"errors"
+	"log"
 	"net/http"
 
 	"github.com/go-authgate/authgate/internal/config"
@@ -21,6 +22,8 @@ func deviceCodeErrorMessage(err error) string {
 		return "User code not found"
 	case errors.Is(err, services.ErrDeviceCodeExpired):
 		return "Code has expired, please request a new one"
+	case errors.Is(err, services.ErrDeviceCodeAlreadyAuthorized):
+		return "This code has already been authorized"
 	default:
 		return "Invalid or expired code"
 	}
@@ -124,7 +127,13 @@ func (h *DeviceHandler) DeviceCodeRequest(c *gin.Context) {
 			)
 			return
 		}
-		respondOAuthError(c, http.StatusInternalServerError, errServerError, err.Error())
+		log.Printf("[device] device code generation error: %v", err)
+		respondOAuthError(
+			c,
+			http.StatusInternalServerError,
+			errServerError,
+			"An internal error occurred",
+		)
 		return
 	}
 

internal/handlers/token.go

@@ -491,10 +491,28 @@ func (h *TokenHandler) handleAuthorizationCodeGrant(c *gin.Context) {
 	)
 	if err != nil {
 		errCode := errInvalidGrant
-		if errors.Is(err, services.ErrUnauthorizedClient) {
+		var description string
+		switch {
+		case errors.Is(err, services.ErrUnauthorizedClient):
 			errCode = errUnauthorizedClient
+			description = "Client authentication failed"
+		case errors.Is(err, services.ErrAuthCodeNotFound):
+			description = "Authorization code is invalid or expired"
+		case errors.Is(err, services.ErrAuthCodeExpired):
+			description = "Authorization code has expired"
+		case errors.Is(err, services.ErrAuthCodeAlreadyUsed):
+			description = "Authorization code has already been used"
+		case errors.Is(err, services.ErrInvalidRedirectURI):
+			description = "Redirect URI does not match"
+		case errors.Is(err, services.ErrPKCERequired):
+			description = "PKCE code_verifier is required for public clients"
+		case errors.Is(err, services.ErrInvalidCodeVerifier):
+			description = "PKCE code_verifier validation failed"
+		default:
+			log.Printf("[token] authorization code exchange error: %v", err)
+			description = "An internal error occurred"
 		}
-		respondOAuthError(c, http.StatusBadRequest, errCode, err.Error())
+		respondOAuthError(c, http.StatusBadRequest, errCode, description)
 		return
 	}
 

internal/mocks/mock_store.go

@@ -74,7 +74,7 @@ func NewAuthorizationService(
 // ValidateAuthorizationRequest validates all parameters of an incoming authorization request.
 // Returns the parsed AuthorizationRequest on success.
 func (s *AuthorizationService) ValidateAuthorizationRequest(
-	clientID, redirectURI, responseType, scope, codeChallengeMethod, nonce string,
+	clientID, redirectURI, responseType, scope, codeChallenge, codeChallengeMethod, nonce string,
 ) (*AuthorizationRequest, error) {
 	// 1. response_type must be "code"
 	if responseType != "code" {
@@ -126,17 +126,29 @@ func (s *AuthorizationService) ValidateAuthorizationRequest(
 		Client:              client,
 		RedirectURI:         redirectURI,
 		Scopes:              scope,
+		CodeChallenge:       codeChallenge,
 		CodeChallengeMethod: codeChallengeMethod,
 		Nonce:               nonce,
 	}, nil
 }
 
+// CreateAuthorizationCodeParams bundles the inputs for authorization code creation.
+type CreateAuthorizationCodeParams struct {
+	ApplicationID       int64
+	ClientID            string
+	UserID              string
+	RedirectURI         string
+	Scopes              string
+	CodeChallenge       string
+	CodeChallengeMethod string
+	Nonce               string
+}
+
 // CreateAuthorizationCode generates a one-time authorization code and saves it to the database.
 // Returns the plaintext code (to be sent in the redirect) and the stored record.
 func (s *AuthorizationService) CreateAuthorizationCode(
 	ctx context.Context,
-	applicationID int64,
-	clientID, userID, redirectURI, scopes, codeChallenge, codeChallengeMethod, nonce string,
+	params CreateAuthorizationCodeParams,
 ) (plainCode string, record *models.AuthorizationCode, err error) {
 	// Generate 32 cryptographically random bytes (256-bit entropy)
 	rawBytes, err := util.CryptoRandomBytes(32)
@@ -153,14 +165,14 @@ func (s *AuthorizationService) CreateAuthorizationCode(
 		UUID:                uuid.New().String(),
 		CodeHash:            codeHash,
 		CodePrefix:          codePrefix,
-		ApplicationID:       applicationID,
-		ClientID:            clientID,
-		UserID:              userID,
-		RedirectURI:         redirectURI,
-		Scopes:              scopes,
-		CodeChallenge:       codeChallenge,
-		CodeChallengeMethod: codeChallengeMethod,
-		Nonce:               nonce,
+		ApplicationID:       params.ApplicationID,
+		ClientID:            params.ClientID,
+		UserID:              params.UserID,
+		RedirectURI:         params.RedirectURI,
+		Scopes:              params.Scopes,
+		CodeChallenge:       params.CodeChallenge,
+		CodeChallengeMethod: params.CodeChallengeMethod,
+		Nonce:               params.Nonce,
 		ExpiresAt:           time.Now().Add(s.config.AuthCodeExpiration),
 	}
 
@@ -172,15 +184,15 @@ func (s *AuthorizationService) CreateAuthorizationCode(
 		s.auditService.Log(ctx, AuditLogEntry{
 			EventType:    models.EventAuthorizationCodeGenerated,
 			Severity:     models.SeverityInfo,
-			ActorUserID:  userID,
+			ActorUserID:  params.UserID,
 			ResourceType: models.ResourceAuthorization,
 			ResourceID:   record.UUID,
 			Action:       "Authorization code generated",
 			Details: models.AuditDetails{
-				"client_id":    clientID,
-				"scopes":       scopes,
-				"pkce":         codeChallenge != "",
-				"redirect_uri": redirectURI,
+				"client_id":    params.ClientID,
+				"scopes":       params.Scopes,
+				"pkce":         params.CodeChallenge != "",
+				"redirect_uri": params.RedirectURI,
 			},
 			Success: true,
 		})