Enable CSRF protection in grant (OAuth2) (#5504)
* Enable CSRF protection in grant (OAuth2)

I've been doing some testing and from what I can see, this is already supported in https://github.com/simov/grant (which companion uses for OAuth2), when enabling the `state` parameter. It seems to be working and it is checking the parameter when redirected back from the provider: https://github.com/simov/grant/blob/61fe48a8dac6aa4ec5764fadff0898b743b85588/lib/flow/oauth2.js#L72So

* fix test
mifi authored Nov 11, 2024
1 parent 6d413f5 commit d6d940c
Showing 2 changed files with 20 additions and 8 deletions.
22 changes: 14 additions & 8 deletions packages/@uppy/companion/src/config/grant.js
@@ -1,6 +1,4 @@
const google = {
transport: 'session',

// access_type: offline is needed in order to get refresh tokens.
// prompt: 'consent' is needed because sometimes a user will get stuck in an authenticated state where we will
// receive no refresh tokens from them. This seems to be happen when running on different subdomains.
Expand All @@ -15,51 +13,59 @@ const google = {
"scope_delimiter": " "
}

const defaults = {
transport: 'session',
state: true, // Enable CSRF check
};

// oauth configuration for provider services that are used.
module.exports = () => {
return {
// we need separate auth providers because scopes are different,
// and because it would be a too big rewrite to allow reuse of the same provider.
googledrive: {
...defaults,
...google,
state: true,
callback: '/drive/callback',
scope: ['https://www.googleapis.com/auth/drive.readonly'],
},
googlephotos: {
...defaults,
...google,
callback: '/googlephotos/callback',
scope: ['https://www.googleapis.com/auth/photoslibrary.readonly', 'https://www.googleapis.com/auth/userinfo.email'], // if name is needed, then add https://www.googleapis.com/auth/userinfo.profile too
},
dropbox: {
transport: 'session',
...defaults,
authorize_url: 'https://www.dropbox.com/oauth2/authorize',
access_url: 'https://api.dropbox.com/oauth2/token',
callback: '/dropbox/callback',
custom_params: { token_access_type : 'offline' },
},
box: {
transport: 'session',
...defaults,
authorize_url: 'https://account.box.com/api/oauth2/authorize',
access_url: 'https://api.box.com/oauth2/token',
callback: '/box/callback',
},
instagram: {
transport: 'session',
...defaults,
callback: '/instagram/callback',
},
facebook: {
transport: 'session',
...defaults,
scope: ['email', 'user_photos'],
callback: '/facebook/callback',
},
// for onedrive
microsoft: {
transport: 'session',
...defaults,
scope: ['files.read.all', 'offline_access', 'User.Read'],
callback: '/onedrive/callback',
},
zoom: {
transport: 'session',
...defaults,
authorize_url: 'https://zoom.us/oauth/authorize',
access_url: 'https://zoom.us/oauth/token',
callback: '/zoom/callback',
Expand Down
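Review bot: The `// Enable CSRF check` comment on the new `defaults` object names the intent but not what the check relies on, and since `state` is kept in the session (`transport: 'session'`) the protection only holds when the session cookie is still present on the provider's redirect back; I'd expand it to `// state: true makes grant send a random state with each authorization request and reject a callback whose state does not match the value stored in the session`. Because `...google` is spread after `...defaults` in `googledrive` and `googlephotos`, any `state` or `transport` key later added to `google` would silently override the defaults, so a one-line note above `const google` saying it must not set those keys would protect the invariant this commit introduces. The hunk is collapsed after the `zoom` entry, so I cannot confirm from here that every remaining provider entry received `...defaults`.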
6 changes: 6 additions & 0 deletions packages/@uppy/companion/test/__tests__/provider-manager.js
Expand Up @@ -41,6 +41,7 @@ describe('Test Provider options', () => {
providerManager.addProviderOptions(getCompanionOptions(), grantConfig, getOauthProvider)
expect(grantConfig.instagram).toEqual({
transport: 'session',
"state": true,
callback: '/instagram/callback',
redirect_uri: 'http://localhost:3020/instagram/redirect',
key: '123456',
Expand All @@ -53,6 +54,7 @@ describe('Test Provider options', () => {
key: 'dropbox_key',
secret: 'dropbox_secret',
transport: 'session',
"state": true,
redirect_uri: 'http://localhost:3020/dropbox/redirect',
authorize_url: 'https://www.dropbox.com/oauth2/authorize',
access_url: 'https://api.dropbox.com/oauth2/token',
Expand All @@ -66,6 +68,7 @@ describe('Test Provider options', () => {
key: 'box_key',
secret: 'box_secret',
transport: 'session',
"state": true,
redirect_uri: 'http://localhost:3020/box/redirect',
authorize_url: 'https://account.box.com/api/oauth2/authorize',
access_url: 'https://api.box.com/oauth2/token',
Expand All @@ -81,6 +84,7 @@ describe('Test Provider options', () => {
key: 'google_key',
secret: 'google_secret',
transport: 'session',
"state": true,
redirect_uri: 'http://localhost:3020/drive/redirect',
scope: [
'https://www.googleapis.com/auth/drive.readonly',
Expand All @@ -101,6 +105,7 @@ describe('Test Provider options', () => {
key: 'google_key',
secret: 'google_secret',
transport: 'session',
"state": true,
redirect_uri: 'http://localhost:3020/googlephotos/redirect',
scope: ['https://www.googleapis.com/auth/photoslibrary.readonly', 'https://www.googleapis.com/auth/userinfo.email'],
callback: '/googlephotos/callback',
Expand All @@ -114,6 +119,7 @@ describe('Test Provider options', () => {
key: 'zoom_key',
secret: 'zoom_secret',
transport: 'session',
"state": true,
authorize_url: 'https://zoom.us/oauth/authorize',
redirect_uri: 'http://localhost:3020/zoom/redirect',
access_url: 'https://zoom.us/oauth/token',
Expand Down
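Review bot: The added expectation lines use a quoted key, `"state": true,`, while every neighbouring key in the same literals (`transport: 'session',`, `callback:`, `redirect_uri:`) is unquoted; the same inconsistency appears in all six hunks of this file, and `state: true,` would match the surrounding style. These assertions only pin that the generated grant config carries the flag; whether a callback with a missing or mismatched `state` is actually rejected is left to grant itself, as the commit description notes, so a short comment such as `// state: true is asserted here so the CSRF flag cannot be dropped silently; rejection of a bad state is exercised by grant` would make the test's scope clear. The enclosing `describe('Test Provider options', …)` block starts and ends outside these hunks.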
