Update authentication-backend, prevent open redirect attacks

Author: davidje13

backend/.npmrc

@@ -0,0 +1,2 @@
+package-lock=true
+ignore-scripts=true

backend/package-lock.json

@@ -10,7 +10,7 @@
     "test": "lean-test --preprocess tsc --parallel"
   },
   "dependencies": {
-    "authentication-backend": "1.x",
+    "authentication-backend": "1.3.x",
     "collection-storage": "3.x",
     "express": "5.x",
     "express-static-gzip": "3.x",

backend/package.json

@@ -40,7 +40,7 @@ const baseTestConfig: ConfigT = {
       accessTokenUrl: '',
       userUrl: '',
     },
-    gitlab: { clientId: '', authUrl: '', tokenInfoUrl: '' },
+    gitlab: { clientId: '', authUrl: '', accessTokenUrl: '', tokenInfoUrl: '' },
   },
   giphy: { baseUrl: '', apiKey: '' },
 };

backend/src/api-tests/testConfig.ts

@@ -35,7 +35,7 @@ export function getAuthBackend(
     userAuthService.grantLoginToken,
   );
   return {
-    addRoutes: (app) => app.useHTTP('/api/sso', sso.router),
+    addRoutes: (app) => app.useHTTP('/api/sso', sso.router()),
     clientConfig: sso.service.clientConfig,
   };
 }

backend/src/auth.ts

@@ -52,6 +52,7 @@ export default {
     gitlab: {
       clientId: '',
       authUrl: 'https://gitlab.com/oauth/authorize',
+      accessTokenUrl: 'https://gitlab.com/oauth/token',
       tokenInfoUrl: 'https://gitlab.com/oauth/token/info',
     },
   },

backend/src/config/default.ts

@@ -116,12 +116,12 @@ SSO_GITHUB_CLIENT_ID="idhere" SSO_GITHUB_CLIENT_SECRET="secrethere" ./index.js
 
 You will need a GitLab client ID:
 
-1. Go to <https://gitlab.com/profile/applications>
+1. Go to <https://gitlab.com/-/user_settings/applications>
 2. Set the "Redirect URI" to match your deployment with
    `/sso/gitlab` appended to the end. e.g. for local
    testing, this could be `http://localhost:5000/sso/gitlab`
-3. Untick the "confidential" option. You do not need to enable
-   any scopes.
+3. Untick the "confidential" option and select the "email"
+   scope (this is the closest we can get to no scopes)
 4. Record the application ID (you will not need the secret).
 
 You can now invoke the application with the `SSO_GITLAB_CLIENT_ID`
@@ -137,6 +137,7 @@ the auth and token info URLs:
 
 ```sh
 SSO_GITLAB_AUTH_URL="https://gitlab.example.com/oauth/authorize" \
+SSO_GITLAB_ACCESS_TOKEN_URL="https://gitlab.example.com/oauth/token" \
 SSO_GITLAB_TOKEN_INFO_URL="https://gitlab.example.com/oauth/token/info" \
 SSO_GITLAB_CLIENT_ID="idhere" \
 ./index.js

docs/SERVICES.md

@@ -1,4 +1,4 @@
-import { sha1 } from '../helpers/crypto';
+import { digest, toHex } from '../helpers/crypto';
 
 export class PasswordService {
   public constructor(private readonly apiBase: string) {}
@@ -7,7 +7,7 @@ export class PasswordService {
     password: string,
     signal: AbortSignal,
   ): Promise<number> {
-    const passwordHash = (await sha1(password)).toUpperCase();
+    const passwordHash = toHex(await digest(password, 'SHA-1')).toUpperCase();
     const key = passwordHash.substring(0, 5);
     const rest = passwordHash.substring(5);
 

frontend/src/api/PasswordService.ts

@@ -6,6 +6,8 @@ export class UserTokenService {
   public async login(
     service: string,
     externalToken: string,
+    redirectUri: string,
+    codeVerifier: string | undefined,
     signal: AbortSignal,
   ): Promise<string> {
     const body = await jsonFetch<{ userToken: string }>(
@@ -14,7 +16,7 @@ export class UserTokenService {
         method: 'POST',
         cache: 'no-cache',
         headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ externalToken }),
+        body: JSON.stringify({ externalToken, redirectUri, codeVerifier }),
         signal,
       },
     );

frontend/src/api/UserTokenService.ts

@@ -19,27 +19,35 @@ export const LoginCallback = memo(({ service }: PropsT) => {
   useEffect(() => {
     const ac = new AbortController();
     const { search, hash } = document.location;
-    const nonce = storage.getItem('login-nonce');
-    handleLogin(service, nonce, { search, hash }, ac.signal)
+    const redirectUri = document.location.href.split('?')[0]!;
+    const localState = storage.getItem('login-state');
+    handleLogin(service, localState, { search, hash, redirectUri }, ac.signal)
       .then((redirect) => {
         if (ac.signal.aborted) {
           return;
         }
-        storage.removeItem('login-nonce');
+        storage.removeItem('login-state');
+        if (
+          new URL(redirect, document.location.href).host !==
+          document.location.host
+        ) {
+          // possibly a malicious redirect - ignore it and substitute a safe one
+          redirect = '/';
+        }
         stableSetLocation(redirect, { replace: true });
       })
       .catch((err) => {
         if (ac.signal.aborted) {
           return;
         }
         if (!(err instanceof Error)) {
-          storage.removeItem('login-nonce');
+          storage.removeItem('login-state');
           setError(String(err));
         } else if (err.message === 'unrecognised login details') {
           // GitLab shows a bare link to the /sso/login URL on the confirmation page
           stableSetLocation('/', { replace: true });
         } else {
-          storage.removeItem('login-nonce');
+          storage.removeItem('login-state');
           setError(err.message);
         }
       });