Commit 2ac0de88 authored by Eric Eastwood's avatar Eric Eastwood

Merge branch '2074-2069-fix-oauth-csrf' into 'develop'

Fix CSRF to login as another user - OAuth callback

See merge request MadLittleMods/webapp!15
parents 29308a35 fee99a94
......@@ -1371,34 +1371,6 @@
}
}
},
"@gitterhq/passport-github": {
"version": "0.1.8-g",
"resolved": "https://registry.npmjs.org/@gitterhq/passport-github/-/passport-github-0.1.8-g.tgz",
"integrity": "sha1-stnDgt91jyQMrahUBUP3sSlK34U=",
"requires": {
"@gitterhq/passport-oauth": "^1.0.0-f",
"pkginfo": "0.2.x"
}
},
"@gitterhq/passport-oauth": {
"version": "1.0.0-f",
"resolved": "https://registry.npmjs.org/@gitterhq/passport-oauth/-/passport-oauth-1.0.0-f.tgz",
"integrity": "sha1-sc6zowbsR/eQY/u+h7t4/nAk+Gg=",
"requires": {
"@gitterhq/passport-oauth2": "^1.1.2-b",
"passport-oauth1": "1.x.x"
}
},
"@gitterhq/passport-oauth2": {
"version": "1.1.2-b",
"resolved": "https://registry.npmjs.org/@gitterhq/passport-oauth2/-/passport-oauth2-1.1.2-b.tgz",
"integrity": "sha1-1O/iZO3BjgMbdIYYg8vgHjBVaW0=",
"requires": {
"oauth": "0.9.x",
"passport-strategy": "1.x.x",
"uid2": "0.0.x"
}
},
"@gitterhq/redis-sentinel-client": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/@gitterhq/redis-sentinel-client/-/redis-sentinel-client-0.3.0.tgz",
......@@ -21207,18 +21179,26 @@
"dev": true
},
"passport": {
"version": "0.2.2",
"resolved": "https://registry.npmjs.org/passport/-/passport-0.2.2.tgz",
"integrity": "sha1-nDjxe+uSnz2Br3uIOOhDDbhwPys=",
"version": "0.4.0",
"resolved": "https://registry.npmjs.org/passport/-/passport-0.4.0.tgz",
"integrity": "sha1-xQlWkTR71a07XhgCOMORTRbwWBE=",
"requires": {
"passport-strategy": "1.x.x",
"pause": "0.0.1"
}
},
"passport-github2": {
"version": "0.1.11",
"resolved": "https://registry.npmjs.org/passport-github2/-/passport-github2-0.1.11.tgz",
"integrity": "sha1-yStW88OKROdmqsfp58E4TF6TyZk=",
"requires": {
"passport-oauth2": "1.x.x"
}
},
"passport-gitlab2": {
"version": "4.0.0",
"resolved": "https://registry.npmjs.org/passport-gitlab2/-/passport-gitlab2-4.0.0.tgz",
"integrity": "sha512-C/8/L8piHwv57J6fY/MzsEJc8yCkgsyBSzMWxfTfEHRvCaTkD08vJ5b/txydKrWrRPl4MHuZfisFnKlZHmq4yw==",
"version": "5.0.0",
"resolved": "https://registry.npmjs.org/passport-gitlab2/-/passport-gitlab2-5.0.0.tgz",
"integrity": "sha512-cXQMgM6JQx9wHVh7JLH30D8fplfwjsDwRz+zS0pqC8JS+4bNmc1J04NGp5g2M4yfwylH9kQRrMN98GxMw7q7cg==",
"requires": {
"passport-oauth2": "^1.4.0"
}
......@@ -21446,11 +21426,6 @@
}
}
},
"pkginfo": {
"version": "0.2.3",
"resolved": "https://registry.npmjs.org/pkginfo/-/pkginfo-0.2.3.tgz",
"integrity": "sha1-cjnEKl72wwuPMoQ52bn/cQQkkPg="
},
"platform": {
"version": "1.3.5",
"resolved": "https://registry.npmjs.org/platform/-/platform-1.3.5.tgz",
......
......@@ -3,8 +3,7 @@
var env = require('gitter-web-env');
var config = env.config;
var logger = env.logger;
var GitHubStrategy = require('@gitterhq/passport-github').Strategy;
var TokenStateProvider = require('@gitterhq/passport-oauth2').TokenStateProvider;
var GitHubStrategy = require('passport-github2').Strategy;
var callbackUrlBuilder = require('./callback-url-builder');
function githubUpgradeCallback(req, accessToken, refreshToken, params, _profile, done) {
......@@ -28,14 +27,15 @@ function githubUpgradeCallback(req, accessToken, refreshToken, params, _profile,
});
}
var statePassphrase = config.get('github:statePassphrase');
var githubUpgradeStrategy = new GitHubStrategy(
{
clientID: config.get('github:client_id'),
clientSecret: config.get('github:client_secret'),
callbackURL: callbackUrlBuilder(),
stateProvider: statePassphrase && new TokenStateProvider({ passphrase: statePassphrase }),
// Prevent CSRF by adding a state query parameter through the OAuth flow that is connected to the users session.
// These options come from the `require('passport-oauth2').Strategy`,
// https://github.com/jaredhanson/passport-oauth2/blob/master/lib/strategy.js
state: true,
skipUserProfile: true,
passReqToCallback: true
},
......
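Review bot: `state: true` binds the anti-CSRF state to `req.session`, so the OAuth callback route must now be mounted behind the same session middleware as the authorize route; passport-oauth2's session state store fails the request outright when `req.session` is absent, whereas the removed `TokenStateProvider` path did not depend on a session. The session cookie also has to be sent on the cross-site redirect back from the provider, so a `SameSite=Strict` session cookie would make every login fail at the state check — worth confirming against the cookie settings, which are not visible here. The same options are added in the user-strategy section and the GitLab-strategy section below, and a regression test asserting that a callback with a missing or mismatched `state` parameter is rejected would pin the fix for all three. Since neither strategy reads `github:statePassphrase` any more, that config key can be retired. The `new GitHubStrategy(` call continues past the end of the hunk.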
......@@ -7,8 +7,7 @@ var stats = env.stats;
var logger = env.logger;
var moment = require('moment');
var GitHubStrategy = require('@gitterhq/passport-github').Strategy;
var TokenStateProvider = require('@gitterhq/passport-oauth2').TokenStateProvider;
var GitHubStrategy = require('passport-github2').Strategy;
var extractGravatarVersion = require('gitter-web-avatars/server/extract-gravatar-version');
var gaCookieParser = require('../ga-cookie-parser');
var userService = require('gitter-web-users');
......@@ -169,14 +168,15 @@ function githubUserCallback(req, accessToken, refreshToken, params, _profile, do
.asCallback(done);
}
var statePassphrase = config.get('github:statePassphrase');
var githubUserStrategy = new GitHubStrategy(
{
clientID: config.get('github:user_client_id'),
clientSecret: config.get('github:user_client_secret'),
callbackURL: callbackUrlBuilder(),
stateProvider: statePassphrase && new TokenStateProvider({ passphrase: statePassphrase }),
// Prevent CSRF by adding a state query parameter through the OAuth flow that is connected to the users session.
// These options come from the `require('passport-oauth2').Strategy`,
// https://github.com/jaredhanson/passport-oauth2/blob/master/lib/strategy.js
state: true,
skipUserProfile: true,
passReqToCallback: true
},
......
......@@ -44,6 +44,10 @@ var gitlabStrategy = new GitLabStrategy(
clientID: config.get('gitlaboauth:client_id'),
clientSecret: config.get('gitlaboauth:client_secret'),
callbackURL: callbackUrlBuilder('gitlab'),
// Prevent CSRF by adding a state query parameter through the OAuth flow that is connected to the users session.
// These options come from the `require('passport-oauth2').Strategy`,
// https://github.com/jaredhanson/passport-oauth2/blob/master/lib/strategy.js
state: true,
passReqToCallback: true,
scope: ['read_user', 'api'],
scopeSeparator: ' '
......