DefGuard · moubctez · Sep 18, 2025 · Sep 17, 2025 · Sep 18, 2025 · Sep 18, 2025
diff --git a/...88357f5403c2e9e97fa17e502223bbcc918a.json → ...35ad0e24e4855aa42cdceab2712f8c8dbef4.json b/...88357f5403c2e9e97fa17e502223bbcc918a.json → ...35ad0e24e4855aa42cdceab2712f8c8dbef4.json
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/defguard_core/src/db/models/auth_code.rs b/crates/defguard_core/src/db/models/auth_code.rs
@@ -1,29 +1,30 @@
 use chrono::Utc;
 use model_derive::Model;
-use sqlx::{Error as SqlxError, PgPool, query_as};
+use sqlx::{PgExecutor, query_as};
 
 use crate::{
     db::{Id, NoId},
     random::gen_alphanumeric,
 };
 
-#[derive(Model, Clone)]
+#[derive(Model)]
 #[table(authorization_code)]
-pub struct AuthCode<I = NoId> {
+pub(crate) struct AuthCode<I = NoId> {
+    #[allow(dead_code)]
     id: I,
-    pub user_id: Id,
-    pub client_id: String,
-    pub code: String,
-    pub redirect_uri: String,
-    pub scope: String,
-    pub auth_time: i64,
-    pub nonce: Option<String>,
-    pub code_challenge: Option<String>,
+    pub(crate) user_id: Id,
+    pub(crate) client_id: String,
+    pub(crate) code: String,
+    pub(crate) redirect_uri: String,
+    pub(crate) scope: String,
+    pub(crate) auth_time: i64,
+    pub(crate) nonce: Option<String>,
+    pub(crate) code_challenge: Option<String>,
 }
 
 impl AuthCode {
     #[must_use]
-    pub fn new(
+    pub(crate) fn new(
         user_id: Id,
         client_id: String,
         redirect_uri: String,
@@ -46,21 +47,41 @@ impl AuthCode {
     }
 }
 
+impl From<AuthCode<Id>> for AuthCode<NoId> {
+    fn from(value: AuthCode<Id>) -> Self {
+        Self {
+            id: NoId,
+            user_id: value.user_id,
+            client_id: value.client_id,
+            code: value.code,
+            redirect_uri: value.redirect_uri,
+            scope: value.scope,
+            auth_time: value.auth_time,
+            nonce: value.nonce,
+            code_challenge: value.code_challenge,
+        }
+    }
+}
+
 impl AuthCode<Id> {
     /// Find by code.
-    pub async fn find_code(pool: &PgPool, code: &str) -> Result<Option<Self>, SqlxError> {
+    /// If found, delete `AuthCode` from the database right away, so it can't be reused.
+    pub(crate) async fn find_code<'e, E>(
+        executor: E,
+        code: &str,
+    ) -> Result<Option<AuthCode<NoId>>, sqlx::Error>
+    where
+        E: PgExecutor<'e>,
+    {
         query_as!(
             Self,
-            "SELECT id, user_id, client_id, code, redirect_uri, scope, auth_time, nonce, \
-            code_challenge FROM authorization_code WHERE code = $1",
+            "DELETE FROM authorization_code WHERE code = $1 \
+            RETURNING id, user_id, client_id, code, redirect_uri, scope, auth_time, nonce, \
+            code_challenge",
             code
         )
-        .fetch_optional(pool)
+        .fetch_optional(executor)
         .await
-    }
-
-    // Remove a used authorization_code
-    pub async fn consume(self, pool: &PgPool) -> Result<(), SqlxError> {
-        self.delete(pool).await
+        .map(|inner_option| inner_option.map(Into::into))
     }
 }
diff --git a/crates/defguard_core/src/db/models/oauth2client.rs b/crates/defguard_core/src/db/models/oauth2client.rs
@@ -1,5 +1,4 @@
 use model_derive::Model;
-use reqwest::Url;
 use sqlx::{Error as SqlxError, PgExecutor, PgPool, query_as};
 
 use super::NewOpenIDClient;
@@ -103,23 +102,17 @@ impl OAuth2Client<Id> {
         .await
     }
 
-    /// Checks if `url` matches client config (ignoring trailing slashes)
+    /// Checks if `url` matches client config (ignoring trailing slashes).
     pub(crate) fn contains_redirect_url(&self, url: &str) -> bool {
-        let parsed_redirect_uris: Vec<String> = self
-            .redirect_uri
-            .iter()
-            .map(|uri| uri.trim_end_matches('/').into())
-            .collect();
+        let url_trimmed = url.trim_end_matches('/');
 
-        // extract origin from url
-        let Ok(url) = Url::parse(url) else {
-            return false;
-        };
-        let url = url.origin().ascii_serialization();
+        for redirect in &self.redirect_uri {
+            if url_trimmed == redirect.trim_end_matches('/') {
+                return true;
+            }
+        }
 
-        !url.split(' ')
-            .map(|uri| uri.trim_end_matches('/'))
-            .all(|uri| !parsed_redirect_uris.iter().any(|u| u == uri))
+        false
     }
 }
 
@@ -140,3 +133,28 @@ impl From<OAuth2Client<Id>> for OAuth2ClientSafe {
         }
     }
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_contains_redirect_url() {
+        let oauth2client = OAuth2Client {
+            id: 1,
+            client_id: String::new(),
+            client_secret: String::new(),
+            redirect_uri: vec![
+                String::from("http://localhost/"),
+                String::from("http://safe.net/"),
+            ],
+            scope: Vec::new(),
+            name: String::new(),
+            enabled: true,
+        };
+        assert!(oauth2client.contains_redirect_url("http://safe.net"));
+        assert!(oauth2client.contains_redirect_url("http://localhost"));
+        assert!(!oauth2client.contains_redirect_url("http://safe.net/api"));
+        assert!(!oauth2client.contains_redirect_url("http://nonexistent:8000"));
+    }
+}