Fixes passport.js broken security on passport-oauth strategies when passport is used sessionless.
During a recent PR in outline/outline to introduce passport.js, I realized that when using
- koa
- and passport.js (only using sessionless actions, so without mounted session-middleware such as
koa-session,express-sessionandpassport.session()) - and koa-passport to translate koa's
ctxobject into express.js'sreqobject - and any direct or inherited strategies from passport-oauth (that includes passport-oauth2),
the state store fails to initialize (when state: true is set in the strategie's options). Thus the state= query argument is not set and verified, which may result in possible replay-attacks / session-hijacking.
passport-oauth requires the presence of a session object to set the state on, not only the cookies object. Because passport.js is configured to be sessionless, there is no such object. Please note that this incompatibility may also occur on express.js.
passport-oauth includes the (undocument sigh) option (store in the options object) to configure the store itself. It does not export the included stores, so this package implements a store which uses the cookies object instead of the session object.
passport-oauth introduces a StateStore which sets a cookie called state on the intiating computer before redirecting to the third-party provider (this redirect includes the state value). When the third-party provider redirects back, he includes the given state value again. The client must then verify that a cookie state exists on the computer and that the value corresponds to the one in the second redirect. If that is not the case, the session might have been hijacked and user data may has been exposed. Finally, the cookie is removed.