Harden OAuth redirect handling (avoid open-redirect + token leakage) #580

@colebemis

Description

Problem

api/github-auth.ts builds a redirect URL from the state parameter and appends the GitHub access token (user_token) to the query string.

Impact

  • If state can be attacker-controlled, this is an open redirect.
  • Tokens in URLs can leak via logs, browser history, referrers, or third-party requests.

Suggested fix

  • Treat state as an opaque CSRF token, not a URL.
  • Only redirect to a fixed allowlisted origin (e.g., same-origin).
  • Avoid putting tokens in the URL; use an httpOnly Secure cookie or a short-lived server-side session.

Files

  • api/github-auth.ts
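The shape described above and the suggested fix, side by side, as an added TypeScript example; this is not the project's api/github-auth.ts. The `user_token` query name comes from the issue; the origin, cookie names, cookie paths and the `returnTo` parameter are assumptions. The hardened path treats `state` as a double-submit CSRF nonce (cookie vs. query, compared in constant time), never uses it as a URL, resolves any return path against one fixed origin, and moves the token into an httpOnly Secure cookie so it never appears in the redirect URL.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Constructed placeholders (assumptions, not values from the project).
export const ALLOWED_ORIGIN = "https://app.example.com";
export const POST_LOGIN_PATH = "/";

export interface CallbackResponse {
  status: number;
  location: string;      // redirect target ("" when the request is rejected)
  setCookie: string[];   // Set-Cookie headers to emit
}

// Vulnerable shape from the issue: `state` becomes the redirect target and
// the GitHub access token is appended to the query string.
export function vulnerableCallback(state: string, userToken: string): CallbackResponse {
  return {
    status: 302,
    location: `${state}?user_token=${encodeURIComponent(userToken)}`,
    setCookie: [],
  };
}

// Allowlist check: accept only a path that resolves to ALLOWED_ORIGIN.
// Absolute URLs, protocol-relative "//host" and backslash tricks all resolve to
// a different origin (or "null") and fall back to POST_LOGIN_PATH.
export function safeReturnPath(candidate: string | undefined): string {
  const fallback = new URL(POST_LOGIN_PATH, ALLOWED_ORIGIN).toString();
  if (!candidate) return fallback;
  try {
    const url = new URL(candidate, ALLOWED_ORIGIN);
    return url.origin === ALLOWED_ORIGIN ? url.toString() : fallback;
  } catch {
    return fallback;
  }
}

// Step 1: mint an opaque nonce, pin it in a short-lived cookie and send the
// same value to GitHub as `state`. It carries no URL and is never parsed as one.
export function beginLogin(nonce: string = randomBytes(16).toString("hex")) {
  return {
    state: nonce,
    setCookie: `oauth_state=${nonce}; Path=/api; HttpOnly; Secure; SameSite=Lax; Max-Age=300`,
  };
}

function constantTimeEqual(a: string, b: string): boolean {
  const ba = Buffer.from(a, "utf8");
  const bb = Buffer.from(b, "utf8");
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// Step 2: the callback accepts only a `state` that matches the cookie set in
// step 1, redirects to a fixed same-origin location, and returns the token in an
// httpOnly Secure cookie instead of the URL. `returnTo`, if used at all, must
// come from somewhere the server controls (e.g. a value stored at login start),
// never from `state`.
export function hardenedCallback(
  queryState: string | undefined,
  cookieState: string | undefined,
  userToken: string,
  returnTo?: string,
): CallbackResponse {
  if (!queryState || !cookieState || !constantTimeEqual(queryState, cookieState)) {
    return { status: 400, location: "", setCookie: [] };
  }
  return {
    status: 302,
    location: safeReturnPath(returnTo),
    setCookie: [
      `user_token=${encodeURIComponent(userToken)}; Path=/; HttpOnly; Secure; SameSite=Lax`,
      "oauth_state=; Path=/api; Max-Age=0", // one-time nonce: clear it after use
    ],
  };
}
```

Wiring this into a handler means setting `beginLogin().setCookie` on the request that sends the user to GitHub, then calling `hardenedCallback(req.query.state, req.cookies.oauth_state, token)` when GitHub redirects back; the token cookie is then read server-side on later requests rather than by front-end code.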
