target_url form url encoded

CHANGELOG.md

@@ -1,5 +1,9 @@
 # CHANGELOG
 
+### v0.6.1
+
++   `target_url` query parameter form url encoded
+
 ### v0.6.0
 
 +   Plug Pipeline config `:pre_session_create_pipeline`

lib/samly/auth_handler.ex

@@ -1,6 +1,7 @@
 defmodule Samly.AuthHandler do
   @moduledoc false
 
+  require Logger
   import Plug.Conn
   alias Samly.Helper
   alias Samly.State
@@ -38,28 +39,26 @@ defmodule Samly.AuthHandler do
   def initiate_sso_req(conn) do
     import Plug.CSRFProtection, only: [get_csrf_token: 0]
 
-    if valid_referer?(conn) do
-      target_url = if conn.params["target_url"] do
-        conn.params["target_url"]
-        |>  URI.decode_www_form()
-        |>  URI.encode_www_form()
-      else
-        nil
-      end
-
+    with  true <- valid_referer?(conn),
+          target_url = conn.params["target_url"],
+          target_url = (if target_url, do: URI.decode_www_form(target_url), else: nil)
+    do
       opts = [
         action: conn.request_path,
-        target_url: target_url,
+        target_url: (if target_url, do: URI.encode_www_form(target_url), else: nil),
         csrf_token: get_csrf_token()
       ]
 
       conn
       |>  put_resp_header("Content-Type", "text/html")
       |>  send_resp(200, EEx.eval_string(@sso_init_resp_template, opts))
     else
-      conn
-      |>  send_resp(403, "invalid_request")
+      _ -> conn |> send_resp(403, "invalid_request")
     end
+  rescue
+    error ->
+      Logger.error("#{inspect error}")
+      conn |> send_resp(500, "request_failed")
   end
 
   def send_signin_req(conn) do
@@ -82,16 +81,22 @@ defmodule Samly.AuthHandler do
         |>  configure_session(renew: true)
         |>  put_session("relay_state", relay_state)
         |>  put_session("target_url", target_url)
-        |>  send_saml_request(idp_signin_url, req_xml_frag, relay_state)
+        |>  send_saml_request(idp_signin_url, req_xml_frag, relay_state |> URI.encode_www_form())
     end
+  rescue
+    error ->
+      Logger.error("#{inspect error}")
+      conn |> send_resp(500, "request_failed")
   end
 
   def send_signout_req(conn) do
     sp = Helper.get_sp() |> Helper.ensure_sp_uris_set(conn)
     idp_metadata = Helper.get_idp_metadata()
+
     target_url = conn.params["target_url"] || "/"
-    nameid = get_session(conn, "samly_nameid")
+    |>  URI.decode_www_form()
 
+    nameid = get_session(conn, "samly_nameid")
     case State.get_by_nameid(nameid) do
       {^nameid, _saml_assertion} ->
         {idp_signout_url, req_xml_frag} = Helper.gen_idp_signout_req(sp, idp_metadata, nameid)
@@ -103,10 +108,14 @@ defmodule Samly.AuthHandler do
         |>  put_session("target_url", target_url)
         |>  put_session("relay_state", relay_state)
         |>  delete_session("samly_nameid")
-        |>  send_saml_request(idp_signout_url, req_xml_frag, relay_state)
+        |>  send_saml_request(idp_signout_url, req_xml_frag, relay_state |> URI.encode_www_form())
       _ ->
         conn
         |>  send_resp(403, "access_denied")
     end
+  rescue
+    error ->
+      Logger.error("#{inspect error}")
+      conn |> send_resp(500, "request_failed")
   end
 end

lib/samly/sp_handler.ex

@@ -1,6 +1,7 @@
 defmodule Samly.SPHandler do
   @moduledoc false
 
+  require Logger
   import Plug.Conn
   alias Plug.Conn
   require Samly.Esaml
@@ -16,14 +17,18 @@ defmodule Samly.SPHandler do
     conn
     |>  put_resp_header("Content-Type", "text/xml")
     |>  send_resp(200, metadata)
+  rescue
+    error ->
+      Logger.error("#{inspect error}")
+      conn |> send_resp(500, "request_failed")
   end
 
   def consume_signin_response(conn) do
     sp = Helper.get_sp() |> Helper.ensure_sp_uris_set(conn)
 
     saml_encoding = conn.body_params["SAMLEncoding"]
     saml_response = conn.body_params["SAMLResponse"]
-    relay_state   = conn.body_params["RelayState"]
+    relay_state   = conn.body_params["RelayState"] |> URI.decode_www_form()
 
     pipeline = Application.get_env(:samly, :pre_session_create_pipeline)
 
@@ -44,7 +49,7 @@ defmodule Samly.SPHandler do
       conn
       |>  configure_session(renew: true)
       |>  put_session("samly_nameid", nameid)
-      |>  redirect(302, target_url)
+      |>  redirect(302, target_url |> URI.decode_www_form())
     else
       {:halted, conn} -> conn
       {:error, reason} ->
@@ -54,6 +59,10 @@ defmodule Samly.SPHandler do
         conn
         |>  send_resp(403, "access_denied")
     end
+  rescue
+    error ->
+      Logger.error("#{inspect error}")
+      conn |> send_resp(500, "request_failed")
   end
 
   defp pipethrough(conn, nil), do: conn
@@ -66,20 +75,24 @@ defmodule Samly.SPHandler do
 
     saml_encoding = conn.body_params["SAMLEncoding"]
     saml_response = conn.body_params["SAMLResponse"]
-    relay_state   = conn.body_params["RelayState"]
+    relay_state   = conn.body_params["RelayState"] |> URI.decode_www_form()
 
     with  {:ok, _payload} <- Helper.decode_idp_signout_resp(sp, saml_encoding, saml_response),
           ^relay_state when relay_state != nil <- get_session(conn, "relay_state"),
           target_url when target_url != nil <- get_session(conn, "target_url")
     do
       conn
       |>  configure_session(drop: true)
-      |>  redirect(302, target_url)
+      |>  redirect(302, target_url |> URI.decode_www_form())
     else
       error ->
         conn
         |> send_resp(403, "invalid_request #{inspect error}")
     end
+  rescue
+    error ->
+      Logger.error("#{inspect error}")
+      conn |> send_resp(500, "request_failed")
   end
 
   # non-ui logout request from IDP
@@ -110,5 +123,9 @@ defmodule Samly.SPHandler do
         conn
         |>  send_saml_request(idp_signout_url, resp_xml_frag, relay_state)
     end
+  rescue
+    error ->
+      Logger.error("#{inspect error}")
+      conn |> send_resp(500, "request_failed")
   end
 end

mix.exs

@@ -1,7 +1,7 @@
 defmodule Samly.Mixfile do
   use Mix.Project
 
-  @version "0.6.0"
+  @version "0.6.1"
   @description "SAML plug"
   @source_url "https://github.com/handnot2/samly"