From f223975e7973077ce7d9e37240fd0ef80308ecd6 Mon Sep 17 00:00:00 2001
From: James Elliott <james-d-elliott@users.noreply.github.com>
Date: Sat, 7 Jan 2023 10:28:53 +1100
Subject: [PATCH] refactor(oidc): simplify hmac core strategy (#4711)

---
 internal/oidc/config.go |  3 +--
 internal/oidc/const.go  |  7 +++++++
 internal/oidc/hmac.go   | 35 +++++++++++++++++------------------
 3 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/internal/oidc/config.go b/internal/oidc/config.go
index 7da84d4ef..0146899bf 100644
--- a/internal/oidc/config.go
+++ b/internal/oidc/config.go
@@ -40,11 +40,10 @@ func NewConfig(config *schema.OpenIDConnectConfiguration) *Config {
 		},
 	}
 
-	prefix := "authelia_%s_"
 	c.Strategy.Core = &HMACCoreStrategy{
 		Enigma: &hmac.HMACStrategy{Config: c},
 		Config: c,
-		prefix: &prefix,
+		prefix: tokenPrefixFmt,
 	}
 
 	return c
diff --git a/internal/oidc/const.go b/internal/oidc/const.go
index 91647013e..9c8fa6942 100644
--- a/internal/oidc/const.go
+++ b/internal/oidc/const.go
@@ -106,6 +106,13 @@ const (
 	JWTHeaderKeyIdentifier = "kid"
 )
 
+const (
+	tokenPrefixFmt               = "authelia_%s_" //nolint:gosec
+	tokenPrefixPartAccessToken   = "at"
+	tokenPrefixPartRefreshToken  = "rt"
+	tokenPrefixPartAuthorizeCode = "ac"
+)
+
 // Paths.
 const (
 	EndpointPathConsent                           = "/consent"
diff --git a/internal/oidc/hmac.go b/internal/oidc/hmac.go
index 976ddec07..979a98afc 100644
--- a/internal/oidc/hmac.go
+++ b/internal/oidc/hmac.go
@@ -19,7 +19,7 @@ type HMACCoreStrategy struct {
 		fosite.RefreshTokenLifespanProvider
 		fosite.AuthorizeCodeLifespanProvider
 	}
-	prefix *string
+	prefix string
 }
 
 // AccessTokenSignature implements oauth2.AccessTokenStrategy.
@@ -34,7 +34,7 @@ func (h *HMACCoreStrategy) GenerateAccessToken(ctx context.Context, _ fosite.Req
 		return "", "", err
 	}
 
-	return h.setPrefix(token, "at"), sig, nil
+	return h.setPrefix(token, tokenPrefixPartAccessToken), sig, nil
 }
 
 // ValidateAccessToken implements oauth2.AccessTokenStrategy.
@@ -48,7 +48,7 @@ func (h *HMACCoreStrategy) ValidateAccessToken(ctx context.Context, r fosite.Req
 		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Access token expired at '%s'.", exp))
 	}
 
-	return h.Enigma.Validate(ctx, h.trimPrefix(token, "at"))
+	return h.Enigma.Validate(ctx, h.trimPrefix(token, tokenPrefixPartAccessToken))
 }
 
 // RefreshTokenSignature implements oauth2.RefreshTokenStrategy.
@@ -63,21 +63,22 @@ func (h *HMACCoreStrategy) GenerateRefreshToken(ctx context.Context, _ fosite.Re
 		return "", "", err
 	}
 
-	return h.setPrefix(token, "rt"), sig, nil
+	return h.setPrefix(token, tokenPrefixPartRefreshToken), sig, nil
 }
 
 // ValidateRefreshToken implements oauth2.RefreshTokenStrategy.
 func (h *HMACCoreStrategy) ValidateRefreshToken(ctx context.Context, r fosite.Requester, token string) (err error) {
 	var exp = r.GetSession().GetExpiresAt(fosite.RefreshToken)
+
 	if exp.IsZero() {
-		return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt"))
+		return h.Enigma.Validate(ctx, h.trimPrefix(token, tokenPrefixPartRefreshToken))
 	}
 
-	if !exp.IsZero() && exp.Before(time.Now().UTC()) {
+	if exp.Before(time.Now().UTC()) {
 		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Refresh token expired at '%s'.", exp))
 	}
 
-	return h.Enigma.Validate(ctx, h.trimPrefix(token, "rt"))
+	return h.Enigma.Validate(ctx, h.trimPrefix(token, tokenPrefixPartRefreshToken))
 }
 
 // AuthorizeCodeSignature implements oauth2.AuthorizeCodeStrategy.
@@ -92,12 +93,13 @@ func (h *HMACCoreStrategy) GenerateAuthorizeCode(ctx context.Context, _ fosite.R
 		return "", "", err
 	}
 
-	return h.setPrefix(token, "ac"), sig, nil
+	return h.setPrefix(token, tokenPrefixPartAuthorizeCode), sig, nil
 }
 
 // ValidateAuthorizeCode implements oauth2.AuthorizeCodeStrategy.
 func (h *HMACCoreStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.Requester, token string) (err error) {
 	var exp = r.GetSession().GetExpiresAt(fosite.AuthorizeCode)
+
 	if exp.IsZero() && r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx)).Before(time.Now().UTC()) {
 		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", r.GetRequestedAt().Add(h.Config.GetAuthorizeCodeLifespan(ctx))))
 	}
@@ -106,24 +108,21 @@ func (h *HMACCoreStrategy) ValidateAuthorizeCode(ctx context.Context, r fosite.R
 		return errorsx.WithStack(fosite.ErrTokenExpired.WithHintf("Authorize code expired at '%s'.", exp))
 	}
 
-	return h.Enigma.Validate(ctx, h.trimPrefix(token, "ac"))
+	return h.Enigma.Validate(ctx, h.trimPrefix(token, tokenPrefixPartAuthorizeCode))
 }
 
 func (h *HMACCoreStrategy) getPrefix(part string) string {
-	if h.prefix == nil {
-		prefix := "ory_%s_"
-		h.prefix = &prefix
-	} else if len(*h.prefix) == 0 {
+	if len(h.prefix) == 0 {
 		return ""
 	}
 
-	return fmt.Sprintf(*h.prefix, part)
-}
-
-func (h *HMACCoreStrategy) trimPrefix(token, part string) string {
-	return strings.TrimPrefix(token, h.getPrefix(part))
+	return fmt.Sprintf(h.prefix, part)
 }
 
 func (h *HMACCoreStrategy) setPrefix(token, part string) string {
 	return h.getPrefix(part) + token
 }
+
+func (h *HMACCoreStrategy) trimPrefix(token, part string) string {
+	return strings.TrimPrefix(token, h.getPrefix(part))
+}