
Enhance login security with CSRF protection and host validation#2

Merged

uji merged 1 commit into main from claude/bold-keller-56XlT on Jun 1, 2026

Conversation

@uji uji (Owner) commented Jun 1, 2026

Summary

This PR improves the security of the login flow by adding CSRF protection via state parameter validation and implementing host validation for the OAuth callback handler.

Key Changes

  • CSRF Protection: Generate a random state parameter and validate it on callback using constant-time comparison to prevent CSRF attacks
  • Host Validation: Restrict callback handler to only accept requests from 127.0.0.1 or localhost to prevent open redirect vulnerabilities
  • Input Validation: Add explicit validation for the authorization code parameter to ensure it's present before processing
  • Code Refactoring: Extract query parameters into a variable for cleaner code and improved readability

Implementation Details

  • Uses crypto/subtle.ConstantTimeCompare() for timing-attack-resistant state comparison
  • Validates the request host by splitting the Host header and checking against allowed localhost addresses
  • Returns appropriate HTTP error responses (400 Bad Request) for security violations
  • Maintains backward compatibility with existing OAuth flow while adding security layers

- Generate a cryptographically random state value (via GenerateVerifier)
  and include it in the Slack authorization URL (RFC 6749 §10.12 / RFC 9700)
- Validate state in /callback using subtle.ConstantTimeCompare to prevent
  timing side-channels
- Reject requests with a mismatched or missing state, sending the error
  through errCh so the login flow surfaces it instead of hanging
- Validate Host header against 127.0.0.1/localhost as a DNS-rebinding
  defence layer
- Reject callbacks that carry an empty code so the token exchange is never
  attempted with a blank value

https://claude.ai/code/session_01GwwBXV9g43FLpmKzgobVGE
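The three callback checks the PR describes (Host allow-list, constant-time state comparison, non-empty code), written out as an added Go example; this is not the project's code. The `generateState` helper is an assumed stand-in for the `GenerateVerifier` call the commit message names, and `validateCallback` returns an error where the real handler would answer 400 Bad Request.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// generateState: 32 random bytes, base64url; stands in for the PR's GenerateVerifier (assumed).
func generateState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// validateCallback runs the PR's three checks and returns the code only if all pass.
func validateCallback(r *http.Request, expectedState string) (string, error) {
	host := r.Host
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop the port; a bare "localhost" has none and stays as-is
	}
	if host != "127.0.0.1" && host != "localhost" {
		return "", errors.New("callback rejected: unexpected Host header")
	}
	q := r.URL.Query()
	got := q.Get("state")
	// Constant-time compare: a wrong state and a near-miss take the same time.
	if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(expectedState)) != 1 {
		return "", errors.New("callback rejected: missing or mismatched state")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback rejected: empty authorization code")
	}
	return code, nil
}

func main() {
	state, _ := generateState()
	r := httptest.NewRequest("GET", "http://127.0.0.1:8080/callback?state="+state+"&code=abc", nil)
	code, err := validateCallback(r, state)
	fmt.Println(code, err) // prints: abc <nil>
}
```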
@uji uji merged commit a4a3a3a into main Jun 1, 2026
@uji uji deleted the claude/bold-keller-56XlT branch June 3, 2026 13:24


2 participants