go-pkgz / auth / build 24744987265
Coverage: 84%
Default branch: master
Ran: 21 Apr 2026 08:34PM UTC
Jobs: 1
Files: 24
Run time: 1min
21 Apr 2026 08:33PM UTC coverage: 84.247%. Remained the same
Build 24744987265 (push, github, web-flow)
fix: validate "from" redirect target in OAuth/verify flows (#275)

* fix: validate "from" redirect target in OAuth/verify flows

The "from" query parameter accepted by oauth1/oauth2/apple/verify login
handlers was stored verbatim in the handshake JWT and used as the redirect
target after a successful auth handshake with no validation. Any external
URL passed as "from" became a 307 redirect after the user completed the
real OAuth flow with the legitimate provider — usable for phishing and
post-auth landing-page substitution.

Add token.AllowedHosts (interface) and AllowedHostsFunc (adapter), mirroring
the existing token.Audience pattern. Expose Opts.AllowedRedirectHosts and
thread it through provider.Params and VerifyHandler. The provider's own URL
host is always permitted; additional hosts are opt-in via the allowlist.
Default (nil allowlist) accepts only the same host as Opts.URL — safe for
all existing single-host deployments without any caller code changes.

Centralise the policy in provider.isAllowedRedirect(); the four redirect
sites all gate on it and fall back to the existing JSON user-info response
on rejection (with a [WARN] log).

* docs: document AllowedRedirectHosts and from-redirect validation

* test: document the open-redirect attack scenario in oauth2 reproduction

Add an attack-scenario doc block to TestOauth2LoginFromRejectsExternalHost
spelling out the pre-fix flow (attacker-crafted login URL → legitimate
OAuth consent → 307 to attacker site). Same pattern applies to oauth1,
apple and verify; the comment names them explicitly so a future reader
sees what the regression test is guarding against.

* fix(provider): port-insensitive host check + log only host on rejection

Address Copilot review on PR #275:

* isAllowedRedirect compared u.Host (which includes port). A from URL
  like https://app.example.com:443/x against an Opts.URL of
  https://app.example.com would be rejected even though they are the
  same origin. Switch to u.Hostna... (continued)
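
The redirect check the commit describes, written out as an added Go example (example code, not go-pkgz/auth's own): an isAllowedRedirect that compares Hostname() so the port is ignored, always accepts the provider's own host, consults an optional AllowedHosts allowlist for anything else, and rejects the scheme-relative, backslash, userinfo and non-http forms an open-redirect probe typically tries. The names AllowedHosts and AllowedHostsFunc echo the commit message, but the redirectPolicy struct, finishLogin, hostOf, statusFor and the example.com hosts are assumptions for illustration; the fall-back to a JSON user-info body with a [WARN] log on rejection follows the commit's description.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Illustrative stand-ins for the allowlist types the commit describes.
// These are example definitions, not go-pkgz/auth's own code.
type AllowedHosts interface{ Allowed(host string) bool }

// AllowedHostsFunc adapts a plain func to AllowedHosts.
type AllowedHostsFunc func(host string) bool

func (f AllowedHostsFunc) Allowed(host string) bool { return f(host) }

// redirectPolicy (assumed name): the provider's own URL host is always accepted;
// other hosts only if the opt-in allowlist says so. A nil allowlist means same-host only.
type redirectPolicy struct {
	providerURL string       // the service's public URL (Opts.URL in the commit)
	extra       AllowedHosts // optional, may be nil
}

// isAllowedRedirect decides whether "from" may be used as a post-auth redirect target.
func (p redirectPolicy) isAllowedRedirect(from string) bool {
	// Browsers treat "\" as "/" ("/\evil.com" becomes "//evil.com"); CR/LF could split the Location header.
	if from == "" || strings.ContainsAny(from, "\\\r\n") {
		return false
	}
	u, err := url.Parse(from)
	if err != nil || u.Opaque != "" { // "evil.com:80/x" parses as scheme "evil.com" with an opaque part
		return false
	}
	switch u.Scheme {
	case "":
		// Relative reference. "//evil.com/x" parses with Host set; "///evil.com" keeps the
		// slashes in Path, but browsers still resolve it to https://evil.com.
		return u.Host == "" && !strings.HasPrefix(u.Path, "//")
	case "http", "https":
		if u.Host == "" { // "http:///evil.com" is resolved by browsers as http://evil.com
			return false
		}
	default:
		return false // javascript:, data:, mailto: and friends
	}
	base, err := url.Parse(p.providerURL)
	if err != nil {
		return false
	}
	// Hostname() strips the port, so https://app.example.com:443/x matches https://app.example.com.
	host := strings.ToLower(u.Hostname())
	if host == strings.ToLower(base.Hostname()) {
		return true
	}
	return p.extra != nil && p.extra.Allowed(host)
}

// hostOf returns only the host of a candidate URL for logging; the full URL may
// carry an attacker-chosen query string and should not land in the log.
func hostOf(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable>"
	}
	return u.Hostname()
}

// finishLogin stands in for a provider's post-handshake redirect site: 307 to "from"
// when the policy allows it, otherwise a JSON user-info body and a warning in the log.
func (p redirectPolicy) finishLogin(w http.ResponseWriter, r *http.Request, from string) {
	if p.isAllowedRedirect(from) {
		http.Redirect(w, r, from, http.StatusTemporaryRedirect)
		return
	}
	if from != "" {
		log.Printf("[WARN] ignoring redirect to disallowed host %q", hostOf(from))
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string]string{"id": "github_1", "name": "demo user"})
}

// statusFor runs finishLogin against a recorder and reports the status it produced.
func statusFor(p redirectPolicy, from string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/auth/github/callback", nil)
	p.finishLogin(rec, req, from)
	return rec.Code
}

func main() {
	p := redirectPolicy{
		providerURL: "https://app.example.com",
		extra:       AllowedHostsFunc(func(h string) bool { return h == "admin.example.com" }),
	}
	// Constructed candidates: the first three should redirect, the rest fall back to JSON.
	for _, from := range []string{
		"/dashboard",
		"https://app.example.com:443/x",
		"https://admin.example.com/",
		"https://evil.example.net/phish",
		"//evil.example.net/",
		"https://app.example.com@evil.example.net/",
	} {
		fmt.Printf("%-45s allowed=%-5v status=%d\n", from, p.isAllowedRedirect(from), statusFor(p, from))
	}
}
```

The check deliberately parses and rejects rather than trying to "clean" the value: a from parameter that fails the policy is dropped in favour of the JSON response, so the handshake still completes but the attacker-chosen landing page is never used.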

2706 of 3212 relevant lines covered (84.25%)

7.27 hits per line

Jobs
ID  Job ID         Ran                      Files  Coverage
1   24744987265.1  21 Apr 2026 08:34PM UTC  24     84.25
GitHub Action Run
Source files on build 24744987265: 24 files listed; changed 0, source changed 0, coverage changed 0
Commit 686683f1 on github
Prev build on master: #24695656251
Next build on master: #24744987298

© 2026 Coveralls, Inc