
Commit c4a9e49

committed
sign oauth2 nonce with the hmac secret
rename nonce in state to csrf_token for clarity Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
1 parent 0642c49 commit c4a9e49


1 file changed

+6
-3
lines changed


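--- a/single-page-app/verify.sh
+++ b/single-page-app/verify.sh
@@ -149,7 +149,10 @@ test_auth () {
 "${proxy_scheme}://localhost:${proxy_port}/login" \
 "${curl_args[@]}"
 
-encoded_state=$(echo -n "{\"url\":\"${proxy_scheme}://localhost:${proxy_port}/login\",\"nonce\":\"12345678\"}" | basenc --base64url --wrap=0 | sed 's/=//g')
+random=$(head /dev/urandom | xxd -p | head -c 16)
+hmac=$(echo -n "${random}" | openssl dgst -sha256 -hmac "${HMAC_SECRET}" -binary|base64)
+csrf_token=${random}.${hmac}
+encoded_state=$(echo -n "{\"url\":\"${proxy_scheme}://localhost:${proxy_port}/login\",\"csrf_token\":\"${csrf_token}\"}" | basenc --base64url --wrap=0 | sed 's/=//g')
 
 run_log "Fetch the myhub authorization page"
 if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then
@@ -175,10 +178,10 @@ test_auth () {
 run_log "Return to the app and receive creds"
 if [[ "$STATE_BASE64URL_ENCODE" == "true" ]]; then
 CODE=$(_curl "${curl_args[@]}" --head "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=${encoded_state}" | grep Location | cut -d= -f2 | cut -d\& -f1)
-RESPONSE=$(_curl "${curl_args[@]}" --cookie "OauthNonce=12345678" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=${encoded_state}")
+RESPONSE=$(_curl "${curl_args[@]}" --cookie "OauthNonce=${csrf_token}" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=${encoded_state}")
 else
 CODE=$(_curl "${curl_args[@]}" --head "http://localhost:${PORT_MYHUB}/authorize?client_id=0123456789&redirect_uri=${proxy_scheme}%3A%2F%2Flocalhost%3A${proxy_port}%2Fauthorize&response_type=code&scope=user%3Aemail&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678" | grep Location | cut -d= -f2 | cut -d\& -f1)
-RESPONSE=$(_curl "${curl_args[@]}" --cookie "OauthNonce=12345678" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678")
+RESPONSE=$(_curl "${curl_args[@]}" --cookie "OauthNonce=${csrf_token}" --head "${proxy_scheme}://localhost:${proxy_port}/authorize?code=$CODE&state=url%3D${proxy_scheme}%253A%252F%252Flocalhost%253A${proxy_port}%252Flogin%26nonce%3D12345678")
 fi
 echo "$RESPONSE" | grep "HTTP/1.1 302 Found"
 echo "$RESPONSE" | grep "location: ${proxy_scheme}://localhost:${proxy_port}/login"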
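Review bot: In the non-base64url branch of the second hunk the cookie now carries `OauthNonce=${csrf_token}` while the `state` query string in both the CODE and RESPONSE requests still embeds the old literal `nonce%3D12345678`, so the cookie and state no longer agree; if the proxy compares the two, this branch will fail, and if it doesn't, the test no longer exercises the signed token on that path (the base64url branch keeps them consistent). If the intent is to cover both encodings, the state value here should carry a URL-encoded `csrf_token` too — note that the `base64` output in `hmac` contains `+`, `/` and `=`, so it must be percent-encoded before it goes into a query string. Separately, the first hunk reads `${HMAC_SECRET}` without any check; an unset or empty value silently produces a valid-looking HMAC under an empty key, so a guard such as `: "${HMAC_SECRET:?HMAC_SECRET must be set}"` before the `openssl dgst` line would make a misconfigured run fail loudly rather than pass for the wrong reason. The `head /dev/urandom | xxd -p | head -c 16` pipeline works but reads an unbounded amount until ten newline bytes appear; `head -c 8 /dev/urandom | xxd -p` yields the same 16 hex characters deterministically in size. test_auth begins and ends outside both hunks.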
