CSRF protection
As detailed here and here, the default implementation of OAuth2 is vulnerable to CSRF attacks whereby a malicious host can compromise the developer's site by grabbing a valid code from his own Facebook/Google/etc. account and tricking the victim into GETting it. This would enable the malicious user to use his own Facebook/Google/etc. account to login to the developer's site as the victim.
The solution is to send a known value in the state parameter and assert that it comes back as expected.
It seems to me like this is something we should fix at the library level. Here’s one potential solution, but I’m interested in hearing others.
1. When initializing an `OAuth2Service`, the developer passes in a `CSRF_SECRET_KEY` (or `None` to disable rauth's CSRF protection).
2. When the developer calls `get_authorize_url`, he passes in the current user's ID (or `None` if the user is anonymous).
3. If rauth receives an ID, it salts it with `CSRF_SECRET_KEY`, hashes it, and concatenates it onto the state param:

   `&state=__csrf__%3D95078fdf5cde38c1ca1694389cda1460;original_state_here`

4. Just before `get_access_token` returns, it salts and hashes the current user's ID, and compares the results to `__csrf__`.
   - 4a) If the hashes match, the `__csrf__` string is removed from the state and it is passed unmolested back to the developer.
   - 4b) If the hashes don't match, return `{'error': 'csrf_validation_failed'}` to the developer.
I’m new to both the rauth project and OAuth2 implementation in general. I’d love to know if I’m off-base here. If not, I’d be happy to add support.
Please critique.
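The four steps proposed above, carried through end to end as an added example. This is not rauth's code and not the issue author's; `get_authorize_url` and `handle_callback` are hypothetical stand-ins for the library entry points the proposal names, the provider endpoint, client ID and redirect URI are placeholders, and the "salt and hash" step is implemented as HMAC-SHA256 keyed with `CSRF_SECRET_KEY` so that nobody without the key can produce a token for a victim's ID. The demo runs the genuine flow, then the attack from the issue (the victim GETs a callback carrying the attacker's code and state), then the same callback with the token stripped; both forgeries are rejected with `csrf_validation_failed`. Note that, exactly as in the proposal, an anonymous user (`user_id` of `None`) gets no token, so that case is passed through unchecked here.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

CSRF_MARKER = "__csrf__"


def csrf_token(secret_key: bytes, user_id) -> str:
    """Keyed hash of the user's ID. The issue says "salt with CSRF_SECRET_KEY and hash";
    HMAC-SHA256 is used for that here (hypothetical helper, not rauth's)."""
    return hmac.new(secret_key, str(user_id).encode(), hashlib.sha256).hexdigest()


def build_state(secret_key, user_id, original_state=""):
    """Step 3: prepend "__csrf__=<token>;" to the developer's own state value.
    No token is added when protection is disabled (secret None) or the user is
    anonymous (user_id None), as the proposal describes."""
    if secret_key is None or user_id is None:
        return original_state
    return f"{CSRF_MARKER}={csrf_token(secret_key, user_id)};{original_state}"


def verify_state(secret_key, user_id, returned_state):
    """Step 4: recompute the token for the *current* user and compare.
    Returns (ok, original_state); original_state is None on failure."""
    if secret_key is None or user_id is None:
        return True, returned_state   # protection off, or no user to bind to
    prefix = CSRF_MARKER + "="
    if not returned_state.startswith(prefix):
        return False, None            # protection on but no token present
    token, sep, original = returned_state[len(prefix):].partition(";")
    if not sep:
        return False, None            # malformed: no separator after the token
    if not hmac.compare_digest(token, csrf_token(secret_key, user_id)):
        return False, None            # 4b: hashes differ
    return True, original             # 4a: strip __csrf__, return the rest


def get_authorize_url(secret_key, user_id, original_state=""):
    """Stand-in for OAuth2Service.get_authorize_url with the proposed user-ID argument.
    Endpoint, client_id and redirect_uri are placeholders."""
    params = {"response_type": "code", "client_id": "example-client",
              "redirect_uri": "https://app.example/callback",
              "state": build_state(secret_key, user_id, original_state)}
    return "https://provider.example/oauth/authorize?" + urlencode(params)


def handle_callback(secret_key, current_user_id, callback_url):
    """Stand-in for the check the proposal places just before get_access_token returns."""
    qs = parse_qs(urlparse(callback_url).query)
    ok, original = verify_state(secret_key, current_user_id, qs.get("state", [""])[0])
    if not ok:
        return {"error": "csrf_validation_failed"}
    return {"code": qs.get("code", [""])[0], "state": original}


def _state_from(url):
    return parse_qs(urlparse(url).query)["state"][0]


def demo():
    # Constructed sample data: a secret key and two user IDs.
    key = b"CSRF_SECRET_KEY-constructed-for-this-example"
    victim, attacker = 1001, 2002
    # Genuine flow: the victim starts it and the provider echoes the state back.
    state = _state_from(get_authorize_url(key, victim, "next=/settings"))
    genuine = handle_callback(key, victim,
                              f"https://app.example/callback?code=VICTIMCODE&state={state}")
    # Attack from the issue: the attacker obtains a callback for *their* account
    # and tricks the logged-in victim into GETting it.
    attacker_state = _state_from(get_authorize_url(key, attacker, "next=/settings"))
    forged = handle_callback(key, victim,
                             f"https://app.example/callback?code=ATTACKERCODE&state={attacker_state}")
    # Variant: the attacker drops the __csrf__ token from the state entirely.
    stripped = handle_callback(key, victim,
                               "https://app.example/callback?code=ATTACKERCODE&state=next%3D%2Fsettings")
    return genuine, forged, stripped


if __name__ == "__main__":
    for label, result in zip(("genuine", "forged", "stripped"), demo()):
        print(label, result)
```

`hmac.compare_digest` is used for the comparison so that the token check does not leak timing information, and the verification recomputes the token from the *current* session's user ID rather than trusting anything in the returned state, which is what ties the callback to the browser that started the flow.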
Issue Analytics
- State:
- Created 11 years ago
- Reactions:1
- Comments:13 (11 by maintainers)
Top GitHub Comments
What became of this?
Repo owner, can I work on a fix for this?