Fix/nonce check (#16)

* Merge Latest fix from origin repo (#15) * Very basic XSS prevention * Parse `%20` as spaces before printing them Co-authored-by: Payton Garland <[email protected]> Co-authored-by: Thomas <[email protected]> * Use the id_token nonce to validate. Co-authored-by: Payton Garland <[email protected]> Co-authored-by: Thomas <[email protected]>
iress · Oct 7, 2020 · c0941d5 · c0941d5
1 parent 1d83d49
commit c0941d5
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/authn/openid.index.js b/authn/openid.index.js
@@ -294,9 +294,9 @@ function unauthorized(error, error_description, error_uri, callback) {
   </html>
   `;
 
-  page = page.replace(/%error%/g, error);
-  page = page.replace(/%error_description%/g, error_description);
-  page = page.replace(/%error_uri%/g, error_uri);
+  page = page.replace(/%error%/g, encodeURI(error).replace(/%20/g,' '));
+  page = page.replace(/%error_description%/g, encodeURI(error_description).replace(/%20/g,' '));
+  page = page.replace(/%error_uri%/g, encodeURI(error_uri));
 
   // Unauthorized access attempt. Reset token and nonce cookies
   const response = {

diff --git a/authn/pkce.index.js b/authn/pkce.index.js
@@ -140,7 +140,7 @@ function mainProcess(event, context, callback) {
           console.log("Verifying JWT");
           const access_token = response.data.access_token;
           // Verify the access token JWT, the payload email, and that the email ends with configured hosted domain
-          jwt.verify(response.data.access_token, pem, { algorithms: ['RS256'] }, function(err, decoded) {
+          jwt.verify(access_token, pem, { algorithms: ['RS256'] }, function(err, decoded) {
             if (err) {
               switch (err.name) {
                 case 'TokenExpiredError':
@@ -160,7 +160,7 @@ function mainProcess(event, context, callback) {
               // Validate nonce
               if ("cookie" in headers
                   && "NONCE" in cookie.parse(headers["cookie"][0].value)
-                  && nonce.validateNonce(decoded.nonce, cookie.parse(headers["cookie"][0].value).NONCE)) {
+                  && nonce.validateNonce(decodedData.payload.nonce, cookie.parse(headers["cookie"][0].value).NONCE)) {
                 console.log("Setting cookie and redirecting.");
 
                 // Once verified, create new JWT for this server