more cleanup

11 months ago · f489930482
2 changed files with 8 additions and 5 deletions
--- a/src/api/core/two_factor/duo_oidc.rs
+++ b/src/api/core/two_factor/duo_oidc.rs
@ -131,7 +131,8 @@ struct IdTokenClaims {
    nonce: String,
 }

-// Duo WebSDK 4 Client
+// Duo OIDC Authorization Client
+// See https://duo.com/docs/oauthapi
 struct DuoClient {
    client_id: String,     // Duo Client ID (DuoData.ik)
    client_secret: String, // Duo Client Secret (DuoData.sk)
@ -140,7 +141,6 @@ struct DuoClient {
    jwt_exp_seconds: i64,  // Number of seconds that JWTs we create should be valid for
 }

-// See https://duo.com/docs/oauthapi
 impl DuoClient {

    // Construct a new DuoClient
@ -240,7 +240,7 @@ impl DuoClient {
        let jwt_payload = AuthorizationRequest {
            response_type: String::from("code"),
            scope: String::from("openid"),
-            exp: now,
+            exp: now + self.jwt_exp_seconds,
            client_id: self.client_id.clone(),
            redirect_uri: self.redirect_uri.clone(),
            state,
@ -303,7 +303,7 @@ impl DuoClient {
        post_body.insert("client_assertion", token);

        let res = match get_reqwest_client()
-            .post(token_url.clone())
+            .post(&token_url)
            .header(header::USER_AGENT, "vaultwarden:Duo/2.0 (Rust)")
            .form(&post_body)
            .send()
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
@ -523,9 +523,11 @@ async fn twofactor_auth(
        Some(TwoFactorType::Duo | TwoFactorType::OrganizationDuo) => {
            match CONFIG.duo_use_iframe() {
                true => {
+                    // Legacy iframe prompt flow
                    duo::validate_duo_login(data.username.as_ref().unwrap().trim(), twofactor_code, conn).await?
                }
                false => {
+                    // OIDC based flow
                    duo_oidc::validate_duo_login(data.username.as_ref().unwrap().trim(), twofactor_code, client_type, conn).await?
                }
            }
@ -597,9 +599,9 @@ async fn _json_err_twofactor(providers: &[i32], user_uuid: &str, client_type: &C
                    None => err!("User does not exist"),
                };

-                // Should we try to use the legacy iframe prompt?
                match CONFIG.duo_use_iframe() {
                    true => {
+                        // Legacy iframe prompt flow
                        let (signature, host) = duo::generate_duo_signature(&email, conn).await?;
                        result["TwoFactorProviders2"][provider.to_string()] = json!({
                            "Host": host,
@ -607,6 +609,7 @@ async fn _json_err_twofactor(providers: &[i32], user_uuid: &str, client_type: &C
                        })
                    }
                    false => {
+                        // OIDC based flow
                        let auth_url = duo_oidc::get_duo_auth_url(&email, client_type, conn).await?;

                        result["TwoFactorProviders2"][provider.to_string()] = json!({