Enhancing backwards compatibility of OAuth credential fetching (#647)

* Implementing backwards compatibility with previous versions oauth credential fetching

- Making sure that errors with fetching credentials fail more gracefully

* Fixing linter errors

* Added write-time validation of oauth credentials for instance

* Ensuring that the GitlabURL properly corresponds to the instance or plugin config

* Improving validation of instance config

* Reworked resolveOAuthCredentials and protected completeConnectUserToGitlab

- Made sure URL parsing happens as a part of resolveOAuthCredentials
- Added test case for handling of malformed URLs to ensure graceful failures
- Added validation of both format and userID values when completing connections -- protecting against any requests with spoofed state query param

* Added missing return line

* Adding check against GitlabURL

- Also added test case pointed out as nitpick by ai reviewer

* Addressing PR issues

- Returning internal server error on KV store delete errors
- Renamed validation function for better clarity
- Added better URL validation in oauth credential resolving

* Simplifying error messages sent to client during connection

Author: avasconcelos114

server/api.go

@@ -10,6 +10,7 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"regexp"
 	"runtime/debug"
 	"strconv"
 	"strings"
@@ -29,6 +30,8 @@ import (
 	"github.com/mattermost/mattermost-plugin-gitlab/server/subscription"
 )
 
+var oauthStateRegexp = regexp.MustCompile(`^[a-z0-9]{15}_[a-z0-9]{26}$`)
+
 const (
 	APIErrorIDNotConnected = "not_connected"
 
@@ -248,8 +251,9 @@ func (p *Plugin) connectUserToGitlab(c *Context, w http.ResponseWriter, r *http.
 		return
 	}
 
-	conf := p.getOAuthConfig()
-	if conf == nil {
+	conf, err := p.getOAuthConfig()
+	if err != nil {
+		c.Log.WithError(err).Warnf("Failed to get OAuth configuration")
 		http.Error(w, "OAuth configuration not found", http.StatusInternalServerError)
 		return
 	}
@@ -310,46 +314,58 @@ func (p *Plugin) completeConnectUserToGitlab(c *Context, w http.ResponseWriter,
 
 	config := p.getConfiguration()
 
-	conf := p.getOAuthConfig()
+	conf, err := p.getOAuthConfig()
+	if err != nil {
+		c.Log.WithError(err).Warnf("Failed to get OAuth configuration")
+		rErr = errors.Wrap(err, "OAuth configuration not found")
+		http.Error(w, "OAuth configuration not found", http.StatusInternalServerError)
+		return
+	}
 
 	code := r.URL.Query().Get("code")
 	if len(code) == 0 {
 		rErr = errors.New("missing authorization code")
-		http.Error(w, rErr.Error(), http.StatusBadRequest)
+		http.Error(w, "Missing authorization code", http.StatusBadRequest)
 		return
 	}
 
 	state := r.URL.Query().Get("state")
 
-	var storedState []byte
-	err := p.client.KV.Get(state, &storedState)
-	if err != nil {
-		c.Log.WithError(err).Warnf("Can't get state from store")
+	if !oauthStateRegexp.MatchString(state) {
+		rErr = errors.New("invalid state format")
+		http.Error(w, "Invalid OAuth state", http.StatusBadRequest)
+		return
+	}
 
-		rErr = errors.Wrap(err, "missing stored state")
-		http.Error(w, rErr.Error(), http.StatusBadRequest)
+	userID := strings.Split(state, "_")[1]
+	if userID != authedUserID {
+		rErr = errors.New("not authorized, incorrect user")
+		http.Error(w, "Not authorized", http.StatusUnauthorized)
 		return
 	}
 
-	err = p.client.KV.Delete(state)
+	var storedState []byte
+	err = p.client.KV.Get(state, &storedState)
 	if err != nil {
-		c.Log.WithError(err).Warnf("Failed to delete state token")
+		c.Log.WithError(err).Warnf("Can't get state from store")
 
-		rErr = errors.Wrap(err, "error deleting stored state")
-		http.Error(w, rErr.Error(), http.StatusBadRequest)
+		rErr = errors.Wrap(err, "missing stored state")
+		http.Error(w, "Missing stored OAuth state", http.StatusBadRequest)
+		return
 	}
 
 	if string(storedState) != state {
 		rErr = errors.New("invalid state token")
-		http.Error(w, rErr.Error(), http.StatusBadRequest)
+		http.Error(w, "Invalid OAuth state", http.StatusBadRequest)
 		return
 	}
 
-	userID := strings.Split(state, "_")[1]
+	err = p.client.KV.Delete(state)
+	if err != nil {
+		c.Log.WithError(err).Warnf("Failed to delete state token")
 
-	if userID != authedUserID {
-		rErr = errors.New("not authorized, incorrect user")
-		http.Error(w, rErr.Error(), http.StatusUnauthorized)
+		rErr = errors.Wrap(err, "error deleting stored state")
+		http.Error(w, "Error completing OAuth connection", http.StatusInternalServerError)
 		return
 	}
 
@@ -358,7 +374,7 @@ func (p *Plugin) completeConnectUserToGitlab(c *Context, w http.ResponseWriter,
 		c.Log.WithError(err).Warnf("Can't exchange state")
 
 		rErr = errors.Wrap(err, "Failed to exchange oauth code into token")
-		http.Error(w, rErr.Error(), http.StatusInternalServerError)
+		http.Error(w, "Error completing OAuth connection", http.StatusInternalServerError)
 		return
 	}
 
@@ -367,23 +383,23 @@ func (p *Plugin) completeConnectUserToGitlab(c *Context, w http.ResponseWriter,
 		c.Log.WithError(err).Warnf("Can't retrieve user info from gitLab API")
 
 		rErr = errors.Wrap(err, "unable to connect user to GitLab")
-		http.Error(w, rErr.Error(), http.StatusInternalServerError)
+		http.Error(w, "Unable to connect user to GitLab", http.StatusInternalServerError)
 		return
 	}
 
 	if err = p.storeGitlabUserInfo(userInfo); err != nil {
 		c.Log.WithError(err).Warnf("Can't store user info")
 
 		rErr = errors.Wrap(err, "Unable to connect user to GitLab")
-		http.Error(w, rErr.Error(), http.StatusInternalServerError)
+		http.Error(w, "Unable to connect user to GitLab", http.StatusInternalServerError)
 		return
 	}
 
 	if err = p.storeGitlabUserToken(userInfo.UserID, tok); err != nil {
 		c.Log.WithError(err).Warnf("Can't store user token")
 
 		rErr = errors.Wrap(err, "Unable to connect user to GitLab")
-		http.Error(w, rErr.Error(), http.StatusInternalServerError)
+		http.Error(w, "Unable to connect user to GitLab", http.StatusInternalServerError)
 		return
 	}
 

server/api_test.go

@@ -267,6 +267,201 @@ func TestCreateIssueAllowsWhenGitlabGroupEmpty(t *testing.T) {
 	assert.Equal(t, http.StatusOK, result.StatusCode)
 }
 
+func TestCompleteConnectUserToGitlab_StateValidation(t *testing.T) {
+	validUserID := "abcdefghijklmnopqrstuvwxyz"
+
+	setupPlugin := func(t *testing.T) *Plugin {
+		t.Helper()
+
+		siteURL := "https://mattermost.example.com"
+		mmConfig := &model.Config{}
+		mmConfig.ServiceSettings.SiteURL = &siteURL
+
+		config := configuration{
+			GitlabURL:               "https://gitlab.example.com",
+			GitlabOAuthClientID:     "client_id",
+			GitlabOAuthClientSecret: "client_secret",
+			EncryptionKey:           "aaaaaaaaaaaaaaaa",
+		}
+
+		p := &Plugin{configuration: &config}
+		p.initializeAPI()
+
+		api := &plugintest.API{}
+		api.On("GetConfig").Return(mmConfig)
+		api.On("KVGet", mock.Anything).Return(nil, nil).Maybe()
+		api.On("LogWarn", mock.Anything, mock.Anything, mock.Anything).Return(nil).Maybe()
+		api.On("LogDebug", mock.Anything, mock.Anything, mock.Anything).Return(nil).Maybe()
+		p.SetAPI(api)
+		p.client = pluginapi.NewClient(api, p.Driver)
+		p.oauthBroker = NewOAuthBroker(func(_ OAuthCompleteEvent) {})
+		return p
+	}
+
+	t.Run("rejects state with arbitrary KV key name", func(t *testing.T) {
+		p := setupPlugin(t)
+
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/oauth/complete?code=test&state=Gitlab_Instance_Configuration_Map", nil)
+		r.Header.Set("Mattermost-User-ID", validUserID)
+
+		p.ServeHTTP(nil, w, r)
+
+		result := w.Result()
+		defer func() { _ = result.Body.Close() }()
+		assert.Equal(t, http.StatusBadRequest, result.StatusCode)
+		data, _ := io.ReadAll(result.Body)
+		assert.Contains(t, string(data), "Invalid OAuth state")
+	})
+
+	t.Run("rejects state targeting user token key", func(t *testing.T) {
+		p := setupPlugin(t)
+
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/oauth/complete?code=test&state="+validUserID+"_usertoken", nil)
+		r.Header.Set("Mattermost-User-ID", validUserID)
+
+		p.ServeHTTP(nil, w, r)
+
+		result := w.Result()
+		defer func() { _ = result.Body.Close() }()
+		assert.Equal(t, http.StatusBadRequest, result.StatusCode)
+		data, _ := io.ReadAll(result.Body)
+		assert.Contains(t, string(data), "Invalid OAuth state")
+	})
+
+	t.Run("rejects empty state", func(t *testing.T) {
+		p := setupPlugin(t)
+
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/oauth/complete?code=test&state=", nil)
+		r.Header.Set("Mattermost-User-ID", validUserID)
+
+		p.ServeHTTP(nil, w, r)
+
+		result := w.Result()
+		defer func() { _ = result.Body.Close() }()
+		assert.Equal(t, http.StatusBadRequest, result.StatusCode)
+	})
+
+	t.Run("passes validation with correctly formatted state and matching user", func(t *testing.T) {
+		state := "abcdefghijklmno_" + validUserID
+
+		siteURL := "https://mattermost.example.com"
+		mmConfig := &model.Config{}
+		mmConfig.ServiceSettings.SiteURL = &siteURL
+
+		config := configuration{
+			GitlabURL:               "https://gitlab.example.com",
+			GitlabOAuthClientID:     "client_id",
+			GitlabOAuthClientSecret: "client_secret",
+			EncryptionKey:           "aaaaaaaaaaaaaaaa",
+		}
+
+		p := &Plugin{configuration: &config}
+		p.initializeAPI()
+
+		api := &plugintest.API{}
+		api.On("GetConfig").Return(mmConfig)
+		api.On("KVGet", state).Return([]byte(state), nil)
+		api.On("KVSetWithOptions", state, []byte(nil), mock.Anything).Return(true, nil)
+		api.On("KVGet", instanceConfigNameListKey).Return(nil, nil)
+		api.On("LogDebug", mock.Anything, mock.Anything, mock.Anything).Return(nil).Maybe()
+		api.On("LogWarn", mock.Anything, mock.Anything, mock.Anything).Return(nil).Maybe()
+		api.On("LogWarn", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil).Maybe()
+		p.SetAPI(api)
+		p.client = pluginapi.NewClient(api, p.Driver)
+		p.oauthBroker = NewOAuthBroker(func(_ OAuthCompleteEvent) {})
+
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/oauth/complete?code=test&state="+state, nil)
+		r.Header.Set("Mattermost-User-ID", validUserID)
+
+		p.ServeHTTP(nil, w, r)
+
+		result := w.Result()
+		defer func() { _ = result.Body.Close() }()
+
+		// The request passes state validation and proceeds to the token exchange,
+		// which fails because there's no real GitLab server — that's an Internal
+		// Server Error, not a Bad Request or Unauthorized from the validation gates.
+		assert.Equal(t, http.StatusInternalServerError, result.StatusCode)
+		data, _ := io.ReadAll(result.Body)
+		assert.NotContains(t, string(data), "invalid state")
+		assert.NotContains(t, string(data), "not authorized, incorrect user")
+
+		api.AssertCalled(t, "KVGet", state)
+		api.AssertCalled(t, "KVSetWithOptions", state, []byte(nil), mock.Anything)
+	})
+
+	t.Run("returns error when KV delete of state token fails", func(t *testing.T) {
+		state := "abcdefghijklmno_" + validUserID
+
+		siteURL := "https://mattermost.example.com"
+		mmConfig := &model.Config{}
+		mmConfig.ServiceSettings.SiteURL = &siteURL
+
+		config := configuration{
+			GitlabURL:               "https://gitlab.example.com",
+			GitlabOAuthClientID:     "client_id",
+			GitlabOAuthClientSecret: "client_secret",
+			EncryptionKey:           "aaaaaaaaaaaaaaaa",
+		}
+
+		p := &Plugin{configuration: &config}
+		p.initializeAPI()
+
+		kvDeleteErr := model.NewAppError("KVDelete", "plugin.kv_delete.error", nil, "storage failure", http.StatusInternalServerError)
+
+		api := &plugintest.API{}
+		api.On("GetConfig").Return(mmConfig)
+		api.On("KVGet", state).Return([]byte(state), nil)
+		api.On("KVSetWithOptions", state, []byte(nil), mock.Anything).Return(false, kvDeleteErr)
+		api.On("KVGet", instanceConfigNameListKey).Return(nil, nil)
+		api.On("LogDebug", mock.Anything, mock.Anything, mock.Anything).Return(nil).Maybe()
+		api.On("LogWarn", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil).Maybe()
+		api.On("LogWarn", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil).Maybe()
+		p.SetAPI(api)
+		p.client = pluginapi.NewClient(api, p.Driver)
+		p.oauthBroker = NewOAuthBroker(func(_ OAuthCompleteEvent) {})
+
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/oauth/complete?code=test&state="+state, nil)
+		r.Header.Set("Mattermost-User-ID", validUserID)
+
+		p.ServeHTTP(nil, w, r)
+
+		result := w.Result()
+		defer func() { _ = result.Body.Close() }()
+
+		assert.Equal(t, http.StatusInternalServerError, result.StatusCode)
+		data, _ := io.ReadAll(result.Body)
+		assert.Contains(t, string(data), "Error completing OAuth connection")
+
+		api.AssertCalled(t, "KVSetWithOptions", state, []byte(nil), mock.Anything)
+		api.AssertNotCalled(t, "KVGet", "user_id_usertoken")
+	})
+
+	t.Run("rejects state with wrong user ID", func(t *testing.T) {
+		p := setupPlugin(t)
+
+		differentUserID := "zyxwvutsrqponmlkjihgfedcba"
+		state := "abcdefghijklmno_" + differentUserID
+
+		w := httptest.NewRecorder()
+		r := httptest.NewRequest(http.MethodGet, "/oauth/complete?code=test&state="+state, nil)
+		r.Header.Set("Mattermost-User-ID", validUserID)
+
+		p.ServeHTTP(nil, w, r)
+
+		result := w.Result()
+		defer func() { _ = result.Body.Close() }()
+		assert.Equal(t, http.StatusUnauthorized, result.StatusCode)
+		data, _ := io.ReadAll(result.Body)
+		assert.Contains(t, string(data), "Not authorized")
+	})
+}
+
 func TestAttachCommentToIssueReturns403WhenNamespaceNotAllowed(t *testing.T) {
 	fakeGitLab := fakeGitLabServer(t, "othergroup/repo")
 	defer fakeGitLab.Close()

server/instance.go

@@ -16,6 +16,26 @@ type InstanceConfiguration struct {
 	GitlabOAuthClientSecret string `json:"gitlaboauthclientsecret"`
 }
 
+func (c *InstanceConfiguration) Validate() error {
+	if c == nil {
+		return errors.New("instance configuration is nil")
+	}
+
+	if err := isValidURL(c.GitlabURL); err != nil {
+		return errors.Wrap(err, "must have a valid GitLab URL")
+	}
+
+	if c.GitlabOAuthClientID == "" {
+		return errors.New("must have a GitLab OAuth client ID")
+	}
+
+	if c.GitlabOAuthClientSecret == "" {
+		return errors.New("must have a GitLab OAuth client secret")
+	}
+
+	return nil
+}
+
 const (
 	instanceConfigMapKey      = "Gitlab_Instance_Configuration_Map"
 	instanceConfigNameListKey = "Gitlab_Instance_Configuration_Name_List"
@@ -26,6 +46,10 @@ func (p *Plugin) installInstance(instanceName string, config *InstanceConfigurat
 		return errors.New("config is nil")
 	}
 
+	if err := config.Validate(); err != nil {
+		return fmt.Errorf("invalid instance configuration: %w", err)
+	}
+
 	var instanceNameList []string
 	err := p.client.KV.Get(instanceConfigNameListKey, &instanceNameList)
 	if err != nil {