Merge pull request #40 from midasplatform/googleauth-csrf

Fixes #33. Use session token for googleauth login to protect from CSRF
midasplatform · Jul 21, 2014 · 6f7b6fd · 6f7b6fd
2 parents e28a6ad + b48e17c
commit 6f7b6fd
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 6 deletions.
diff --git a/modules/googleauth/Notification.php b/modules/googleauth/Notification.php
@@ -44,13 +44,19 @@ public function googleAuthLink()
     $clientId = $this->Setting->getValueByName('client_id', $this->moduleName);
     $scheme = (array_key_exists('HTTPS', $_SERVER) && $_SERVER['HTTPS']) ? 'https://' : 'http://';
     $fc = Zend_Controller_Front::getInstance();
+    $csrfToken = UtilityComponent::generateRandomString(30);
     $redirectUri = $scheme.$_SERVER['HTTP_HOST'].$fc->getBaseUrl().'/'.$this->moduleName.'/callback';
     $scopes = array('profile', 'email');
 
     $href = 'https://accounts.google.com/o/oauth2/auth?response_type=code'.
             '&client_id='.urlencode($clientId).
             '&redirect_uri='.urlencode($redirectUri).
-            '&scope='.urlencode(join(' ', $scopes));
+            '&scope='.urlencode(join(' ', $scopes)).
+            '&state='.urlencode($csrfToken);
+
+    $userNs = new Zend_Session_Namespace('Auth_User');
+    $userNs->oauthToken = $csrfToken;
+    session_write_close();
 
     return '<div style="margin-top: 10px; display: inline-block;">Or '.
            '<a class="googleauth-login" style="text-decoration: underline;" href="'.$href.'">'.

diff --git a/modules/googleauth/controllers/CallbackController.php b/modules/googleauth/controllers/CallbackController.php
@@ -34,7 +34,16 @@ function indexAction()
     $this->disableView();
 
     $code = $this->_getParam('code');
-    $redirect = $this->_getParam('state');
+    $state = $this->_getParam('state');
+
+    if(strpos($state, ' ') !== false)
+      {
+      list($csrfToken, $redirect) = split(' ', $state);
+      }
+    else
+      {
+      $redirect = null;
+      }
 
     if(!$code)
       {
@@ -48,9 +57,12 @@ function indexAction()
 
     session_start();
     $this->userSession->Dao = $user;
+
+    $userNs = new Zend_Session_Namespace('Auth_User');
+    $sessionToken = $userNs->oauthToken;
     session_write_close();
 
-    if($redirect)
+    if($redirect && $csrfToken === $sessionToken)
       {
       $this->_redirect($redirect);
       }

diff --git a/modules/googleauth/public/js/login/googleauth.login.js b/modules/googleauth/public/js/login/googleauth.login.js
@@ -1,8 +1,6 @@
 (function () {
-    var currentUrl = window.encodeURIComponent(window.location.href);
-
     $.each($('a.googleauth-login'), function () {
         var link = $(this);
-        link.attr('href', link.attr('href') + '&state=' + currentUrl);
+        link.attr('href', link.attr('href') + window.encodeURIComponent(' ' + window.location.href));
     });
 }) ();