Merge pull request grafana#6217 from ericpp/oauth_add_state_param

DanCech · web-flow · commit 519100f1bd50 · 2016-10-10T09:58:35.000-04:00
Added a state parameter for all OAuth requests
diff --git a/pkg/api/login_oauth.go b/pkg/api/login_oauth.go
@@ -3,6 +3,8 @@ package api
 import (
 	"errors"
 	"fmt"
+	"crypto/rand"
+	"encoding/base64"
 
 	"golang.org/x/oauth2"
 
@@ -14,6 +16,12 @@ import (
 	"github.com/grafana/grafana/pkg/social"
 )
 
+func GenStateString() string {
+        rnd := make([]byte, 32)
+        rand.Read(rnd)
+        return base64.StdEncoding.EncodeToString(rnd)
+}
+
 func OAuthLogin(ctx *middleware.Context) {
 	if setting.OAuthService == nil {
 		ctx.Handle(404, "login.OAuthLogin(oauth service not enabled)", nil)
@@ -29,7 +37,17 @@ func OAuthLogin(ctx *middleware.Context) {
 
 	code := ctx.Query("code")
 	if code == "" {
-		ctx.Redirect(connect.AuthCodeURL("", oauth2.AccessTypeOnline))
+		state := GenStateString()
+		ctx.Session.Set(middleware.SESS_KEY_OAUTH_STATE, state)
+		ctx.Redirect(connect.AuthCodeURL(state, oauth2.AccessTypeOnline))
+		return
+	}
+
+	// verify state string
+	savedState := ctx.Session.Get(middleware.SESS_KEY_OAUTH_STATE).(string)
+	queryState := ctx.Query("state")
+	if savedState != queryState {
+		ctx.Handle(500, "login.OAuthLogin(state mismatch)", nil)
 		return
 	}
 
diff --git a/pkg/middleware/session.go b/pkg/middleware/session.go
@@ -13,6 +13,7 @@ import (
 
 const (
 	SESS_KEY_USERID = "uid"
+	SESS_KEY_OAUTH_STATE = "state"
 )
 
 var sessionManager *session.Manager

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ import (`
`13`	`13`
`14`	`14`	`const (`
`15`	`15`	`SESS_KEY_USERID = "uid"`
	`16`	`+ SESS_KEY_OAUTH_STATE = "state"`
`16`	`17`	`)`
`17`	`18`
`18`	`19`	`var sessionManager *session.Manager`