Commit a7a1c49f authored by Eric Eastwood's avatar Eric Eastwood

Fix GitHub OAuth CSRF (state query parameter)

 - Now using standard session state
 - Switched to `passport-github2` (previously `@gitterhq/passport-github`)
    -  https://www.npmjs.com/package/passport-github2

Fix gitlab-org/gitter/webapp#2069

Part of gitlab-org/gitter/webapp#2074
parent 29308a35
......@@ -1371,34 +1371,6 @@
}
}
},
"@gitterhq/passport-github": {
"version": "0.1.8-g",
"resolved": "https://registry.npmjs.org/@gitterhq/passport-github/-/passport-github-0.1.8-g.tgz",
"integrity": "sha1-stnDgt91jyQMrahUBUP3sSlK34U=",
"requires": {
"@gitterhq/passport-oauth": "^1.0.0-f",
"pkginfo": "0.2.x"
}
},
"@gitterhq/passport-oauth": {
"version": "1.0.0-f",
"resolved": "https://registry.npmjs.org/@gitterhq/passport-oauth/-/passport-oauth-1.0.0-f.tgz",
"integrity": "sha1-sc6zowbsR/eQY/u+h7t4/nAk+Gg=",
"requires": {
"@gitterhq/passport-oauth2": "^1.1.2-b",
"passport-oauth1": "1.x.x"
}
},
"@gitterhq/passport-oauth2": {
"version": "1.1.2-b",
"resolved": "https://registry.npmjs.org/@gitterhq/passport-oauth2/-/passport-oauth2-1.1.2-b.tgz",
"integrity": "sha1-1O/iZO3BjgMbdIYYg8vgHjBVaW0=",
"requires": {
"oauth": "0.9.x",
"passport-strategy": "1.x.x",
"uid2": "0.0.x"
}
},
"@gitterhq/redis-sentinel-client": {
"version": "0.3.0",
"resolved": "https://registry.npmjs.org/@gitterhq/redis-sentinel-client/-/redis-sentinel-client-0.3.0.tgz",
......@@ -21207,14 +21179,22 @@
"dev": true
},
"passport": {
"version": "0.2.2",
"resolved": "https://registry.npmjs.org/passport/-/passport-0.2.2.tgz",
"integrity": "sha1-nDjxe+uSnz2Br3uIOOhDDbhwPys=",
"version": "0.4.0",
"resolved": "https://registry.npmjs.org/passport/-/passport-0.4.0.tgz",
"integrity": "sha1-xQlWkTR71a07XhgCOMORTRbwWBE=",
"requires": {
"passport-strategy": "1.x.x",
"pause": "0.0.1"
}
},
"passport-github2": {
"version": "0.1.11",
"resolved": "https://registry.npmjs.org/passport-github2/-/passport-github2-0.1.11.tgz",
"integrity": "sha1-yStW88OKROdmqsfp58E4TF6TyZk=",
"requires": {
"passport-oauth2": "1.x.x"
}
},
"passport-gitlab2": {
"version": "4.0.0",
"resolved": "https://registry.npmjs.org/passport-gitlab2/-/passport-gitlab2-4.0.0.tgz",
......@@ -21446,11 +21426,6 @@
}
}
},
"pkginfo": {
"version": "0.2.3",
"resolved": "https://registry.npmjs.org/pkginfo/-/pkginfo-0.2.3.tgz",
"integrity": "sha1-cjnEKl72wwuPMoQ52bn/cQQkkPg="
},
"platform": {
"version": "1.3.5",
"resolved": "https://registry.npmjs.org/platform/-/platform-1.3.5.tgz",
......
......@@ -3,8 +3,7 @@
var env = require('gitter-web-env');
var config = env.config;
var logger = env.logger;
var GitHubStrategy = require('@gitterhq/passport-github').Strategy;
var TokenStateProvider = require('@gitterhq/passport-oauth2').TokenStateProvider;
var GitHubStrategy = require('passport-github2').Strategy;
var callbackUrlBuilder = require('./callback-url-builder');
function githubUpgradeCallback(req, accessToken, refreshToken, params, _profile, done) {
......@@ -28,14 +27,15 @@ function githubUpgradeCallback(req, accessToken, refreshToken, params, _profile,
});
}
var statePassphrase = config.get('github:statePassphrase');
var githubUpgradeStrategy = new GitHubStrategy(
{
clientID: config.get('github:client_id'),
clientSecret: config.get('github:client_secret'),
callbackURL: callbackUrlBuilder(),
stateProvider: statePassphrase && new TokenStateProvider({ passphrase: statePassphrase }),
// Prevent CSRF by adding a state query parameter through the OAuth flow that is connected to the users session.
// These options come from the `require('passport-oauth2').Strategy`,
// https://github.com/jaredhanson/passport-oauth2/blob/master/lib/strategy.js
state: true,
skipUserProfile: true,
passReqToCallback: true
},
......
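Review bot: Both GitHub strategies now rely on `state: true`, and if I read passport-oauth2's default session store correctly the state is keyed by the authorization URL's hostname (`oauth2:github.com`), so the upgrade strategy here and the user-login strategy in the other file appear to share one `req.session` slot; starting both flows in the same session would let one overwrite the other's expected state and fail its callback with a spurious mismatch. If that reading holds, giving each strategy its own `sessionKey` option next to `state: true` (e.g. `sessionKey: 'oauth2:github-upgrade'`, name illustrative) keeps the two checks independent. The session store also needs `req.session` to exist on both the authorize and callback routes, which the hunk cannot show; a short comment such as `// requires session middleware on the authorize and callback routes` would record that precondition. Also `users session` in the new comment should read `user's session`. The enclosing `new GitHubStrategy(` call continues outside the hunk.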
......@@ -7,8 +7,7 @@ var stats = env.stats;
var logger = env.logger;
var moment = require('moment');
var GitHubStrategy = require('@gitterhq/passport-github').Strategy;
var TokenStateProvider = require('@gitterhq/passport-oauth2').TokenStateProvider;
var GitHubStrategy = require('passport-github2').Strategy;
var extractGravatarVersion = require('gitter-web-avatars/server/extract-gravatar-version');
var gaCookieParser = require('../ga-cookie-parser');
var userService = require('gitter-web-users');
......@@ -169,14 +168,15 @@ function githubUserCallback(req, accessToken, refreshToken, params, _profile, do
.asCallback(done);
}
var statePassphrase = config.get('github:statePassphrase');
var githubUserStrategy = new GitHubStrategy(
{
clientID: config.get('github:user_client_id'),
clientSecret: config.get('github:user_client_secret'),
callbackURL: callbackUrlBuilder(),
stateProvider: statePassphrase && new TokenStateProvider({ passphrase: statePassphrase }),
// Prevent CSRF by adding a state query parameter through the OAuth flow that is connected to the users session.
// These options come from the `require('passport-oauth2').Strategy`,
// https://github.com/jaredhanson/passport-oauth2/blob/master/lib/strategy.js
state: true,
skipUserProfile: true,
passReqToCallback: true
},
......
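Review bot: The deleted `config.get('github:statePassphrase')` read was the last use of that key visible in both strategy files, so the `github:statePassphrase` setting is presumably dead configuration now; leaving it in config templates and docs suggests the CSRF check still depends on it when it does not. It would be worth removing the key in the same change, or adding a deprecation note where it is defined. The three-line explanatory comment and the `state`/`skipUserProfile`/`passReqToCallback` options are now duplicated verbatim with the upgrade strategy; a small shared helper returning those common options would keep the two strategies in step. `new GitHubStrategy(` continues past the hunk.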