Add OAuthStateManager for CSRF protection in GitHub OAuth flow #10702
Conversation
|
jNullj
added
core
|
I haven't really looked at this in much detail. Tbh, I've not 100% got my head round the attack vector here. However, there's one thing I want to flag quickly here before we go any further with this..
It looks to me like it wouldn't. i.e: if the computer that does the |
|
That's current, I wrongly assumed here we run on one instance, its easy to forget as I'm used to debug on a single container and usually write single instance applications. I tried to think of a way to sync this info that we already used, github api tokens came to mind as they should also be persistent across servers, and i noticed we used postgresSQL, do you think using it is a viable strategy? I would love to ditch persistent storage for keys altogether but then an attacker could forge a valid key for the CSRF attack for all clients, do you think we could bind the CSRF token to something else? like IP address & user agent mix hash or something similar? I think i might need a bit more reading about this, it appears many save time by picking a framework to handle csrf for them. |
|
Before we get any further into this, I've invited you to a private thread to try and dig into what problem we're actually trying to solve here. I think I need to understand what problem are trying to solve before we can design a solution to it. |
Introduce an OAuthStateManager class to manage states for CSRF protection during GitHub OAuth authentication, addressing issue #1805, This implementation generates and validates states to enhance security against CSRF attacks.
this pr is public as its an open public issue.
draft as i didn't test yet, and i need to add automatic tests as well