From ead46fe177a9f7cf36dc8fc816954e5b1f2db370 Mon Sep 17 00:00:00 2001
From: zachmann <gabriel.zachmann@kit.edu>
Date: Tue, 27 Jul 2021 09:35:35 +0200
Subject: [PATCH] error if empty capabilities are requested

---
 internal/endpoints/token/mytoken/mytokenEndpoint.go | 6 ++++++
 shared/mytoken/mytokenHandler.go                    | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/internal/endpoints/token/mytoken/mytokenEndpoint.go b/internal/endpoints/token/mytoken/mytokenEndpoint.go
index a1684a97..578dd847 100644
--- a/internal/endpoints/token/mytoken/mytokenEndpoint.go
+++ b/internal/endpoints/token/mytoken/mytokenEndpoint.go
@@ -65,6 +65,12 @@ func handleOIDCFlow(ctx *fiber.Ctx) error {
 			Response: api.ErrorUnknownIssuer,
 		}.Send(ctx)
 	}
+	if req.Capabilities != nil && len(req.Capabilities) == 0 {
+		return serverModel.Response{
+			Status:   fiber.StatusBadRequest,
+			Response: api.Error{Error: api.ErrorStrInvalidRequest, ErrorDescription: "capabilities cannot be empty"},
+		}.Send(ctx)
+	}
 	switch req.OIDCFlow {
 	case model.OIDCFlowAuthorizationCode:
 		return authcode.StartAuthCodeFlow(ctx, *req).Send(ctx)
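Review bot: The new guard `req.Capabilities != nil && len(req.Capabilities) == 0` rejects only an explicit empty list (`"capabilities": []`); a `null` value or an absent field decodes to a nil slice and passes straight through to the flow switch. If the intent is that a caller must name at least one capability, `"capabilities": null` bypasses the check and `len(req.Capabilities) == 0` alone would close that gap; if a nil slice is meant to trigger a server-side default, that default is applied somewhere outside this hunk and the condition deserves a comment such as `// nil = not supplied (defaults apply later); an explicit empty list is rejected`. Either way the distinction is security-relevant, since capabilities bound what the issued mytoken can do. handleOIDCFlow starts and ends outside this hunk.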
diff --git a/shared/mytoken/mytokenHandler.go b/shared/mytoken/mytokenHandler.go
index 1431e60e..0f32f197 100644
--- a/shared/mytoken/mytokenHandler.go
+++ b/shared/mytoken/mytokenHandler.go
@@ -104,6 +104,12 @@ func HandleMytokenFromMytoken(ctx *fiber.Ctx) *model.Response {
 	if err := json.Unmarshal(ctx.Body(), &req); err != nil {
 		return model.ErrorToBadRequestErrorResponse(err)
 	}
+	if req.Capabilities != nil && len(req.Capabilities) == 0 {
+		return &model.Response{
+			Status:   fiber.StatusBadRequest,
+			Response: api.Error{Error: api.ErrorStrInvalidRequest, ErrorDescription: "capabilities cannot be empty"},
+		}
+	}
 	req.Restrictions.ReplaceThisIp(ctx.IP())
 	req.Restrictions.ClearUnsupportedKeys()
 	log.Trace("Parsed mytoken request")
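Review bot: The condition and the literal `"capabilities cannot be empty"` on the added lines duplicate the check added to mytokenEndpoint.go in the same commit, so the two token-issuing paths can drift apart the next time the rule changes (e.g. if `null` is later treated like `[]`). A shared helper in the `api` package, such as `api.ErrorEmptyCapabilities` or a single `req.ValidateCapabilities() *model.Response` called from both handlers, would keep the rule in one place. As written, a nil slice from `"capabilities": null` or an omitted field still passes here and reaches the restrictions handling below; whether that is intended depends on defaults applied later in HandleMytokenFromMytoken, which ends outside this hunk.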
-- 
GitLab