Unverified Commit 793bcc4b authored by Bob Callaway's avatar Bob Callaway

address review comments

parent cf3b19a9
...@@ -502,6 +502,8 @@ func (s *Server) finalizeLogin(identity connector.Identity, authReq storage.Auth ...@@ -502,6 +502,8 @@ func (s *Server) finalizeLogin(identity connector.Identity, authReq storage.Auth
// TODO: if s.skipApproval or !authReq.ForceApprovalPrompt, we can skip the redirect to /approval and go ahead and send code // TODO: if s.skipApproval or !authReq.ForceApprovalPrompt, we can skip the redirect to /approval and go ahead and send code
// an HMAC is used here to ensure that the request ID is unpredictable, ensuring that an attacker who intercepted the original
// flow would be unable to poll for the result at the /approval endpoint
h := hmac.New(sha256.New, authReq.HMACKey) h := hmac.New(sha256.New, authReq.HMACKey)
h.Write([]byte(authReq.ID)) h.Write([]byte(authReq.ID))
mac := h.Sum(nil) mac := h.Sum(nil)
...@@ -576,7 +578,7 @@ func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) { ...@@ -576,7 +578,7 @@ func (s *Server) handleApproval(w http.ResponseWriter, r *http.Request) {
// build expected hmac with secret key // build expected hmac with secret key
h := hmac.New(sha256.New, authReq.HMACKey) h := hmac.New(sha256.New, authReq.HMACKey)
h.Write([]byte(r.FormValue("req"))) h.Write([]byte(authReq.ID))
expectedMAC := h.Sum(nil) expectedMAC := h.Sum(nil)
// constant time comparison // constant time comparison
if !hmac.Equal(mac, expectedMAC) { if !hmac.Equal(mac, expectedMAC) {
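Review bot: The HMAC construction in finalizeLogin (`hmac.New(sha256.New, authReq.HMACKey)`, `Write`, `Sum`) is repeated verbatim in handleApproval, and the divergence this commit corrects (`r.FormValue("req")` versus `authReq.ID`) is exactly the kind of drift that duplication invites; a small helper would keep both sides hashing the same bytes, with `mac := approvalMAC(authReq.HMACKey, authReq.ID)` in finalizeLogin and `expectedMAC := approvalMAC(authReq.HMACKey, authReq.ID)` in handleApproval. The new comment in finalizeLogin is also inaccurate: the HMAC does not make the request ID unpredictable, it binds the ID to a per-request secret so that knowing the ID alone is not enough to use /approval; I would reword it to `// the approval step also requires an HMAC of the request ID under the per-request HMACKey, so an attacker who only learned the request ID from the original flow cannot poll /approval for the result`. Both enclosing functions start and end outside their hunks, and where handleApproval reads `mac` from is not visible here.
```go
// approvalMAC binds an auth request ID to that request's HMACKey; finalizeLogin
// emits it and handleApproval recomputes it, so both sides hash the same input.
func approvalMAC(key []byte, id string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(id))
	return h.Sum(nil)
}
```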
...@@ -144,7 +144,8 @@ func (c *conn) CreateAuthRequest(a storage.AuthRequest) error { ...@@ -144,7 +144,8 @@ func (c *conn) CreateAuthRequest(a storage.AuthRequest) error {
a.Claims.Email, a.Claims.EmailVerified, encoder(a.Claims.Groups), a.Claims.Email, a.Claims.EmailVerified, encoder(a.Claims.Groups),
a.ConnectorID, a.ConnectorData, a.ConnectorID, a.ConnectorData,
a.Expiry, a.Expiry,
a.PKCE.CodeChallenge, a.PKCE.CodeChallengeMethod, a.HMACKey, a.PKCE.CodeChallenge, a.PKCE.CodeChallengeMethod,
a.HMACKey,
) )
if err != nil { if err != nil {
if c.alreadyExistsCheck(err) { if c.alreadyExistsCheck(err) {