Docker/planka
Docker/planka
1
0
Fork 0
mirror of https://github.com/plankanban/planka.git synced 2025-07-18 20:59:44 +02:00
Code Issues Releases Activity

fix: Add state parameter to OIDC authorization url

Browse source 
Closes #558
This commit is contained in:
Maksim Eltyshev 2023-12-09 17:06:45 +01:00
parent 8018b74038
commit 28e4abaf76
1 changed files with 42 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

46
client/src/sagas/login/services/login.js
View file

@ -32,15 +32,29 @@ export function* authenticate(data) {
export function* authenticateUsingOidc() { export function* authenticateUsingOidc() {
const oidcConfig = yield select(selectors.selectOidcConfig); const oidcConfig = yield select(selectors.selectOidcConfig);
const state = nanoid();
window.sessionStorage.setItem('oidc-state', state);
const nonce = nanoid(); const nonce = nanoid();
window.sessionStorage.setItem('oidc-nonce', nonce); window.sessionStorage.setItem('oidc-nonce', nonce);
window.location.href = `${oidcConfig.authorizationUrl}&nonce=${encodeURIComponent(nonce)}`;
let redirectUrl = `${oidcConfig.authorizationUrl}`;
redirectUrl += `&state=${encodeURIComponent(state)}`;
redirectUrl += `&nonce=${encodeURIComponent(nonce)}`;
window.location.href = redirectUrl;
} }
export function* authenticateUsingOidcCallback() { export function* authenticateUsingOidcCallback() {
// https://github.com/plankanban/planka/issues/511#issuecomment-1771385639 // https://github.com/plankanban/planka/issues/511#issuecomment-1771385639
const params = new URLSearchParams(window.location.hash.substring(1) || window.location.search); const params = new URLSearchParams(window.location.hash.substring(1) || window.location.search);
const state = window.sessionStorage.getItem('oidc-state');
window.sessionStorage.removeItem('oidc-state');
const nonce = window.sessionStorage.getItem('oidc-nonce');
window.sessionStorage.removeItem('oidc-nonce');
yield put(replace(Paths.LOGIN)); yield put(replace(Paths.LOGIN));
if (params.get('error') !== null) { if (params.get('error') !== null) {
@ -54,7 +68,23 @@ export function* authenticateUsingOidcCallback() {
return; return;
} }
const nonce = window.sessionStorage.getItem('oidc-nonce'); const code = params.get('code');
if (code === null) {
yield put(
actions.authenticateUsingOidc.failure(new Error('Invalid OIDC response: no code parameter')),
);
return;
}
if (params.get('state') !== state) {
yield put(
actions.authenticateUsingOidc.failure(
new Error('Unable to process OIDC response: state mismatch'),
),
);
return;
}
if (nonce === null) { if (nonce === null) {
yield put( yield put(
actions.authenticateUsingOidc.failure( actions.authenticateUsingOidc.failure(
@ -64,17 +94,6 @@ export function* authenticateUsingOidcCallback() {
return; return;
} }
const code = params.get('code');
if (code === null) {
yield put(
actions.authenticateUsingOidc.failure(new Error('Invalid OIDC response: no code parameter')),
);
return;
}
window.sessionStorage.removeItem('oidc-nonce');
if (code !== null) {
let accessToken; let accessToken;
try { try {
({ item: accessToken } = yield call(api.exchangeForAccessTokenUsingOidc, { ({ item: accessToken } = yield call(api.exchangeForAccessTokenUsingOidc, {
@ -89,7 +108,6 @@ export function* authenticateUsingOidcCallback() {
yield call(setAccessToken, accessToken); yield call(setAccessToken, accessToken);
yield put(actions.authenticateUsingOidc.success(accessToken)); yield put(actions.authenticateUsingOidc.success(accessToken));
} }
}
export function* clearAuthenticateError() { export function* clearAuthenticateError() {
yield put(actions.clearAuthenticateError()); yield put(actions.clearAuthenticateError());