Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: @slack/oauth: add support and examples for CSRF mitigation #1013

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Prev Previous commit
Next Next commit
feat: adds timing attack mitigation
If the JWT doesn't expire, it can be used any time.

* Adds configuration option to limit the lifetime of the state token
* Adds default lifetime of 3 minutes
losandes committed May 7, 2020

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
commit 75f18ea38edce65f6337c2e60f006a547a1dd782
32 changes: 28 additions & 4 deletions packages/oauth/src/index.spec.js
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
require('mocha');
const { assert } = require('chai');

const { decode } = require('jsonwebtoken');
const url = require('url');
const rewiremock = require('rewiremock/node');
const sinon = require('sinon');
@@ -15,7 +15,7 @@ rewiremock(() => require('@slack/web-api')).with({
auth = {
test: sinon.fake.resolves({ bot_id: '' }),
};
oauth = {
oauth = {
access: sinon.fake.resolves({
team_id: 'fake-v1-team-id',
team_name: 'fake-team-name',
@@ -103,6 +103,8 @@ const storedInstallation = {
tokenType: 'tokenType'
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms))

// store our fake installation Object to the memory database.
devDB[storedInstallation.team.id] = storedInstallation;

@@ -257,6 +259,7 @@ describe('OAuth', async () => {
}
});
});

describe('installer.authorize', async () => {
it('should fail if database does not have an entry for authorize query', async () => {
const installer = new InstallProvider({clientId, clientSecret, stateSecret, installationStore});
@@ -349,7 +352,7 @@ describe('OAuth', async () => {
res.send('failure');
},
}

const installer = new InstallProvider({clientId, clientSecret, installationStore, stateStore: fakeStateStore});
const fakeState = 'fakeState';
const fakeCode = 'fakeCode';
@@ -370,7 +373,7 @@ describe('OAuth', async () => {
res.send('failure');
},
}

const installer = new InstallProvider({clientId, clientSecret, stateSecret, installationStore, stateStore: fakeStateStore, authVersion: 'v1'});
const fakeState = 'fakeState';
const fakeCode = 'fakeCode';
@@ -401,5 +404,26 @@ describe('OAuth', async () => {
const returnedInstallUrlOptions = await installer.stateStore.verifyStateParam(new Date(), state);
assert.deepEqual(installUrlOptions, returnedInstallUrlOptions);
});

it('should expire the state token 3 minutes in the future, by default', async () => {
const installer = new InstallProvider({clientId, clientSecret, stateSecret});
const installUrlOptions = { scopes: [ 'channels:read' ] };
const state = await installer.stateStore.generateStateParam(installUrlOptions, new Date());
assert.isAtLeast(decode(state).exp, Math.floor(Date.now() / 1000) + 170)
});

it('should use the token stateTokenLifetime (string) from the installUrlOptions if present', async () => {
const installer = new InstallProvider({clientId, clientSecret, stateSecret});
const installUrlOptions = { scopes: [ 'channels:read' ], stateTokenLifetime: '1h' };
const state = await installer.stateStore.generateStateParam(installUrlOptions, new Date());
assert.isAtLeast(decode(state).exp, Math.floor(Date.now() / 1000) + 3400)
});

it('should use the token stateTokenLifetime (number) from the installUrlOptions if present', async () => {
const installer = new InstallProvider({clientId, clientSecret, stateSecret});
const installUrlOptions = { scopes: [ 'channels:read' ], stateTokenLifetime: 3600 };
const state = await installer.stateStore.generateStateParam(installUrlOptions, new Date());
assert.isAtLeast(decode(state).exp, Math.floor(Date.now() / 1000) + 3400)
});
});
});
11 changes: 10 additions & 1 deletion packages/oauth/src/index.ts
Original file line number Diff line number Diff line change
@@ -300,6 +300,7 @@ export interface InstallURLOptions {
teamId?: string;
redirectUri?: string;
userScopes?: string | string[]; // cannot be used with authVersion=v1
stateTokenLifetime?: number | string; // a string describing a time span zeit/ms
metadata?: string; // Arbitrary data can be stored here, potentially to save app state or use for custom redirect
}

@@ -399,7 +400,15 @@ class ClearStateStore implements StateStore {
}

public async generateStateParam(installOptions: InstallURLOptions, now: Date): Promise<string> {
const state = sign({ installOptions, now: now.toJSON() }, this.stateSecret);
const state = sign(
{ installOptions, now: now.toJSON() },
this.stateSecret,
{
expiresIn: typeof installOptions.stateTokenLifetime !== 'undefined'
? installOptions.stateTokenLifetime
: '3m',
},
);
return state;
}
public async verifyStateParam(_now: Date, state: string): Promise<InstallURLOptions> {