feat: [DX-2999] add state to pkce oauth #2
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
State is a recommended part of the PKCE Oauth2 spec, but it is required by our identity provider (Okta). This implements support for state in a fairly straight-forward manner. We use the unique session id from the Oauth2 class (which might be the electron store?) and we make that URL safe and pass it along as a query param when the PKCE checkbox is enabled in the Oauth2 authorization code flow.
I implemented one more fix in the oauth2 helper file, also due to okta. The code previously had a conditional that checked for a code URL parameter when in the redirect flow, but okta returned that parameter before the final redirect was reached. That meant I changed the logic to say if we're at the callback url and we see this code query parameter, then execute the rest of the code. This should be backward compatible with anything else since only the PKCE flow uses this function and callback url is a requirement of the PKCE flow.
https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1 for more information on state
This pull request includes changes to the
packages/bruno-electron/src/ipc/networkdirectory that focus on improving the OAuth2 authentication process. The key changes involve enhancing the URL redirect validation in theauthorizeUserInWindowfunction, simplifying the hash generation process in thegenerateCodeVerifierfunction, and adding a unique state parameter in thegetOAuth2AuthorizationCodefunction.URL Redirect Validation:
packages/bruno-electron/src/ipc/network/authorize-user-in-window.js: TheonWindowRedirectfunction now checks if the URL includes thecallbackUrlbefore checking for an authorization code. This change ensures that thefinalUrlis always thecallbackUrl.Hash Generation:
packages/bruno-electron/src/ipc/network/oauth2-helper.js: ThegenerateCodeChallengefunction has been renamed togenerateUniqueHashand simplified. It now directly creates a SHA-256 hash of the input string and returns it in base64url format. This function is used to generate a unique hash for thecodeVerifierand thestateparameter.OAuth2 Authorization Code Retrieval:
packages/bruno-electron/src/ipc/network/oauth2-helper.js: ThegetOAuth2AuthorizationCodefunction now generates a unique state parameter using the session ID of the collection and includes this in the OAuth2 query parameters. This change adds an extra layer of security to the OAuth2 process by mitigating cross-site request forgery attacks.