Merge pull request #18 from auth0-extensions/Add-samesite-support

Add samesite support
auth0-extensions · Jan 8, 2020 · 9f6c619 · 9f6c619
2 parents e8c0c55 + 6fd2bf8
commit 9f6c619
Show file tree

Hide file tree

Showing 4 changed files with 428 additions and 134 deletions.
diff --git a/package.json b/package.json
@@ -1,12 +1,12 @@
 {
   "name": "auth0-extension-express-tools",
-  "version": "1.1.9",
+  "version": "2.0.0",
   "description": "A set of tools and utilities to simplify the development of Auth0 Extensions with Express.",
   "main": "src/index.js",
   "dependencies": {
     "auth0-extension-tools": "^1.3.0",
     "cookie-parser": "^1.4.3",
-    "express": "^4.12.4",
+    "express": "^4.17.1",
     "express-conditional-middleware": "2.0.0",
     "express-jwt": "^3.1.0",
     "jwks-rsa": "^1.1.1",

diff --git a/src/routes/dashboardAdmins.js b/src/routes/dashboardAdmins.js
@@ -74,10 +74,19 @@ module.exports = function(options) {
   router.get(urlPrefix + '/login', function(req, res) {
     const basePath = urlHelpers.getBasePath(req);
     const state = crypto.randomBytes(16).toString('hex');
-    const nonce = crypto.randomBytes(16).toString('hex');
-    res.cookie(stateKey, state, { path: basePath });
-    res.cookie(nonceKey, nonce, { path: basePath });
-
+    const nonce = crypto.randomBytes(16).toString('hex');  
+    const basicAttr = {
+      httpOnly: true,
+      path: basePath
+    };
+
+    res.cookie(stateKey, state, Object.assign({}, basicAttr, { sameSite: 'None', secure: true }));
+    res.cookie(nonceKey, nonce, Object.assign({}, basicAttr, { sameSite: 'None', secure: true }));
+
+    // create legacy cookie
+    res.cookie(stateKey + '_compat', state, basicAttr);
+    res.cookie(nonceKey + '_compat', nonce, basicAttr);
+
     const redirectTo = sessionManager.createAuthorizeUrl({
       redirectUri: urlHelpers.getBaseUrl(req) + urlPrefix + '/login/callback',
       scopes: options.scopes,
@@ -101,11 +110,10 @@ module.exports = function(options) {
       return next(new tools.ValidationError('Login failed. Invalid token.'));
     }
 
-    if (!req.cookies || req.cookies[nonceKey] !== decoded.nonce) {
+    if ((req.cookies && req.cookies[nonceKey] && req.cookies[nonceKey] !== decoded.nonce) || (req.cookies && req.cookies[nonceKey + '_compat'] && req.cookies[nonceKey + '_compat'] !== decoded.nonce)) {
       return next(new tools.ValidationError('Login failed. Nonce mismatch.'));
     }
-
-    if (!req.cookies || req.cookies[stateKey] !== req.body.state) {
+    if ((req.cookies && req.cookies[stateKey] && req.cookies[stateKey] !== req.body.state) || (req.cookies && req.cookies[stateKey + '_compat'] && req.cookies[stateKey + '_compat'] !== req.body.state)) {
       return next(new tools.ValidationError('Login failed. State mismatch.'));
     }
 
@@ -121,6 +129,8 @@ module.exports = function(options) {
       .then(function(token) {
         res.clearCookie(stateKey, { path: basePath });
         res.clearCookie(nonceKey, { path: basePath });
+        res.clearCookie(stateKey + '_compat', { path: basePath });
+        res.clearCookie(nonceKey + '_compat', { path: basePath });
         res.header('Content-Type', 'text/html');
         res.status(200).send('<html>' +
           '<head>' +
@@ -141,6 +151,8 @@ module.exports = function(options) {
     const encodedBaseUrl = encodeURIComponent(urlHelpers.getBaseUrl(req));
     res.clearCookie(stateKey, { path: basePath });
     res.clearCookie(nonceKey, { path: basePath });
+    res.clearCookie(stateKey + '_compat', { path: basePath });
+    res.clearCookie(nonceKey + '_compat', { path: basePath });
     res.header('Content-Type', 'text/html');
     res.status(200).send(
       '<html>' +

diff --git a/tests/routes/dashboardAdmins.js b/tests/routes/dashboardAdmins.js
@@ -177,7 +177,15 @@ tape('dashboardAdmins should redirect to auth0 on /login', function(t) {
   const res = {
     cookie: function(key, value, options) {
       cookies[key] = value;
+      t.equal(options.httpOnly, true);
       t.equal(options.path, '/login/');
+      if (!key.includes('_compat')) {
+        t.equal(options.sameSite, 'None');
+        t.equal(options.secure, true);
+      } else {
+        t.false(options.sameSite);
+        t.false(options.secure);
+      }
     },
     redirect: function(url) {
       const expectedUrl =
@@ -188,8 +196,8 @@ tape('dashboardAdmins should redirect to auth0 on /login', function(t) {
         '&scope=openid%20name%20email' +
         '&expiration=36000' +
         '&redirect_uri=https%3A%2Flogin%2Flogin%2Fcallback&audience=https%3A%2F%2Ftest.auth0.com%2Fapi%2Fv2%2F' +
-        '&nonce=' + cookies.nonce +
-        '&state=' + cookies.state;
+        '&nonce=' + (cookies.nonce || cookies['nonce_compat']) +
+        '&state=' + (cookies.state || cookies['state_compat']);
       t.ok(url);
       t.equal(url, expectedUrl);
       t.end();
@@ -241,6 +249,49 @@ tape('dashboardAdmins should return ValidationError in case of nonce mismatch',
   mw(req, {}, next);
 });
 
+tape('dashboardAdmins should return ValidationError in case of legacy nonce mismatch', function(t) {
+  const mw = dashboardAdmins({
+    secret: 'abc',
+    audience: 'urn:api',
+    rta: 'test.auth0.com',
+    domain: 'test.auth0.com',
+    baseUrl: 'https://test.auth0.com/api/v2/',
+    clientName: 'Some Client'
+  });
+
+  const token = tokens.sign(certs.bar.private, 'key2', {
+    iss: 'https://test.auth0.com/',
+    sub: '1234567890',
+    aud: 'https://test.auth0.com/api/v2/',
+    name: 'John Doe',
+    admin: true,
+    nonce_compat: 'nonce'
+  });
+
+  const req = {
+    headers: {},
+    cookies: {
+      state: 'state',
+      nonce_compat: 'another_nonce'
+    },
+    body: {
+      state: 'state',
+      id_token: token,
+      access_token: token
+    },
+    url: 'http://api/login/callback',
+    method: 'post'
+  };
+
+  const next = function(err) {
+    t.ok(err);
+    t.equal(err.name, 'ValidationError');
+    t.end();
+  };
+
+  mw(req, {}, next);
+});
+
 tape('dashboardAdmins should return ValidationError in case of state mismatch', function(t) {
   const mw = dashboardAdmins({
     secret: 'abc',
@@ -284,6 +335,50 @@ tape('dashboardAdmins should return ValidationError in case of state mismatch',
   mw(req, {}, next);
 });
 
+tape('dashboardAdmins should return ValidationError in case of legacy state mismatch', function(t) {
+  const mw = dashboardAdmins({
+    secret: 'abc',
+    audience: 'urn:api',
+    rta: 'test.auth0.com',
+    domain: 'test.auth0.com',
+    baseUrl: 'https://test.auth0.com/api/v2/',
+    clientName: 'Some Client'
+  });
+
+  const token = tokens.sign(certs.bar.private, 'key2', {
+    iss: 'https://test.auth0.com/',
+    sub: '1234567890',
+    aud: 'https://test.auth0.com/api/v2/',
+    name: 'John Doe',
+    admin: true,
+    state_compat: 'state',
+    nonce: 'nonce'
+  });
+
+  const req = {
+    headers: {},
+    cookies: {
+      state_compat: 'another_state',
+      nonce: 'nonce'
+    },
+    body: {
+      state: 'state',
+      id_token: token,
+      access_token: token
+    },
+    url: 'http://api/login/callback',
+    method: 'post'
+  };
+
+  const next = function(err) {
+    t.ok(err);
+    t.equal(err.name, 'ValidationError');
+    t.end();
+  };
+
+  mw(req, {}, next);
+});
+
 tape('dashboardAdmins should return 200 if everything is ok', function(t) {
   const mw = dashboardAdmins({
     secret: 'abc',
@@ -324,7 +419,67 @@ tape('dashboardAdmins should return 200 if everything is ok', function(t) {
     header: function() {},
     clearCookie: function(name) {
       if (name === 'nonce') t.equal(name, 'nonce');
-      else t.equal(name, 'state');
+      else if (name === 'nonce_compat') t.equal(name, 'nonce_compat');
+      else if (name === 'state') t.equal(name, 'state');
+      else t.equal(name, 'state_compat');
+    },
+    status: function(status) {
+      return {
+        send: function(html) {
+          t.ok(html);
+          t.equal(status, 200);
+          t.end();
+        }
+      };
+    }
+  };
+
+  mw(req, res);
+});
+
+tape('dashboardAdmins should return 200 with legacy nonce and state', function(t) {
+  const mw = dashboardAdmins({
+    secret: 'abc',
+    audience: 'urn:api',
+    rta: 'test.auth0.com',
+    domain: 'test.auth0.com',
+    baseUrl: 'https://test.auth0.com/api/v2/',
+    clientName: 'Some Client'
+  });
+
+  tokens.wellKnownEndpoint('test.auth0.com', certs.bar.cert, 'key2');
+  const token = tokens.sign(certs.bar.private, 'key2', {
+    iss: 'https://test.auth0.com/',
+    sub: '1234567890',
+    aud: 'https://test.auth0.com/api/v2/',
+    azp: 'https://test.auth0.com/api/v2/',
+    name: 'John Doe',
+    admin: true,
+    nonce: 'nonce'
+  });
+
+  const req = {
+    headers: {},
+    cookies: {
+      state_compat: 'state',
+      nonce_compat: 'nonce'
+    },
+    body: {
+      state: 'state',
+      id_token: token,
+      access_token: token
+    },
+    url: 'http://api/login/callback',
+    method: 'post'
+  };
+
+  const res = {
+    header: function() {},
+    clearCookie: function(name) {
+      if (name === 'nonce') t.equal(name, 'nonce');
+      else if (name === 'nonce_compat') t.equal(name, 'nonce_compat');
+      else if (name === 'state') t.equal(name, 'state');
+      else t.equal(name, 'state_compat');
     },
     status: function(status) {
       return {
@@ -381,7 +536,9 @@ tape('dashboardAdmins should work with localStorage', function(t) {
     header: function() {},
     clearCookie: function(name) {
       if (name === 'nonce') t.equal(name, 'nonce');
-      else t.equal(name, 'state');
+      else if (name === 'nonce_compat') t.equal(name, 'nonce_compat');
+      else if (name === 'state') t.equal(name, 'state');
+      else t.equal(name, 'state_compat');
     },
     status: function(status) {
       return {