Fixes passport.js broken security on passport-oauth strategies when passport is used sessionless.
During a recent PR in outline/outline to introduce passport.js, I realized that when using

- koa,
- passport.js used sessionless (no mounted session middleware such as `koa-session`, `express-session` or `passport.session()`),
- koa-passport to translate koa's `ctx` object into express.js's `req` object, and
- any strategy inherited directly or indirectly from passport-oauth (which includes passport-oauth2),

the state store fails to initialize (when `state: true` is set in the strategy's options). Thus the `state=` query argument is neither set nor verified, which may result in replay attacks / session hijacking.
passport-oauth requires the presence of a `session` object to set the state on, not only the `cookies` object. Because passport.js is configured to be sessionless, there is no such object. Please note that this incompatibility may also occur on express.js.
passport-oauth includes the (undocumented, sigh) `store` option in the options object to configure the store itself. It does not export the included stores, so this package implements a store which uses the `cookies` object instead of the `session` object.
passport-oauth introduces a StateStore which sets a cookie called `state` on the initiating computer before redirecting to the third-party provider (this redirect includes the state value). When the third-party provider redirects back, it includes the given state value again. The client must then verify that a cookie `state` exists on the computer and that its value corresponds to the one in the second redirect. If that is not the case, the session might have been hijacked and user data may have been exposed. Finally, the cookie is removed.