Update persister_oauth2.go to handle special character | coming in th…

…e scopes as part of consent request Url encoded and decoded while fetching values from the table, as "|" is a seperator used to store scopes
ory · Sep 25, 2024 · 1606831 · 1606831
1 parent f83193f
commit 1606831
Showing 1 changed file with 31 additions and 4 deletions.
diff --git a/persistence/sql/persister_oauth2.go b/persistence/sql/persister_oauth2.go
@@ -110,8 +110,8 @@ func (p *Persister) sqlSchemaFromRequest(ctx context.Context, signature string,
 		RequestedAt:       r.GetRequestedAt(),
 		InternalExpiresAt: sqlxx.NullTime(expiresAt),
 		Client:            r.GetClient().GetID(),
-		Scopes:            strings.Join(r.GetRequestedScopes(), "|"),
-		GrantedScope:      strings.Join(r.GetGrantedScopes(), "|"),
+		Scopes:            strings.Join(escapeDelimiter(r.GetRequestedScopes()), "|"),
+		GrantedScope:      strings.Join(escapeDelimiter(r.GetGrantedScopes()), "|"),
 		GrantedAudience:   strings.Join(r.GetGrantedAudience(), "|"),
 		RequestedAudience: strings.Join(r.GetRequestedAudience(), "|"),
 		Form:              r.GetRequestForm().Encode(),
@@ -158,8 +158,8 @@ func (r *OAuth2RequestSQL) toRequest(ctx context.Context, session fosite.Session
 		RequestedAt: r.RequestedAt,
 		// ExpiresAt does not need to be populated as we get the expiry time from the session.
 		Client:            c,
-		RequestedScope:    stringsx.Splitx(r.Scopes, "|"),
-		GrantedScope:      stringsx.Splitx(r.GrantedScope, "|"),
+		RequestedScope:    unescapeDelimiter(r.Scopes),
+		GrantedScope:      unescapeDelimiter(r.GrantedScope),
 		RequestedAudience: stringsx.Splitx(r.RequestedAudience, "|"),
 		GrantedAudience:   stringsx.Splitx(r.GrantedAudience, "|"),
 		Form:              val,
@@ -549,3 +549,30 @@ func (p *Persister) DeleteAccessTokens(ctx context.Context, clientID string) (er
 		p.QueryWithNetwork(ctx).Where("client_id=?", clientID).Delete(&OAuth2RequestSQL{Table: sqlTableAccess}),
 	)
 }
+
+func escapeDelimiter(scopes []string) []string {
+	escapedScopes := make([]string, len(scopes))
+	for i, scope := range scopes {
+		if strings.Contains(scope, "|") {
+			escapedScopes[i] = url.QueryEscape(scope)
+		} else {
+			escapedScopes[i] = scope
+		}
+	}
+	return escapedScopes
+}
+
+func unescapeDelimiter(scopes string) []string {
+	updatedScopes := stringsx.Splitx(scopes, "|")
+	if strings.Contains(scopes, "%26") {
+		for i, scope := range updatedScopes {
+			unescapedScope, err := url.QueryUnescape(scope)
+			if err != nil {
+				errors.Errorf("Error while url unescaping scope: %s", scope)
+			}
+			updatedScopes[i] = unescapedScope
+		}
+	}
+	return updatedScopes
+}
+