CSRF to login as another user - OAuth callback
Follow-up from https://gitlab.com/gitlab-org/gitter/webapp/issues/2061
The OAuth callback endpoints are susceptible to CSRF. This means that someone can redirect you to the callback URL and sign you in to some other account.
- ❌ GitLab: `GET https://gitter.im/login/gitlab/callback?code=xxx`
- ❓ Twitter: `GET https://gitter.im/login/twitter/callback?code=xxx`
  - https://github.com/jaredhanson/passport-twitter
  - `passport-twitter` seems like it may use the session already, https://github.com/jaredhanson/passport-twitter/blob/095a9b1d581762cf9cd7388e820d528da7f1cd05/lib/strategy.js#L51
- ✔ GitHub: `GET http://localhost:5000/login/callback?code=xxx&state=xxx`
  - https://github.com/troupe/passport-github
  - Already uses the `state` parameter but does suffer from https://gitlab.com/gitlab-org/gitter/webapp/issues/2069
Possible solutions

- Add a `state` query parameter that is passed through the whole login process, https://docs.gitlab.com/ee/api/oauth2.html
cc @dappelt
Edited by Eric Eastwood