From fde54f3b18e336b56b65b7c20c4f25ece3702e97 Mon Sep 17 00:00:00 2001
From: 0x0fbc <10455804+0x0fbc@users.noreply.github.com>
Date: Fri, 7 Jun 2024 00:28:10 -0400
Subject: [PATCH] more cleanup

---
 src/api/core/two_factor/duo_oidc.rs | 8 ++++----
 src/api/identity.rs | 5 ++++-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/src/api/core/two_factor/duo_oidc.rs b/src/api/core/two_factor/duo_oidc.rs
index 546e2fa8..d8096bd9 100644
--- a/src/api/core/two_factor/duo_oidc.rs
+++ b/src/api/core/two_factor/duo_oidc.rs
@@ -131,7 +131,8 @@ struct IdTokenClaims {
 nonce: String,
 }
 
-// Duo WebSDK 4 Client
+// Duo OIDC Authorization Client
+// See https://duo.com/docs/oauthapi
 struct DuoClient {
 client_id: String, // Duo Client ID (DuoData.ik)
 client_secret: String, // Duo Client Secret (DuoData.sk)
@@ -140,7 +141,6 @@ struct DuoClient {
 jwt_exp_seconds: i64, // Number of seconds that JWTs we create should be valid for
 }
 
-// See https://duo.com/docs/oauthapi
 impl DuoClient {
 
 // Construct a new DuoClient
@@ -240,7 +240,7 @@ impl DuoClient {
 let jwt_payload = AuthorizationRequest {
 response_type: String::from("code"),
 scope: String::from("openid"),
-exp: now,
+exp: now + self.jwt_exp_seconds,
 client_id: self.client_id.clone(),
 redirect_uri: self.redirect_uri.clone(),
 state,
@@ -303,7 +303,7 @@ impl DuoClient {
 post_body.insert("client_assertion", token);
 
 let res = match get_reqwest_client()
-.post(token_url.clone())
+.post(&token_url)
 .header(header::USER_AGENT, "vaultwarden:Duo/2.0 (Rust)")
 .form(&post_body)
 .send()
diff --git a/src/api/identity.rs b/src/api/identity.rs
index 558ac2c9..4289bd23 100644
--- a/src/api/identity.rs
+++ b/src/api/identity.rs
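Review bot: The corrected `exp: now + self.jwt_exp_seconds` in the `AuthorizationRequest` hunk makes the assertion's lifetime depend entirely on `jwt_exp_seconds`, and nothing visible bounds that value: a zero or negative setting would again yield a JWT that is expired on arrival, while a large one widens the window in which a captured signed request could be replayed against Duo. I would state the constraint on the field in the first hunk, e.g. `jwt_exp_seconds: i64, // validity window of the JWTs we sign; must be > 0 and kept short (check the accepted lifetime in the Duo OAuth API docs linked above)`, and enforce `> 0` where the client is constructed, which lies outside these hunks. The method that builds `jwt_payload` begins and ends outside the hunk, so I cannot see whether `now` is the same instant used for an `iat` claim; if it is not, it should be. The `.post(&token_url)` change in the last hunk is fine as written.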
@@ -523,9 +523,11 @@ async fn twofactor_auth(
 Some(TwoFactorType::Duo | TwoFactorType::OrganizationDuo) => {
 match CONFIG.duo_use_iframe() {
 true => {
+// Legacy iframe prompt flow
 duo::validate_duo_login(data.username.as_ref().unwrap().trim(), twofactor_code, conn).await?
 }
 false => {
+// OIDC based flow
 duo_oidc::validate_duo_login(data.username.as_ref().unwrap().trim(), twofactor_code, client_type, conn).await?
 }
 }
@@ -594,9 +596,9 @@ async fn _json_err_twofactor(providers: &[i32], user_uuid: &str, client_type: &C
 None => err!("User does not exist"),
 };
 
-// Should we try to use the legacy iframe prompt?
 match CONFIG.duo_use_iframe() {
 true => {
+// Legacy iframe prompt flow
 let (signature, host) = duo::generate_duo_signature(&email, conn).await?;
 result["TwoFactorProviders2"][provider.to_string()] = json!({
 "Host": host,
@@ -604,6 +606,7 @@ async fn _json_err_twofactor(providers: &[i32], user_uuid: &str, client_type: &C
 })
 }
 false => {
+// OIDC based flow
 let auth_url = duo_oidc::get_duo_auth_url(&email, client_type, conn).await?;
 result["TwoFactorProviders2"][provider.to_string()] = json!({
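Review bot: Both arms of the `match CONFIG.duo_use_iframe()` in the `twofactor_auth` hunk repeat `data.username.as_ref().unwrap().trim()`, an `unwrap()` on a field of the client-supplied login request; whether an earlier check guarantees `username` is present is not visible here, and if it is not, a request without it panics the handler instead of returning a clean error. I would hoist it once above the match, `let Some(username) = data.username.as_deref().map(str::trim) else { err!("Username is required") };`, and pass `username` to both `validate_duo_login` calls, which also keeps the two arms from drifting apart. As a style point, matching on a `bool` with `true =>`/`false =>` arms (here and in the `_json_err_twofactor` hunk) is what clippy's `match_bool` flags; `if CONFIG.duo_use_iframe() { … } else { … }` reads the same with the new arm comments kept. `twofactor_auth` begins and ends outside the hunk.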