Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for state in oauth scenarios #103

Closed
wants to merge 2 commits into from
Closed

Support for state in oauth scenarios #103

wants to merge 2 commits into from

Conversation

sameer-coder
Copy link

This PR tries to fix the issue reported in fastify-passport (fastify/fastify-passport#376)

Issue: When state is used in an oauth strategy along with fastify-secure-session then the state is not being encoded because we only encode session[kObj]. As a result when the callback happens the local state does not exist.

Fix: I have tried to add the state to session[kObj] before the encoding happens and restore it after decoding so that state verification is done correctly.

I am not sure if this fix is the right way to do it. Any suggestions to improve the PR are welcome!

@mcollina
Copy link
Member

I don't understand this or why it's needed, could you please clarify?

@mcollina
Copy link
Member

Can you please add a unit test?

mcollina
mcollina reviewed Dec 14, 2021
View reviewed changes
index.js
@@ -117,14 +117,31 @@ module.exports = fp(function (fastify, options, next) {
}

const session = new Session(JSON.parse(msg))
session.changed = signingKeyRotated

if (session[kObj].state) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is the state property special?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is actually the problem of passport-oauth2 which directly mutating the request.session object.
The usage of fastify-secure-session only allow to use the get and set function to mutate the session.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can only think of adding an extra layer new Proxy() to support this use-case.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@climba03003 yes, I think you are right. If passport-oauth2 uses get and set functions to mutate the session then this problem won't exist

index.js
@@ -153,7 +170,8 @@ module.exports = fp(function (fastify, options, next) {
fastify.addHook('onSend', (request, reply, payload, next) => {
const session = request.session

if (!session || !session.changed) {
const hasState = session && Object.values(session).some(v => (typeof v === 'object' && !!v.state))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have checked already if we have state.

@sameer-coder
Copy link
Author

sameer-coder commented Dec 14, 2021
edited
Loading

@mcollina Maybe I have got this completely wrong! I was waiting it to be reviewed to see if to see if the implementation makes sense before adding a unit test.

I have got a reproducible repo here: https://github.com/sameer-coder/secure-session-test
It works fine without state but when you add state it throws 403

@sameer-coder
Copy link
Author

Since the issue is with the way passport-oauth2 uses the session this change is not required. Closing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@climba03003 climba03003 climba03003 left review comments

@mcollina mcollina mcollina left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sameer-coder @mcollina @climba03003