Added a state parameter for all OAuth requests

2024-11-26 19:00:54 -06:00 · 2016-10-08 01:20:45 -05:00 · 2016-10-08 01:20:45 -05:00 · 81443bf8b4
commit 81443bf8b4
parent 913f17ee8a
2 changed files with 20 additions and 1 deletions
--- a/pkg/api/login_oauth.go
+++ b/pkg/api/login_oauth.go
@ -3,6 +3,8 @@ package api
 import (
 	"errors"
 	"fmt"
+	"crypto/rand"
+	"encoding/base64"

 	"golang.org/x/oauth2"

@ -14,6 +16,12 @@ import (
 	"github.com/grafana/grafana/pkg/social"
 )

+func GenStateString() string {
+        rnd := make([]byte, 32)
+        rand.Read(rnd)
+        return base64.StdEncoding.EncodeToString(rnd)
+}
+
 func OAuthLogin(ctx *middleware.Context) {
 	if setting.OAuthService == nil {
 		ctx.Handle(404, "login.OAuthLogin(oauth service not enabled)", nil)
@ -29,7 +37,17 @@ func OAuthLogin(ctx *middleware.Context) {

 	code := ctx.Query("code")
 	if code == "" {
-		ctx.Redirect(connect.AuthCodeURL("", oauth2.AccessTypeOnline))
+		state := GenStateString()
+		ctx.Session.Set(middleware.SESS_KEY_OAUTH_STATE, state)
+		ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline))
+		return
+	}
+
+	// verify state string
+	savedState := ctx.Session.Get(middleware.SESS_KEY_OAUTH_STATE).(string)
+	queryState := ctx.Query("state")
+	if savedState != queryState {
+		ctx.Handle(500, "login.OAuthLogin(state mismatch)", nil)
 		return
 	}

--- a/pkg/middleware/session.go
+++ b/pkg/middleware/session.go
@ -13,6 +13,7 @@ import (

 const (
 	SESS_KEY_USERID = "uid"
+	SESS_KEY_OAUTH_STATE = "state"
 )

 var sessionManager *session.Manager