From 34c88c88739bdd9b01cc4258b886d112a6ab532e Mon Sep 17 00:00:00 2001
From: Debug <49997488+DebugOk@users.noreply.github.com>
Date: Tue, 12 Mar 2024 00:40:42 +0100
Subject: [PATCH] Enable PS256 signing by default on oauth apps and add a checkbox for existing apps (#18)
* Allow PS256 signing by default
* Add a checkbox to enable/disable PS256 signing
---
 .../Pages/Account/Manage/OAuthApps/Create.cshtml.cs | 1 +
 .../Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml | 6 ++++++
 .../Pages/Account/Manage/OAuthApps/Manage.cshtml.cs | 8 +++++++-
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
index 0814cd1..ada6ff1 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Create.cshtml.cs
@@ -62,6 +62,7 @@ public async Task OnPostAsync()
 new() { Scope = "profile" },
 new() { Scope = "email" }
 },
+ AllowedIdentityTokenSigningAlgorithms = "PS256",
 RedirectUris = new List
 {
 new() { RedirectUri = Input.CallbackUrl }
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
index 9a15bbd..11cdf3b 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml
@@ -45,6 +45,12 @@
+
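Review bot: In Create.cshtml.cs, the added `AllowedIdentityTokenSigningAlgorithms = "PS256",` reads as a single-entry allow-list, so every newly created app would be restricted to PS256-signed identity tokens rather than given PS256 as an extra option. That presumably only works if the identity server has a PS256-capable signing key registered and relying parties accept PS256, neither of which is visible in this patch; a comment such as `// Requires a PS256 signing key to be configured on the identity server` would record the dependency. The `"PS256"` literal is repeated in the OnGetAsync and OnPostUpdateAsync hunks of Manage.cshtml.cs, and one shared constant would keep the three in step. The initializer and OnPostAsync both start and end outside the hunk.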
+
+ + +
+
diff --git a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
index a641290..a7c252f 100644
--- a/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
+++ b/SS14.Web/Areas/Identity/Pages/Account/Manage/OAuthApps/Manage.cshtml.cs
@@ -44,6 +44,10 @@ public sealed class InputModel
 [Required]
 [DisplayName("Require PKCE")]
 public bool RequirePkce { get; set; }
+
+ [Required]
+ [DisplayName("Allow PS256 signing")]
+ public bool AllowPS256 { get; set; } = true;
 }
 public Manage(ApplicationDbContext dbContext, UserManager userManager)
@@ -62,7 +66,8 @@ public async Task OnGetAsync(int client)
 Name = App.Client.ClientName,
 CallbackUrl = App.Client.RedirectUris.FirstOrDefault()?.RedirectUri ?? "",
 HomepageUrl = App.Client.ClientUri,
- RequirePkce = App.Client.RequirePkce
+ RequirePkce = App.Client.RequirePkce,
+ AllowPS256 = App.Client.AllowedIdentityTokenSigningAlgorithms?.Contains("PS256") ?? false
 };
 return Page();
@@ -77,6 +82,7 @@ public async Task OnPostUpdateAsync(int client)
 App.Client.RedirectUris = new List { new() { RedirectUri = Input.CallbackUrl } };
 App.Client.ClientUri = Input.HomepageUrl;
 App.Client.RequirePkce = Input.RequirePkce;
+ App.Client.AllowedIdentityTokenSigningAlgorithms = Input.AllowPS256 ? "PS256" : null;
 await _dbContext.SaveChangesAsync();
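Review bot: The `= true` initializer on `AllowPS256` in InputModel means a POST that omits the field binds as enabled, and `[Required]` on a non-nullable `bool` never fails validation, so nothing catches the omission. If the checkbox in Manage.cshtml is rendered without the hidden `false` companion field (the markup is not legible on this page), unchecking the box would not clear the setting. OnGetAsync assigns the property explicitly, so the initializer only affects binding; `public bool AllowPS256 { get; set; }` would make an absent field bind as false, matching `RequirePkce` above it. InputModel begins outside the hunk.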
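Review bot: The assignment to `App.Client.AllowedIdentityTokenSigningAlgorithms` in OnPostUpdateAsync overwrites the stored value with either `"PS256"` or `null`, so a client whose allow-list held any other algorithm loses it on every save of this form, even when only the name was edited. OnGetAsync reads the same field with `Contains("PS256")`, which implies multi-value content is expected, and which is a substring match rather than a match on a whole entry. Assuming the column is a comma-separated list (not confirmed by this patch), the update should add or remove only the PS256 entry and write the remaining entries back, as sketched below. OnPostUpdateAsync begins and ends outside the hunk.

```csharp
// … unchanged: RedirectUris, ClientUri and RequirePkce assignments …
var algorithms = (App.Client.AllowedIdentityTokenSigningAlgorithms ?? "")
    .Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
    .Where(a => a != "PS256")
    .ToList();
if (Input.AllowPS256)
{
    algorithms.Add("PS256");
}
// Keep null for "no restriction" so the server default still applies.
App.Client.AllowedIdentityTokenSigningAlgorithms =
    algorithms.Count > 0 ? string.Join(",", algorithms) : null;
```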