Refactor validators (#62)

Refactor validators

src/Shark.AuthorizationServer.Core/ApplicationServices/TokenApplicationService.cs

@@ -100,7 +100,7 @@ private async Task<ITokenInternalResponse> HandleAuthorizationCode(TokenInternal
 
         _logger.LogInformation(
             "Found matching authorization code {Code}. Issuing access token and refresh token for {GrantType} grant",
-            request.Code,
+            request.Code.Sanitize(),
             GrantType.AuthorizationCode);
 
         var tokenResponse = await GenerateAndStoreBearerToken(

src/Shark.AuthorizationServer.Core/Validators/AuthorizeValidator.cs

@@ -9,20 +9,34 @@
 
 namespace Shark.AuthorizationServer.Core.Validators;
 
-public sealed class AuthorizeValidator(ILogger<AuthorizeValidator> logger) : IAuthorizeValidator
+public sealed class AuthorizeValidator(
+    ILogger<AuthorizeValidator> logger) : BaseValidator<AuthorizeInternalBadRequestResponse>, IAuthorizeValidator
 {
     private readonly ILogger<AuthorizeValidator> _logger = logger;
 
     public AuthorizeInternalBadRequestResponse? ValidateRequest(AuthorizeInternalRequest request, Client? client)
     {
-        // Validate client
+        return CheckAll(
+            ValidateClient(client),
+            ValidateResponseType(request, client!),
+            ValidateRedirectUri(request, client!),
+            ValidateScopes(request, client!),
+            ValidateCodeChallengeMethod(request));
+    }
+
+    private AuthorizeInternalBadRequestResponse? ValidateClient(Client? client)
+    {
         if (client == null)
         {
             _logger.LogWarning("Unknown client");
             return new AuthorizeInternalBadRequestResponse(Error.InvalidClient);
         }
 
-        // Validate response type
+        return null;
+    }
+
+    private AuthorizeInternalBadRequestResponse? ValidateResponseType(AuthorizeInternalRequest request, Client client)
+    {
         if (!ResponseType.Supported.Contains(request.ResponseType))
         {
             _logger.LogWarning(
@@ -39,14 +53,22 @@ public sealed class AuthorizeValidator(ILogger<AuthorizeValidator> logger) : IAu
             return new AuthorizeInternalBadRequestResponse(Error.UnauthorizedClient);
         }
 
-        // Validate redirect URI
+        return null;
+    }
+
+    private AuthorizeInternalBadRequestResponse? ValidateRedirectUri(AuthorizeInternalRequest request, Client client)
+    {
         if (!client.RedirectUris.Contains(request.RedirectUri))
         {
             _logger.LogWarning("Mismatched redirect URL [{RedirectUri}] for client", request.RedirectUri.Sanitize());
             return new AuthorizeInternalBadRequestResponse(Error.InvalidClient);
         }
 
-        // Validate requested scopes against client's allowed scopes
+        return null;
+    }
+
+    private AuthorizeInternalBadRequestResponse? ValidateScopes(AuthorizeInternalRequest request, Client client)
+    {
         var allowedClientScopes = client.Scope.ToHashSet();
         var scopes = request.Scopes;
         foreach (var scope in scopes)
@@ -58,7 +80,11 @@ public sealed class AuthorizeValidator(ILogger<AuthorizeValidator> logger) : IAu
             }
         }
 
-        // Validate code challenge method
+        return null;
+    }
+
+    private AuthorizeInternalBadRequestResponse? ValidateCodeChallengeMethod(AuthorizeInternalRequest request)
+    {
         if (!string.IsNullOrWhiteSpace(request.CodeChallengeMethod) &&
             !CodeChallengeMethod.Supported.Contains(request.CodeChallengeMethod))
         {

src/Shark.AuthorizationServer.Core/Validators/BaseValidator.cs

@@ -0,0 +1,18 @@
+namespace Shark.AuthorizationServer.Core.Validators;
+
+public abstract class BaseValidator<T>
+    where T : class
+{
+    protected T? CheckAll(params T?[] responses)
+    {
+        foreach (var response in responses)
+        {
+            if (response != null)
+            {
+                return response;
+            }
+        }
+
+        return null;
+    }
+}

src/Shark.AuthorizationServer.Core/Validators/DeviceAuthorizationValidator.cs

@@ -9,24 +9,48 @@
 
 namespace Shark.AuthorizationServer.Core.Validators;
 public sealed class DeviceAuthorizationValidator(
-    ILogger<DeviceAuthorizationValidator> logger) : IDeviceAuthorizationValidator
+    ILogger<DeviceAuthorizationValidator> logger) :
+    BaseValidator<DeviceAuthorizationBadRequestResponse>,
+    IDeviceAuthorizationValidator
 {
     private readonly ILogger<DeviceAuthorizationValidator> _logger = logger;
 
-    public DeviceAuthorizationBadRequestResponse? ValidateRequest(DeviceAuthorizationInternalRequest request, Client? client)
+    public DeviceAuthorizationBadRequestResponse? ValidateRequest(
+        DeviceAuthorizationInternalRequest request,
+        Client? client)
+    {
+        return CheckAll(
+            ValidateClient(client),
+            ValidateClientSecret(request, client!),
+            ValidateGrantTypes(client!));
+    }
+
+    private DeviceAuthorizationBadRequestResponse? ValidateClient(Client? client)
     {
         if (client == null)
         {
             _logger.LogWarning("Unknown client");
             return new DeviceAuthorizationBadRequestResponse(Error.InvalidClient);
         }
 
+        return null;
+    }
+
+    private DeviceAuthorizationBadRequestResponse? ValidateClientSecret(
+        DeviceAuthorizationInternalRequest request,
+        Client client)
+    {
         if (!request.ClientSecret.EqualsTo(client.ClientSecret))
         {
             _logger.LogWarning("Invalid client secret");
             return new DeviceAuthorizationBadRequestResponse(Error.InvalidClient);
         }
 
+        return null;
+    }
+
+    private DeviceAuthorizationBadRequestResponse? ValidateGrantTypes(Client client)
+    {
         if (!client.GrantTypes.ToHashSet().Contains(GrantType.DeviceCode))
         {
             _logger.LogWarning("Unsupported grant [{GrantType}] by client", GrantType.DeviceCode);