feat: @slack/oauth: add support and examples for CSRF mitigation #1013
Commits on May 7, 2020
fix: moves dev dependencies to devDependencies (40e6930)
* Updates the version to 1.1.0
* Moves TypeScript dependencies that were in the production dependencies to the devDependencies
feat: adds timing attack mitigation (75f18ea)
If the JWT doesn't expire, it can be used any time.
* Adds configuration option to limit the lifetime of the state token
* Adds default lifetime of 3 minutes
docs: adds documentation for overriding state ttl (351003c)
Adds documentation to the README to describe the default state lifetime, and how to override it.
feat: adds support for csrf mitigation (495811f)
* Replaces generateInstallUrl with makeInstallUrl, which returns both the url, and the token that was generated
* Adds support for passing the token in with the options to callbackHandler, so it can be bound to the device in a cookie, and compared to the token that we received from Slack
* Adds support for injecting the web client, so additional test paths can be evaluated
* Improves test coverage
* Fixes the mock web client responses (appId should be app_id)
docs: updates README with makeInstallUrl (ba07cc0)
Because the generateInstallUrl returned a string, it wasn't extensible, so I had to either (a) introduce a breaking change, or (b) introduce a new function. I chose the latter, and updated the documentation to demonstrate (b) in the examples.
feat: updates v1 example with csrf mitigation (9afaab1)
* Adds dependency on `cookie` library
* Uses new makeInstallUrl function to get the redirect url, and token
* Adds the generated token to a secure, http-only cookie before redirecting to Slack OAuth
* Parses the cookie from the headers when Slack redirects back to the app
* Ensures the cookie exists before calling handleCallback, so there isn't a wait-for-expiration gap
* Passes the token to handleCallback so it can be timingSafeCompared to the JWT that Slack sends back in the query string
feat: updates v2 example with csrf mitigation (02db29a)
* Adds dependency on `cookie` library
* Uses new makeInstallUrl function to get the redirect url, and token
* Adds the generated token to a secure, http-only cookie before redirecting to Slack OAuth
* Parses the cookie from the headers when Slack redirects back to the app
* Ensures the cookie exists before calling handleCallback, so there isn't a wait-for-expiration gap
* Passes the token to handleCallback so it can be timingSafeCompared to the JWT that Slack sends back in the query string
fix: uses separate jwt for device sync (67edf26)
My intention was to only send the random byte array as the value for the OAuth state param, and for the JWT to only exist in the cookie. However, that represents a potentially complex and/or breaking change. However, if the same JWT is used as the state param and in the cookie, an adversary who is able to capture the redirect url can easily spoof a synchronized device. So the examples sign JWTs specifically for the device, and provide the synchronizer to the callbackHandler for comparison.
fix: updates tests to pass after rebase (d96d522)
A test-breaking change was introduced in master. This changes the test to evaluate the new behavior.