Proper use of state parameter for the OAuth CSRF protection #1435

Closed
1 of 6 tasks
seratch opened this issue Feb 25, 2022 · 0 comments · Fixed by #1436
seratch commented Feb 25, 2022

As of Feb 2022, @slack/oauth (~ v2.4) and @slack/bolt (~ v3.10) do not use the state parameter for the purpose of CSRF protection in the Slack OAuth flow. Refer to the RFC https://datatracker.ietf.org/doc/html/rfc6749#section-10.12 for the details of the state parameter in general.

Currently, the only things that InstallProvider does are adding the state parameter to the Slack authorize URL and then decoding the underlying value from the string. There is no way for developers to check if the state parameter in the query string is valid for the accessing user-agent (= the web browser).

To improve this, the @slack/oauth module can provide a new way to serve the install path (/slack/install) that manages user-agent state by setting cookies. With that, the Redirect URL (/slack/oauth_redirect) can check if the user-agent is the same person in the OAuth flow.

We will add a new method handleInstallPath(), which handles all the above. Also, the existing handleCallback() verifies both the query string and browser cookies. Newer versions of bolt-js (v3.11 or newer) will switch to this new way.

Packages:

Select all that apply:

  • @slack/web-api
  • @slack/rtm-api
  • @slack/webhooks
  • @slack/oauth
  • @slack/socket-mode
  • I don't know
@seratch seratch added bug M-T: A confirmed bug report. Issues are confirmed when the reproduction steps are documented pkg:oauth applies to `@slack/oauth-helper` labels Feb 25, 2022
@seratch seratch added this to the oauth@2.5.0 milestone Feb 25, 2022
@seratch seratch self-assigned this Feb 25, 2022
seratch added a commit to seratch/node-slack-sdk that referenced this issue Feb 25, 2022
seratch added a commit to seratch/node-slack-sdk that referenced this issue Mar 1, 2022
seratch added a commit to seratch/node-slack-sdk that referenced this issue Mar 1, 2022
…otection

Co-authored-by: Yuji Nakayama <nkymyj@gmail.com>
seratch added a commit that referenced this issue Mar 2, 2022