Skip to content

fix: enforce SSL certificate verification in OAuth provider, replace hardcoded CERT_NONE#3431

Open
Aryanbansal-05 wants to merge 1 commit into
ritesh-1918:gssocfrom
Aryanbansal-05:Aryan-05-15
Open

fix: enforce SSL certificate verification in OAuth provider, replace hardcoded CERT_NONE#3431
Aryanbansal-05 wants to merge 1 commit into
ritesh-1918:gssocfrom
Aryanbansal-05:Aryan-05-15

Conversation

@Aryanbansal-05

Copy link
Copy Markdown

🔐 Summary

Resolves #3425 by removing hardcoded ssl.CERT_NONE and check_hostname = False from the OAuth provider, replacing them with a secure SSL context that enforces full certificate verification in production.


🛠️ Changes Made

backend/auth/oauth_provider.py

Before:

  • Both exchange_code_for_tokens() and get_user_profile() created SSL contexts with:
    • ctx.check_hostname = False
    • ctx.verify_mode = ssl.CERT_NONE
  • This disabled all SSL certificate verification, making every OAuth token exchange and user profile fetch vulnerable to MITM attacks
  • Comment justified it as "local dev fallback" but it was active in all environments

After:

  • Extracted _create_ssl_context() helper used by both functions
  • Production default: check_hostname = True, verify_mode = ssl.CERT_REQUIRED
  • Local dev escape hatch: set OAUTH_DISABLE_SSL_VERIFY=1 env var (logs a warning, never silent)
  • Replaced print() statements with logging.getLogger() for proper log level control

.env.example

  • Documented OAUTH_DISABLE_SSL_VERIFY=0 with clear warning it must never be 1 in production

✅ Security Issues Fixed

  • 🔒 SSL certificate verification now enforced for all OAuth providers (Google, Microsoft, GitHub)
  • 🔒 MITM attacks on OAuth token exchange no longer possible
  • 🔒 Dev override requires explicit env var with logged warning
  • 🔒 No silent SSL bypass in any environment

Closes #3425

@vercel

vercel Bot commented Jul 8, 2026

Copy link
Copy Markdown

@Aryanbansal-05 is attempting to deploy a commit to the ritesh Team on Vercel.

A member of the Team first needs to authorize it.

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 001df7a5-58fe-49d2-9a36-2294e7a24d92

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant