[server] minor refactor/renames

Author: geropl

components/server/src/auth/authenticator.ts

@@ -20,7 +20,7 @@ import { HostContextProvider } from "./host-context-provider";
 import { SignInJWT } from "./jwt";
 import { NonceService } from "./nonce-service";
 import { getFeatureFlagEnableNonceValidation, getFeatureFlagEnableStrictAuthorizeReturnTo } from "../util/featureflags";
-import { validateLoginReturnToUrl, validateAuthorizeReturnToUrl, safeRedirect } from "../express-util";
+import { validateLoginReturnToUrl, validateAuthorizeReturnToUrl, safeFragmentRedirect } from "../express-util";
 
 @injectable()
 export class Authenticator {
@@ -93,7 +93,7 @@ export class Authenticator {
                         pathname: req.path,
                         search: new URL(req.url, this.config.hostUrl.url).search,
                     });
-                    safeRedirect(res, baseUrl.toString());
+                    safeFragmentRedirect(res, baseUrl.toString());
                     return;
                 }
 
@@ -185,12 +185,14 @@ export class Authenticator {
         let returnToParam: string | undefined = req.query.returnTo?.toString();
         if (returnToParam) {
             log.info(`Stored returnTo URL: ${returnToParam}`, { "login-flow": true });
-
-            // Validate returnTo URL against allowlist for login API
-            if (!validateLoginReturnToUrl(returnToParam, this.config.hostUrl)) {
-                log.warn(`Invalid returnTo URL rejected for login: ${returnToParam}`, { "login-flow": true });
-                safeRedirect(res, this.getSorryUrl(`Invalid return URL.`));
-                return;
+            const isStrictAuthorizeValidationEnabled = await getFeatureFlagEnableStrictAuthorizeReturnTo();
+            if (isStrictAuthorizeValidationEnabled) {
+                // Validate returnTo URL against allowlist for login API
+                if (!validateLoginReturnToUrl(returnToParam, this.config.hostUrl)) {
+                    log.warn(`Invalid returnTo URL rejected for login: ${returnToParam}`, { "login-flow": true });
+                    safeFragmentRedirect(res, this.getSorryUrl(`Invalid return URL.`));
+                    return;
+                }
             }
         }
         // returnTo defaults to workspaces url
@@ -202,7 +204,7 @@ export class Authenticator {
         const authProvider = host && (await this.getAuthProviderForHost(host));
         if (!host || !authProvider) {
             log.info(`Bad request: missing parameters.`, { "login-flow": true });
-            safeRedirect(res, this.getSorryUrl(`Bad request: missing parameters.`));
+            safeFragmentRedirect(res, this.getSorryUrl(`Bad request: missing parameters.`));
             return;
         }
         // Logins with organizational Git Auth is not permitted
@@ -211,12 +213,12 @@ export class Authenticator {
                 "authorize-flow": true,
                 ap: authProvider.info,
             });
-            safeRedirect(res, this.getSorryUrl(`Login with "${host}" is not permitted.`));
+            safeFragmentRedirect(res, this.getSorryUrl(`Login with "${host}" is not permitted.`));
             return;
         }
         if (this.config.disableDynamicAuthProviderLogin && !authProvider.params.builtin) {
             log.info(`Auth Provider is not allowed.`, { ap: authProvider.info });
-            safeRedirect(res, this.getSorryUrl(`Login with ${authProvider.params.host} is not allowed.`));
+            safeFragmentRedirect(res, this.getSorryUrl(`Login with ${authProvider.params.host} is not allowed.`));
             return;
         }
 
@@ -226,7 +228,7 @@ export class Authenticator {
                 "login-flow": true,
                 ap: authProvider.info,
             });
-            safeRedirect(res, this.getSorryUrl(`Login with "${host}" is not permitted.`));
+            safeFragmentRedirect(res, this.getSorryUrl(`Login with "${host}" is not permitted.`));
             return;
         }
 
@@ -248,7 +250,7 @@ export class Authenticator {
         const user = req.user;
         if (!req.isAuthenticated() || !User.is(user)) {
             log.info(`User is not authenticated.`);
-            safeRedirect(res, this.getSorryUrl(`Not authenticated. Please login.`));
+            safeFragmentRedirect(res, this.getSorryUrl(`Not authenticated. Please login.`));
             return;
         }
         const returnTo: string = req.query.returnTo?.toString() || this.config.hostUrl.asDashboard().toString();
@@ -258,20 +260,20 @@ export class Authenticator {
 
         if (!host || !authProvider) {
             log.warn(`Bad request: missing parameters.`);
-            safeRedirect(res, this.getSorryUrl(`Bad request: missing parameters.`));
+            safeFragmentRedirect(res, this.getSorryUrl(`Bad request: missing parameters.`));
             return;
         }
 
         try {
             await this.userAuthentication.deauthorize(user, authProvider.authProviderId);
-            safeRedirect(res, returnTo);
+            safeFragmentRedirect(res, returnTo);
         } catch (error) {
             next(error);
             log.error(`Failed to disconnect a provider.`, error, {
                 host,
                 userId: user.id,
             });
-            safeRedirect(
+            safeFragmentRedirect(
                 res,
                 this.getSorryUrl(
                     `Failed to disconnect a provider: ${error && error.message ? error.message : "unknown reason"}`,
@@ -284,12 +286,12 @@ export class Authenticator {
         const user = req.user;
         if (!req.isAuthenticated() || !User.is(user)) {
             log.info(`User is not authenticated.`, { "authorize-flow": true });
-            safeRedirect(res, this.getSorryUrl(`Not authenticated. Please login.`));
+            safeFragmentRedirect(res, this.getSorryUrl(`Not authenticated. Please login.`));
             return;
         }
         if (user.id === BUILTIN_INSTLLATION_ADMIN_USER_ID) {
             log.info(`Authorization is not permitted for admin user.`);
-            safeRedirect(
+            safeFragmentRedirect(
                 res,
                 this.getSorryUrl(`Authorization is not permitted for admin user. Please login with a user account.`),
             );
@@ -303,24 +305,22 @@ export class Authenticator {
 
         if (!returnToParam || !host || !authProvider) {
             log.info(`Bad request: missing parameters.`, { "authorize-flow": true });
-            safeRedirect(res, this.getSorryUrl(`Bad request: missing parameters.`));
+            safeFragmentRedirect(res, this.getSorryUrl(`Bad request: missing parameters.`));
             return;
         }
 
         // Validate returnTo URL against allowlist for authorize API
         const isStrictAuthorizeValidationEnabled = await getFeatureFlagEnableStrictAuthorizeReturnTo();
-        const isValidReturnTo = isStrictAuthorizeValidationEnabled
-            ? validateAuthorizeReturnToUrl(returnToParam, this.config.hostUrl)
-            : validateLoginReturnToUrl(returnToParam, this.config.hostUrl);
-
-        if (!isValidReturnTo) {
-            const validationType = isStrictAuthorizeValidationEnabled ? "strict authorize" : "login fallback";
-            log.warn(`Invalid returnTo URL rejected for authorize (${validationType}): ${returnToParam}`, {
-                "authorize-flow": true,
-                strictValidation: isStrictAuthorizeValidationEnabled,
-            });
-            safeRedirect(res, this.getSorryUrl(`Invalid return URL.`));
-            return;
+        if (isStrictAuthorizeValidationEnabled) {
+            const isValidReturnTo = validateAuthorizeReturnToUrl(returnToParam, this.config.hostUrl);
+            if (!isValidReturnTo) {
+                log.warn(`Invalid returnTo URL rejected for authorize`, {
+                    "authorize-flow": true,
+                    returnToParam,
+                });
+                safeFragmentRedirect(res, this.getSorryUrl(`Invalid return URL.`));
+                return;
+            }
         }
 
         const returnTo = returnToParam;
@@ -333,7 +333,7 @@ export class Authenticator {
                     "authorize-flow": true,
                     ap: authProvider.info,
                 });
-                safeRedirect(res, this.getSorryUrl(`Authorization with "${host}" is not permitted.`));
+                safeFragmentRedirect(res, this.getSorryUrl(`Authorization with "${host}" is not permitted.`));
                 return;
             }
         }
@@ -344,7 +344,7 @@ export class Authenticator {
                 "authorize-flow": true,
                 ap: authProvider.info,
             });
-            safeRedirect(res, this.getSorryUrl(`Authorization with "${host}" is not permitted.`));
+            safeFragmentRedirect(res, this.getSorryUrl(`Authorization with "${host}" is not permitted.`));
             return;
         }
 
@@ -356,7 +356,7 @@ export class Authenticator {
                     "authorize-flow": true,
                     ap: authProvider.info,
                 });
-                safeRedirect(res, this.getSorryUrl(`Authorization with "${host}" is not permitted.`));
+                safeFragmentRedirect(res, this.getSorryUrl(`Authorization with "${host}" is not permitted.`));
                 return;
             }
         }

components/server/src/auth/generic-auth-provider.ts

@@ -23,7 +23,7 @@ import {
     UnconfirmedUserException,
 } from "../auth/errors";
 import { Config } from "../config";
-import { getRequestingClientInfo, safeRedirect } from "../express-util";
+import { getRequestingClientInfo, safeFragmentRedirect } from "../express-util";
 import { TokenProvider } from "../user/token-provider";
 import { UserAuthentication } from "../user/user-authentication";
 import { AuthProviderService } from "./auth-provider-service";
@@ -287,7 +287,7 @@ export abstract class GenericAuthProvider implements AuthProvider {
         const state = request.query.state;
         if (!state) {
             log.error(cxt, `(${strategyName}) No state present on callback request.`, { clientInfo });
-            safeRedirect(
+            safeFragmentRedirect(
                 response,
                 this.getSorryUrl(`No state was present on the authentication callback. Please try again.`),
             );
@@ -299,7 +299,7 @@ export abstract class GenericAuthProvider implements AuthProvider {
             log.error(`(${strategyName}) Auth flow state is missing.`);
 
             reportLoginCompleted("failed", "git");
-            safeRedirect(response, this.getSorryUrl(`Auth flow state is missing.`));
+            safeFragmentRedirect(response, this.getSorryUrl(`Auth flow state is missing.`));
             return;
         }
 
@@ -310,7 +310,7 @@ export abstract class GenericAuthProvider implements AuthProvider {
                     `(${strategyName}) User is already logged in. No auth info provided. Redirecting to dashboard.`,
                     { clientInfo },
                 );
-                safeRedirect(response, this.config.hostUrl.asDashboard().toString());
+                safeFragmentRedirect(response, this.config.hostUrl.asDashboard().toString());
                 return;
             }
         }
@@ -321,15 +321,18 @@ export abstract class GenericAuthProvider implements AuthProvider {
             reportLoginCompleted("failed_client", "git");
 
             log.error(cxt, `(${strategyName}) No session found during auth callback.`, { clientInfo });
-            safeRedirect(response, this.getSorryUrl(`Please allow Cookies in your browser and try to log in again.`));
+            safeFragmentRedirect(
+                response,
+                this.getSorryUrl(`Please allow Cookies in your browser and try to log in again.`),
+            );
             return;
         }
 
         if (authFlow.host !== this.host) {
             reportLoginCompleted("failed", "git");
 
             log.error(cxt, `(${strategyName}) Host does not match.`, { clientInfo });
-            safeRedirect(response, this.getSorryUrl(`Host does not match.`));
+            safeFragmentRedirect(response, this.getSorryUrl(`Host does not match.`));
             return;
         }
 
@@ -360,7 +363,7 @@ export abstract class GenericAuthProvider implements AuthProvider {
                 authenticate(request, response, next);
             });
         } catch (error) {
-            safeRedirect(response, this.getSorryUrl(`OAuth2 error. (${error})`));
+            safeFragmentRedirect(response, this.getSorryUrl(`OAuth2 error. (${error})`));
             return;
         }
         const [err, userOrIdentity, flowContext] = result;
@@ -472,7 +475,7 @@ export abstract class GenericAuthProvider implements AuthProvider {
                     );
 
                     const { returnTo } = authFlow;
-                    safeRedirect(response, returnTo);
+                    safeFragmentRedirect(response, returnTo);
                     return;
                 } else {
                     // Complete login into an existing account
@@ -537,7 +540,7 @@ export abstract class GenericAuthProvider implements AuthProvider {
                 search: "message=error:" + Buffer.from(JSON.stringify(error), "utf-8").toString("base64"),
             })
             .toString();
-        safeRedirect(response, url);
+        safeFragmentRedirect(response, url);
     }
 
     /**

components/server/src/auth/login-completion-handler.ts

@@ -16,7 +16,7 @@ import { IAnalyticsWriter } from "@gitpod/gitpod-protocol/lib/analytics";
 import { trackLogin } from "../analytics";
 import { SessionHandler } from "../session-handler";
 import { AuthJWT } from "./jwt";
-import { safeRedirect } from "../express-util";
+import { safeFragmentRedirect } from "../express-util";
 
 /**
  * The login completion handler pulls the strings between the OAuth2 flow, the ToS flow, and the session management.
@@ -50,7 +50,10 @@ export class LoginCompletionHandler {
         } catch (err) {
             reportLoginCompleted("failed", "git");
             log.error(logContext, `Failed to login user. Redirecting to /sorry on login.`, err);
-            safeRedirect(response, this.config.hostUrl.asSorry("Oops! Something went wrong during login.").toString());
+            safeFragmentRedirect(
+                response,
+                this.config.hostUrl.asSorry("Oops! Something went wrong during login.").toString(),
+            );
             return;
         }
 
@@ -89,7 +92,7 @@ export class LoginCompletionHandler {
 
         log.info(logContext, `User is logged in successfully. Redirect to: ${returnTo}`);
         reportLoginCompleted("succeeded", "git");
-        safeRedirect(response, returnTo);
+        safeFragmentRedirect(response, returnTo);
     }
 
     public async updateAuthProviderAsVerified(hostname: string, user: User) {

components/server/src/express-util.ts

@@ -10,6 +10,8 @@ import * as crypto from "crypto";
 import { IncomingHttpHeaders } from "http";
 import { GitpodHostUrl } from "@gitpod/gitpod-protocol/lib/util/gitpod-host-url";
 import { ensureUrlHasFragment } from "./auth/fragment-utils";
+import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
+import { TrustedValue } from "@gitpod/gitpod-protocol/lib/util/scrubbing";
 
 export const query = (...tuples: [string, string][]) => {
     if (tuples.length === 0) {
@@ -169,14 +171,14 @@ export function toClientHeaderFields(expressReq: express.Request): ClientHeaderF
  * @param allowedPatterns Array of regex patterns that are allowed for the pathname
  * @returns true if the URL is valid, false otherwise
  */
-export function validateReturnToUrlWithPatterns(
+function validateReturnToUrlWithPatterns(
     returnTo: string,
-    hostUrl: GitpodHostUrl,
-    allowedPatterns: RegExp[],
+    allowedBaseUrl: GitpodHostUrl,
+    allowedPatterns?: RegExp[],
 ): boolean {
     try {
         const url = new URL(returnTo);
-        const baseUrl = hostUrl.url;
+        const baseUrl = allowedBaseUrl.url;
 
         // Must be same origin OR www.gitpod.io exception
         const isSameOrigin = url.origin === baseUrl.origin;
@@ -191,7 +193,7 @@ export function validateReturnToUrlWithPatterns(
             return url.pathname === "/";
         }
 
-        if (allowedPatterns && allowedPatterns.length != 0) {
+        if (allowedPatterns !== undefined) {
             // Check if pathname matches any allowed pattern
             const isAllowedPath = allowedPatterns.some((pattern) => pattern.test(url.pathname));
             if (!isAllowedPath) {
@@ -218,8 +220,8 @@ export function validateReturnToUrlWithPatterns(
  * Login API allows broader navigation after authentication.
  */
 export function validateLoginReturnToUrl(returnTo: string, hostUrl: GitpodHostUrl): boolean {
-    // We have already verified the domain above, and we do not restrict the redirect location for loginReturnToUrl.
-    return validateReturnToUrlWithPatterns(returnTo, hostUrl, []);
+    // We just verify the domain
+    return validateReturnToUrlWithPatterns(returnTo, hostUrl, undefined);
 }
 
 /**
@@ -240,6 +242,21 @@ export function validateAuthorizeReturnToUrl(returnTo: string, hostUrl: GitpodHo
     return validateReturnToUrlWithPatterns(returnTo, hostUrl, allowedPatterns);
 }
 
+export function getSafeReturnToParam(req: express.Request, validator: (url: string) => boolean): string | undefined {
+    // @ts-ignore Type 'ParsedQs' is not assignable
+    const returnToURL: string | undefined = req.query.redirect || req.query.returnTo;
+    if (!returnToURL) {
+        return;
+    }
+
+    if (!validator(returnToURL)) {
+        log.debug("The redirect URL does not match allowed patterns", { query: new TrustedValue(req.query).value });
+        return;
+    }
+
+    return returnToURL;
+}
+
 /**
  * Safe redirect wrapper that automatically ensures URLs have fragments to prevent
  * OAuth token inheritance attacks.
@@ -252,7 +269,7 @@ export function validateAuthorizeReturnToUrl(returnTo: string, hostUrl: GitpodHo
  * @param url URL to redirect to
  * @param status Optional HTTP status code (default: 302)
  */
-export function safeRedirect(res: express.Response, url: string, status?: number): void {
+export function safeFragmentRedirect(res: express.Response, url: string, status?: number): void {
     const protectedUrl = ensureUrlHasFragment(url);
     if (status) {
         res.redirect(status, protectedUrl);