nightshift/security: add CSRF state to Slack and GitHub OAuth#17
Open
Conversation
The Slack and GitHub OAuth callbacks lacked state parameter validation, making them vulnerable to CSRF attacks (OWASP A5). An attacker could trick a logged-in user into connecting an attacker-controlled Slack or GitHub account. Both flows now generate a random state token stored in an httpOnly cookie, and the callback verifies it before exchanging the authorization code. https://claude.ai/code/session_01EG1HcH5DWijTkARenutW5N
Summary
The Slack and GitHub OAuth flows were missing CSRF `state` parameter validation — an attacker could craft a link that forces a logged-in user to connect an attacker-controlled Slack or GitHub account (OWASP A5: Broken Access Control). HubSpot and Jira already had proper state validation; Slack and GitHub did not.

Risk
An attacker could trick a user into linking an attacker-controlled Slack workspace or GitHub account, potentially exposing the user's worklog data to the attacker's integrations.

Fix
- `/api/auth/slack/route.ts`: generates a `crypto.randomUUID()` state token, stores it in an httpOnly cookie, and passes it to Slack's authorize URL.
- `/api/auth/slack/callback/route.ts`: validates the returned `state` param against the cookie before exchanging the code. Rejects with `state_mismatch` on failure.
- `/api/auth/github/route.ts`: same pattern — generates state, stores in cookie, passes to GitHub.
- `/api/auth/github/callback/route.ts`: validates state before code exchange.
- `await cookies()` calls in both callbacks.

Verification
Build passes. The fix follows the exact same pattern already used by the HubSpot and Jira OAuth flows in this codebase.