Several changes:

RockinRoel · RockinRoel · commit 63e5a1c9bc6f · 2017-10-02T14:10:03.000+02:00
- WViewWidget: Fixed crash due to removeFromParent on widget being destructed
 - add configuration parameter for the maximum size of the form-data
 - add logging to oauth and oidc
diff --git a/examples/feature/oidc/Oidc.C b/examples/feature/oidc/Oidc.C
@@ -71,6 +71,7 @@ private:
 
 int main(int argc, char** argv)
 {
+  try {
   Wt::WServer server(argc, argv, WTHTTP_CONFIGURATION);
   server.readConfigurationProperty("application-url",deployUrl);
 
@@ -112,4 +113,7 @@ int main(int argc, char** argv)
   Session::configureAuth();
 
   server.run();
+  } catch (Wt::WException &e) {
+    std::cerr << "Exception: " << e.what() << std::endl;
+  }
 }
diff --git a/src/Wt/Auth/OAuthAuthorizationEndpointProcess.C b/src/Wt/Auth/OAuthAuthorizationEndpointProcess.C
@@ -57,19 +57,23 @@ void OAuthAuthorizationEndpointProcess::processEnvironment()
   }
   client_ = db_->idpClientFindWithId(*clientId);
   if (!client_.checkValid()) {
-    LOG_ERROR("Unknown or invalid client_id.");
+    LOG_ERROR("Unknown or invalid client_id " << *clientId);
     return;
   }
   std::set<std::string> redirectUris = client_.redirectUris();
   if (redirectUris.find(redirectUri_) == redirectUris.end()) {
-    LOG_ERROR("The client application passed an unregistered redirection URI.");
+    LOG_ERROR("The client application passed the  unregistered redirection URI " << redirectUri_);
     return;
   }
   const std::string *scope = env.getParameter("scope");
   const std::string *responseType = env.getParameter("response_type");
   const std::string *state  = env.getParameter("state");
   if (!scope || !responseType || *responseType != "code") {
     sendResponse("error=invalid_request");
+    LOG_INFO("error=invalid_request: "
+      << " scope: " << (scope ? *scope : "NULL")
+      << " response_type: " << (responseType ? *responseType : "NULL")
+    );
     return;
   }
   validRequest_ = true;
@@ -85,6 +89,7 @@ void OAuthAuthorizationEndpointProcess::processEnvironment()
     return;
   } else if (prompt && *prompt == "none") {
     sendResponse("error=login_required");
+    LOG_INFO("error=login_required but prompt == none");
     return;
   }
 }
@@ -97,6 +102,8 @@ void OAuthAuthorizationEndpointProcess::authorizeScope(const std::string& scope)
     db_->idpTokenAdd(authCodeValue, expirationTime, "authorization_code", scope,
         redirectUri_, login_.user(), client_);
     sendResponse("code=" + authCodeValue);
+    LOG_INFO("authorization_code created for " << login_.user().id() << "(" << login_.user().email() << ")"
+	     << ", code = " + authCodeValue);
   } else {
     throw WException("Wt::Auth::OAuthAuthorizationEndpointProcess::authorizeScope: request isn't valid");
   }
diff --git a/src/Wt/Auth/OAuthTokenEndpoint.C b/src/Wt/Auth/OAuthTokenEndpoint.C
@@ -36,10 +36,11 @@ const std::string AUTH_TYPE = "Basic";
 }
 
 namespace Wt {
-namespace Auth {
 
 LOGGER("OAuthTokenEndpoint");
 
+namespace Auth {
+
 OAuthTokenEndpoint::OAuthTokenEndpoint(AbstractUserDatabase& db,
                                        std::string issuer)
   : db_(&db),
@@ -115,6 +116,12 @@ void OAuthTokenEndpoint::handleRequest(const Http::Request &request, Http::Respo
   if (!code || clientId.empty() || clientSecret.empty() || !grantType || !redirectUri) {
     response.setStatus(400);
     response.out() << "{\"error\": \"invalid_request\"}" << std::endl;
+    LOG_INFO("{\"error\": \"invalid_request\"}:"
+      << " code:" << (code ? *code : "NULL")
+      << " clientId: " << clientId
+      << " clientSecret: " << (clientSecret.empty() ? "MISSING" : "NOT MISSING")
+      << " grantType: " << (grantType ? *grantType : "NULL")
+      << " redirectUri: " << (redirectUri ? *redirectUri : "NULL"));
     return;
   }
   OAuthClient client = db_->idpClientFindWithId(clientId);
@@ -129,18 +136,35 @@ void OAuthTokenEndpoint::handleRequest(const Http::Request &request, Http::Respo
             methodToString(client.authMethod()));
     }
     response.out() << "{\n\"error\": \"invalid_client\"\n}" << std::endl;
+    LOG_INFO("{\"error\": \"invalid_client\"}: "
+      << " id: " << clientId
+      << " client: " << (client.checkValid() ? "valid" : "not valid")
+      << " secret: " << (client.verifySecret(clientSecret) ? "correct" : "incorrect")
+	     << " method: " << (client.authMethod() != authMethod ? "no match" : "match")
+    );
     return;
   }
   if (*grantType != GRANT_TYPE) {
     response.setStatus(400);
     response.out() << "{\n\"error\": \"unsupported_grant_type\"\n}" << std::endl;
+    LOG_INFO("{\"error\": \"unsupported_grant_type\"}: "
+      << " id: " << clientId
+      << " grantType: " << grantType
+    );
     return;
   }
   IssuedToken authCode = db_->idpTokenFindWithValue(GRANT_TYPE, *code);
   if (!authCode.checkValid() || authCode.redirectUri() != *redirectUri
       || WDateTime::currentDateTime() > authCode.expirationTime()) {
     response.setStatus(400);
     response.out() << "{\n\"error\": \"invalid_grant\"\n}" << std::endl;
+    LOG_INFO("{\"error\": \"invalid_grant\"}:"
+      << " id: " << clientId
+      << " code: " << *code
+      << " authCode: " << (authCode.checkValid() ? "valid" : "not valid")
+      << " redirectUri: " << *redirectUri << (authCode.redirectUri() != *redirectUri ? " - invalid" : " - valid")
+      << " timestamp: " << authCode.expirationTime().toString() << (WDateTime::currentDateTime() > authCode.expirationTime() ? ", expired" : ", not expired")
+    );
     return;
   }
   std::string accessTokenValue = WRandom::generateId();
@@ -178,6 +202,9 @@ void OAuthTokenEndpoint::handleRequest(const Http::Request &request, Http::Respo
     root["id_token"] = Json::Value(header + "." + payload + "." + signature);
   }
   response.out() << Json::serialize(root);
+
+  LOG_INFO("success: " << clientId << ", " << user.id() << ", " << db_->email(user));
+
 #ifdef WT_TARGET_JAVA
   } catch (std::io_exception ioe) {
     LOG_ERROR(ioe.message());
diff --git a/src/Wt/Auth/OidcUserInfoEndpoint.C b/src/Wt/Auth/OidcUserInfoEndpoint.C
@@ -27,9 +27,11 @@ const std::string AUTH_TYPE = "Bearer ";
 }
 
 namespace Wt {
+
+  LOGGER("OidcUserInfoEndpoint");
+
 namespace Auth {
 
-LOGGER("OidcUserInfoEndpoint");
 
 OidcUserInfoEndpoint::OidcUserInfoEndpoint(AbstractUserDatabase &db)
   : db_(&db)
@@ -54,13 +56,15 @@ void OidcUserInfoEndpoint::handleRequest(const Http::Request& request, Http::Res
   if (!boost::starts_with(authHeader, AUTH_TYPE)) {
     response.setStatus(400);
     response.addHeader("WWW-Authenticate", "error=\"invalid_request\"");
+    LOG_INFO("error=\"invalid_request\": Authorization header missing");
     return;
   }
   std::string tokenValue = authHeader.substr(AUTH_TYPE.length());
   IssuedToken accessToken = db_->idpTokenFindWithValue("access_token", tokenValue);
   if (!accessToken.checkValid() || WDateTime::currentDateTime() > accessToken.expirationTime()) {
     response.setStatus(401);
     response.addHeader("WWW-Authenticate", "error=\"invalid_token\"");
+    LOG_INFO("error=\"invalid_token\" " << authHeader);
     return;
   }
   response.setMimeType("application/json");
@@ -73,6 +77,7 @@ void OidcUserInfoEndpoint::handleRequest(const Http::Request& request, Http::Res
   try {
 #endif
     response.out() << Json::serialize(generateUserInfo(user, scopeSet)) << std::endl;
+    LOG_INFO("Response sent for " << user.id() << "(" << db_->email(user) << ")");
 #ifdef WT_TARGET_JAVA
   } catch (std::io_exception ioe) {
     LOG_ERROR(ioe.message());
diff --git a/src/Wt/WViewWidget.C b/src/Wt/WViewWidget.C
@@ -14,6 +14,11 @@ namespace Wt {
 WViewWidget::WViewWidget()
 { }
 
+WViewWidget::~WViewWidget()
+{
+  manageWidget(contents_, std::unique_ptr<WWidget>{});
+}
+
 void WViewWidget::load()
 {
   update();
diff --git a/src/Wt/WViewWidget.h b/src/Wt/WViewWidget.h
@@ -110,6 +110,8 @@ class WT_API WViewWidget : public WWebWidget
    */
   WViewWidget();
 
+  ~WViewWidget();
+
   /*! \brief Updates the view.
    *
    * Typically, the model will want to update the view when the model
diff --git a/src/web/CgiParser.C b/src/web/CgiParser.C
@@ -174,8 +174,9 @@ void CgiParser::init()
 #endif
 }
 
-CgiParser::CgiParser(::int64_t maxPostData)
-  : maxPostData_(maxPostData)
+CgiParser::CgiParser(::int64_t maxRequestSize, ::int64_t maxFormData)
+  : maxFormData_(maxFormData),
+    maxRequestSize_(maxRequestSize)
 { }
 
 void CgiParser::parse(WebRequest& request, ReadOption readOption)
@@ -189,7 +190,7 @@ void CgiParser::parse(WebRequest& request, ReadOption readOption)
   const char *type = request.contentType();
   const char *meth = request.requestMethod();
 
-  request.postDataExceeded_ = (len > maxPostData_ ? len : 0);
+  request.postDataExceeded_ = (len > maxRequestSize_ ? len : 0);
 
   std::string queryString = request.queryString();
 
@@ -204,7 +205,7 @@ void CgiParser::parse(WebRequest& request, ReadOption readOption)
      * TODO: parse this stream-based to avoid the malloc here. For now
      * we protect the maximum that can be POST'ed as form data.
      */
-    if (len > 5*1024*1024)
+    if (len > maxFormData_)
       throw WException("Oversized application/x-www-form-urlencoded ("
 		       + std::to_string(len) + ")");
 
diff --git a/src/web/CgiParser.h b/src/web/CgiParser.h
@@ -29,7 +29,7 @@ class CgiParser
 
   static void init();
 
-  CgiParser(::int64_t maxPostData);
+  CgiParser(::int64_t maxRequestSize, ::int64_t maxFormData);
 
   /*
    * Reads in GET or POST data, converts it to unescaped text, and
@@ -43,7 +43,7 @@ class CgiParser
 			 ::int64_t len);
   bool parseBody(WebRequest& request, const std::string boundary);
   bool parseHead(WebRequest& request);
-  ::int64_t maxPostData_, left_;
+  ::int64_t maxFormData_, maxRequestSize_, left_;
   std::ostream *spoolStream_;
   WebRequest *request_;
 
diff --git a/src/web/Configuration.C b/src/web/Configuration.C
@@ -212,6 +212,7 @@ void Configuration::reset()
   numThreads_ = 10;
   maxNumSessions_ = 100;
   maxRequestSize_ = 128 * 1024;
+  maxFormDataSize_ = 5 * 1024 * 1024;
   isapiMaxMemoryRequestSize_ = 128 * 1024;
   sessionTracking_ = URL;
   reloadIsNewSession_ = true;
@@ -285,6 +286,12 @@ int Configuration::maxNumSessions() const
   return maxRequestSize_;
 }
 
+  
+::int64_t Configuration::maxFormDataSize() const
+{
+  return maxFormDataSize_;
+}
+
 ::int64_t Configuration::isapiMaxMemoryRequestSize() const
 {
   READ_LOCK;
@@ -775,6 +782,11 @@ void Configuration::readApplicationSettings(xml_node<> *app)
   if (!maxRequestStr.empty())
     maxRequestSize_ = Utils::stol(maxRequestStr) * 1024;
 
+  std::string maxFormDataStr =
+    singleChildElementValue(app, "max-formdata-size", "");
+  if (!maxFormDataStr.empty())
+    maxFormDataSize_ = Utils::stoll(maxFormDataStr) * 1024;
+
   std::string debugStr = singleChildElementValue(app, "debug", "");
 
   if (!debugStr.empty()) {
diff --git a/src/web/Configuration.h b/src/web/Configuration.h
@@ -159,6 +159,7 @@ class WT_API Configuration
   int numThreads() const;
   int maxNumSessions() const;
   ::int64_t maxRequestSize() const;
+  ::int64_t maxFormDataSize() const;
   ::int64_t isapiMaxMemoryRequestSize() const;
   SessionTracking sessionTracking() const;
   bool reloadIsNewSession() const;
@@ -246,6 +247,7 @@ class WT_API Configuration
   int             numThreads_;
   int             maxNumSessions_;
   ::int64_t       maxRequestSize_;
+  ::int64_t       maxFormDataSize_;
   ::int64_t       isapiMaxMemoryRequestSize_;
   SessionTracking sessionTracking_;
   bool            reloadIsNewSession_;
diff --git a/src/web/WebController.C b/src/web/WebController.C
@@ -452,7 +452,7 @@ bool WebController::requestDataReceived(WebRequest *request,
     lock.unlock();
 #endif // WT_THREADED
 
-    CgiParser cgi(conf_.maxRequestSize());
+    CgiParser cgi(conf_.maxRequestSize(), conf_.maxFormDataSize());
 
     try {
       cgi.parse(*request, CgiParser::ReadHeadersOnly);
@@ -587,7 +587,7 @@ void WebController::handleRequest(WebRequest *request)
     }
   }
 
-  CgiParser cgi(conf_.maxRequestSize());
+  CgiParser cgi(conf_.maxRequestSize(), conf_.maxFormDataSize());
 
   try {
     cgi.parse(*request, conf_.needReadBodyBeforeResponse()
diff --git a/src/web/WebSession.C b/src/web/WebSession.C
@@ -1921,7 +1921,8 @@ void WebSession::handleWebSocketMessage(std::weak_ptr<WebSession> session,
 	bool closing = message->contentLength() == 0;
 
 	if (!closing) {
-	  CgiParser cgi(lock->controller_->configuration().maxRequestSize());
+	  CgiParser cgi(lock->controller_->configuration().maxRequestSize(),
+			lock->controller_->configuration().maxFormDataSize());
 	  try {
 	    cgi.parse(*message, CgiParser::ReadDefault);
 	  } catch (std::exception& e) {
diff --git a/wt_config.xml.in b/wt_config.xml.in
@@ -234,6 +234,15 @@
          -->
 	<max-request-size>128</max-request-size>
 
+	<!-- Maximum form data (Kb)
+	     
+	   Maximum size of the data in a POST request of type
+	   'application/x-www-form-urlencoded' (used for Wt form-field values)
+	   Note that the maximum size is also limited by the value of
+	   'max-request-size'.
+	-->
+	<max-formdata-size>5120</max-formdata-size>
+
         <!-- Number of threads per process
 
            You may want to change this value if you would like to

Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,7 @@ private:`
`71`	`71`
`72`	`72`	`int main(int argc, char** argv)`
`73`	`73`	`{`
	`74`	`+ try {`
`74`	`75`	`Wt::WServer server(argc, argv, WTHTTP_CONFIGURATION);`
`75`	`76`	`server.readConfigurationProperty("application-url",deployUrl);`
`76`	`77`
`@@ -112,4 +113,7 @@ int main(int argc, char** argv)`
`112`	`113`	`Session::configureAuth();`
`113`	`114`
`114`	`115`	`server.run();`
	`116`	`+ } catch (Wt::WException &e) {`
	`117`	`+ std::cerr << "Exception: " << e.what() << std::endl;`
	`118`	`+ }`
`115`	`119`	`}`
Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,8 @@ class WT_API WViewWidget : public WWebWidget`
`110`	`110`	`*/`
`111`	`111`	`WViewWidget();`
`112`	`112`
	`113`	`+ ~WViewWidget();`
	`114`	`+`
`113`	`115`	`/*! \brief Updates the view.`
`114`	`116`	`*`
`115`	`117`	`* Typically, the model will want to update the view when the model`