From 91d75524ee0bcde581d29896495aa05178542452 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Padilla?= Date: Fri, 19 Feb 2021 17:52:12 -0500 Subject: [PATCH] Add `state` paremeter for try-login --- internal/auth/authutil/browser.go | 8 +++++--- internal/auth/authutil/login.go | 3 ++- internal/cli/utils_shared.go | 33 +++++++++++++++++++++++++++---- 3 files changed, 36 insertions(+), 8 deletions(-) diff --git a/internal/auth/authutil/browser.go b/internal/auth/authutil/browser.go index afed22280..093640f29 100644 --- a/internal/auth/authutil/browser.go +++ b/internal/auth/authutil/browser.go @@ -10,9 +10,10 @@ import ( // WaitForBrowserCallback lauches a new HTTP server listening on the provided // address and waits for a request. Once received, the code is extracted from // the query string (if any), and returned it to the caller. -func WaitForBrowserCallback(addr string) (string, error) { +func WaitForBrowserCallback(addr string) (code string, state string, err error) { type callback struct { code string + state string err string errDescription string } @@ -26,6 +27,7 @@ func WaitForBrowserCallback(addr string) (string, error) { m.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { cb := &callback{ code: r.URL.Query().Get("code"), + state: r.URL.Query().Get("state"), err: r.URL.Query().Get("error"), errDescription: r.URL.Query().Get("error_description"), } @@ -55,8 +57,8 @@ func WaitForBrowserCallback(addr string) (string, error) { if cb.err != "" { err = fmt.Errorf("%s: %s", cb.err, cb.errDescription) } - return cb.code, err + return cb.code, cb.state, err case err := <-errCh: - return "", err + return "", "", err } } diff --git a/internal/auth/authutil/login.go b/internal/auth/authutil/login.go index 5df350d23..e146be2eb 100644 --- a/internal/auth/authutil/login.go +++ b/internal/auth/authutil/login.go @@ -7,13 +7,14 @@ import ( // BuildLoginURL constructs a URL + query string that can be used to // initiate a user-facing login-flow from the CLI. -func BuildLoginURL(domain, clientID, callbackURL, connectionName, audience, prompt string, scopes []string) (string, error) { +func BuildLoginURL(domain, clientID, callbackURL, state, connectionName, audience, prompt string, scopes []string) (string, error) { var path string = "/authorize" q := url.Values{} q.Add("client_id", clientID) q.Add("response_type", "code") q.Add("redirect_uri", callbackURL) + q.Add("state", state) if prompt != "" { q.Add("prompt", prompt) diff --git a/internal/cli/utils_shared.go b/internal/cli/utils_shared.go index caa7d2ab4..11fa7ea00 100644 --- a/internal/cli/utils_shared.go +++ b/internal/cli/utils_shared.go @@ -1,17 +1,20 @@ package cli import ( + "crypto/rand" "fmt" + "encoding/base64" "encoding/json" + "net/http" + "net/url" + "github.com/auth0/auth0-cli/internal/ansi" "github.com/auth0/auth0-cli/internal/auth/authutil" "github.com/auth0/auth0-cli/internal/auth0" "github.com/auth0/auth0-cli/internal/open" "github.com/auth0/auth0-cli/internal/prompt" "gopkg.in/auth0.v5/management" - "net/http" - "net/url" ) const ( @@ -20,6 +23,7 @@ const ( cliLoginTestingCallbackAddr string = "localhost:8484" cliLoginTestingCallbackURL string = "http://localhost:8484" cliLoginTestingInitiateLoginURI string = "https://cli.auth0.com" + cliLoginTestingStateSize int = 152 ) var ( @@ -111,8 +115,13 @@ func runLoginFlow(cli *cli, t tenant, c *management.Client, connName, audience, return err } + state, err := generateState(cliLoginTestingStateSize) + if err != nil { + return err + } + // Build a login URL and initiate login in a browser window. - loginURL, err := authutil.BuildLoginURL(t.Domain, c.GetClientID(), cliLoginTestingCallbackURL, connName, audience, prompt, scopes) + loginURL, err := authutil.BuildLoginURL(t.Domain, c.GetClientID(), cliLoginTestingCallbackURL, state, connName, audience, prompt, scopes) if err != nil { return err } @@ -123,11 +132,15 @@ func runLoginFlow(cli *cli, t tenant, c *management.Client, connName, audience, // launch a HTTP server to wait for the callback to capture the auth // code. - authCode, err := authutil.WaitForBrowserCallback(cliLoginTestingCallbackAddr) + authCode, authState, err := authutil.WaitForBrowserCallback(cliLoginTestingCallbackAddr) if err != nil { return err } + if state != authState { + return fmt.Errorf("unexpected auth state") + } + // once the callback is received, exchange the code for an access // token. tokenResponse, err = authutil.ExchangeCodeForToken( @@ -235,3 +248,15 @@ func removeLocalCallbackURLFromClient(clientManager auth0.ClientAPI, client *man return clientManager.Update(client.GetClientID(), updatedClient) } + +// generate state parameter value used to mitigate CSRF attacks +// more: https://auth0.com/docs/protocols/state-parameters +func generateState(size int) (string, error) { + b := make([]byte, size) + _, err := rand.Read(b) + if err != nil { + return "", err + } + + return base64.URLEncoding.EncodeToString(b), nil +}