strict state for oauth2

2022-08-29 21:34:46 +03:00 · 2022-08-29 21:34:46 +03:00 · 4588e1c1bf
commit 4588e1c1bf
parent 0ed1a3072d
8 changed files with 107 additions and 19 deletions
--- a/components/common/Container/Container.module.scss
+++ b/components/common/Container/Container.module.scss
@ -2,4 +2,6 @@
  max-width: 1080px;
  margin: 0 auto;
  padding: 1rem;
+  background-color: #fff;
+  min-height: calc(100vh - 54px);
 }
--- a/components/common/Header/Header.module.scss
+++ b/components/common/Header/Header.module.scss
@ -24,6 +24,10 @@

        &.active {
          font-weight: bold;
+
+          a {
+            background-color: #00aaff;
+          }
        }

        a {
--- a/lib/utils/crypto.ts
+++ b/lib/utils/crypto.ts
@ -0,0 +1,47 @@
+import crypto from 'crypto';
+import { CLIENT_SECRET } from '../constants';
+
+const IV_LENGTH = 16;
+const ALGORITHM = 'aes-256-cbc';
+
+export const generateString = (length: number): string =>
+  crypto.randomBytes(length).toString('hex').slice(0, length);
+
+// https://stackoverflow.com/q/52212430
+/**
+ * Symmetric encryption function
+ * @param value String to encrypt
+ * @returns Encrypted text
+ */
+export const encrypt = (value: string) => {
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(
+    ALGORITHM,
+    Buffer.from(CLIENT_SECRET, 'hex'),
+    iv
+  );
+  let encrypted = cipher.update(value);
+  encrypted = Buffer.concat([encrypted, cipher.final()]);
+  return `${iv.toString('hex')}:${encrypted.toString('hex')}`;
+};
+
+/**
+ * Symmetric decryption function
+ * @param text Encrypted string
+ * @returns Decrypted text
+ */
+export const decrypt = (text: string) => {
+  const [iv, encryptedText] = text
+    .split(':')
+    .map((part) => Buffer.from(part, 'hex'));
+
+  const decipher = crypto.createDecipheriv(
+    ALGORITHM,
+    Buffer.from(CLIENT_SECRET, 'hex'),
+    iv
+  );
+
+  let decrypted = decipher.update(encryptedText);
+  decrypted = Buffer.concat([decrypted, decipher.final()]);
+  return decrypted.toString();
+};
--- a/pages/_document.tsx
+++ b/pages/_document.tsx
@ -1,5 +1,5 @@
 import { Head, Html, Main, NextScript } from 'next/document';
-// The stylesheet is for Univia-pro font from Adobe
+
 export default function Document() {
  return (
    <Html>
--- a/pages/api/callback.ts
+++ b/pages/api/callback.ts
@ -2,23 +2,48 @@ import { NextApiRequest, NextApiResponse } from 'next';
 import { getAccessToken } from '../../lib/api/remote';

 import Cookies from 'cookies';
-import { COOKIE_KEYS } from '../../lib/constants';
+import { COOKIE_KEYS, PUBLIC_URL } from '../../lib/constants';
+import { decrypt } from '../../lib/utils/crypto';
+
+const redirect = `${PUBLIC_URL}/api/callback`;

 export default async function handler(
  req: NextApiRequest,
  res: NextApiResponse
 ) {
  if (req.query.code) {
-    // TODO: parse state
+    if (!req.query.state) {
+      return res.redirect('/');
+    }
+
    const getAuth = await getAccessToken(req.query.code as string);
    const cookies = new Cookies(req, res, { keys: COOKIE_KEYS });
+
    if (getAuth) {
+      const decrypted = decrypt(req.query.state as string);
+      const stateToken = cookies.get('validation', { signed: true });
+      const parsedState = JSON.parse(decrypted);
+
+      if (
+        parsedState.state !== stateToken ||
+        parsedState.redirect_uri !== redirect
+      ) {
+        return res.redirect('/');
+      }
+
      cookies.set('authorization', getAuth.access_token, {
        expires: new Date(Date.now() + getAuth.expires_in * 1000),
        secure: process.env.NODE_ENV === 'production',
        signed: true,
      });
+
+      cookies.set('validation', undefined, {
+        expires: new Date(0),
+        secure: process.env.NODE_ENV === 'production',
+        signed: true,
+      });
    }
+
    res.redirect('/');
  }
 }
--- a/pages/api/hello.ts
+++ b/pages/api/hello.ts
@ -1,13 +0,0 @@
-// Next.js API route support: https://nextjs.org/docs/api-routes/introduction
-import type { NextApiRequest, NextApiResponse } from 'next'
-
-type Data = {
-  name: string
-}
-
-export default function handler(
-  req: NextApiRequest,
-  res: NextApiResponse<Data>
-) {
-  res.status(200).json({ name: 'John Doe' })
-}
--- a/pages/api/login.ts
+++ b/pages/api/login.ts
@ -1,15 +1,37 @@
+import Cookies from 'cookies';
 import { NextApiRequest, NextApiResponse } from 'next';
-import { CLIENT_ID, OAUTH_URL, PUBLIC_URL } from '../../lib/constants';
+import {
+  CLIENT_ID,
+  COOKIE_KEYS,
+  OAUTH_URL,
+  PUBLIC_URL,
+} from '../../lib/constants';
+import { encrypt, generateString } from '../../lib/utils/crypto';
+
+const redirect = `${PUBLIC_URL}/api/callback`;

 export default function handler(req: NextApiRequest, res: NextApiResponse) {
+  const stateToken = generateString(16);
+  const state = encrypt(
+    JSON.stringify({
+      redirect_uri: redirect,
+      state: stateToken,
+    })
+  );
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: 'code',
-    redirect_uri: `${PUBLIC_URL}/api/callback`,
+    redirect_uri: redirect,
    scope: 'management',
+    state,
  });

-  // TODO: generate state
+  const cookies = new Cookies(req, res, { keys: COOKIE_KEYS });
+
+  cookies.set('validation', stateToken, {
+    secure: process.env.NODE_ENV === 'production',
+    signed: true,
+  });

  res.redirect(`${OAUTH_URL}/authorize?${params.toString()}`);
 }
--- a/styles/globals.scss
+++ b/styles/globals.scss
@ -4,6 +4,7 @@ body {
  margin: 0;
  font-family: -apple-system, BlinkMacSystemFont, Segoe UI, Roboto, Oxygen,
    Ubuntu, Cantarell, Fira Sans, Droid Sans, Helvetica Neue, sans-serif;
+  background-color: rgb(231, 231, 231);
 }

 a {