
Generate a Random OAuth State Each Time #246

@harshkhandeparkar

Describe the feature/bug

The GitHub OAuth flow has a state variable in its request that is supposed to be used to prevent CSRF. Currently, it is a constant string, but it should be randomly generated for each OAuth login request.

In the case of KWoC, the OAuth request only logs in the user and no damage could be done even if another site redirects to the OAuth login URL. However, it would be best to use a random string anyway.

Solution:

  1. Generate a random string when clicking on the login button
  2. Store the string in localStorage and redirect to the OAuth URL with this state
  3. When the OAuth login is complete and the user is redirected to /oauth on the frontend, match these strings and only proceed to log in if they match
  4. It would also be good to make the state a limited-time string so that a string generated previously cannot be used

Resources

export const GH_OAUTH_URL = `https://github.com/login/oauth/authorize?client_id=${GH_OAUTH_CLIENT_ID}&state=replacethiswithrandomtextlater`;
